Following the Microsoft guide, you try to integrate Exchange Server (2013/2016) with Skype for Business (or Lync Server 2013) for Unified Messaging (UM). You run the ExchUCUtil.ps1 integration script with the required permissions (Exchange Organization administrator, Exchange Recipient administrator):
C:\Program Files\Microsoft\Exchange Server\V15\Scripts> .\ExchUCUtil.ps1
At the end you get output similar to this:
Grants Skype for Business Server 2015 permission to read Exchange UM Active Directory Domain Services objects
Configuring UM IP Gateway objects...
Pool: pool.domain.com
A UMIPGateway already exists in Active Directory for the Lync Server pool. A new UM IP gateway wasn't created for the pool.
IsBranchRegistrar: False
MessageWaitingIndicatorAllowed: True
OutcallsAllowed: True
WARNING: The command completed successfully but no settings of 'pool' have been modified.
Dial plans: Contoso Dial Plan
Permissions for group domain.com\RTCUniversalServerAdmins
ObjectName                  AccessRights                Configured
----------                  ------------                ----------
First Organization          ListChildren                True
UM DialPlan Container       ListChildren, ReadProperty  True
UM AutoAttendant Container  ListChildren, ReadProperty  True
Administrative Groups       ListChildren, ReadProperty  False
Permissions for group domain.com\RTCComponentUniversalServices
ObjectName                  AccessRights                Configured
----------                  ------------                ----------
First Organization          ListChildren                True
UM DialPlan Container       ListChildren, ReadProperty  True
UM AutoAttendant Container  ListChildren, ReadProperty  True
Administrative Groups       ListChildren, ReadProperty  False
PoolFqdn         UMIPGateway  DialPlans
--------         -----------  ---------
pool.domain.com  pool         {Contoso Dial Plan}
The following event may be logged (Applications and Services Logs - "MSExchange Management") after running this script:
Log Name: MSExchange Management
Source: MSExchange CmdletLogs
Date: 10/03/2017 10:38:07
Event ID: 6
Task Category: (1)
Level: Error
Keywords: Classic
User: N/A
Computer: computer1.domain.com
The following information was included with the event:
Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -Debug "True" -User "domain.com\RTCUniversalServerAdmins" -ErrorVariable "ErrorList"
domain.com/UMAdmin
Local-ConsoleHost-Unknown
12164 powershell.exe
00:00:53.5386187
View Entire Forest: 'True',
Microsoft.Exchange.Configuration.Tasks.ManagementObjectAmbiguousException: There are multiple objects matching the identity "Administrative Groups". Please specify a unique value.
The same error occurs (obviously) if you run the script's commands manually:
Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCUniversalServerAdmins"
Add-ADPermission -InheritanceType "All" -AccessRights ("ListChildren, ReadProperty") -Identity "Administrative Groups" -User "domain.com\RTCComponentUniversalServices"
Cause
In my case my domain.com forest had a custom Organizational Unit (OU) named "Administrative Groups" that was created manually by accident. As you probably know, an AD container with the exact same name, "Administrative Groups", is used for Exchange AD objects by Microsoft design. I guess the same issue occurs if you have a custom OU named "First Organization", "UM DialPlan Container" or "UM AutoAttendant Container". Don't give custom OUs "system container" names and you'll never get this issue.
Solution
Just rename the custom OU "Administrative Groups" to something else (e.g. "Admin Groups") and run the ExchUCUtil.ps1 script again.
How do you determine where this custom OU (with the same name as a system container) is located?
Get-ADPermission -Identity "Administrative Groups" | Select-Object Identity | Sort-Object Identity | Get-Unique -AsString
In my case I got something like:
Identity
--------
Administrative Groups
contoso.com/HelpDesk Groups/Administrative groups
where "contoso.com/HelpDesk Groups/Administrative groups" is the path to the custom OU that causes the Exchange UM integration issue.
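A forest-wide pre-flight check for the name collision described above, covering all four container names mentioned in this post rather than only "Administrative Groups". This is an added example, not part of the original post or of ExchUCUtil.ps1. The function name Find-ExchangeNameCollision is hypothetical, and it assumes the ActiveDirectory module is installed and the account can read every domain in the forest.

```powershell
# Added example (not part of ExchUCUtil.ps1). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Container names listed in this post that a custom OU must not reuse.
# "First Organization" is the Exchange organization name shown in the output
# above; substitute your own organization name.
$ReservedNames = 'Administrative Groups', 'First Organization',
                 'UM DialPlan Container', 'UM AutoAttendant Container'

function Find-ExchangeNameCollision {
    [CmdletBinding()]
    param(
        [string[]]$Name = $ReservedNames
    )

    # LDAP OR-filter over the reserved names: (|(name=A)(name=B)...)
    $filter = '(|' + (($Name | ForEach-Object { "(name=$_)" }) -join '') + ')'

    foreach ($domain in (Get-ADForest).Domains) {
        # Search only the domain naming context. The genuine Exchange containers
        # live in the Configuration partition, so anything found here is a
        # custom object whose name collides with them.
        $base = (Get-ADDomain -Server $domain).DistinguishedName
        Get-ADObject -Server $domain -SearchBase $base -SearchScope Subtree `
                     -LDAPFilter $filter -Properties whenCreated |
            Select-Object @{ n = 'Domain'; e = { $domain } },
                          Name, ObjectClass, whenCreated, DistinguishedName
    }
}

$collisions = @(Find-ExchangeNameCollision)
if ($collisions.Count -eq 0) {
    Write-Output 'No custom objects reuse an Exchange container name.'
} else {
    $collisions | Format-Table -AutoSize -Wrap
    # Preview the rename described under "Solution" (drop -WhatIf to apply):
    # Rename-ADObject -Identity $collisions[0].DistinguishedName -NewName 'Admin Groups' -WhatIf
}
```

Running this before ExchUCUtil.ps1 shows the colliding object's distinguished name and creation date, which helps confirm it is the accidental OU before renaming it.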