(835970) - Describes an issue that may occur after you remove permission inheritance from the domain container in Active Directory. Explains the correct permissions to assign to user containers in Active Directory for Live Communications Server.

Microsoft Knowledge Base Article

The contents of this article are Microsoft copyrighted material.
©2005-2007 Microsoft Corporation. All rights reserved.

Article ID: 835970 - Last Review: June 29, 2004 - Revision: 2.1

Windows Messenger users cannot sign in to Live Communications Server, and event ID 29 appears in the application log

SYMPTOMS

After you install and configure Microsoft Office Live Communications Server 2003, Microsoft Windows Messenger users cannot sign in to Live Communications Server. Additionally, the following event appears in the application log on the Live Communications Server computer.

Event Source: Live Communications Active Directory Connector
Event Category: None
Event ID: 29
Date: date
Time: time
Event Type: Error
Computer: computername
Description: Encountered an unknown failure while attempting to process a user entry. The entry came from naming context DC=contoso,DC=com. This error has caused the replication cycle to fail. It will be retried.
Diagnostic information:
User DN attribute value: CN=Guest,CN=Users,DC=contoso,DC=com
Guid Active Directory attribute name: objectGUID
Guid Active Directory attribute value: {A5E68767-26D9-4843-9B07-FDE285F87996}
The error occurred while processing attribute isDeleted. The description of the error that occurred is: Decoding Error (hr=0x8007003b).

CAUSE

This issue occurs if the following groups do not have sufficient permissions to the user objects in the Active Directory directory service:
  • RTCHSDomainServices
  • RTCDomainServerAdmins
  • RTCDomainUserAdmins
This scenario may occur if you remove permission inheritance from the domain container in Active Directory before you install Live Communications Server.

Sometimes, this issue occurs because authenticated users do not have Read permissions for a user objects container and for the user objects in the container. If authenticated users have been removed or denied Read permissions, you must grant the RTCHSDomainServices group Read permissions on the container and on the user objects in the container.

RESOLUTION

To resolve this issue, verify the permissions that are assigned to Live Communications Server-related groups in Active Directory. The following table lists the appropriate permission assignments for these groups.

Group name              Permission   Property name
RTCHSDomainServices     Read         RTCPropertySet
RTCHSDomainServices     Read         RTCUserSearchPropertySet
RTCDomainServerAdmins   Read         RTCPropertySet
RTCDomainServerAdmins   Write        RTCPropertySet
RTCDomainUserAdmins     Read         RTCPropertySet
RTCDomainUserAdmins     Write        RTCPropertySet
RTCDomainUserAdmins     Read         RTCUserSearchPropertySet
RTCDomainUserAdmins     Write        RTCUserSearchPropertySet
RTCDomainUserAdmins     Read         Public Information
RTCDomainUserAdmins     Write        Public Information

Assign the correct permissions to each of the Active Directory containers that contain user objects. To assign these permissions to a user objects container, follow these steps.

Warning: If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.

  1. Start the ADSI Edit tool, and then connect to a domain controller. To start ADSI Edit, click Start, click Run, type adsiedit.msc, and then click OK.

    Note ADSI Edit is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
  2. Expand Domain [domaincontrollername.example.com], right-click the user objects container where you want to assign permissions, and then click Properties. For example, right-click CN=Users, and then click Properties or right-click OU=organizational-unit-name, and then click Properties.
  3. Click the Security tab, and then click Advanced.
  4. Click Add, type rtchsdomainservices, click Check Names, and then click OK.
  5. In the Permission Entry for ContainerName dialog box that appears, click the Properties tab.
  6. In the Apply onto list, click User objects.
  7. In the Allow column, click to select both of the following check boxes:
    Read RTCPropertySet
    Read RTCUserSearchPropertySet
  8. Click OK.
  9. Click Add, type rtcdomainserveradmins, click Check Names, and then click OK.
  10. Click the Properties tab, click User objects in the Apply onto list, and then in the Allow column, click to select both of the following check boxes:
    Read RTCPropertySet
    Write RTCPropertySet
  11. Click OK.
  12. Click Add, type rtcdomainuseradmins, click Check Names, and then click OK.
  13. Click the Properties tab, click User objects in the Apply onto list, and then in the Allow column, click to select all the following check boxes:
    Read Public Information
    Write Public Information
    Read RTCPropertySet
    Write RTCPropertySet
    Read RTCUserSearchPropertySet
    Write RTCUserSearchPropertySet
  14. Click OK three times to close all dialog boxes.
  15. Follow steps 2 through 14 to assign the correct permissions to the other containers that contain Live Communications Server users.
  16. When you are finished modifying permissions, quit ADSI Edit.
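
The entries that the steps above create by hand can be checked per container from PowerShell. The script below is an added example, not part of the Microsoft article. It assumes a domain-joined session that can read the container's security descriptor, and that the property set names in the table match the cn or displayName of the corresponding objects under CN=Extended-Rights.

```powershell
# Added example (not Microsoft's code): audit one user container for the ACEs
# listed in the article's table. Default DN comes from the sample event above.
param([string]$ContainerDN = 'CN=Users,DC=contoso,DC=com')

$configNC = ([adsi]'LDAP://RootDSE').configurationNamingContext
# schemaIDGUID of the built-in user class ("Apply onto: User objects" in the UI)
$userClass = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

# Resolve a property set to its rightsGuid by name. Assumption: the names on the
# page match the cn or displayName of the controlAccessRight object.
function Get-PropertySetGuid([string]$Name) {
    $searcher = New-Object System.DirectoryServices.DirectorySearcher (
        [adsi]"LDAP://CN=Extended-Rights,$configNC",
        "(&(objectClass=controlAccessRight)(|(cn=$Name)(displayName=$Name)))")
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "Property set '$Name' not found under $configNC" }
    [guid][string]$hit.Properties['rightsguid'][0]
}

# Expected entries copied from the table: group -> right -> property sets
$all = 'RTCPropertySet', 'RTCUserSearchPropertySet', 'Public Information'
$expected = @{
    RTCHSDomainServices   = @{ ReadProperty = 'RTCPropertySet', 'RTCUserSearchPropertySet' }
    RTCDomainServerAdmins = @{ ReadProperty = 'RTCPropertySet'; WriteProperty = 'RTCPropertySet' }
    RTCDomainUserAdmins   = @{ ReadProperty = $all; WriteProperty = $all }
}

# Explicit and inherited ACEs, with SIDs translated to DOMAIN\name where possible
$rules = ([adsi]"LDAP://$ContainerDN").psbase.ObjectSecurity.GetAccessRules(
    $true, $true, [System.Security.Principal.NTAccount])

foreach ($group in $expected.Keys) {
  foreach ($right in $expected[$group].Keys) {
    $bit = [int][System.DirectoryServices.ActiveDirectoryRights]$right
    foreach ($set in $expected[$group][$right]) {
      $setGuid = Get-PropertySetGuid $set
      # Exact match only: allow ACE for this group, scoped to the property set
      # and inherited by user objects. Broader ACEs are not counted.
      $match = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$group" -and
        ([int]$_.ActiveDirectoryRights -band $bit) -ne 0 -and
        $_.ObjectType -eq $setGuid -and
        $_.InheritedObjectType -eq $userClass
      }
      New-Object psobject -Property @{
        Group = $group; Right = $right; PropertySet = $set; Present = [bool]$match }
    }
  }
}
```

A row with Present = False marks a table entry that is missing on that container. Run the script once for each container that holds Live Communications Server users.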

APPLIES TO
  • Microsoft Office Live Communications Server 2003
  • Microsoft Windows Messenger 5.0
Keywords: kbprb KB835970
