Lync/SfB Server: Checking for duplicate entries in the Active Directory Configuration Partition

While troubleshooting the issue described in Checking for “ms-RTC-SIP-TrustedServer” multiple Active Directory entries with PowerShell, we encountered more duplicates for the same server, so we decided to compile all the checks in one place.

As with our previous post, Checks to do in the Lync/SfB Certificate Store, this list will be updated over time, and you are welcome to add a comment with a test you think should be included in it.

Note: Replace DC=gears,DC=lab with the value for your domain.

Global Setting (msRTCSIP-TrustedServer)

Get-ItemProperty -Path "AD:CN=*,CN=Global Settings,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-TrustedServerFQDN,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedServerFQDN | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq "msRTCSIP-TrustedServer"} | Select cn,msRTCSIP-TrustedServerFQDN,whenChanged,whenCreated | ft -AutoSize

Pools (msRTCSIP-PoolDisplayName)

Get-ItemProperty -Path "AD:CN=*,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-PoolDisplayName,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-PoolDisplayName | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq "msRTCSIP-Pool"} | Select cn,msRTCSIP-PoolDisplayName,whenChanged,whenCreated | ft -AutoSize

Trusted MCUs (msRTCSIP-TrustedMCU)

Get-ItemProperty -Path "AD:CN=*,CN=Trusted MCUs,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq "msRTCSIP-TrustedMCU"} | Select cn,msRTCSIP-TrustedMCUFQDN,msRTCSIP-MCUType,whenChanged,whenCreated | ft -AutoSize

Trusted Services (msRTCSIP-TrustedService)

Get-ItemProperty -Path "AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq "msRTCSIP-TrustedService"} | Select cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenChanged,whenCreated | ft -AutoSize

Trusted WebComponentsServers (msRTCSIP-TrustedWebComponentsServer)

Get-ItemProperty -Path "AD:CN=*,CN=Trusted WebComponentsServers,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-TrustedWebComponentsServerFQDN,objectClass,whenChanged,whenCreated | Group-Object -Property msRTCSIP-TrustedWebComponentsServerFQDN | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | ?{$_.objectClass -eq "msRTCSIP-TrustedWebComponentsServer"} | Select cn,msRTCSIP-TrustedWebComponentsServerFQDN,whenChanged,whenCreated | ft -AutoSize
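
The five checks above collected into one function, as an added example that is not part of the original post. It swaps the AD: provider path for Get-ADObject and reads the configuration naming context from the RootDSE, so DC=gears,DC=lab does not have to be edited in; Find-RtcDuplicateEntry, $RtcDuplicateChecks and the output column names are hypothetical names chosen for illustration.

```powershell
# Added example, not from the original post; function and variable names are hypothetical.
Import-Module ActiveDirectory
# Container, object class and grouping attribute(s) of the five checks above.
$RtcDuplicateChecks = @(
    @{ Container = 'Global Settings'; Class = 'msRTCSIP-TrustedServer'
       Keys = @('msRTCSIP-TrustedServerFQDN') }
    @{ Container = 'Pools'; Class = 'msRTCSIP-Pool'
       Keys = @('msRTCSIP-PoolDisplayName') }
    @{ Container = 'Trusted MCUs'; Class = 'msRTCSIP-TrustedMCU'
       Keys = @('msRTCSIP-TrustedMCUFQDN', 'msRTCSIP-MCUType') }
    @{ Container = 'Trusted Services'; Class = 'msRTCSIP-TrustedService'
       Keys = @('msRTCSIP-TrustedServerFQDN', 'msRTCSIP-TrustedServiceType') }
    @{ Container = 'Trusted WebComponentsServers'; Class = 'msRTCSIP-TrustedWebComponentsServer'
       Keys = @('msRTCSIP-TrustedWebComponentsServerFQDN') }
)

function Find-RtcDuplicateEntry {
    param(
        # Configuration partition DN, read from the RootDSE so no domain is hard-coded.
        [string]$ConfigurationNC = (Get-ADRootDSE).configurationNamingContext
    )
    foreach ($check in $RtcDuplicateChecks) {
        $base   = "CN=$($check.Container),CN=RTC Service,CN=Services,$ConfigurationNC"
        # Only objects of the expected class that actually carry the first key attribute.
        $filter = "(&(objectClass=$($check.Class))($($check.Keys[0])=*))"
        $props  = @('cn', 'whenCreated', 'whenChanged') + $check.Keys
        # Composite key: every grouping attribute of the entry, joined with '|'.
        $keyOf  = { $o = $_; ($check.Keys | ForEach-Object { "$($o.$_)" }) -join '|' }
        Get-ADObject -SearchBase $base -SearchScope OneLevel -LDAPFilter $filter -Properties $props |
            Group-Object -Property $keyOf |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object {
                $group = $_
                foreach ($entry in $group.Group) {
                    [pscustomobject]@{
                        Container         = $check.Container
                        DuplicateKey      = $group.Name
                        cn                = $entry.cn
                        DistinguishedName = $entry.DistinguishedName
                        whenCreated       = $entry.whenCreated
                        whenChanged       = $entry.whenChanged
                    }
                }
            }
    }
}
Find-RtcDuplicateEntry | Sort-Object Container, DuplicateKey, whenCreated | Format-Table -AutoSize
```

The function only reads from the directory. Piping its output to Export-Clixml instead of Format-Table keeps a record of which entries were flagged, with their distinguished names and timestamps.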

Checking for “ms-RTC-SIP-TrustedServer” multiple Active Directory entries with PowerShell

While publishing and enabling a topology, we were getting this error:

Enable-CsTopology: Multiple Active Directory entries were found for type "ms-RTC-SIP-TrustedServer" with ID "<SERVER FQDN>".

Publishing the topology succeeded, but enabling it then showed this error.

The next step was to check for duplicates in the Active Directory Configuration Partition. If you have already browsed it, you probably know it has too many entries to check by hand.

An easy way to check for duplicates is to use PowerShell. For this we need a server/desktop with the Active Directory PowerShell module installed, because the AD: drive won’t be available if we don’t load the AD module:

Get-ItemProperty : Cannot find drive. A drive with the name ‘AD’ does not exist.
At line:1 char:1
+ Get-ItemProperty -Path “AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services, …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (AD:String) [Get-ItemProperty], DriveNotFoundException
+ FullyQualifiedErrorId : DriveNotFound,Microsoft.PowerShell.Commands.GetItemPropertyCommand

To import the Active Directory module simply run:

Import-Module ActiveDirectory

To check for duplicates, we use the following PowerShell command:

Get-ItemProperty -Path "AD:CN=*,CN=Trusted Services,CN=RTC Service,CN=Services,CN=Configuration,DC=gears,DC=lab" -Name cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenCreated,whenChanged | Group-Object -Property msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType | Where-Object {$_.Count -gt 1} | Select-Object -ExpandProperty Group | Select cn,msRTCSIP-TrustedServerFQDN,msRTCSIP-TrustedServiceType,whenCreated,whenChanged | ft -AutoSize

Note: Replace DC=gears,DC=lab with the value for your domain.

Now we know which values are duplicated. Please pay special attention when changing values in the Active Directory Configuration partition: you should have a backup of all values before making any change.

Lastly, a special thanks to the blog Hey, Scripting Guy for this post:

Hey, Scripting Guy! How Can I Use Windows PowerShell to Retrieve the Non-Unique Items in a List?
http://blogs.technet.com/b/heyscriptingguy/archive/2008/01/31/how-can-i-use-windows-powershell-to-retrieve-the-non-unique-items-in-a-list.aspx