OneLiner: Move Lync users to another Lync pool, based on AD Group

Hi.

The following PowerShell one-liner moves users to another pool based on membership of an AD group:

Get-ADGroup "AD GroupName" | Get-ADGroupMember -Recursive | ForEach-Object {Move-CsUser $_.SamAccountName -MoveConferenceData -Target "New Lync Pool FQDN" -Confirm:$false}

This might come in handy when you need to move users based on AD groups.

Thanks to Joakim Erdal at Atea for helping with the command sequence.
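The same group-driven move, written out as an added example (not the post's own one-liner) with a dry-run switch, a skip for accounts that are not Lync-enabled or are already homed on the target pool, and per-user error handling so one failed move does not abort the batch. The group name and pool FQDN are placeholders; the user is resolved to a UPN first because Move-CsUser and Get-CsUser accept a UPN as Identity.

```powershell
# Added example (not from the original post): move Lync users based on AD group
# membership, with a dry run and skips for users that need no move.
# Placeholders to change: the group name and the target pool FQDN.
param(
    [string]$GroupName  = 'Lync-Pool-Migration',      # placeholder AD group
    [string]$TargetPool = 'pool02.contoso.example',    # placeholder pool FQDN
    [switch]$WhatIf                                    # dry run: report, move nothing
)

Import-Module ActiveDirectory
Import-Module Lync

# Recursive membership; drop nested groups, computers and contacts.
$members = Get-ADGroup -Identity $GroupName |
           Get-ADGroupMember -Recursive |
           Where-Object { $_.objectClass -eq 'user' }

foreach ($m in $members) {
    # Resolve to a UPN, which the Lync cmdlets accept as -Identity.
    $upn = (Get-ADUser -Identity $m.DistinguishedName -Properties UserPrincipalName).UserPrincipalName
    if (-not $upn) { Write-Warning "$($m.SamAccountName): no UPN, skipping"; continue }

    $csUser = Get-CsUser -Identity $upn -ErrorAction SilentlyContinue
    if (-not $csUser) {
        Write-Warning "${upn}: not Lync-enabled, skipping"
        continue
    }
    $currentPool = [string]$csUser.RegistrarPool
    if ($currentPool -eq $TargetPool) {
        Write-Host "${upn}: already on $TargetPool, skipping"
        continue
    }
    if ($WhatIf) {
        Write-Host "WHATIF: would move $upn from $currentPool to $TargetPool"
        continue
    }
    try {
        Move-CsUser -Identity $upn -Target $TargetPool -MoveConferenceData -Confirm:$false -ErrorAction Stop
        Write-Host "${upn}: moved from $currentPool to $TargetPool"
    } catch {
        Write-Warning "${upn}: move failed - $($_.Exception.Message)"
    }
}
```

Run it once with -WhatIf to see the list of users that would move before committing; the skip for users already on the target pool makes the script safe to re-run after a partial failure.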

Lync 2013 Mobility and IIS ARR

Since Microsoft TMG was withdrawn from the market, IIS ARR has become the most common solution for publishing Lync, Exchange and SharePoint.

There are good guides on how to configure IIS ARR and how to publish Lync 2013.

One thing I have been noticing is that mobile users have been complaining about the following message: "Your server configuration has changed. Please restart Lync"

(Screenshot: LyncConfig)

After some searching on the topic, there was some info that told us to increase the Proxy Timeout value.
One very important piece of information is:

You will need to increase the Proxy Timeout value for the Web External Publishing Rule.

I have had success with increasing the value to 960 Seconds.
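In ARR the "Proxy Timeout" of the publishing rule is the protocol time-out of the server farm, stored in applicationHost.config as a TimeSpan. The script below is an added example, not part of the post, that shows the current value and raises it to the 960 seconds the post reports success with. It assumes ARR 3.x on IIS and a server farm named "LyncExternalWeb" (a placeholder; use your own farm name).

```powershell
# Added example (not from the original post): view and raise the ARR proxy time-out
# for the server farm that publishes the Lync external web services.
$appcmd   = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$farmName = 'LyncExternalWeb'                       # placeholder farm name
$timeout  = [TimeSpan]::FromSeconds(960)           # value the post reports success with
$tsText   = $timeout.ToString('hh\:mm\:ss')        # ARR stores it as hh:mm:ss -> 00:16:00

if (-not (Test-Path $appcmd)) { throw "appcmd.exe not found; is IIS installed on this host?" }

# Show the farms and their current protocol time-outs before changing anything.
& $appcmd list config -section:webFarms | Select-String -Pattern 'webFarm name|timeout'

# Set the protocol time-out on the named farm and commit to applicationHost.config.
& $appcmd set config -section:webFarms "/[name='$farmName'].applicationRequestRouting.protocol.timeout:$tsText" /commit:apphost
if ($LASTEXITCODE -ne 0) { throw "appcmd failed with exit code $LASTEXITCODE" }

# Verify the new value.
& $appcmd list config -section:webFarms | Select-String -Pattern 'timeout'
```

The change takes effect without an IIS restart; keep the "before" output so the previous time-out can be restored if the longer value causes connections to pile up on the reverse proxy.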

Lync Server 2013 on Windows Server 2012 R2

Hi.
As you all probably know, Lync Server 2013 is fully supported on Windows Server 2012 R2.
To gain Lync Server 2013 support on Windows Server 2012 R2, update Lync Server 2013 with the latest CU.

One very important change is to alter the TLS mechanism in Windows Server 2012 R2.
Windows Server 2012 R2 has changed how TLS sessions are cached, and this doesn't work well with Lync 2013.
The following article describes the required registry modification:
http://support.microsoft.com/kb/2901554/en-us

As the article describes – “Lync Server 2013 is supported by Windows Server 2012 R2 when this registry workaround is performed.”

Continue to Lync – Happy Lync’ing 😉

IIS ARR as Reverse Proxy for Lync 2013

I have recently been trying to get IIS ARR to work as a reverse proxy for Lync 2013, and today I made a breakthrough 🙂

I have been following the NextHop article on how to set it up, but I didn't manage to get it working 100% with all services – Office Web Apps Server, LyncDiscover and the Lync Simple URLs.

The issue I had was that I didn't manage to get all services to respond correctly at the same time – and that must be one of the goals 🙂

After some trial and error, I came up with a URL Rewrite ruleset that worked.
The following URL Rewrite ruleset worked:

(Screenshot: IISARR-RuleSet)

After I enabled the above ruleset, Office Web Apps Server, LyncDiscover and the Lync Simple URLs gave the expected result.

Hope this helps anyone facing the same issues.

Lync 2010 SBA with RODC – How to get it to work…

Hi.
Lately I have been troubleshooting a Lync 2010 SBA installed in a Lync 2010 infrastructure.
The SBA was unstable, and the Lync Registrar service (Lync FrontEnd) didn't always start.
Yes – not always!
Sometimes it started, and sometimes it didn't…

My experience is that the following Active Directory supportability statement doesn't make much sense.
Statement:

Support for Read-Only Domain Controllers

Lync Server 2010 supports Active Directory Domain Services (AD DS) deployments that include read-only domain controllers or read-only global catalog servers, as long as there are writable domain controllers available.

I asked Microsoft what this statement really meant, and I got the following reply:

We are aware of the statement, but not sure if it means "We work with an RODC as long as we need to read and require a RWDC if we need to write" or "We have no problem with RODC's being there but we ignore them and can only work with a normal DC".

The reply really got me thinking, and didn't bring calm to my chest!

I created an MS Support ticket for this – as I need to get to the bottom of it…

While I was waiting for the response on the support ticket, I did some Wireshark tracing on the SBA during the start of the Lync FrontEnd service.

The Active Directory in this case is designed with multiple AD sites. The site where the SBA is placed only contains an RODC, but RWDCs are available at other sites – and accessible from the SBA.

This is, as I see it, covered by the Active Directory supportability statement!

During the analysis of the Wireshark traces, I saw that the SBA was randomly selecting DCs to talk to based on DNS lookups – this is as expected, and I didn't find any issues with it.
What I did notice is that the RODC was never among the DCs that it was initially communicating with.
This is also expected, as the RODC only registers site-specific records in DNS.
Further into the Wireshark trace, I saw the following:

  1. When the Lync FrontEnd service was able to start, the SBA was communicating with the RODC.
  2. When the Lync FrontEnd service didn't start, the SBA never communicated with the RODC.

This led me back to Active Directory Sites and Services, and the following question – how can I ensure that the SBA is communicating with the closest RWDC?

I have previously been told that "Lync ignores the configuration in Active Directory Sites and Services, and is not AD Sites and Services aware – as Exchange is."

Well, I was really not sure about the AD Sites and Services part, so I made a change!

I added the IP address of the Lync SBA to the closest AD site with an RWDC.

I added the following in Subnets:
– IP: "Lync SBA IP/32"

I then assigned the newly added host subnet to the closest AD site with an RWDC.

The SBA was restarted to make the server pick up the AD Sites and Services change.
Once restarted, I used the following command to verify the change: nltest /dsgetsite
The command verified that the server had changed AD site, and now belongs to an AD site with RWDCs.

The Lync Management Shell was used, and the following command was issued: Start-CsWindowsService
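The three steps above (add a /32 subnet bound to the site that holds a writable DC, confirm the SBA's site with nltest, start the Lync services) as one added example that is not from the post. The SBA address and site name are constructed placeholders. Step 1 runs on an admin workstation with the ActiveDirectory module; steps 2 and 3 run on the SBA itself, and the script stops if the site membership has not changed yet instead of starting services against the wrong site.

```powershell
# Added example (not from the original post): pin the SBA to the AD site with a
# writable DC, verify the site the SBA resolves to, then start the Lync services.
# Placeholders (change to match your environment):
$sbaIp      = '10.10.20.5'           # constructed SBA address
$targetSite = 'HQ-Site-With-RWDC'    # constructed AD site name that holds a writable DC

# --- Step 1: run where the ActiveDirectory module is available and you can edit
#     Sites and Services. Creates the /32 subnet and binds it to the target site.
Import-Module ActiveDirectory
New-ADReplicationSubnet -Name "$sbaIp/32" -Site $targetSite `
    -Description 'Lync SBA host route: pin to site with writable DC'

# --- Step 2: run on the SBA after the change has replicated. Verify the site the
#     DC locator now reports (first line of nltest output is the site name).
$siteOutput = & nltest.exe /dsgetsite
if ($LASTEXITCODE -ne 0) { throw "nltest /dsgetsite failed: $siteOutput" }
$currentSite = ($siteOutput | Select-Object -First 1).Trim()
if ($currentSite -ne $targetSite) {
    throw "SBA still reports site '$currentSite'; expected '$targetSite'. Wait for replication or restart and retry."
}

# Confirm a writable DC is what the locator returns for this site (not the RODC).
$dc = Get-ADDomainController -Discover -SiteName $currentSite -Writable -ForceDiscover
Write-Host "Site: $currentSite  writable DC located: $($dc.HostName)"

# --- Step 3: start the Lync services and report anything that did not come up.
Import-Module Lync
Start-CsWindowsService -Verbose
$notRunning = Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' }
if ($notRunning) {
    Write-Warning "Services not running: $($notRunning.Name -join ', ')"
} else {
    Write-Host 'All Lync services are running.'
}
```

The -ForceDiscover switch makes the locator ignore its cached DC so the check reflects the new site membership rather than the DC the SBA found before the change.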

To my big surprise, the services started immediately!
This led to more questions than answers, and I'm currently working the MS Support case to get the full story around Lync 2010/2013 supportability for RODCs!

For now the SBA is running without issues, and I have not reverted it back to the original AD Site.
I am awaiting the final conclusion of the MS Support Ticket.

To be continued……

Lync Conference 2013

Hi.

Last week I was attending the first ever Lync Conference in San Diego, California.
– What an experience 🙂

The participation was a great success, and I found the conference very useful in more than one respect.
Takeaways from the conference:

  • Lync Room Systems:
    • These systems are very nice, and have the potential to revolutionize video conferencing solutions.
  • Lync Monitoring Service:
    • Making this a service and not a separate server makes it even easier to install.
      • There is now no excuse for not "installing" this role…
      • This role should be a part of every Lync installation.
    • This service provides data to be both proactive and reactive in dealing with user issues.
  • Skype Integration:
    • There have been lots and lots of questions and rumors about Microsoft's intentions around Skype.
    • With the new information presented at the conference, this is now clearer.
    • The two solutions will be 100% integrated in the near future, providing real B2X (Business to Any) communication.
  • Lync Mobility:
    • Mobile devices will be able to act as real Lync clients, able to use both voice and video over both WLAN and 3G/4G in addition to the already existing functionality.
  • General:
    • Great technical content covering new and improved features.
    • All recorded sessions and PPTs are available to participants to review after the conference.
  • Networking:
    • I spoke to several conference participants, received great tips, and found that my experience helped others solve their issues.

The participation in this conference was a great experience and a confirmation that the choice I made several years ago, when I decided to shift my career from being a general Windows consultant to specializing in Microsoft Unified Communications, was the right choice for me. Microsoft Lync with all its capabilities keeps me focused on always improving my work, and on helping customers really cut communication costs by providing them with the best Unified Communications solution on the market.

Microsoft Lync Rules !!

Lync 2010 Federation with AOL – Fixed !!

Hi.

One of my customers was having issues with federation between Lync 2010 and AOL.
I did some investigation, and found that they had applied for both MSN and AOL federation a long time ago.
Then I did a background check to see if anything had been changed – DNS names, IPs and so on – no change had been made.

Then on the 12th of December some Windows Update patches were released.
One of them was a Root CA update, and after this patch was installed the Lync Phone devices started to act strangely.

They signed out and signed in every 30 seconds!!!

Lync 2010 FrontEnd Server:

Some investigation was made, and the following registry change was implemented on the Lync FrontEnd Server.

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Created the following DWORD value:

SendTrustedIssuerList with a hex value of 0

After this change the Lync Phone devices started to behave normally, and have stayed signed in and running since 🙂

Hello – what does this have to do with AOL federation issues??
Right – the above didn't solve my AOL issues, but I am certain that it helped 🙂

Lync 2010 Edge Server:

After some searching on the Internet, we found an article saying that we had to change the SSL cipher suite order on the Lync Edge Server.
I started with GPEDIT.MSC as stated in the article, but found that GPEDIT.MSC has a character limit and didn't accept the complete cipher string!! (It was copied out, altered, and when I went to paste it back in, the string didn't fit!!)

Searching the net again, I found that we could use the registry to change the value.
Start RegEdit and navigate to the following location:

HKLM\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002
Added the following:

Key: Functions
Value:
TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_AES_128_CBC_SHA256,
TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,
TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384,
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384,
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384,
TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,
SSL_CK_RC4_128_WITH_MD5,SSL_CK_DES_192_EDE3_CBC_WITH_MD5,
TLS_RSA_WITH_NULL_SHA256,TLS_RSA_WITH_NULL_SHA

This change requires a reboot of the Lync Edge; after the reboot the issue was still not solved – ARG!!

Further investigation led me to the fact that the Lync Edge Server was running with IPv6 fully enabled, so I decided to disable IPv6 on the server.
I did that with the following script: Set-Lync2010Features

Once again, disabling IPv6 requires a reboot of the server.
The reboot was done, and VOILA – federation with AOL worked!!

I'm not 100% sure what actually fixed the issue, but I believe that all three changes helped in the resolution of the customer's AOL issues.
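An added example, not from the post, covering the two registry changes above. It applies the SCHANNEL change (SendTrustedIssuerList = 0) after recording the previous value, and then audits rather than writes the cipher suite order: "Functions" is a REG_SZ value under the ...\SSL\00010002 key, the Group Policy editor limits that string to 1,023 characters (the limit the post ran into), and the list in the post includes RC4, MD5, 3DES, SSL 2.0 and NULL-encryption suites that a current deployment should not enable. The script flags any of those present in the configured order so they can be reviewed before the value is applied on an Edge server.

```powershell
# Added example (not from the original post).
#  1. Set SendTrustedIssuerList = 0 (DWORD) under SCHANNEL, keeping the previous value.
#  2. Read the cipher-suite order policy (REG_SZ "Functions") and flag weak suites.
# Nothing in the cipher-suite policy is written; the audit is read-only.

$schannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$cipherKey   = 'HKLM:\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002'
$backupFile  = Join-Path $env:TEMP ("schannel-backup-{0}.txt" -f (Get-Date -Format 'yyyyMMdd-HHmmss'))

# --- 1. SendTrustedIssuerList -------------------------------------------------
$existing = Get-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -ErrorAction SilentlyContinue
$before   = if ($existing) { $existing.SendTrustedIssuerList } else { '<not set>' }
"SendTrustedIssuerList before: $before" | Tee-Object -FilePath $backupFile -Append

New-ItemProperty -Path $schannelKey -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
Write-Host "SendTrustedIssuerList set to 0 (previous value recorded in $backupFile). A reboot is required."

# --- 2. Audit the cipher-suite order policy -----------------------------------
$policy = Get-ItemProperty -Path $cipherKey -Name Functions -ErrorAction SilentlyContinue
if (-not $policy) {
    Write-Host "No cipher-suite order policy under $cipherKey; Windows defaults apply."
    return
}
$suites = $policy.Functions -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }

# The Group Policy editor stores this string with a 1,023-character limit.
if ($policy.Functions.Length -gt 1023) {
    Write-Warning "Functions string is $($policy.Functions.Length) characters; gpedit.msc will not accept it, which is why the registry was edited directly."
}

# Patterns that identify suites no longer considered acceptable:
# RC4 stream cipher, MD5 MAC, NULL encryption, DES/3DES, SSL 2.0-style names.
$weakPatterns = 'RC4', '_MD5', 'NULL', 'DES', '^SSL_CK_'
$weak = $suites | Where-Object {
    $suite = $_
    ($weakPatterns | Where-Object { $suite -match $_ }).Count -gt 0
}

"{0} suites configured, {1} flagged as weak" -f $suites.Count, @($weak).Count
$weak | ForEach-Object { "  WEAK: $_" }
```

If the audit lists weak suites, remove them from the string before applying it; the order of the remaining entries is what the Edge server will offer to federation partners, so keep the ECDHE/AES entries at the top.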