LCS Services Fail to Start After Running the Global Settings Migration Tool

I ran into this problem recently.  I was doing a migration from LCS 2005 SP1 to OCS 2007 R2 and as part of the R2 prep we were moving the global settings to the Configuration Partition.  We followed the steps outlined in this TechNet article (http://technet.microsoft.com/en-us/library/dd819962(office.13).aspx), and while trying to complete Step #7, we ran into a small issue.  When trying to start the LCS service, so that we could test, we got the error listed below:

Windows could not start the Live Communications Server on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147016694.

Looking in the Application Event Log, we got Event IDs 16417 and 12299.

 

Checking the System Event Log, we got Event ID 7024.

The service can't start up because the rights aren't being applied to the new container structure in the Configuration Partition.  If you check the Security tab for the RTC Service container in ADSI Edit, you see the following:

The RTC groups that need rights aren't being added.  There are 2 ways to fix this issue.  The first options is to grant the RTCDomainUserAdmins, RTCDomainServerAdmins, and RTCHSDomainServices groups permissions to the Services (or RTC Service) container.  I've included a report of the permission both before moving the global settings as well as after moving the global settings to the Configuration Partition.  A copy of the permissions is also attached to this post, since some of the report is cut off the screen.  The second option is a little more risky.  In my lab I was able to successfully get the permissions to apply if I re-ran the DomainPrep step AFTER completing Step #8, which is removing the RTC Service container in the System container.  This is risky because you couldn't switch back to using the System container if you absolutely had to.  You can mitigate this risk by making sure that you have a recent backup of Active Directory.  You should also be able to get the services started by using Option #1, but you will more than likely be granting more permissions than necessary.  After re-running DomainPrep, the permissions were applied to the Services container in the Configuration Partition and I could start the LCS service.

 

Before Moving the Global Settings (CN=Microsoft,CN=System,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow TEST\Domain Admins FULL CONTROL
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Administrators SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
LIST CONTENTS

Inherited to computer
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to group
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to user
Allow NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS SPECIAL ACCESS for tokenGroups <Inherited from parent>
READ PROPERTY
Inherited to inetOrgPerson
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
READ PROPERTY
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to group
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS <Inherited from parent>
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Inherited to user
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Logon Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Account Restrictions <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Group Membership <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for General Information <Inherited from parent>
READ PROPERTY
Allow BUILTIN\Pre-Windows 2000 Compatible Access SPECIAL ACCESS for Remote Access Information <Inherited from parent>
READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for Public Information <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
DELETE
WRITE PROPERTY
READ PROPERTY
Allow TEST\RTCHSDomainServices SPECIAL ACCESS for RTCUserSearchPropertySet <Inherited from parent>
READ PROPERTY
Allow TEST\RTCHSDomainServices SPECIAL ACCESS for RTCPropertySet <Inherited from parent>
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY

 

After Moving the Global Settings (CN=Services,CN=Configuration,DC=test,DC=domain,DC=com)

Access list:
Effective Permissions on this object are:
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow TEST\Enterprise Admins SPECIAL ACCESS
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS
Allow NT AUTHORITY\SYSTEM FULL CONTROL
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow TEST\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS

Permissions inherited to subobjects are:
Inherited to all subobjects
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS
READ PERMISSONS
LIST CONTENTS
READ PROPERTY
LIST OBJECT
Allow TEST\Enterprise Admins FULL CONTROL <Inherited from parent>
Allow TEST\Domain Admins SPECIAL ACCESS <Inherited from parent>
DELETE
READ PERMISSONS
WRITE PERMISSIONS
CHANGE OWNERSHIP
CREATE CHILD
LIST CONTENTS
WRITE SELF
WRITE PROPERTY
READ PROPERTY
LIST OBJECT
CONTROL ACCESS

Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainUserAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-PoolService
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to container
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pool
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Pools
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-Domain
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
WRITE PROPERTY
READ PROPERTY
DELETE TREE
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
CREATE CHILD
DELETE CHILD
LIST CONTENTS
WRITE PROPERTY
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCDomainServerAdmins SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-ArchivingServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-EdgeProxy
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-PoolService
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to container
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pool
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Pools
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-TrustedServer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-Domain
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
READ PROPERTY
Inherited to msRTCSIP-GlobalContainer
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY
Inherited to msRTCSIP-Service
Allow TEST\RTCHSDomainServices SPECIAL ACCESS
LIST CONTENTS
READ PROPERTY

permissions.txt