Step#1: Remove permissions
To remove the original Lync permissions from Active Directory, follow the steps below.
- Open Active Directory Users and Computers
- Right click on your top level domain being cleaned and select Properties
- From the Properties window, select the Security tab.
- Remove all security principals named RTC*
These are usually:
– RTCUniversalServerReadOnlyGroup
– RTCUniversalUserReadOnlyGroup
– RTCUniversalUniversalServices
– RTCUniversalUserAdmins
- Repeat the same steps for each of the following AD folders and OUs
NOTE: Not every RTC permission will exist on every AD folder or OU, but these three do carry RTC permissions:
– Domain Controllers
– System
– Users
Step#2: Remove the RTC Services branch
- Open ADSI Edit
New to ADSI? See this link: http://technet.microsoft.com/en-us/library/cc773354
- Open the Naming Context Configuration for the domain being cleaned
- Drill down to the following path:
CN=Configuration [your domain] > CN=Services
- Delete the CN=RTC Service entry
Step#3: Reverting AD Preparation
- Reverting the domain preparation
To remove the permission lists for the groups, run the cmdlet:
Disable-CsAdDomain [-Domain <AD domain Fqdn>] [-DomainController <Fqdn of domain controller>] [-Force] [-GlobalCatalog <Fqdn>]
The -Force parameter forces the cmdlet to run. If it is not present, the cmdlet checks the domain for an active Front End and does not run if that server role is found. If it is present, the removal is carried out regardless of which server roles are still active.
The -Verbose option is used to generate an HTML file with the status of the cmdlet. The log should show that the task executed successfully.
- Reversing the forest preparation
To remove the Active Directory groups that were created by the Lync installation wizard, run the cmdlet:
Disable-CsAdForest [-Force] [-GroupDomain <FQDN of the domain in which universal groups were created>]
The -Force parameter forces the cmdlet to run. If it is not present, the cmdlet checks the domain for an active Front End and does not run if that server role is found. If it is present, the removal is carried out regardless of which server roles are still active.
The -Verbose option is used to generate an HTML file with the status of the cmdlet. The log should show that the task executed successfully.
To finish removing Lync Server, you must remove the machine account from Active Directory.
Open the Active Directory management console, then locate and remove the server account.
With this procedure all Lync configuration is removed, except for the changes to the schema, which are irreversible.
Step#4: Additional AD cleanup
- Open Active Directory Users and Computers
- Drill down as follows
[Your Domain] > Program Data > Distributed KeyMan
- Delete LyncCertificates
NOTE: This may not exist in all scenarios.
- Delete all RTC* and CS* users created by Lync
For example: CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, etc.
Step#5: Cleanup existing users
To reset the Lync attributes on any domain users and contacts, follow the steps below.
- Open Active Directory Users and Computers
- Click View from the menu and activate Advanced Features
- Right click on your domain and select Find
- Set the Find: option to Custom Search
- Select the Advanced tab
- Enter the following LDAP Query: (msRTCSIP-PrimaryHomeServer=*)
- Click Find Now
- Note each returned user or object
- Close Find
- Right click on each user or object found in the search
- Select Properties
- Select the Attribute Editor tab
- Find and reset all msRTCSIP* attributes for the user/object
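Step#5 carried out from PowerShell instead of object by object in the GUI, as an added example that is not part of the original article. It assumes the ActiveDirectory (RSAT) module is installed and that "reset" means clearing the attribute; the function names Get-LyncStampedObject and Clear-LyncAttribute and the CSV file name are hypothetical.

```powershell
# Added example: scripted form of Step#5. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-LyncStampedObject {
    # Uses the same LDAP query as the Custom Search in Step#5.
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -LDAPFilter '(msRTCSIP-PrimaryHomeServer=*)' -SearchBase $SearchBase -Properties * |
        ForEach-Object {
            $obj   = $_
            # Only attributes that actually hold a value are returned, so this
            # is the exact set that needs clearing on this object.
            $names = @($obj.PropertyNames | Where-Object { $_ -like 'msRTCSIP-*' })
            [pscustomobject]@{
                DistinguishedName = $obj.DistinguishedName
                ObjectClass       = $obj.ObjectClass
                LyncAttributes    = $names
                # Current values, kept so the change can be reviewed or reverted.
                Values            = ($names | ForEach-Object { "$_=$($obj.$_)" }) -join '; '
            }
        }
}

function Clear-LyncAttribute {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$InputObject)
    process {
        if ($InputObject.LyncAttributes.Count -eq 0) { return }
        $action = "Clear $($InputObject.LyncAttributes -join ', ')"
        if ($PSCmdlet.ShouldProcess($InputObject.DistinguishedName, $action)) {
            Set-ADObject -Identity $InputObject.DistinguishedName -Clear $InputObject.LyncAttributes
        }
    }
}

# 1. Record every object and its Lync attributes before changing anything
#    (the "note each returned user or object" step).
$found = @(Get-LyncStampedObject)
$found | Select-Object DistinguishedName, ObjectClass, Values |
    Export-Csv -Path .\lync-attributes-before.csv -NoTypeInformation

# 2. Dry run: prints what would be cleared and changes nothing.
#    Remove -WhatIf only after reviewing the CSV.
$found | Clear-LyncAttribute -WhatIf

# 3. After the real run, the search from Step#5 should return no objects.
Write-Output "Objects still carrying msRTCSIP-PrimaryHomeServer: $(@(Get-LyncStampedObject).Count)"
```

Run it with an account that has write access to the affected users and contacts, and keep the CSV with the change record.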








