Two server roles at FQDN have different 'Treat As Authenticated' options

  • Question

  • Hi.. Have an OCS-StandardEdition_FrontEnd and OCS-Proxy install. For some reason get the below error during startup of OCS-FrontEnd pointing to (I assume) the OCS-Proxy. This prevents OCS-StandardEdition_FrontEnd's RTCSrv service from coming up. Any thoughts would be appreciated.

    jgv

     

    ERRORS:
    Two server roles at FQDN [OCSPROXY.CAPTIVELAB.COM] have different 'Treat As Authenticated' options. First server has GUID {90984363-79A7-4C32-BD9C-D785074FC7DF} and role 'Conferencing Server' (option is set). Second server has GUID {C91509BC-A6A7-40C7-BEB8-53B19F370AEA} and role 'Proxy Server' (option is not set).
    Sunday, March 2, 2008 6:15 AM

All replies

  • I am having the exact same problem. I will let you know as soon as I get a resolution.

    Sunday, April 13, 2008 12:02 AM
  • Have you had any luck resolving this?

    Tuesday, April 15, 2008 7:42 PM
  • I too am having this exact same problem and I have no idea what to do about this?  I have never had so much difficulty installing anything in my life, this OCS2007 Standard has been beyond hairy....

    When I try starting the services, I get these errors in event log:

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Event Type:    Error
    Event Source:    OCS Server
    Event Category:    (1000)
    Event ID:    12326
    Date:        4/18/2008
    Time:        3:15:54 PM
    User:        N/A
    Computer:    ---
    Description:
    Failed starting the protocol stack. The service has to stop

    Error code is:0xC3E93C47 (SIPPROXY_E_BAD_SERVER_CONFIGURATION).
    Cause: Check the previous entries in the event log for the failure reason.
    Resolution:
    Try restarting the server after resolving the failures listed in the previous event log entries.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Event Type:    Error
    Event Source:    OCS Protocol Stack
    Event Category:    (1001)
    Event ID:    14352
    Date:        4/18/2008
    Time:        3:15:54 PM
    User:        N/A
    Computer:    ---
    Description:
    Unable to start the stack.

    Error: 0x0xC3E93C47 (SIPPROXY_E_BAD_SERVER_CONFIGURATION).

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Event Type:    Error
    Event Source:    OCS Protocol Stack
    Event Category:    (1001)
    Event ID:    14497
    Date:        4/18/2008
    Time:        3:15:54 PM
    User:        N/A
    Computer:    ---
    Description:
    One or more configuration errors were detected at startup that cannot be mitigated.

    Cause: There are serious problems with the server configuration that prevented it from starting up.
    Resolution:
    Review the previous event log entries to identify failures. Alter the server configuration as required. If problems persist, contact product support.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

    ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------

    Event Type:    Error
    Event Source:    OCS Protocol Stack
    Event Category:    (1001)
    Event ID:    14517
    Date:        4/18/2008
    Time:        3:15:54 PM
    User:        N/A
    Computer:    ---
    Description:
    The server configuration validation mechanism detected some serious problems.

    4 errors and 0 warnings were detected.

    ERRORS:
    Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set). Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (option is not set).
    Two server roles at FQDN [***.***.net] have different server version numbers. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3). Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (version 0).
    Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set). Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (option is not set).
    Two server roles at FQDN [***.***.net] have different server version numbers. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3). Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (version 0).

    WARNINGS:
    No warnings

    Cause: The configuration is invalid and the server might not behave as expected.
    Resolution:
    Review and correct the errors listed above, then restart the service. You also wish to review any warnings present.

    For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.





    I have a single server setup going on and I can't wait for this to be done....  All I want is the LiveMeeting functionality for external and internal users, nothing more....  Any help is appreciated.  Thanks!

    Friday, April 18, 2008 9:32 PM
  • The problem is common in installing OCS...

     

    Several causes & ways to solve it exist.

    Most probably (as I see from event) the case is the hard one, but check the easy case first.

    Also the DC problem - for additional information... 

    Please read to the end before doing something - I hope I'll give here some ideas to you where to dig and how to do it.

     

    0. Domain Controller issue

     

    Some people say that installing OCS on DC is Evil!

    Sometimes it is the cause of the problems (not this case, but near).

    Problem is not installing on DC, but changing role FROM or TO DC AFTER installing OCS role (mainly permissions).

    It is curable - uninstall and reinstall roles on DC - the easiest way. If no luck - hard case is for you.

    You will even preserve users and most settings!

    Now you know, I wasted some hours... Now my front end on DC works perfectly!

     

    Easy case:

     

    Cause: Duplicate trust records...

     

    1. Check the Standard Server Front end properties - Properties of the STANDARD POOL - not server itself (a little bit confusing, but the pool is named by a simple name, for example "OCS", and the server in the pool by FQDN, "OCS.domain.com").

    Open Host Authorization tab and clean it up.

    Some people add their servers with installed OCS roles here - You must not do this if you are not sure!

    This confuses OCS as the servers with roles are trusted by internal relations; this tab is for other purposes (read help, it's great!)

    Try to start Front End server, then others one by one. Hope this is all.

     

    2. If not: Check the Global properties of the forest - Edge Servers tab.

    Clean it up - delete servers from list, you can always restore settings. Sometimes the problem is right there!

    Read the help - it will explain their meaning.

    Generally, I prefer to get OCS running without Edge & Auth servers and install them last.

    Try to start from front end...

     

    If no luck - the hard case:

     

    Cause: This can be after installing & deleting the Enterprise Server without Active directory cleanup.

    Also can be with older versions of OCS, for example RC.

     

    Some people test all possible setups of OCS and get themselves in such position.

     

    OCS, both Standard and Enterprise, store configuration in Active Directory, but in a slightly different way. As a result, you see these messages. As far as I understand, the only way to install Enterprise along with Standard is to install Enterprise first, then install Standard. If cleanup has not been done completely after de-installation, if you forced deletion of some server roles - information stays in Active Directory.

     

    Long way - get patience.

     

    The correct way - long, dumb, but for sure.

     

    1. Deactivate & de-install (no force this time!) all existing servers from Standard to Enterprise one by one.

     

    2. Use lsctool.exe from BOTH setups (standard first) and check if something stayed in AD after

    lcscmd.exe /domain /action:domainUnprep and

    lcscmd.exe /domain /action:ForestUnprep.

    The tool is powerful (used during install - it's the source of xml reports by the way).

    It's well self documented - no need to read help outside.

     

    3. You can use this tool to deactivate servers too, especially forced deleted ones.

     

    It's quite a long procedure - needs time to replicate AD to all Domain Controllers.

    You can speed it up of course...

    But be sure, that replication is done.

     

    If you do it right (not always possible), you can (after check) install fresh OCS without problems, using standard setup!

     

    4. OCS is gone or not?

     

    When I faced it for the first time, I tried the simple & extremely dangerous way - ADSI edit on domain controller (without reinstall).

    I strongly discourage this, manual AD editing is dangerous and can kill your domain infrastructure if you don't know exactly what you are doing.

     

    First: Do not hurry - both tools are dangerous in admin hands!

    What will happen if you delete something manually - read to the end!

     

    To simply check whether the AD is clean - use AD Users and Computers (enable Additional...) or ADSI. If you see

    System-Microsoft-RTC Service (AD Users and Computers) - this means that OCS is still here!!!

     

    To make sure for sure - use adsiedit.msc (support tools from install CD or latest from microsoft.com - recommended) 

    CN=RTC Service,CN=Microsoft,CN=System,DC=yourdomain,DC=... - still here - you can examine its config.

     

    Also check records of each server that has ever had an OCS role installed:

    For example, my favorite Mediation looks like this:

    CN=LS Mediation Service,CN=Microsoft,CN=[server name],CN=Computers,DC=yourdomain,DC=...

     

    The structure of configuration lives in

    CN=ms-RTC-SIP-Default,CN=Schema,CN=Configuration,DC=yourdomain,DC=...

    (there are numerous schema records, but most of them are successfully updated during forest-domain prep)

     

    Now, if you have already done the full delete and lcscmd.exe - simply clean up all remaining records in ADSI

    (starts with LS & RTC Service). These are conflicting records from previous installation.

     

    All responsibility is yours!!! Do not kill Exchange or DC! Backup AD before!

     

    5. To be paranoid sure check all by lcscmd.exe

    6. Wait for AD replication to finish

    7. Reinstall the OCS of your dream! It really costs its money!

     

    If you are still here - my experience.

     

    The dangerous way - detect wrong records and delete them!

    The danger is not only to miss, but to leave a time bomb in the installation that will fire later.

     

    Now you know where the settings are - you can manually delete in ADSI unwanted/obsolete ones.

     

    1. FQDN(s) - you know,

    2. GUIDS are the same in log and in ADSI.

    3. Locate each record, check GUID and its properties.

    4. Delete only unneeded

     

    TIP:

    As I mentioned above, most OCS servers with roles are trusted, but not visible in Host Authorization.

     

    Trusted servers (obsolete and active) live in

    CN=Trusted *,CN=RTC Service,CN=Microsoft,CN=System,DC=yourdomain,DC=...

     

    To find obsolete ones check both properties here and at server DN

    CN=[OCS role],CN=Microsoft,CN=[server name],CN=Computers,DC=yourdomain,DC=...

     

    If the GUID is in both places - it is most probably actual role.

    If only in Trusted - delete this GUID record.

    If you are not sure - change some properties of the conflicting role server and look at AD - the properties of correct GUID will change...

     

    Good luck and happy UM!

    Sunday, April 20, 2008 4:50 AM
  • Dmitry,

    That was quite a post.  Thanks for all the tons of information.

    I just wanted to clarify some things and hopefully this will help out some.

    First: I have OCS2007 standard, the version with MAPS.  It is installed on a stand alone server, it is not a domain controller, just a domain member.  This server is dedicated to running OCS2007, I believe this is a supported installation.

    EASY CASE

    The host authorization tab had nothing in it.  I tried adding the ocs server FQDN, but that didn't seem to change anything.

    Global properties > edge servers > It won't let me delete the AV Edge server entry, but it will let me delete the access edge entry.

    FYI: All services start fine except the "Office Communications Server Front-End" service.  This is the only one that will not start.

    HARD CASE

    I did start the installation of Live Communications Server 2005 in the past.  I did not finish it and I don't remember how far along I got into it, but it wasn't very far at all, I suspect that this might have caused an issue, I could be wrong, but maybe this is why there are multiple GUIDs?

    Do you think that if I delete the incorrect GUID I will be fixed?  I am not sure how to do this or how to even see them.  I am very unfamiliar with this portion, sadly...

    I haven't gone on to do the hard part yet because I want to see if I can get by without having to go to such lengths because I don't feel comfortable about this installation at all.   Thanks for your input and if you can be as specific as you can on what to do, I am a first time OCS installer....  Sorry.

    Thanks a ton.
    Monday, April 21, 2008 10:58 PM
  • Hello  DWAyotte!


    Ok, first - ADDING OCS to Auth tab - not a way, it is already trusted (hidden).
    Live Communication Server also has its AD schema - so that is most probably your case - record of LCS in AD.

    To support old versions LCS 2005 also visible in OCS mmc console & also it is present in AD schema when installing OCS 2007.


    Especially it is the case of unfinished install - you prepare Active Directory, try install, fail - forget - but AD does not!

    If You want to detect the wrong GUID in this (LCS) case - try to look at:

    Your case - quite easy to guess:

    Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options.
    First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set).
    Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (option is not set).

    Two server roles at FQDN [***.***.net] have different server version numbers.
    First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3).
    Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (version 0).

    Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options.
    First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set).
    Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (option is not set).

    Two server roles at FQDN [***.***.net] have different server version numbers.
    First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3).
    Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (version 0).

     

    As you see, GUID  {A9A2F909-75F7-415B-A823-7BAD428DD285} is present in all lines.
    It is 'Conferencing Server' (version 3) &  'Treat As Authenticated'

     

    As I mentioned, OCS (LCS) roles are  'Treat As Authenticated' by default & not seen in Auth tabs.

    Another two GUIDS tell us, that there are 'A/V Authentication Service' & 'Edge Server'  on that computer.

    They can not coexist with 'Conferencing Server'. - that is the point. Also, as they can be located on different servers - their GUIDs are different.

     

    Logic tells us that the {A9A2F909-75F7-415B-A823-7BAD428DD285} = LCS 'Conferencing Server' - our foe!

     

    How to get rid of it?

     

    1. Backup AD
    2. Install support tools on DC
    3. Run adsiedit.msc

    One point - it's not easy to find UniqueId using ADSIEDIT - it shows GUIDS in different notation from above

    4.  Fixing server machine configuration

    As you have it on a stand alone server it is in CN=[server short name],CN=Computers,DC=[domain short name],DC=...
    Explore its subkey CN=Microsoft

    You see the configuration on the server machine itself

    On OCS edge server this has no subkeys - but you may see something - check its properties - if not skip.

    Delete found SUBKEY of CN=Microsoft,CN=[server short name],CN=Computers,DC=[domain short name],DC=...
    This is manual deinstall of service from local computer configuration (like LCS or OCS Front ...)

     

    5. Fixing trusted

    Explore DN  CN=Trusted MCUs,CN=RTC Service,CN=Microsoft,CN=System,DC=[domain short name],DC=...
     You see some GUID records...
     These are records of main services (OCS Front End, etc)

     

    Check each subkeys one by one.

    You need to find in properties
     UNIQUE ID = {A9A2F909-75F7-415B-A823-7BAD428DD285}
    In ADSIEDIT you can see it as
     ObjectId = 09 F9 A2 A9 F7 75 5B 41 A8 23 7B AD 42 8D D2 85 (hex view)
     
    Tip - I always read guids from end - tail is equal...
    Delete subkey containing such an object GUID - You have no LCS where!
    Version is also here - so if you are lucky - that's all!

     

    6. Wait for AD replication (if more than one DC)
    7. Try to start OCS front end

     

    Good luck!

    Tuesday, April 22, 2008 6:39 PM
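
Added example (not part of any post in this thread): the reply above matches the GUID printed in the event log against the byte order that ADSI Edit shows in its hex view. This Python sketch parses the four Event ID 14517 error lines quoted earlier in the thread, reports which GUID is named in every conflict, and converts between the two notations. The function names are this example's own, and it only reads text; it does not query or change Active Directory.

```python
import re
import uuid

# Sample input: the four ERRORS lines from the Event ID 14517 entry quoted in this thread.
SAMPLE_ERRORS = """\
Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set). Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (option is not set).
Two server roles at FQDN [***.***.net] have different server version numbers. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3). Second server has GUID {51E0279D-3AC5-48D2-A20D-F204F02071F4} and role 'A/V Authentication Service' (version 0).
Two server roles at FQDN [***.***.net] have different 'Treat As Authenticated' options. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (option is set). Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (option is not set).
Two server roles at FQDN [***.***.net] have different server version numbers. First server has GUID {A9A2F909-75F7-415B-A823-7BAD428DD285} and role 'Conferencing Server' (version 3). Second server has GUID {2E2A74AE-4CD7-509F-8492-311D9AB4B4D8} and role 'Edge Server' (version 0).
"""

SERVER_RE = re.compile(
    r"(?:First|Second) server has GUID (\{[0-9A-Fa-f-]{36}\}) "
    r"and role '([^']+)' \(([^)]+)\)"
)
KIND_RE = re.compile(r"have different (.+?)\. First server")


def guid_to_adsi_hex(guid):
    """Braced GUID from the event log -> byte order shown in the ADSI Edit hex view.

    A GUID stored as an octet string keeps its first three fields little-endian
    and its last eight bytes in written order.
    """
    return " ".join(f"{b:02X}" for b in uuid.UUID(guid).bytes_le)


def adsi_hex_to_guid(hex_view):
    """Hex view copied from ADSI Edit -> braced GUID as the event log prints it."""
    return "{%s}" % str(uuid.UUID(bytes_le=bytes.fromhex(hex_view))).upper()


def parse_conflicts(text):
    """Return one dict per error line: what differs and the two servers named."""
    conflicts = []
    for line in text.splitlines():
        kind = KIND_RE.search(line)
        servers = [(g.upper(), role, state) for g, role, state in SERVER_RE.findall(line)]
        if kind and len(servers) == 2:  # skip anything that is not a role conflict
            conflicts.append({"differs": kind.group(1), "servers": servers})
    return conflicts


def summarize(conflicts):
    """Per GUID: roles and states reported, number of conflicts naming it, hex view."""
    summary = {}
    for conflict in conflicts:
        for guid, role, state in conflict["servers"]:
            entry = summary.setdefault(guid, {"roles": set(), "states": set(),
                                              "conflicts": 0,
                                              "adsi_hex": guid_to_adsi_hex(guid)})
            entry["roles"].add(role)
            entry["states"].add(state)
            entry["conflicts"] += 1
    return summary


def guids_in_every_conflict(conflicts):
    """GUIDs that appear in all parsed conflicts (the record every error points at)."""
    per_line = [{guid for guid, _, _ in c["servers"]} for c in conflicts]
    return set.intersection(*per_line) if per_line else set()


if __name__ == "__main__":
    parsed = parse_conflicts(SAMPLE_ERRORS)
    common = guids_in_every_conflict(parsed)
    for guid, info in summarize(parsed).items():
        flag = "in every conflict" if guid in common else ""
        print(guid, sorted(info["roles"]), sorted(info["states"]), info["adsi_hex"], flag)
```

Running it prints one row per GUID with the roles and states reported for it and the hex string to look for in ADSI Edit.
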
  • From the beginning of the post...

     

    These services can not coexist.

    Most probably this is a result of failed install of OCS Enterprise, older OCS or LCS 2005.

    See my messages in this post.

    Tuesday, April 22, 2008 6:56 PM
  • Dmitry,

    I appreciate all your help.  I am still struggling here unfortunately.  I went ahead and I did what you wrote for the long hard process.  I uninstalled OCS and then went in and had to edit AD and unprep forest and domain.  The uninstall from add remove programs actually failed with all sorts of errors, so I fear there are still remnants of OCS in my AD :(

    I went so far as to disjoin my OCS server from the domain and I reformatted and reinstalled windows server 2003 on it.  I have it all updated and patched and joined to the domain under a different name now.  I went to install OCS 2007 standard again and when I clicked on deploy standard server, the first step in the active directory preparation is already checked complete, so I fear that there are still remnants of the old install in my AD that will interfere with this new install.  I want to get everything out and start fresh.  Any ideas?  Thanks a bunch.

    Is there a good step by step install guide anywhere that anyone knows about?

    I want to setup livemeeting to be accessible from the internet and I don't care about the other features in OCS.....  I want to run OCS all on 1 single server.  Thanks a bunch.
    Thursday, April 24, 2008 5:12 PM
  • Answer from the end to top.

     

    3. OCS on single server - only if it is Front End - if you want of course you can open its ports to internet, but in OCS deployment it is the task of Edge server(s) - see Edge server technical reference on Microsoft site.

     

    It is possible, but this is not the way to do it. For your task you need two servers - Front End & Consolidated Edge.

    If you have no fear of putting OCS Front end on public ip - it's ok. But you'll need to find out what ports you have to open on firewall by yourself (generally they are nearly or the same as on Edge server)

     

    Step by step - Edge server deployment guide is written quite ok for this (you only must skip some sections about more complex deployments)

     

    If putting front end - You will not get the step-by-step...

    We all get the info from one source

    http://technet.microsoft.com/en-us/library/bb676082.aspx

     

    2. Traces ARE in AD - so uninstalling servers means nothing. Don't waste your time!

    Let's think...

    Ok, my site is in .ru domain, names as my second name. On the first page there is my e-mail.

    Contact me directly - if you want I can propose you to communicate via phone (Communicator of course!) - Microsoft  provide everything you need except your computer :-)

    This will shorten the time of fixing your problem.

    We only need to deal with the time (I live in GMT +3) of the call.

    I can even assist you with my hands on using only OCS tools!

    Do you have headphones & microphone? - If not - get them!

     

    1. So - I think my proposition in point 2 is the best solution in your case!

     

    The only point - most probably tomorrow 29.04.2009 I'll be busy all day long participating in the local "Heroes are here" (Microsoft conference)...

     

    Good luck!

    Monday, April 28, 2008 7:28 AM
  •  DWAyotte wrote:
    ...so I fear there are still remnants of OCS in my AD

     

    Search the forums for the usage of lcscmd for cleaning AD, and also take a look at this blog: https://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=13.

     

    You can manually look through the AD configuration partition to see if anything LCS/OCS related needs to be removed.

     

    Also, I personally would not configure a Front-End server for public access, just deploy an Access Edge Server and follow the deployment guides as designed.  Good luck.

    Monday, April 28, 2008 11:46 AM
    Moderator
  • Dmitry,

    You are a very kind person to offer such assistance.  I have actually made some good progress!  Thanks to all your help I was able to clear out all the leftovers in AD and I have a working install of OCS2007 front end server.  I am able to host and join meetings internally!  I just can't schedule from outlook plugin yet, but I will figure that out I am sure.  Now my new obstacle is the edge server.  I am currently configuring a second 2003 server as you and Jeff have mentioned for use as my edge server and I will be trying to get that deployed asap.

    I do have one question already, is a reverse proxy absolutely necessary?  If I understand correctly, I will lose some functionality without it such as sharing documents, but that won't be an issue as that is not something we need to do.  All we need is the ability to have a live meeting both internally and externally, nothing fancy.

    thanks a ton for all the help, you have done me a great favor and I appreciate it very much.
    Monday, April 28, 2008 5:07 PM
  • According to Edge deployment guide it is needed for:

     

    Group expansion, address book file download, and access to meeting content (such as slides) for Web conferencing by external users.

     

    So... You need it.

    Live meeting fails to work without reverse proxy...

     

    Monday, April 28, 2008 7:59 PM
  • I don't have a reverse proxy.  I don't run ISA....  My firewall is also not capable of running reverse proxy...
    Monday, April 28, 2008 8:01 PM
  • If you need only audio video & im - you may not configure it.

    Not your case I think.

     

    By the way do not forget to deploy your internal cert authority's key in trusted authorities of external users (of course if you use internal certification authority)

     

    Good luck

     

    Monday, April 28, 2008 8:04 PM
  • I just sent you an email
    Monday, April 28, 2008 8:09 PM
  •  

    Hi DWAyotte,

     

    Can you share how you clean all the remnants of the old OCS installed on your AD?  Would highly appreciate if you would.

     

     

    Thanks

    Tuesday, June 24, 2008 12:06 PM