Friday, March 10, 2017

Cannot grant AccessRights for RTCUniversalServerAdmins/RTCComponentUniversalServices of SfB to read Exchange UM AD objects using ExchUCUtil.ps1

Scenario


Following the Microsoft guide, you try to integrate Exchange Server (2013/2016) with Skype for Business (or Lync Server 2013) for UM. You run the ExchUCUtil.ps1 integration script with the required permissions (Exchange Organization administrator, Exchange Recipient administrator):

C:\Program Files\Microsoft\Exchange Server\V15\Scripts> .\ExchUCUtil.ps1

at the end you get something like:


Grants Skype for Business Server 2015 permission to read Exchange UM Active Directory Domain Services objects

Configuring UM IP Gateway objects...
Pool: pool.domain.com
A UMIPGateway already exists in Active Directory for the Lync Server pool. A new UM IP gateway wasn't created for the pool.
IsBranchRegistrar: False
MessageWaitingIndicatorAllowed: True
OutcallsAllowed: True
WARNING: The command completed successfully but no settings of 'pool' have been modified.
Dial plans: Contoso Dial Plan

Permissions for group domain.com\RTCUniversalServerAdmins

ObjectName                              AccessRights                            Configured
----------                              ------------                            ----------
First Organization                      ListChildren                            True
UM DialPlan Container                   ListChildren, ReadProperty              True
UM AutoAttendant Container              ListChildren, ReadProperty              True
Administrative Groups                   ListChildren, ReadProperty              False

Permissions for group domain.com\RTCComponentUniversalServices

ObjectName                              AccessRights                            Configured
----------                              ------------                            ----------
First Organization                      ListChildren                            True
UM DialPlan Container                   ListChildren, ReadProperty              True
UM AutoAttendant Container              ListChildren, ReadProperty              True
Administrative Groups                   ListChildren, ReadProperty              False

PoolFqdn                                UMIPGateway                             DialPlans
--------                                -----------                             ---------
pool.domain.com                         pool                                    {Contoso Dial Plan}

You may notice that some ObjectNames have a "Configured" status of "False".
In the "MSExchange Management" event log (Applications and Services Logs), the following event may be registered after running this script:

Log Name:      MSExchange Management
Source:        MSExchange CmdletLogs
Date:          10/03/2017 10:38:07
Event ID:      6
Task Category: (1)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      computer1.domain.com


The following information was included with the event:


Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -Debug "True" -User "domain.com\RTCUniversalServerAdmins" -ErrorVariable "ErrorList"
domain.com/UMAdmin
Local-ConsoleHost-Unknown
12164 powershell.exe
00:00:53.5386187
View Entire Forest: 'True',
Microsoft.Exchange.Configuration.Tasks.ManagementObjectAmbiguousException: There are multiple objects matching the identity "Administrative Groups". Please specify a unique value.

The same error occurs (obviously) if you run the script's commands manually:

Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCUniversalServerAdmins"

Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCComponentUniversalServices"

Cause


In my case, the domain.com forest had an Organizational Unit (OU) named "Administrative Groups" that had been created manually by the helpdesk group. As you probably know, an "Administrative Groups" AD container with exactly the same name is used for Exchange AD objects by Microsoft design, so the bare name "Administrative Groups" passed to -Identity now matches two objects. I'm sure the same issue occurs if you have an OU named "First Organization", "UM DialPlan Container" or "UM AutoAttendant Container". Don't give OUs such system names and you'll never hit this problem.

Solution


Rename the OU "Administrative Groups" created by the helpdesk to something else (e.g. "Admin Groups") and run the ExchUCUtil.ps1 script again.
How do you determine where this "smart" OU is located?

Get-ADPermission -Identity "Administrative Groups" | Select-Object Identity | Sort-Object Identity | Get-Unique -AsString

In my case I got something like:

Identity
--------
Administrative Groups
contoso.com/HelpDesk Groups/Administrative groups

where "contoso.com/HelpDesk Groups/" is the path to the OU that is the source of the problem.
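If renaming the OU is not an option (or you want to catch the clash before ExchUCUtil.ps1 runs), the check and the grant can be done without ever relying on a bare object name. The following PowerShell is an added example for the Exchange Management Shell, not part of the original post and not taken from ExchUCUtil.ps1; it assumes the UM containers sit directly under the Exchange organization object in the Configuration partition, and $domainName is a placeholder for your domain.

```powershell
# Added example (not from the post or from ExchUCUtil.ps1). Run in the Exchange Management Shell.
# 1) Report which of the four object names the script grants rights on resolve to more than
#    one AD object (the cause of ManagementObjectAmbiguousException).
# 2) Grant the same rights the script grants, but by distinguished name (DN), so a same-named
#    OU elsewhere in the forest cannot make -Identity ambiguous.
# Assumption: the UM containers are direct children of the Exchange organization object.

$domainName = 'domain.com'                           # placeholder, as in the post
$org        = Get-OrganizationConfig                 # Exchange organization object
$orgDn      = $org.DistinguishedName                 # CN=<Org>,CN=Microsoft Exchange,CN=Services,CN=Configuration,...
$groups     = @('RTCUniversalServerAdmins', 'RTCComponentUniversalServices')

# Object name reported by ExchUCUtil.ps1 -> DN of the Exchange object it actually means
$targets = [ordered]@{}
$targets[$org.Name]                    = $orgDn
$targets['UM DialPlan Container']      = "CN=UM DialPlan Container,$orgDn"
$targets['UM AutoAttendant Container'] = "CN=UM AutoAttendant Container,$orgDn"
$targets['Administrative Groups']      = "CN=Administrative Groups,$orgDn"

function Get-AmbiguousObjectNames {
    # Get-ADPermission returns ACEs for every object matching a bare name, so more than one
    # distinct Identity path means Add-ADPermission -Identity <name> would fail.
    foreach ($name in $targets.Keys) {
        $paths = Get-ADPermission -Identity $name -ErrorAction SilentlyContinue |
                 ForEach-Object { $_.Identity.ToString() } | Sort-Object -Unique
        if (@($paths).Count -gt 1) {
            [pscustomobject]@{ ObjectName = $name; Matches = ($paths -join '; ') }
        }
    }
}

function Grant-UmReadAccess {
    # Same rights as in the script's output: ListChildren on the organization object,
    # ListChildren + ReadProperty on the three containers. -WhatIf makes this a dry run;
    # remove it once the DNs above have been verified.
    foreach ($group in $groups) {
        foreach ($name in $targets.Keys) {
            $rights = if ($name -eq $org.Name) { 'ListChildren' } else { 'ListChildren', 'ReadProperty' }
            Add-ADPermission -Identity $targets[$name] -User "$domainName\$group" `
                -AccessRights $rights -InheritanceType All -WhatIf
        }
    }
}

Get-AmbiguousObjectNames | Format-Table -AutoSize   # expect an empty result after the OU rename
Grant-UmReadAccess
```

Running Get-AmbiguousObjectNames before the integration script turns the "Configured: False" surprise into an explicit report of which names clash and where the duplicate objects live.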