The other day when moving users between an OCS 2007 R2 pool and a new Lync pool I received the following error:

Unable to connect to some of the servers in pool <name> due to a Distributed Component Object Model (DCOM) error

After a brief hunt around the net I turned up a few posts that indicated some errors around migration when using a hardware load balancer. The only problem is that my environment was a single enterprise edition server so there was no load balancer!

For reference the HWLB posts were:

After checking the logs on the OCS server I noticed the following in the event log:

The application-specific permission settings do not grant Remote Launch permission for the COM Server application with CLSID

{91BC037F-B58C-43CB-AD9C-1718ACA70E2F}

and APPID

{91BC037F-B58C-43CB-AD9C-1718ACA70E2F}

to the user DOMAIN\LYNCSERVER1$ SID (S-1-5-21-796845957-436374069-854245398-24703) from address 10.253.0.210. This security permission can be modified using the Component Services administrative tool.

The “fix”

The following is a way to work around the issue; it's not really a fix and is a bit of a “hack”. In my environment I was migrating users away from OCS and was due to decommission it, so it wasn’t worth troubleshooting further.

  • Log onto the OCS server you are trying to move the users away from
    • This might need to be repeated on all the OCS servers in a pool?
  • Open “Component Services” from “Administrative Tools”
  • Expand “Component Services/Computers/My Computer/DCOM Config”
  • Find “RTC Store Access Interface Class”

  • Edit the properties and you should see that the “Everyone” group is Denied for Local & Remote Launch

  • Remove the “Deny” for “Everyone” on “Remote Launch”
  • Scroll down the permissions to find “RTC Server Local Group”
  • Give this group “Remote Launch” permissions

  • Retry the move from the Lync admin interface

Please be careful following these instructions and if it doesn’t work for you then make sure you put everything back as it should have been! I’m not sure what is causing this issue; when I checked the permissions against a working OCS server they were the same as the broken one, so that probably means there is another underlying issue rather than just these DCOM permissions. Like I said before, this really is just a “hack” so that I could get users moved and OCS decommissioned. I would not advise changing these settings if the machine was going to remain in production.
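
The launch permissions edited in Component Services are stored as a binary security descriptor in the LaunchPermission value under HKEY_CLASSES_ROOT\AppID\{APPID}. The following PowerShell is an added example, not part of the original post: it saves that value before any change and lists which principals are allowed or denied launch and activation, so the original state can be put back. The backup path and the fallback sample descriptor are assumptions made for the example.

```powershell
# Added example, not from the original post. Read-only except for the backup file.
$appId   = '{91BC037F-B58C-43CB-AD9C-1718ACA70E2F}'          # APPID from the event log entry
$keyPath = "Registry::HKEY_CLASSES_ROOT\AppID\$appId"
$backup  = Join-Path $env:TEMP "LaunchPermission-$appId.bin"  # assumed backup location

# COM launch/activation rights bits (COM_RIGHTS_* in the Windows SDK)
$rights = @{ 2 = 'Local Launch'; 4 = 'Remote Launch'; 8 = 'Local Activation'; 16 = 'Remote Activation' }

function Get-LaunchAce($sd) {
    foreach ($ace in $sd.DiscretionaryAcl) {
        $sid = $ace.SecurityIdentifier
        try   { $who = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $who = $sid.Value }                       # unresolvable SID: show it raw
        $granted = @($rights.Keys | Sort-Object | Where-Object { $ace.AccessMask -band $_ } |
                     ForEach-Object { $rights[$_] })
        New-Object PSObject -Property @{
            Type   = $ace.AceType                         # AccessAllowed or AccessDenied
            Who    = $who
            Rights = $granted -join ', '
        }
    }
}

$value = Get-ItemProperty -Path $keyPath -Name LaunchPermission -ErrorAction SilentlyContinue
if ($value) {
    $bytes = [byte[]]$value.LaunchPermission
    [System.IO.File]::WriteAllBytes($backup, $bytes)      # keep the original ACL for rollback
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $bytes, 0
    "Backed up current ACL to $backup"
} else {
    # Constructed sample descriptor, used only when the value is absent (e.g. off the OCS server):
    # deny Everyone local+remote launch (0x6), allow SYSTEM every COM right (0x1f).
    $sample = 'O:BAG:BAD:(D;;0x6;;;WD)(A;;0x1f;;;SY)'
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sample
    'LaunchPermission not found here; decoding a constructed sample instead'
}

# SDDL form of the DACL, then one row per ACE
$sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::Access)
Get-LaunchAce $sd | Select-Object Type, Who, Rights | Format-Table -AutoSize

# Rollback after the migration (run elevated), restoring the exact bytes saved above:
# Set-ItemProperty -Path $keyPath -Name LaunchPermission -Value ([System.IO.File]::ReadAllBytes($backup))
```

Running it before and after the Component Services change gives a record of exactly which ACEs were altered; an AccessDenied row for Everyone that includes Remote Launch corresponds to the “Deny” entry described in the steps above.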


While I’m on the topic of moving users I then had an AD permissions issue that was easily solved: Cannot move Lync 2010 user to new pool