Lync 2010 SBA with RODC – How to get it to work…

Hi.
Lately I have been troubleshooting a Lync 2010 SBA installed in a Lync 2010 infrastructure.
The SBA was unstable, and the Lync Registrar service (Lync FrontEnd) didn’t always start.
Yes – not always!
Sometimes it started, and sometimes it didn’t…

My experience is that the following Active Directory supportability statement doesn’t make much sense.
Statement:

Support for Read-Only Domain Controllers

Lync Server 2010 supports Active Directory Domain Services (AD DS) deployments that include read-only domain controllers or read-only global catalog servers, as long as there are writable domain controllers available.

I asked Microsoft what this statement really meant, and I got the following reply:

We are aware of the statement, but not sure if it means “We work with an
RODC as long as we need to read and require a RWDC if we need to write” or “We
have no problem with RODC’s being there but we ignore them and can only work
with a normal DC”.

The reply really got me thinking, and didn’t bring calm to my chest !!

I created a MS Support ticket for this – As I need to get to the bottom of this…

While I was waiting for the response on the Support Ticket, I did some Wireshark traces on the SBA during the start of the Lync FrontEnd service.

The Active Directory in this case is designed with multiple AD Sites. The site where the SBA is placed only contains a RODC, but RWDCs are available at other sites – and accessible from the SBA.

This is, as I see it, covered by the Active Directory Supportability!

During the analysis of the Wireshark traces, I saw that the SBA was randomly selecting DCs to talk to based on DNS lookup – this is as expected, and I didn’t find any issues with this.
What I did notice is that the RODC was never among the DCs it was initially communicating with.
This is also expected, as the RODC only registers site-specific records in DNS.
Further into the Wireshark trace, I saw the following:

  1. When the Lync FrontEnd service was able to start, the SBA was communicating with the RODC.
  2. When the Lync FrontEnd service didn’t start, the SBA never communicated with the RODC.

This lead me back to Active Directory Sites and Services, and the following – How can I ensure that the SBA is communicating with the closest RWDC ?

I have previously been told that “Lync ignores the configuration in Active Directory Sites and Services, and is not AD Sites and Services aware – as Exchange is.”

Well, I was really not sure about the AD Sites and Services part, so I did a change !

I added a /32 subnet for the Lync SBA IP address in AD Sites and Services (Subnets: “Lync SBA IP/32”), and assigned that subnet to the closest AD Site that has a RWDC.

The SBA was restarted to make the server pick up the AD Sites and Services change.
Once restarted, I used the following command to verify the change: nltest /dsgetsite
The command verified that the server had changed AD Site, and now belongs to an AD Site with RWDCs.

The Lync Management Shell was used, and the following command was issued: start-cswindowsservice

To my big surprise, the services started immediately!
This led to more questions than answers, and I’m currently working the MS Support Case to get the full story around Lync 2010/2013 supportability for RODC!

For now the SBA is running without issues, and I have not reverted it back to the original AD Site.
I am awaiting the final conclusion of the MS Support Ticket.
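A check for the situation described above, added here as an example and not part of the original post: it shows which AD site the server believes it is in (the same answer as nltest /dsgetsite), which DC the locator returns by default and when a writable DC is demanded, and whether each of those is read-only. It assumes the ActiveDirectory RSAT module is installed on the SBA and that a DC is reachable.

```powershell
# Added example: verify AD site membership and DC locator results on a server
# that sits in a site with only a RODC. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Site the server itself resolves to (same answer as "nltest /dsgetsite")
$site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite()
"Computer site: $($site.Name)"

# DC the locator returns with default discovery, and when a writable DC is required
# (-NextClosestSite lets the locator fall back to the next site if this one has no RWDC)
$anyDc      = Get-ADDomainController -Discover -ForceDiscover
$writableDc = Get-ADDomainController -Discover -ForceDiscover -Writable -NextClosestSite

foreach ($dc in @($anyDc, $writableDc)) {
    # HostName comes back as a collection with one entry
    $name   = @($dc.HostName)[0]
    $detail = Get-ADDomainController -Identity $name
    "{0,-40} site={1,-20} readonly={2}" -f $name, $dc.Site, $detail.IsReadOnly
}

# All RODCs in the domain, so you can see which ones the locator might prefer
Get-ADDomainController -Filter { IsReadOnly -eq $true } | Select-Object HostName, Site
```

If the first line of the per-DC output shows readonly=True while the second shows a RWDC in another site, the server is being served by the RODC for generic lookups; after the /32 subnet change the computer site should be the RWDC site and both lines should point at writable DCs.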

To be continued……


Lync 2010 Federation with AOL – Fixed !!

Hi.

One of my customers was having issues with federation between Lync 2010 and AOL.
I did some investigation, and found that they had applied for both MSN and AOL federation a long time ago.
Then I did some background checks to see if something had been changed – DNS names, IPs and so on – no change had been made.

Then on the 12th of December some Windows Update patches were released.
One of them was a Root CA update, and after this patch was installed the Lync Phone devices started to act strange.

They did a sign out and sign in each 30 seconds !!!

Lync 2010 FrontEnd Server:

Some investigation was made, and the following Registry change was implemented on the Lync FrontEnd Server.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Created the following DWORD value:

SendTrustedIssuerList with a HEX value of 0

After this change the Lync Phone devices did start to behave normal, and has stayed signed in and running since 🙂

Hello – what does this have to do with AOL Federation issues??
Right – the above didn’t solve my AOL issues, but I am certain that it helped 🙂

Lync 2010 Edge Server:

After some searching on the Internet, we found an article saying that we had to change the SSL Cipher Suite Order on the Lync Edge Server.
I started with GPEDIT.MSC as stated in the article, but found that the policy editor has a character limit and didn’t accept the complete cipher string!! (It was just copied out, altered, and when I went to paste it back in, the string didn’t fit!!)

Again searching the net, I found that the value can be set directly in the Registry.
Start RegEdit and navigate to the following location:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002

Add the following:

Value name: Functions (REG_SZ)
Value data:
TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA

This change requires a reboot of the Lync Edge; after the reboot the issue was still not solved – ARG!!
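Before writing a cipher suite order like the one above to the policy key, it is worth reviewing it: the list includes RC4, MD5, 3DES, SSL 2.0 (SSL_CK_) and NULL-encryption suites, and the SSL Cipher Suite Order policy value is limited to 1023 characters. The following PowerShell is an added example, not from the original post: it parses an order string (the order from this post is embedded inline), flags suites matching those weak patterns, reads the current policy value if one is set, and builds a candidate order with the flagged suites removed for review. The registry path is the policy key named above; the weak-suite patterns are this example’s own choice.

```powershell
# Added example: review an SCHANNEL cipher-suite order before committing it to policy.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'

# Patterns treated as weak here: RC4, MD5 MACs, 3DES, NULL encryption and SSL 2.0 (SSL_CK_*) suites
$WeakPatterns = @('RC4', 'MD5', '3DES', 'NULL', '^SSL_CK_')

# The order from this post, constructed inline (newlines stripped below)
$SuiteOrder = @'
TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA
'@ -replace '\s', ''

function Test-CipherSuiteOrder {
    param([string]$Order)
    # The SSL Cipher Suite Order policy value is limited to 1023 characters
    if ($Order.Length -gt 1023) {
        Write-Warning ("Order is {0} characters; the policy value is limited to 1023" -f $Order.Length)
    }
    foreach ($suite in ($Order -split ',' | Where-Object { $_ })) {
        $hits = @($WeakPatterns | Where-Object { $suite -match $_ })
        New-Object PSObject -Property @{
            Suite  = $suite
            Weak   = ($hits.Count -gt 0)
            Reason = ($hits -join ',')
        }
    }
}

function Get-PolicyCipherSuiteOrder {
    # Returns the Functions value if the policy key exists, otherwise $null
    if (Test-Path $PolicyKey) {
        (Get-ItemProperty -Path $PolicyKey -Name Functions -ErrorAction SilentlyContinue).Functions
    }
}

# Review whatever is currently in the registry; fall back to the order from the post
$order = Get-PolicyCipherSuiteOrder
if (-not $order) { $order = $SuiteOrder }

$report = Test-CipherSuiteOrder -Order $order
$report | Format-Table Suite, Weak, Reason -AutoSize

# Candidate order with the flagged suites removed. Check it against what your
# federation partners actually negotiate before writing it back (REG_SZ) and rebooting:
#   Set-ItemProperty -Path $PolicyKey -Name Functions -Value $hardened
$hardened = ($report | Where-Object { -not $_.Weak } | ForEach-Object { $_.Suite }) -join ','
"{0} suites reviewed, {1} flagged, hardened order is {2} characters" -f @($report).Count, @($report | Where-Object { $_.Weak }).Count, $hardened.Length
```

The script only reports and builds the candidate string; the Set-ItemProperty line in the comment is the write step, left for you to run deliberately, since removing a suite that a federation partner depends on turns a cipher clean-up into a new federation outage.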

Further investigation led me to the fact that the Lync Edge Server was running with IPv6 fully enabled, so I decided to disable IPv6 on the server.
Did that with the following script: Set-Lync2010Features

Once again disabling of IPv6 requires a reboot of the server.
Reboot was done, and VOILA – Federation with AOL worked !!

I’m not 100% sure what actually fixed the issue, but I believe that all three changes helped in the resolution of the customer’s AOL issues.

Enable users for Lync, via AD Group Membership

Hi.

I have written a small Powershell script that reads an Active Directory group, and Lync Enables users in that group or in any Groups-in-Groups.
The user’s e-mail address is used as the SIP address when enabling the user for Lync.

Changes will come to the script, in terms of more error checking and other improvements.

Requirements:

  • Needs access to Active Directory and Lync PowerShell modules

Please feel free to use the script AS-IS, and I’ll be happy for feedback, any kind 🙂

I have successfully created a scheduled task at several customers – They are all happy 🙂

Updates:

  • Changed the requirements of the log folder – the script creates the logfile in the directory the command is called from
  • Changed the format of the logfile name, converted to uFormat – should cover most 🙂

Changes are based on feedback 🙂


#############################################################################################
# Enable-LyncUsers.ps1
#
# v1.0 - April 2012 by Trond Egil Gjelsvik-Bakke (https://trogjels.wordpress.com)
# v1.1 - October 2012
#        Changed script regarding to LogFile creation.
#
# Syntax:
#	Enable-LyncUsers AD-GroupName
#
#############################################################################################
param([Parameter(Mandatory=$true)][string]$CSGroup)

Import-Module ActiveDirectory
Import-Module Lync

# Check that the AD group (including nested groups) contains any user members
$Members = Get-ADGroupMember $CSGroup -Recursive | Where-Object { $_.objectClass -eq "user" }
if ($null -eq $Members)
{
    Write-Host "AD Group $CSGroup doesn't contain any users. Please add members to this group before continuing" -ForegroundColor Red -BackgroundColor Black
    exit 0
}

# Create the log file in the directory the script is called from
$LogFile = "Enable-LyncUsers-Log-" + (Get-Date -uFormat %d%m%Y-%H%M%S) + ".txt"
$LogTXT = "Processing Users.....`n"
Out-File -FilePath $LogFile -InputObject $LogTXT

Write-Host "Processing Users.....`n" -ForegroundColor Yellow -BackgroundColor Black

# The registrar pool users are homed on; the ServiceId is specific to this deployment
$pool = Get-CsService -Registrar | Where-Object { $_.ServiceId -eq "1-Registrar-1" }

ForEach ($user in $Members)
{
    $samaccountname = $user.SamAccountName

    # Filters are built as strings so the variable is expanded before the cmdlet sees it
    $ADUser = Get-CsAdUser -Filter "SamAccountName -eq '$samaccountname'"

    if ($null -eq $ADUser)
    {
        Write-Host "User $samaccountname not in AD"
        $LogTXT = "$samaccountname not found in AD, skipping....."
    }
    else
    {
        $display = $ADUser.FirstName + " " + $ADUser.LastName
        Write-Host "Processing:" $display

        $enabled = Get-CsUser -Filter "SamAccountName -eq '$samaccountname'"

        # Check if the user is already enabled for OCS/Lync
        if ($enabled)
        {
            # A user without a RegistrarPool is homed on legacy OCS
            if ($null -eq $enabled.RegistrarPool)
            {
                Write-Host "User is on OCS, enabling for Lync" -ForegroundColor Yellow -BackgroundColor Black
                Move-CsLegacyUser -Identity $ADUser.SipAddress -Target $pool.PoolFqdn -Force -Confirm:$false
                $LogTXT = "Successfully moved $display to Lync Server 2010"
                Write-Host $LogTXT
            }
            else
            {
                Write-Host "User is already on Lync - Skipping..." -ForegroundColor Yellow -BackgroundColor Black
                $LogTXT = "$display is already on Lync Server 2010, skipping....."
            }
        }
        else
        {
            Write-Host "Enabling user for Lync - Processing..." -ForegroundColor Yellow -BackgroundColor Black
            # The SIP address is derived from the user's e-mail address
            $ADUser | Enable-CsUser -RegistrarPool $pool.PoolFqdn -SipAddressType EmailAddress
            $LogTXT = "Successfully enabled $display for Lync Server 2010"
            Write-Host $LogTXT -ForegroundColor Yellow -BackgroundColor Black
        }
    }

    # Write log
    Out-File -FilePath $LogFile -InputObject $LogTXT -Append
}

Lync Disable – AD Disabled users

Hi.

Have written a short PowerShell script that disables Lync users whose AD account is disabled.
This prevents some warnings in the Lync event log.

Script changed with regards to some of the feedback.
Not changed with regards to the comment around Synthetic Transactions – work in progress….


#####################################################################################
# Disable-AdDisabledCsUsers.ps1
#
# v1.0 - August 2012 by Trond Egil Gjelsvik-Bakke (trogjels.wordpress.com)
# v1.1 - October 2012
#        Changed script regarding to LogFile creation.
#
#
# Pulls all AD disabled users that are still Lync enabled and disables them for Lync as well
#
# Writes automatically to an auto created logfile
# Can optionally write to screen using -verbose $true
# Use -ReportOnly $true to log what would be disabled without changing anything
#
# Example usage.
#
# .\Disable-AdDisabledCsUsers.ps1 -verbose $true
#
####################################################################################
param([bool]$verbose = $false, [bool]$ReportOnly = $false)
Import-Module Lync

#Create LogFile
$LogFile = "DisabledAdUsers-" + (Get-Date -uFormat %Y-%m-%d-%H%M%S) + ".txt"
$LogTXT = "Processing Users.....`n"
Out-File -FilePath $LogFile -InputObject $LogTXT

# Users whose AD account is disabled but who are still enabled for Lync
$disabledADusers = Get-CsAdUser | Where-Object { $_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true }

Foreach ($user in $disabledADusers)
{
    $displayname = $user.FirstName + " " + $user.LastName

    if ($ReportOnly)
    {
        $LogTXT = "$displayname ($($user.SipAddress)) is disabled in AD and would be disabled for Lync"
    }
    else
    {
        # Disable the Lync account; the SIP address is used as the identity
        Disable-CsUser -Identity $user.SipAddress
        $LogTXT = "$displayname ($($user.SipAddress)) is disabled in AD, and now disabled for Lync"
    }

    if ($verbose -eq $true)
    {
        Write-Host $LogTXT
    }
    Out-File -FilePath $LogFile -InputObject $LogTXT -Append
}

Lenovo Video Issues with Communicator – Lync & OCS 2007 R2

Hi.

Lately I have been asked about Video issues in Lync and R2 Communicator – Communicator freezes once you accept inbound video call.
I did search the net, and came across the following article written by Chad McGreanor – thanks 🙂

This issue is related to the nVidia display driver on Lenovo T420s, T520 & W520.

Lenovo has been working on updating their site with the current Nvidia drivers, but as far as I know – It’s not updated yet !
Go to Nvidia directly and download the current driver that solves this issue.
Link: http://www.nvidia.com/Download/index.aspx?lang=en-us

After upgrading nVidia drivers, everything works 🙂

Outbound call from Lync fails – TimeOut Issues

I was working on a strange issue at a customer regarding Enterprise Voice from Lync.
The issue:
– Some calls fails before call setup completes !!

The Lync environment was configured with a standalone Mediation server, with a direct SIP connection to the Telecom provider.

The issue was reported to the Telecom provider, and they responded quickly with a knowledge of this issue.
The response was:

The Lync Mediation Server is sending a CANCEL on call setup, after a very short time.
After some update from Microsoft, Lync has become impatient, and if the remote party hasn’t responded with more than “100 Trying” within 10 sec the Mediation Server sends a CANCEL!!
This timer was earlier 30 – 40 seconds, but is now only 10!!
The remote party can’t respond with more than “100 Trying” until they have received anything from the Called Party.

The best part is that the Telecom provider has been in contact with Microsoft regarding this, and they got a FIX 🙂

The fix:

Configuring Parameters

Some of the above timeouts can be configured. The file which has the configurable parameters is ‘OutboundRouting.exe.config”  Use caution when changing these values, as a rule of thumb try not to increase or decrease the value by more than 25% of its original value.

From OutboundRouting.exe.config

<configuration>
  <appSettings>
    <!-- The problem line: how long (ms) to wait for more than "100 Trying" before the call is cancelled -->
    <add key="FailOverTimeout" value="10000"/>
    <add key="MinGwWaitingTime" value="1"/>
    <add key="MaxGwWaitingTime" value="20"/>
    <add key="FailuresForGatewayDown" value="10"/>
    <add key="FailuresForGatewayLessPreferred" value="25"/>
    <!-- Valid values are between 5 and 600 -->
    <add key="HealthMonitoringInterval" value="300"/>
    <!-- Valid values are between 60 and 3600 -->
    <add key="GatewayStateReportingInterval" value="1800" />
  </appSettings>
</configuration>

The FailOverTimeout should be increased to the desired time limit.
The file is found under C:\Program Files\Microsoft\Lync Server 2010\Server\Core on the FrontEnd Server.

Changing the value from 10000 (10 sec) to 20000 (20 sec) solved the issue.

After changing this value, it’s recommended to reboot the server.
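The edit above, scripted as an added example that is not part of the original post: it locates the FailOverTimeout entry in OutboundRouting.exe.config, refuses changes larger than the 25% guidance quoted above unless -Force is given (the post’s own 10 s to 20 s change is a 100% increase, so it needs -Force), keeps a timestamped backup and writes the new value. The config path and the new timeout are parameters; nothing else is assumed about the server.

```powershell
# Added example: change FailOverTimeout in OutboundRouting.exe.config safely.
param(
    [Parameter(Mandatory=$true)][string]$ConfigPath,   # full path to OutboundRouting.exe.config
    [int]$NewTimeoutMs = 20000,                         # value the post settled on
    [switch]$Force                                      # allow a change larger than 25%
)

function Set-FailOverTimeout {
    param([string]$Path, [int]$ValueMs, [bool]$AllowLargeChange)

    $fullPath = (Resolve-Path -Path $Path).Path
    [xml]$xml = Get-Content -Path $fullPath

    $node = @($xml.configuration.appSettings.add) | Where-Object { $_.key -eq 'FailOverTimeout' }
    if (-not $node) { throw "FailOverTimeout not found in $fullPath" }

    $oldMs  = [int]$node.value
    $change = [math]::Abs($ValueMs - $oldMs) / $oldMs
    if ($change -gt 0.25 -and -not $AllowLargeChange) {
        throw ("Change of {0:P0} exceeds the 25% guidance (old {1} ms, new {2} ms); use -Force to override" -f $change, $oldMs, $ValueMs)
    }

    # Keep a copy of the original before touching it
    $backup = "$fullPath.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $fullPath -Destination $backup

    $node.value = [string]$ValueMs
    $xml.Save($fullPath)

    New-Object PSObject -Property @{ OldMs = $oldMs; NewMs = $ValueMs; Backup = $backup }
}

$result = Set-FailOverTimeout -Path $ConfigPath -ValueMs $NewTimeoutMs -AllowLargeChange:$Force
"FailOverTimeout changed from $($result.OldMs) ms to $($result.NewMs) ms (backup: $($result.Backup))."
"The file is read when the service starts; restart the server for the new value to take effect."
```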

Best Practice installing Lync CU4 and Lync Mobility

Lync Mobility was released som time ago, and after several installations and configuration I decided to write this article to describe steps needed to successfully install and configure Lync Mobility.

Lync CUs are cumulative updates: each one includes the fixes from the earlier CUs plus new ones. They are like a service pack, but still different.

Prerequisites

Before starting any installation, it is wise to have the needed software downloaded. I have included links to official documentation and software.

A very important requirement: the Lync Mobility service isn’t supported on a Lync FrontEnd server with a collocated Lync Mediation server when the server has two NICs.

Prepare the Lync environment

There are certain configurations that are required, and I’ll describe them here.

Internal DNS

We need to create internal DNS records for each SIP domain defined in the Lync topology. We can use both CNAME and A records, and I have chosen to create them as follows:

CNAME record for lyncdiscoverinternal pointing to Lync FrontEnd Server or to the Lync Director server (If deployed)
A record for lyncdiscover pointing to  reverse proxy public IP.

External DNS

Create the following record:

A record for lyncdiscover pointing to  reverse proxy public IP.

CU4 Installation

Start the update process by logging into your Lync Server and starting the Lync Management Shell. Before the update installation starts, check whether there are ongoing calls or meetings. By running Get-CsWindowsService we get a glimpse of what is going on in our Lync infrastructure (the ActivityLevel column shows current calls and conferences per service).

After we have checked for ongoing sessions, we should prevent any new sessions. This can be done with Stop-CsWindowsService -Graceful, which stops accepting new sessions and waits for the existing ones to finish, or, if it’s a planned downtime, services can be stopped immediately with Stop-CsWindowsService.

Next thing would be to stop the World Wide Web service, do this by –  net stop w3svc

Once all services have been stopped, launch the LyncServerUpdateInstaller.exe package and select Install Updates. Once the update package has run, verify that all installed versions are checked green.

If a restart is required, please restart the server.

Run the CU4 installer on any other Lync Servers in the environment, so that all Lync Servers run with the same versions.

The next stage, very important and almost always forgotten, is to update the Lync databases. The CU’s release notes should be read to check whether a database update is required.
To update the databases, follow these steps:

  • Start Lync Management Shell
  • If Enterprise Edition Back End Server databases are not collocated with any other databases, such as Archiving or Monitoring databases, at the command line, type the following:
    Install-CsDatabase –Update –ConfiguredDatabases –SqlServerFqdn <SQL Server FQDN>
  • If Enterprise Edition Back End Server databases are collocated with other databases, such as Archiving or Monitoring databases, at the command line, type the following:
    Install-CsDatabase –Update –ConfiguredDatabases –SqlServerFqdn <SQL Server FQDN> –ExcludeCollocatedStores
  • For Standard Edition, type the following:
    Install-CsDatabase –Update –LocalDatabases

The database is now updated, and we are ready to start Lync Services and IIS again. At the command line, type:

  • net start w3svc
  • Start-CsWindowsService
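The CU update sequence above as one PowerShell script, added here as an example and not taken from the original post: it sums the activity counters Get-CsWindowsService reports, stops the Lync services (gracefully when asked) and IIS, pauses while you run LyncServerUpdateInstaller.exe, then updates the databases for the chosen edition and starts everything again. A -ResumeAfterReboot switch is provided for the case where the installer asks for a reboot. The parameter names and the way ActivityLevel is parsed are this example’s own assumptions.

```powershell
# Added example: Lync CU update sequence (stop, install, update databases, start).
param(
    [Parameter(Mandatory=$true)][ValidateSet('Standard','Enterprise')][string]$Edition,
    [string]$SqlServerFqdn,            # Enterprise Edition back end FQDN
    [switch]$ExcludeCollocatedStores,  # back end also hosts Archiving/Monitoring stores
    [switch]$Graceful,                 # drain sessions instead of stopping immediately
    [switch]$ResumeAfterReboot         # skip straight to the database update and service start
)

Import-Module Lync

function Get-ActiveSessionCount {
    # ActivityLevel is a free-text summary per service ("Current incoming calls: 0, ...");
    # summing every number in it is a rough "is anything still going on" indicator.
    $total = 0
    foreach ($svc in Get-CsWindowsService) {
        if ($svc.ActivityLevel) {
            foreach ($m in [regex]::Matches([string]$svc.ActivityLevel, '\d+')) { $total += [int]$m.Value }
        }
    }
    return $total
}

function Update-LyncDatabases {
    param([string]$Edition, [string]$SqlServerFqdn, [bool]$ExcludeCollocated)
    if ($Edition -eq 'Standard') {
        Install-CsDatabase -Update -LocalDatabases
    } else {
        if (-not $SqlServerFqdn) { throw 'Enterprise Edition requires -SqlServerFqdn' }
        if ($ExcludeCollocated) {
            Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn -ExcludeCollocatedStores
        } else {
            Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn $SqlServerFqdn
        }
    }
}

if (-not $ResumeAfterReboot) {
    $active = Get-ActiveSessionCount
    Write-Host "Lync services report $active active calls/sessions"
    if ($active -gt 0 -and -not $Graceful) {
        Write-Warning 'Sessions are in progress; re-run with -Graceful to drain them first'
        return
    }

    # -Graceful stops accepting new sessions and waits for the existing ones to end
    if ($Graceful) { Stop-CsWindowsService -Graceful } else { Stop-CsWindowsService }
    Stop-Service -Name w3svc

    Read-Host 'Run LyncServerUpdateInstaller.exe (Install Updates) now. If it asks for a reboot, reboot and re-run this script with -ResumeAfterReboot; otherwise press Enter'
}

Update-LyncDatabases -Edition $Edition -SqlServerFqdn $SqlServerFqdn -ExcludeCollocated:$ExcludeCollocatedStores

Start-Service -Name w3svc
Start-CsWindowsService

# Confirm every Lync service came back
Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' } |
    ForEach-Object { Write-Warning ("{0} is {1}" -f $_.Name, $_.Status) }
```

Run it on each Lync server in turn so that all of them end up on the same CU version; the database step only needs to succeed once per pool, but re-running Install-CsDatabase -Update is harmless.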

Lync Mobility Listening Ports

Before installing Lync Mobility, we need to update the topology with the internal and external listening ports. This configuration is needed for ALL Lync FrontEnd pools in the environment.

  • Start Lync Management Shell and issue the following commands:
    • Set-CsWebServer -Identity <Lync Pool FQDN> -McxSipPrimaryListeningPort 5086
    • Set-CsWebServer -Identity <Lync Pool FQDN> -McxSipExternalListeningPort 5087
  • Publish the topology changes:
    • Enable-CsTopology

Mobility Server Installation

Even though the same installation package is used on all Lync FrontEnd and Director servers, the installation will only install services required for that role. FrontEnd server will have both Autodiscover and Mobility, but Director Server will only have the Autodiscover parts.

IIS Requirements

Mobility requires some additional IIS services on the FrontEnd servers only.
On Windows 2008 R2, use the Lync Management Shell to install the required features:

  • Import-Module ServerManager
  • Add-WindowsFeature Web-Server, Web-Dyn-Compression

Mobility and Autodiscover Installation

The Lync Mobility installation package isn’t an ordinary installation package, even though it’s an MSI package.
Put the downloaded McxStandalone.msi into the following directory on each server:

  • C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577\setup\

Use the Lync Management Shell to issue the following commands:

  • cd “C:\Program Files\Microsoft Lync Server\Deployment\”
  • .\Bootstrapper.exe

The Bootstrapper will verify prerequisites and install needed components.
For FrontEnd it will install both Feature_WebComponent_Autodiscover and Feature_WebComponent_Mcx components.
For Director it will only install Feature_WebComponent_Autodiscover component.

Certificates Updates

Since the Mobility installation uses new DNS entries, both internal and external, we need to update both the internal and the external certificates.

Internal Certificates

To complete the installation and configuration of internal Lync Mobility, we need to update the internal certificates. We update the certificates by running the Lync Server Update wizard. Run “Install or Update Lync Server System” – “Request, Install, or Assign Certificates” and click Run Again.

Expand the “Default Certificate”, and select Request. This will start the Certificate Request Wizard.

Run through the wizard and verify that lyncdiscoverinternal and lyncdiscover is included as SAN Names in the certificate.

Once the wizard completes, verify that Assign this certificate to Lync Server is selected. This will automatic and immediately assign the newly created certificate.

At this point the internal installation is complete, and it’s good practice to reboot the server.

External Access

To complete the installation/configuration for external access, we need to rerequest the external certificate and update what ever publishing rule that is used to publish Lync Web Components.

External Certificate

Request new certificate to be used on the Reverse Proxy, and make sure that lyncdiscover is included in the certificate.

Use whatever routine you use to request this certificate.

If you would like to use TMG to request this certificate, use the following guide:

Thanks to Chad McGreanor for this great article.

TMG Publishing

Update whatever publishing rule to reflect the additional lyncdiscover as a public name.

Push Notification

Push Notification is used by Windows and iOS mobile devices which do not support traditional application backgrounding like the Android client does. Federation services between an on-premises Lync deployment and Office 365’s Lync Online are used as the conduit between Lync and the online Push Notification services for Microsoft.

Configuration
  • Use the Lync Management Shell to create new entry for HostingProvider
    • New-CsHostingProvider -Identity “LyncOnline” -Enabled $true -ProxyFqdn “sipfed.online.lync.com” -VerificationLevel UseSourceVerification
  • Use the Lync Management Shell to create new entry for new SupportedDomain
    • New-CsAllowedDomain -Identity push.lync.com -Comment “Mobile Push Notification”

Push notification isn’t enabled by default, so we need to enable them for both services.

  •  Use the Lync Management Shell to enable one or both services.
    • Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $true -EnableMicrosoftPushNotificationService $true

If federation services for some reason hasn’t been enabled, we enable this with the following Lync Management Shell command:

  • Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true

Test Federation

To verify that federation is working as expected, we can use the following Lync Management Shell command:

  • Test-CsFederatedPartner -TargetFqdn <Edge Pool FQDN> -Domain push.lync.com -ProxyFqdn sipfed.online.lync.com
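The Mobility configuration steps above (listening ports, hosting provider, allowed domain, push notification, federation check) as one idempotent script, added here as an example that is not part of the original post. It checks before it creates or changes anything, so it can be re-run on a pool that is already partly configured. The port numbers, hosting provider and push.lync.com values are the ones the post uses; the Edge pool FQDN is a parameter, and restricting the Mcx ports to Web Services instances that belong to a registrar pool is this example’s own choice.

```powershell
# Added example: idempotent Lync Mobility configuration.
param([Parameter(Mandatory=$true)][string]$EdgePoolFqdn)

Import-Module Lync

# 1. Mcx listening ports on every Web Services instance that belongs to a registrar pool
#    (Director web services do not host Mcx, so they are skipped)
$registrarPools = Get-CsService -Registrar | ForEach-Object { $_.PoolFqdn }
$topologyChanged = $false
foreach ($web in Get-CsService -WebServer) {
    if ($registrarPools -contains $web.PoolFqdn) {
        if ($web.McxSipPrimaryListeningPort -ne 5086 -or $web.McxSipExternalListeningPort -ne 5087) {
            Set-CsWebServer -Identity $web.Identity -McxSipPrimaryListeningPort 5086 -McxSipExternalListeningPort 5087
            Write-Host "Mcx ports set on $($web.Identity)"
            $topologyChanged = $true
        }
    }
}
if ($topologyChanged) { Enable-CsTopology }

# 2. Hosting provider for Lync Online (the conduit to the push notification service)
if (-not (Get-CsHostingProvider -Identity 'LyncOnline' -ErrorAction SilentlyContinue)) {
    New-CsHostingProvider -Identity 'LyncOnline' -Enabled $true -ProxyFqdn 'sipfed.online.lync.com' -VerificationLevel UseSourceVerification
}

# 3. Allow the push.lync.com domain
if (-not (Get-CsAllowedDomain -Identity 'push.lync.com' -ErrorAction SilentlyContinue)) {
    New-CsAllowedDomain -Identity 'push.lync.com' -Comment 'Mobile Push Notification'
}

# 4. Enable both push services and make sure federation is allowed at the Edge
Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $true -EnableMicrosoftPushNotificationService $true
if (-not (Get-CsAccessEdgeConfiguration).AllowFederatedUsers) {
    Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true
}

# 5. Verify the federation path to the push service through the Edge pool
Test-CsFederatedPartner -TargetFqdn $EdgePoolFqdn -Domain 'push.lync.com' -ProxyFqdn 'sipfed.online.lync.com'
```

The final Test-CsFederatedPartner result is the thing to look at: a Success there means the Edge can reach sipfed.online.lync.com for the push.lync.com domain, which is what the mobile clients depend on.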

Firewall

Official documentation discusses the requirement of traffic over TCP port 5223 for push notification.
To make sure that internal mobile devices should be able to use push notifications, the outbound firewall must be configured to allow outbound traffic over TCP port 5223 from Wireless network.

Verify Connectivity

To verify that the autodiscover service is working as expected, use a normal browser to access http://lyncdiscover.<SIP Domain>
The browser downloads a small JSON file; open it with a text editor and inspect its content.

Make sure that requests are redirected into the Reverse Proxy published url.
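The browser check above, scripted as an added example that is not part of the original post: it requests the lyncdiscover (or lyncdiscoverinternal) root document, reports where any redirect ended up, pulls the href links out of the JSON and compares their host name with the web services host you expect to see, and optionally probes TCP 5223 for the push notification path. The SIP domain, the expected host and the push host are parameters; the regular-expression parsing of the JSON (PowerShell 2.0 on Windows 2008 R2 has no ConvertFrom-Json) is this example’s own.

```powershell
# Added example: check the Lync Autodiscover root document and the push notification port.
param(
    [Parameter(Mandatory=$true)][string]$SipDomain,
    [Parameter(Mandatory=$true)][string]$ExpectedWebHost,  # web services FQDN the hrefs should point at
    [string]$PushHost = '',                                 # leave empty to skip the TCP 5223 probe
    [switch]$Internal                                       # query lyncdiscoverinternal instead
)

function Get-LyncDiscoverRoot {
    param([string]$Domain, [bool]$UseInternal)
    $record = if ($UseInternal) { 'lyncdiscoverinternal' } else { 'lyncdiscover' }
    $url = "http://$record.$Domain/"
    $req = [System.Net.WebRequest]::Create($url)
    $req.AllowAutoRedirect = $true
    $req.Timeout = 10000
    $resp = $req.GetResponse()
    try {
        $finalUrl = $resp.ResponseUri.AbsoluteUri      # where redirects (reverse proxy) ended up
        $status   = [int]$resp.StatusCode
        $reader   = New-Object System.IO.StreamReader($resp.GetResponseStream())
        $body     = $reader.ReadToEnd()
    } finally { $resp.Close() }
    New-Object PSObject -Property @{ RequestedUrl = $url; FinalUrl = $finalUrl; StatusCode = $status; Body = $body }
}

function Get-AutodiscoverLinks {
    param([string]$Json)
    # Every "href":"..." in the root document
    [regex]::Matches($Json, '"href"\s*:\s*"([^"]+)"') | ForEach-Object { $_.Groups[1].Value }
}

function Test-TcpPort {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

$root = Get-LyncDiscoverRoot -Domain $SipDomain -UseInternal $Internal
"Requested: $($root.RequestedUrl)  ->  final: $($root.FinalUrl) (HTTP $($root.StatusCode))"

$links = @(Get-AutodiscoverLinks -Json $root.Body)
if ($links.Count -eq 0) { Write-Warning 'No href links found; the response is not an Autodiscover root document' }
foreach ($link in $links) {
    $linkHost = ([uri]$link).Host
    $mark = if ($linkHost -ieq $ExpectedWebHost) { 'OK   ' } else { 'CHECK' }
    "$mark $link"
}

if ($PushHost) {
    $open = Test-TcpPort -HostName $PushHost -Port 5223
    "TCP 5223 to $PushHost reachable: $open"
}
```

A CHECK line means the Autodiscover document is handing clients a host other than the one you published; for the external check that is usually a publishing rule or certificate SAN that still lacks lyncdiscover, for the internal check a lyncdiscoverinternal record pointing at the wrong server.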