Wednesday, August 12, 2015

Skype for Business File Share: Failed to save permissions during Topology publishing

While you are installing and publishing a Skype for Business Server 2015 Topology, you have to create a File Share for all important services.

In this example the File Share is located on the same server which will later host the Skype for Business Standard Server. But in larger or other setups, where the File Share is located on a SAN, DFS or File Cluster, you might experience the same issue.


File Share and Folder Prerequisites:



The share can be either a normal share or an administrative share (share$).

Share Permission:

EVERYONE: READ
ADMINISTRATORS: FULL CONTROL, CHANGE, READ


Folder (Security Settings):

SYSTEM and CREATOR: must be Windows Server default
Installing user: FULL CONTROL
Local Server Administrators: FULL CONTROL


Skype for Business Topology Builder:

Must be started with: "Run as administrator"



Example and problem description:


This example applies to Windows Server 2012 R2, where we are installing in a Single Domain Forest with a Domain Admin. The Domain Administrator Group was placed in the member server's local Administrators group.

The next step I personally take is setting User Account Control (UAC) to NEVER, meaning switching it off entirely.


 
 
The next step after defining the Topology is to publish it, either with the PoC's Standard Server or with the Primary Pool's associated SQL Backend Store.
 
 
Doing so resulted in the issue described below:


Role: FileStore:1
Acl: "Accesswrite" permission for "RTCHSUniversialServices" on \\fileshareServer\SkypeShare$
Acl: Committed permission changes for \\fileshareServer\SkypeShare$\WinFabDumpFiles.
ACLError: Access permission error.
Error: Failed to save permissions on \\fileshareServer\SkypeShare$

 
The funny part is that most of the directories were created successfully at this point.
 
 
 
The next important check, as with Lync 2013, is the share permission: EVERYONE has READ, and the local ADMINISTRATORS have FULL CONTROL, CHANGE and READ.
 
 
 
 
Next to the share permissions, we also have to check the file/folder permissions. Here the Admin we logged on with can normally stay in the permissions for files/folders; just as a test, we removed the administrator from the tab.
 
 
This resulted in the normal issue with Windows Server 2012 and 2012 R2, where the Access Control prevents the user/admin from accessing this folder. Once you click the Continue button, the admin will be part of the permissions again.
 
Therefore I DID NOT ADD the ADMIN to the permissions!
 
 
Then we executed the Topology publishing task again and ran into a very interesting issue:
 
Role: FileStore:1
InvalidFolder: Invalid Share.
Error: Caller does not have required permission to create directory \\fileshareServer\SkypeShare$\WinFabTraceFiles. Verify that your user account has administrative privileges and that you selected "Run as administrator" when your started Windows PowerShell.

 

This is a very good hint, but remember we were Domain Admin, local Server Admin and had switched off the UAC.

 
 
Finally, due to the hint, I started the Topology Builder with the option "Run as administrator".


 
 
 
As expected the Wizard finished without any issue or error.
 
Once I tried to access the folder for the Skype for Business File Share, the same warning popped up again and I granted access myself.
In the last picture, you can see that the correct permissions and the correct groups were finally set on the file share and folders.
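
A pre-flight check for the prerequisites and the elevation problem described above, as an added example that is not part of the original post. It reports whether the session holds an elevated token, whether UAC Admin Approval Mode is still enabled, and whether the share and folder permissions match the list above. The function name Test-SfbFileSharePrereq is hypothetical, and it assumes it is run on the server that hosts the share.

```powershell
# Added example, not from the original post. Run on the server hosting the share.
# Test-SfbFileSharePrereq and its parameter are hypothetical names.
function Test-SfbFileSharePrereq {
    param([Parameter(Mandatory)] [string] $ShareName)   # e.g. 'SkypeShare$'

    # Resolve well-known SIDs so the comparison also works on localized systems.
    $toName = { param($sid) (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
    $admins   = & $toName 'S-1-5-32-544'   # BUILTIN\Administrators
    $everyone = & $toName 'S-1-1-0'        # Everyone

    # 1. Does this session run with an elevated (full administrator) token?
    $principal = New-Object Security.Principal.WindowsPrincipal([Security.Principal.WindowsIdentity]::GetCurrent())
    $elevated  = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

    # 2. EnableLUA = 1 means UAC Admin Approval Mode is still active.
    $uacKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $lua    = (Get-ItemProperty -Path $uacKey -Name EnableLUA).EnableLUA

    $everyoneRead = $adminsFull = $ntfsAdminsFull = $failure = $null
    try {
        # 3. Share permissions: EVERYONE Read, ADMINISTRATORS Full.
        $share    = Get-SmbShare -Name $ShareName -ErrorAction Stop
        $shareAcl = Get-SmbShareAccess -Name $ShareName -ErrorAction Stop |
                    Where-Object { $_.AccessControlType -eq 'Allow' }
        $everyoneRead = [bool]($shareAcl | Where-Object { $_.AccountName -eq $everyone -and $_.AccessRight -eq 'Read' })
        $adminsFull   = [bool]($shareAcl | Where-Object { $_.AccountName -eq $admins -and $_.AccessRight -eq 'Full' })

        # 4. Folder security: local Administrators need Full Control.
        $full = [Security.AccessControl.FileSystemRights]::FullControl
        $ntfs = (Get-Acl -Path $share.Path -ErrorAction Stop).Access
        $ntfsAdminsFull = [bool]($ntfs | Where-Object {
            $_.IdentityReference.Value -eq $admins -and
            $_.AccessControlType -eq 'Allow' -and
            ($_.FileSystemRights -band $full) -eq $full })
    } catch {
        # Typically an access error when the current token is not elevated.
        $failure = $_.Exception.Message
    }

    [pscustomobject]@{
        Elevated          = $elevated
        UacEnabled        = ($lua -eq 1)
        ShareEveryoneRead = $everyoneRead
        ShareAdminsFull   = $adminsFull
        NtfsAdminsFull    = $ntfsAdminsFull
        Failure           = $failure
        ReadyToPublish    = [bool]($elevated -and $everyoneRead -and $adminsFull -and $ntfsAdminsFull)
    }
}

Test-SfbFileSharePrereq -ShareName 'SkypeShare$'
```

On Windows Server 2012 and later, moving the UAC slider to "Never notify" leaves EnableLUA at 1, so a session that was not started with "Run as administrator" still reports Elevated = False, which matches the hint in the second error message.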