OCS User Replicator Error Event ID 30014 - Some Users can login via Communicator, others cannot

    Question

  • I am very new to OCS.  I managed to set up a single OCS 2007 R2 Enterprise Edition server (consolidated mode) with 1 pool and no load balancer.  The OCS Enterprise Edition server is installed on a member server in my test domain. I have gotten as far as being able to login with the Communicator client for some users, yet other users cannot seem to login.  Here is what I've been doing:

    If I create a brand new user in the "CN=Users" container, and I right-click "Enable users for Communications Server...", my user can log in to Office Communication Client correctly.

    This is where things get a little messy.  My OU structure is locked down (inheritance is turned off, Authenticated Users removed, etc.).  So, I ended up using the info in "Appendix A: How to Prepare a Locked Down Active Directory" in the "Microsoft OCS 2007 Active Directory Guide".  I used the command:

    lcsCmd.exe /domain:mydomain.local /action:CreateLcsOuPermissions /ou:"OU=MyTopLevelOU" /objectType:user

    Initially this didn't seem to do anything, but after a while and after creating more test accounts I finally was able to create users in the "MyTopLevelOU" container, and then log into Communicator 2007 R2 client with those users.

    I also have sub-OUs underneath "OU=MyTopLevelOU".  I was not sure if I needed to run the lcsCmd.exe with /action:CreateLcsOuPermissions on these sub-OUs or not, but I did anyways.  Now I am able to use ADUC to create users in the OU "OU=SecondLevelOU,OU=MyTopLevelOU" container, then right-click on them and choose "Enable users for Communications Server...", wait a bit, and then I can log in with that user using Communicator 2007 R2 Client.

    I have also created my own custom script to enable OCS users.  My script sets the following 6 user attributes on the user (using ADSI):
    - msRTCSIP-ArchivingEnabled: 0
    - msRTCSIP-OptionFlags: 0
    - msRTCSIP-PrimaryHomeServer: CN=LC Services,CN=Microsoft,CN=mypool,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=mydomain,DC=local
    - msRTCSIP-PrimaryUserAddress: sip:mytestuser@mydomain.local
    - msRTCSIP-UserEnabled: TRUE
    - proxyAddresses: sip:mytestuser@mydomain.local

    Users "OCS Enabled" with my script show up in the "Administrative Tools -> Office Communications Server 2007 R2" tool, and they look the same as users who were OCS enabled in ADUC.

    However, users created with my script cannot log into Communicator 2007 Client.  When I try to login they get the error:

    "Cannot sign in to Communicator because this sign-in address was not found.  Please verify the sign-in address and try again.  If the problem persists, contact your system administrator."

    Users that are OCS enabled with my script end up throwing this error message in the EventViewer on my OCS server:

    Source: OCS User Replicator
    Category: (1009)
    Type: Error
    Event ID: 30014
    User: N/A
    Computer: OCS

    Encountered an error while attempting to perform an LDAP search for all Office Communications Server attributes on user object CN=mytestuser,OU=SecondLevelOU,OU=MyTopLevelOU,DC=mydomain,DC=local. The error was 32, (No Such Object) This user update has been skipped, and this user may not be enabled for SIP as a result. This error usually occurs when the Office Communications Server service account doesn't have enough permissions to read the attributes on the above user object. If this user is supposed to be enabled for Office Communications Server, then try to fix the problem, then disable and enable the user for SIP to resynchronize him/her.

    Is my script not enabling OCS properly for my users? 

    To be fair, if I create a user in ADUC, and right-click and select "Enable users for Communications Server...", I also see the Event Viewer error: OCS User Replicator Error Event ID 30014.  The only difference is, 10 minutes later in the Event Viewer, I see:

    Source: OCS User Replicator
    Category: (1009)
    Type: Information
    Event ID: 30021

    User Replicator connected to domain controller my-secondary-dc.mydomain.local in domain mydomain.local to perform synchronization


    I never see this 30021 Event ID after OCS Enabling users with my script.

    My script just sets the attributes using ADSI.  Nothing special, or strange.

    Tuesday, April 21, 2009 5:16 PM

All replies

  • I read through that post and I don't believe it's a problem with the process but the fact that you have locked-down permissions throughout your Active Directory.  It appears that either the accounts you are administrating with or the RTCservice accounts (or both) do not have sufficient rights to the specific OUs (or OU tree) to read or modify the objects you are attempting to enable.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    • Marked as answer by quencybrown Wednesday, April 22, 2009 3:03 PM
    Wednesday, April 22, 2009 1:11 PM
    Moderator
  • Hi Jeff,

    It could very well be a permission problem, but I'm not yet convinced.

    I tried some more testing, and this is what I do.

    If I create a user using ADUC in the CN=Users container, then right-click and use the  "Enable users for Communications Server..." wizard, my user can login via Communicator 2007 no problem.

    However, if I create a user using ADUC in the same CN=Users container, but instead use ADSIEdit to stamp the 6 attributes I listed in my original post, the user cannot log in to Communicator client, and I get the User Replicator Error Event ID 30014 in the Event Viewer.

    I will try messing around with the RTCservice account permissions on my containers, and if I find any more info I will post back.

    Wednesday, April 22, 2009 1:57 PM
  • UPDATE: Adding the RTCService user to my container with Full Permissions (on this object and all child objects) fixes my problem. Thank you for the information. However it opens up two more questions:

    1. After my "initial" installation, my CN=Users container did not have the RTCService account listed in the Security Permissions. Yet, I could create user accounts using ADUC, and right click and use the "Enable users for Communications Server..." wizard to provision OCS to my users. Yet, I could not use ADSI to stamp the 6 attributes. It seems in order to be able to stamp the 6 attributes to provision OCS, I need this extra RTCService permission. This doesn't really make sense to me, but at least I know the workaround needed to make it work.

    2. Why doesn't "Appendix A: How to Prepare a Locked Down Active Directory" mention the need of the RTCService account permission? Or why doesn't the following command add RTCService to the security tab permissions on the OU:

    LcsCmd.exe /domain:mydomain.local /action:CreateLcsOuPermissions /ou:"OU=MyTopLevelOU" /objectType:user

    I don't mind that I have to add the "RTCService" account to the permissions on my OUs, but I am just curious if this is an oversight with the OCS installer and documentation? I am going to work out the minimum set of permissions you need to give to RTCService so that provisioning users via the 6 attributes works properly. I will update this thread one last time with those permissions so that others may benefit from the information.

    Thanks for the help Jeff!
    Wednesday, April 22, 2009 2:42 PM
  • I have everything working and now the RTCService account only has the "Read" and "ReadRTCUserSearchPropertySet" permissions on my top level OU.  I also set the permissions to apply on "this object and all child objects" so that the permissions are also set on my sub-OU containers.

    • Marked as answer by quencybrown Wednesday, April 22, 2009 3:03 PM
    Wednesday, April 22, 2009 3:01 PM
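The following PowerShell is an added example, not code from this thread or from Microsoft. It turns the two findings above into checks a domain admin can run before provisioning: first, whether the service account holds the "Read" and "ReadRTCUserSearchPropertySet" rights on the OU and whether those ACEs inherit to child objects (the minimal permission set from the final reply); second, whether the six attributes set by the original poster's script are actually readable when bound as that account, which is the condition behind LDAP error 32 in event 30014. The domain name mydomain.local, the OU and user DNs, and the account name MYDOMAIN\RTCService are placeholders taken from or modelled on the thread; the function names and the GUID lookup via the Extended-Rights container are this example's own.

```powershell
# Added example, not from the thread. Placeholders: mydomain.local, MyTopLevelOU,
# MYDOMAIN\RTCService, and the test user DN. Run on a domain-joined Windows host.
Add-Type -AssemblyName System.DirectoryServices

# Resolve the rightsGuid of a property set (e.g. ReadRTCUserSearchPropertySet) from the
# Extended-Rights container of the configuration naming context.
function Get-PropertySetGuid {
    param([string]$DisplayName)
    [string]$configDn = ([ADSI]"LDAP://RootDSE").configurationNamingContext
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Extended-Rights,$configDn"
    $searcher.Filter = "(&(objectClass=controlAccessRight)(displayName=$DisplayName))"
    [void]$searcher.PropertiesToLoad.Add("rightsGuid")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Property set '$DisplayName' not found; OCS schema prep may be missing." }
    return [Guid]$hit.Properties["rightsguid"][0]
}

# Report whether $Account has an Allow ACE for Read on all attributes, an Allow ACE for the
# property set, and whether those ACEs apply to child objects ("this object and all child objects").
function Test-OcsOuPermission {
    param([string]$OuDn, [string]$Account, [string]$PropertySetName = "ReadRTCUserSearchPropertySet")
    $setGuid   = Get-PropertySetGuid -DisplayName $PropertySetName
    $propRight = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $ou   = [ADSI]"LDAP://$OuDn"
    $aces = @($ou.psbase.ObjectSecurity.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -ieq $Account
    })
    # ObjectType = empty GUID means the ACE covers every attribute ("Read" in the GUI);
    # ObjectType = the set's GUID means it covers only that property set.
    $readAll = @($aces | Where-Object {
        ([int]($_.ActiveDirectoryRights -band $propRight)) -ne 0 -and $_.ObjectType -eq [Guid]::Empty })
    $readSet = @($aces | Where-Object {
        ([int]($_.ActiveDirectoryRights -band $propRight)) -ne 0 -and $_.ObjectType -eq $setGuid })
    [pscustomobject]@{
        OU                 = $OuDn
        Account            = $Account
        HasRead            = $readAll.Count -gt 0
        HasPropertySetRead = $readSet.Count -gt 0
        InheritsToChildren = @($aces | Where-Object { $_.InheritanceType -ne 'None' }).Count -gt 0
    }
}

# Bind as the service account and try to load the six OCS attributes on one user. A bind that
# cannot see the object at all surfaces as "There is no such object on the server" (LDAP error 32),
# the same condition event 30014 reports; an attribute the account may not read simply stays
# absent from the cache, so MissingAttributes needs to be compared against what is actually set.
function Test-OcsUserReadable {
    param([string]$UserDn, [System.Management.Automation.PSCredential]$ServiceCredential)
    $attrs = 'msRTCSIP-ArchivingEnabled', 'msRTCSIP-OptionFlags', 'msRTCSIP-PrimaryHomeServer',
             'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled', 'proxyAddresses'
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        "LDAP://$UserDn",
        $ServiceCredential.UserName,
        $ServiceCredential.GetNetworkCredential().Password,
        [System.DirectoryServices.AuthenticationTypes]::Secure)
    try {
        $entry.RefreshCache($attrs)
        $missing = @($attrs | Where-Object { -not $entry.Properties.Contains($_) })
        [pscustomobject]@{ User = $UserDn; Readable = $true; MissingAttributes = $missing }
    } catch {
        [pscustomobject]@{ User = $UserDn; Readable = $false; Error = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

# Usage (placeholders from the thread):
# Test-OcsOuPermission -OuDn "OU=MyTopLevelOU,DC=mydomain,DC=local" -Account "MYDOMAIN\RTCService"
# Test-OcsUserReadable -UserDn "CN=mytestuser,OU=SecondLevelOU,OU=MyTopLevelOU,DC=mydomain,DC=local" `
#                      -ServiceCredential (Get-Credential "MYDOMAIN\RTCService")
```

Running the first function on each OU that holds SIP-enabled users, rather than granting Full Control as the interim fix in the thread did, keeps the service account at the Read plus property-set rights the final reply settled on; the second function reproduces the User Replicator's read as the account itself, so a failure there points at the OU ACL rather than at the provisioning script.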