Quantcast
Channel: Lync 2010
Mark channel Not-Safe-For-Work? cancel confirm NSFW Votes: (0 votes)
Are you the publisher? Claim or contact us about this channel.
0

Lync Server Installation Fails with “AccountDomainAdminsSid" does not correspond to a unique object in Active Directory

0
0

During installation of the first Lync Server in a greenfield environment we ran into the following issue.

The Local Installer was failing with a rather strange Error Message : “AccountDomainAdminsSid" does not correspond to a unique object in Active Directory.  If you read that correctly it looks like the SID of DomainAdmins Group in AD is not unique, that is absolutely not possible because that is blocked by the Directory Service if someone would even try to do change or add SID’s manually.  So what could be wrong here?

image

 

The specific customer where we ran into this issue has a very locked down Active Directory.  So we executed Grant-CsSetupPermissions and Grant-CsOUPermissions for “Computer” and “User” on the required OU’s.

If we look at the requirements on Technet we find the following requirements for Deploy.exe and Bootstrapper.exe: Member of the Local Administrators group on the computer from which the executable is run. Member of Domain Users group to read information in AD DS
http://technet.microsoft.com/en-us/library/gg412962(v=ocs.14).aspx

 

So we need Read Access to Active Directory! This is a very vague requirement and that requirement is satisfied although we don’t have access to all of AD’s Containers…

As it turns out we don’t have Access to the Container where the Domain Admins Group resides, so we cannot find the “Domain Admins” Group or see what Members are in there.

Trying to open the Properties of the Domain Admins group gives problems (Directory Object Not Found)

image

 

Solution
Make sure the Installation account has Read Access to the Domain Admins Group.  As a compromise not to break security in the Locked Down AD we have configured Read Access for the RTCUniversalServerAdmins on the Container and child objects where the Domain Admins reside.  After that change we were able to successfully deploy the Lync Server.

 

Background
Why the Local installer needs access to the Domain Admins group is that the setup process must be able to read the Domain Admins SID to grant the Domain Admins permissions to DCOM registry keys.

clip_image001

Latest Images

Trending Articles