Error message if you try to enable the telephony server on a domain controller that is running Windows Server 2008: "No call appearance available"

If you try to enable the telephony server on a domain controller that is running Windows Server 2008, you receive an error message that resembles the following message:Additionally, the telephony server is not enabled.

This problem occurs if the service connection point (SCP) is not published under the computer object in Active Directory.

To resolve this problem, grant the appropriate permissions to the Network Service account. These permissions are the required permissions to enable the telephony server on the domain controller that is running Windows Server 2008. To grant these permissions, follow these steps.

Important These steps may increase your security risk. These steps may also make the computer or the network more vulnerable to attack by malicious users or by malicious software such as viruses. We recommend the process that this article describes to enable programs to operate as they are designed to or to implement specific program capabilities. Before you make these changes, we recommend that you evaluate the risks that are associated with implementing this process in your particular environment. If you decide to implement this process, take any appropriate additional steps to help protect the system. We recommend that you use this process only if you really require this process.

1. Log on to the domain controller that is running Windows Server 2008 by using a user account that has domain administrator credentials.
2. Click Start, click Run, type ldp.exe, and then click OK.
3. On the Connection menu, click Connect, and then press ENTER to connect by using the default options.
4. On the Connection menu, click Bind, and then press ENTER to bind by using the default options.
5. On the View menu, click Tree, and then press ENTER to display the tree view of the domain.
6. In the navigation pane, expand the entry, and then double-click the domain controller.
7. In the list of domain controllers, right-click the computer that acts both as the domain controller and as the telephony server, point to Advanced, click Security Descriptor, and then click OK.
8. In the DACL list, click any entry, and then click Add ACE.
9. In the Trustee box, type NT AUTHORITY\Network Service, and then click to select the following check boxes in the Access mask area:
   • Read property
   • Read permissions
   • Create child
   • Delete child
10. Click OK. Then, click Update.
11. On the Connection menu, click Exit.

Notes

• This procedure may cause security issues if some malicious code runs in the Network Service context on the domain controller that is running Windows Server 2008.
• This procedure is for only a domain controller that is running Windows Server 2008. Additionally, permissions have to be modified only for the specific domain controller that acts as the telephony server.
• To enable the telephony server in earlier versions of the Windows Server operating system, you have to configure the TAPI service to run in a domain account that is a member of the built-in administrators group. This procedure is not required in earlier versions of the Windows Server operating system. Additionally, this procedure is not applicable in earlier versions of the Windows Server operating system.
• On a domain controller that is running Windows Server 2008, follow this procedure before you run the "Tapimgmt.msc" command to enable the telephony server. Do not configure the TAPI service to run under a different account instead of under the Network Service account.
• On a computer that is running Windows Server 2008 that is not a domain controller, no steps are required before you run the "Tapimgmt.msc" command to enable the telephony server. Do not configure the TAPI service to run under a different account instead of under the Network Service account.

To remove the permissions that are granted to the Network Service account to enable the telephony server on the domain controller that is running Windows Server 2008, follow these steps:

1. Repeat step 1 through step 7 in the "Resolution" section.
2. In the DACL list, click the NT AUTHORITY\NETWORK SERVICE entry under the Trustee column.
   
   Note Make sure that the NT AUTHORITY\NETWORK SERVICE entry has the following items listed under the Rights column:
   • Read property
   • Read permissions
   • Create child
   • Delete child
3. Click Delete ACE. Click Yes when you are prompted.
4. Click Update.
5. On the Connection menu, click Exit.

When you enable the telephony server, you publish the SCP under the computer object in Active Directory. When the computer account uses default permissions, the computer account has the required permissions to enable the telephony server. However, when the Network Service account uses default permissions, the Network Service account does not have the required permissions to enable the telephony server.

The TAPI service runs under the Network Service account. When the domain controller is a remote computer, the TAPI service appears to be running under the computer account. Therefore, the SCP is published successfully. If the domain controller is a local computer, the TAPI service appears to be running under the Network Service account. Therefore, the SCP is not published.