Error code 1603 – Skype for Business upgrade

Skype for Business server 2015 is here, and with it comes a time for “firsts”. Today, I’ve done my first In-place upgrades on servers from Lync 2013 to SfB 2015.

One thing I noted on a couple of servers was that the install failed during “Installing local management services” with this error:

Error returned while installing OcsCore.msi(Feature_LocalMgmtStore), code 1603.

I tried the “retry” option in the wizard, but it did no difference. A reboot of the server did the trick in both instances and the install continued perfectly.

I saved the logs and went through them afterwards, and found these lines

Error 0x80070430: failed to set security info for object: RTCCLSAGT error code: 1072
Error 0x80070430: failed to set security info for object: REPLICA error code: 1072

A quick google search shows that this error means “The specified service has been marked for deletion.” So for some reason the wizard hasn’t been able to completely delete the service. Seems that the easiest way to resolve this error is a quick reboot of the server, but to avoid getting it here’s a couple of checks:

  • Be sure to have closed all mmc instances on the server, including
    • Services
    • Event viewer
  • Close Task manager

I’m pretty sure there are other causes for the error as well, but again, in all cases a reboot should solve the issue.

Powerpoint presentations not working externally

I just had a problem with powerpoint presentations in Lync 2013 that behaved strangly.

All internal users could share and view powerpoints as they should, but all external users and guests could not. It behaved the same way in Lync 2013 clients as in the web app. It would just show “connecting” or “Waiting for the presentation to begin” before failing with a message that the network had gone down or the server was busy. There were no errors logged on the WAC server and no failures recorded on the monitoring database. I could also reach the through the TMG rule. Really weird.

After a bit of googling I found a forum post on technet where someone referenced a setting on the HTTP filter called “Verify Normalization”. The setting is found on the “Traffic” tab on the rule, like this:

Verify Normalization

Unticking this box solved the issue.

The rule is explained here, but it is basically a security mechanism that blocks URLs containing % sign if they are double encoded in the URL, although they can end up blocking legitimate traffic as well which is the case here. I do not know if this is a bug in WAC/OWAS or if it is by design though. Removing “Verify Normalization” from the rule will solve the issue in any case.

The URL the clients were accessing looked something like this, and contains a lot of url encoded characters.<fs=FULLSCREEN&><rec=RECORDING&><thm=THEME_ID&><ui=UI_LLCC&><rs=DC_LLCC&&gt

ACE warnings when publishing topology

Now and then when publishing the topology, I’ve gotten some warnings that just states one or more of these:

Warning: Ace DOMAIN\RTCUniversalGlobalReadOnlyGroup; Allow; ReadProperty; None; None

and also later in the log

Warning: One or more group access control entries (ACEs) are not ready.

This means that not all ACEs are ready after the forest prep, for whatever reason. Just run a


which should reset the permissions, and you should be fine.

Presence issues with the calendar integration in CU2?

I just had a case where the users experienced that presence in the Lync client did not update based on the calendar information unless they restarted the client completely. Relogging did not help.

The weird thing was that on the users contact card they would be listed as busy, but their presence was still available.

After quite a bit of troubleshooting and some help from colleagues, I ended up removing CU2 (the April 2011 update, gives version .275 to the client). This removed the problem completely. So, if you are having presence issues with Lync, try removing CU2 for now.

This might be a bug?

Communicator Phone Edition – Update Issues

After following several guides to configuring the device update service in OCS 2007 R2, including Rui Silvas trilogy and Rick Varvels guide, I still couldn’t get the phones to update the software.

All logs were showing that it had worked, the Update service logs showing that the phone had found the right sw, and IIS logs showing me a 200 OK sent to all phones…

Troubleshooting finally led me to try downloading the CPE.nbt file manually from


which just gave me a blank page.

I tried comparing the IIS configuration to one I knew was working, and saw that I had a lot less IIS roles installed on the one that was not working.

When I installed this Front End server, i used the commands in this post to install the prereqs. Turns out that if you are going to use CPE, you will probably also need the “Static Content” role service in IIS to configure the correct MIME types on the fileextensions the update serrvice uses.

There exists default MIME types for both the .xml and the .cat extensions that is used by the updater. There is however no default for the .nbt extension.

If this role service is not installed, the updater does not work. You will have to add this feature, and then manually add the correct MIME types to the DeviceUpdateFiles_Int/ and DeviceUpdateFiles_Ext/ folders, which should be:

<mimeMap fileExtension=”.nbt” mimeType=”binary/octet-stream” />

<mimeMap fileExtension=”.cat” mimeType=”binary/octet-stream” />

(I have no idea as to why the bottom one is smaller than the other, but I cant get them equal size for some reason :S)

Hey presto! The phones update themselves like magic has happened!

OCS 2007 R2 Bug

Seems there is a bug in OCS 2007 R2 that makes the edge server behave strangely. You will fail validation, and you might also get a “Limited External calling” message in the OC client.

The solution is posted here: