I’ve been pretty busy lately and haven’t had much time to blog. Now that I finally have some quiet time, I’m going to share a bit of my experience from a recent Lync deployment that involved a parent-child Active Directory layout.

After publishing the topology and running the installation wizard, when we (my colleague and I) were about to enable a couple of users for pilot testing, we hit an error in the Lync Control Panel:

 Active Directory operation failed on DC1.child.domain.com. Insufficient access rights to perform the operation to create or enable users

We cross-checked that the account belongs to the following groups:

  • Domain Admin
  • CSAdministrator

Everything looked fine: we were able to communicate with the Domain Controllers without any issues, and queries against the Active Directory schema looked OK.

So we were pretty sure it had something to do with the parent-child relationship: we had deployed the Lync services in the child domain, and some permissions might not be passed down from the parent domain. After some research, we finally found the solution: enabling inheritable permissions on the Active Directory user objects.

To do this, go to any writable Domain Controller and turn on Advanced Features:

  1. Locate the user that is to be enabled and open its Properties dialog
  2. Select the Security tab
  3. Select Advanced
  4. Enable the check box Include inheritable permissions from this object’s parent

Log back into the Lync Control Panel and that’s it! The user is now enabled and ready to log into Lync.
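Clicking through the Security tab works for a handful of pilot users, but it is handy to check a whole list of accounts before enabling them and to flip the setting from a script. The following PowerShell is an added example written for this post, not something from the original walkthrough or from Microsoft; it assumes the ActiveDirectory module (and its AD: drive) is available on the machine you run it from, and the sample account names are made up. `Get-UserInheritanceState` reports whether inheritance is blocked on a user object, and `Enable-UserInheritance` clears the block the same way the check box does.

```powershell
# Added example: inspect and enable permission inheritance on AD user objects.
# Assumes the ActiveDirectory module is installed; run as an account that may
# modify the ACL of the target user objects (e.g. a Domain Admin).
Import-Module ActiveDirectory

function Get-UserInheritanceState {
    # Returns one record per account describing whether the security descriptor
    # has inheritance turned off (the state that broke user enablement above).
    param(
        [Parameter(Mandatory)]
        [string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        # adminCount is included because accounts covered by AdminSDHolder
        # (members of groups such as Domain Admins) get inheritance re-disabled
        # periodically; the GUI fix will not stick for those accounts.
        $user = Get-ADUser -Identity $name -Properties adminCount
        $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
        [pscustomobject]@{
            SamAccountName     = $user.SamAccountName
            DistinguishedName  = $user.DistinguishedName
            InheritanceBlocked = $acl.AreAccessRulesProtected
            AdminCount         = $user.adminCount
        }
    }
}

function Enable-UserInheritance {
    # Equivalent of ticking "Include inheritable permissions from this object's
    # parent" on the user's Security > Advanced dialog. Supports -WhatIf.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [string[]]$SamAccountName
    )
    foreach ($name in $SamAccountName) {
        $user = Get-ADUser -Identity $name
        $path = "AD:\" + $user.DistinguishedName
        $acl  = Get-Acl -Path $path
        if (-not $acl.AreAccessRulesProtected) {
            Write-Verbose "$name already inherits permissions; nothing to do."
            continue
        }
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Enable permission inheritance")) {
            # SetAccessRuleProtection(isProtected, preserveInheritance):
            # isProtected = $false re-enables inheritance from the parent container.
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path $path -AclObject $acl
        }
    }
}

# Constructed sample: two pilot accounts in the child domain.
$pilotUsers = @('pilot.user1', 'pilot.user2')

# 1. Report which pilot accounts still have inheritance blocked.
Get-UserInheritanceState -SamAccountName $pilotUsers | Format-Table -AutoSize

# 2. Fix only the blocked ones (drop -WhatIf to apply the change).
$blocked = Get-UserInheritanceState -SamAccountName $pilotUsers |
    Where-Object InheritanceBlocked |
    Select-Object -ExpandProperty SamAccountName
if ($blocked) { Enable-UserInheritance -SamAccountName $blocked -WhatIf }
```

Run the report first: if a pilot account shows `InheritanceBlocked = True` together with `AdminCount = 1`, it is a protected account and AD will turn inheritance off again within about an hour, so the right fix for that one is to take it out of the protected group (or use a separate non-admin account for Lync) rather than re-enabling inheritance repeatedly.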

Special thanks to my colleague Chee Wai and also to Mark A King from the TechNet forum (http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/c90a7df8-ac4c-4297-a5a8-aa589e1d163d/).