During installation of the first Lync Server in a greenfield environment we ran into the following issue.
The Local installer was failing with a rather strange error message: "AccountDomainAdminsSid" does not correspond to a unique object in Active Directory. Read literally, this says that the SID of the Domain Admins group is not unique in AD. That is not possible: the Directory Service rejects any attempt to add or change a SID by hand, so a duplicate can never get in. The name in the message, AccountDomainAdminsSid, is the .NET WellKnownSidType value for the Domain Admins group (RID 512 of the domain SID), so setup builds that SID itself and then looks it up in the directory. A lookup that returns zero objects fails the "unique object" test just as much as one that returns two would. So what could be wrong here?
The customer where we ran into this issue has a very locked-down Active Directory, so we had executed Grant-CsSetupPermissions and Grant-CsOUPermissions for the "Computer" and "User" object types on the required OUs.
If we look at the requirements on TechNet for Deploy.exe and Bootstrapper.exe we find two: member of the local Administrators group on the computer from which the executable is run, and member of the Domain Users group to read information in AD DS.
So all we need is read access to Active Directory. That is a vague requirement, and on paper it is satisfied: the installation account is a Domain User. What the requirement does not say is which objects setup needs to read, and in this AD Domain Users cannot read every container.
As it turns out, the installation account has no access to the container where the Domain Admins group resides, so it cannot find the Domain Admins group at all, let alone see who its members are.
Trying to open the properties of the Domain Admins group as that account fails with "Directory Object Not Found".
The fix: make sure the installation account has read access to the Domain Admins group. As a compromise that does not break the security model of the locked-down AD, we granted read access for RTCUniversalServerAdmins on the container and child objects where the Domain Admins group resides, rather than opening that container up to all Domain Users. After that change we were able to deploy the Lync Server successfully.
The reason the Local installer needs access to the Domain Admins group is that setup must read the Domain Admins SID in order to grant Domain Admins permissions on the DCOM registry keys it configures; if it cannot find the group, it cannot build that ACL and the installation fails.
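To reproduce that lookup before running setup again, here is an added PowerShell check (written for this page, not code from the original post or from the Lync installer). Run it on the Lync server while logged on as the installation account, since the LDAP search runs with that account's rights and objects the account cannot read are simply left out of the results. It builds the Domain Admins SID from the domain SID exactly as WellKnownSidType.AccountDomainAdminsSid does and searches the domain for an object with that objectSid. Zero matches is the condition behind the installer's error. The dsacls command it suggests for the fix uses placeholder values: the container CN=Users,DC=contoso,DC=com and the domain name CONTOSO are assumptions, and in a locked-down AD the group may live elsewhere, so locate it first with a privileged account.

```powershell
# Added example, not part of the original post or of Lync setup.
# Only System.DirectoryServices is used; the ActiveDirectory RSAT module is not required.
Add-Type -AssemblyName System.DirectoryServices

function Get-DomainAdminsSid {
    # Domain Admins is always RID 512 of the domain SID; build it the same way
    # .NET does for WellKnownSidType.AccountDomainAdminsSid.
    $root = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $domainSid = New-Object System.Security.Principal.SecurityIdentifier($root.Properties['objectSid'][0], 0)
    New-Object System.Security.Principal.SecurityIdentifier([System.Security.Principal.WellKnownSidType]::AccountDomainAdminsSid, $domainSid)
}

function ConvertTo-LdapFilterSid([System.Security.Principal.SecurityIdentifier]$Sid) {
    # objectSid is a binary attribute; an LDAP filter needs each byte escaped as \xx.
    $bytes = New-Object byte[] $Sid.BinaryLength
    $Sid.GetBinaryForm($bytes, 0)
    ($bytes | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
}

function Test-DomainAdminsVisible {
    # Searches the whole domain for the object whose objectSid is the Domain Admins SID.
    # The directory omits objects the calling account cannot read, so Matches = 0 means
    # "not readable by this account", not "the SID is missing from AD".
    $sid = Get-DomainAdminsSid
    $root = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().GetDirectoryEntry()
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(objectSid=$(ConvertTo-LdapFilterSid $sid))")
    $searcher.SearchScope = 'Subtree'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    $hits = @($searcher.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] })
    [pscustomobject]@{
        Account           = "$env:USERDOMAIN\$env:USERNAME"
        Sid               = $sid.Value
        Matches           = $hits.Count
        DistinguishedName = $hits
    }
}

$result = Test-DomainAdminsVisible
$result

if ($result.Matches -ne 1) {
    # Remediation used in the post: Generic Read (GR) for RTCUniversalServerAdmins on the
    # container holding Domain Admins and on its child objects (/I:T = this object and all
    # sub-objects). Run it as a Domain Admin after confirming where the group really lives.
    # "CN=Users,DC=contoso,DC=com" and "CONTOSO" are placeholders (assumed), not real values.
    Write-Warning "Domain Admins is not resolvable by SID as $($result.Account); setup will fail with AccountDomainAdminsSid."
    Write-Warning 'Grant read as a Domain Admin, e.g.: dsacls "CN=Users,DC=contoso,DC=com" /I:T /G "CONTOSO\RTCUniversalServerAdmins:GR"'
}
```

Run the check again as the installation account after the grant; Matches should be 1 and DistinguishedName should show the group's DN. Granting GR to RTCUniversalServerAdmins on one container is deliberately narrower than restoring read access for all Domain Users, which keeps the customer's locked-down model intact while giving setup the single object it needs.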