Installing Lync 2010 Without Domain Admin Rights

Wednesday, February 16, 2011
I recently installed Lync Server 2010 at a customer where I did not have Domain Admin rights.  This presents a challenge, since setting up Lync Server requires various updates to Active Directory.  The online documentation isn't very clear on this, so that's the purpose of this article.

Before you get started installing Lync, you will need to update the schema and prepare both the forest and the domains.  The schema updates require Schema Admin rights, and the forest and domain preps require Enterprise Admin rights or Domain Admin rights in each domain.

In order to hand over the Lync Server installation to a non-Domain Admin, you will need to do a few more things.  First, add the Lync setup administrator account to the CS Administrator and RTCUniversalServerAdmins groups in AD.  These groups were created in the domainprep steps performed earlier.

Next, you will need to grant setup permissions to allow the Lync setup administrator to update AD as needed by the Lync Server Topology Builder tool.  This is done using the Grant-CsSetupPermission cmdlet.
  1. Logon to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsSetupPermission -ComputerOU <DN of the OU where the Lync server exists>
For example:
Grant-CsSetupPermission -ComputerOU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local"
If this step is skipped, enabling the topology in Topology Builder fails with the following error:
  • Error: An error occurred: "System.UnauthorizedAccessException" "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
Finally, grant permissions to allow the Lync setup administrator to update objects in the Lync servers OU with necessary group memberships.  This is done using the Grant-CsOUPermission cmdlet.
  1. Logon to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsOUPermission -OU <DN of the OU where the Lync server exists> -ObjectType "user"
For example:
Grant-CsOUPermission -OU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local" -ObjectType "user"
If this step is not run, you will see the following errors when publishing the Lync topology with Topology Builder:
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCUniversalConfigReplicator".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
You can now turn the setup over to the Lync setup administrator to complete the installation.
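The following script is an added example, not part of the original post, that rolls the three delegation steps above into one run from the Lync Server Management Shell by a Domain Admin, and verifies each grant with Test-CsSetupPermission and Test-CsOUPermission before the install is handed over.  It assumes the ActiveDirectory module (RSAT) is installed on the server, that $SetupAdmin and $ComputerOU are placeholders you replace with your own values, and that the CS admin group is named CSAdministrator (the group the post refers to as "CS Administrator"); check the exact group name with Get-ADGroup in your own forest.

```powershell
# Added example (not from the original post): delegate the Lync Server 2010 install
# to a non-Domain Admin account in one pass, then verify the grants.
# Assumptions: ActiveDirectory module available; $SetupAdmin / $ComputerOU are
# placeholders; the CS admin group is assumed to be named "CSAdministrator".
param(
    [Parameter(Mandatory = $true)]
    [string]$SetupAdmin,    # sAMAccountName of the Lync setup administrator, e.g. "lyncsetup"
    [Parameter(Mandatory = $true)]
    [string]$ComputerOU,    # DN of the OU holding the Lync server computer objects
    [string]$CsAdminGroup = "CSAdministrator"   # assumed name; verify with Get-ADGroup
)

Import-Module ActiveDirectory
Import-Module Lync

# Step 1: put the setup account in the two groups created by domainprep.
foreach ($group in @($CsAdminGroup, "RTCUniversalServerAdmins")) {
    $members = Get-ADGroupMember -Identity $group -Recursive |
        Select-Object -ExpandProperty SamAccountName
    if ($members -contains $SetupAdmin) {
        Write-Host "$SetupAdmin is already a member of $group"
    } else {
        Add-ADGroupMember -Identity $group -Members $SetupAdmin
        Write-Host "Added $SetupAdmin to $group"
    }
}

# Step 2: setup permissions on the computer OU. Without this, enabling the
# topology fails with E_ACCESSDENIED (0x80070005).
Grant-CsSetupPermission -ComputerOU $ComputerOU
if (-not (Test-CsSetupPermission -ComputerOU $ComputerOU)) {
    throw "Test-CsSetupPermission reports missing permissions on $ComputerOU"
}

# Step 3: OU permissions so the setup account can add the pool to the
# RTC* universal groups when the topology is published.
Grant-CsOUPermission -OU $ComputerOU -ObjectType "user"
if (-not (Test-CsOUPermission -OU $ComputerOU -ObjectType "user")) {
    throw "Test-CsOUPermission reports missing permissions on $ComputerOU"
}

Write-Host "Delegation complete: $SetupAdmin can now run Topology Builder and Lync Server setup."
```

Run it once as a Domain Admin, for example `.\Delegate-LyncSetup.ps1 -SetupAdmin lyncsetup -ComputerOU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local"`.  The two Test-Cs* checks are the useful part: if either returns False after the grant, the delegated account will hit the access-denied or "error occurred when add" failures above at publish time, so it is better to catch that here than in Topology Builder.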

For a thorough explanation of what permissions the Grant-CsSetupPermission and Grant-CsOUPermission cmdlets grant, see the article Grant-CsSetupPermission and Grant-CsOuPermission by Jens Trier Rasmussen (Microsoft).

5 comments:

  1. Perfect timing! This is just what I needed for this evening's work.

    Thanks for the clear steps and keep up the good work!

  2. You also need the Lync FE computer account in the following AD groups:

    RTCHSUniversalServices
    RTCComponentUniversalServices
    RTCUniversalConfigReplicator
    RTCUniversalServerAdmins
    RTCUniversalUserAdmins

    I am pissed off, that these group memberships are not discussed anywhere in the Lync documentation. If these AD groups are in the root domain, but you will deploy Lync in a child domain, child domain admin membership is not enough, as you still have to mess with group memberships in the parent domain.

  3. I got the following error in the error log while publishing the topology:
    A pool object with the fully qualified domain name (FQDN) "abc.lync.com" was found for a previous version of "Lync Server".
    What to do about it?

  4. I also ran into an issue where Grant-CsSetupPermission and Grant-CsOUPermission weren't sufficient. The only way I am able to publish the topology successfully without any error is if I am a member of Domain Admins. Otherwise, the topology completes successfully with errors. The error is "Attempted to perform an unauthorized operation...". I wasn't able to find any information on this and am not sure what to do. I had the same experience on three different environments.

  5. This is a great article. The tidbit I would add is that you also have to have the central store database in place to be able to complete these steps.

