We have done many deployments that have been LCS 2005 to OCS 2007 R2 migrations, however recently we encountered our first experience where migrating the global settings from the System Container to the Configuration Container in Active Directory was requested by the customer.
This process is outlined in documentation provided by Microsoft that can be found here: http://www.microsoft.com/downloads/details.aspx?FamilyID=23236784-508e-44c9-809d-30ff245928d8&displaylang=en
The important thing to note here is that the documentation is clearly outlined for OCS 2007 R1 to R2 migration scenarios, NOT LCS 2005 Sp1 to OCS 2007 R2 Migration Scenarios. The documentation states this works for LCS as well as OCS however, we ran into a bunch of flaws in the documentation that I will outline below with workarounds.
First off, LCS was never meant to work with the configuration container, Microsoft released an update here: http://support.microsoft.com/kb/911996 that supposedly would fix this. Basically if you had not installed that KB Update and tried to use LCSCmd to prep the forest with the /global:configuration switch it would error out with Invalid Parameters. Once you install this patch, the LCSCmd will take the /global:configuration switch and report a success. The interesting part here is that any version of LCS 2005 Sp1 Forest or Domain prep will not perform the correct functions on the Global Settings if they are stored in the configuration container and the system container at the same time. The hard thing about this is that the documentation states to wait to delete the system container information until testing all services, unfortunately this is impossible.
Here are the various issues I ran into while performing this migration. First off, the scripts do their job just as they should, the script would successfully migrate the Global Settings containers to the Configuration Container. We did however start running into some minor issues when we went to update the user DN References. We noticed the user DN references script was not making any changes and kept saying it was not complete.
We decided to check the msRTCSIP-PrimaryHomeServer setting to see if these changes had indeed been made, we viewed users in different OUs and confirmed they were pointing to the configuration data for their home server.
From here we started to panic so we decided to test if we could start the LCS Service. The LCS Service would fail to start with the error messages shown below:
When using lcserror.exe to lookup the error code provided in the last error this was the response:
In the LCS Management Console there were two pools showing up, both with the same name. One pool would have no servers and users, and the other would have all of the servers and users. This was a good way for us to confirm that all users and servers were pointing to the Configuration Container for their information. The above error states it cannot find the AD objects it needs, which still didn’t seem to make sense because it was pointing to the configuration container. When checking the objects through ADSI Edit I noticed that the global settings containers were in the correct places, however none of the proper permissions had been applied to them, this usually happens during Domain Prep, which as I had mentioned above will not work with the global settings being in the System and Configuration Container at the same time. We manually added the RTCDomain groups to the containers with the proper permissions however the services still would not start.
Microsoft was able to confirm that the LCS Services would not start with the information in the System Container as well as the Configuration Container. After using the migration script to delete the System Container information the service still failed to start. I ran a domain prep check on the domain and was able to see the Microsoft container was not showing as ready. Once the domain prep was run again, all permissions were correctly added to the objects in the Configuration Container and the LCS Services would start and everything was functioning again.
To summarize key things to note about the process that differs from the documentation:
- You must delete the information from the system container before running domain prep or else Domain Prep will not be able to add the permission correctly and the LCS Services will not start.
- When updating the user DN References it may not always show as completed, however you can verify by checking the msRTCSIP-PrimaryHomeServer setting through ADSI Edit.
Hopefully Microsoft can get this documentation updated soon, or atleast an announcement about this in a public blog, I have to imagine this is causing a lot of havoc on the LCS to OCS Migrations.