Wednesday, February 16, 2011

Installing Lync 2010 Without Domain Admin Rights

I recently installed Lync Server 2010 at a customer where I did not have Domain Admin rights.  This presents a challenge, since setting up Lync Server requires various updates to Active Directory.  The online documentation isn't very clear on this, so that's the purpose of this article.

Before you get started installing Lync, you will need to update the schema and prepare both the forest and the domains.  The schema updates require Schema Admin rights, and the forest and domain preps require Enterprise Admin rights or Domain Admin rights in each domain.

To hand over the Lync Server installation to a non-Domain Admin, you will need to do a few more things.  First, add the Lync setup administrator account to the CSAdministrator and RTCUniversalServerAdmins groups in AD.  These groups were created in the domainprep steps performed earlier.

Next, you will need to grant setup permissions to allow the Lync setup administrator to update AD as needed by the Lync Server Topology Builder tool.  This is done using the Grant-CsSetupPermission cmdlet.
  1. Log on to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsSetupPermission -ComputerOU <DN of the OU where the Lync server exists>
For example:
Grant-CsSetupPermission -ComputerOU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local"
If this step is not run, Topology Builder will fail to enable the topology and you will see the following error:
  • Error: An error occurred: "System.UnauthorizedAccessException" "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
Finally, grant permissions to allow the Lync setup administrator to update objects in the Lync servers OU with necessary group memberships.  This is done using the Grant-CsOUPermission cmdlet.
  1. Log on to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsOUPermission -OU <DN of the OU where the Lync server exists> -ObjectType "user"
For example:
Grant-CsOUPermission -OU "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local" -ObjectType "user"
If this step is not run, you will see the following errors when publishing the Lync topology with Topology Builder:
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCUniversalConfigReplicator".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
You can now turn the setup over to the Lync setup administrator to complete the installation.
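
One way to confirm the delegation before handing over, and to remove it once the installation is finished, shown as an added example that is not part of the original post. It assumes the ActiveDirectory PowerShell module is installed, uses a hypothetical setup account named lyncsetup, reuses the example OU from above, and is run from the Lync Server Management Shell.

```powershell
# Added example: verify (and optionally revoke) the delegation described above.
# Assumptions: ActiveDirectory module present; "lyncsetup" is a hypothetical
# account name; the OU is the example DN used in this article.
param(
    [string]$SetupAccount = "lyncsetup",
    [string]$LyncOU = "OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local",
    [switch]$RevokeAfterInstall
)

Import-Module ActiveDirectory

$problems = @()

# 1. The setup account must be in both groups named in the article.
foreach ($group in "CSAdministrator", "RTCUniversalServerAdmins") {
    $member = Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.SamAccountName -eq $SetupAccount }
    if (-not $member) { $problems += "$SetupAccount is not a member of $group" }
}

# 2. The OU must carry the ACEs added by the two Grant-* cmdlets.
#    Both Test-* cmdlets return $true or $false.
if (-not (Test-CsSetupPermission -ComputerOU $LyncOU)) {
    $problems += "Setup permission missing on $LyncOU (run Grant-CsSetupPermission)"
}
if (-not (Test-CsOUPermission -OU $LyncOU -ObjectType "user")) {
    $problems += "User-object permission missing on $LyncOU (run Grant-CsOUPermission)"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Output "Delegation for $SetupAccount on $LyncOU is complete."
}

# 3. Least privilege: once the topology is published and setup is done,
#    a Domain Admin can remove the delegation again. Re-grant it before
#    the next change that needs to enable or publish the topology.
if ($RevokeAfterInstall) {
    Revoke-CsSetupPermission -ComputerOU $LyncOU
    Revoke-CsOUPermission -OU $LyncOU -ObjectType "user"
}
```

Run it without switches before the handover; run it with -RevokeAfterInstall as a Domain Admin once the installation is complete.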

For a thorough explanation of what permissions the Grant-CsSetupPermission and Grant-CsOUPermission cmdlets grant, see the article Grant-CsSetupPermission and Grant-CsOuPermission by Jens Trier Rasmussen (Microsoft).

1:18 PM