Windows Messenger users cannot sign in to Live Communications Server, and event ID 29 appears in the application log (835970)


The information in this article applies to:

  • Microsoft Office Live Communications Server 2003
  • Microsoft Windows Messenger 5.0

SYMPTOMS

After you install and configure Microsoft Office Live Communications Server 2003, Microsoft Windows Messenger users cannot sign in to Live Communications Server. Additionally, the following event appears in the application log on the Live Communications Server computer.Event Source: Live Communications Active Directory Connector
Event Category: None
Event ID: 29
Date: date
Time: time
Event Type: Error
Computer: computername
Description: Encountered an unknown failure while attempting to process a user entry. The entry came from naming context DC=contoso,DC=com. This error has caused the replication cycle to fail. It will be retried.
Diagnostic information: User DN attribute value: CN=Guest,CN=Users,DC=contoso,DC=com Guid Active Directory attribute name: objectGUID Guid Active Directory attribute value: {A5E68767-26D9-4843-9B07-FDE285F87996} The error occurred while processing attribute isDeleted. The description of the error that occurred is: Decoding Error (hr=0x8007003b).

CAUSE

This issue occurs if the following groups do not have sufficient permissions to the user objects in the Active Directory directory service:
  • RTCHSDomainServices
  • RTCDomainServerAdmins
  • RTCDomainUserAdmins
This scenario may occur if you remove permission inheritance from the domain container in Active Directory before you install Live Communications Server.

Sometimes, this issue occurs because authenticated users may not have Read permissions for a user objects container and for the user objects in the container. If authenticated users has been removed or denied Read permissions, you must grant the RTCHSDomainServices group Read permissions on the user objects in the container and on the container.

RESOLUTION

To resolve this issue, verify the permissions that are assigned to Live Communications Server-related groups in Active Directory. The following table lists the appropriate permission assignments for these groups.
Group namePermissionProperty name
RTCHSDomainServicesReadRTCPropertySet
RTCHSDomainServicesReadRTCUserSearchPropertySet
RTCDomainServerAdminsReadRTCPropertySet
RTCDomainServerAdminsWriteRTCPropertySet
RTCDomainUserAdminsReadRTCPropertySet
RTCDomainUserAdminsWriteRTCPropertySet
RTCDomainUserAdminsReadRTCUserSearchPropertySet
RTCDomainUserAdminsWriteRTCUserSearchPropertySet
RTCDomainUserAdminsReadPublic Information
RTCDomainUserAdminsWritePublic Information
Assign the correct permissions to each of the Active Directory containers that contain user objects. To assign these permissions to a user objects container, follow these steps.Warning If you use the ADSI Edit snap-in, the LDP utility, or any other LDAP version 3 client, and you incorrectly modify the attributes of Active Directory objects, you can cause serious problems. These problems may require you to reinstall Microsoft Windows 2000 Server, Microsoft Windows Server 2003, Microsoft Exchange 2000 Server, Microsoft Exchange Server 2003, or both Windows and Exchange. Microsoft cannot guarantee that problems that occur if you incorrectly modify Active Directory object attributes can be solved. Modify these attributes at your own risk.
  1. Start the ADSI Edit tool, and then connect to a domain controller. To start ADSI Edit, click Start, click Run, type adsiedit.msc, and then click OK.

    Note ADSI Edit is included with the Microsoft Windows Server 2003 Support Tools. To install the Windows Support Tools, double-click Suptools.msi in the Support\Tools folder on the Windows Server 2003 CD.
  2. Expand Domain [domaincontrollername.example.com], right-click the user objects container where you want to assign permissions, and then click Properties. For example, right-click CN=Users, and then click Properties or right-click OU=organizational-unit-name, and then click Properties.
  3. Click the Security tab, and then click Advanced.
  4. Click Add, type rtchsdomainservices, click Check Names, and then click OK.
  5. In the Permission Entry for ContainerName dialog box that appears, click the Properties tab.
  6. In the Apply onto list, click User objects.
  7. In the Allow column, click to select both of the following check boxes:

    Read RTCPropertySet
    Read RTCUserSearchPropertySet

  8. Click OK.
  9. Click Add, type rtcdomainserveradmins, click Check Names, and then click OK.
  10. Click the Properties tab, click User objects in the Apply onto list, and then in the Allow column, click to select both of the following check boxes:

    Read RTCPropertySet
    Write RTCPropertySet

  11. Click OK.
  12. Click Add, type rtcdomainuseradmins, click Check Names, and then click OK.
  13. Click the Properties tab, click User objects in the Apply onto list, and then in the Allow column, click to select all the following check boxes:

    Read Public Information
    Write Public Information
    Read RTCPropertySet
    Write RTCPropertySet
    Read RTCUserSearchPropertySet
    Write RTCUserSearchPropertySet

  14. Click OK three times to close all dialog boxes.
  15. Follow steps 2 through 14 to assign the correct permissions to the other containers that contain Live Communications Server users.
  16. When you are finished modifying permissions, quit ADSI Edit.
Modification Type:MajorLast Reviewed:6/29/2004
Keywords:kbprb KB835970 kbAudITPRO
©2004 Microsoft Corporation. All rights reserved.