New blog articles in Skype for Business

The Next Version of Skype for Business Server

João Loureiro — Fri, 25 Sep 2020 17:03:32 GMT

This week, at Ignite, we announced that the next version of Skype for Business (SfB) Server will be available in the second half of 2021, and will only be available with the purchase of a subscription license. Subscription entitles access to support, product updates, bug and security fixes. We will share additional details around the official name, pricing and availability, later.

The next version of SfB Server will support in-place upgrade from SfB Server 2019 for a period of approximately two years following release. This feature will allow the admin to easily upgrade existing servers running SfB Server 2019 to the subscription-based codebase without needing to add or change servers.

The next version of SfB Server will continue to support side-by-side deployment and migration from earlier versions of SfB, as has been the case over the last few releases, but we have increased the number of versions it can be installed alongside. Customers with Lync Server 2013, SfB Server 2015 or SfB Server 2019 can install the next version of SfB Server into their existing organization.

We highly recommended that customers with existing Lync Server 2013 or SfB Server 2015 deployments and who expect to keep on-premises servers in the future, should start planning and installing SfB Server 2019 today. Once the next version of SfB is released, they will then be able to perform an in-place upgrade to that version, making the move to SfB Server 2019 the last major upgrade they will ever need to do.

We will have more details on this change over the coming months.

-SfB Server Team

Emerging Issue - Remote Access is disabled External Access Policy and NTLM is Disabled

Sri Todi — Thu, 23 Apr 2020 01:16:02 GMT

Emerging Issue - Remote Access is disabled External Access Policy and NTLM is Disabled

If legacy Authentication methods are turned-off externally by following https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/modern-authentication/turn-on-modern-auth, and remote access for the user is also disabled by External Access Policy a bug has emerged that causes clients on the external network to be in a infinite loop, trying to authenticate and get a 403 Forbidden error. This generally would happen whenever the client is not connected to VPN.

The bug manifests in many ways, some of which are mentioned below

Size of LCSCDR database can increase considerably, especially for the dbo.Registration table
CDR/QOE Reports may be delayed
In rare cases replication would show a single secondary as opposed to both active secondaries and would auto-correct after several hours

LYSS Database can experience an increase in size too, and you will notice

EVENT ID	Event id text	Notes
32056	Space Used by LYSS DB is within normal range	DB Utilization > 0% and < 40%
32057	Space Used by LYSS DB is at or above the Warning Threshold.	DB utilization > =40% and < 60%
32059	Space Used by LYSS DB is at or above the Critical Threshold	Db Utilization is >= 60%

Depending on the extent of time the issue has been occurring, the size of the environment and other factors as user-behavior the following EVENT IDs may also be see

Event id	Event ID text	Notes
32075	A full flush of all queue items for LYSS DB has started.
32076	A full flush of all queue items for LYSS DB has completed.
32089	A flush of queue items from the LYSS DB was initiated, and items were exported to the file system.
32090	Flushed queue Items from the LYSS DB have been left unattended to for some amount of time and require attention to be imported back.
32103	Fabric service id 'ROUTING GROUP GUID' is running with a reduced replication set.	Get-CsPoolFabricState will show that routing groups are in missing secondaries

You can run a SQL Query against LYSS database to confirm if indeed you have been experiencing issues with 4003 by running

Use lyss;

SELECT SUBSTRING ( CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])), CHARINDEX( '<MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) + 10, CHARINDEX( '</MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))- (10+CHARINDEX( '<MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))))) 'MsDiag' ,Count(1) 'Count' FROM [lyss].[dbo].[ItemQueue]

WHERE CHARINDEX( '<MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) > 0

Group by SUBSTRING ( CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])), CHARINDEX( '<MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader]))) + 10, CHARINDEX( '</MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))- (10+CHARINDEX( '<MsDiagId>', CONVERT(VARCHAR(MAX), CONVERT(VARBINARY(MAX), [ItemHeader])))))

Order by 2 desc

The output should look like

This issue has been fixed in a client update with version 16.0.11901.10000, but the default behavior hasn’t been updated. In-order to remediate the issue, you would need a client policy ( or a GPO) along with an updated client.

The fix to be effective we need a regkey ForbiddenRemoteAccessIsPermanentError as shown below.

Path: HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\16.0\Lync

KeyName: ForbiddenRemoteAccessIsPermanentError

Value: 1

The key can be pushed through client policy entry for e.g. adding the policy entry to global client policy

$a = New-CsClientPolicyEntry -name ForbiddenRemoteAccessIsPermanentError -value "True"

Set-CsClientPolicy -Identity Global -PolicyEntry @{Add=$a}

In-order for the client policy to be applied, a successful logon is required, so users need to sign-in atleast once, so the data is cached and used for subsequent failures

Once appropriate changes have been accomplished users will experience the following error message when logging on remotely

Please Note: At this point in time, only Skype for Business 2016 Client has a fix, and there are no planned changes for Skype for Business 2015 Client

We understand that updating the clients may take some time, and while the clients are being updated, organizations may want a work-around to prevent any work disruptions. At this point in time, we are recommending the following

Update Storage Service behavior to disable Auto Import functionality to allow for a controlled method for import of data and prevent any potential issues by running

Set-CsStorageServiceConfiguration -EnableAutoImportFlushedData $false

Perform a FULL Flush of storage service before the beginning of the day to prevent automatic export under load to happen during business hours, as it's resource-intensive ( CPU / Memory/ Disk / Network) by running
Invoke-CsStorageServiceFlush -FlushType FullFlush -PoolFqdn POOLFQDN

This may also prevent FabricReplicationSetReduction happening in your organization, if it was previously occurring

Finally, it's possible that XML files have been written to your file share that may needed to be imported for regulatory and/or compliance purposes. Please reach out to Microsoft Support to help you find ways how/when the data can be imported safely.

On-Premises Diagnostics for Skype for Business Server Are Now Available

Corbin Meek — Wed, 02 Dec 2020 15:05:57 GMT

November 12th, 2020 Update: Be sure to check out Joao's comment for an incremental update! Bug fixes and a few small enhancements.

The NextHop team is very pleased to announce the release of On-Premise Diagnostics (OPD) for Skype for Business Server. OPD is a collection of diagnostic scenarios, analyzers, rules and insights for diagnosing common issues in Skype for Business 2015 and 2019 on-premises and hybrid environments based on real world support expertise from Escalation Engineers in CSS.

Getting started

First you'll need to Install or upgrade to the latest version of OPD. Next, check out the instructions on How to use OPD. Then determine which scenario you would like to test for. Note that each scenario will have one or more unique tests. For our initial release, we're offering diagnostics for some of the top support issues for On-Premises Skype for Business Servers:

Scenario	Types of tests
Contact List	User contact list is not available
Federation	Federation is not working (On-Premises deployment) Federation is not working (Hybrid deployment)
Hybrid	IM and Presence problems between on premise and online users
Services	Skype for Business Server Frontend service is not starting
Exchange Integration	Checks the integration between Skype for Business Server and Exchange Hybrid deployment Checks the integration between Skype for Business Server and Exchange Online deployment Checks the integration between Skype for Business Server and Exchange On-Premises deployment

In the following screenshot we've chosen the Federation Scenario, here's a little teaser of what this looks like:

Please go try these in your environments and let us know how it's going by providing feedback to the team. We not only look forward to your feedback, we need it to make OPD better for you! We'd love to hear if these diagnostics solved issues for your or your customers' environments, any issues you encounter, and your top 3 to 5 scenarios you would like to see next.

Quick Links:

Install or upgrade to the latest version of OPD
How to use OPD
Provide feedback

Thanks!
The NextHop Team

Skype for Business 2019 - Control Panel Phase 2 Released

Hiren_Shah — Fri, 20 Mar 2020 06:19:56 GMT

Today, we have released the update for Skype for Business Server Control Panel! Please find the update here. This is a continuation to our earlier introduced phase one of modern control panel in July 2019 here.

We had covered ‘Home’ and ‘Users’ tab in first phase, in this second phase we introduce ‘Conferencing’ and ‘Federation and External Access’ tabs. The ‘Dial-In Access’ sub-tab in Conferencing is not ready yet and it will be part of the next phase.

We have also enabled Role Based Access Control (RBAC) to the Admin panel and the mechanism to provide different access permissions remains similar to the old Silverlight based panel.

We are working on the feedback received in the preview and will be addressing them in future updates. Top enhancements in the roadmap are - Auto redirect for URL to avoid remembering pool name, and Admins need not be SIP enabled, Single Sign On for tenant. As always, we’re happy to get feedback on the new Panel as we work on the next phase.

Now that CU3 has been released, we hope you’ll adopt it for better day-to-day admin experience.

Installation Instructions:

The installation steps are similar to Phase-1.

If you are installing the Control Panle for first time , see the steps below.

After running SSUI, you must run Bootstrapper.exe (this is necessary to install the required components) and run SSUI again.

Please install Management OData if not installed using below steps:

Open PowerShell in Administrator mode

Run command - Add-WindowsFeature ManagementOData

The administrator account must have CsAdministrator role privileges and must be SIP enabled

Launching and Using the Control Panel

Please put in https://<your pool FQDN>/macp manually in a supported browser, and the Control Panel should open. You can also click on the blue banner at the top of the old Control Panel to launch the new Panel. We are aware that the URL needs to be simplified and admins need not remember the pool name. This is in our pipeline and will be addressed in next CU. The login screen looks like the following:

Figure 1 : Login Screen

Once you hit the login screen, log in with your admin credentials.

Please try out the scenarios as you would in everyday usage, for ‘Conferencing’ and ‘Federation and External Access’ tabs such as creating, modifying Conferencing Policy, PIN policy, setting up Federation Domains, Setting up External Access Policy.

Figure 2 : Conferencing Policy screen

Figure 3 : External Access Policy Screen

Modern UI Experience

The control panel is designed with modern UI experience and has features to reflect the look and feel of modern-day admin page. The admin panel is responsive in design and supports 200% zoom for accessibility. Some highlighted UI experience items are as below -

Picker panel slides in and it is displayed in a right pane.

Figure 4 : Flyout panel from right for picker panel (Selecting site or pool from list)

Breadcrumb trail is displayed at the top which gives easy reference to the current stage in workflow.

Figure 5 : Breadcrumb trail

Role Based Access Control (RBAC)

For admin with full permissions the Admin panel looks as below –

Figure 6 : Full Access Admin panel

For Admin with limited permissions, the Admin panel will look like below –

Figure 7 : Limited Permissions Admin Panel

As mentioned earlier, the mechanism to provide different access permissions remains similar to the old Silverlight based panel.

 Providing Feedback

As always, we’re happy to get feedback on the new Panel as we work on the next phase. In the top right corner, you’ll see your login name. Click on the adjacent arrow, and you should see a drop-down. Hit ‘Give Feedback’, and you should see a browser window open with the discussion forum. Please do check the discussion to see if your question has already been addressed. We look forward to hearing from you!

Known Issue: Skype Directory Search Service Connections May Fail if TLS 1.2 Is Not Enabled on Edge

Corbin Meek — Thu, 05 Mar 2020 19:00:47 GMT

Our investigation determined TLS 1.0/1.1 were disabled pre-maturely on Skypegraph.skype.com - based on your feedback we re-enabled those protocols. We apologize for the inconvenience.

We’re investigating an emerging issue with Skype Directory Search for Skype for Business On-Premises to Skype Consumer chat capability. When searching for a Skype account in the Skype for Business Client, you might get the following error message:

An error occurred during the search. Please try again, and contact your support team if the problem continues.

Additionally, you may find the following error in the Lync event log on the impacted Edge servers:

Log Name:      Lync Server
Source:        LS Web Components Server
Date:          1/13/2020 8:53:26 AM
Event ID:      4106
Task Category: (1074)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      CE1210R2.contoso.com
Description:
The server selected for next hop could not be reached, or did not reply.

A server selected as a proxy target for HTTP traffic could not be reached or did not reply: skypegraph.skype.com. 
Performance Counter Instance:  
Failure occurrences: 4, since 1/13/2020 4:51:18 PM. 
Failure Details: WebException: The underlying connection was closed: An unexpected error occurred on a send.
Cause: The remote server may be experiencing problems or the network is not available between these servers.
Resolution:
Examine the event logs on the indicated server to determine the cause of the problem.

Based on our initial investigation it appears that the Skype Directory Search endpoints are refusing TLS 1.0 connections.

Workaround:

To fix this issue you need to enable your Edge servers to use TLS 1.2. Your Lync or Skype for Business Servers may require dependency updates, including .Net framework updates. All the requirements for enabling TLS 1.2 are documented here:

Disable TLS 1.0/1.1 in Skype for Business Server 2015

Note, this procedure is also supported on Lync Server 2013, for more information refer to the following blog post:

Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1

Once all the pre-requisite software updates are completed, you then need to deploy the prerequisite registry keys. This will enable your Edge servers to negotiate TLS 1.2 connections to the Skype Graph web service endpoints. You do NOT need to disable TLS 1.0 on the impacted Edge servers.

More Information:

Our investigation determined TLS 1.0/1.1 were disabled prematurely on skypegraph.skype.com endpoints. You should no longer have to set pre-requisites to work around this issue. We apologize for the inconvenience.

Lync and Skype for Business Server Base OS Upgrade Supportability

Corbin Meek — Mon, 06 Jan 2020 18:27:39 GMT

With the imminent end-of-life of support for Windows 2008 and Windows 2008 R2, we’ve received questions from customers surrounding the supportability of upgrading the base OS with Lync or Skype for Business Server installed on it. With this in mind, we wanted to provide a few key points in this area.

It is not supported to upgrade the base OS with Lync or Skype for Business Server installed.
All servers within a pool must run the same OS.
Paired pools must run the same OS.

Attempting to do so will cause problems, up to and including catastrophic failure of the pool.

The recommendation is to build a new pool to replace the existing pool and move users to the new pool. The previous hardware or resources can be used once the old pool has been drained of all users and workloads; this is known as the 'swing' upgrade method. Effectively, it would be a similar process to migrating Lync or Skype for Business Server versions.

Resources:

Migration:

Migration from Lync Server 2010 to Lync Server 2013

Migrating to Skype for Business Server 2019

Pool Pairing Guidance:

Supported pool pairing options and best practices for Lync Server 2013

When you plan which pools to pair, you must keep in mind that only the following pairings are supported:

Enterprise Edition pools can be paired only with other Enterprise Edition pools. Similarly, Standard Edition pools can be paired only with other Standard Edition pools.
Physical pools can be paired only with other physical pools. Similarly, virtual pools can be paired only with other virtual pools.
Pools that are paired together must be running the same operating system.

Released: Skype for Business Server 2019 CU1!

Rohit Gupta (SKYPE) — Wed, 24 Jul 2019 10:09:43 GMT

Earlier this month, we released the much awaited first Cumulative Update for Skype for Business Server! Please find the update here. We’ve been hard at work to ensure adherence to the high levels of stability that you expect from us. Now that CU1 (July 2019) has been released, we hope you’ll give it a try. Besides several bug fixes, this update also contains some of the features that you may have seen us talking about at our presentation in Ignite 2018.

The most notable feature is a React-based, Silverlight-less version of the Server Control Panel. If you’ve been working with the Skype for Business Server for some time, there most likely have been moments where you’ve wished the Control Panel was more modern, more sleek, and more reliable. With the first phase of the Control Panel included in this update, we’ve taken the first step towards improving the Control Panel experience. Please find more information about the Control Panel here. As always, we’re happy to get feedback on the Panel as we work on the next phase.

The next feature is also one that the Skype for Business community has been requesting for a while now – SEFAUtil cmdlets in PowerShell! We’re certain that this tool needs no introduction. We’ve gone ahead and built the SEFAUtil functionality directly into standard cmdlets that you can run from the PowerShell console. Please find more information about the cmdlets here.

Last but not the least, we’ve also built-in the ability to include RGS data in the standard Server backup feature. You will no longer have to manually export and import RGS data to back it up! Please find more information on this here.

In conclusion, we’d like to assure you that the Skype for Business Server product team is fully committed to supporting the product, and we’d love to keep getting feedback so we know which improvements to prioritize in order to improve the community’s experience with the Server. So, please keep the feedback coming!

On behalf of the product team,

Rohit Gupta

Program Manager, Skype for Business Server

Introducing Skype for Business Server 2019 Control Panel

Rohit Gupta (SKYPE) — Sun, 28 Jul 2019 08:39:11 GMT

Last week, we announced the availability of the first phase of the Skype for Business Server 2019 Control Panel, as part of the Skype for Business Server 2019 July 2019 Cumulative Update! As you’re probably aware from our presentation in Ignite 2018, we have been working to create a modern version of the Control Panel that does not rely on the Silverlight technology, which will be out of support soon, but instead is based on React. While the new Control Panel will not have all the functionality of the older Control Panel, we will be including a core functionality set that should cover most of your organization’s needs.

The first phase of the Control Panel consists of the ‘Home’ and ‘Users’ tabs, which let you perform the same tasks as in the old Control Panel. Future phases will ship in upcoming CUs, and we’ll keep the blog updated with the latest. Please note that this feature is in preview, so you may see some rough edges occasionally. If you do, we’d love it if you could report issues via the ‘Give Feedback’ link in the Control Panel. Read on for details.

Pre-requisites

After running SSUI, you must run Bootstrapper.exe (this is necessary to install the required components)

Please install Management OData if not installed using below steps:

Open PowerShell in Administrator mode
Run command - Add-WindowsFeature ManagementOData

You must have a recent version of one of the following browsers:

Microsoft Edge (version 44.17763.1.0 or higher is recommended)
Google Chrome (version 72.0.3626.121 or higher is recommended)
Mozilla Firefox (version 65.0.2 or higher is recommended)

Your administrator account must have CsAdministrator role privileges and must be SIP enabled.

Enable Contacts functionality is not yet implemented for the Users tab. RBAC isn’t implemented yet either, but will be implemented in a later update.

Launching and Using the Control Panel

Once you hit the login screen, log in with your admin credentials.

Please try out the scenarios as you would in everyday usage, for Home and Users tabs, such as moving users to Teams, setting up Hybrid, changing user properties, etc.

Users TabThe following additional step is required before running Move to Teams and Setting up Hybrid scenarios:

Run this script and provide your Office 365 Admin credentials.

The above step will create an Azure AD Application on Azure. This will help in signing into Office 365 using OAuth in the new Control Panel.

Providing Feedback

In the top right corner, you’ll see your login name. Click on the adjacent arrow, and you should see a drop-down like the below:Providing feedback

Hit ‘Give Feedback’, and you should see a browser window open with the relevant discussion forum. Please do check the discussion to see if your question has already been addressed. We look forward to hearing from you!

On behalf of the product team,

Rohit Gupta

Program Manager, Skype for Business Server

Skype for Business Server Public IM Federation is changing

Paul Cannon — Thu, 18 Jul 2019 20:54:28 GMT

If you currently have connected you Skype for Business Server to consumer IM federation, you will want to read this and insure you are configured for the future.

Federation between Skype for Business on-premise deployments and Skype (Consumer) will change on 8/15/2019 to use federated partner discovery, which is the same mechanism required for federation with Skype for Business Online. The pic.lync.com website that was formerly used to manually provision on-premise deployments for public IM connectivity will be shut down due to end of life. Communication between any on-premise Skype for Business deployment and Skype users via the existing Public IM infrastructure now requires the on-premise edge server configuration to be compatible with Skype for Business Online.

If the customer’s SfB deployment is currently using public IM connectivity but is not able to federate with Skype for Business Online due to their edge proxy FQDN configuration and/or their certificate is incompatible with federated partner discovery, they will need to update their deployment configuration by 8/15/2019. Failure to do so could lead to an interruption to public IM connectivity.

Please note this change may require the purchase of a new certificate.

Please visit our documentation on this issue to learn more.

Screen sharing from Skype Meetings App now supports Video-based Screen Sharing

Phillip Garding — Thu, 18 Jul 2019 20:08:11 GMT

Starting today, users who share their screen into a meeting from the Skype Meetings App (the web-downloadable meetings app for Skype for Business) can get the significantly improved performance of Video-based Screen Sharing (VbSS). While you won't see any changes in the way you present on-screen content during your meetings, you will notice that the connection time is drastically reduced, and the screen presentation is always in sync between presenter and viewer. Not only is VbSS faster, but it also more reliable and works better in case of low network bandwidth conditions.

When you start sharing, the app automatically chooses how to share your screen, but it will always choose VbSS when possible. In some cases, it may continue to use the older Remote Desktop Protocol if VbSS is not supported by the Skype for Business server hosting the meeting, someone is recording the session, or an attendee is using an older client version that does not support VbSS. Click here for information on VbSS technology and supported server and client versions.

For users who have previously downloaded and installed Skype Meetings App, this update will automatically download when they next join a meeting. We hope you enjoy the improved experience!

Application Sharing Failures after Applying July, 10 2018 Windows Security Fixes

NextHop_Team — Tue, 21 May 2019 00:57:12 GMT

First published on TECHNET on Jul 18, 2018
We are aware of an issue impacting Application Sharing on Lync Server 2013 and Skype for Business Server 2015 after applying the July 10, 2018 Security Patches for Windows operating systems. The Windows team has removed all bad packages from Windows Update and systems should no longer attempt to download an update which exposes this problem. New updates are being published through Windows Update and should be available for all operating systems by end of day July 17th.

The NextHop Team recommends that customers use Windows Update or update the catalogs on their own SUS servers to ensure the latest version of the update is available for installation on your Lync Server 2013 and Skype for Business Server 2015 Servers. Doing so will avoid any possible disruption to the ASMCU service which was impacted by the July 10th update.

Problem: Desktop or Application Sharing fails while in a meeting

The following events might be reported:

Log Name:      Lync Server

Source:        LS ApplicationSharing Conferencing Server

Event ID:     32011

Level:         Error

Description: The Application Sharing Server has failed to create a conference because of an internal failure.

Log Name:      Lync Server

Source:        LS User Services

Event ID:      32026

Level:         Warning

Description: Conference rollover failed.

Resolution:

Updated packages are now available via the regular release channels: Windows Update, Catalogue, WSUS. These updates should be applied based upon the operating system version you are using with Lync Server 2013 or Skype for Business Server 2015. When using Windows Update to apply an update, you will need to initiate a manual request in the Windows UI to find and download updates.

For Windows 2016, the update will be applied as a replacement to the package delivered on July 10th. Customers running Skype for Business Server 2015 on Windows Server 2016 should ensure that the latest operating system updates are applied. These updates are available now and can be applied to a production system regardless of previous updates installed.

For operating systems prior to Windows 2016, the update will be applied as an additional update to the updates released on July 10th. This means you must apply the July 10th update and then may need to execute Windows Update again to receive the additional update to fully resolve the issue. The updates for these operating systems should be fully published to all geographies on Windows Update by end of day July 18th (PDT).

The table below outlines the impacted KB for each operating system and the associated KB which must be applied to resolve the issue. In the case where there are multiple updates listed for an operating system, only one of the updates should be required. The presence of two updates is indicative of whether a rollup or individual security update is being used to update the operating system.

Operating System	Impacted Update	Update which must be applied
Windows Server 2016	KB 4338814	KB 4345418
Windows Server 2012R2	KB 4338824	KB 4345424
Windows Server 2012R2	KB 4338815	KB 4338831
Windows Server 2012	KB 4338820	KB 4345425
Windows Server 2012	KB 4338830	KB 4338816
Windows Server 2008R2 SP1	KB 4338823	KB 4345459
Windows Server 2008R2 SP1	KB 4338818	KB 4338821
Windows Server 2008	KB 4295656	KB 4345397

Get-CsPoolUpgradeReadinessState shows as Ready, Active Front-Ends count doesn’t match

Sri Todi — Thu, 13 Jun 2019 17:06:23 GMT

First published on TECHNET on Jun 20, 2018
Recently, I come across a particular scenario where Get-csPoolUpgradeReadinessState was showing as READY and Front-End Services were started across all Front-Ends, but the TotalActiveFrontEnds showed a number that was different from the total active Front-Ends in the Pool.

You will notice that UpgradeDomain3 has 1 Front-End Server associated, but then the Total Active Front-Ends is Zero. You will also notice that that the total Front-Ends ( in summary) only shows a 2 Active Front-Ends Servers.

Interestingly, Get-csPoolFabricState was not throwing any errors or warnings !!!

To troubleshoot the issue, we started by First checking, if the Front-End Server was failed-over and so we tried to Failback, but to our surprise, the server was not in a failed-over state, and hence Failback was not working ( expected).

Next, we started investigating by checking Windows Fabric Logs from C:\Program Data\Windows Fabric\Logs and then running a CLS Logging using a scenario called PowerShell.

In the plain-text log, we noticed the following

TL_WARN(TF_HADR) [LYNCPOOL01\LYNCENT03]8554.13B2C::06/18/2018-23:57:49.112.0000200D (PowerShell,FrontEndState.ReadPerfCounters:poolupgradereadinessstate.cs(568)) (000000000261B13F ) FE LYNCENT03.contoso.com is not connected to Fabric Pool Manager according to perf counter.

Based on this we decided to follow a blog entry, Get-CsPoolUpgradeReadinessState showing NOT READY or BUSY and found that the server LYNCENT03.contoso.com was indeed missing the permissions for RTC Server Local Group

So we first added the Local Group

And then updated the permissions to Full Control, and rebooted the server. Once the server was back online and services were running, we noticed that the output for Get-csPoolUpgradeReadinessState was showing Total Active Front-Ends as 3

Attention to detail is indeed important when patching a pool with multiple servers, to ensure that the pools are reporting healthy when indeed, there could be an issue with one or more servers reporting its state.

Disabling TLS 1.0/1.1 in Skype for Business Server 2015 On-Premises Part 3: Advanced Deployment Scenarios

NextHop_Team — Tue, 21 May 2019 00:56:06 GMT

First published on TECHNET on May 11, 2018

In Part 1 of our blog series we covered supportability scope, and prerequisites. In Part 2 , we covered how to update existing Skype for Business 2015 deployments. Here in Part 3, we will discuss some advanced implementation scenarios.

Because some dependency prerequisites are required to support TLS 1.2 in Skype for Business Server 2015, installing from RTM media will fail on any system where TLS 1.0 and 1.1 have been disabled.

Deploying New Standard Edition Servers or Enterprise Edition Pools once TLS 1.0 and 1.1 have been disabled in your environment

Option 1 : Use SmartSetup . Note that we are updating SmartSetup to accommodate the updated SQL binaries in a future CU, and will update this blog upon release.

Option 2 : Pre-install local SQL instances (RTCLOCAL and LYNCLOCAL)

Download and copy SQL Express 2014 SP2 (SQLEXPR_x64.exe) to local folder on FE. Let’s say folder path <SQL_FOLDER_PATH>

Launch PowerShell or Command Prompt and navigate to <SQL_FOLDER_PATH>

Create the RTCLOCAL SQL instance by running the command below. Wait until SQLEXPR_x64.exe finishes before proceeding:

- SQLEXPR_x64.exe /Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NTAUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automati

Create the LYNCLOCAL SQL instance by running the command below. Wait until SQLEXPR_x64.exe finishes before proceeding to the next step:

- SQLEXPR_x64.exe /Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=LYNCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NTAUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE=Automatic

Run Skype for Business Server 2015 RTM setup.

Follow the remaining steps from Part 2.

Option 3 : You may also manually replace binaries in a local installation media directory as follows:

Install Prerequisites Software for Skype for Business Server 2015 https://technet.microsoft.com/en-us/library/dn933900.aspx

Install .NET 4.7:
- Note : We first introduced support for .Net 4.7 in Skype for Business Server 2015 CU5+ (6.0.9319.281). Therefore, in later steps below we will be updating Core Components prior to the main install.
- Download: https://www.microsoft.com/en-us/download/details.aspx?id=5516
- Reference: https://technet.microsoft.com/en-us/library/dn951388.aspx#Software

Copy ISO Files/Folders:
- With the Skype for Business Server 2015 ISO attached, open the root directory of the drive it is attached as (Ex: D:\) in File Explorer.
- Copy all folders and files to a folder on a local disk (Ex: C:\SkypeForBusiness2015ISO)
- Note : Prior to installing components, some files will need to be updated for support of TLS 1.2.

Replace MSI/EXE Packages:
- Replace the existing MSI and EXE packages in the /Setup/amd64/ folder of the installation media on the local machine.
- SQL 2014 SP2 Express: https://www.microsoft.com/en-us/download/details.aspx?id=53167
  - Rename to SQLEXPR_x64 on the local machine, and replace the existing file in the Setup/amd64/ folder of the installation media.
- SQL Native Client: https://www.microsoft.com/en-us/download/details.aspx?id=50402
  - Note : Rename this if necessary to sqlncli.msi, and then replace the existing file that exists in the Setup/amd64/ folder of the installation media.
- SQL Management Objects: https://www.microsoft.com/en-us/download/details.aspx?id=53164
  - Note : The Feature pack will have a lot of items that can be downloaded. Select to download SharedManagementObjects.msi only.
  - Note: Replace the existing file that exists in the Setup/amd64/ folder of the installation media.
- SQL CLR Types: https://www.microsoft.com/en-us/download/details.aspx?id=53164
  - Note : The Feature pack will have a lot of items that can be downloaded. Select to download CQLSysClrTypes.msi only
  - Note : Replace the existing file that exists in the Setup/amd64/ folder of the installation media.

Install Core Components:
- Run Setup.exe from the Setup/amd64/ folder of the installation media. Follow the instructions to install Core Components
- Close Core Components.

Update Core Components:
- Download the Skype for Business Update Installer.
- Run the installer to update Core Components and install the performance counters.
- Note : As of the release of CU6HF2, the auto-update feature currently only will install up to CU6. Therefore, the updater must be run separately to update Core Components to 6.0.9319.516
- Reference: https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015

Install Administrative Tools (Optional):
- This will install the Microsoft SQL Server 2012 Native Client, SQL Server 2014 Management Objects (x64), and Microsoft System CLR Types for SQL Server 2014 (x64) using the updated files. Additionally, Skype for Business Server 2015's Topology Builder and Control Panel will be available on the local machine.

Install Local Configuration Store (Step 1):
- Open the Deployment Wizard, click Install or Update Skype for Business Server System, and click on Run at Step 1: Install Local Configuration Store.
- Click Next on the Install Local Configuration Store window.

Review the results, and ensure that the Task Status is Completed. Review the resulting log file by clicking View Log.

When done, click Finish.

9. Setup or Remove Skype for Business Server Components (Step 2):

Open the Deployment Wizard, click Install or Update Skype for Business Server System, and click on Run at Step 2: Setup or Remove Skype for Business Server Components.

Click Next at the Set Up Skype for Business Server Components window.

Review the log using View Log, and validate that setup completed without issues.

When done, click Finish.

10. Proceed with additional installation and configuration as required (you can resume normal installation procedures at this point).

Disabling TLS 1.0/1.1 in Skype for Business Server 2015–Part 2

NextHop_Team — Tue, 21 May 2019 00:55:32 GMT

First published on TECHNET on Apr 18, 2018
May 24, 2018 Update: Deployment steps have been updated based on additional validation testing. The steps have changed and now include pre-requisite registry keys. Please review the following document carefully!

In Part 1 of our Disabling TLS 1.0 and 1.1 Support for On-Premises Skype for Business deployments blog we covered the pre-requisites and supportability scope. In this blog we will go over how to disable TLS 1.0 and 1.1 in your environments.

Please review Part 1 to ensure all your servers, clients and devices are in scope, and that you have a plan to address any gaps. Except where noted in Part 1 , once TLS 1.0 and 1.1 are disabled out-of-scope servers, clients and devices will longer function properly, or at all. This may mean you need to pause and wait for updated guidance from Microsoft. Once you are satisfied you meet all requirements and have a plan to address gaps, proceed.

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .Net and SQL, deploying pre-requisite registry keys and finally a separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, require the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.

We want to follow the usual order of operations of "inside out" for upgrading Skype for Business servers. Treat Director pools, Pchat and Paired Pools in the same manner you normally would. Order and methods for upgrade are covered here and here .

High level process:

Test all steps in your lab prior to configuring production servers

Backup and preserve a copy of exported registry on each and every individual server to be updated. You cannot share registries between Servers, they contain unique machine based keys.

Upgrade all Skype for Business 2015 Servers to CU6 HF2 or higher

Install all pre-requisites to all servers

Deploy pre-requisite registry keys

Ensure all in-scope clients are updated (covered in Part I)

Disable TLS 1.0 and 1.1 via registry import

Validate workloads are functioning as expected
1. If problems encountered, troubleshoot and resolve or
2. Restore registry from step 2 to re-enable TLS 1.0 and 1.1

Validate only TLS 1.2 is being used

Install Pre-Requisites to All Servers

Extensive dependency updating is required before you begin to disable TLS 1.0 and 1.1 at the operating system level in your Skype for Business Server 2015 deployments. The following are the minimum versions that can support TLS 1.2. Deploy all pre-requisite updates across every Skype for Business server in your environment before you begin disabling TLS 1.0 and 1.1.

Skype for Business Server 2015 CU6 HF2 6.0.9319.516 ( March 2018 update ) or higher

. NET Framework 4.7 or higher with SchUseStrongCrypto enabled in the registry (provided below)

SQL must be updated on all Skype for Business 2015 servers and backends. Update Enterprise Edition Pool SQL Backends first, then their respective FEs.
- SQL Server 2014 SP1 + CU5 ( link ), or higher / SQL Server 2012 SP2 + CU16 or higher/ SQL Server 2014 RTM + CU12 ( link ) or higher / SQL Server 2014 SP2
- SQL Server Native Client for SQL Server 2012 ( link )
- Microsoft ODBC Driver 11 for SQL Server ( link ), or higher
- Shared Management Objects for SQL Server 2014 SP2 ( link )
- SQLSysClrTypes for SQL server 2014 SP2 ( link )

Basic steps to install pre-requisites, in recommended order of operations:

Install the Skype for Business Server CU6HF2 (6.0.9319.516) update to all servers.
1. Install the update to components using the updater.
2. Update databases according to documented procedures. Instructions are documented at https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015 .
3. Validate product functionality in the deployment prior to moving forward with any other changes.

Download .NET 4.7 Offline Installer
1. Reference: https://www.microsoft.com/en-us/download/details.aspx?id=55167
2. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
3. Reference: https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015
4. Ex (Standard Edition): Stop-CsWindowsServices
5. Ex (Enterprise Edition): Invoke-CsComputerFailover
6. Run the installer package.
7. Reboot the server.

Update SQL Express 2014 on all Servers
1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server .
2. Download SQL 2014 SP2
  1. Reference: https://www.microsoft.com/en-us/download/details.aspx?id=53168
3. Copy the installation media to a folder on the server (Ex: C:\01_2014SqlSp2)
4. Ensure Skype for Business Server 2015 services are stopped on the Front End server
  1. Ex (Standard Edition): Stop-CsWindowsService
  2. Ex (Enterprise Edition): Invoke-CsComputerFailove
5. Open an Admin Command Prompt, and upgrade all installed components and instances
  1. Example: C:\01_2014SqlSp2\SQLServer2014SP2-KB3171021-x64-ENU.exe /qs /IAcceptSQLServerLicenseTerms /Action=Patch /AllInstances

Update SQL Native Client
1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server .
2. Download from https://www.microsoft.com/en-us/download/details.aspx?id=50402
3. Ensure Skype for Business Server 2015 services are stopped on the Front End server.
  1. Ex (Standard Edition): Stop-CsWindowsServices
  2. Ex (Enterprise Edition): Invoke-CsComputerFailove
4. Stop the SQL instances installed from running
  1. Ex: Get-Service 'MSSQL$RTCLOCAL' | Stop-Servic
  2. Ex: Get-Service 'MSSQL$LYNCLOCAL' | Stop-Servic
  3. Ex (Standard Edition Only): Get-Service 'MSSQL$RTC' | Stop-Servic
5. Install the update.

Update ODBC Driver 11 for SQL Server
1. Reference: https://support.microsoft.com/en-us/help/3135244/tls-1-2-support-for-microsoft-sql-server .
2. Download from https://www.microsoft.com/en-us/download/confirmation.aspx?id=36434
3. Ensure Skype for Business Server 2015 services are stopped on the Front End server
  1. Ex (Standard Edition): Stop-CsWindowsService
  2. Ex (Enterprise Edition): Invoke-CsComputerFailove
4. Install the update.

Deploy pre-requisite registry keys

Pre-requisite registry keys:

Copy/paste the following test into Notepad and rename TLSPreReq.reg or a name of your choice, then import:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

"SchUseStrongCrypto"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp]

"DefaultSecureProtocols"=dword:00000AA0

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]

"DisabledByDefault"=dword:00000000

"Enabled"=dword:00000001

For SQL Back ends for Enterprise Edition Pools, pre-requisites and TLS disable should be treated as any SQL or OS updates would; refer to: https://docs.microsoft.com/en-us/skypeforbusiness/manage/topology/patch-or-update-a-back-end-or-standard-edition-server

While both the pre-requisite application and TLS disabling steps can be combined, we strongly recommend all pre-requisites be applied before proceeding with disabling of TLS 1.0 and 1.1 at the operating system level. The best practice approach would be to prepare the environment by deploying all pre-requisites, validating workloads all function correctly and as expected - then proceed with TLS 1.0/1.1 disable at a later time.

Disable TLS 1.0 and 1.1 via Registry Import

Before you proceed with the next steps, make sure you have completed all prerequisites and updated Skype for Business Servers .

Copy the following text into a notepad file and rename it TLSDisable.reg :

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL\00010002]

"Functions"="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256_P256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA256"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

"AllowInsecureRenegoClients"=dword:00000000

"AllowInsecureRenegoServers"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 128/128]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\AES 256/256]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC2 56/56]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA256]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA384]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\SHA512]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\ECDH]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\PKCS]

"Enabled"=dword:FFFFFFFF

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]

"DisabledByDefault"=dword:00000001

"Enabled"=dword:00000000

Import the .reg file on each server you wish to disable TLS 1.0 and 1.1. Reboot the server. Once the services have come back online, move to the next server. The approach for Enterprise Edition Pools is the same you would take for any OS update.

You may have noticed we are doing more than just disabling TLS 1.0 and 1.1 here. We are supporting Cipher Suite re-order (as shown above) and the disabling of some older weak ciphers. This is the first time we have officially supported these changes to SCHANNEL and Crypto API on Skype for Business Server, and it is important to note these changes are the only ones we support and have tested at this time. We may consider additional configurations in the future, but for now, please do not modify the registry import file in your implementation.

Validate Workloads are functioning as expected

Once TLS 1.0 and 1.1 have been disabled in your environment, check to ensure that all your main workloads are functioning as expected, such as IM & Presence, P2P calls, Enterprise Voice, et cetera.

Validate only TLS 1.2 is being used

Have your Security Team perform a new audit of Skype for Business traffic to ensure the older protocols TLS 1.0 and 1.1 are no longer in use.

Alternatively, you can use Internet Explorer to test TLS connections to web services from Skype for Business Server 2015 after TLS 1.0 and TLS 1.1 have been disabled.

Launch Internet Explorer

Select Tools > Internet Options

Select the Advanced tab

Under Settings, scroll to the bottom

Verify that TLS 1.0, TLS 1.1, and TLS 1.2 are enabled

Browse the Internal Web Service URL of your SfB 2015 pool (should connect successfully)

Go back into IE and disable the option to Use TLS 1.2 only

Browse the Internal Web Service URL of your SfB 2015 pool again (should fail to connect)

Disabling TLS 1.0/1.1 in Skype for Business Server 2015: Part 1

NextHop_Team — Tue, 26 Nov 2019 15:15:40 GMT

First published on TECHNET on Apr 18, 2018
May 16, 2019: Updates for SRSv2 Support for Skype for Business Server 2015, 2019

March 29, 2019: Updated information for Lync Room Systems (SRSv1)

August 8, 2018: Important Update to Lync Server 2013 Edge Role Supportability for TLS Disable

August 2, 2018: Clarified Support for SBA and SBS

May 24, 2018: Added In-place Upgrade scenarios to Supported; made changes to Pre-requisites and TLS Disable reg files based on additional validation testing; please review Parts 1 & 2 carefully as the deployment steps have changed.

Announcing Support for Disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises

We are pleased to announce supportability for disabling TLS 1.0 and 1.1 in Skype for Business Server 2015 On-Premises. In this blog series we'll cover the main drivers for disabling older TLS protocols in your On-Premises environment, what is in-scope, and out, for Supportability, and the steps required to disable TLS 1.0 and 1.1. This blog post will serve as the table of contents and will be updated as we publish additional guidance. This information is authoritative and should be considered official Microsoft documentation from the Skype for Business Product Group.

Note that we are not covering Office 365 in this series of blog posts with the exception of preparing your On-Premises environment to communicate with Office 365 in Hybrid or Federation scenarios once TLS 1.0 and 1.1 are deprecated. For more information see Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business.

Also note we have not made any changes to our Pseudo-TLS implementation. Pseudo-TLS is not impacted by disabling TLS 1.0/1.1 on Skype for Business Servers and an in-depth discussion of MS-TURN Pseudo-TLS is beyond the scope of this blog series. However, all previous guidance still applies - some HTTP proxies or firewalls may interfere with the MS-TURN protocol and prevent Lync/Skype for Business clients and servers from functioning properly. In releasing support for disabling TLS 1.0/1.1 in your Skype for Business Server On-Premises environments we are not suggesting you begin actively monitoring and blocking MS-TURN (Lync/Skype) Pseudo-TLS on HTTP proxies and firewalls, in fact this practice remains unsupported.

Blogs in this Series

Part 1: Introduction and Scope (this blog)

Part 2: How-to Update an Existing Topology

Part 3: Advanced Deployment Scenarios

Introduction

The purpose of this blog series is to provide the necessary guidance for you to prepare for and implement disabling TLS 1.0 and 1.1 in your environments. This process requires extensive planning and preparation. Please carefully review all of the information in this blog series as you make your plan to disable TLS 1.0 and 1.1 if required for your organization. Note that there are many external dependencies and connectivity that could be impacted by disabling TLS 1.0/1.1 so extensive planning and testing is warranted.

Background

The primary drivers for providing TLS 1.0 and 1.1 disable support for Skype for Business Server On-Premises are Payment Card Industry (PCI) Security Standards Council and Federal Information Processing Standards requirements. More information for PCI requirements can be found here . Microsoft cannot provide guidance on whether or not your organization is required to adhere to these or other requirements. You must determine if it is required for you to disable TLS 1.0 and/or 1.1 in your environments.

Microsoft has produced a whitepaper on TLS available here , and we also recommend the background reading available over at the Exchange blog .

Supportability Scope

Scope refers to supportability boundaries. For Skype for Business Server On-Premises, in scope means we fully support and have tested disabling of TLS 1.0 and 1.1 for the listed product versions. Currently being investigated means just that; we are actively investigating bringing these products into scope for TLS disable support. Out of scope means these product versions do not support disabling TLS 1.0 or 1.1 and will not work, with noted exceptions.

Fully tested and supported Servers:

Skype for Business Server 2015 CU6 HF2 6.0.9319.516 ( March 2018 update ) and higher on
In-place Upgraded Skype for Business Server 2015, with CU6 HF2 and higher on

Exchange Connectivity and Outlook Web App with Exchange Server 2010 SP3 RU19 or higher, guidance here

Survivable Branch Appliance (SBA) with Sfb Server 2015 CU6 HF2 or higher (it is the vendor's responsibility to package the appropriate CU and provide it, be sure to confirm with your vendor that the updates have been made available for your appliance)

Survivable Branch Server (SBS) with SfB Server 2015 CU6 HF2 or higher

Lync Server 2013 Edge Role Only**

Fully tested and supported Clients:

Lync 2013 (Skype for Business) Desktop Client, MSI and C2R, including Basic 15.0.5023.1000 and higher

Skype for Business 2016 Desktop Client, MSI 16.0.4678.1000 and higher , including Basic

Skype for Business 2016 Click to Run Require the April 2018 Updates :

Skype for Business on Mac 16.15 and higher

Skype for Business for iOS and Android 6.19 and higher

Skype Web App 2015 CU6 HF2 and higher (ships with Server)

Skype Room Systems v2 (a.k.a. SRSv2 or Microsoft Teams Rooms) version 4.0.64.0 and higher with Skype for Business Server 2015 May 2019 Cumulative Update
Surface Hub v1 with
May 28, 2019—update for Team edition based on KB4499162* (OS Build 15063.1835)
*Requires Skype for Business Server 2015 May 2019 Update or Skype for Business Server July 2019 Update (CU1)

Call Quality Dashboard version 9319.17 and higher

Out-of-Scope

Except where noted, the following products are not in scope for TLS 1.0/1.1 disable support and will not function in an environment where TLS 1.0 and 1.1 have been disabled. What this means: if you still utilize out-of-scope servers or clients you must update or remove these if you need to disable TLS 1.0/1.1 anywhere in your Skype for Business Server on-premises deployment.

Lync Server 2013**

Lync Server 2010

Windows Server 2008 and lower

Lync for Mac 2011

Lync 2013 for Mobile - iOS, iPad, Android or Windows Phone

Skype for Business for Windows Phone - retired

Lync "MX" Windows Store client

All Lync 2010 clients

Lync Phone Edition - updated guidance here .

2013 based Survivable Branch Appliance (SBA) or Survivable Branch Server (SBS)

Cloud Connector Edition (CCE)***

Lync Room System (a.k.a. SRSv1) - updated guidance here .

Exceptions

Call Quality Dashboard:

Versions of On-Premises Call Quality Dashboard prior to 9319.31 have a dependency on TLS 1.0 during new install (first time installing into your On-Premises environments). This is now fixed, refer to Call Quality Dashboard installation fails if TLS 1.0/1.1 isn't enabled correctly or disabled on Skype for Business Server 2015

**Lync Server 2013:

Lync Server 2013 now supports TLS 1.2 with the July, 2018 Cumulative Update , a.k.a. "CU10". We're providing TLS 1.2 support to enable co-existence, migration, Federation and Hybrid scenarios. This does not mean, however, that we support disabling TLS 1.0 or 1.1 on Lync Server 2013. In fact, doing so will render Lync Server 2013 nonoperational.

Lync Server 2013 ( all roles except Edge ) takes a dependency on Windows Fabric version 1.0. In the design phase for Lync Server 2013, Windows Fabric 1.0 was chosen for its compelling and new distributed architecture to provide replication, high availability and fault tolerance. Over time, both Skype for Business Server and Windows Fabric have greatly improved this joint architecture with significant re-design in subsequent versions. Current Skype for Business 2015 Server uses Windows Fabric 3.0, for example.

Unfortunately, Windows Fabric 1.0 does not support TLS 1.2 . Therefore it remains unsupported to disable TLS 1.0 or 1.1 on all roles of Lync Server 2013 except Edge.

We are now providing support for disabling TLS 1.0 and 1.1 on Lync Server 2013 Edge role only . Because Edge role does not have a dependency on Windows Fabric 1.0, this means you can disable TLS 1.0 and 1.1 on your 2013 Edge servers and they will continue to function properly. For example it is supported to disable TLS 1.0 and 1.1 on Lync Server 2013 Edge servers with Lync Server 2013 Front End pools, as long as all pre-requisites are met, especially Lync Server 2013 CU10. All pre-requisites and configuration steps that apply to Skype for Business Server 2015 in this blog series also apply to 2013 Edge. Follow the same instructions for disabling TLS 1.0 and 1.1 on Lync 2013 Edge.

If your organization is required to disable TLS 1.0 and 1.1 on an unsupported server version/role, we recommend you begin your planning process now with the possibility you may have to In-place upgrade or Side-by-Side migrate (new pools, move users) to Skype for Business Server 2015 or higher. Or you may want to accelerate migration to Skype for Business Online.

***Cloud Connector Edition (CCE):

CCE currently works with and supports TLS 1.2 when connecting to Skype for Business Online. However, it remains unsupported to disable TLS 1.0 and 1.1 on CCE systems. Further, attempting to do so will render CCE systems inoperable.

3rd Party Devices

On 3rd party devices such as 3PIP phones, Video conferencing, Reverse Proxies and Load Balancers, be sure to validate TLS 1.2 supportability, test carefully, and contact the vendor if needed.

Federation Considerations when disabling TLS 1.0/1.1 on Edge Servers

You must carefully plan for and consider the impact of disabling TLS 1.0/1.1 on your Edge servers. Once TLS 1.0 and 1.1 are disabled, you may find that other organizations are no longer be able to Federate with your organization.

You may opt to keep TLS 1.0/1.1 enabled on your Edge servers to maintain backward compatibility with non-patched (SfB 2015, Lync 2013) or older (2010) external systems.

Further, we highly recommend reading Preparing for TLS 1.0/1.1 Deprecation - O365 Skype for Business. If you operate a Hybrid Lync or Skype for Business Server organization or Federate with Office 365 Skype for Business Online customers, this may impact you.

Microsoft cannot provide advice or recommendations on whether or not your Edge network (or any network) falls under PCI standard, that must be determined by the individual company.

Skype for Business Online is capable of TLS 1.2 today, so no impact to Hybrid/Federation with Online is expected.

PIC (Public IM Connectivity) to Skype Consumer service: We do not expect disabling TLS 1.0/1.1 to impact Skype Connectivity ; Microsoft PIC Gateways are already TLS 1.2 capable.

In the next post we'll detail all the prerequisites and necessary steps to disable TLS 1.0/1.1 in your Skype for Business Server 2015 environment.

SFB online Client Sign in and Authentication Deep Dive ;Part 7 (Hybrid)

Mohammed Anas Shaikh — Tue, 21 May 2019 00:55:08 GMT

First published on TECHNET on Apr 13, 2018
Scenario: SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is enabled ON premise through On premise AD (NOT Hybrid MA EVOSTS) and also enabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - ex3@cloudsfb.com

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to External web services URL (ON Premise Reverse Proxy) which in this case is webext.cloudsfb.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to ON PREM Modern Auth Provider ( https://sts.cloudsfb.com/adfs/oauth2/authorize )

Now in order to authenticate the client reaches out to https://sts.cloudsfb.com/adfs/oauth2/authorize and requests a Token, The intention here is to Get a Token from https://sts.cloudsfb.com/adfs/oauth2/authorize

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, https://sts.cloudsfb.com/adfs/oauth2/authorize will issue the modern Auth Token to the client

The Client then submits this token that it received https://sts.cloudsfb.com/adfs/oauth2/authorize to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

Since the SFB user is homed Online, In Response Autodiscover will provide the Online Autodiscover webservices URL's names ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=cloudsfb.com )

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net)

Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com

Since the tenant is enabled for ADFS the client is then redirected to the ON Premise ADFS server

SFB client will then send a request to ADFS server and request a token

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client

The Client then submits this token to login.microsoftonline.com which in turn passes the client to Login.windows.net

The Client then submits this token that it received from Login.windows.net to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 26 above

The client will submit the same webticket obtained in step 26 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - ex3@cloudsfb.com

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

The SFB Client learns that it needs to Contact https://webext.cloudsfb.com/ (This is the External webservices URL for autodiscover on the ON Premise SFB environment)

It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in)

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service.

Now since we have Modern Auth enabled ON Premise the Web Ticket Service will redirect the client to the MA provider URL for ON PREM - <af:OAuth af:authorizationUri= https://sts.cloudsfb.com/adfs/oauth2/authorize xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

We can see this below

The Client will Now send a Request to https://sts.cloudsfb.com/adfs/oauth2/authorize to get the MA Token, You will see several HTTP GET and POST messages exchanged between Client and https://sts.cloudsfb.com/adfs/oauth2/authorize during this process. Below screen shot lists some of them

During the above process the Client will be challenged for password by MA or if the user had signed in before and the password is saved in Credential manager then this password will be passed and user may not see the Prompt.

Finally the Client will receive a Token from MA provider, you can see this below

The Client will then Submit this token to the Webticket service which will then issue a Webticket, This can be seen below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - /Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&sipuri=ex3@cloudsfb.com

In response it will now receive the Online Autodiscover webservices URL names

You can see this in the trace below

Now the Client will send a Unauthenticated Get request to Webdir2a.online.lync.com and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. Now since Modern Authentication is enabled on the Tenant, in order to grant the webticket the client will first need to get a Token from the Modern Auth provider so the client is redirected to the Modern Auth provider URL - <af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

The Client then sends a request to the MA/Oauth URL to request a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to - login.microsoftonline.com.

Below is the Request that client sends to the MA/OAUTH URL and in response it is redirected to AD - login.microsoftonline.com

We have to remember that "The intention here is to Get a Token from login.windows.net" we will see several exchanges happening between client to login.microsoftonline.com. Below are screen shots showing these exchanges.

Now, Since the customer has ADFS, the Modern Auth provider will redirect the client to the ADFS Server. Below is the screen shot showing login.microsoftonline.com redirecting the client to ADFS

The Client will then reach out to ADFS to get an ADFS Token. The Next Two Screen shots show that;

(This is where the user might get prompted to enter credentials or if his credentials are already stored in credential manager then those credentials will be passed in the background and the user may not see the prompt)

The Client will then Submit this Token to Login.microsoftonline.com, where it will be redirected again to https://Login.windows.net and https://Login.windows.net will finally provide the client with the Modern Auth Token, This is shown in the two screen shots below

Now the client will submit this token to the webticket URL, and the Webticket service will issue the webticket, Shown below

The client will then submit this webticket to Autodiscover and in return it will receive the POOL names where it has to send the Register to Sign in.

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, The client will send a request to the Cert Provisioning URL where it will be challenged to get a Webticket. The client has to first get a Web ticket from the webticket service URL, to get a web ticket it needs to get a Token from Modern Auth Provider, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received previously to the Cert provisioning URL it received above, after this it receives a 200 OK in which it receives the Certificate

The clients will then submit this certificate back to the pool and will receive a 200 OK in response. The Sign in is then complete

Sign in is NOW Complete!!!

SFB online Client Sign in and Authentication Deep Dive ;Part 6 (Hybrid)

Mohammed Anas Shaikh — Tue, 21 May 2019 00:49:21 GMT

First published on TECHNET on Apr 13, 2018

Scenario: SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is enabled ON premise through On premise AD but Disabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - ex2@cloudsfb.com

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to External web services URL (ON Premise Reverse Proxy) which in this case is webext.cloudsfb.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to ON PREM Modern Auth Provider ( https://sts.cloudsfb.com/adfs/oauth2/authorize )

Now in order to authenticate the client reaches out to https://sts.cloudsfb.com/adfs/oauth2/authorize and requests a Token, The intention here is to Get a Token from https://sts.cloudsfb.com/adfs/oauth2/authorize

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, https://sts.cloudsfb.com/adfs/oauth2/authorize will issue the modern Auth Token to the client

The Client then submits this token that it received https://sts.cloudsfb.com/adfs/oauth2/authorize to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

Since the SFB user is homed Online, In Response Autodiscover will provide the Online Autodiscover webservices URL's names ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=cloudsfb.com )

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service which requires the client to provide a Token from Org ID (login.microsoftonline.com)

Now in order to authenticate the client reaches out to Ord ID and requests a Token

Since the tenant is enabled for ADFS the client is redirected to the ON Premise ADFS server https://sts.cloudsfb.com

SFB client will then send a request to ADFS server and request a token

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client

The Client then submits this token to Org ID

ORG ID will now issue its own Token to the client

The Client then submits this token that it received from ORG ID to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 24 above

The client will submit the same webticket obtained in step 24 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

The SFB Client learns that it needs to Contact https://webext.cloudsfb.com/ (This is the External webservices URL for autodiscover on the ON Premise SFB environment)

It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in)

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service.

Now since we have Modern Auth enabled ON Premise the Web Ticket Service will redirect the client to the MA provider URL for ON PREM - <af:OAuth af:authorizationUri= https://sts.cloudsfb.com/adfs/oauth2/authorize xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

We can see this below

The Client will Now send a Request to https://sts.cloudsfb.com/adfs/oauth2/authorize to get the MA Token, You will see several HTTP GET and POST messages exchanged between Client and https://sts.cloudsfb.com/adfs/oauth2/authorize during this process. Below screen shot lists some of them

During the above process the Client will be challenged for password by MA or if the user had signed in before and the password is saved in Credential manager then this password will be passed and user may not see the Prompt.

Finally the Client will receive a Token from MA provider, you can see this below

The Client will then Submit this token to the Webticket service which will then issue a Webticket, This can be seen below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - /Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&sipuri=ex2@cloudsfb.com

In response it will now receive the Internal and External addresses of the Pool names where the user is Homed.

You can see this in the trace below

Now the Client will send a Unauthenticated Get request to Webdir2a.online.lync.com and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service and in response it receives the actual individual Web ticket service URL's

The Client has to submit a Request to this web ticket URL now in order to obtain a web ticket. But if it does that then it will need to authenticate first, unless the Client authenticates itself it will not be issued a web ticket. Since this user is Homed in SFB online the Client needs to reach out to O35 AD (Org ID) to get authenticated first

The Client sends a POST request to Reach Org ID to get a Token, Here it learns that the tenant is enabled for ADFS and is Redirected to ADFS URL

You can see that below

The Client then Reaches ADFS and requests a Token and in Response ADFS will provide the client a Token

The Client Will Submit the ADFS token back to Org ID and in response Org ID will issue a Token to the Client

You can see that below

Once the Client receives a Token from O365 AD (Org ID) it then submits this token to the Web Ticket Service https://webdir2a.online.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer

In Response the Web Ticket Service will now Issue the Client a Web Ticket. You can see this in the Trace below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=cloudsfb.com&sipuri=ex2@cloudsfb.com

In response it will now receive the Internal and External addresses of the Pool names where the user is Homed.

You can see this in the trace below

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, The client will send a request to the Cert Provisioning URL where it will be challenged to get a Webticket. The client has to first get a Web ticket from the webticket service URL, to get a web ticket it needs to get a Token from Org ID, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received previously to the Cert provisioning URL it received above, after this it receives a 200 OK in which it receives the Certificate

The clients will then submit this certificate back to the pool and will receive a 200 OK in response. The Sign in is then complete

Sign in is NOW Complete!!!

SFB online Client Sign in and Authentication Deep Dive ;Part 5 (HYBRID)

Mohammed Anas Shaikh — Tue, 21 May 2019 00:44:45 GMT

First published on TECHNET on Apr 13, 2018
Scenario: SFB Hybrid environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is Disabled ON premise but is Enabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How does it Work?

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - test2@sfbisgreat.info

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to External web services URL (ON Premise Reverse Proxy) which in this case is webext.cloudsfb.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service

Here the Client has to Authenticate (NTLM). The Client may receive a Password prompt (or previously saved password from credential manager is passed)

Once the password is provided, Webticket service will issue a Webticket to the client.

The client then submits this webticket to Autodiscover

Since the SFB user is homed Online, In Response Autodiscover will provide the Online Autodiscover webservices URL's names ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=sfbisgreat.info )

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net)

Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com

Since the tenant is enabled for ADFS the client is then redirected to the ON Premise ADFS server

SFB client will then send a request to ADFS server and request a token

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client

The Client then submits this token to login.microsoftonline.com which in turn passes the client to Login.windows.net

The Client then submits this token that it received from Login.windows.net to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 23 above

The client will submit the same webticket obtained in step 23 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

The SFB Client learns that it needs to Contact https://webext.sfbisgreat.info/ (This is the External webservices URL for autodiscover on the ON Premise SFB environment)

It then tries to Do a TCP handshake with webext.cloudsfb.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in)

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. In response it will receive a 401 and the authentication method supported is listed as NTLM, You can see that in the screen shot below

The Next few exchanges between the Client and Webticket service will be for NTLM Challenge and response. You will see multiple POST requests and 401 between the Client and Webticket service

Finally the client will provide the password (the user may get prompted to enter their password here or the existing password in Credential manager might be used)

Once the correct password and username is provided the Webticket service will issue a Web Ticket to the Client. You can see that below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - https://webext.sfbisgreat.info/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=sfbisgreat.info&sipuri=test2@sfbisgreat.info

In response it will now receive the Internal and External addresses of the Pool names where the user is Homed.

You can see this in the trace below

Now the Client will send a Unauthenticated Get request to Webdir2a.online.lync.com and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. Now since Modern Authentication is enabled on the Tenant, in order to grant the webticket the client will first need to get a Token from the Modern Auth provider so the client is redirected to the Modern Auth provider URL - <af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

The Client then sends a request to the MA/Oauth URL to request a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to - login.microsoftonline.com.

Below is the Request that client sends to the MA/OAUTH URL and in response it is redirected to AD - login.microsoftonline.com

We have to remember that "The intention here is to Get a Token from login.windows.net" we will see several exchanges happening between client to login.microsoftonline.com and login.windows.net. Below are screen shots showing these exchanges.

Now, Since the customer has ADFS, the client will now be redirected to the ADFS Server. Below is the screen shot showing login.microsoftonline.com redirecting the client to ADFS

The Client will then reach out to ADFS to get an ADFS Token. The Next Two Screen shots show that;

(This is where the user might get prompted to enter credentials or if his credentials are already stored in credential manager then those credentials will be passed in the background and the user may not see the prompt)

The Client will then Submit this Token to Login.microsoftonline.com, where it will be redirected again to https://Login.windows.net and https://Login.windows.net will finally provide the client with the Modern Auth Token, This is shown in the two screen shots below

Now the client will submit this token to the webticket URL, and the Webticket service will issue the webticket, Shown below

The client will then submit this webticket to Autodiscover and in return it will receive the POOL names where it has to send the Register to Sign in.

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, The client will send a request to the Cert Provisioning URL where it will be challenged to get a Webticket. The client has to first get a Web ticket from the webticket service URL, to get a web ticket it needs to get a Token from Modern Auth Provider, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received previously to the Cert provisioning URL it received above, after this it receives a 200 OK in which it receives the Certificate

The clients will then submit this certificate back to the pool and will receive a 200 OK in response. The Sign in is then complete

The Sign in is now Complete

Skype for Business Application Sharing Fails Intermittently

NextHop_Team — Tue, 21 May 2019 00:39:52 GMT

First published on TECHNET on Apr 11, 2018
Author: Kenn Guilstorf , Senior Escalation Engineer, Skype for Business

We’ve seen a large number of cases come through recently where application sharing with 32-bit Skype for Business 2015 and 32-bit Skype for Business 2016 clients (collectively, S4B) is failing intermittently. This usually happens when S4B has been running continuously for a long period of time (think many days or even weeks) and/or when Skype for Business is running on a display containing multiple monitors. The latter case is especially true when several of the existent monitors are running with a high resolution (such as running several 2k monitors, 4k monitors or above; a 2k monitor is any monitor with a horizontal resolution of 2,000 pixels or more and 4k monitors are those that support a horizontal resolution of 4,000 pixels or more).

The problem here isn’t really with S4B but rather with the 32-bit architecture. When Skype for Business 2015 or 2016 is used for application sharing, it needs to be aware of every pixel on every monitor because the end-user can move the window for the shared application to any monitor at any time. S4B keeps track of this data by creating a buffer that is large enough to accommodate the color of every pixel on every monitor. To do this, it adds up the horizontal resolution of all of the monitors and multiplies that total by the largest vertical resolution of any of the monitors. Once S4B has calculated width times height, it multiplies that total by the maximum number of color bit-planes supported by any of the monitors.

An example might describe this process better. Let’s say you have three monitors on your computer with resolutions of 800x600x8bpp, 3440x1900x32bpp, and 1900x1600x16bpp respectively. S4B adds up the horizontal resolutions (800 + 3440 + 1900 = 6140) and multiplies the total by the largest of the vertical resolutions (1900, in this case). Finally, it multiplies the product by the highest bitplane (32bpp or 32 bits-per-pixel, in this case). That equation becomes 6140 x 1900 x 4 bytes (since a byte is 8-bits, then 32 bits is 4 bytes) for a total of about 46.7 megabytes of contiguous buffer space required – that is, the buffer memory CANNOT be segmented; it must be in one long array of bytes.

In 32-bit architecture, each process only has 4GB because a 32-bit register can only address 4GB of memory space. This 4GB is then cut in half so that the process really only has 2GB and the Operating System gets the other 2GB (note that this changes if every binary in a process is large address aware – but Skype isn’t large address aware because some of the dynamic link libraries it loads aren’t).

2GB of memory seems like a lot and, when S4B is first opened, it really is. When it is first run, the Skype for Business 2015/2016 32-bit client generally uses between 100 and 300k of memory. However, Skype has a great many objects of various sizes that it needs to keep track of – things like contacts, folders, presence and so on. After the client has been running for a long period of time without being restarted (days or weeks depending on how many meetings are joined, how many IMs are sent and so on) the constant creation and destruction of these objects can cause Skype’s memory to become fragmented and the footprint of Skype to grow. After such a time, it can become impossible for Skype to allocate enough contiguous memory to satisfy the need to store the display bitmap necessary for application sharing on high definition displays. The higher the resolution of the set of monitors, the worse this will become. This is a reason why S4B (even the 64-bit version) supports only a single high-resolution monitor for application sharing scenarios.

If there is a need to use multiple 2k/4k/UHD devices or many high-resolution monitors, Microsoft recommends that customers test using 64-bit S4b (which, although still not officially supporting multiple high-resolution monitors, is not limited by 32-bit architecture) or use desktop sharing rather than application sharing; desktop sharing basically bifurcates the display device stream which requires a much smaller buffer and shouldn’t cause as many memory restriction issues.

Skype for Business Recording Manager Fails to Publish Video

Sri Todi — Tue, 21 May 2019 00:39:44 GMT

First published on TECHNET on Apr 11, 2018

Skype for Business Administrators can configure a client policy to allow recordings during meetings. When the policy is configured, users will have the ability to record a meeting, and then publish either some or all contents in the meetings. A common example would include content shared during trainings, so the material can be used again and again.

When recording is started, several streams of video are recorded and then saved onto the following path %userprofile%\AppData\Local\Microsoft\Communicator\Recording Manager\Temporary Recording Files\ and once recording has stopped, Skype for Business Recording Manager (OCPubMgr.exe) is launched to allow a user to publish the recording.

This process (OCPubMgr.exe) is responsible to combine the different streams of Audio and Video and publish the requested items as a single MP4 Video, which by default is configured at 15 fps ( to change the VideoFrameRate to 30 fps please see: When a recording is published using Lync or Skype for Business 2015/2016, the quality seems sub-par, deteriorated or jerky ). Since the process is mixing several audio and video streams, it will consume both memory and processing, and it’s best to publish recording, when other applications are closed, to ensure the best possible BitRate in the published video. If a system is running on battery, then Publishing Manager will not start the mixing process, and will have the status as “ Pending… ”.

In some cases, especially in the MSI install method we can seen that content shared using Desktop Sharing on some random machines seem to fail when publishing the video. To further elaborate, Application Sharing or Desktop Sharing can occur either using Video Based Screen Sharing (VBSS) or by relying on RDP to capture tiles, and transmit the tiles, when RDP is used, we do not use on H.264 video codec, but create the screensharing video using a proprietary codec called MS ATC Screen Codec ( often referred as MSA1 CODEC).

Upon investigation, we found that the Skype Client uses the CODEC directly to encode the video and write the files to disk, and when Skype for Business Recording Manager (OCPubMgr.exe) is used to publish the video, it relies on the binaries for Windows Media Player to combine all the videos into a single video in MP4 Format.

In-order to troubleshoot we would suggest to check the list of CODECs that are registered in Windows Media Player

How can I find out which codecs are installed on my PC?

1. On the Help menu in Windows Media Player, select About Windows Media Player.

If you can't see the Help menu, select Organize, select Layout, and then select Show menu bar.

2. In the About Windows Media Player dialog box, select Technical Support Information.

Your web browser will open a page that includes a lot of detailed info about the related binary files, codecs, filters, plug-ins, and services installed on your PC. You might be able to use this info to help troubleshoot problems.
Source: CODEC: Frequently Asked Questions

If you do not have Windows Media Player installed in your Install of Windows 10, please install the same

Open Settings , go to Apps > Apps & Features , and click on Manage optional features .
Select Add a feature and then scroll down to the Windows Media Player entry and click on Install .

If you try to play the file AppSharing_ xx .wmv, you should get the following error in Windows Media Player

To remediate the issue, we can register the CODEC. This can be accomplished by running the following from an elevated command prompt.

Note: The exact location of the SCDEC.dll would very depending on the version of Office installed (i.e Office 2013 or Office 2016 and 32 bit or 64 bit) .

Now, if we see the list of installed CODECs, we should see the codec installed and registered in Windows Media Player

Now, if we re-encode the video, the Publishing Manager should be able to publish the video successfully. If you still are experiencing an issue, we suggest to ensure that the RAW data not be modified, and you open a Service Request

SFB online Client Sign in and Authentication Deep Dive ;Part 4

Mohammed Anas Shaikh — Tue, 21 May 2019 00:38:52 GMT

First published on TECHNET on Apr 09, 2018
Scenario: Pure Online (O365) environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is Enabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - NJ@JohnsonDataSystems.com

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to Webdir.online.lync.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=johnsondatasystems.com

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service ( https://webdir2a.online.lync.com/WebTicket/WebTicketService.svc ) where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net)

Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com

Since the tenant is enabled for ADFS the client is then redirected to the ON Premise ADFS server https://sts.cloudsfb.com

SFB client will then send a request to ADFS server and request a token

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client

The Client then submits this token to login.microsoftonline.com which in turn passes the client to Login.windows.net

The Client then submits this token that it received from Login.windows.net to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 16 above

The client will submit the same webticket obtained in step 16 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - NJ@JohnsonDataSystems.com

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

You can see the request and Response below

The SFB Client learns that it needs to Contact https://webdir2a.online.lync.com/

It then tries to Do a TCP handshake with webdir2a.online.lync.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in)

The client then sends a request to the Autodiscover URL for its own domain (in my case @ JohnsonDataSystems.com ) and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service. Now since Modern Authentication is enabled on the Tenant, in order to grant the webticket the client will first need to get a Token from the Modern Auth provider so the client is redirected to the Modern Auth provider URL - <af:OAuth af:authorizationUri="https://login.windows.net/common/oauth2/authorize" xmlns:af="urn:component:Microsoft.Rtc.WebAuthentication.2010" />

The Client then sends a request to the MA/Oauth URL to request a Token, The intention here is to Get a Token from login.windows.net

From this point onwards we will see that login.windows.net will redirect the client to - login.microsoftonline.com.

Below is the Request that client sends to the MA/OAUTH URL and in response it is redirected to AD - login.microsoftonline.com

We have to remember that "The intention here is to Get a Token from login.windows.net" we will see several exchanges happening between client to login.microsoftonline.com. Below are screen shots showing these exchanges.

Now, Since the customer has ADFS, the Modern Auth provider will redirect the client to the ADFS Server. Below is the screen shot showing login.microsoftonline.com redirecting the client to ADFS

The Client will then reach out to ADFS to get an ADFS Token. (This is where the user might get prompted to enter credentials or if his credentials are already stored in credential manager then those credentials will be passed in the background and the user may not see the prompt) The Next Two Screen shots show that

The Client will then Submit this Token to Login.microsoftonline.com, where it will be redirected again to https://Login.windows.net and https://Login.windows.net will finally provide the client with the Modern Auth Token, This is shown in the two screen shots below

Now the client will submit this token to the webticket URL, and the Webticket service will issue the webticket, Shown below

The client will then submit this webticket to Autodiscover and in return it will receive the POOL names where it has to send the Register to Sign in.

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, The client will send a request to the Cert Provisioning URL where it will be challenged to get a Webticket. The client has to first get a Web ticket from the webticket service URL, to get a web ticket it needs to get a Token from Modern Auth Provider, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received previously to the Cert provisioning URL it received above, after this it receives a 200 OK in which it receives the Certificate and sign in is now complete

SFB online Client Sign in and Authentication Deep Dive ;Part 3

Mohammed Anas Shaikh — Tue, 21 May 2019 00:35:30 GMT

First published on TECHNET on Apr 09, 2018
Scenario: Pure Online (O365) environment, SFB user is homed Online, ADFS is Configured, MA (Modern Auth) is Disabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - NJ@JohnsonDataSystems.com

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to Webdir.online.lync.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=johnsondatasystems.com

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service ( https://webdir2a.online.lync.com/WebTicket/WebTicketService.svc ) where it can request a Webticket

The Client then sends a POST request to Webticket Service which requires the client to provide a Token from Org ID (login.microsoftonline.com)

Now in order to authenticate the client reaches out to Ord ID and requests a Token

Since the tenant is enabled for ADFS the client is redirected to the ON Premise ADFS server https://sts.cloudsfb.com

SFB client will then send a request to ADFS server and request a token

The Client may receive a Password prompt (or previously saved password from credential manager is passed) and once the correct password is provided, ADFS will issue a Token to the client

The Client then submits this token to Org ID

ORG ID will now issue its own Token to the client

The Client then submits this token that it received from ORG ID to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 14 above

The client will submit the same webticket obtained in step 14 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - NJ@JohnsonDataSystems.com

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in the SFB client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

You can see the request and Response below

The SFB Client learns that it needs to Contact https://webdir2a.online.lync.com/

It then tries to Do a TCP handshake with webdir2a.online.lync.com, Followed by a TLS handshake. (I haven't included the TCP and TLS handshake screen shots here, you can see those if you collect a Network trace while signing in)

The client then sends a request to the Autodiscover URL for its own domain (in my case @ JohnsonDataSystems.com ) and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service and in response it receives the actual individual Web ticket service URL's

The Client has to submit a Request to this web ticket URL now in order to obtain a web ticket. But if it does that then it will need to authenticate first, unless the Client authenticates itself it will not be issued a web ticket. Since this user is Homed in SFB online the Client needs to reach out to O35 AD (Org ID) to get authenticated first

SO right now the Client has to First reach out to Org ID in order to authenticate and Get a Token.

The process of reaching out to Org ID is initiated with the help of Microsoft Online Sign in Assistant (also known as IDCRL) that is installed on the Computer.

You may not always see this in the fiddler trace, this attempt to get Token from AD is called Org ID auth and is captured in IDCRL logs on the client PC

The Client will try to reach Org ID (O365 AD) to get a token, but since the Tenant is Enabled for ADFS the O365 AD (org ID) will redirect the client to the ADFS Server URL and the client will have to request a Token from ADFS

The way this works is

The client first tries to reach Org ID (O365 AD) to request a Token

Here it learns that the tenant is enabled for ADFS so it has to now go to the ADFS URL first and ask for a token from ADFS

The client reaches out to ADFS and requests a Token

ADFS will challenge for authentication which will cause a Password prompt to appear, or the user credential stored in the credential manager will be passed to ADFS in which case the user will not be prompted for password

Once the password is provided ADFS will provide the client a Token

The client will then submit this token back to Org ID (O365 AD)

Org ID will in turn provide the client the Org ID token

You can view all the above if you open the IDCRL log (MSOTrace folder) in the IDCRL parser, A successful token retrieval from ADFS and Org ID should look like below in the Parser (A more detailed explanation can be found in the bottom of this document if needed for reference)

Once the Client receives a Token from O365 AD (Org ID) it then submits this token to the Web Ticket Service https://webdir2a.online.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer

In Response the Web Ticket Service will now Issue the Client a Web Ticket. You can see this in the Trace below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=johnsondatasystems.com&sipuri=nj@johnsondatasystems.com

In response it will now receive the Internal and External addresses of the Pool names where the user is Homed.

You can see this in the trace below

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. . You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, the client has to first get a Web ticket, to get a web ticket it needs to get a Token from O365 AD, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained now to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received to the Cert provisioning URL it received above, after this it receives a 200 OK and sign in is now complete

Sign in is now complete!!

__________________________________________________________________________________________________________________________________________

More Information:

Detailed log snippets showing the client requesting and receiving Token from Org ID and ADFS.

We Discussed above that in order to obtain a webticket the Client has to get authenticated with O365 AD. We described this process as below

The client first tries to reach Org ID (O365 AD) to request a Token

Here it learns that the tenant is enabled for ADFS so it has to now go to the ADFS URL first and ask for a token from ADFS

The client reaches out to ADFS and requests a Token

ADFS will challenge for authentication which will cause a Password prompt to appear, or the user credential stored in the credential manager will be passed to ADFS in which case the user will not be prompted for password

Once the password is provided ADFS will provide the client a Token

The client will then submit this token back to Org ID (O365 AD)

Org ID will in turn provide the client the Org ID token

We can see this in the IDCRL Logs which are located on the Client PC in the MSOTrace folder on the C:\Drive.

Below are snippets from IDCRL logs showing all the above steps in detail for reference.

Below is the Client finding out that it needs to go to ADFS URL to authenticate

<?xml version="1.0" encoding="UTF-8"?><RealmInfo Success="true">

<Login>nj@johnsondatasystems.com</Login>

<NameSpaceType>Federated</NameSpaceType>

<DomainName>JOHNSONDATASYSTEMS.COM</DomainName>

<FederationGlobalVersion>-1</FederationGlobalVersion><AuthURL>https://sts.johnsondatasystems.com/adfs/ls/</AuthURL>

<IsFederatedNS>true</IsFederatedNS>

<STSAuthURL>https://sts.johnsondatasystems.com/adfs/services/trust/2005/usernamemixed</STSAuthURL>

<FederationTier>0</FederationTier><FederationBrandName>JOHNSONDATASYSTEMS.COM</FederationBrandName>

<AllowFedUsersWLIDSignIn>false</AllowFedUsersWLIDSignIn>

<MEXURL>https://sts.johnsondatasystems.com/adfs/services/trust/mex</MEXURL>

<SAML_AuthURL></SAML_AuthURL><PreferredProtocol>1</PreferredProtocol>

The Client then sends a request to the ADFS URL to get a Token

<s:Header>

<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>

<wsa:To s:mustUnderstand="1">https://sts.johnsondatasystems.com:443/adfs/services/trust/2005/usernamemixed</wsa:To>

<wsa:MessageID>1507666614</wsa:MessageID>

<wsse:Security><wsse:UsernameToken wsu:Id="user">

<wsse:Username>nj@johnsondatasystems.com</wsse:Username>

<wsse:Password>*********</wsse:Password>

</wsse:UsernameToken><wsu:Timestamp Id="Timestamp"><wsu:Created>2017-10-10T20:16:53Z</wsu:Created><wsu:Expires>2017-10-10T20:21:53Z</wsu:Expires>

</wsu:Timestamp></wsse:Security>

</s:Header>

<wst:RequestSecurityToken Id="RST0">

<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>

<wsp:AppliesTo><wsa:EndpointReference><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>

<wst:KeyType>http://schemas.xmlsoap.org/ws/2005/05/identity/NoProofKey</wst:KeyType></wst:RequestSecurityToken></s:Body></s:Envelope>

It will then receive the Token from ADFS

<s:Body>

<t:RequestSecurityTokenResponse xmlns:t="http://schemas.xmlsoap.org/ws/2005/02/trust">

<t:Lifetime>

<wsu:Created xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-10-10T20:16:55.065Z</wsu:Created>

<wsu:Expires xmlns:wsu="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">2017-10-10T21:16:55.065Z</wsu:Expires>

</t:Lifetime>

<wsp:AppliesTo xmlns:wsp="http://schemas.xmlsoap.org/ws/2004/09/policy">

<wsa:EndpointReference xmlns:wsa="http://www.w3.org/2005/08/addressing"><wsa:Address>urn:federation:MicrosoftOnline</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo>

<t:RequestedSecurityToken>**********</t:RequestedSecurityToken>

Once the Client receives the Token from ADFS it then submits this token to O365 AD (Org ID) and requests a token from Org ID

Below is the request that the client sends to Org ID asking for a token

<s:Header>

<wsa:Action s:mustUnderstand="1">http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue</wsa:Action>

<wsa:To s:mustUnderstand="1">https://login.microsoftonline.com:443/rst2.srf</wsa:To>

<wsa:MessageID>1507666615</wsa:MessageID>

<ps:AuthInfo xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="PPAuthInfo">

<ps:HostingApp>{0000003F-002B-0000-4C0A-AE614E000000}</ps:HostingApp>

<ps:BinaryVersion>7</ps:BinaryVersion>

<ps:UIVersion>1</ps:UIVersion>

<ps:Cookies></ps:Cookies>

<ps:RequestParams>AQAAAAIAAABsYwQAAAAxMDMz</ps:RequestParams>

</ps:AuthInfo><wsse:Security>*********</wsse:Security>

</s:Header>

<s:Body>

<ps:RequestMultipleSecurityTokens xmlns:ps="http://schemas.microsoft.com/Passport/SoapServices/PPCRL" Id="RSTS">

<wst:RequestSecurityToken Id="RST0">

<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>

<wsp:AppliesTo>

<wsa:EndpointReference><wsa:Address>http://Passport.NET/tb</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo>

</wst:RequestSecurityToken><wst:RequestSecurityToken Id="RST1">

<wst:RequestType>http://schemas.xmlsoap.org/ws/2005/02/trust/Issue</wst:RequestType>

<wsp:AppliesTo>

<wsa:EndpointReference><wsa:Address>https://webpooldm12a05.infra.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer</wsa:Address></wsa:EndpointReference></wsp:AppliesTo>

</wst:RequestSecurityToken></ps:RequestMultipleSecurityTokens>

</s:Body>

Org ID then issues a Token to the client which we can see below

<wst:RequestedProofToken><wst:BinarySecret>x5hTCJZbYuSHUl0mKtoAab/zN4DE+YLW</wst:BinarySecret></wst:RequestedProofToken>

</wst:RequestSecurityTokenResponse><wst:RequestSecurityTokenResponse>

<wst:TokenType>urn:oasis:names:tc:SAML:1.0</wst:TokenType>

<wsp:AppliesTo xmlns:wsa="http://www.w3.org/2005/08/addressing">

<wsa:EndpointReference><wsa:Address>https://webpooldm12a05.infra.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer</wsa:Address></wsa:EndpointReference>

</wsp:AppliesTo>

<wst:Lifetime><wsu:Created>2017-10-10T20:16:56Z</wsu:Created><wsu:Expires>2017-10-11T04:16:56Z</wsu:Expires></wst:Lifetime>

<wst:RequestedSecurityToken>**********</wst:RequestedSecurityToken>

SFB online Client Sign in and Authentication Deep Dive ;Part 1

Mohammed Anas Shaikh — Tue, 21 May 2019 00:33:04 GMT

First published on TECHNET on Apr 09, 2018
Scenario: Pure Online (O365) environment, SFB user is homed Online, NO ADFS, MA (Modern Auth) is Disabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - e1@mshaikh.onmicrosoftcom

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to Webdir.online.lync.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=mshaikh.onmicrosoft.com )

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service ( https://webdir2a.online.lync.com/WebTicket/WebTicketService.svc ) where it can request a Webticket

The Client then sends a POST request to Webticket Service which requires the client to provide a Token from Org ID (login.microsoftonline.com)

Now in order to authenticate the client reaches out to Ord ID and requests a Token

The Client may receive a Password prompt and once the correct password is provided Org ID will issue a Token

The Client then submits this token to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 10 above

The client will submit the same webticket obtained in step 10 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Below is a graphical representation of the SFB online Client Sign in process

Detailed Explanation of SFB online Client Sign in process with LOG Snippets:

SIP URI of the user - e1@mshaikh.onmicrosoftcom

When a SFB client wants to Sign in, It needs to know where it can send its request to be able to Sign in. Whenever a user enters his SIP URI to sign in to the SFB client, The client forms an autodiscover URL using the domain name that it extracts from the users SIP URI to start the discovery process and then it sends an Unauthenticated Get request to the URL, lyncdiscover.domain.com. The response code for this request will be '200 ok' and in the response we should receive the external webservices URL for autodiscover.

You can see the request and Response below

The SFB Client learns that it needs to Contact https://webdir2a.online.lync.com/

It then tries to Do a TCP handshake with webdir2a.online.lync.com

You can see that in a Network trace, refer Screen shot below

Once the Initial TCP handshake is Complete, The Client will perform a TLS Handshake,

You can see that in a Network trace, refer Screen shot below

The client then sends a request to the Autodiscover URL for its own domain (in this case @mshaikh.onmicrosoft.com) and in Response it receives the Autodiscover URL's specific to the users Tenant. You can see the request and Response below

The client then sends a request to the user URL. We are here trying to discover a specific users home pool, hence the request will go to the “User” URL.

In the response, the Client receives a Web ticket URL, which provides the location of the WebTicketService.

You can see the request and Response below

The Client then needs to send a Request to the Web ticket service URL in order to obtain a Web ticket. The client will send this request in a POST message to the web ticket Service and in response it receives the actual individual Web ticket service URL's

The Client has to submit a Request to this web ticket URL now in order to obtain a web ticket. But if it does that then it will need to authenticate first, unless the Client authenticates itself it will not be issued a web ticket. Since this user is Homed in SFB online and was created directly in O365 AD the Client needs to reach out to O365 AD (also known as Org ID) to get authenticated first. Once it is authenticated by Org ID then the Client will receive a Token from Org ID that will prove that the client has been authenticated. The Client will then reach out back to the Webservice URL and submit the Token it received from Org ID.

SO right now the Client has to First reach out to Org ID in order to authenticate and Get a Token.

The process of reaching out to O365 AD is initiated with the help of Microsoft Online Sign in Assistant that is installed on the Computer. You can find logging for this in C:\MSOTraceLite\MSOCredprov.txt

The Org ID is located at https://login.microsoftoline.com

You can see the Client reaching out to https://login.microsoftoline.com and requesting a Token and subsequent responses will show that it receives a Token from https://login.microsoftoline.com after entering the password when prompted.

Once the Client receives a Token from Org ID it then submits this token to the Web Ticket Service https://webdir2a.online.lync.com/WebTicket/WebTicketAdvancedService.svc/WsFed_bearer

In Response the Web Ticket Service will now Issue the Client a Web Ticket. You can see this in the Trace below

The Client will Then Submit this web ticket back to the AutoDiscover User URL - /Autodiscover/AutodiscoverService.svc/root/user?originalDomain=mshaikh.onmicrosoft.com&sipuri=e1@mshaikh.onmicrosoft.com

In response it will now receive the Internal and External addresses of the Pool names where the user is Homed.

You can see this in the trace below

Once the Client receives the pool names it will then Send a SIP REGISTER message to the SFB pool in order to sign in. Depending on the Users location this will ideally be sent to the SFB online Edge pool. You can see that in the Client UCCAPI log file. This is shown in the snippet below

In response the Client will now receive a 401 Unauthorized message again and the server will again ask the client to authenticate itself. Here the ONLY method of authentication that is available is TLS-DSK (Cert based authentication)

The SFB online server will provide the Client a Cert provisioning URL in the 401 you can see that in the snippet below

This means that the Client now needs to present a Certificate that can then be used to authenticate the client. Since this is the first time the client is signing in it will NOT have the certificate installed. This certificate is ideally downloaded after the client signs in for the first time and is valid for about 8 hours.

Since the client does not have a valid certificate it now has to Re-Authenticate to the Cert provisioning service.

The Process for this will again be the same, the client has to first get a Web ticket, to get a web ticket it needs to get a Token from O365 AD, but we know that the client has already done these steps earlier. SO it already has a Web Ticket from the Web services URL. The Client needs to submit this same web ticket that it had obtained now to the Cert provisioning Service and once it submits the web ticket it will serve as a proof of authentication.

The Client learns about this by first sending a Mex request to the Cert provisioning URL. You can see that in the Trace below

The Client then submits the Web Ticket that it had received to the Cert provisioning URL it received above, after this it receives a 200 OK and a Certificate is now downloaded.

The clients will then send a SIP REGISTER again to the SFB Pool in which it submit this certificate the pool and in response it will receive a 200 OK.

Sign in is NOW complete!!!

SFB online Client Sign in and Authentication Deep Dive ;Part 2

Mohammed Anas Shaikh — Tue, 21 May 2019 00:29:59 GMT

First published on TECHNET on Apr 09, 2018
Scenario: Pure Online (O365) environment, SFB user is homed Online, NO ADFS, MA (Modern Auth) is Enabled in O365

NOTE:

I have tried my best to ensure the information below is accurate. Some of the terms I use to describe things like Modern Auth provider, O365 AD, Org ID etc. may not be standard terminology, I use them solely to make the understanding simpler. My intention here is to explain what happens in the background when a SFB client signs in so that it helps engineers and customers troubleshooting issues related to Sign in and Authentication.

How Does it Work?

Below is a High level explanation on how the SFB online Client Sign in process works

SIP URI of the user - e1@mshaikh.onmicrosoftcom

SFB client Queries DNS for Lyncdiscover.domain.com. This should point to Webdir.online.lync.com

SFB Client then sends a unauthenticated GET request to Lyncdiscover.domain.com

The Client is then redirected to Autodiscover ( https://webdir2a.online.lync.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=mshaikh.onmicrosoft.com )

SFB Client then sends a Request to Autodiscover to discover its pool for sign in.

The Client is then challenged and is provided the URL for Webticket service ( https://webdir2a.online.lync.com/WebTicket/WebTicketService.svc ) where it can request a Webticket

The Client then sends a POST request to Webticket Service

Webticket Service Redirects the Client to Modern Auth Provider (login.windows.net)

Now in order to authenticate the client reaches out to Login.windows.net and requests a Token, The intention here is to Get a Token from login.windows.net, From this point onwards we will see that login.windows.net will redirect the client to login.microsoftonline.com. We will see several exchanges happening between client, login.microsoftonline.com and Login.windows.net

The Client may receive a Password prompt and once the correct password is provided a token will be issued by Login.windows.net

The Client then submits this token to Webticket Service

Webticket service now will grant a Webticket to the Client

The client then submits this webticket to Autodiscover

In Response Autodiscover will provide the Pool names (sipfed2a.online.lync.com" port="443) where the client can send Register to Sign in

The SFB client now sends a SIP register to the Online Edge pool (sipfed2a.online.lync.com" port="443)

It is then challenged for authentication again, here the ONLY supported method of authentication is TLS-DSK, The client is provided a Cert provisioning URL ( https://webdir2a.online.lync.com:443/CertProv/CertProvisioningService.svc ) in the 401 unauthenticated response

The SFB client then sends a request to Certprov

Here again the Client is challenged for authentication and is redirected to webticket service to get Webticket

The Client had already Obtained a webticket in step 11 above

The client will submit the same webticket obtained in step 11 to the Cert provisioning service

The Client then receives a certificate

The SFB client can now send a Register again and use the certificate it downloaded for authentication

Need to open a ticket with CSS? Here’s the data we need…

Kris Waters — Tue, 21 May 2019 00:26:30 GMT

First published on TECHNET on Mar 13, 2018

Author: Tushar Pathak, with assistance from Shea Caperoon

Log collection

When opening a support issue it’s critical that we have the right information to fully investigate the issue. Support engineers often get asked by customers what data would be most useful to provide in order to have the case move forward as efficiently as possible. Having this data in first instance speeds up the resolution and avoids going back in circles.

Please refer to following chart for log collection based on the issue. When possible please submit these logs to the support engineer who is assigned to the case.

SfB Client side
User unable to join a SFB meeting (intra & inter company)	Client Logs + meeting url + Time of the issue
User is unable to sign in	Client Logs + packet capture
SFB client is crashing or hanging	Client Logs + eventviewer logs + Time of issue
SFB is not connecting to Exchange error	Client Logs + SfB Configuration Info
Client is not saving conversation history	Client Logs + SfB Configuration Info
IM and Presence related issues	Client Logs + Sip address + Time of issue
A/V or App sharing failing w/ network issues	Client Logs + Network Capture + Time of issue
Meeting Schedule Delegation issues	Client Logs + SfB Config Info
Mobility issues (sign-in, meeting join, AV issues)	Go to settings -->Logging --> Ensure logging is turned on and click send logs
PSTN Calling / Conf issues	Meeting ID/caller-Calle number + timestamp

Procedures:

Collecting Client Logs

From SfB/Lync Client, sign out or Cancel sign in

From the client sign in screen, select Delete My Sign In Information

From Tools > Options > enable client-side logging Options > Tools > General tab.
- Turn on logging = Full (This is default in 2013/2016 client)
- Select "Also collect troubleshooting info using Windows Event Logging"

Exit the SfB/Lync client entirely (Alt + File > Exit)

Exit Outlook entirely

Go to Start > Run > type
- For SfB 2016
  - %localappdata%\Microsoft\Office\16.0\Lync
- For SfB/Lync 2013
  - %localappdata%\Microsoft\Office\15.0\Lync

Delete folders starting with sip_

Rename the Tracing folder to Tracing_bak

Restart SfB/Lync client, and then reproduce the error condition – please capture a screen shot of error condition and the system time so error logs can be correlated.

Exit client completely again and gather logging

Zip entire \Tracing\ folder from location above

SFB Configuration Information

1. Navigate down to the taskbar and do a CTRL + RightClick on the Skype for Business icon.
2. On the menu shown, select the Configuration Information option.
3. A pop-up window will open. Click on the button named Copy and paste the clipboard into a text file or reply email

Network

Troubleshooting network related
issues

For eg. ICE issues, TLS/TCP handshake issues, Audio quality issues, etc

Related tools for capturing network packets

1st option, full Netmon

https://www.microsoft.com/en-in/download/details.aspx?id=4865

2nd option
Netmon

Netmon Oneclick (no install required)

https://www.microsoft.com/en-us/download/details.aspx?id=6537&751be11f-ede8-5a0c-058c-2ee190a24fa6=True

3rd option
Netsh trace

Built in to Windows, just run the following cmdlets in cmd with elevated rights

netsh trace start capture=yes scenario=internetclient

Reproduce the issue

netsh trace stop

netsh trace start scenario=netconnection capture=yes

Reproduce the issue

Netsh trace stop

https://blogs.msdn.microsoft.com/canberrapfe/2012/03/30/capture-a-network-trace-without-installing-anything-capture-a-network-trace-of-a-reboot/

4th option
Message analyzer

https://www.microsoft.com/en-in/download/details.aspx?id=44226

Network Capture on windows (GUI)

Download full netmon client from above website per the operating system bitness

Install full netmon on the affected machine

Run netmon as an Administrator (see here if you need instructions)

Start capture, reproduce the issue and stop capture. For best results, close all other windows or applications that are not needed to reproduce the issue

Save the netmon trace

Network Capture on windows

Open a Command Prompt as Administrator

Create a folder on the local disk by running the followingcommand:
- c:\> mkdir c:\css-temp

Run the command:
- c:\> netsh trace start scenario=netconnection capture=yes packettruncatebytes=512 tracefile=c:\ css-temp\%computername%_nettrace.etl maxsize=2000 filemode=circular overwrite=yes report=yes

Wait for the command to finish

Reproduce the problem

Run the command:
- c:\> netsh trace stop and wait for the command to finish

Prepare to upload the two files in c:\css-temp to the case (ask for instructions from your support professional)

Network Capture Mac

Open a Terminal session

Run the follwing commands:
- sudo tcpdump -w ~/Desktop/CaptureMSFT.pcap

Enter the admin credential to elevate

Reproduce the problem

Press CTRL+C to stop the capture

Ask customer to upload the file CaptureMSFT.pcap from the Desktop

SaRA now available for Skype for Business

Kris Waters — Tue, 21 May 2019 00:26:23 GMT

First published on TECHNET on Feb 22, 2018

The Supportability and Digital Support teams are pleased to announce the official launch of the SaRA Sign-In diagnostic for Skype for Business.

The Skype for Business SaRA sign-in scenario supports the following versions of Skype for Business:

Skype for Business 2015
Skype for Business 2016

Online Checks

Determines if the user is provisioned for Skype for Business in Office 365
Analyze SipProxyAddress vs. UPN for miss-match
Checks to see if user is soft deleted:

Actions it can take

Enables and Disables IDCRL logging
Clear Sign-in Cache
Check and Clear Check for ClockSkew DWORD in the registry

Persistent Chat room lock-up and become unavailable when a user is either added/removed from the Room/Category

Sri Todi — Tue, 28 May 2019 22:17:17 GMT

First published on TECHNET on Feb 16, 2018

The latest update for Lync Server 2013 ( July 2017 ) has the following fix

KB4023320 "Your chatroom access may be limited due to an outage" error when you add or remove users in Lync Server 2013

KB4023322 Event ID 53106 "Unable to save message" is logged in Lync server 2013 Persistent Chat Compliance Server

The update for Skype for Business Server 2015 ( May 2017) has the following

KB4015910 Event ID 53106 "Unable to Save Message" occurs in Skype for Business Server 2015 Persistent Chat Server

It could happen that though the updates are installed ( or a higher CU) is installed, the issue could persist in the environment.

Log Name:      Lync Server
Source:        LS Persistent Chat Server
Date:          10/10/2017 1:01:02 PM
Event ID:      53508
Task Category: (1098)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      PCHATServer.contoso.com
Description:
Failed to release the admin lock. Administrative command processing cannot proceed.

Log Name:      Lync Server
Source:        LS Persistent Chat Server
Date:          10/10/2017 5:44:36 AM
Event ID:      53555
Task Category: (1098)
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      PCHATServer.contoso.com
Description:
An inconsistent state between the server cache and the database was detected and the server cache will be reloaded.

The Persistent Chat server will reload its cache from the database.

Cause: This can be caused by Persistent Chat servers failing to communicate with each other.

Log Name:      Lync Server
Source:        LS Persistent Chat Compliance Server
Date:          10/8/2017 1:29:31 PM
Event ID:      53106
Task Category: (1097)
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      PCHATServer.contoso.com
Description:
Unable to save message 10/8/2017 8:24:59 PM PART ma-chan://contoso.com/6f41dceb-69ae-434a-9699-123e8eb5f675 0 39000 to database due to exception:
CmdID: c5409a64-b11d-4d49-90f5-fa694cd4555f The server could not restore db connection within the allowed time (00:10:00) using connection string: Data Source=sql01.contoso.com\RTC;Initial Catalog=mgccomp;Integrated Security=SSPI;Failover Partner=sql02.contoso.com\RTC. at

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.Database.DbCommand.executeUntilSuccessOrTimeout[TR](Fun`2 executeDelegate, RetryInfo retryInfo)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.Database.DbCommand.executeImp[TR](Fun`2 executeDelegate, Int32 retryTimeoutInMs)

at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.Database.DbCommand.ExecuteNonQuery(Int32 retryTimeoutInMs)

at Microsoft.Rtc.Internal.Chat.Server.Compliance.ComplianceDataAccess.Save(RawComplianceData data)

at Microsoft.Rtc.Internal.Chat.Server.Compliance.ComplianceServer.Save(RawComplianceData data).

This issue stems from design and from scalability. When Persistent Chat servers were designed it wasn't expected that users would be removed/added on continual basis. Also to ensure that only participants who are in the chat room have access, even though a single user was added/removed, we verify the permissions for every user and every category and every chatroom. This works well in small environments, but as the usage scales, the solution fails to scale. Now, about the trade-off, we added a new flag that can be modified to change the behavior, where no checks are performed and the actions are simply implemented. What does it mean in daily usage, if a user was removed from say a chat room, under the current scenario, the chat room access is also removed from the client immediately. The trade-off that businesses will now have to make is for performance, and to prevent SQL lock-ups, that may have to wait for a client to sign-out and sign-in, causing access to the chat room to be revoked.

RESOLUTION:

Connect to MGC database in your environment and then get me the contents of the dbo.tblConfig table. It should be like

configLabel configPoolID configContent

pool 9CFB3493-89B2-447C-8487-9C19C13E1694 < ?xml version="1.0"....

We are interested in the ConfigContent. It should look like

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

< configuration version="1">

< pool>

< db>

< retry_ms>600000</retry_ms>

< lossdetection_ms>120000</lossdetection_ms>

< /db>

< channelserver>

<ADConnect>

< GlobalCatalog>

< findgc>True</findgc>

< host></host>

< adsynchfreq>480</adsynchfreq>

< /GlobalCatalog>

< /ADConnect>

< adupdate>

< batchsize>5000</batchsize>

< sleeptime_ms>10000</sleeptime_ms>

< accesspoll_ms>604800000</accesspoll_ms>

< accesspoll_size>50</accesspoll_size>

< accesspoll_enabled>False</accesspoll_enabled>

< /adupdate>

< serverbackchat>

< cache_size_limit>2500000</cache_size_limit>

< /serverbackchat>

< watermarks>

< batch_message_count_max>20</batch_message_count_max>

< async_send_max>100</async_send_max>

< async_send_max_lo>90</async_send_max_lo>

< outbound_queue_max>100000</outbound_queue_max>

< outbound_queue_max_lo>90000</outbound_queue_max_lo>

< low_priority_queue_max>500</low_priority_queue_max>

< inbound_queue_size_max>10000</inbound_queue_size_max>

< channelinvitemax>50</channelinvitemax>

< /watermarks>

< /channelserver>

< webservice>

< maxchunksizeinkb>1024</maxchunksizeinkb>

< /webservice>

< /pool>

</configuration>

Please see highlighted section in bold. We will need to edit the contents to insert the line <notify_users>0</notify_users> at that particular location. Once this is done, we would recommend to restart the services for PCHAT.

<?xml version="1.0" encoding="utf-8" standalone="yes"?>

<configuration version="1">

<pool>

<db>

<retry_ms>600000</retry_ms>

<lossdetection_ms>120000</lossdetection_ms>

</db>

<channelserver>

<ADConnect>

<GlobalCatalog>

<findgc>True</findgc>

<host></host>

<adsynchfreq>480</adsynchfreq>

</GlobalCatalog>

</ADConnect>

<adupdate>

<batchsize>5000</batchsize>

<sleeptime_ms>10000</sleeptime_ms>

<accesspoll_ms>604800000</accesspoll_ms>

<accesspoll_size>50</accesspoll_size>

<accesspoll_enabled>False</accesspoll_enabled>

</adupdate>

<serverbackchat>

<cache_size_limit>2500000</cache_size_limit>

<notify_users>0</notify_users>

</serverbackchat>

<watermarks>

<batch_message_count_max>20</batch_message_count_max>

<async_send_max>100</async_send_max>

<async_send_max_lo>90</async_send_max_lo>

<outbound_queue_max>100000</outbound_queue_max>

<outbound_queue_max_lo>90000</outbound_queue_max_lo>

<low_priority_queue_max>500</low_priority_queue_max>

<inbound_queue_size_max>10000</inbound_queue_size_max>

<channelinvitemax>50</channelinvitemax>

</watermarks>

</channelserver>

<webservice>

<maxchunksizeinkb>1024</maxchunksizeinkb>

</webservice>

</pool>

</configuration>

For user removals, it could be possible that you could run Revoke-csClientCertificate for the removed user, and the user will be signed-out from all end-points that do not use UCWA. They can then sign-in and continue using the service. This commandlet may disrupt the calls and conferences or IM conversations the user is on.

Please check your business requirements and the available trade-offs to decide if you want to proceed with altering the configuration. Also note that a service restart is required.

Skype for Business Client-Side Anti-Virus Scanning

NextHop_Team — Tue, 21 May 2019 00:25:58 GMT

First published on TECHNET on Feb 06, 2018

by Steve Schiemann

Microsoft has found that some client-side issues can arise because of anti-virus interference with normal operations. These issues include but are not limited to downloading the address book, response problems when performing various tasks, or outright crashes.

To ensure that the antivirus scanner does not interfere with the operation of Skype for Business (SfB) clients, customers should exclude client tracing/profile directories, and the Office installation directories on each workstation on which you run a file-level antivirus scanner.

Note:

Folder and file locations listed below are the default locations for various client installations. For any locations for which you did not use the default, exclude the locations you specified for your installation instead of the default locations specified in this writing.

Important:

Please note that some antivirus programs may need absolute, not relative paths, for their exclusion list.

Client Tracing / Profile Directories

Office 2016:

%userprofile%\AppData\Local\Microsoft\Office\16.0\Lync

Office 2013:

%userprofile%\AppData\Local\Microsoft\Office\ 15.0 \Lync

Office 2016 Installation Directories

Click-to-Run:

C:\Program Files (x86)\Microsoft Office\root\Office16

MSI-based Installations:

· 64-bit Office on 64-bit Windows:

C:\Program Files\Microsoft Office\Office16\

· 32-bit Office:

C:\Program Files (x86)\Microsoft Office\Office16\

Office 2013 Installation Directories

· 64-bit Office on 64-bit Windows

C:\Program Files\Microsoft Office\Office15\

· 32-bit Office:

C:\Program Files (x86)\Microsoft Office\Office15\

Must I Exclude These Directories?

The short answer is no, but please take into consideration that we in Microsoft Customer Service and Support have resolved many issues by simply taking A/V scanning out of the picture. This happens both server- and client-side. Often customers push back when asked to remove A/V software, or simply disable it for testing purposes. We understand your concerns, but this software can be very intrusive. Even if disabled, hooks are left in place which can interfere with Skype for Business clients. For another perspective, please see this this blog . Here is an excerpt: “AV or security software manufacturers tend to understand “Disabled” as a “I’ll continue with all my intrusive way of doing, only that if I detect something suspicious I won’t tell anyone. But I can keep being the cause of performance problems, memory leaks, or memory corruptions. “

Eicar Test

The Eicar (European Institute for Computer Antivirus Research) test allows anyone to see if a certain folder on their machine is being scanned. Simple copy/paste the 68-byte ASCII text into notepad, and save it locally. Your scanner should pick up this innocuous file and flag it as a threat. I did this, and saved it to my Lync/Sfb profile folder, and immediately was informed of a “severe” thread by Windows Defender. If I suspected A/V of causing issues with SfB, I would have excluded this folder from scanning.

Grab the Eicar test and details from http://www.eicar.org/86-0-Intended-use.html

Conclusion

In most SfB client cases, A/V software runs fine without any special configuration and does not interfere with SfB functionality. If you have read this page however, you understand why customers might be asked to exclude certain directories from scanning, or to disable, or remove A/V software for testing purposes.

Note:

We are not aware of a risk of excluding the specific files or folders that are mentioned in this article from scans that are made by your antivirus software. However, your system may be safer if you do not exclude any files or folders from scans.

Resources

Antivirus scanning exclusions for Lync Server 2013

https://technet.microsoft.com/en-us/library/dn440138(v=ocs.15).aspx

Plan antivirus scanning for Outlook 2013

https://technet.microsoft.com/en-us/library/dn769141.aspx?f=255&MSPPError=-2147217396

Analyzing XML File Content written by Lync Server Storage Service (LYSS)

Sri Todi — Thu, 13 Feb 2020 20:09:27 GMT

First published on TECHNET on Jan 17, 2018
In Skype for Business Server 2015, we added functionality, where contents flushed by Lyss (EVENT ID 32089) is automatically imported every 30 minutes. This configuration can be enabled or disabled by using Set-CsStorageServiceConfiguration and when the contents are successfully imported, we would see EVENT ID 32097 and if the import fails, EVENT ID 32099 would be written to disk

Log Name: Lync Server

Source: LS Storage Service

Event ID: 32097

Computer: lyncstd01.contoso.com

Description:

One or more files were automatically imported back into Storage Service successfully.

The following automatic flushed file import success events occurred.

#CTX#{ctx:{traceId:10001, activityId:"a35a9699-53fb-440d-bbd4-058729dd284f"}}#CTX# File:
\\contoso.com\LyncRootDFS\RTCShare\1-WebServices-1\StorageService\DataExport\ 2014

0625\SKYPEFE01.contoso.com\1c5de83aaf4e5d41a767576ed27f333f__0.xml, items imported: 249

Cause: A background task will look for eligible flushed files from the web service file store or from the local front end which were created at least a certain time ago and import back into Storage Service. These items could have been flushed out from the DB due to high DB size or from
manually invoking pool failover or flushing cmdlets.

Resolution:

No action needed.

Log Name: Lync Server
Source: LS Storage Service
Event ID: 32099
Computer: SKYPEFE01.contoso.com
Description:
Attempt to automatically import a flushed file back into Storage Service encountered error.
The following automatic flushed file import error events occurred.
#CTX#{ctx:{traceId:10001, activityId:"8454c5d4-57f6-437a-9cf7-46fc15960492"}}#CTX# File:
\\contoso.com\LyncRootDFS\RTCShare\1-WebServices-1\StorageService\DataExport\ 2014

0625\SKYPEFE01.contoso.com\0640daf8d97b5199b82663737356b525__14.xml , items deserialized 3, items failing re-import: 3

#CTX#{ctx:{traceId:10001, activityId:"8454c5d4-57f6-437a-9cf7-46fc15960492"}}#CTX# File:
\\contoso.com\LyncRootDFS\RTCShare\1-WebServices-1\StorageService\DataExport\ 2014
0625\SKYPEFE03.contoso.com\b20f02d8943b53dc89ddcb2ff106f912__29.xml , items deserialized 1, items
failing re-import: 1

#CTX#{ctx:{traceId:10001, activityId:"8454c5d4-57f6-437a-9cf7-46fc15960492"}}#CTX# File:
\\contoso.com\LyncRootDFS\RTCShare\1-WebServices-1\StorageService\DataExport\ 2014
0625\SKYPEFE03.contoso.com\b20f02d8943b53dc89ddcb2ff106f912__6.xml , items deserialized 2, items failing re-import: 2
:
Cause: Bad input data, or error calling Storage Service, or other errors.
Resolution:
Please look at event details and use the correlation ID to view corresponding traces to resolve the error.

To investigate, I would get started with the XML files. First, I would simply view them in a Browser or another application to view the contents. A quick visual spot check could provide information, about the failures

<?xml version="1.0"?>
-<LyssQueueItem Version="1" xmlns="http://schemas.microsoft.com/RtcServer/2012/11/lyssimpexp">
-<QueueItems>
+<ItemQueue ItemQueueID="0282d738-9468-e711-8108-0050569e79b5" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="e081e54a-9468-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="82c21bcb-9768-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="3cd27fce-9a68-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="48b5359a-a368-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="44bb9767-a768-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="8b35a1e5-be68-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="4ff14355-c068-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="b6e98870-c168-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="c0204b47-c568-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="6c59d707-c668-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="90482b96-c768-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
+<ItemQueue ItemQueueID="6c76a50e-ca68-e711-8108-0050569e79b6" GroupID="38e63176-1723-5d4d-8a40-ff2e2c436899">
</QueueItems>
</LyssQueueItem>

Here we can count the number of items as 13 items, and may be able to investigate individually. Let's say, if there were many items, we would want to not manually count the errors and then manually check what’s wrong.

So we can run use PowerShell to help us out, this can be accomplished by running

[XML] $a=Get-Content '.\LYSS_Sample.XML'
$a.LyssQueueItem.QueueItems.ChildNodes.Count

1289

Disclaimer: Importing a XML file in PowerShell can be very resource extensive, and it highly recommended to not be performed on a LYNC or Skype for Business Server

Next, we can look into the characteristics about the issue, simply by running the below script. We can see that the content in this XML file is all tagged as Item Status 3 with a particular AdapterID.

$a.LyssQueueItem.QueueItems.ItemQueue | ft ItemStatus,AdapterID

ItemStatus AdapterID
---------- ---------
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f
5          cde2bace-f515-444d-a3f1-858a7fc8728f

If all the items have ItemStatus 5 and the AdapterID is cde2bace-f515-444d-a3f1-858a7fc8728f, and you have users that are enabled for Skype for Business, but have mailboxes hosted in an email system that’s either non-Microsoft Solution ( EWS doesn’t exist) or doesn’t allow for OAuth ( Exchange Server 2010 and earlier) then these messages mostly would be Server-Side Conversation History for the account, but conversations cannot be saved. If the goal is not to move the mailbox to Exchange Server 2013 or higher, then these files can be ignored. (Updated 08-March 2018) In-order to prevent more data to be written to the file-share, it is recommended that you use New-csClientPolicy to create a new policy for these users and then disable Server-Side Conversation History for the users.

$a.LyssQueueItem.QueueItems.ItemQueue | Group-Object AdapterID | FT Count, Name
Count       Name
-----       ----
60         cde2bace-f515-444d-a3f1-858a7fc8728f
12         36AA818F-00BB-43BC-88E7-6840ECA732C6
5          0947BCF3-7D50-40A7-9E3A-F07B9DC4CEF1

If the name matches "CDE2BACE-F515-444D-A3F1-858A7FC8728F" you might want to follow instructions The LCSLog SQL Database is not logging any archiving content .
If the name matches "36AA818F-00BB-43BC-88E7-6840ECA732C6" it could be possible that you also have issue with EVENT ID 56208 – Resolving Issues with CDR Throttling
If the name matches “0947BCF3-7D50-40A7-9E3A-F07B9DC4CEF1”, if could be possible that you have issues with EVENT ID 56416 – Failed to post QoE report to External Consumer

If there are more than 2,000 items in any XML file ( shouldn’t typically happen), then it could happen that the Auto-Import functionality may fail parsing the file. In such a case, we would recommend to use ImportStorageServiceData.exe or reach out to Microsoft Premier Support

If the contents of the folder have data older than your retention period ( CDR, QoE, IM&WebConf retention) say for example the XML files are generated 12 months ago, but the retention periods are 90 days, then it would be safe to delete the XML files from >90 days ago.

If you have multiple XML Files, you could use a script like the following to wite the headers of the file to a different file for analysis

$LYSSPath = Get-ChildItem -Path "Folder path contating XML Files" -Recurse | where { ! $_.PSIsContainer } foreach ($xmlpath in $LYSSPath) { [xml] $xmLFileContent = Get-Content $xmlpath.FullName foreach ($CurrentLyssItem in $xmLFileContent.LyssQueueItem.QueueItems.ItemQueue) { $Itemheader = $CurrentLyssItem.ItemHeader [xml] $Base64DecodedString=[System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($Itemheader)) Add-Content -Path "Path\Base64Decodedheaders.txt" -Value $Base64DecodedString.LyncMessageHeader.InnerXml } }

As always, when in doubt, we request you to open a Service Request with Microsoft Premier Support

SDN Interface Setup/Configuration Recommendations

NextHop_Team — Tue, 21 May 2019 00:25:43 GMT

First published on TECHNET on Nov 28, 2017
Author: Steve Schiemann

Introduction and Background:

This writing is intended for customers currently implementing or planning for the Software Defined Networking Interface (SDN) implementation for Lync/Skype for Business on-premise servers. As noted in my previous blog post , the SDN Interface uses open protocols to apply software control to network hardware. There are three primary components to the SDN Interface:

· The Dialog Listener that captures signaling and quality observations about media traffic between Skype for Business endpoints. The Listener component (a.k.a. “LDL”, or Lync Dialog Listener) needs to be installed on each Front-End server.

· At least one SDN Manager that collects data from Dialog Listeners and distributes to third-party network management systems (“Subscribers”, or network controllers). If a single Manager or manager failover configuration is deployed, call quality data is stored in memory on each manager. This is transient data, meaning that as soon as it is sent to a controller, it goes away. In a manager pool configuration, a data store that maintains the shared state among all SDN Managers in a single pool is required. The data store could be a SQL database or Redis cache system.

· One or more Subscribers. These controllers support a RESTful (REpresentational State Transfer) web service to receive and analyze the call- and media-quality data posted from the SDN Managers. Based on the call quality data received, these third-party network management systems can make real-time adjustments to optimize network traffic.

This blog post applies primarily to the Manager component . This component can be deployed in different ways:

· In a manager pool

· In a failover configuration

· As a single manager

· Manager and Listener components collocated on the same server.

For more context, please refer to my previous blog post, online SDN Interface documentation , and/or the documents downloaded with each version of the SDN Interface.

Statement:

If deploying multiple SDN Interface managers, the Skype for Business product group is now strongly recommending installing SDN Manager pools, instead of deploying managers in a failover configuration.

Why?

Failures triggered by various connection issues reaching limits cause the DialogListener to fail over. The problem is that there is no coordination among them. Failover configuration is really targeted for a disaster mitigation solution. If failover is configured, the limits in the parameters (such as submitqueuelen and maxretrybeforefailover in our documentation ) should be set high enough to prevent a failover happening in unintended situations. Details regarding these parameters are beyond the scope of this post.

When a disconnected Dialog Listener attempts to deliver messages to the primary SDN Manager, a failover protection algorithm will switch to the alternative SDN Manager to ensure that the SDN Interface provides continuous service when server failures occur. In this case, the alternate SDN Manager becomes the new primary service provider. Call states are lost during the failover transition , because state is kept in memory on the primary SDN Manager. This may cause inconsistent or incomplete message reporting delivered to subscribers until the new active SDN Manager can establish a consistent view of the ongoing media streams.

In the event of fail over, the secondary computer is promoted to the new primary node. Restoring the second node will automatically make it the secondary node, and the new primary node will stay in place until it fails over. Listeners will not “fail back” automatically to their original manager.

Why is an SDN Manager Pool Better than a Failover configuration?

In a Skype for Business SDN Interface pool configuration, all Dialog Listeners are connected to a DNS load-balanced pool of SDN Manager servers.

In this configuration, the size of the pool scales with the message load produced by the Skype for Business Servers and Dialog Listeners. The pool automatically handles most server failures. Network controllers (subscribers) connected to this SDN Manager pool receive a consistent state about applicable media streams handled by the connected Skype for Business Server front end pools.

Disaster scenarios can be dealt with by defining the SDN Manager pool across different locations. The failover configuration is there for similar failover, but it needs careful configuration and therefore not really recommended at all. Setting up an SDN Manager pool across different locations is preferred.

The disadvantage is that you need a data store (Redis or SQL) for a manager pool, but the advantage is load-sharing within the pool, instead of having a passive backup.

Summary

Although the documentation that is downloaded with each version of the SDN Interface treats each possible manager deployment equally, the product group is considering deprecating the failover scenario. If deploying multiple SDN managers, strongly consider using one or more manager pools.

Have you heard the one about he delegate who accepted the meeting request?

NextHop_Team — Tue, 21 May 2019 00:25:36 GMT

First published on TECHNET on Oct 05, 2017
Author: DJ Ball , Senior Escalation Engineer, Microsoft CSS Support

Another day supporting Skype for Business, and another topic to discuss. Today we will look at delegation, and how to troubleshoot it.

The case came in as a customer reporting that several of their Administrative Assistances could not create a Skype for Business meeting on behalf of one specific VIP user.

This VIP had configured delegates in Outlook for 4 different assistants. All four would get this error when they clicked the “Skype Meeting” button on a calendar item they were creating for their manager.

“The person you are scheduling on behalf of is not UC enabled or there may be configuration issues with the account. Make sure you are signed in to the same account you use for Microsoft Outlook. If the problem continues, please contact your support team.”

There are two ways that Skype can be configured for delegation. The most common scenario is for the manager to assign a delegate using Outlook. This post covers setting up delegates and the various permissions that can be granted. The Skype for Business client has a process, UCMapi.exe, that will sync down delegates that are configured in the mailbox. So once this is set in Outlook, within a few minutes the delegate should see the yellow banner in the client showing they were added as a delegate.

.

So how do we troubleshoot this? The first thing to verify is that the delegate can open the Manager’s calendar using Outlook. Then verify the delegate can create a regular meeting on behalf of the manager without clicking the “Skype Meeting” button. Once we established these are working, we could move on to more in depth poking.

I had the manager remove the delegate, wait several minute and re-add them back. We noticed the delegate never receives the yellow banner. The next thing to check is the EnableExchangeDelegateSync attribute on the assigned Client policy.

This must be set to True to allow delegates to schedule meetings on behalf of someone. Once this was enabled, the delegate’s saw the yellow banner message that they were added as a delegate. However, they still got the same error message for a Skype meeting.

You can check the registry to see if a client ever dismissed the yellow banner. We have two keys that track this. They are the Last DelegatorList and Dismissed DelegatorList. You can verify these keys under this path.

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Lync\user@domain.com

Name: Dismissed DelegatorList

Type: REG_MULTI_SZ

Data: disabledmanager@djball1.lab

Name: Last DelegatorList

Type: REG_MULTI_SZ

Data: disabledmanager@djball1.lab

managertwo@djball1.lab

The Skype for business client includes an Outlook Add-in named “Skype Meeting Add-in for Microsoft Office 2016”. When the “Skype meeting” button is clicked, code from this add-in is run. To crack this case, I had to turn to debugging the functions that run when this button is clicked. My debug session led me to an old Lync 2010 article that talks about the possible Add-In error messages. The chart has a very similarly worded error, but it was different enough that previous searches never found it. The possible cause is listed as “…Lync 2010 located the SMTP address of the person you are scheduling a meeting for but cannot determine his or her SIP address from Exchange Server or Lync”.

When the “Skype Meeting” button is clicked, we look up the Manager’s contact in the Global Address book. We then loop through all the proxy addresses looking for a matching SIP: address. If we do not find this, we fail and log the error message. This behavior has not changed since the 2010 days.

This was a hybrid deployment for Skype for Business Server, and Exchange 2013. The Manager and Delegates were all fully moved to the cloud for both services. We found that the on premises Exchange Global Address List did have the correct SIP address for the manager, but this attribute had not correctly replicated to the cloud. We worked with their on premises Exchange team and the Office 365 operations team to correct this. Once replication took place all Admins could create the Skype meetings without any issue, another problem solved.

But wait, remember I said there were two ways to setup delegates? When the Skype for Business user is enabled for Enterprise Voice, a “Call Forwarding” option is lit up in Tools/Options. This allows you to explicitly set up a Skype for Business delegate that can create meetings, but also allow the delegate to answer incoming phone calls. This delegation is not configured when the manager creates the Outlook delegate. This method is used for scenarios where Outlook is not used by the clients.

https://support.office.com/en-us/article/Set-up-a-Lync-Meeting-on-behalf-of-someone-else-DD35D8E8-147A-4B51-ABF2-9B02121EA3C3

EVENT ID 56416 - Failed to post QoE report to External Consumer

Sri Todi — Mon, 24 Feb 2020 21:09:26 GMT

First published on TECHNET on Sep 27, 2017 (Updated 11-JUN-2019)

Starting in Lync Server 2010, we added functionality to enable our partners to provide insights into Call Quality by means of a sending a copy of the Voice Quality Report (VQReport) directly from the server. At that time, I knew of a handful of companies that would allow you to configure QoEConfiguration, so they could generate some reports and provide insights about your network and configuration. Over time, with Call Quality Methodology and later with Call Quality Dashboard , and also integrating CQD Online some of the same functionality was available for free. With Skype for Business Server 2019, Microsoft introduced "Call Data Connector" to allow for data in Hybrid Environments to be analyzed and for insights to be gained

To send your QoE Reports to a third party, all you had to do within Lync was to Run

Set-CsQoEConfiguration -EnableExternalConsumer $true –ExternalConsumerName <Friendly Name of the Third Party Consumer> -ExternalConsumerURL "HTTPS URL Provided by the third party "

As soon as replication was complete, and presuming DNS, Certificates, Firewall was in order, all new QoE Reports would also be sent to the third-party. If the third-party was busy or unavailable, the messages would be queued-up and then be retried. The queues would be MSMQ in Lync Server 2010 and in LySS Database on the SQL Instance LyncLocal on each Front-End Server, in versions Lync Server 2013 and above .

If say, for some reason, the organization decided to change its course and use either Call Quality Methodology or Call Quality Dashboard , you could use Set-csQoEConfiguration to set EnableExternalConsumer $False

It could be possible that over time, with all the changes, the strategy may have changed, but the configuration has existed, and the 3rd party provider has chosen to block connection from your organization, or a new pool is deployed, and outbound connections to port 443 to the external consumer is no longer accessible, in such cases, you could see EVENT ID 56416 occur in your organization.

Time:     5/2/2017 2:49:54 PM

ID:       56416

Level:    Error

Source: LS Data Collection

Machine: SKYPESTD01.contoso.com

Message: Failed to post QoE report to External Consumer.

Error: System.Net.WebException: Unable to connect to the remote server ---> System.Net.Sockets.SocketException: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond <IP Address of the Provider >:443

at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)

at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket, IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Exception& exception)

--- End of inner exception stack trace ---

at System.Net.HttpWebRequest.GetRequestStream(TransportContext& context)

at System.Net.HttpWebRequest.GetRequestStream()

at Microsoft.Rtc.Server.UdcAdapters.QoE.HttpSender.SendReports(LyncMessageDetails msgDetails)

at Microsoft.Rtc.Server.UdcAdapters.QoE.QoEProcessor.ProcessQueueItems(LyssQueueItem queueItem)

Cause: Configurations for the external reports consumer are not set correctly.

Resolution:

Check the External Consumer configurations. If the problem persists, notify your organization's support team with the relevant details.

Depending on the cause, and if the intent is to send the data to third-party then updating it would be a matter of checking why a connection to port 443 is failing and correcting the same. Once the connection issue has been resolved, it’s just a matter of waiting for all the VQReports to be delivered to the third-party. It may take a couple of hours, depending on the robustness of the third-party system, and the time for which you have been experiencing the failure.

If the intent is no longer to send the data to the third-party, then, you may want to run Invoke-csStorageServiceFlush to move all the data from the existing queues to the Network file share, so resources like CPU, RAM and SQL Storage are not wasted in retrying and failing and then move the XML files that were generated.

If the issue is only for a period of time, and your contract/connection with the External QOE Provider is expected to be reinstated, then you could use Set-CsStorageServiceConfiguration to configure EnableAutoImportFlushedData to $False, so data isn't imported automatically and then run Invoke-csStorageServiceFlush to move all the data from the existing queues to the Network file share, so resources like CPU, RAM, and SQL Storage are not wasted in retrying.

To understand the robustness of LYSS See: Testing IM and Web-Conferencing Archiving set to Critical

High Glitch rate in QoE Report

Sri Todi — Tue, 21 May 2019 00:24:39 GMT

First published on TECHNET on Sep 22, 2017

If your organization uses Lync Monitoring Reports, CQM you may occasionally see high glitch rate in one or more calls. Both reports typically show you calls with very high glitch rate.

In-order to resolve the issue, we first need to understand what a glitch really is.

A glitch is defined as a short-lived fault in a system. It is often used to describe a transient fault that corrects itself, and is therefore difficult to troubleshoot.

In a Lync or Skype for Business related setting, a Glitch is a short span of time, when the application was unable to have exclusive control of the device. This can be caused, because either another application wanted to use the device, like a Browser wanting to auto-play a video, or a PowerPoint presentation that has audio in it.

Our recommendations for glitch are as follows

AudioSpeakerGlitchRate
Average glitches per five minutes for the loudspeaker rendering. For good quality, this should be less than one per five minutes. Not reported by A/V Conferencing Servers, Mediation Servers, or IP phones.

AudioMicGlitchRate
Average glitches per five minutes for the microphone capture. For good quality this should be less than one per five minutes. Not reported by A/V Conferencing Servers, Mediation Servers, or IP phones.

See: https://technet.microsoft.com/en-us/library/gg398064.aspx

Every Lync call has audio sampling at either 8,000 Samples/Sec (narrowband) or 16,000 samples/sec (Wideband) and a glitch is failure to capture one or more consecutive samples.

If your organization is using a capture and render device that is optimized for Lync then you should indeed expect few glitches.

Our certification Process requires the following

Lync User Experience

Plug and play: once connected, a device registers on Lync server and is ready to use

First run experience: Automatic detection of a device with a direct link to user guide and other useful tools and documentation

Mute/unmute across PC and device

Audio quality (embedded in the device): no echo or excessive glitches, echo cancellation across devices, wideband / Microsoft media platform with RT audio

Anti-flicker support for webcams (global powerline frequency) admin experience

See: https://technet.microsoft.com/en-us/office/dn788944.aspx

If you do experience an issue with Glitches, I would recommend, to begin troubleshooting, by first updating any/every device driver that’s used for Audio and Video on the PC where the glitch rate is high, simply by downloading and installing the latest versions from the appropriate vendor’s web-site.

Next, I would suggest to test again, and if the issue continues to occur, and/or isn’t reduced drastically, to check all USB peripherals, and then to update the devices. If you are using a say, a Universal Docking Station, please download the device drivers from the vendor for the same.

If say, you are using a USB Hub or or are connecting the device using a docking station, it would be prudent to test with a direct connection. Even using a different USB port may help.

To troubleshoot the issue, I would typically perform the following

Request the user to Run MSInfo32.exe and then Click File –> Save ( Save in NFO format)

Run the following in PowerShell to get a list of all available drivers
dir C:\windows\System32\drivers\*.* | %{ $_.VersionInfo} | ConvertTo-Html > C:\Windows\Temp\drivers.html

Collect Data using Windows Performance Recorder (WPR)
1. Download and Install Windows Assessment and Deployment Kit (Windows ADK) from https://developer.microsoft.com/en-us/windows/hardware/windows-assessment-deployment-kit for your operating System
2. Once you have installed Windows ADK, can you please search for Windows Performance Recorder (WPR) and select Scenario Audio Glitches, and ensure to de-select “First Level Triage”, also change the logging to Verbose and Logging Mode to File
3. Start Click on Start, and then attempt a call in Lync / Skype for Business
4. Once you have about 60 seconds in the call click on SAVE in Windows Performance Recorder (WPR)
5. At this point, we have the ETL file
6. We would also want to click SAVE in the next window.

Once you have data from above, it can be used by Microsoft Premier Support to analyze

If you are interested to learn, what’s in the data that was collected, and how we analyze them, you might want to view https://channel9.msdn.com/Shows/Defrag-Tools/Defrag-Tools-151-Media-eXperience-Analyzer-part-3-Audio-Glitch-Analysis

Help! My Director is consuming all my resources!

NextHop_Team — Tue, 21 May 2019 00:24:21 GMT

First published on TECHNET on Sep 20, 2017
Author: DJ Ball, Senior Escalation Engineer, Skype for Business

Recently I worked on a couple of cases where the administrators were reporting higher than average CPU consumption on their Director pool servers. They reported seeing sustained 80 to 90% CPU consumption during peak business hours. This was most noticeable around the top of each hour. Then, a few hours before the end of their day, the CPU would begin to fall back to their normal 20 to 30% average (normal for these customers, every customer should have their own baseline!).

As we began to troubleshoot the issue over several days, we noticed that only two or three servers in the pool would have high CPU consumption on a given day. We were able to confirm that every server in the pool had high CPU consumption at some point, so this problem was definitely affecting all members of the pool (just not all at the same time) .

Watching Task Manager was enough to figure out that RTChost.exe was the top consumer of CPU time. Now we needed to determine what was causing the problem. Was it load not well balanced among servers in the pool? Was something different on the problem servers (or problem servers on problem days)? Was there were any increase in users or devices on problem days?

A custom perfmon counter log was needed to dig deeper and understand why this service was consuming more CPU. Here is the Logman command line that allowed the customer to easily create the counter log on each server. I have provided the Performance Counter text file that contains all the counters that we used.

PerformanceCounters1

Create command:

logman -create counter SFBPERF -f bin -v mmddhhmm -cf PerformanceCounters.txt -o %systemdrive%\Perflog\%COMPUTERNAME%.LOG -y -cnf 24:00:00

Start command:

logman start SFBPERF

Stop command:

Logman stop SFBPERF

I had the customer run these perfmon logs on each server on issue and non-issue days (so we could compare problematic vs. non-problematic). Once I had this data, it was a time-consuming task to pick it apart.

In reviewing the perfomns, I started off adding these two counters. They showed that the RTCHost.exe process trended up exactly as the total CPU usage. Rtchost was using ~20% of the Processor time\_Total.

Process\% processor Time\RTCHost

Processor\% processor Time\_Total

Then I overlaid these additional counters to look at user load:

LS:SIP protocol\SIP - Incoming Messages /Sec

LS:SIP - Load Management\SIP - Average Holding Time For Incoming Messages

It was very clear that SIP - Incoming Messages /Sec went from an average of 3080, and jumped to 4380. That is about a 40% jump in traffic over the course of ~3 minutes. SIP - Average Holding Time For Incoming Messages also rose from basically 0, to 13.9 just at this same time. But when I compared these peaks against other servers in the pool, they were no higher than other servers that were not having high CPU. I had established was that the 10:00 am hour was a peak time for users joining meetings.

What is RTChost doing when it is consuming so much CPU? Next was to add these counters to the view:

Process\Private bytes\RtcHost

Memory\Available Mbytes

.Net CLR Memory\% Time in GC

Private Bytes counter showed that RtcHost process grew from consuming about 1Gb of memory to a peak just over 13GB in the span of 9 minutes. Available Mbytes counter showed that total system memory went from averaging ~14GB free, then dropped to 3.6GB free over that same period. % Time In GC is a counter that shows .Net Garbage Collection that is occurring for that process. Our jump in user load is what caused the process to consume much more memory, which causes GC to start kicking into overdrive, which drove up the CPU usage.

Now that we knew GC was our bottleneck, I discovered the customer was still running the old . Net 4.0 framework . .Net 4.6.2 release has improved memory management performance and Skype for Business Server has supported .Net 4.6.2 since the February 2017 update . We do not support .Net 4.7 version as it has not been fully tested. The 4.6.2 version can be found here .

The .Net Garbage Collector serves as the automatic memory manager for applications written in .Net. While GC is running, the other worker threads are blocked until GC finishes. The more often GC is running, the less often other work can be done. As a process becomes busier, GC will run more often and for longer periods of time.

Garbage Collection has two modes, Server and a Workstation. The Rtchost process is configured to use workstation mode by default. Workstation mode will have 1 thread to perform GC, and 1 memory heap, where as Server mode will have 1 heap per logical CPU core and 1 GC thread per CPU core. These differences can cause a process to consume as much as 2.5 times the amount of memory. You need to check the Memory\Available Mbytes counter closely to ensure you have enough system memory to handle this change. For a deep dive on GC, the Fundamentals of Garbage Collection is a great resource and the Exchange Team Blog has this excellent post .

Once the servers were updated with .Net 4.6.2, I had the customer enable server mode GC with concurrency in the Rtchost config file as shown below. You should make a backup of this file before adding the two lines to the <runtime> section. This change does require reboot to be picked up.

Default path - "C:\Program Files\Skype for Business Server 2015\Server\Core\RtcHost.Exe.config"

<?xml version="1.0" encoding="utf-8" ?>

<configuration>

<runtime>

<generatePublisherEvidence enabled="false"/>

<gcServer enabled="true"/>

</runtime>

<system.serviceModel>

<services>

If you think this change may help your environment, you need to consider the following caveats:

Per Server requirements for Skype for Business Server 2015 , Director role servers are recommended to have 16GB of memory. You need to closely monitor the Memory\Available Mbytes counter before and after making this change. You should have at least 1.5GB free during peak times.

Future Cumulative updates may overwrite your custom RtcHost.Exe.config. You will need to check this setting after each update. This is a custom configuration that needs to be set for each environment.

Thanks for reading!

DJ.

Understanding the relationships between UCMA Trusted Application objects

NextHop_Team — Tue, 21 May 2019 00:23:47 GMT

First published on TECHNET on Sep 18, 2017
Author: Zack Campbell , Service Engineer, Microsoft Skype for Business Online Services

I was recently engaged by the owner of multiple high-visibility and business-critical UCMA Trusted Applications, requesting my assistance to replace the Trusted App Computers associated to a large list of Endpoints. I didn't know the full backstory, but apparently their servers were VMs, hosted to Hyper-V hosts which they were under a hard deadline to vacate. Anyway, the initial request seemed simple enough, but as I dug in, I quickly realized that there was no direct relationship between their Trusted App Computers and their Endpoints.

I also realized (not so quickly) that there was not a one-to-one relationship between those objects. I knew I had the data I needed to figure out those relationships, but -- being the ~~smart~~ lazy SfB admin that I am -- I started by digging around the Internet for some background, only to come up empty.

Anyone who has worked much with UCMA Trusted Apps probably already understands this, but I was just then realizing that I had some quick scrambling to do to ensure I didn't cause an outage for their Trusted Apps… while implementing a change to prevent a different outage. That's never a good day.

You're really going to make me work at this, huh?

Up to this point, I had been able to slide by on most UCMA change work, without having a super clear understanding of the relationships between UCMA Trusted Apps and their respective Pool, Endpoint, and Computer objects.

This time, however, while the app owner was somewhat confident of the App Pools and Apps associated with his various Computers and Endpoints, he wasn't totally certain, nor was he sure which ones corresponded with which. Unfortunately, that's not good enough, when doing change work… so it fell to me to really figure this whole model out, so I could give the App owner solid consulting advice, make the right changes at the right times, and help him avoid any impact.

Getting all the pieces together

Not having found any help on the Internet, I got to work, picking through my company SfB deployment's various existing Trusted Apps, Computers, App Pools and Endpoints, looking closely at the object properties that tied them together. I made several interesting observations, which I was later able to stitch together into a fairly simple model:

Trusted App Computers are directly related to single Trusted App Pool .
1. The property that ties them together is the App Pool 's PoolFqdn (corresponding to the Trusted App Computers ' Pool property).
2. A Trusted App Pool requires at least one Trusted App Computer .

Trusted Apps are directly related to a single Trusted App Pool .
1. The property that ties them together is the App Pool 's PoolFqdn (corresponding to the Trusted Apps ' TrustedApplicationPoolFqdn property).
2. The App Pool has a corresponding Applications multivalued property, populated by all the Trusted Apps associated with it (via their ApplicationId properties).
3. A Trusted App Pool doesn't have to have any Trusted Apps associated with it (it doesn't do much good without them, but there's nothing preventing this from happening).

Trusted App Endpoints are directly related to a single Trusted App .
1. The property that ties them together is the Trusted App 's ApplicationId (corresponding to the Trusted Apps Endpoints ' OwnerUrn property).
2. A Trusted App doesn't have to have any Trusted App Endpoints associated with it.

Ok, that's not so bad

These observations were helpful, but not the kind of thing that's easy to remember or use. More to the point, I prefer pictures, so I made one. Nice, huh? This is a lot easier…

Application

With this model in hand, it was a simple matter to build the list of all Trusted App Pools and respective Trusted App Computers associated with the Endpoints my customer provided, and it helped them as well, to see/understand how their objects related to each other.

My hope is that it'll be useful to other SfB admins, as well. Don't hesitate to provide comments and feedback. I'll be happy to update this, as needed.

EVENT ID 56208 - Resolving Issues with CDR Throttling

Sri Todi — Tue, 21 May 2019 00:23:31 GMT

First published on TECHNET on Aug 11, 2017

In my previous blog post, I had explained what causes EVENT ID 56208 and had alluded changing the threshold as a work-around. Here is a work-around to resolve identify the issue further, and apply a work-around.

Running a simple SQL query mentioned below will be able to be provide a list of top 10 MS-Diagnostic IDs which occur the most in this environment within the last 30 days.


[sourcecode language='sql'  padlinenumbers='true']
Use LcsCDR 
Go 
Select Top 10 DiagnosticId, Count(DiagnosticId) as 'Frequency' From [LcsCDR].[dbo].[SessionDetails] 
Where (SessionIdTime >= dateadd(day, datediff(day, 0, getdate())-30, 0)) and SessionIdTime <dateadd (day, datediff(day, 0, getdate()), 0) 
Group By [LcsCDR].[dbo].[SessionDetails].DiagnosticId 
Order by Frequency Desc 
Go 
[/sourcecode]

The query can easily be modified to change the period from 30 day currently (getdate()-30) to say 1 day, 7 days, 15 days or 365 days, which would help understand if the issue has been occurring for longer periods of time, but has just reached the tipping point(s).

Let's say MSDiagID 52094 has the highest frequency, and has had this frequency only in the last 1 week, not in data collected from the last say perhaps 30 days.

[sourcecode language="sql"]
Use LcsCDR
Go

Update dbo.MsDiagMetaData
Set ThrottleLimit =20 where MsDiagId = 52094
Go
[/sourcecode]

Once the threshold has been modified, you will notice considerable improvement over the next couple of hours as any data backlogged will now be committed.

Please be aware that this is not a solution, but just a work-around within Lync to prevent problems within Lync and Skype for Business. In-order to find a solution, we may need to use the find the actual reason behind it. Some of the examples are:

Why do clients report MS-DiagnosticID 52094 ? - A temporary loss in WiFi can cause this issue

Why do we have this event mostly from a few IP Addresses? - This probably can help limit the source to a location or geography

Why do PC clients only report the issue ? - Most users at the location were using PC Clients

Why do we have mobile clients not report this issue? - Mobile devices probably used data networks ( 3G/4G/ LTE networks)

Why do we have this MS-DiagnosticID only for this period of 1 week ? - A large conference was hosted last week where say a large population from the company was invited, and the temporary WiFi Set-up was suffering from issues, and an AP in particular was problematic.

Like I mentioned, I can only provide a workaround to provide relief in Lync or Skype for Business Servers and monitoring. The real issue will have to be investigated separately. Getting clear answer to above question will pretty much point you to the actual cause and its resolution.

Skype for Business Server Address Book Normalization Rules–Failing Normalization

Sri Todi — Tue, 21 May 2019 00:23:24 GMT

First published on TECHNET on Jul 07, 2017
Recently I was working on a Service Request, where the address book normalization was not able to normalize simple 10 Digit numbers. I tried about half a dozen normalization rules, trying to make sure that the pattern would capture the phone numbers, but kept failing continuously.

As I was reading Ken’s Blog ( See: http://ucken.blogspot.com/2015/05/skype4b-address-book-normalization.html ), I noticed that the default E164 rule was indeed missing

(UPDATE 2015-Aug-13: Hany Elkady noted in the comments below that removing the E164 rule seemed to stop AD phone numbers already stored in E.164 format from appearing in the address book. I personally ha ven't seen this occur but you might want to leave that rule in place .)

I decided to rebuild the default Normalization rule by running the following and noticed that Normalization started to occur.

New-CsAddressBookNormalizationRule -Parent Global -Name 'Generic_E164' -Description "Generic_E164" -Pattern E164 -Translation NULL

Since then our Documentation for New-CsAddressBookNormalizationRule ( See: https://technet.microsoft.com/en-us/library/dn985803.aspx ) has been updated

Note :E164 is a well-known keyword which translates to tel:+digits-that-match. If E164 is specified and the phone number doesn't need to be translated then NULL is an expected response

and also

Note :If the pattern is E164 then NULL is a valid value for Translation since the number doesn't need to be translated.

.net Framework 4.7 and Skype for Business (&Lync) Server

Kris Waters — Tue, 21 May 2019 00:23:09 GMT

First published on TECHNET on Jun 23, 2017
UPDATED 12/19/17

Please refer to the article here for .NET version support for Skype for Business.

Simplified Port Requirements for Skype for Business Online

Kris Waters — Tue, 21 May 2019 00:23:02 GMT

First published on TECHNET on Jun 13, 2017
Hi all,

Please visit our Techcommunity to read Thomas Binder's new blog on Simplified port requirements for Skype for Business Online !

Thanks,

Kris Korff, Sr. Supportability Program Manager, Skype for Business

Retirement of the Lync Connectivity Analyzer Tool

Kris Waters — Tue, 21 May 2019 00:22:55 GMT

First published on TECHNET on Jun 13, 2017
As some of you may have noticed, the Lync Connectivity Analyzer tool has been retired and is no longer available for public download. We are interested in hearing how you used the tool, and what we could provide in the form of a tool that would better assist you in troubleshooting connectivity or sign-in issues.

Thanks,

Kris Korff, Sr. Supportability Program Manager

Lync Backup Service - EVENT ID 4060 - The server principal "CONTOSO\skype-pool1-FE2$" is not able to access the database "msdb" under the current security context.

Sri Todi — Mon, 24 Feb 2020 21:06:01 GMT

First published on TECHNET on May 25, 2017

Recently, I was working on a case with pool-pairing with a unique twist. The import status for Conferencing Module was working, but for User Module was failing . Upon looking further, I noticed EVENT ID 4060 with the following text

Log Name: Lync Server

Source: LS Backup Service

Date: 5/16/2017 11:25:48 AM

Event ID: 4060

Task Category: (4000)

Level: Error

Keywords: Classic

User: N/A

Computer: skype-pool1-FE2.contoso.com

Description:

Skype for Business Server 2015, Backup Service user store backup module failed to complete import operation.

Configurations:

Backup Module Identity:UserServices.PresenceFocus

Working Directory path:\\ contoso.com \SFBShare\1-BackupService-2\BackupStore\Temp

Local File Store Unc path:\\ contoso.com \SFBShare\1-BackupService-2\BackupStore

Remote File Store Unc path:\\ contoso.com \ SFBShare \2-BackupService-1\BackupStore

Additional Message:

Exception: Microsoft.Rtc.BackupService.ImportOperationException: Import operation (from zip archive ) is failed due to: Failed to execute stored procedure XdsQueryReplicaStatus. Native Error: 916, Exception: The server principal "CONTOSO\skype-pool1-FE2$" is not able to access the database "msdb" under the current security context. . Retriable: False. Cookie: . ---> System.Data.SqlClient.SqlException: The server principal "CONTOSO\skype-pool1-FE2$" is not able to access the database "msdb" under the current security context.

at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction)

at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose)

at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady)

at System.Data.SqlClient.SqlDataReader.TryHasMoreRows(Boolean& moreRows)

at System.Data.SqlClient.SqlDataReader.TryReadInternal(Boolean setTimeout, Boolean& more)

at System.Data.SqlClient.SqlDataReader.TryNextResult(Boolean& more)

at System.Data.SqlClient.SqlDataReader.NextResult()

at Microsoft.Rtc.Common.Data.DBCore.ParseResults(SprocContext sprocContext, SqlDataReader sqlReader)

at Microsoft.Rtc.Common.Data.DBCore.Execute(SprocContext sprocContext, SqlConnection sqlConnection, SqlTransaction sqlTransaction)

--- End of inner exception stack trace ---

at Microsoft.Rtc.BackupService.BackupModules.XdsBackupModuleBase.QueryBackupStatus()

at Microsoft.Rtc.BackupService.BackupModules.UserStoreBackupModule.GetBackupCookie()

at Microsoft.Rtc.BackupService.BackupModuleHandler.ReceiveBackupDataTask.GetBackupCookie(Boolean& isModuleInitialized)

at Microsoft.Rtc.BackupService.BackupModuleHandler.ReceiveBackupDataTask.InternalExecute()

at Microsoft.Rtc.Common.TaskManager`1.ExecuteTask(Object state)

Cause: Either network or permission issues. Please look through the exception details for more information.

Resolution:

Resolution

So I decided to collect logs the built-in scenario HADR. The scenario HADR has the following components

BackupService

PowerShell

RtcDbSyncAgent

UserServices

Since the scenario included both BackupService and UserServices, I was optimistic that I would certainly nail-down the issue. However, the logs were not leading me to any solution. It was only providing the name of the sproc XdsQueryReplicaStatus . However, this sproc exists on the Front-End Server and the Back-End Servers, so I needed more information on which database to troubleshoot.

Next I decided to collect a memory dump using the command

ProcDump.exe -ma -e System.Data.SqlClient.SqlException LyncBackupService.exe

Upon investigation, I finally found that the sproc XdsQueryReplicaStatus was connecting to the Lync Back-end Server. Now that I know the issue was with SQL, it certainly seemed like a Permissions issue, and so I double-checked the permissions with permission in a working environment. But was unable to find anything within the permissions of the databases used by Skype for Business Server 2015.

Finally, I decided to check the permissions for System Databases, and found that in the failing scenario, GUEST login was removed from MSDB (system database). So I decided to grant GUEST user the Connect permissions for MSDB database by running


[sourcecode language='sql'  padlinenumbers='true']
USE msdb;
GRANT connect to Guest;
GO
[/sourcecode]

Next, since this was an update to the System Database, we restarted the SQL Services, and the issue was resolved.

Resource:

You should not disable the guest user in the msdb database in SQL Server

What does the status reported by Get-CsBackupServiceStatus mean?

Configuring Alternate Login ID for Skype for Business

Kris Waters — Tue, 21 May 2019 00:22:40 GMT

First published on TECHNET on May 05, 2017
Please note that it is now possible to configure an alternate login ID (in some circumstances) for Skype for Business/Lync. This will most likely be of interest in cases where end users have email or SIP addresses that differ from their UPN and/or a UPN that is non-routable (jdoe@contoso.local).

You can read full requirements and other important technical details in the Windows IT Center.

Configuring Alternate Login ID

Understanding User Replicator in Lync Server 2013 and Skype for Business Server 2015

Sri Todi — Mon, 24 Feb 2020 21:04:53 GMT

First published on TECHNET on Apr 17, 2017
Reference: https://docs.microsoft.com/en-us/archive/blogs/toml/lcs-2005-user-replicator-faq

This post starts of with a reference at the top, only because it is indeed a very well written blog post from a little over 10 years ago. Since LCS 2005, we have had User replicator and while a lot has changed, the principles for User Replicator is essentially the same.

User replicator runs under the Front-End Service context, rather than a different service. It now writes to the SQL Express installation on each server (RTCLocal Instance), and runs on every server in the pool. It runs on any server that has the registrar role installed.

What does User Replicator do?

User Replicator is responsible for ensuring that the Lync Server or Skype for Business Server database and Active Directory are synchronized. What this means is that any time an user object or contact object is created or modified in Active Directory, it is User Replicator’s responsibility for ensuring that the changes are propagated to database. To accomplish this, User Replicator first performs a Full-Sync (or Initial Sync) and then subscribes to a Delta Sync (Incremental Changes) using DirSync.

What setting in User Replicator are configurable ?

With Lync Server 2010 we introduced Set-CsUserReplicatorConfiguration to allow an organization to control the user replicator. Here we discuss the different switches

ReplicationCycleInterval - Since UserReplicator only tracks delta changes from the Active Directory (AD), the using a smaller replication interval like 5 minutes, ensures that the Distribution List Expansion (DL Expansion) and Address Book Web-Query (ABWQ) provide accurate information. It also allows for users to be created in Active-Directory and be provisioned in Lync or Skype for Business within minutes. It is to be noted that since we only subscribe to delta changes, the load on a domain controller is negligible.

ADDomainNamingContextList - specifies the Domains that may have user objects and contact objects, that need to be synchronized. When this is not-set, User replicator will try to locate all the different domains and perform replication. ADDomainNamingContextList can be used to exclude say an empty root domain, or a domain if it's was used only to store computer accounts.

SkipFirstSyncAllowedDowntime - This was introduced only in Skype for Business Sever 2015. It sets the Front-End Service (RTCSrv) from pending to started, even though a the initial Sync hasn't been completed.

DomainControllerList - This was introduced only in Skype for Business Sever 2015, and allows to specify a list of domain controllers, however, we suggest to to leave this to default. I will explain why in a little bit.

Can I control which DC’s User Replicator connects to in order to perform synchronization?

In Skype for Business Server 2015 ( not in previous versions) , while its configurable, its not recommended, because the User replicator uses a Windows API called DsGetDcName to connect to a Domain Controller. The response of the DsGetDcName API really depends on how your Active Directory Administrator has configured the AD Sites and Services in your organization. The response is either (i) An in-site Domain Controller or (ii) An out-of-site Domain Controller

It is to be noted, that an the definition of Site here is an AD Site, which is defined by a list of Subnets and should typically be a representation of your physical site.

To know which site your Lync / Skype for Business Server belongs to, all you need to do is run nltest.exe /DSGetSite from a command-prompt. If the server is not associated to a site, chances are User Replicator will connect to a less than optimal domain controller for both initial Sync and delta syncs.

If AD Sites are configured correctly, either an in-site domain controller ( if one exists) is chosen, or an out-of-site, which has the lowest cost (based on the cost configured in AD Sites and Services). If the Lync or Skype for Business Server is not a member of any AD site, then the Lync / Skype for Business Server will connect to a random domain controller, which may not even be in the same continent.

How long does the initial replication cycle typically take?

There are a number of variables that affect the length of the initial cycle, chief among them the number of objects ( User object and Contact Objects combined) being synchronized, the domain controller that was chosen, the available band-width and load on the domain controller. Assuming minimum spec hardware or better and no serious network latency/bandwidth issues, an initial cycle with 100,000 objects will take about 30 minutes. In contrast, an SBA server can be in a remote location with limited bandwidth and potentially no in-site domain controller, in such a case, the initial sync can take considerably longer.

Examples #1:
A SBA server didn't exist in any AD Site and this caused for User Replicator Initial Sync to connect to a Domain Controller in a different Continent, with poor network connectivity, eventually taking well over 6 hours to Synchronize, causing Front-End Service to be in Starting Mode for 6+ Hours. A simple AD Site configuration change caused the service to start in ~ 45 minutes when the initial Sync was interrupted, and the service was restarted. With Skype for Business Server 2015, the SkipFirstSyncAllowedDowntime parameter for Set-csUserReplicatorConfiguration would have been useful. This is one of the many reason why we recommend not to configure the DomainControllerList parameter using Set-csUserReplicatorConfiguration

Examples #2:
In a particular case that I handled several months ago, we found that AD replication between sites was configured to occur only between 06:00 PM and 06:00 AM in 30 minute intervals. This caused users in a site to be able to communicate with a new hire almost immediately, while it took several hours ( up to 12 hours) for users on another site to view the newly created user. Once the AD replication interval was set to perform replication in 30 minute intervals, round the clock, we a newly created user was accessible in ~ 30+ minutes from both sites.

After an in-place upgrade to Skype for Business Server 2015 Response Group Workflows Fail to work

Sri Todi — Tue, 21 May 2019 00:22:26 GMT

First published on TECHNET on Apr 10, 2017
In a peculiar case, we noticed that after an in-place upgrade from Lync Server 2013 to Skype for Business Server 2015, Response Group Workflows stopped working. The initial troubleshooting involved verifying (i) that the Response Group Service is starting, (ii) the work-flow is defined in Skype for Business Server 2015 after the upgrade, (iii) the AD Object for the workflow exists.

To troubleshot further, as a simple step, we deleted and re-created the workflow, and could reproduce the error. From the logs on client, we could see 500 Internal Server Error , so I wanted to first make sure the permissions on AD are set correctly based on Issue: Calls to certain Response groups fail with an Error "500 Internal Server Error" . Once I could verify that the issue was indeed not to do with AD permissions, I started to investigate further.

Looking through the built-in scenarios, a scenario called RGS exists, but I wasn’t sure, if the components would suffice.

Description	Centralized Logging Tool Scenario	Logging Tool Components
Response Group Service	RGS	RgsClientsLib

I decided to create a custom scenario, call it RGSCustom and perform logging. I used the below commands to create my custom scenario

$SIPStack = New-CsClsProvider -Name "SIPStack" -Type "WPP" -Level "Debug" -Flags "All"
$S4 = New-CsClsProvider -Name "S4" -Type "WPP" -Level "Debug" -Flags "All"
$RGSClientLib = New-CsClsProvider -Name "RGSClientLib" -Type "WPP" -Level "Debug" -Flags "All"
$RgsCommonLibrary = New-CsClsProvider -Name "RgsCommonLibrary" -Type "WPP" -Level "Debug" -Flags "All"
$RgsDatastores = New-CsClsProvider -Name "RgsDatastores" -Type "WPP" -Level "Debug" -Flags "All"
$RgsDeploymentApi = New-CsClsProvider -Name "RgsDeploymentApi" -Type "WPP" -Level "Debug" -Flags "ALL"
$RgsDeploymentLibrary = New-CsClsProvider -Name "RgsDeploymentLibrary" -Type "WPP" -Level "Debug" -Flags "ALL"
$RgsDiagnostics = New-CsClsProvider -Name "RgsDiagnostics" -Type "WPP" -Level "Debug" -Flags "All"
$RgsHostingFramework = New-CsClsProvider -Name "RgsHostingFramework" -Type "WPP" -Level "Debug" -Flags "ALL"
$RgsMatchMakingService = New-CsClsProvider -Name "RgsMatchMakingService" -Type "WPP" -Level "Debug" -Flags "All"
$RgsDBSyncAgent = New-CsClsProvider -Name "RgsDBSyncAgent" -Type "WPP" -Level "Debug" -Flags "ALL"

New-CsClsScenario -Identity "Global/RGSCustom" -Provider @{Add=$SIPStack,$S4,$RGSClientLib,$RgsCommonLibrary,$RgsDatastores,$RgsDeploymentApi,$RgsDeploymentLibrary, $RgsDiagnostics, $RgsHostingFramework, $RgsMatchMakingService, $RgsDBSyncAgent}

Next it was time to start logging and while we were logging to restart the Response Group Service, so that I would have any failure encountered during service state captured

Start-CsClsLogging -Scenario "RGSCustom" -Pools SFBSTD01.contoso.com
Stop-CsClsLogging -Scenario "RGSCustom"
Search-CsClsLogging -Pools SFBSTD01.contoso.con -OutputFilePath "C:\Windows\Temp\RGSCustom.txt" -StartTime (get-date).AddMinutes(-30)

As I was investigating the CLS logs, I noticed the a peculiar error “ Message: CALLCONTROL: Call declined because CallControl is not started ”

TL_INFO(TF_COMPONENT) [SFBSTD01\SFBSTD01] 208D8.4700::05/03/2016-19:46:01.484.0000A42D (RgsCommonLibrary,RgsLogMessage.ReportMessageInternal:rgslogmessage.cs(452))
_rgs_message_begin_
Direction: Incoming
From: sip:sritodi@contoso.com
To: sip:sampleworkflow@contoso.com
Message: CALLCONTROL: Call declined because CallControl is not started
WorkflowId: c338e8ba142042b9b30023269d29daa0
_rgs_message_end_

I decided to look through the event logs when the service was starting and noticed EVENT ID 31067

This sounded a little strange as I was aware that every Lync Server 2013 pool has 2 Application Contacts, one RGS Presence Watcher and another RGS Announcement Service. This event was speaking about 3 RGS Presence Watcher Contact objects.

I decided to query the number of RGS Presence Watcher contact objects

Get-CsApplicationEndpoint | Where-Object DisplayName -eq "RGS Presence Watcher" | Ft Identity, DisplayName, RegistrarPool

This could also be accomplished by running

Get-ADObject -Filter 'msRTCSIP-OwnerUrn -eq "urn:application:RGS"' -SearchBase 'CN=Configuration,DC=contoso,DC=Com' -Properties msRTCSIP-PrimaryUserAddress, displayName | ft msRTCSIP-PrimaryUserAddress, displayName –AutoSize

I quickly realized that for the pools that were upgraded from Lync Server 2013 to Skype for Business Server 2015 and where calls to response group were failing, only had a single RGS Presence Watcher contact object

Solution: We decided to republish the topology by running

Enable-CsTopology -Verbose

Once topology was republished, we could see 3 RGS Presence Watcher contact objects. A service restart to the RGS service, and calls started to work as expected.

Testing IM and Web-Conferencing Archiving set to Critical

Sri Todi — Tue, 28 May 2019 21:58:53 GMT

First published on TECHNET on Apr 01, 2017
Organizations often chose to enable IM Archiving for multiple reasons, while some may be for record keeping purposes, others may have a regulatory /compliance requirement to ensure IM Archiving is occurring for every IM and Web-Conferencing Session.

When an organization is archiving for regulatory /compliance purposes, it may be possible that they are required to stop the service, if Archiving is failing. In Lync Server 2013 and Skype for Business Server 2015, we offer this by means of a setting in the commandlet Set-CSArchivingConfiguration called BlockOnArchiveFailure

Parameter	Required	Type	Description
BlockOnArchiveFailure	Optional	System.Boolean	If True, then the IM service will be suspended any time instant messages cannot be archived. If set to False (the default value), IM will continue even if instant messages cannot be archived.

This can also be accessed from the Control Panel and would look similar-to the image below.

Just as organizations perform Disaster Recovery Exercises / Routines, to validate that their infrastructure works as intended, and the organization ( or Organizational unit) is prepared with up to date documentation, if, a Disaster event occurs, organizations may also want to test and/or prove that IM and Web-Conferences would fail, if archiving was to fail.

With Lync Server 2013 and Skype for Business Server 2015, proving that IM and Web-Conferencing would stop, if Archiving was to fail can be a little challenge. Here’s why

Challenge#1
If the Archiving Database is Offline, Lync will export storage data to Web-Service File-share (fo r example \\contoso.com\LyncFileShare\1-WebServices-1\StorageService\DataArchive\20161122\LyncStd01.contoso.com\ )

Challenge#2
If the Archiving Database is offline, and the Web-Services File-share has not access we would see EVENT ID 32080 and the System would fail-back to C:\ProgramData\Microsoft\Skype for Business Server 2015\StorageService

Challenge #3
If the Archiving Database is offline, and the Web-Services File-share has not access we would see EVENT ID 32080 and access to the path C:\ProgramData\Microsoft\Skype for Business Server 2015\StorageService is also blocked. The local Database can have 5,000 Items or upto 10 GB ( SQL Express Limitation)

The challenges mentioned above, can certainly make it ceretainly operationally challenging to undo. There can be a lot of delay in undoing the efforts, which can cause of productivity.

Solution #1
Stop LyncLocal Instance on all Lync Front-End Server in the pool, where we want to simulate a failure. Since this is rather common solution, people might want to introduce another solution.

Solution #2
Set the LySS Database offline in SQL, so all access from a communications server is blocked. This can be accomplished by running the following query on each Front-End Server

ALTER DATABASE LySS SET OFFLINE WITH ROLLBACK IMMEDIATE

As soon as this is completed on an Enterprise Edition Pool or a Standard Edition pool, IM messages will stop transmitting from the pool. Presence will still be available, but both IM and Web-Conferencing would be failing.

In-order to bring services back to business as usual, one will have to bring the database online by running

ALTER DATABASE LySS SET ONLINE

Once the databases in your routing group is online, you will be able use IM and Web-Conferencing again.

Here are some-event logs, which may be useful during testing. I am adding them so the web-page is indexed, and administrators come to an authoritative source, when they search for EVENT ID's or Descriptions.

EVENT ID	Source	Event ID Description
56717	LS Data Collection	IM was blocked in critical archiving mode due to local Storage Service is full or unavailable. Cause: Storage Service or its dependent components are not running. Resolution: Ensure the local Storage Service database is not full and target storages such as SQL Server or Exchange Server are available.
56800	LS Data Collection	Failed to commit session data into the local Storage Service database . Error: SessionUpdateException: code=Success, r eason=, Unable to finalize session, no session items removed, no new items enqueued at Microsoft.Rtc.Internal.Storage.Queue.LyssQueueDal.FinalizeSession(StoreContext ctx, Guid adapterID, HashSet`1 sessionIDs, List`1 queueItemList)at Microsoft.Rtc.Server.UdcAdapters.UcSessionAdapter.WrapperFinalizeSession(StoreContext ctx, LyssQueueDal dal, HashSet`1 sessionIds, List`1 queueItems)at Microsoft.Rtc.Server.UdcAdapters.UcSessionAdapter.FinalizeSession(StoreContext ctx, LyssQueueDal dal, HashSet`1 sessionIds, List`1 persistItems)at Microsoft.Rtc.Server.UdcAdapters.UcSessionAdapter.PersistSession(StoreContext ctx, LyssQueueDal dal, SessionState entry, Boolean isCriticalMode)Cause: Storage Service or its dependent components are not running.Resolution:Ensure the local Storage Service database is not full and target storages such as SQL Server or Exchange Server are available.
32042	LS Storage Service	Storage Service API failed to add a message to the queue. Add Queue Message failure. EnqueueException: code=ErrorQueueUnhealthy, reason=Unable to Enqueue Message: Storage Queue is not healthy due to errors: Storage Service Database is full. . Please retry later. at Microsoft.Rtc.Internal.Storage.Api.StorageService.BeginEnqueueMessages(EnqueueMessagesRequest enqueueMessagesRequest, AsyncCallback asyncCallback, Object state) Cause: Authentication or authorization failure, bad input parameters, fabric errors, timeouts, other errors. Resolution: Check event details. Ensure that the caller of Storage Service is properly authenticated using windows authentication, and has the required authorization based on security group membership. Verify that inputs were valid. If problem persists, notify your organization's support team with the event detail.
32008	LS Storage Service	Unexpected exception. Message=Error: Path \\contoso.com\LyncFileShare\1-WebServices-1\StorageService\DataArchive\20161122\LyncStd01.contoso.com\ failed to be read for flushed data. Error details: System.IO.IOException: The network path was not found . at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileSystemEnumerableIterator`1.CommonInit() at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost) at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption) at Microsoft.Rtc.Internal.Storage.Sql.LyssDal.CheckFilePathForFlushedFiles(StoreContext ctx, String parentFilePath, Boolean checkArchived, Boolean& errorOccurred, Int32& numDataFilesToReport) Exception: The network path was not found. Stack Trace: at System.IO.__Error.WinIOError(Int32 errorCode, String maybeFullPath) at System.IO.FileSystemEnumerableIterator`1.CommonInit() at System.IO.FileSystemEnumerableIterator`1..ctor(String path, String originalUserPath, String searchPattern, SearchOption searchOption, SearchResultHandler`1 resultHandler, Boolean checkHost) at System.IO.Directory.GetFiles(String path, String searchPattern, SearchOption searchOption) at Microsoft.Rtc.Internal.Storage.Sql.LyssDal.CheckFilePathForFlushedFiles(StoreContext ctx, String parentFilePath, Boolean checkArchived, Boolean& errorOccurred, Int32& numDataFilesToReport) Cause: Unexpected exception. Resolution: If problem persists, notify your organization's support team with the event detail.
32013	LS Storage Service	Cannot perform a LYSS database operation. Message=#CTX#{ctx:{traceId:18446744072925107599, activityId:"c0af1230-6791-473f-a13a-76795835de80"}}#CTX# FinalizeSession sproc failed: SprocNativeError = [1105] Exception: System.Data.SqlClient.SqlException (0x80131904): Could not allocate space for object 'dbo.ItemQueue'.'CL_ItemQueue' in database 'lyss' because the 'PRIMARY' filegroup is full. Create disk space by deleting unneeded files, dropping objects in the filegroup, adding additional files to the filegroup, or setting autogrowth on for existing files in the filegroup. at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds, Boolean describeParameterEncryptionRequest) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader() at Microsoft.Rtc.Common.Data.DBCore.Execute(SprocContext sprocContext, SqlConnection sqlConnection, SqlTransaction sqlTransaction) ClientConnectionId:8d59a7be-4c40-4747-9d00-33b889057e0c Error Number:1105,State:2,Class:17 Stack Trace: at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection, Action`1 wrapCloseInAction) at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj, Boolean callerHasConnectionLock, Boolean asyncClose) at System.Data.SqlClient.TdsParser.TryRun(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj, Boolean& dataReady) at System.Data.SqlClient.SqlDataReader.TryConsumeMetaData() at System.Data.SqlClient.SqlDataReader.get_MetaData() at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString) at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async, Int32 timeout, Task& task, Boolean asyncWrite, SqlDataReader ds, Boolean describeParameterEncryptionRequest) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, TaskCompletionSource`1 completion, Int32 timeout, Task& task, Boolean asyncWrite) at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method) at System.Data.SqlClient.SqlCommand.ExecuteReader() at Microsoft.Rtc.Common.Data.DBCore.Execute(SprocContext sprocContext, SqlConnection sqlConnection, SqlTransaction sqlTransaction) Cause: Cannot perform an LYSS database operation. Resolution: Verify that the data is valid and that the LYSS database is available and healthy. If this error caused by Violation of UNIQUE KEY constraint 'CL_ItemQueue', then most likely it is due to at attempt to load a duplicate item from the file share. If so, find flushed xml file that contains duplicated key and move the xml file to somewhere else. In addition, please verify the file share is healthy.
32059	LS Storage Service	Space Used by Storage Service DB is at or above the Critical Threshold. SQL Edition=Express Edition (64-bit); Space Used Percent=87.5; Critical Threshold Percent=80 queue item counts summary: owned: True, status: 2, critical: True, count: 356 Total queue items: 356, total archived items: 0 Cause: The DB size can grow bigger under heavier usage as the data in the Storage Service Queue and/or Cache grows. Once Storage Service finishes processing the data, the db will shrink back to normal size. However breaching the critical threshold implies that the normal processing of the data is slow or blocked resulting in so much excessive DB growth that service functionality is now affected and blocked. Resolution: Check event details to find the root cause of why data is not getting processed. Resolve the root cause to allow Storage Service to start shrinking the DB down naturally. If problem persists, notify your organization's support team with the event details.
32089	LS Storage Service	A flush of queue items from the Storage Service DB was initiated, and items were exported to the file system. Queue size: Error, flushed 1 files to the filesystem. success: True. Files: \\contoso.com\LyncFileShare\1-WebServices-1\StorageService\DataArchive\20161122\LyncStd01.contoso.com\ e1dc38d13ed15269b601a5460e8f9631__1.xml Cause: Periodically, or in reaction to the size of the Storage Service queue, we may purge items from the database, exporting them to the file system in order to ensure performance isn't impacted due to the accumulation of data. These items should be re-imported after the root cause of the accumulation is resolved. Typically this would occur due to an outage of a data storage endpoint (like Exchange), or could be due to a sustained period of high system load. Resolution: The resource kit tool is available to import exported items back into the DB for processing.
32090	LS Storage Service	Flushed queue Items from the Storage Service DB have been left unattended to for some amount of time and require attention to be imported back. Parent Path \\contoso.com\LyncFileShare\1-WebServices-1\StorageService\ . 112 data files are over 5 days old. Cause: Periodically, or in reaction to the size of the Storage Service Queue, we may purge items from the database, exporting them to the file system in order to ensure performance isn’t impacted due to the accumulation of data. These items should be re-imported after the root cause of the accumulation has been resolved. Typically this would occur due to an outage of a data storage endpoint (like Exchange), or could be due to a sustained period of load
32080	LS Storage Service	A queue flush operation has encountered a file error. Preliminary primary fileShareName parameter: \\contoso.com\LyncFileShare\1-WebServices-1\StorageService is unusable. Exception: System.IO.DirectoryNotFoundException: Failed to get DirectoryInfo of \\contoso.com\LyncFileShare\1-WebServices-1\StorageService at Microsoft.Rtc.Internal.Storage.Sql.LyssDal.ValidateFileShareName(StoreContext ctx, String fileShareName, String timestamp, LyssDBUsageStatus usageLevel, Boolean isTenantMigration) Cause: There may be permission issues to the file share, local file location, temporary directory, or disk is full. Resolution: Please check event detail and trace log for more information. Please ensure there is write permission to required file locations.

References:
Import Storage Service Data
Archiving Options in Lync Server 2013
The LCSLog SQL Database is not logging any archiving content
Understanding Monitoring and Archiving on Lync Server 2013

Understanding Monitoring and Archiving on Lync Server 2013

Sri Todi — Tue, 21 May 2019 00:21:53 GMT

First published on TECHNET on Mar 27, 2017
Monitoring and Archiving has undergone major changes since Lync Server 2010. For Lync Server 2010 and prior versions, we had Message Queuing (MSMQ), have messages stored on a communications server, which were transported to the Monitoring Server and the Archiving Server, using MSMQ, and then were consumed into respective server roles using an Agent. In Lync Server 2013, we introduced Lync Server Storage Service (LySS), as a replacement for Message Queuing(MSMQ). The LySS database is part of the LyncLocal Instance on all servers.

LySS can have different types of data, but mostly has the following types of data

Monitoring Data ( CDR & QoE Reports) which are sent to your Monitoring Server, defined in the topology

Archiving Data ( for Content Archiving if enabled) , which are sent to the Archiving Server, defined in the topology

Since LySS is an SQL Express Instance it has some of the limitations of SQL Express Installation like 1 GB Maximum RAM Utilization, 1 CPU Max Utilization, and 10 GB Max DB Size. These limitations, generally speaking, work extremely well with LySS, as there is little data on the database, before it gets committed to the respective back-end servers, like a monitoring server or an archiving server. In the unlikely event that your Monitoring or Archiving Server is/are offline for an extended period of time ( or not configured correctly) , the 10 GB Max DB limit may certainly be a challenge.

Each LyncLocal instance can expand up to 10 GB in size, which can queue-up several hundred thousand messages, given most CDR/QOE reports are very small, Archiving data is fairly small too. Additionally, there are fail-safe mechanisms in place, to export the content from SQL Express to the either a Web service file share (for example \\contoso.com\LyncFileShare\1-WebServices-1\StorageService\DataArchive\20161122\LyncStd01.contoso.com\ ), if access to the file-share is available, while the other possibility is the local Application Data directory of each front-end server ( for example C:\ProgramData\Microsoft\Skype for Business Server 2015\StorageService ).

The resource Kit for for Lync Server 2013 and Skype for Business Server 2013 have a tool called ImportStorageServiceData that can be used to re-import these files into the local LyncLocal instance.

In-order to help troubleshoot, we also have a built-in scenario called MonitoringAndArchiving , which will collect relevant logs from the servers, where the scenario has been running.

Description	Centralized Logging Tool Scenario	Logging Tool Components
Monitoring and Archiving logging	MonitoringAndArchiving	UDCAgent

A friendly note to all Lync Administrators, since this Database can have Content Archiving , which may be required for legal / regulatory / compliance purposes in your organization, before you scorch a server or delete this database, always take a back-up.The UDCAgent is an application that is responsible to transfer messages from LySS database to the appropriate back-end database.

Skype for Business Cloud Connector Version 1.4.2 Release

Carolyn Blanding (MS TEAMS) — Tue, 21 May 2019 00:21:45 GMT

First published on TECHNET on Mar 20, 2017

Skype for Business Cloud Connector Version 1.4.2 Release

This is an important update as it is the first update that will automatically update all existing installed Skype for Business Cloud Connector (Cloud Connector) 1.4.1 appliances based on the update schedule that administrators have configured for their Cloud Connector Hybrid PSTN Sites. For details please refer to Understanding the automatic update process for Cloud Connector Edition .

Be sure to read Prepare for Cloud Connector Edition Release 1.4.2 prior to your update schedule to insure a successful update.

If you are running version 1.3.8, please refer to the manual update instructions Upgrade a single site to a new version in the Cloud Connector Edition configuration guide. Also, be sure to export a new sample Cloud Connector configuration file after 1.4.2 has been installed and update your existing configuration file with new parameters, e.g., HardwareType and WSUS Server.

For more details on this release, please see posting in our Skype for Business Hybrid Voice blog: https://blogs.technet.microsoft.com/sfbhybridvoice/2017/03/20/skype-for-business-cloud-connector-version-1-4-2-release/

Insertion of an error report was throttled to prevent flooding of the Call Detail Recording (CDR) Database

Sri Todi — Tue, 21 May 2019 00:21:38 GMT

First published on TECHNET on Mar 20, 2017
Often a Lync Administrator will see EVENT ID 56208 - Insertion of an error report was throttled to prevent flooding of the Call Detail Recording (CDR) Database on their Front-End Servers, potentially on other server roles like a Mediation Server too.

While most administrators chose to ignore this alert, this blog-post sheds light on what this alert represents and when is it safe to ignore the same,

A CDR report is generated by each party that is in a Peer-to-Peer IM Session, Multi-Party IM Session, and/or Conferencing Session. In case of PSTN calls, the mediation server will generate a CDR report.

Since CDR reports are generated by by P2P conversations and by conferences, lets first focus on conferences.

P2P and Multi-Party IM Conversations - Each party will generate a CDR Report, when the session is ended (I.e user closes their active tab or the session is timed-out, due to inactivity).

Conferences typically start at the top of the hour or at the 30 minute mark and then conclude at the end/top of the hour or at the 30 minute mark. This means that at every hour and 30 minute interval after the same, during core-business hours, CDR reports are expected to be generated at higher volumes.

Conferences / Meetings also present a unique scenario where people may either be walking to a conference room, switching from one Wireless Access Point to another and/or not responding to IM sessions that are already in progress, as they are just joining/exiting a meeting causing a session timed-out due to inactivity.

In case of a session involving audio and/video, a Quality of Experience (QoE) report is also generated, but the volume of QOE reports is often much lesser than the volume of CDR reports.

Both in Lync Server 2013 and Skype for Business Server 2015, we have a throttle set to on the monitoring server to only allow for only 10 reports with a particular MS-Diagnostic ID to be inserted into the LcsCDR database per second. This throttle was deliberately introduced to distribute the load on the server over a longer period of time, so that report creation isn’t impacted, if the monitoring and reporting servers are collocated.

The above mentioned throttle can be seen in the dbo.MSDiagMetaData table in the LCSCDR database. One common example would be

DiagnosticId	ReasonString	Description
52094	Conversation suspended due to a loss of network	The signaling session was terminated due to a loss of network. This typically occurs when a wireless connection drops or a machine enters hibernation mode. Audio calls will typically continue if audio is still flowing. If the network dropped, the client will attempt to re-establish and send any queued instant messages once connectivity is restored.

The way our product is designed, these reports are held in SQL LyncLocal instance in the LYSS database., and are retried again and again until the messages are eventually committed to the Monitoring servers.

In rare instances, mostly either in very large environments that use a centralized Monitoring Server or in environments, where the Monitoring Server has been offline for a considerable period, we have see issues where the threshold hasn’t necessarily worked.

Generally speaking it is safe to ignore EVENT 56208. However, if EVENT ID 56208 is fired during periods of low business activity (weekends or holidays), it is certainly concerning. In such a case focusing on EVENT ID 56206 and EVENT ID 56207 can help understand, if the aggregate volumes are increasing or decreasing. If the volumes are decreasing, we recommend to wait till the queues drain out. It is suggested to prevent additional load on the monitoring server, not to generate reports on your reporting server.

If there are indeed issues in the environment, based on the type of issue, you may see other events in the LYNC Server event log from source LS Storage Service . Also, it could be possible that your reporting server reports will not have data for the current or prior day. In such cases, we would recommend that you engage Microsoft Support .

Prepare for Cloud Connector Edition Release 1.4.2

Carolyn Blanding (MS TEAMS) — Tue, 21 May 2019 00:21:22 GMT

First published on TECHNET on Mar 10, 2017
Expected release date for this is 3/20/2017 pending final testing. Look for release announcement here.

This update is important, as it is the first to automatically update all existing installed Skype for Business Cloud Connector 1.4.1 appliances, based on the update schedule that administrators have configured for their Cloud Connector Hybrid PSTN Sites. For managing auto update, see Understanding Cloud Connector Edition Auto Update .

For details on understanding how to prepare for Cloud Connector Edition Release 1.4.1, please our Skype for Business Hybrid Voice Team blog.

The Skype for Business Software Defined Networking (SDN) Interface

NextHop_Team — Tue, 21 May 2019 00:21:13 GMT

First published on TECHNET on Mar 08, 2017
Author: Steve Schiemann

SDN Definition and Short History

What is Software Defined Networking?

At a high level, SDN uses open protocols (XML in our case) to apply software control to network hardware. This hardware/firmware can receive and understand application-specific data, and make adjustments to optimize network traffic.

Short History

Consider this a primer for the Skype for Business Software Defined Networking Application Programming Interface. Later versions are simply called the Skype for Business SDN Interface.

There is no programming involved with installation/configuration. It provides an interface to a third-party network controller or monitoring application. The controllers are made by Cisco, Aruba, Nectar, HP, or other providers.

The SDN API sends Lync/SfB diagnostic data, Quality of Experience to the controller(s), which then can optimize network traffic and security. Administrators can view records of Unified Communications call quality, or even see a problem in real time and address it quickly. The controllers themselves can respond to media stream quality data, and prioritize network traffic for real-time vs. non-real-time data, UC-related data vs. web browsing data. Lync/SfB media steams are encrypted, but the SDN API allows the controllers to see what type of media stream is involved, and adjust the network accordingly, per policies, without seeing the data contents.

The Microsoft Skype for Business SDN Interface is a RESTful (Representational state transfer) interface through which subscribed systems ("subscribers", a.k.a. the third-party controllers) receive active call data, and the end-to-end measured quality of media streams.

Big Picture: Software Defined Networks began in the mid-1990s-early 2000’s, A.K.A “Active Networking”. AT&T had one of the first implementations of this idea. The Microsoft Lync/SDN API is one of many SDN Applications written by various vendors for other applications.

Considerations Before Deploying

1.) We recommend that installation/configuration is done in a lab first.

2.) Microsoft recommends using the latest version of the SfB SDN Interface that is compatible with Lync/SfB Servers, and the third-party controllers. What version does the controller manufacturer recommend? Keep in mind that there are various schemas available in the interface for compatibility purposes , so if a particular schema is needed, perhaps a later version of the SDN Interface can be used with a non-default schema .

3.) Is this a new deployment, or perhaps an upgrade from a previous version? Read the Help and Release notes that come with each version of the Interface.

Versions

Version 1.0 was released in 2012, and 1.2 was released in late 2013. Neither of these versions are publicly available now. Versions 2.1.1, 2.2, 2.4, 2.4.1, and 3.0 are in use by customers today.

Version 3.0 just released on Feb 2, 2017 https://www.microsoft.com/en-us/download/details.aspx?id=54685&WT.mc_id=rss_alldownloads_all It is not compatible with Lync 2010.

Improvements in later versions include but are not limited to sending in-call quality updates as opposed to just begin/end-call updates, fully load-balanced and redundant pools, SDN Managers shared database, move some computations from Listener to Manager. Check the release notes for each version for more information. The release notes are available in the same group of download files for each SDN version.

Versions prior to 3.0 work with Lync 2010, 2013, and SfB 2015

Whatever operating system the Lync Server Front End servers use will be used by the API, since one component (Listener) is required to be installed on all FE servers.

Architecture

Components

Conceptually, the Skype for Business SDN Interface consists of the following components:

· The Dialog Listener that captures signaling and quality observations about media traffic between Skype for Business endpoints.

· The SDN Manager that collects the data from one or more Dialog Listener and distributes to third-party network management systems.

· A data store that maintains the shared state among all SDN Managers in a single pool. The data store could be a SQL database, Redis, or local memory cache.

· One or more subscribers, generally network management systems, also known as network controllers, or ITPro tools that support a RESTful web service to receive and analyze the call- and media-quality data posted from the SDN Manager.

Data Flow

The data flow looks like this:

Clients → (Front Ends / Lync Dialog Listener (LDL)) → Lync SDN Manager (LSM) → third-party controller

There should be a Listener on each front-end server (FE) to receive data from users homed on them, and one or more Managers to send (XML) data to the controller. The diagram below shows the Skype for Business/Lync clients in the upper left, sending data to the Listener component which is installed on each FE. The Listeners then send data to the Manager(s), who send it on to the controllers (Network Management System).

Installation/Configuration

For the most part, customers install each component on appropriate servers, configure it, and it just works. The primary configuration steps are done in the installation wizard; some environments may require more customization.

Pre-installation tasks include but are not limited to planning your deployment (how many listeners/managers?), Activating QoE recording, setting up DNS service location record, setting up a database (Redis, or SQL), and/or installing certificates.

We recommend that you run SkypeforBusinessSDNManager.msi before you run the SkypeforBusinessDialogListener.msi . This will ensure that the SDN Manager is running and ready when the Dialog Listener attempts to connect to the SDN Manager.

You should install SDN Manager on a separate application server to maximize the performance of the Skype for Business Server front end.

Installing LDL and LSM on same FE is not recommended, but in a lab environment it can work.

Screen shots and details of Manager (LSM) component setup can be found at https://msdn.microsoft.com/en-us/library/office/dn785203.aspx .

Screen shots and details regarding the Listener (LDL) component can be found at https://msdn.microsoft.com/en-us/library/office/dn785202.aspx .

Command-line/PowerShell options

You can use the command line or PowerShell to view or modify SDN settings, or even perform unattended setup.

Command Line

Details regarding command line options are described at https://msdn.microsoft.com/en-us/library/office/mt148356(v=office.16).asp x. Below is an example of changing the submituri parameter via command line. I customized my installation path, so yours may not be exactly the same.

The ‘p’ means “put” or change something, the ‘l’ means listener, “sfb.contoso.com” is where a standard edition or enterprise pool is referenced, and “submituri=…” is the parameter being changed. This change is saved in the database being used by the API, not the config files used by LSM or LDL components. Earlier versions used the config file for everything. Config file parameter are still important but are not now used for Listener, Subscriber and Manager configuration.

C:\Program Files\Microsoft Skype for Business Server\Microsoft Skype for Business SDN Manager 3.0>sdnmanager p l sfb.contoso.com submituri=http://webapps.contoso.com:9333/LDL

Response code: SUCCESS Detail: Merged 1 parameters, Timestamp: 2017-02-27T17:22:45.7550618Z

Response code: SUCCESS Detail: TimeStamp: 2017-02-27T17:22:45.7550618Z

<Configuration Version="2.0" culture="en-US" Kind="Listener" Identifier="SFB.CONTOSO.COM">

<parameter key="submituri">http://webapps.contoso.com:9333/LDL</parameter>

<parameter key="alternativeuri"></parameter>

<parameter key="clientcertificateid"></parameter>

<parameter key="submitqueuelen">1000</parameter>

<parameter key="maxbackoff">30</parameter>

<parameter key="maxdelaylimit">5</parameter>

<parameter key="maxopen">100</parameter>

<parameter key="maxretry">100</parameter>

<parameter key="maxretrybeforefailover">10</parameter>

<parameter key="requester">sfb.contoso.com</parameter>

</Configuration>

PowerShell

Details regarding PowerShell options can be found at https://msdn.microsoft.com/en-us/library/office/mt642927%28v=office.16%29.aspx / Version 2.4 and later have the option of using Powershell cmdlets. Here is an example of using PS to get Manager (LSM) settings from my Standard Edition SfB 2015 Server:

PS C:\Users\Administrator.CONTOSO> Get-CsSdnManager -SdnPoolUri http://localhost:9333/Settings

Performance

Our data store (SQL, Redis, or local cache) only maintains configuration data, and info for all concurrently ongoing calls. So the databases should be fairly small, relative to the call volume. No historical data is preserved.

Regarding the Manager component, from the SDN API 2.2 help file, SkypeForBusiness_SDNInterface_2.2.chm

"The SDN Manager is also a lightweight Windows service that we recommend you run on a separate virtual or hardware application server that uses Windows Server 2008 or later… The SDN Manager is responsible for processing the various events received from the Dialog Listener. It maintains state of the individual real-time streams—including whether the stream has started, ended, updated, and more in the associated data store (either Redis, local cache, or SQL Server database)—and sends the resulting XML data to the configured data receivers. The SDN Manager requires .NET Framework 4.5 or a later."

“Performance Benchmarks” are found in the SkypeForBusiness_SDNInterface_2.2.pdf that was downloaded with the 2.2 API. They have not changed for later versions:

Sample machine configuration:

Stand-alone SDN Manager server : Windows Server 2012 R2

CPU : 8 Cores, 8GB of memory

Hard drive : 1 TB

From the SkypeForBusiness_SDNInterface_2.2.chm that is downloaded with the API,

Applies to: Lync Server 2010 | Lync Server 2013 | Skype for Business 2015

Version 2.2 of the Skype for Business SDN Interface was tested in a production environment and in lab setups but no formal scalability testing has been conducted. Nevertheless, the following performance data should give you an idea what you can expect. Please consider these numbers as example only.

Performance benchmarks

A pool of three SDN Manager servers can support the traffic from 48 Skype for Business front-end servers, with separate REDIS/SQL clustered DB servers. This configuration may be able to support up to 80,000 users in one continent.

Memory consumption is fairly low and stable.

Sample machine configuration:
- Stand-alone SDN Manager server : Windows Server 2012 R2
- CPU : 8 Cores, 8GB of memory
- Hard drive : 1 TB

In lab scenarios, we execute load of 400 audio calls per minute against two front-end servers and two SDN Manager instances. These topologies consist of virtual machines only with not more than two cores and 8 GB of memory each.

Bandwidth includes the RTCP stream, which may use a different port.

If a pool configuration is used around a database, the SQL Server is expected to be production level server with state-of-the art memory and CPU. Similarly, a REDIS cache server must be configured to handle the load.

Troubleshooting and Data Collection

Logging is on by default, but debug logging can be enabled via the config files for each component. The config file for the Listener component is found by default at C:\Program Files\Microsoft Skype for Business Server\Microsoft Skype for Business Dialog Listener\ DialogListener.exe.config. The Manager component config file is at C:\Program Files\Microsoft Skype for Business Server\Microsoft Skype for Business SDN Manager\SDNManager.exe.config.

To enable debug logging, search for the <loggingConfiguration> section and make appropriate changes to entries under the component elements.

For example, change the switch value from “Off” to “All”.

<add switchValue="Off" name="Debug">

<listeners>

<add name="LNEAppLog" />

</listeners>

</add>

Basically, you want to verify that the listener is getting data from the clients, and sending it to the manager. Then, verify that the manager is sending data to the subscriber (controller) in the correct format. That’s it.

The SDN API is quick and easy to install in a lab. As previously mentioned, both components can be co-located on an FE server.

Info on listener logging:

https://msdn.microsoft.com/en-us/library/office/dn439303.aspx

Info on manager logging:

https://msdn.microsoft.com/en-us/library/office/dn775151.aspx

Other Resources

Getting ready to install Skype for Business SDN Interface

https://msdn.microsoft.com/en-us/library/office/dn785199(v=office.16).aspx

Software-Defined Networking: An Overview for Unified Communications

https://channel9.msdn.com/Events/TechEd/NorthAmerica/2014/OFC-B343

Software-Defined Networking: The New Norm for Networks

https://www.opennetworking.org/images/stories/downloads/sdn-resources/white-papers/wp-sdn-newnorm.pdf

Open Networking Foundation (ONF)

http://www.OpenNetworking.org

The International Mulitmedia Telecommunications Consortium

http://www.imtc.org/

The Road to SDN: An Intellectual History of Programmable Networks

https://www.cs.princeton.edu/courses/archive/fall13/cos597E/papers/sdnhistory.pdf

Conclusion

This writing is not intended to cover advanced topics. I hope it is useful to those new to the SfB SDN Interface. The Help that comes with each version of the Interface is extensive, and covers most questions that customers have about the product. But if your questions are not answered, open a support ticket and we’ll be glad to help.

Updated Support Statements for .NET Framework

Kris Waters — Tue, 21 May 2019 00:20:57 GMT

First published on TECHNET on Mar 06, 2017
https://blogs.technet.microsoft.com/nexthop/2016/02/11/on-net-framework-4-6-1-and-skype-for-businesslync-server-compatibility/?preview_id=3412&preview_nonce=db56893bba&_thumbnail_id=-1&preview=true

Cloud Connector Edition Auto Update

Carolyn Blanding (MS TEAMS) — Tue, 21 May 2019 00:20:50 GMT

First published on TECHNET on Feb 23, 2017
Starting with Skype for Business Cloud Connector (Cloud Connector) 1.4.1, we introduced an automated update process: Cloud Connector automatically updates based on the update schedule that administrators have configured for their Cloud Connector Hybrid PSTN Sites.

Auto update handles both Cloud Connector Edition updates, and Windows operating system updates for all Cloud Connector virtual machines and the host appliance.

For details on understanding how auto updates work with Cloud Connector, please our Microsoft Tech Community blog: Understanding Cloud Connector Edition Auto Update .

When a recording is published using Lync or Skype for Business 2015/2016, the quality seems sub-par, deteriorated or jerky

Sri Todi — Tue, 21 May 2019 00:20:42 GMT

First published on TECHNET on Feb 14, 2017
Author: Sri Todi

You record a meeting, so the content can be published internally for later use. After the recording has been completed, a pop-up dialog Box appears from Skype for Business Recording Manager. You chose appropriate options and then select Publish.

When reviewing the published video, you realize that the video quality is sub-par or deteriorated, when compared to the video that participants in the meeting were observing. If your meeting allows for HDVideo, we will allow for video resolution to be upto 720p and upto 30 fps. The content by itself is saved in the same configuration on the local.

The Skype for Business Recording Manager, in-order to optimize the recording ( file size generated) will encode the video from 30 fps to 15 fps, which can cause the rendered video to be choppy/ flaky / in-consistent, depending on the amount of motion in the source video. This was deliberate design, to allow for smaller files that can be saved and published for later use.

Resolution:

Skype for Business Recording Manager has an option to publish the video at 30 fps. This can be done by modifying the registry key called VideoFrameRate from Decimal 0 to Decimal 30 at the following location(s):

For Skype for Business 2016 clients:

\HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Lync\Recording

For Lync 2013 / Skype for Business 2015 clients

\HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Lync\Recording

While this is a great action to perform before the meeting has occurred, the same registry key can also be used AFTER the meeting has been published as well. If a registry key is modified and the video is re-published ( on the same machine, where the original meeting recording occurred and where the video was published), the newly published video will be at 30 fps.

The LCSLog SQL Database is not logging any archiving content

Sri Todi — Tue, 21 May 2019 00:20:35 GMT

First published on TECHNET on Feb 14, 2017
Author: Sri Todi , Microsoft Support Escalation Engineer

When the ExchangeArchivingPolicy (commandlet: Get-csUser) is set to UNINITIALIZED, Skype for Business Server 2015 is designed to first connect to Exchange to verify, if the mailbox has an in-place (or Litigation) hold. If a In-Place (or litigation hold) is active, archiving is done in Exchange, else Archiving is performed on Skype for Business Server 2015 / Lync Server 2013 Archiving Database (DBName: LCSLog).

Cause:

In-order for content logging to occur when ExchangeArchivingPolicy is set to UNINITIALIZED for a user, the following should be set-up correctly

Exchange Auto-Discover ( DNS, Certificates and connectivity from Skype for Business Server 2015 Pools)

OAuth Certificates ( Both in Skype for Business Server 2015 environment and Exchange Server Environment need to have the certificate imported)

Trusted Application Partner Relationship between Exchange Server Environment and Skype for Business Server Environment

References:

Manage server-to-server authentication (OAuth) and partner applications in Skype for Business Server 2015

Assign a server-to-server authentication certificate for Skype for Business Server 2015

Configure Skype for Business Server 2015 in a hybrid environment

Configure an on-premises partner application for Skype for Business Server 2015

Configure OAuth between Skype for Business Server and Exchange Online

Configure a cross-premises environment in Skype for Business Server 2015

When the above mentioned pre-requisites are configured correctly and are working as intended; we will see a successful connection to Exchange, query to ensure that the mailbox doesn't have an in-place hold, then and only then, will the Skype for Business 2015 service determine that the Archiving should be done on a Lync / Skype for Business Archiving Server. If an in-place hold is found on the mailbox, the archiving will be conducted on Exchange Server.

If a connection cannot successfully established then, the connection is retried, until a successful connection is established.

Test-CsExStorageConnectivity can be used to verify successful connection between Exchange and Lync/Skype for Business.

If the configuration wasn't working as intended, say because of an expired certificate or missing configuration, the messages are queued up on each Front-End Server, in the LYSS database (Database Instance LYNCLOCAL), to be committed when a connection to Exchange Server is successful.

Resolution: Ensure that the Pre-requisites are configured correctly

Exchange Auto-Discover ( DNS, Certificates and connectivity from Skype for Business Server 2015 Pools)

OAuth Certificates ( Both in Skype for Business Server 2015 environment and Exchange Server Environment)

Trusted Application Partner Relationship between Exchange Server Environment and Skype for Business Server Environment

Run Test-CsExStorageConnectivity , to verify successful connectivity

Once the connection is successful, for every user Exchange will be queried to verify if an in-place hold exists, and if it does, the messages will be archived in Exchange, otherwise, they will be archived on Lync / Skype for Business Servers

Work-Around:

One work-around is to prevent Exchange from being contacted, and writing all messages directly to the archiving server for Lync/ Skype for Business. In-order to do so, you will have to perform the following

Configure all users with the ExchangeArchivingPolicy to use UseLyncArchivingPolicy. This can be established by running

Get-CsUser | Where-Object {$_.ExchangeArchivingPolicy -ne “UseLyncArchivingPolicy”} |Set-CsUser -ExchangeArchivingPolicy UseLyncArchivingPolicy

Update your User provisioning scripts, to ensure that the ExchangeArchivingPolicy is configured to be UseLyncArchivingPolicy for all new users.

Note : This work-around will cause all newly created archiving content to be sent to Lync/ Skype for Business Server Archiving Server Role.

Since Archiving is a compliance / regulatory requirement, organizations may want all the data, currently in queue to be sent to Archiving Server role in Lync/Skype for Business. In-order to do so, you will have to run a script on every Front-End Server in the environment, to tag, older messages ( messages when ExchangeArchivingPolicy was not set to UseLyncArchivingPolicy).

Before the script is run, please ensure to take Full-Backups of your Skype for Business 2015 Server, and to ensure that you also have taken backups of all your databases ( Front-End, Back-End, Monitoring, Archiving, CMS etc..)

NOTE: Caution should also be exercised , as the script can cause messages from several days ( or even months) that have been queued-up to be committed, thereby increasing, CPU and Disk Utilization both in the Front-End Pool and the Archiving Server. Also since the data will be transmitted over the wire, you can see significantly increased network traffic.

Use Lyss
Go
set nocount on
 
-- do not process archiving data while we reroute
insert AdapterSkip select 'CDE2BACE-F515-444D-A3F1-858A7FC8728F', 'reroute data to legacy archiving', getutcdate() 
where not exists (select top (1) 1 from AdapterSkip where AdapterID = 'CDE2BACE-F515-444D-A3F1-858A7FC8728F')

insert AdapterSkip select '00606210-86E4-41DC-BCD9-0808C0AF1897', 'reroute data to legacy archiving', getutcdate() 
where not exists (select top (1) 1 from AdapterSkip where AdapterID = '00606210-86E4-41DC-BCD9-0808C0AF1897')
 
-- ensure in-flight data completes processing
waitfor delay '0:05:00'
 
-- reroute exchange archiving to legacy
begin try
    begin transaction
 
    update ItemEndpoint set AdapterID = '00606210-86E4-41DC-BCD9-0808C0AF1897'
    where AdapterID = 'CDE2BACE-F515-444D-A3F1-858A7FC8728F'
    print 'ItemEndpoint rows updated: ' + cast(@@ROWCOUNT as varchar)
 
    update ItemQueue set AdapterID = '00606210-86E4-41DC-BCD9-0808C0AF1897'
    where AdapterID = 'CDE2BACE-F515-444D-A3F1-858A7FC8728F'
    print 'ItemQueue rows updated: ' + cast(@@ROWCOUNT as varchar)
 
    print 'reroute succeeded'
    commit
end try
begin catch
    select 'reroute failed', 'Error:', ERROR_NUMBER(), 'Message', ERROR_MESSAGE()
    rollback
end catch
 
-- re-enable archiving processing
delete AdapterSkip where AdapterID in ('00606210-86E4-41DC-BCD9-0808C0AF1897', 'CDE2BACE-F515-444D-A3F1-858A7FC8728F')
go

This script is expected to take atleast 5 minutes per Front-End Server, and should be run on one server in a pool at a time. Once the script execution has completed, you may move to the next server in the pool.

Finally, please wait for the CPU, Disk and Network utilization to come to normal values both on the Front-End Server and Archiving Servers. This can easily be upwards of 4 hours, depending on the amount of days, for which archiving data that needs to be committed. It is recommended, not to add load on the archiving server, especially if it's also your monitoring server, by generating reports.

It is highly recommended that you partner with Microsoft Support when running the script to ensure that they can help you, in-case you experience difficulties.

List CLS Scenario information in Html

Kris Waters — Tue, 21 May 2019 00:20:28 GMT

First published on TECHNET on Jan 14, 2017

When I am trying to troubleshoot a situation in Skype or Lync with the Centralized Logging Service (CLS), one of the biggest challenges is knowing which scenario to use. I found that it was cumbersome to search with the Cmdlets every time I needed to gather logs for something new. Sometimes I would need to check which components a scenario used and their levels and flags and other times I knew a component but not which scenario it was in. So, I wrote a script that would allow me to quickly find either of these things. I am sure you may find more ways to use it than I did.

The way I use it is to create a shortcut on my taskbar to the HTML file. That way the information is easy to access and quick to search. When it is open, I simply press Ctrl + F and start typing what I am looking for.

Let’s look at the Output

Here are a couple of sample shots to see what it will look like:

As you can see, it lists the Scenario Name, Components with each of their Levels and Flags. This will allow you to check to see if the scenario you are running will gather the correct information. If it doesn’t, you can always run my Create-CsClsCustomSceneario.ps1 script found here with the corresponding NextHop blog found here .

How to Use

This one is not too complex. Just run the script with the –OutputFolder parameter and point it to the folder you wish to save the output. If the folder doesn’t exist, it will stop the script.

.\List-CsClsScenariosHtml.ps1 –OutputFolder C:\Temp

Once the script is done, it will launch the browser and open the file.

To start collecting CLS Logging, check out my blog on Collecting CLS Logging easily .

Download

To Download this script, visit the TechNet Gallery

REQUIREMENTS

Windows PowerShell 3.0
Must be run from a Front End server
1. This is needed because the CLS .Net assemblies have to be available and are only available on front end servers (From what I have found)
Lync/Skype on premises administrator with RTCUniversalServerAdmins, CsServerAdministrator, or CsAdministrator rights.
1. This is required by the Lync/Skype Cmdlets to create CLS Scenarios without throwing access errors.
PowerShell opened in “Run as Administrator” mode
1. This is required by the script Cmdlets to gather the correct information without throwing access errors.

Create Custom CLS Logging Scenarios with Ease

NextHop_Team — Tue, 21 May 2019 00:20:03 GMT

First published on TECHNET on Jan 11, 2017

I am continually needing to create custom scenarios for logging components in CLS Logging (Centralized Logging Service). Typically, this is because either the "Canned" Scenarios don't have the combination of components that I need, or they don't have the Flags or Levels that I need. So, I put together a script so that I can create custom scenarios quickly and easily. Since I like to share and I know others run into the same dilemma, I am writing this post for you.

If you need to find a list of scenarios and which components, levels and flags are in each, see my blog on Listing CLS Scenarios in HTML

Now, you might be familiar with the TechNet Cmdlet articles that show what you need or Richard Schwendiman's Article on the subject. I am not trying to take away from any of these. In fact, Richard's article is great and explains things in more detail than I will do here. There isn't any reason to reinvent the wheel.

My main purpose for this article and script is to give you the ability to create a custom scenario quickly and get to logging your problem fast.

This script should help you create a custom scenario by putting some logic and validation into it. It validates that the components that you chose are valid components and found in the default.xml used by the CLS Logging service and also verifies that you don't already have a scenario with this name. Here are examples of this logic:

Invalid Component:

As you can see, these have some misspellings in the component names and that it gives you the option of listing the components so that you can easily correct this.

Scenario Already Exists:

Not only does it show you that this Scenario name already exists, it lists the components in the scenario just in case it has everything you need. It also gives you the syntax to remove the scenario in the event you need to create it again with new parameters.

By Default, the script will create the scenario setting the Level to Verbose and the Flags to All. This may create larger log output files, but are sometimes necessary to get the data you need. It also, by default, creates the scenario in the Global scope. I have a Scope parameter you can pass if you need to create a scenario that is Site specific.

Something else that will come in handy is the ability to run the script with the -ListComponents parameter switch that will list all of the available components for logging. This way, you can go down the list (Like you used to do in the Lync Server Logging Tool) to find the names of the components you need for your scenario.

.\Create-CsClsCustomScenario.ps1 -ListComponents

So, lets jump into creating a custom scenario. One scenario that isn't in the "Canned" scenarios is PersistentChat. So, we will use that as an example. There are 4 PChat Components: ChatCommon, ChatEndpoint, ChatServer, ChatWebService . To create this scenario you would use the following syntax:

.\Create-CsClsCustomScenario.ps1 -Scenario Custom_Pchat -Components ChatCommon,ChatEndpoint,ChatServer,ChatWebService

One thing I want to point out is the scenario name. You can call it whatever you want, but I like to start all of my custom scenarios with Custom_ . I do this so that I can tell the difference between the "Canned" and the Custom scenarios.

The above syntax will create the following output:

You will notice the Yellow line. I put this here to save on confusion. It is said that you need to open a new PowerShell window to use the new scenario. I have found this to be true unless I wait a period of time. I believe this is due to replication and/or the CLS Agent awareness of the new scenario. Regardless, if you want to use the scenario immediately, please open a new PowerShell session.

So that is the way to create a custom scenario with this script.

There are a couple other parameters that are optional in the event that you need to create the scenario in a scope other than global and/or if your default.xml file isn't in the typical locations. (C:\Program Files\Common Files\Skype for Business Server 2015\Tracing [it also checks the similar path for Microsoft Lync Server 2013]). If you installed Lync or Skype server on a different drive or other location, you will have to use the -DefaultComponentFile parameter. You would see something similar to this:

To Correct this, you would use the syntax similar to this:

.\Create-CsClsCustomScenario.ps1 -Scenario Custom_Pchat -Components ChatCommon,ChatEndpoint,ChatServer,ChatWebService -DefaultComponentFile "D:\Program Files\Common Files\Skype for Business Server 2015\Tracing\default.xml"

To use the -Scope parameter, you simply add the Topology Site name. In my lab, it is MainSite . I don't recommend using the scope parameter unless you need to. Most scenarios run best under the Global scope. Here is the syntax for Scope:

.\Create-CsClsCustomScenario.ps1 -Scenario Custom_Pchat -Components ChatCommon,ChatEndpoint,ChatServer,ChatWebService -Scope MainSite

Once you create a custom scenario, check out my blog on gathering logs easily

I really hope this script helps you. Enjoy.

DOWNLOAD

To download this script, visit the TechNet Gallery

REQUIREMENTS

Windows PowerShell 3.0
Must be run from a Front End server
1. This is needed because the CLS .Net assemblies have to be available and are only available on front end servers (From what I have found)
Lync/Skype on premesis administator with RTCUniversalServerAdmins, CsServerAdministrator, or CsAdministrator rights.
1. This is required by the Lync/Skype Cmdlets to create CLS Scenarios without throwing access errors.
PowerShell opened in "Run as Administrator" mode
1. This is required by the script Cmdlets to gather the correct information without throwing access errors.

Collect CLS Logging for Lync Server 2013 and Skype for Business 2015 in PowerShell

NextHop_Team — Tue, 21 May 2019 00:19:20 GMT

First published on TECHNET on Jan 11, 2017

Here I am again with another Script. This time I have tried to simplify the log collection with via PowerShell. It allows you to leverage the power of CLS logging without having to install the Debugging Tools for either Lync or Skype for Business. Also, it simplifies the complex Cmdlet by only requiring 3 switches. Scenario, Pools, OutputFolderPath.

The nice thing about this is that you don't have to remember what time you started and stopped the logging and how to get the output. Sometimes the Search-CsClsLogging cmdlet is confusing. What LogLevel, do I MatchAll or MatchAny, etc. The script uses the basic settings to get the data you need. Now, I will say that this script doesn't handle all of the possibilities of gathering CLS Logging, but it will allow you to get logging against a pool or multiple pools for a scenario easier than running the cmdlets manually.

Well, Lets get to it.

Let us say that you need to get some SIP logging to find out why a federated partner cannot get your IMs. For this I would use the ImAndPresence scenario. (If you need to find the correct scenario, see my blog on Listing CLS Scenarios in HTML . If you need a custom scenario, see my blog on Creating Custom CLS Scenarios . ) This scenario gets the SipStack and UserServices component. Then we need to think about the environment. I will presume you know which pool the user homed on that is having the issue. For this example, I will use KI-Sfb-FE's FQDN and the KI-Edge FQDN since my test user is homed on this FE and will go through this Edge for federation.

The syntax that I would use is:

.\Collect-CsClsLogging.ps1 -Scenario ImAndPresence -Pools ki-sfb-fe.kaosupport.info,ki-edge.kaosupport.info -OutputFolderPath c:\temp

If the OutputFolderPath doesn't exist, it will ask you if you wish to create the path or not.

If you choose "No" then the script will stop, so I am going presume that you selected "Yes"

Next, it will contact the agents to start the logging and notify you when you you can start to Repro your issue. (Note: The screenshots I am showing you are from Skype for Business PowerShell. Lync 2013 PowerShell will be slightly Different.)

So LyncTest1@kaosupport.info tries to send an IM to the federated contact...wait for the failure to show in the client (or what ever error you are trying to repro). When the Repro is complete, hit the enter key in the PowerShell window to stop the logging and create the output file.

Note the path and filename. When you browse out to that folder, if you have Snooper installed, you simply have to double click on the file to start your analysis. Or, you can upload the files to your support engineer for them to analyze the data, but as far as gathering the logs, that is it.

The nice part about this is if you have to repro this several times because something went wrong, you can just hit the up arrow in PowerShell and re-run the script and it will adjust the start and stop times automatically. This way, you know you captured the data for the correct time frame without going over or under.

DOWNLOAD

To download this script, click here .

REQUIREMENTS:

Windows PowerShell 3.0
Must be run from a Front End server
1. This is needed because the CLS .Net assemblies have to be available and are only available on front end servers (From what I have found)
Lync/Skype on premises administrator with RTCUniversalServerAdmins, CsServerAdministrator, or CsAdministrator rights.
1. This is required by the Lync/Skype Cmdlets to collect CLS Scenarios without throwing access errors.
PowerShell opened in "Run as Administrator" mode
1. This is required by the script Cmdlets to gather the correct information without throwing access errors.

Collecting Client Logs for Lync 2013, Skype for Business 2015, & Skype for Business 2016

NextHop_Team — Tue, 21 May 2019 00:18:45 GMT

First published on TECHNET on Jan 11, 2017
Many times in my support role here at Microsoft, I write out the steps for customers to collect Lync or Skype Client logs. I thought that writing a script might make it easier. Here is a sample script that I like to use.

To download the sample script, visit the TechNet Gallery and save it to your desktop or some other familiar location

Once you have downloaded the script, right click on the script and select "Run with PowerShell".

NOTE : You may get a prompt similar to this in PowerShell. If you still wish to run the script, type 'Y' and hit enter:

The first thing the script does is warn you that this data will have personally identifiable information or PII and that you should only transfer over a secure manner. Email is not a secure way of transferring data 100% of the time. This is because not all email servers communicate with TLS or SSL. All it takes is one SMTP relay server in the route to strip the encryption off and now someone can read your data. This is why I show the warning and verify that you understand.

Next, the script checks which version is installed on the client computer so that it can identify the location of the Tracing folder. Since Lync and Skype are bundled with Microsoft Office, this location will change with the different versions.

Office 2013 Lync Tracing Folder: %userprofile%\AppData\Local\Microsoft\Office\ 15.0 \Lync\Tracing
Office 2016 Skype Tracing Folder: %userprofile%\AppData\Local\Microsoft\Office\ 16.0 \Lync\Tracing

Then it checks to see if the client is still running. I do this because if the client is running, some of the tracing files will be locked and will not get collected. You cannot proceed until the client is closed.

Once the client is closed, hit any key to continue. It will check to see if the Lync.exe process is still running and warn you again if it is.

Now the Tracing folder is Zipped an placed on the desktop with a file named Tracing_MM-DD-YYYY_HH.MM.SS.zip. This is the file that you will securely upload to your support engineer.

Next you will be prompted on whether or not you want to re-open the client. Press Y if you do, any other key will simply stop the script.

And that is it. I hope this saves you time when collecting logs for analysis.

Update to Meeting Invites

NextHop_Team — Tue, 21 May 2019 00:17:46 GMT

First published on TECHNET on Dec 15, 2016
Please visit the TechCommunity to learn more about these exciting new updates to Meeting Invites!

Thanks!

Meeting Migration Service and training now available!

NextHop_Team — Tue, 21 May 2019 00:17:39 GMT

First published on TECHNET on Dec 06, 2016
Please visit the Microsoft Tech Community to learn more about the new Meeting Migration Service (MMS).

"Meeting Migration Service automatically sends meeting updates to all meeting invitees when an admin moves the user who is hosting the meeting from on-premises to online or when those users are enabled for Cloud PSTN Conferencing. The new service removes the need for users to run the Meeting Migration tool locally to send meeting updates for all future meetings."

Visit the Skype Operations Framework & Skype Academy Community site to learn more!

Introducing Microsoft Teams - the chat-based workspace in Office 365!

NextHop_Team — Tue, 21 May 2019 00:17:31 GMT

First published on TECHNET on Nov 02, 2016
Please check out the official announcement for the new Microsoft Teams over at blogs.office.com !

Troubleshooting individual calls in Skype for Business Online

NextHop_Team — Tue, 21 May 2019 00:17:25 GMT

First published on TECHNET on Oct 31, 2016

Author: Martin Rinas – Sr. Customer Engineering Architect, Microsoft

I received an email recently ‘Hey Martin, I wanted to call Bob on his mobile phone from Skype for Business this morning. The call didn’t complete, gave me an error. I was at my hotel at that point in time, can you tell me why this call didn’t go through? I’m travelling right now with no coverage, love to hear from you what was going on. Thanks, Joe.’ So far so good, now I need to explain that Joe is the CIO of that company and wanted to call Bob, the CEO. He’s travelling so I won’t be able to get any further details from him, nor will I have access to his machine to get any client-side logs for troubleshooting. It would be just too easy to go to the EventLog of that machine and find an event Source=Lync, EventID=11 highlighting the exact reason. * (see end of blog post)

To start troubleshooting I need logfiles to understand what is going on. I have no chance to get client-side logs as I cannot contact him, what about server-side logs? In an on-premises environment we could leverage the Centralized Logging Service (CLS) to retrieve call details from the Always On scenario. Remember, this scenario is designed to run always so that you access to the log files after an issue occurred without the need to reproduce the scenario. See https://technet.microsoft.com/en-us/library/jj687958.aspx for more details on this.

Joe is hosted online leveraging Cloud Connector Edition for PSTN connectivity, so CLS logger won’t help here. But there’s something similar that I can do, I can retrieve logs from the service by leveraging the Get-CsUserSession cmdlet.

Let’s see what I have, I know the user (Joe) and the time (this morning) and I am a Skype for Business admin in that tenant, that’s all I need.

Collect Sessions

To collect logs, I need to start a PowerShell and connect to the tenant. This article has all the details if you haven’t seen this already: https://technet.microsoft.com/library/dn362831.aspx

$creds = Get-Credential

$s = New-CsOnlineSession -Credential $creds

Import-PSSession $s -AllowClobber

I can now run the Get-CsUserSession cmdlet to retrieve Joe’s logs from this morning:

get-csusersession -User joe@my-uclab.de -StartTime (Get-Date).AddHours(-4)

Instead of specifying a specific date I used the Get-Date cmdlet and subtracted four hours as Joe’s failed call is less than four hours ago. I did not specify the -EndTime parameter to limit the amount of data further.
This cmdlet returns SIP signaling that Joe initiated:

Analyse Session

Now that is great but a pretty long list. So let’s store everything in a variable for easier processing.

$sessions = get-csusersession -User joe@my-uclab.de -StartTime (Get-Date).AddHours(-4)

To find the event I am interested in I need to find the call that Joe was trying to start. To do so, I use the MediaTypesDescription Parameter. Let’s see what MediaTypes are available for my set of logs:

$sessions.MediaTypesDescription

Joe reported that he wanted to place an audio call, so let’s get details for the audio call:

$sessions | where {$_.MediaTypesDescription -eq "[Audio]"}

Okay, that’s better. I can see that Joe tried to place a call to +49 151 4406 3xxx. But I don’t know why this call failed, so let’s check the ErrorReports for details:

$sessions | where {$_.MediaTypesDescription -eq "[Audio]"} | select -ExpandProperty ErrorReports

Okay, so the call was in process but the Gateway responded with a 403 forbidden. After checking the gateway configuration associated to his Cloud Connector Edition it turns out that outbound call routing wasn’t setup correctly to support the number associated with Germany (+49). After fixing this configuration issue Joe, can place outbound calls to Germany.

Other things you can do with Get-CsUserSession

The other interesting thing is that this also allows you to access the QoEReport (aka VQReport) that is sent after every call, just find the QoEReport property of a completed audio call. This is useful in a scenario where you need to troubleshoot quality or call reliability issues for a specific user.

Things to be aware of

The Get-CsUserSession cmdlet is very powerful to troubleshoot issues of an individual user. Some PII data (like phone numbers in this example) is masked and you can only query for data of a single user at any point in time. But this cmdlet does expose quite sensitive information, therefore only Skype for Business admins have access to this cmdlet. Very like access to CLS or CDR/QoE database access for an on-premises environment.

There’s only a short lag of usually less than 5 minutes before the data is available and data is available for up to 365 days (starting from August 2016 onwards).

Where can I find more?

Please see the Skype Operations Framework website for this and more information on troubleshooting and practical guidance for successful deployments all together. https://www.skypeoperationsframework.com/Offers/?pageState=Supportthesolution

Get-CsUserSession on Technet: https://technet.microsoft.com/library/mt715516.aspx

*Shortcut

Here’s the shortcut if I had access to Joe’s machine with ‘Also collect troubleshooting info using Windows Event Logging’ being turned on in the Skype for Business General settings. Please note that Joe has a PC with German language installed, but as you can see the error message itself is still English.

This readiness content is presented by Skype Academy www.skypeoperationsframework.com/academy

Information Regarding all versions of the Lync Hosting Pack

NextHop_Team — Tue, 21 May 2019 00:16:20 GMT

First published on TECHNET on Oct 20, 2016

Microsoft is no longer onboarding new customers for any version of the Lync Hosting Pack. Customers are encouraged to look at the Office 365 Multi-tenant offering as an alternative.

For existing versions of the Lync Hosting Pack, support information is as follows:

Lync Hosting Pack for Lync Server 2010 is OUT of mainstream support, as the mainstream support end date for Lync Server 2010 is 4/12/2016

Existing customers of Lync Hosting Pack for Lync Server 2013 are supported until Lync Server 2013 mainstream support EOL (end of life), which is currently scheduled for 4/10/2018

Customers and Partners can no longer add hosting providers to the list of approved hosting providers in o365. If you have a previously approved hosting provider, additional domains can still be added.

Validate your Lync Server 2013 or Skype for Business 2015 Hybrid Configuration

NextHop_Team — Tue, 21 May 2019 00:16:12 GMT

First published on TECHNET on Sep 27, 2016

Ever wondered if your Skype for Business 2015 or Lync Server 2013 Hybrid Configuration is setup properly? Tony Quintanilla and I have developed a script to help customers troubleshoot their hybrid environments. While the script can diagnose every problem, this one does touch on the main problems that are seen by Microsoft Skype for Business Support Engineers. We hope this script will save you time when trying to troubleshoot issues with your hybrid environment and look forward to hearing your feedback!

NOTE

Special Thanks to TonyQ for coming up with the concept and initial design of this script.  I simply took what he had and added some additional logic and reporting.  This was truly a collaborative effort.  I could not have done it on my own

First things First. You need to meet the following criteria in order to run the script :

Prerequisites and requirements:

Needs to have Skype Online Connector installed
- https://www.microsoft.com/en-us/download/details.aspx?id=39366
  - Installing this module will not require a reboot, but will require you to open a new PowerShell window after install.
User needs to be a member of the RTCUniversalServerAdmins, CsServerAdministrator, or CsHelpdesk domain group
- This is required by the Lync/Skype Cmdlets to gather the correct information without throwing access errors.
User needs tenant admin credentials that have permissions to administer Skype for Business Online
- This is needed to allow access to the Skype for Business Online session
TCP Port 5985 needs to be open from the Front End server to the Federated Edge servers for remote PowerShell
- Remote PowerShell needs to be enabled on the Federated Edge Servers
  - Windows Server 2012 and 2012 R2 is already enabled by default
  - Windows Server 2008 R2 will require enabling PSRemoting: https://technet.microsoft.com/en-us/library/hh849694.aspx
The script needs to be run in a PowerShell window opened as an Administrator
- This is required by the script Cmdlets to gather the correct information without throwing access errors.
Internet Access to allow the Online Connector to sign into the Remote PowerShell Session.
Active Directory PowerShell Module ( RSAT-ADDS Feature )
- This is required on a Front End server, but if you run this from another computer with the Lync/Skype admin tools, you will have to add this feature so that it can verify group membership for the Admin running the script.
PowerShell 3.0+

If you meet all of these requirements then let’s get going!. Here is a list of the items the script checks:

On-Prem Settings
- Sip Hosting Provider
  - ProxyFqdn
  - Enabled
  - VerificationLevel
  - SharedAddressSpace
  - AutodiscoverURL
- Exchange Hosting Provider (UM)
  - ProxyFqdn
  - Enabled
  - SharedAddressSpace
- Access Edge Configuration
  - AllowedFederatedUsers
  - RoutingMethod
- Federated Edge
  - CMS Replication State
  - External Certificate SANs
  - SRV Records for _sipfederationtls._tcp.domain.com and returning A Record
    - Validates Strict DNS for SRV records
  - HOSTS file for Next Hop inbound server(s)
Online Settings
- AllowFederatedUsers
- SharedSipAddressSpace
Compare On-Prem and Online Settings
- Open/Closed Federation
- Allowed/Blocked Domains

Download the script here:

https://gallery.technet.microsoft.com/Validate-your-Lync-Server-017ed501

NOTE: The output files will be saved in the folder they run the script from, so make sure to change to a folder that has rights to.  If your PowerShell opens in C:\Windows\System32, it will save the files to your profile’s Documents folder.

When you execute: Validate-CsHybridConfiguration.ps1 you will be prompted for the Tenant credentials and the Edge Credentials. Here is the expected output:

As you can see in the above output, the last two lines show you the path to the output files. One is the log file that simply shows you the same items that are in the screenshot and the second is an HTML report that will show you Pass/Fail information for the given checks.

Available Script Parameters:

OverrideAdminDomain [Optional]
Use the parameter to pass the onmicrosoft.com tenant domain if you are signing in with your vanity domain
i.e. ContosoTentant.onmicrosoft.com when signing in with cloudadmin@contoso.com

DomainController [Optional]
Use this parameter if the RTCUniversalServerAdmins group is in a different domain than the domain the Front End server is located

BypassAdminGroupCheck [Optional]
Use this switch to skip the RTCUniversalServerAdmins group check. ONLY use this if you have already validated membership and
you continue to get a failure on the group check. If you use this bypass and you don't have the proper rights, you will get
unknown error responses throughout the running of the script.

Examples:

Standard execution:

.\Validate-CsHybridConfiguration.ps1

Using the OverrideAdminDomain which allows you to use your vanity domain credentials instead of having to use an Onmicrosoft.com login.

.\Validate-CsHybridConfiguration.ps1 -OverrideAdminDomain ContosoTentant.onmicrosoft.com

Using the DomainController gives you the ability to tell the script which domain the RTCUniversalServerAdmins group is located in comparison to which domain you are running the script from. This happens when your Front End servers are in a different domain than your RTC Groups.

.\Validate-CsHybridConfiguration.ps1 -DomainController DC.contoso.com

Using the BypassAdminGroupCheck should only be used if DomainController parameter fails and you MANUALLY validated the membership in the RTCUniversalServerAdmins group.

.\Validate-CsHybridConfiguration.ps1 –BypassAdminGroupCheck

We hope this helps you in troubleshooting your Skype or Lync Hybrid Configuration

Your feedback is welcome

CHANGE LOG:

09/25/2016 Original script
09/26/2016 Added SRV Lookup information to the log and report
09/28/2016 Added the ability for the Domain Allowed Lists for On-Premises and Online to be empty
09/29/2016 Added some failure count logic in the Get Credential Functions and Gathering of System and IE proxy values
09/29/2016 Added CMS replication fail note to HTML Report
10/06/2016 Check to see if you are in the System32 directory and change to Userprofile\Documents if you are
10/06/2016 Added the AutodiscoverURL NOTE if you AutodiscoverURL for the LyncOnline Hosting provider fails
10/06/2016 Added the ability to use the -OverrideAdminDomain switch for logging into the tenant.
10/06/2016 Changed the methodology of the RTCUniversalServerAdmins group validation to handle Multi Domains
10/14/2016 Added the check to see if PowerShell is running in the context of an Administrator
10/14/2016 Changed the method of prompting for credentials to keep the credential information more secure
10/19/2016 Added VerificationLevel Validation for the Lync Online Hosting Provider
10/31/2013 Added logic to handle the inability to validate the RTCUniversalServerAdmins group by trying one of the Cmdlets
10/31/2013 Removed the need to be run from a Front-End server
11/13/2016 Added Edge HOSTS file entry checking
11/13/2016 Fixed SRV Lookup reporting for more than one Edge Pool
12/08/2016 Added Strict DNS Checking and added warning messages if it fails.
01/25/2017 Added BypassAdminGroupCheck switch

Disclaimer -

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Time to upgrade your Cloud Connector Editions (for the last time!)

NextHop_Team — Tue, 21 May 2019 00:15:44 GMT

First published on TECHNET on Aug 31, 2016
AUTHOR: Jamie Stark - Microsoft

Skype for Business Cloud Connector Edition has been one of the most exciting new products we've released in the last year, and that's saying quite a lot considering the work we have done - from PSTN Conferencing and Calling to Broadcast Meetings and Mobile. As a reminder, Cloud Connector Edition provides a simple, streamlined way for Office 365 customers to connect their existing telephony environment with Skype for Business Cloud PBX. This allows Cloud PBX to send and receive calls using the customer's existing circuit, carrier and contract anywhere in the world.

We've already done a few articles on NextHop about Cloud Connector Edition - from the initial announcement to detailed papers on configuration and interoperability - there's even a video broadcast you can check out from our bi-weekly series to hear more about it.   The best way to think about Cloud Connector Edition is as a piece of the Skype for Business Online service that just happens to be operating on your premises. And in the same way we keep the cloud always up to date with the latest features, security updates and quality improvements, we are committed to doing the same with Cloud Connector Edition on-premises.

That's why the latest release of Cloud Connector is so important, because it brings automated updates and high availability improvements to the product.   The automated updates will pull down software from the cloud for both the operating system and the core Skype applications, drain all the current calls and then refresh the appliance with the latest software. We do this by building a new set of updated virtual machines in the background while the appliance is running, then when complete and drained of all active traffic move the traffic from the previous VM to the new set.

Just like the rest of the Office 365 environment, all of this happens automatically, without any intervention from the tenant administrator. To ensure reliability and compatibility, we specifically test cloud updates against the current Cloud Connector Edition as well as testing the current Skype for Business Online components against proposed updates to Cloud Connector Edition. The only piece the tenant administrator needs to worry about is setting up the optimal timing for performing the upgrade. Finally, because the prior set of virtual machines are still present on the system, if anything goes wrong during the upgrade that software is still available to handle calls.

So if you already have Cloud Connector Edition operating in your Office 365 environment, now is the time to upgrade!   If you do not upgrade to our auto-update Cloud Connector Edition, it is possible that updates to the cloud part of the service may cause issues with down-level Cloud Connector Edition deployments at some point in the future. The directions to update from either the 1.3.4 or the 1.3.8 versions are located here . Just think, this is the last time you'll have to upgrade the environment!

For those of you who haven't tried out Cloud Connector Edition with Cloud PBX in Office 365, now is the time. You can get started by downloading Cloud Connector Edition at http://aka.ms/getCCE .

Thanks!!

Jamie Stark

@Nomorephones

Lync Server Application Pool on 2013 FE's Crashes- Why?

NextHop_Team — Tue, 21 May 2019 00:15:36 GMT

First published on TECHNET on Aug 30, 2016

by Steve Schiemann , UC Escalation Engineer – Microsoft

Reviewed by - Jason Epperly, Windows Escalation Engineer, Microsoft

Introduction

I am a Skype for Business Escalation Engineer. This means that I see some of the most interesting problems reported by customers. This is one of those issues that I just HAD to write about, because of the odd twists and turns encountered on the way to producing a fix. This is a high-level view of the issue, in that many technical details were left out. But I hope it leads to a better understanding of how a bug actually gets fixed through our internal processes, and why at times, it may seem like progress is not as fast as we (or customers) would like.

Scenario

One of Microsoft’s Premier customers created a support case, because several of the application pools on multiple Lync 2013 Front End Servers would crash several times per week, thus impacting service to end users. These affected processes included the DataMCUSvc, IMMCUSvc, ASMCUSvc, and also (less frequently) RtcHost.exe.

Data

The customer saw an event IDs 1000 and 1026 in quick succession in the application log, for example:

Time: 12/15/2015 2:13:57 AM

ID: 1000

Level: Error

Source: Application Error

Machine: Servername.domain.com

Message: Faulting application name: DataMCUSvc.exe, version: 5.0.8308.0, time stamp: 0x5050e3de

Faulting module name: mscorlib.ni.dll, version: 4.0.30319.36331, time stamp: 0x561e0e38

Exception code: 0xc0000005

Fault offset: 0x00000000005450d4

Faulting process id: 0x23d8

Faulting application start time: 0x01d1367cd6e190fb

Faulting application path: D:\Program Files\Microsoft Lync Server 2013\Web Conferencing\DataMCUSvc.exe

Faulting module path: C:\WINDOWS\assembly\NativeImages_v4.0.30319_64\mscorlib\322be87054b632752961a02ac84a27c7\mscorlib.ni.dll

Report Id: c99ad6ad-a303-11e5-80f9-005056a309a8

Time: 12/15/2015 2:13:57 AM

ID: 1026

Level: Error

Source: .NET Runtime

Machine: Servername.domain.com

Message: Application: DataMCUSvc.exe

Framework Version: v4.0.30319

Description: The process was terminated due to an unhandled exception.

Exception Info: System.NullReferenceException

Stack:

at System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

User-mode memory dumps were also sent in, from the crashing processes. We had to use special syntax with procdump , to get the context of the crashes:

procdump -ma -e 1 -f NullReferenceException -accepteula DataMCUSvc.exe

This syntax allowed us to capture the dump at the time of the first-chance NullReferenceException, which correlates to the “Exception Info” from the event ID 1026.

Analysis and First-Chance Exception (mine)

I’m not going to go deeply into the analysis of the memory dumps, but here is the faulting call stack:

0:027> kcn

# Call Site

00 ntdll!ZwWaitForSingleObject

01 KERNELBASE!WaitForSingleObjectEx

02 clr!CLREventWaitHelper2

03 clr!CLREventWaitHelper

04 clr!CLREventBase::WaitEx

05 clr!Thread::WaitSuspendEventsHelper

06 clr!Thread::WaitSuspendEvents

07 clr!Thread::RareEnablePreemptiveGC

08 clr!Thread::EnablePreemptiveGC

09 clr!Thread::RareDisablePreemptiveGC

0a clr!Thread::DisablePreemptiveGC

0b clr!EEDbgInterfaceImpl::DisablePreemptiveGC

0c clr!GCHolderEEInterface<0,1,1>::LeaveInternal

0d clr!GCHolderEEInterface<0,1,1>::{dtor}

0e clr!Debugger::SendExceptionHelperAndBlock

0f clr!Debugger::SendExceptionEventsWorker

10 clr!Debugger::SendException

11 clr!Debugger::FirstChanceManagedException

12 clr!EEToDebuggerExceptionInterfaceWrapper::FirstChanceManagedException

13 clr!ExceptionTracker::ProcessManagedCallFrame

14 clr!ExceptionTracker::ProcessOSExceptionNotification

15 clr!ProcessCLRException

16 ntdll!RtlpExecuteHandlerForException

17 ntdll!RtlDispatchException

18 ntdll!KiUserExceptionDispatch

19 KERNELBASE!RaiseException

1a clr!NakedThrowHelper2

1b clr!NakedThrowHelper_RspAligned

1c clr!zzz_AsmCodeRange_End

1d mscorlib_ni!System.Threading._IOCompletionCallback.PerformIOCompletionCallback(UInt32, UInt32, System.Threading.NativeOverlapped*)

1e clr!CallDescrWorkerInternal

1f clr!CallDescrWorkerWithHandler

20 clr!DispatchCallSimple

21 clr!BindIoCompletionCallBack_Worker

22 clr!ManagedThreadBase_DispatchInner

23 clr!ManagedThreadBase_DispatchMiddle

24 clr!ManagedThreadBase_DispatchOuter

25 clr!ManagedThreadBase_FullTransitionWithAD

26 clr!ManagedThreadBase::ThreadPool

27 clr!BindIoCompletionCallbackStubEx

28 clr!BindIoCompletionCallbackStub

29 clr!ThreadpoolMgr::CompletionPortThreadStart

2a clr!Thread::intermediateThreadProc

2b kernel32!BaseThreadInitThunk

2c ntdll!RtlUserThreadStart

Based on dump analysis, the root cause was far from clear, but it seemed that the problem was with the Common Language Runtime (CLR). There isn’t even a Lync Server module present in this stack! The issue continued even after the customer updated to the latest .NET patches. I mean, the event IDs above pointed to a .NET problem. I could also see an error code associated with the first chance exception: E0434F4DSystem.NullReferenceException

Looking this error code up with err.exe :

0x80131506 (2148734214): COR_E_EXECUTIONENGINE - corerror.h: An internal error happened in the Common Language Runtime's Execution Engine

OK, this is a .NET bug! Microsoft Customer Service and Support (CSS) has specialists for just about every product we produce, so I engaged the .NET team for input. Now I can just let them do the heavy lifting and fix their component! Wrong.

The .Net team found no issue with their product. As a matter of fact, they said that this was clearly a Lync Server issue. Lync Server code has not properly synchronized the access to the OVERLAP structure, perhaps double-freeing the NativeOverlapped object. Nothing to see here, move along. Rats!

Next Step

After extensive debugging by myself and the .NET team, there was still no clear cause for the crashes, and no resolution for the customer. So, I engaged the Skype for Business (SfB, formerly Lync) product group (PG) by opening a bug. I stated the symptoms, analysis done so far by all parties, and the .NET team’s suspicions that this was not their problem, but ours.

Fortunately, one of our excellent SfB developers had spent some time developing/debugging core Windows applications. He was able to identify the issue, even without a kernel dump. He had seen it before with a different Lync Server issue . In that case, the PG was able to code around the problem even though it was not truly a Skype for Business problem. With these app pool crashes, the fix had to come from the source component, which was NOT part of Lync Server code.

Root Cause at Last!

This was a Windows problem, that bubbled up through .NET and hit Lync Servers. Short story, the Windows I/O Manager, starting with Vista, has the ability to use thread agnostic I/O . This means that the original thread which issued the I/O no longer has to be present when the I/O it issues completes. In our case, the FO_QUEUE_IRP_TO_THREAD flag on the FILE_OBJECT structure effectively disables this feature, and queues the I/O Request Packet (IRP) to the issuing thread. The status code returned to the issuing thread by CloseHandle was incorrect; the code returned was STATUS_BUFFER_OVERFLOW, rather than STATUS_PENDING. This caused processes on Lync Servers to see unexpected double completions, which resulted in the crashes.

The Road to Releasing a Fix

So, now that the root cause was understood, it was time to engage our Windows support team, and ask them to open a bug with THEIR product group, and get this fixed. I did this, and based on the strong Business Impact Statement (BIS) from my customer, and the fact that several more cases had been opened for this issue, a bug was filed, and the Windows PG agreed to fix this. Yay! Not so fast…first, the problem was also in the next Windows Server version (2016), that wasn’t even released yet. The fix had to be “baked” or tested in our internal labs on Server 2016 for several weeks, and if all went well, backported to Server 2012 R2. The Lync 2013 Server crash cases that had come in were all running this version.

Unfortunately, the first version of the fix did not fully resolve the issue, so the stress tests on Server 2016 had to be restarted, and run again. This time, there was no issue with the fix, and it was backported to Server 2012 R2.

Finding the Fix

It is within this rollup:

3179574 August 2016 update rollup for Windows RT 8.1, Windows 8.1, and Windows Server 2012 R2

http://support.microsoft.com/kb/3179574/EN-US

You can verify that it is installed by looking for KB3179574 in add/remove programs. There is no individual KB for the issue at this time, but it is listed as one of the fixes in the rollup see below.

At Last

The whole process, from the opening the first case, to the release of a public fix, took almost a year. During this time, several support teams and product groups were involved, customers went on vacation, private versions of the fix were tested by various customers, and internal tests failed. But finally, a solid fix is publicly available and this problem should not be seen anymore. We strive daily to make our products better, and need to improve our processes so that customers see resolution to similar issues more quickly. I hope this article gives some insight as to what goes on when a code change is needed in a product- sometimes the product that exhibits the symptom is not really at fault.

Why did this problem affect Lync 2013 Front-End (FE) servers exclusively? Well, these FE servers use the .NET HTTP Listener API to asynchronously retrieve a client certificate. Our certificates tend to be rather large, and do not fit into the default buffer. This results in the asynchronous completion returning STATUS_BUFFER_OVERFLOW. When STATUS_BUFFER_OVERFLOW is returned to the caller, it expects no asynchronous completion. The fix was to return STATUS_PENDING instead.

Configure Toll-free Numbers for Dial-In Conferencing in Office365

NextHop_Team — Tue, 21 May 2019 00:15:11 GMT

First published on TECHNET on Jul 11, 2016

Microsoft’s Matt Soseman has just published a post on this topic. You can check it out here .

Online Meeting Icon Missing from OWA in Exchange Online

NextHop_Team — Tue, 21 May 2019 00:15:03 GMT

First published on TECHNET on Jun 08, 2016

Do you have a missing OWA IM and Scheduling Online Meeting button for your Online Exchange users? This article will help explain why and how to fix this.

Environment

Exchange Online and Skype for Business or Lync Server On Prem or Hybrid

Pre Recs

Power shell modules for MSOL or Windows Azure Active Directory (which ever you use for DirSync), Skype for Business Online and Skype On PREM ADMIN access.

You need to be an admin on prem (RTCUniversal server admins or CSAdmins ) and in the cloud for Skype as well as a Global Admin for your 365 portal.

Software

· "Skype for Business Server 2015, Front End Server" or "Microsoft Lync Server 2013, Front End Server"

· "Microsoft Online Services Sign-in Assistant” - http://go.microsoft.com/fwlink/?LinkID=286152

· "Skype for Business Online, Windows PowerShell Module” - https://www.microsoft.com/en-us/download/details.aspx?id=39366

· Windows Azure Active Directory Module for Windows PowerShell (64-bit version) Windows Azure Active Directory Module for Windows PowerShell (64-bit version)

Find the OAuthCert

To find your Oauth cert run the Skype for Business or Lync Server 2013 Deployment wizard.

Choose Install or Update Skype for Business Server

Choose Step 3 to Request, Install, Assign Certs .

In the pop up choose the OAuthTokenIssuer and the View

You can then see the cert details by click View Certificate Details in the Next pop up.

It should look like below but with your specific Cert Info.

Once you are viewing the certificates please go under details and get the serial number in case you have multiple certs.

Alternatively, you can find your OAuthwith the following:

Get-CsCertificate -Type OAuthTokenIssuer

Next we will export OAuth cert.

Open up an MMC and chose File > Add/Remove Snap-in

In the pop up you will Choose Certificates in the left pane, then click Add in the pop up choose Computer Account

From Here we need to Open Personal > Certificates to find the correct cert. You remembered to get the serial number didn’t you? Open the cert and click on Details and verify the correct cert to export.

Do not export the private key when asked.

Der encoded one is the one we want to export.

Save the export to some place handy.

Importing Modules and Session Connection

NOTE: Please see the Script Center for a script that contains most of these script examples

Open up Windows PowerShell and Run as Administrator and import the following:

· Import-Module msonline

· Import-Module SkypeOnlineConnector

· Import-Module SkypeForBusiness

· Get-Module

For getting the session connected we will need creds.

$cred = Get-Credential

And to connect the session:

$SkypeSession = New-CsOnlineSession -Credential $cred

It is important that you see the name tmp_ and the commands for CsOnline like the above screen shot or you have not a session to Online.

To test we will get your TenantID and make sure to save it off.

Get-CsTenant |FL TenantID

Checking the OAuthServer and PartnerApplication settings

You might not have any old data if this is your first time setting this up. So if these cmdlets come back with nothing, you are good to continue. We will need to check though to remove stale data.

Check for older entries with the following Cmdlet

Get-CsOAuthServer

If it comes back with something we will remove it or if it is black, we can continue.

Remove-CsOAuthServer -Identity <Old OAuthServer identity>

Next we verify if there is already Partner Application setup. If black, we continue, or we will need to remove the old Exchange Partner App.

Get-CsPartnerApplication

Remove-CsPartnerApplication – Identity <Old Exchange Partner App identity>

Creating a new OAuthServer

You need your Tenant ID from above to continue with these next few stesp.

Create a new OAuthServer with the following cmdlet. This is setting up the security token server so applications can talk with one another securely.

New-CsOAuthServer -Identity microsoft.sts -metadataurl "https://accounts.accesscontrol.windows.net/ 2ce7b4b7-YOUR-IDxx-HERE-acc14128eb43/ metadata/json/1"

Replace the highlighted with your Tenant ID.

Non truncated Result:

You know this is correct when you see the Realm match your TenantID

Creating a new Partner Application

We will be creating a partner application to Exchange Online for Skype for Business to exchange security tokens, without having to exchange those tokens by using a 3 ^rd party token server (i.e. Exchange and Skype for business will trust each other.)

New-CsPartnerApplication -Identity Microsoft.exchange -ApplicationIdentifier 00000002-0000-0ff1-ce00-000000000000 -ApplicationTrustLevel Full –UseOauthServer

Now Assign the Configuration for the application

Set-CsOAuthConfiguration -ServiceName 00000004-0000-0ff1-ce00-000000000000

Verify the Configuration

Get-CsOAuthConfiguration

Setup Online Side

Up to now we have found and exported our On Prem OAuth Cert, Created the OAuth Server On Prem, and the Partner Application on prem. The next step is to connect online and provide the cert to the Online services and connect them.

The two services we are going to allow to talk to each other

These are the Lync/Skype and the Exchange Service principles we need talking to each other to get this working.

Get-MsolServicePrincipal -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000

Get-MsolServicePrincipal -AppPrincipalId 00000002-0000-0ff1-ce00-000000000000

In order to do this, we need to get the OAuthCert applied and set.

Create certificate variable and assign it.

$certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate

$certificate.Import("C:\LyncTemp\xlync_oauth.cer")

$binaryValue = $certificate.GetRawCertData()

$credentialsValue = [System.Convert]::ToBase64String($binaryValue)

Result should be:

New-MsolServicePrincipalCredential -AppPrincipalId 00000004-0000-0ff1-ce00-000000000000 -Type Asymmetric -Usage Verify -Value $credentialsValue

Set-MSOLServicePrincipal -AppPrincipalID 00000002-0000-0ff1-ce00-000000000000 -AccountEnabled $true

Next we are going to add the tenant’s on premises web services URL(s) to the ServicePrincipal endpoint:

$WebExt = (get-CsService).ExternalFqdn

$SkypeSP = Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000
ForEach ($Fqdn in $WebExt){
$SkypeSP.ServicePrincipalNames.Add(“00000004-0000-0ff1-ce00-000000000000/$Fqdn“)
}

Set-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000 -ServicePrincipalNames $SkypeSP.ServicePrincipalNames

Final Result:

You should see your on prem external web services listed.

Get-MSOLServicePrincipal -AppPrincipalID 00000004-0000-0ff1-ce00-000000000000

Authors: Colin Hoag, Tony Quintanilla and Kory Olson

This blog was based in part on Christian Burke's post on the same topic, located here . Thanks Christian! There is also a Script Center post that can help with this issue located here .

Thanks!

UM Service Startup Issue with a large number of dialplans

NextHop_Team — Tue, 21 May 2019 00:12:22 GMT

First published on TECHNET on May 31, 2016

You may encounter an issue where the UM service is not starting. When checking the event log you will see the following events:

Log Name: Application

Source: MSExchange Unified Messaging

Event ID: 1038

Task Category: UMService

Level: Error

Keywords: Classic

User: N/A

Description:

The Microsoft Exchange Unified Messaging service was unable to start. More information: "Microsoft.Exchange. UM .UMService.UMServiceException: The worker process didn't start in the allotted time.

Log Name: Application

Source: MSExchange Unified Messaging

Event ID: 1430

Task Category: UMCore

Level: Error

Keywords: Classic

User: N/A

Description:

The Unified Messaging server shut down process umservice (PID=4048) because a fatal error occurred.

This type of service startup issue can happen after performing one of these actions –

1. Creating a new UM dialplan or IP gateway, or hunt group objects.

2. Installing a /new UM language pack.

3. Running the script (ExchUCUtil.ps1) in order to integrate UM with Lync (Skype for Business) server.

Let’s look at what happens in the background when the UM service starts. When you start a UM service, there are two processes that needs to start – UMService.exe and UMWorkerProcess.exe. UMService.exe is the watcher process for UMWorkerProcess.exe. UMWorkerprocess is the primary process that performs all the functionalities of UM. When the service starts it loads the major UM configuration related objects in its memory. The primary function of UM is to accept incoming calls for voicemail. When a call comes in UM has to determine –

1. Is this call from a valid UM IP gateway ?

2. Which hunt group is a match ?

3. What is the dialplan that corresponds to the hunt group ?

If UM does not have all the major configuration objects in its memory, then it will have to query the AD for each call. The process of querying AD and retrieving all the information is not instantaneous and may cause reasonable delay depending on the network and Global Catalog location. As a result the “real time experience” of a call will be impacted when someone calls the UM server. In order to provide a seamless real time experience, most of the frequently queried objects are already loaded in memory when the UM service starts. Therefore, when a new call comes in UM can answer the call instantly. In addition, UM also loads the compiled GAL grammar file, so that, when a caller calls in to SA or AA and searches the entire GAL of an organization, the GAL is already loaded.

The startup problem arises when there are large number of configuration objects. UMWorkerProcess by default has approximately 240 seconds of total time to start. During this time it has to check certificates, allocate memory, and load UM configuration objects prior to starting the service. If there are a large number of dialplans, hunt groups, IP gateways then it will take long time to start the service and in some cases, the time available may not be enough to complete all the pre-requisites of service startup. In that case, the service startup will fail due to timeout. Similar problem can happen if an organization has a large GAL (over 100k users) and multiple language packs. For this scenario, GAL for each language pack has to be loaded. Note that, just loading the GAL in different language packs does not usually cause problem with service startup, since the process is fairly fast. It is the combination of multiple GALs along with large number of dialplans (and/or other configuration objects), that causes the issue.

A similar situation may arise when you are trying to integrate your UM environment with Lync\Skype for business. In that case, you will run the script that creates UM objects corresponding to each pool. If there are lots of pools in the Lync environment, you will end up with a large number of configuration objects on the UM side.

Is there a hard coded limit on the number of objects that UM service can load in memory during startup?

Unfortunately there are no hard-coded limits. The configuration of each object also impacts what gets loaded in memory. For example, a dialplan with multiple subscriber access number, will take more time to load, compared to a dialplan with single SA number. That is why we cannot say that UM service is fail after loading a specific number of dialplans. Also, the hardware spec for the machine where UM server is installed plays a role. From the cases that we have seen in support, in general, UM service start to experience this issue when they have 150+ dialplans and two or three times more hunt group objects. This number can dramatically change when you have multiple language packs for an organization with 100k+ users. In that case, if the UM server has 70+ dialplans with 5 or 6 language packs, the organization experienced this issue.

How to fix this issue?

For Exchange 2010, make sure UM server is installed in a standalone machine with more than adequate memory and CPU.

Same goes for Exchange 2013 and 2016 server – in this case, the issue is seen in the mailbox server running the UM service - make sure the mailbox server has more than adequate memory and CPU usage.

If adding memory and CPU does not resolve the issue, then you will need to reconsider the overall design of UM and start reducing the number of dialplans. Check the overall usage of each dialplan – typically, a single dialplan can serve entire organization operating in a single geographical location using a single dial code, example, a US based company operating on multiple states in US. . For global organizations, a single dialplan can serve country / Region – since most countries or region has the same numbering plan (meaning number of digits in a DID number). Only time, you need to create multiple dialplans is when, “number of digits” in extension are different and “dialcode” is also different. These are unique properties of dial plan and cannot be changed.

If you have two dialplans with the same values for “number of digits in extension” and “country code” – they can be easily combined into one dialplan. Sometimes UM Admins wind up creating an excessive number of dialplans for administrative purposes. Note that this is not the intent of the dialplan object. Having fewer dialplans decreases administrative overload and reduces chances of a call misroute.

Is this a bug ? Are there any plans to fix this ?

This is not considered a bug – in order to provide real-time experience with UM, Microsoft developed a design that retrieves configuration details in a timely manner. This means, loading the objects in the cache during service startup. Since this design is intentional, it is not considered a bug.

An efficient UM topology, consisting of dialplans that align with PBX systems as well as geographical locatiosn will result in a more manageable number of dialplans and huntgroups. Remember that a smaller number of dialplans is easier to manage and there will not be any service startup issue.

Cloud Connector Edition; Smaller Hardware

NextHop_Team — Tue, 21 May 2019 00:12:12 GMT

First published on TECHNET on May 11, 2016

Author; Korneel Bullens , Senior Customer Engineering Architect, Skype for Business

References;

Planning for Cloud Connector Edition - https://technet.microsoft.com/en-us/library/mt605227.aspx

Configuring Cloud Connector Edition - https://technet.microsoft.com/en-us/library/mt605228.aspx

Hardware Used;

Audiocodes Mediant 800 with integrated OSN

OSN Hardware

32 GB of memory

Core I7 5859EQ

Dual network connections

512 GB SSD

Prerequisites;

Windows Server 2012 R2 installed on the OSN with the latest updates (Standard or Datacenter)

Note: If Standard Edition is used, 2 licenses are needed to license all 4 virtual machines

Hyper-V enabled on the OS

A copy of the Server 2012 R2 ISO is available on the machine

Office 365 with Cloud PBX is available

Active Directory with ADFS and AADSYNC enabled

7 IP addresses in the Internal LAN Range
- 2 of the internal Ip addresses must have internet access (Host IP & Sysprep IP)

1 external IP address

1 external certificate with *.sipdomain & sip.sipdomain

Environment

Internal IP Addresses

IP Address	Host	Subnet Mask	Gateway	DNS Server
172.16.50.150	CCE OSN	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.151	CMS	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.152	Edge	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.153	Mediation	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.154	DC	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.155	BaseVMIP	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.156	Gateway	255.255.255.0	172.16.50.250	172.16.50.1

External IP Addresses

IP Address	Host	Subnet Mask	Gateway	DNS Server	External DNS Name
185.92.71.252	Edge	255.255.255.248	185.92.71.249	172.16.50.1	Ap.korneel.nl

Users

Name	Username	SIP Address	External Phone Number	IP Phone
Korneel Bullens	Kbullens	kbullens@korneel.nl	+31305001484	12345

Domains in use

Korneelb.onmicrosoft.com as the tenant

Korneel.nl as the SIP domain

Additional Servers

Domain Controller

ADFS Server that also runs AADSync

Preparing the environment

Before installing the OSN as a smaller Cloud Connector, perform the following tasks

On the OSN, create 2 network adapters in Hyper-V.
- Network adapter 1 must be named “Internal” and must be connected to the Internal LAN, and select “allow management operating system to share this network adapter”.
- Network adapter 2 must be named “External” and must be connected to the External LAN. Allow management operating system to share this network adapter must NOT be selected
- There is a third network adapter, which is an internal loopback adapter to the gateway. This adapter must be disabled

On the OSN, make sure the latest updates are installed and applied, and Hyper-V is enabled.
- Verify internet connectivity on the OSN and verify the gateway can be reached
- Verify the correct ports are opened as per the planning guide for Cloud Connector
- Verify the entire disk on the OSN is assigned to C

On your AD environment verify that
- Active Directory is installed
- ADFS and AADSYNC is installed and configured correctly
- A tenant is enabled for Cloud PBX and a vanity domain is enabled.

Installing Cloud Connector Edition

From the cloud connector download page, download the latest version of Cloud Connector at https://www.microsoft.com/en-us/download/details.aspx?id=51693

After installing Cloud Connector Edition, this will enable a set of PowerShell scripts.

Create a new directory called “CCE” on the Root folder of C, and a sub folder called Site inside CCE

In this setup we will not create a HA environment so the Site directory does not have to be shared. In a HA environment, we will share the site directory between the different CCE hosts.

To make sure the installation ends up in the pre-configured directories, we have to set the site and appliance directory;

Open PowerShell as an administrator and run the following cmdlets;

Set-CcSitedDirectory “c:\cce\site”

Set-CcApplianceDirectory “c:\cce”

Place the Server 2012 R2 ISO and the Certificate for the Edge Server inside the Appliance Directory, in our case, that is c:\cce

After the ISO is copied, the certificate path must be set with

Set-CcExternalCertificateFilePath –path c:\cce\wildcard.pfx

We are now ready to start the CC Download with

Start-CcDownload

You can check the progress of the download with Get-CcDownloadProgress

After the download is complete, run the cmdlet

Export-CcConfigurationSampleFile

This will export a sample of the configuration file. Go to the CCE Appliance directory and rename it to CloudConnector.INI - your appliance directory should now look like this:

Open and edit the CloudConnector.ini file with your settings. While the complete INI must match your environment, the following values are of special attention

IP Prefix Lengths (Corpnet and InternetIP);
- make sure to use the correct prefix lengths. Use a subnet calculator if necessary

CorpnetSwitchname
- This should contain the name of Hyper-V Virtual Switch name you use for internal traffic, in our example “Internal”

InternetSwitchName
- This should contain the Hyper-V Virtual Switch name you use for your Internet facing traffic. In our example “External”

BaseVMIP
- This is the IP address used to create the BaseVM. This IP must allow the virtual machine full internet access

CorpnetDefaultGateway
- This gateway is not necessary for the functionality of Cloud Connector, however, this gateway is used during the preparation of the BaseVM to provide it internet access so it must be provided for the BaseVM creation. Note that the BaseVM will be recreated if updates are to be applied to Cloud Connector, so we recommend to whitelist the BaseVM IP for Internet Access

CorpNetDNSIPAddress
- This DNS Server is used for the internal machines as well as the BaseVM to resolve DNS queries. While CCE does not have to be registered in the internal DNS, during the BaseVM creation the BaseVM needs DNS Server Access to query the Windows Update Servers

ManagementSwitch/IP/Subnet
- This management switch is used during installation. After installation, this switch si automatically deleted. You should pick IP information here that is different from the production IP information such as the Internal LAN

ExternalMRPublicIPs
- Only complete this if you are using NAT. if not using NAT, leave this empty

Now that the INI file is complete, it is time to start creating the BaseVHD.

Run the following cmdlet to start converting the ISO to a BaseVHD

Convert-CcIsoToVhdx –IsoFilePath c:\cce\Windows_Server_2012R2.iso

After about 2.5 to 3 hours (depending on your internet connection) the total installation will be complete.

You can now run the installation PowerShell cmdlet;

Install-CcInstance –HardwareType minimum

After the installation, it is recommended to validate that all Skype for Business related services are running on the virtual machines

Configuring Office 365

Connect to Skype for Business online using the following cmdlets in an administrative powershell;

Import-Module skypeonlineconnector

$cred = Get-Credential

Enter your admin credentials of your Office 365 Tenant

$Session = New-CsOnlineSession -Credential $cred –Verbose

Import-PSSession $session –allowClobber

First, we set up the Tenant for Hybrid Voice via Cloud Connector by running the following cmdlets;

Set-CsTenantHybridConfiguration -PeerDestination <External Access Edge FQDN> -UseOnPremDialPlan $false

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $True

Now enable the user for Enterprise Voice;

Set-CsUser –identity kbullens@korneel.nl –EnterpriseVocieEnabled $true –HostedVoicemail $true –OnPremlineURI tel:+31305001484

You have now enabled the User to receive incoming calls and make outbound calls.

You'll need to decide whether your users should be able to make international calls. By default, international calling is enabled. You can disable or enable users for international dialing using the online Skype for Business admin center.

To disable international calling on a per user basis, run the following cmdlet in Skype for Business Online PowerShell:

Grant-CsVoiceRoutingPolicy -PolicyName InternationalCallDisallowed -Identity $user

To re-enable international calling on a per user basis after it has been disabled, run the same cmdlet, but change the value for PolicyName to InternationalCallsAllowed .

To complete setup of voice mail for users, do the following:

Check whether a dial plan named BusinessVoice_8D_DialPlan already exisits by running the following cmdlet: Get-CsOnlineUMDialplan | Select Identity

If the dial plan doesn't exist, create it by running the following cmdlet:

New-CsOnlineUMDialplan -Identity BusinessVoice_8D_DialPlan -CountryOrRegionCode 1 -NumberOfDigitsInExtension 8

Note:

After creating dial plan, wait five minutes to allow for changes to be replicated before enabling users.

3. Enable users for UM Mailbox by running the following cmdlet:

Get-CsOnlineUser –identity kbullens@korneel.nl |Enable-CsOnlineUmMailbox

And you are all set! We hope you have enjoyed this post.

Cloud Connector Edition; Interop with Short Digit Dialing

NextHop_Team — Tue, 21 May 2019 00:11:33 GMT

First published on TECHNET on May 11, 2016

Author; Korneel Bullens , Senior Customer Engineering Architect, Skype for Business

References;

Planning for Cloud Connector Edition - https://technet.microsoft.com/en-us/library/mt605227.aspx

Configuring Cloud Connector Edition - https://technet.microsoft.com/en-us/library/mt605228.aspx

Hardware Used;

· Audiocodes Mediant 800 with integrated OSN

· OSN Hardware

o 32 gb of memory

o Core I7 5859EQ

o Dual network connections

o 512 GB SSD

Prerequisites;

· Cloud Connector minimum Edition installed and working

· Office 365 configured

· Connection between PBX and Cloud Connector Edition via Gateway (in this example we use a Mediant 800)

· A client machine that allows the user to sign in and place/receive calls.

· Working routes on the gateway between the PBX and the Mediant

Environment

Internal IP Addresses

Ip Address	Host	Subnet Mask	Gateway	DNS Server
172.16.50.150	CCE OSN	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.151	CMS	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.152	Edge	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.153	Mediation	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.154	DC	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.155	BaseVMIP	255.255.255.0	172.16.50.250	172.16.50.1
172.16.50.156	Gateway	255.255.255.0	172.16.50.250	172.16.50.1

External Ip Addresses

Ip Address	Host	Subnet Mask	Gateway	DNS Server	External DNS Name
185.92.71.252	Edge	255.255.255.248	185.92.71.249	172.16.50.1	Ap.korneel.nl

Users

Name	Username	SIP Address	External Phone Number (Phone Number)	IP Phone
Korneel Bullens	Kbullens	kbullens@korneel.nl	+31305001484	12345
Thomas Binder	TBinder	Tbinder@korneel.nl	+31305001485	54321

In AD, the users are configured with the External Phone Number as their Phone Number, and the IP Phone Number in the Ip Phone Field.

Domains in use

Korneelb.onmicrosoft.com as the tenant

Korneel.nl as the SIP domain

Additional Servers

Domain Controller

ADFS Server that also runs AADSync

Preparing the environment

In our lab, we have connected a desk phone to port FXS1, with the phone number of 12345. This phone will simulate an existing short digit dialing desk phone. The FXS port could also have been a PRI connected to a PBX.

The Scenario

Korneel is using Skype for Business with Cloud Connector Edition. Cloud Connector Edition is connected to the legacy PBX using a Mediant 800. Thomas has not yet been migrated. The PBX is still using Short Digit Dialing. Some users have been migrated to Cloud PBX, some have not.

Users that have been migrated still need to be able to dial users that have not. We will configure the Mediant 800 in such a way, so that it performs an AD Lookup (LDAP Query) to replace the E164 TEL URI in the invite and the from when dialing from Cloud Connector Edition to the PBX with the Extensions\Short Digits of the User, and the other way around.

In example;

Korneel is dialing Thomas, using the E164 number (+31305001485). Reverse Number Lookup is performed by Skype for Business Online, and if Thomas has not been enabled, Reverse Number lookup will fail and will redirect the call on premises. The call then reaches the Mediant, the Mediant performs an LDAP query and will match the E164 number to the phone number in AD. It will then replace it with the IP Phone Number. It will do the same with the from number, so that the extension for callback will match.

When Thomas wants to call Korneel, he dials Korneels extension. The PBX no longer knows this extension and sends this to the Mediant. The Mediant performs an AD lookup, and replaces the To and From number with E164 numbers, making sure the call succeeds.

Configuring the Mediant 800

Enabling AD Lookup

On the Domain Controller, in the OU Users, create a new user called “LDAP”. Make sure the login name is LDAP and set a password.

Then proceed to log in to the gateway for the next step

In the gateway, under VOIP, go to Services, LDAP, LDAP Server Groups.

Note : if you don’t see the services group, you should enable the Advanced View in the top of the screen.

Create a new group, and save the group

In my example I’ve called the group DC01.

Go to LDAP Configuration Table and add a new line.

In my example, I’m using the Voice Network Interface, and my DC (that is connected to ADFS, NOT the CCE DC, has the ip of 172,.16.50.1.) Please note that you must put the user account’s full Distinguished Name in; you can find this under the advanced tab in the users properties in AD.

After this configuration, it should say “LDAP Connected” on the bottom of the screen;

In that same screen, click on LDAP Servers Search Based DNs

Create a new search DN, and make sure this DN is the OU that includes your users, in my case it is “users”

Now that we know where to look for the users, we also need to enable the rules. This is done under VoIP>Gateway>Routing>Gateway Routing Policy. Edit (or create) the default policy and set the LDAP Servers Group Name to the LDAP Servers group name you have created before.

Now that the Mediant can perform LDAP lookups and apply rules, it’s time to create the rules;

Number Manipulation Rules

Go to VoIP>Services>LDAP>Call Setup Rules.

What we want to do is if a call comes in, we take a look at the destination number, match this to a number in AD, then replace it with a different number from AD. For example, if a call goes from CCE to the PBX, the incoming source and destination number will be E164. The PBX will not understand this since it needs extensions. Therefore, we will create a rule that will look at the destination number, match that to the telephoneNumber field in AD and replace it with the ipPhone Field in AD. We do the same thing for the Source Phone Number. This will require 2 rules and we can group them together as one rule set. We will also need to do something similar the other way around (ipPhone to telephoneNumber) for calls from the PBX to Cloud Connector. We will create these 2 rules and group them under another rule set.

The following rules must be created;

Note : Default Values have been omitted from this table. Action Type is always “Modify”

Rules Set ID	Attributes To Query	Attributes To Get	Condition	Action Subject	Action Value
1	'ipPhone=' + param.call.dst.user	telephoneNumber	ldap.attr.telephoneNumber exists	param.call.dst.user	ldap.attr.telephoneNumber
1	'ipPhone=' + param.call.src.user	telephoneNumber	ldap.attr.telephoneNumber exists	param.call.src.user	ldap.attr.telephoneNumber
2	'telephoneNumber=' + param.call.dst.user	ipPhone	ldap.attr.ipPhone exists	param.call.dst.user	ldap.attr.ipPhone
2	'telephoneNumber=' + param.call.src.user	ipPhone	ldap.attr.ipPhone exists	param.call.src.user	ldap.attr.ipPhone

After configuration your rule set should look like this:

Before we continue, let’s take a quick look at what is actually happening inside these rule sets.

If we look at the first rule, what this does, is that if the rule is applied, it queries the “IpPhone” field in AD with the value of param.call.dst.user, which is an internal Audiocodes variable, which holds the value of the phone number of the destination. In our case, this rule would be applied to a call from the PBX to Cloud Connector so it would contain the destinations user extension, as dialed by the user on the PBX. If we get a match, we then get the attribute “telephoneNumber” from that object\user. We then put that value in the variable ldap.attr.telephoneNumber. In the Action Subject, we specify that we want to change the param.call.dst.user, which still holds our variable for the destination's user phone number, and we modify that with the action value ldap.attr.telephoneNumber, which holds the objects telephone number which is in our case the E164 number.

Once the configuration is complete, rule set 1 is now capable of replacing the value in the IPPhone Field with the telephoneNumber field, and rule set 2 is capable of replacing the value in the telephoneNumber Field with the value in the IpPhone Field. Since we put the PBX Extension in the ipPhone Field and the E164 number in the telephoneNumber field, we can now interchange the numbers between CCE and the PBX.

Applying the rules to Routes

Since we have the 2 rule sets active now, they can be applied to the routes. Under VoIP>Gateway>Routing you will find Tel to Ip Routing (PBX to SfB) and IP to Trunk Group Routing (SfB to PBX.

In our LDAP rules, rule set 1 was capable of replacing extensions with E164 so this applied to the Tel to IP Routing. Open up Tel to Ip Routing and edit the Route that enables PBX to SfB Routing. Under “Action” change the “Call Setup Rules Set ID” to “1”.

Save this, and open up IP to Trunk Group Routing. Since Rule Set 2 enabled the replacing of the E164 number with the Extension, we now need to apply rule set 2 to this route.

Open the appropriate route(s) and now under Action, apply Call Setup Rules Set ID 2.

Now that the setup is complete, don’t forget to press the “Burn” button on top of the screen to save the configuration.

Testing the Rules

Now that the rules have been applied, we are testing them by placing a call from Thomas’ Phone to Korneel’s SfB Client.

On the phone, we dial 12345. In the Audiocodes gateway, we see the following;

And on the SfB client the call is correctly identified as coming from Thomas.

Additional Notes:

Please note that the LDAP rules are only applied after matching a voice route. You cannot create a voice route that matches a phone number AFTER the LDAP rule.

If a phone number is assigned to a user in Skype for Business, reverse number lookup will prevent the number being routed to the gateway.

Issue: Calls to certain Response groups fail with an Error "500 Internal Server Error"

Mohammed Anas Shaikh — Tue, 21 May 2019 00:10:01 GMT

First published on TECHNET on May 09, 2016

We Recently came across an issue where calls to ONLY certain Response groups were failing with an Error "500 Internal Server Error" while calls to other response groups would work. This articles may help you understand the one of the causes of this issue and the corresponding solution.

To Understand why we see this issue we have to look into how RGS works and how does it gets initialized.

A response Group has a few important components that are related to it,

Component 1

Every Response group has a Contact Object that gets created for it in Active Directory

This Contact Object Has two specific attributes that are very important, The Attributes are

MSRTCSIP-OwnerURN - "urn:Application:RGS" This Tells a FE server that this Object is actually a Response Group,

MSTRCSIP-UserEnabled - "TRUE" --> This Tells the FE server that This Object is actually Enabled and a Valid Object.

Component 2

Every Response group also has a WORKFLOW assigned to it, this dictates what actions to take or what options to present to the caller whenever this RG is being called.

So Every Response group in your Organization will have a Contact Object in Active directory and the above two attributes will be populated for them. In addition, Every RG will have a workflow associated with it.

Now Whenever You Restart the RGS services on any FE server, or if you Restart the FE server Itself. When it is starting the RGS service will do the following tasks;

Task 1 - It will first reach out to Active directory and find all the Contact Objects that have MSRTCSIP-OwnerURN attribute set to "urn:Application:RGS " This basically means that FE tries to find how many response groups do you have.

Let's Assume in your Organization you have 10 Response Groups created. In that case when RGS service is starting it should find 10 contact objects in your AD that have the MSRTCSIP-OwnerURN attribute set to "urn:Application:RGS"

Task 2 - Once it finds all the Entries the next thing a FE is supposed to do is Find out the corresponding Workflows for these 10 Response Groups in order to create a 1:1 mapping of Response group and its workflow. We call this Successfully registering Endpoint.

In this case in a perfect world When the RGS service starts on the FE it should be able to detect that there are 10 Contact Objects in AD representing 10 response groups and it should also find 10 corresponding Workflows mapping to these 10 Response groups.

Every time the RGS service finds a Contact object for RG in AD and its corresponding Workflow it considers this a "Successfully Registered Endpoint". So if you have 10 Response Groups in your Company then the RGS service while restarting should successfully map 10 Contact objects to 10 Workflows giving you a Total of 10 Successfully Registered Endpoints.

You can easily see how many response groups have been mapped successfully by RGS service by collecting Logs for the RGSHostingFramework Component while the service is restarting and then in the logs search for string "Successfully Registered Endpoint"

In our scenario we knew we had 10 response Groups, However when we collected logs we only saw 4 Successfully registered Endpoints, Which meant that When RGS service was starting it was able to only Map four Contact Objects with their corresponding Workflows and those were the only 4 Response groups that were Working and all others were Failing.

We now tried to Focus on finding out why exactly the FE servers are unable to Successfully Register the 6 or so Response groups.

The reason was apparently very clear,

What we found was that the FE server was not actually Failing to Register the remaining Response groups, It simply was not even Trying to Register them.

This was happening because after successfully registering around 4 Response groups it encountered a Response group named - sip:test@Lync1.com

What we saw that Every FE server would successfully Load 4 Response groups and they would all stop at this specific RG - sip:test@Lync1.com

It Was clear that the RGS service was having an issue trying to Map this Particular RG with its corresponding Workflow. The reason could be that the Response Group workflow was either not created correctly or may have been deleted but the Contact Object for the Same may have not been deleted or was still existing in the database/AD. As a result the RGS service was never able to Map the Response Group correctly with its workflow.

Per Design when a FE server encounters this situation it will keep trying to find a corresponding workflow for sip:test@Lync1.com and will not proceed further until it is done. And since the workflow was not existing FE was never able to find it and it kept trying and it never went ahead to load the Other Response groups.

So Basically FE was able to load all RG's until sip:test@Lync1.com and after sip:test@Lync1.com it never was able to move ahead.

This problem may normally happen IF, you may have deleted/modified the RG either from LYNC control panel or power shell etc. but the AD contact Object for this RG was not deleted and hence this RG was still Active as a Contact Object in AD but the workflow was either deleted or inaccessible. This would happen if the person who tried to delete/modify/create the Response group workflow through the LYNC control Panel did not have Permissions on the RTC service container in AD.

To solve the issue, we need to Delete the Contact object for the RG sip:test@Lync1.com from AD using ADSI Edit.

After We deleted this RG and verified the corresponding Object in AD is also deleted and restarted the RGS service, All Response group calls started working fine.

Conclusion:

If you run into a scenario where calls to certain Response groups in LYNC are failing with "500 Internal Server Error" then the best thing to do would be the following

1. Collect Logs for the RGSHostingFramework Component using OCS/CLS Logger while restarting the Response group service.

2. Convert the ETL log file into Text Format using OCS logger itself and Open the Log file in Notepad/text Analyzer

3. After loading the file filter for string "AEP discovered" this should give all the RGS application endpoint names in the environment that the RGS application has found based on the Contact Objects. Check how many Endpoints were found and make a note of It.

4. Then in the same Logs filter for String "Successfully Registered Endpoints" This will show how many of the endpoint that were discovered in step 3 above have been successfully mapped to their corresponding Workflows.

5. The Total number of "AEP Discovered" Endpoints should be the Same as the total number of Successfully Registered Endpoints.

6. If they are not then that means you may have probably deleted the Workflows of some Response groups from the LYNC control panel but the corresponding AD contact objects for the same were somehow not deleted. As a result whenever a FE server while restarting finds a RGS contact Object which does not have a corresponding Workflow, it keeps trying to find it and it stops processing any other Response groups as a result some Response group calls may work while the rest of them may fail.

7. Find out which is the last Response group that was successfully registered in step 4. Then Find out the Total "AEP Discovered" Endpoints in Step 3. If you have 10 AEP Discovered Endpoints and only 5 Successfully Registered Endpoints than this means that the 6th AEP Discovered Endpoint is causing the issue. This Endpoint belongs to a Response group whose workflow may have been deleted and hence the FE server cannot map the RGS contact Object to its workflow and it stops processing at this point.

8. Delete the Contact Object of the Problem RG from AD.

9. Restart the RGS service.

10. Repeat the steps 1 to 10 if the problem continues. (You can have more than one Problem Response group Objects in your AD)

Policies, Policies, Policies–Online!

NextHop_Team — Tue, 21 May 2019 00:09:45 GMT

First published on TECHNET on Apr 27, 2016
Policies, policies, policies –online

Author: Collin Hoag – Microsoft Skype for Business Sr. Support Escalation Engineer

Creating and managing policies in Skype for Business Online

Have you ever had the need to set up policies for your Skype for Business Online users? Did you know that you are able to do this? It can be a little daunting when you look at the number of policies, but there is a way to simplify this process.

Before you can begin, you need to know the policies that you have access and that you can grant as tenant administrators. According to the following technet article, you can see that you can use the following policies in Skype for Business Online: https://technet.microsoft.com/en-us/library/dn362826(v=ocs.15).aspx .

You need to be connected via remote powershell in order to follow these procedures. Please see this topic for more information on remote powershell. Now that we’ve gotten that taken care of, let’s see how many policies we have access to as tenant administrators.

Powershell

C:\> Get-CsClientPolicy |measure Count : 19 PS C:\> Get-CsConferencingPolicy |measure

Count : 228

PS C:\> Get-CsExternalAccessPolicy |measure

Count : 5

PS C:\> Get-CsVoicePolicy |measure

Count : 7

.

If you add them all up, then that is 259 total policies!!! How do we manage that many? There are a lot of options there; which ones do we choose?

Well, we get this question a lot in support. I have come up with a way to quickly identify what options you want to have enabled or disabled based on the Policies we have. Remember, you currently cannot create custom policies and need to choose from the ones Microsoft has made available to the tenant admins.

First, by running this Powershell cmdlet you can create a CSV where you can easily pick and choose which policies you want to enable or disable.

Powershell

PS C:\> Get-CsConferencingPolicy | Export-Csv c:\temp\SfBo-ConferencingPolicy.csv .

You will get output that looks like the following:

Then, you can remove the first row and the first few columns. If you go to the end of the columns, then you will see the Identity column. I recommend moving this to the first column.

Here are the other columns you can remove: XsAnyElements, XsAnyAttributes, PSComputerName, RunspaceId, PSShowComputerName, Element, ScopeClass, Anchor, Description

Now, you finish up by moving Identity to the front and adding a filter and freezing the top row. Now you can search on all the different policies and see all the ones which would apply to what you want.

Please check out Thomas Binder's post for more information on policies.

Thanks,

Collin Hoag

Sr. Support Escalation Engineer

Skype for Business Online

How to collect EXTRA Trace for Exchange UM Issues

Mohammed Anas Shaikh — Tue, 21 May 2019 00:09:05 GMT

First published on TECHNET on Apr 18, 2016

When You are working on issues related to Microsoft Exchange Unified Messaging there may come a Time when you would want to collect Traces on the Exchange UM server for The Unified Messaging component to conduct some deeper troubleshooting. The Below article describes the Process of collecting EXTRA trace specifically for Issues involving Unified Messaging.

The Process below is for Exchange server 2010. The Extra tracing component is Built in Exchange 2010 however if You are using Exchange server 2013 then you may have to download the MSI for EXTRA tool first and install on your Exchange 2013 server. Once You install the Tool on Exchange 2013, Double click to open the tool and the process from there on is exactly similar to Exchange 2010.

Note: At the moment there is NO publicly available location from where one can Download the MSI for EXTRA for Exchange 2013. The Only supported way of Getting the EXTRA tool for Exchange 2013 is by contacting Microsoft Support.

Launch Exchange Management Console

On your Left Click on Toolbox

On the right screen click on Tracking Log Explorer

You May see one of the two screens below ( fig.b or fig.c ), Irrespective of what screen you see just look for the option Select a Task

Fig. b;

Fig. C

Important: The Section that says "RECORD PATH" is where the logs will be saved, make a note of this.

Remember to Select ALL 8 FLAGS under Trace Types

Now Reproduce the issue and then stop tracing when Repro is done.

Logs will be saved in the path that indicated in Screen shot 6 (RECORD PATH)

Unable to call the UM Auto Attendant configured on UM online with O365.

NextHop_Team — Tue, 21 May 2019 00:07:43 GMT

First published on TECHNET on Apr 16, 2016

We have encountered issues where users are unable to reach the UM auto Attendant configured in O365. This may happen to any newly created UM Auto Attendants and may also affect any previously configured UM Auto Attendants even if they were working fine earlier.

The Primary cause of this issue originates from Custom Greetings and Prompts that a customer records for their Auto Attendants. Any Customer who uses a Custom greeting or Custom Prompts for their UM Auto Attendants may be affected by this issue.

If this is the source of the issue then we should see a specific error in the SIP Stack Logs on the customers On Premise Edge and Front End Servers coming back from Exap.UM.Outlook.com (UM Online)

To Correctly Identify the issue please perform the following actions on your ON Premise Environment

Have an Internal user use their LYNC client to make a call to the Configured UM Auto Attendant Number in O365.

Collect the following Traces,

On the End Users Computer - Client Side UCCAPI Logs from the LYNC client used to make the Call

On Every FE server - Sip Stack, S4, ExUM Routing

On Every Edge Server – Sip Stack and S4

After converting the Logs look for the Following Error on the Sip Stack logs on the Edge Server

SIP/2.0 403 Forbidden

Direction: incoming;source="external edge";destination="internal edge"

Peer: exap.um.outlook.com:5061

ms-diagnostics-public: 15641;source="BLUPR05MB133.namprd05.prod.outlook.com";reason="Prompts are not in a consistent state. Object: XXXXXXXXX"

You will also be able to see the exact same error on the Sip Stack logs for FE server and even in the Client side UCCAPI

SIP/2.0 403 Forbidden

ms-diagnostics-public: 15641;source="BLUPR05MB133.namprd05.prod.outlook.com";reason=Prompts are not in a consistent state. Object: XXXXXXXXX"

If you see a 403 Forbidden and the error in Ms-diagnostics is “Prompts are not in a Consistent state” then this confirms the customer is running into this specific issue with the UM Auto Attendant.

This has been identified as an Issue with the O365 UM Environment. It has been acknowledged and may be considered for a fix in later updates.

The Only workaround for this issue at this point is to Delete all the Custom Greetings and Prompts created for the UM Auto Attendant. Then wait for Replication. This should solve the issue and calls to Auto Attendant should start working but the customer would now hear default system greetings and Prompts. Once this is confirmed to work they can re-add the custom greetings and prompts and then the UM Auto Attendant should work even with the custom Greetings and Prompts.

Below are the instructions on how you can check and delete if the customer has recorded any Custom Greetings and Prompts for their O365 UM Auto Attendant.

Login to the O365 Exchange Admin Portal

Click Unified Messaging Tab on the Left à Select the Dial Plan à Scroll Down to select the UM Auto Attendant in question and double click to open the settings page for this Auto Attendant.

Now you have to check if they have a custom Greeting Recorded for the UM AA and if they do then delete this.

To do this Click on the Greetings Tab, if they have recorded a Custom Greeting than you will see a wav file under Business/Non Business hours greetings. Delete this File by clicking X mark next to the file.

After Removing the Greeting, we have to wait for a few minutes and then test the Calls to AA. If they work now great, we can go back and add the custom greeting again and test again and make sure AA is still working.

However if after removing the greeting File Calls to AA still fail then we have to check if the customer is using Key Mapping/ Custom Menu Prompts and if they do delete them as well.

To do this Click on the Menu Navigation tab

Remove the custom recording under Enable Business hours key Mappings they have for Menu Prompts (white Noise file in the screen shot)

Then delete any Key Mappings under the Business hours and Non Business hours Menu Navigation Field

After This Test the calls to the UM Auto Attendant, If they work then you can re add the custom greetings and the custom Menu prompts plus the key mappings back.

If None of the Above steps help in solving the issue then the last option is to Delete the Auto Attendant itself completely, wait for few minutes and then Recreate the Auto Attendant from Scratch again in O365.

How to Integrate a PBX/IP PBX phone system with O365 Exchange UM online

Mohammed Anas Shaikh — Tue, 21 May 2019 00:07:00 GMT

First published on TECHNET on Apr 16, 2016
IMPORTANT NOTE - Microsoft has announced End of Support for Third party PBX system that used Exchange UM online. Please check for details before investing further into this set up https://blogs.technet.microsoft.com/exchange/2017/07/18/discontinuation-of-support-for-session-border-controllers-in-exchange-online-unified-messaging/

The Purpose of this Post is to provide some guidance to customers who use a PBX/IP-PBX based phone system and wish to Integrate it with Microsoft O365 Exchange UM Online for Voice mail.

Below is a High level Architecture of UM Online looks like for a Customer with a Single Site Integrated with O365 for UM through an ON Premise SBC

Call Flow for Voice Mail - How does it work

User A uses his PBX phone to call User B on his PBX phone

User B does not answer the phone

Call then goes back to the PBX/Phone System and the Phone system has to decide what to do with this call.

The Phone system should be configured to send this call to the On Premise SBC (Session Border Controller). SO the call will now be sent to SBC

The SBC should be configured to send the call to the Forwarding Address that is obtained from the UM IP Gateway field in the O365 Portal

The SBC will First Encrypt the call using the Certificate that is installed on the SBC and will then send the call to the Forwarding address (UM Online SBC)

The UM online SBC will receive the call and it will deduce the Exchange Tenant information from the Forwarding address and will send the call to the correct Exchange servers in the Back End

When the Exchange Servers receive the call they will use the information within the call and find out the extension of the user who did not answer the call.

Exchange will then try to locate if a Valid UM enabled user exists with that extension and if there is then exchange will take the Voice Mail.

In Order to successfully Integrate your On Premise PBX/IP PBX phone system to work with Exchange UM online you have to perform the following actions;

A. Purchase Pre Requisite Hardware and Certificates that are Mandatory for the Configuration

B. Configure UM settings on the O365 Portal

C. Configure your On Premise Phone system to send Voice Mail calls your On Premise SBC

D. Configure your On Premise SBC to forward these Voice Mail calls to O365 Exchange UM online.

The Section below lists the details on each of the above

A. Purchase Pre Requisite Hardware and Certificates that are Mandatory for the Configuration

Purchase a Supported Session Border Controller (SBC)

O365 Exchange UM online has ONLY been tested and Supported to work with specific Session Border Controllers. If you want to Integrate your On Premise PBX/IP-PBX with O365 Exchange UM online then you will have to route your Voice Mail calls From your On Premise PBX/IP-PBX to O365 through a Supported Session Border Controller.

The Table Above lists the Different SBC Devices that are Supported and Tested to work with O365 Exchange UM Online. A more accurate/updated list can be found here - https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

For More Information on Supported Devices and how to choose which one is right for you please refer guidelines listed here - https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

Do NOT install a Firewall in Front of the SBC

SBCs are designed to sit on the network edge, they also function as a firewall. If you set up an SBC behind your organization’s firewall, it can cause configuration problems and is unsupported for connecting to Office 365 as Per Microsoft Documentation.

This is Documented here - https://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

Obtain a Public Certificate for The External FQDN of your SBC

Any Traffic Between your On Premise SBC and O365 UM online has to be Encrypted. For this reason you have to Purchase and Install a Public Certificate on your On Premise SBC.

Before Purchasing a Public Certificate for Your SBC you may first have to assign a unique FQDN to the Public/External Interface of your SBC. Example mysbc.mydomain.com

You need to Ensure that this FQDN can be resolved Publicly using a Public DNS server to a correct IP address.

The Subject Name and the Subject Alternative name on the Public Certificate should have the EXACT EXTERNAL FQDN of your On Premise SBC. The Subject name is Case-Sensitive hence it is important to make sure that SN and SAN entered on the Certificate Matches exactly with the External FQDN of your SBC. This is the FQDN that you will Enter on the O365 Portal under IP gateway Tab. (This is discussed further Under B. Configure UM settings on the O365 Portal)

There are Only Certain CA's that are supported with O365. Below is a List of CA's that are Supported with O365.

AddTrust External CA Root

DigiCert Assured ID Root CA

DigiCert Global Root CA

DigiCert High Assurance EV Root CA

Entrust Root Certification Authority - G2

Entrust Root Certification Authority

Entrust.net Certification Authority (2048)

Entrust.net Secure Server Certification Authority

GeoTrust Global CA 2

GeoTrust Global CA

GeoTrust Primary Certification Authority - G2

GeoTrust Primary Certification Authority - G3

GeoTrust Primary Certification Authority

GeoTrust Universal CA 2

GeoTrust Universal CA

Go Daddy Class 2 Certification Authority

Go Daddy Root Certificate Authority - G2

GTE CyberTrust Global Root

Network Solutions Certificate Authority

RSA Security 2048 V3

thawte Primary Root CA - G2

thawte Primary Root CA - G3

thawte Primary Root CA

VeriSign Class 1 Public Primary Certification Authority

VeriSign Class 3 Public Primary Certification Authority - G2

VeriSign Class 3 Public Primary Certification Authority - G2

VeriSign Class 3 Public Primary Certification Authority - G3

VeriSign Class 3 Public Primary Certification Authority - G4

VeriSign Class 3 Public Primary Certification Authority - G5

VeriSign Class 3 Public Primary Certification Authority

VeriSign Class 4 Public Primary Certification Authority - G2

VeriSign Class 4 Public Primary Certification Authority - G2

VeriSign Class 4 Public Primary Certification Authority - G3

VeriSign Universal Root Certification Authority

For a More accurate List and Other details related to Certificates for O365 UM online Refer https://msdn.microsoft.com/en-us/library/gg702672(v=exchsrvcs.149).aspx (This list is currently being updated to reflect all the above certificates)

B. Configure UM settings on the O365 Portal

A O365 account with Enterprise E3 or E4 plan, Educational A3 or A4 Plan, or Government E3 Plan , or a la cart Exchange Online Plan 2 Is Required.

For Users to have Voice Mail in the cloud you have to do the following on the O365 Portal

Step 1 - Create a UM Dial Plan

To create a UM dial Plan

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting page click on UM dial plans Tab at the top

Click the "+" Sign to create a New Dial plan

The New UM dial plan window now opens

On this window enter the details of the Dial Plan

Name - You can enter any name you want, some special Characters like " / \ [ ] : ; | = , + * ? < > are not allowed.

Extension Length - Enter the number of Digits you use for extension number for your users ON Premise

Dial Plan Type - Telephone Extension and E.164 are the only supported Dial plan types for Integrating UM online with PBX/IP PBX.

VoIP Security Mode - Unsecured and cannot be changed

Audio Language - English (depends on your preference)

Country/Region Code - "1" for United States

Click Save

Your Dial Plan is now Created.

Every time you create a New UM Dial Plan a default Mailbox policy is created Automatically that is associated with this dial Plan.

Take a Note of what mailbox policy is Associated with your Dial plan. You can use the below steps to check what Mailbox policy is associated with your dial Plan.

How to check what Mailbox policy is associated with your dial Plan.

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting page Double click on UM dial plan you created

You will be able to see what Mailbox Policy is associated with your UM Dial Plan as shown in the below screen shot,

You can find more detailed explanation on Each of the above properties and UM Dial Plans here - http://technet.microsoft.com/en-us/library/bb123819(v=exchg.150).aspx

Step 2 - Create a UM IP gateway

A UM IP gateway on the O365 Portal represents your On Premise SBC (basically it is the Public/External FQDN of your on premise SBC). You have to create an IP gateway in O365 to tell exchange Online that THIS device (On Premise SBC) will send Voice Mail calls to exchange online.

Below are the steps to create a UM IP Gateway

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting Page

Click UM IP Gateway

Click the "+" sign

A new window named "New UM IP Gateway opens up" on this window Enter the following details

Name - You can provide any name you like for reference purpose

Address - You need to enter the External/Public FQDN of your On Premise SBC

Click Browse

On the resulting Page you have to select the Dial plan that you created in Step 1 (create a UM dial plan) previously in this article.

On the resulting Screen you will now see the UM Dial plan value populated.

Click save.

Once you click save you will now see a UM IP gateway created under the UM IP gateway Tab on the O365 portal.

You have Now Successfully Created a UM IP gateway

For More details refer http://technet.microsoft.com/en-us/library/bb123890(v=exchg.150).aspx

Step 3 - Obtain Forwarding address from the O365 Portal

Once you create the IP gateway you will get A FORWARDING ADDRESS from the O365 portal.

This FORWARDING ADDRESS is actually the Public FQDN of the Microsoft UM Online SBC

You have to configure YOUR On premise SBC to send the calls to this Forwarding address that you get from the O365 portal for Voice Mail to work.

To Obtain the Forwarding address follow the below steps on the O365 Portal

On the O365 Portal, Go to Exchange Admin Center --> Unified Messaging --> UM IP Gateway

Select the UM IP gateway you created in Step 2

Click Edit

The Resulting Window will have the Forwarding Address Displayed.

Note Down this Forwarding address. As mentioned earlier, You have to configure YOUR On premise SBC to send the calls to this Forwarding address that you get from the O365 portal for Voice Mail to work.

See Screen shot below for reference

Your Step 3 is now complete.

Step 4 - Enable O365 Users for Unified messaging

Follow the Below steps to enable a User for UM online on the O365 Portal;

Login to the O365 Portal

Got to the Exchange Admin Center

On the Left Select Recipients

Search the user you want to enable for Unified Messaging

ON the Extreme right hand side Click on Enable under PHONE AND VOICE FEATURES --> Unified Messaging as shown below,

On the resulting Page Click BROWSE

Select the UM Mailbox policy from the List that you want to use for your User

Click OK

Refer Screen shot below for reference

This will take you back to the Enable UM Mailbox Page, Click Next here

On the resulting page, Enter an extension for the user (his extension should be the same as what he uses On his On Premise phone system, The extension and it has to be Unique for every user)

Click Finish

Your User is now Enabled for UM in O365.

NOTE: In this scenario we Enabled the user for UM on the O365 Portal itself. This was because I created My user directly on the O365 portal and My user was previously NOT enabled for UM. If you are in a scenario where you are Migrating your User from Exchange On Premise to Exchange Online and if the User is already enabled for UM in your On Premise environment then to Enable him for UM in O365 you have two options.

Option 1: You can disable UM for the User on the ON Premise Exchange server and then Move his mailbox to O365 and then Enable him again For UM on the O365 Portal following the same instructions as described above.

Option 2: If you Do not wish to Disable and Re-enable the user for UM and would instead like him to stay UM Enabled while you are moving the users Mailbox then to do this you have to create the same Dial plan and Mailbox policies as you use on the ON Premise Exchange UM set up in O365 and then you can move the User with his UM settings to O365. The procedure for this is described very well here - https://msdn.microsoft.com/en-us/library/hh552484(v=exchsrvcs.149).aspx This way his UM extension and Pin will remain the same.

You still will need to provide a Unique Subscriber Access number to your O365 Dial plan if you want your users to be able to call and Check their Voice mails from PSTN or use OVA.

When the User is moved to O365 they will receive an automated email indicating they are enabled for UM and this email will contain the new SA number they can now use for OVA.

C. Configure your On Premise Phone system to send Voice Mail calls your On Premise SBC

When a User A in your Company Calls User B and if User B does not answer the Phone, It is then the responsibility of your Phone system to decide what to do with this call.

You will have to configure your Phone system to forward this call to your On Premise SBC.

You may have to Refer Documentation provided by your Phone system Vendor in order to configure your phone system to achieve that

Please refer the below articles for more details

http://technet.microsoft.com/en-us/library/jj673558(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/ee364753(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/ee681657(v=exchg.150).aspx

D. Configure your On Premise SBC to forward these Voice Mail calls to O365 Exchange UM online.

Once you have configured your Phone system/PBX to send Voice mail calls to your On Premise SBC. You then have to configure your SBC to send calls to UM online .

You have to configure your On Premise SBC to Send Voice Mail Calls to the FORWARDING ADDRESS of Microsoft UM online SBC that you obtained in Step 3 (Step 3 - Obtain Forwarding address from the O365 Portal) of this article above (Below is the list of Supported SBC’s with UM online and the corresponding links to their configuration documents)

http://technet.microsoft.com/en-us/library/jj673565(v=exchg.150).aspx

You also have to configure a Certificate for the new On premise SBC to encrypt the traffic between the SBC and UM online which travels over the Internet. The details around this were covered earlier in this article (Under the section - Obtain a Public Certificate for The External FQDN of your SBC) Below is a link that lists the Third Party Public CA’s that are supported for UM online.

http://msdn.microsoft.com/en-us/library/gg702672(v=exchsrvcs.149).aspx

Once you have completed Steps A, B, C and D you have successfully Integrated your On Premise PBX/IP-PBX to work with Microsoft O365 Exchange UM Online.

NOTE: Using EXPRESS ROUTE IS NOT SUPPORTED WITH UM ONLINE.

This is mentioned in the articles below

The Article https://support.office.com/en-us/article/Azure-ExpressRoute-for-Office-365-6d2534a2-c19c-4a99-be5e-33a0cee5d3bd lists all services supported with EXPRESS ROUTE

Although its listed that “Exchange Online” Is supported with Express route the article also has a NOTE: which states “ ¹ Each of these applications have internet connectivity requirements not supported over ExpressRoute, see the Office 365 endpoints article for more information.”

If you then refer the Office 365 endpoints Article here - https://support.office.com/en-us/article/Office-365-URLs-and-IP-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US#bkmk_exo , it clearly states that Express Route is NOT Supported for Unified messaging ☹

Further more if we read the same article it also lists all the Exchange Online IP addresses that are routable through Express Route and the UM Online SBC IP addresses are NOT listed in the Supported List.

The Persistent Chat database connection was lost - Event ID 53530

Mohammed Anas Shaikh — Tue, 21 May 2019 00:04:22 GMT

First published on TECHNET on Apr 16, 2016
We have seen the below issues with customers using PCHAT/Group Chat;

Issue 1: LYNC client would time and again display an error stating Persistent Chat lost connection to the Database.

Issue 2: Pchat servers Crash/Hang or loose connection to the SQL database Often

Issue 3: We see Event ID 53530 Fairly regularly on the PCHAT Servers with Error Description "The Persistent Chat database connection was lost"

Issue 4: We also see the following Warning Events on the Persistent Chat servers time and again,

Notice: Info 9/29/2014 10:38:29 AM customer.com domain is no longer busy and can send us incoming messages normally.

Notice: Warning 9/29/2014 10:38:13 AM customer.com domain is too busy to send us incoming messages.

Notice: Info 9/29/2014 10:38:01 AM customer.com domain is no longer busy and can send us incoming messages normally.

We have come across Multiple cases where customers with large AD infrastructure were seeing one of the above Issues/Symptoms on their PCHAT Servers.

Although some of these warnings self-correct themselves within a very short period of time we tried to focus on finding out why we see these warnings/errors. Because it seemed like every time these errors occur they would cause some or the other issue and the behavior was very Intermittent.

While working on the issue with help of SQL engineers we found that there are several Instances where we see SQL Deadlocks.

When we Investigated further we found that a Certain Stored procedure [dbo].[procProcessADUpdates] seems to be trying to read certain Tables in SQL for a span of about 5-10 minute and this causes the deadlocks.

We then tried to correlate to see if the time when the Deadlocks happen matches with the time we see the errors in the Event logs on the Persistent Chat servers.

To find this we ran SQL PSSDIAG only configured to log instances where this specific Stored Procedure [dbo].[procProcessADUpdates] ran and later analyzed the Results.

Our Priority was to establish a confirm cause and effect relationship between the Errors happening on Persistent Chat and Events taking place on SQL at the same time.

We were able to identified a set Pattern on when the Errors appear on the Persistent Chat server.

The errors happen for a continuous interval of 10 minutes and they do not happen after that for about 101-15 minutes, then they reappear and constantly happen for another period of 10 minutes.

We collected Event logs from the Persistent Chat server and Traces for ProcessADUpdate stored procedure on SQL server.

These errors happened on the Persistent Chat server several times.

The Stored Procedure ran on SQL several times.

The Traces on SQL were collected between 10 am and 4 PM

Between 10 am and 4 PM there were several times when the stored procedure ProcessADUpdate on SQL ran but did not complete

First Occurrence of Stored Procedure running on SQL

Start time                                End time

10:12:09.080                          10:22:09.103

We saw the Event errors on PERSISTENT CHAT Server several times within this 10 minute window when the stored procedure was running between 10.12 am and 10.22 am.

If you see the Highlighted Section above you will see that the events happened between 10.13 am and stopped at 10.20 am. This is exactly the time when the Stored procedure started and stopped. After 10.20 am we did not have any events till 10.33 am.

The next error event was logged at 10.33 am and we kept getting these errors until 10.41 am

So we saw the errors again between 10.33 and 10.41 am and this is exactly the time when the stored procedure started again.

Start Time         End Time

10:32:26.223   10:42:26.237

Below are all the times when the Stored procedure Ran on SQL

Duration          Start time                                 End time                                           Object name

600022417      2015-01-29 10:12:09.080       2015-01-29 10:22:09.103            procProcessADUpdates

600013203      2015-01-29 10:32:26.223       2015-01-29 10:42:26.237            procProcessADUpdates

600104326      2015-01-29 10:52:44.880       2015-01-29 11:02:44.983            procProcessADUpdates

600015001      2015-01-29 11:12:56.007       2015-01-29 11:22:56.023            procProcessADUpdates

600022547      2015-01-29 11:33:15.580       2015-01-29 11:43:15.603            procProcessADUpdates

600022349      2015-01-29 11:53:29.437       2015-01-29 12:03:29.460            procProcessADUpdates

600024296      2015-01-29 12:13:33.150       2015-01-29 12:23:33.173            procProcessADUpdates

600058078      2015-01-29 12:34:17.830       2015-01-29 12:44:17.887            procProcessADUpdates

600044520      2015-01-29 12:54:58.053       2015-01-29 13:04:58.097            procProcessADUpdates

600045646      2015-01-29 13:15:04.677       2015-01-29 13:25:04.723            procProcessADUpdates

600071117      2015-01-29 13:35:07.493       2015-01-29 13:45:07.563            procProcessADUpdates

600039783      2015-01-29 13:57:46.727       2015-01-29 14:07:46.767            procProcessADUpdates

600014348      2015-01-29 14:18:06.810       2015-01-29 14:28:06.823            procProcessADUpdates

600014660      2015-01-29 14:38:25.600       2015-01-29 14:48:25.613            procProcessADUpdates

600018793      2015-01-29 14:58:44.330       2015-01-29 15:08:44.347            procProcessADUpdates

600008529      2015-01-29 15:18:51.800       2015-01-29 15:28:51.807            procProcessADUpdates

600011609      2015-01-29 15:39:00.673       2015-01-29 15:49:00.683            procProcessADUpdates

And on all these times we saw errors on the Persistent Chat servers exactly.

This gave us a Proof that the running of this stored procedure to some extent is directly proportional to the Error Events on the FE server in OUR case..

Which then led us to find out more information on the Stored Procedure that was causing this issue,

About sproc ‘inprocProcessADUpdates’

In the Persistent Chat server, an ActiveDirectoryWatcher’s job is to periodically (default is every 10 minutes) query the AD for any updates and if there are any, the corresponding principals are then updated in the Lync DB and also updates the AD sync cookie. The sproc ‘inprocProcessADUpdates’ finds the principals that were recorded as out of sync with AD and updates the data in the Lync database. The default timeout given for executing this SPROC is 10 minutes which is hardcoded in the code. By ‘hardcoded’ I mean this value cannot be customized. While working with the Product developers we learnt that “this command could take a long time to process based on the complexity of the data”. This is the Reason why a Time Out value was configured to ensure the SPROC does not keep running forever. The Time Out Value as mentioned is 10 minutes. It is NOT recommended to change the Time Out value of this SPROC. However we do Have the ability to Change the Frequency of its Run, meaning we can change how often we want it to Run. Based on the code this can be done by modifying the AD sync frequency timer by setting the adsynchfreq attribute in the server’s configuration file (.exe.config).

About sproc ‘procGetDirtyPrincipalIds’

The sproc gets a list of all principals that are dirty (principals that are out of sync with AD) in the Lync DB and need to be refreshed from AD. It gets batch of dirty principals from the DB at a time and updates those. Default batch size is 20 but is configurable by setting “adupdate/batchsize” in the config file for the server.

Based on the above information about these Stored procedures we learnt the following,

There is no way to modify the time out time of the stored procedure ‘inprocProcessADUpdates’

We do have the ability to modify how often it runs.

Recommendation:

If you are Witnessing the same symptoms as described in the beginning of this Article under Symptoms. Then It is possible you are also running into this problem.

In that case We would recommend the following.

Monitor the Run Cycle of the Stored Procedure [dbo].[procProcessADUpdates]

To confirm that this Stored Procedure is creating an issue intermittently in your PCHAT Environment you can engage a SQL engineer and Run PSSDIAG for the Stored Procedure [dbo].[procProcessADUpdates]

You can run this for the entire day. At the end of the day Note down The Total number of times the SPROC ran and then find out How many times out of that did it Time out at the 10 Minute Mark.

You will be able to see the Exact start and Stop times of the SPROC and for the instances where it Ran for entire 10 Minutes and timed out, Check the Application Event logs on the PCHAT server to see if you had any warnings/error events relate to database connectivity being lost/unavailable at the same time.

Even If you don’t see Errors/warning in the Event logs but you do see that the SPROC ran Multiple Times and timed out after 10 minutes on most occasions then I would still consider this to be a problem that can cause database connectivity issues, Performance issues etc.

Chances are that in a Large AD infrastructure you may encounter this scenario where this Particular SPROC does not complete its execution in 10 minutes and hence times out. The problem is That every time this SPROC runs it Locks certain SQL tables and these tables become unavailable for that amount of time until the SPROC finishes. As a result if some other Application/Sproc tries to access these tables at the same time it will NOT be able to and this will cause Intermittent connectivity issues. You may not be able to find a way to speed up the SPROC such that it completes every time within 10 Minutes or Never times out. Hence to Solve this issue one approach you can use is to Modify the Frequency of How Often this SPROC should run.

By Design This SPROC is programmed to Run Every 10 Minutes. Since this is a Very Intensive Operation it is Ideal NOT to run this SPROC every 10 Minutes specially in a Large AD environment.

So in Short, If you find out that This SPROC Runs Multiple times in your Set up and Does NOT complete every time successfully but Times OUT often then It is Advisable to Change the Frequency of how Often it Runs.

To do this you can follow the Below Instructions,

Modify the Frequency of the SPROC [dbo].[procProcessADUpdates]

Step 1:

Stop LYNC Services on the PCHAT Server

Stop-cswindowsService

Step 2:

Modify the Frequency of the Stored procedure

On the SQL server hosting the Persistent Chat Database (MGC)

Expand the MGC database

Tables

Select dbo.tblConfig

Right Click dbo.tblConfig and select edit top 200 Rows

On the results window under ConfigContent you will see a Long XML file

In this section Modify the Attribute (numerical value) between <adsynchfreq> 10 </adsynchfreq> In your Environment this value will be set at 10 change it to 480 this will mean that the Stored Procedure will run every 8 hours.

[NOTE: There is NO Set Guidance on what this Value should be changed to. You have to make this decision based on your Requirement. Every time you make a change in your Environment related to PCHAT (for example - add a user to Room, Create a Room etc.) This Value Decides how soon will that change take effect. If you do not make changes that often to the PCHAT Settings than it is best to keep this Value as high as possible to avoid Unnecessary running of the Stored Procedure as it is a very intensive Operation. In My example I have set the duration to 480 minutes which is 8 Hours]

Once you make this change Exit out of SQL Server Management studio and re-open it and verify the change stays.

Refer Screen Shot below for reference

Step 3:

Start LYNC services on the Persistent Chat Servers

Once the Above changes are made you would need to Restart the Persistent Chat services on the Persistent Chat server that is currently Live in your environment.

You can either Restart the Persistent Chat server itself or just restart the Persistent Chat services by running the following commands from the windows powershell

Start-cswindowsService

Step 4:

Note Down the EXACT Time when the Server/Services are restarted. (Very Important)

This is the time that will be used as the Reference point by the Stored Procedure to decide when should it run Next.

For Example If you set the <Adsynchfreq> to 480 (8 hours) and you restarted the Server at 1 PM. Then the Stored Procedure will Run After 8 hours from this point onwards so the Next run will be at 9 PM.

I would recommend you restart the Persistent Chat service at a time that will make sure that the Sproc does not run during normal/busy business hours.

Step 5

Repeat Steps 1-5 On all PCHAT Servers in your Environment.

THE END

Policies in Skype for Business online

NextHop_Team — Tue, 21 May 2019 00:03:45 GMT

First published on TECHNET on Apr 12, 2016

Author: Thomas Binder

Reviewer: Jens Trier Rasmussen

This article is about how policies can be managed for users homed in Skype for Business online.

What are policies?

Policies are sets of parameters that determine what users can and cannot do in Skype for Business. Each user has a couple of different polices covering different aspects and workloads of Skype for Business. If there are not specific policies assigned, the global policy will be used.

Pick and choose your policy

It is important to understand that in Skype for Business Online you cannot create any new policies and you also cannot change existing policies (which is a fundamental difference from Skype for Business Server). Instead there is a large list of pre-defined policies that you have to choose from. These policies cover many combinations of parameters – though it does not cover all possible permutations.

So you will have to pick and choose a policy that matches or is at least closest to your desired configuration.

Managing Policies Online

As discussed on TechNet here: https://technet.microsoft.com/en-us/library/dn362826(v=ocs.15).aspx , the following policies types can be granted to your user on Skype for Business Online:

Client Policy
Conferencing Policy
External Access Policy
Voice Policy

In order to look into the details of different policies the best way is to connect via PowerShell to your Online tenant. A comprehensive guide on how to connect to can be found here: https://technet.microsoft.com/en-us/library/dn362831(v=ocs.15).aspx

By running the get command you will be able to get a list of the existing policies – e.g. run get-CsConferencingPolicy to get all conferencing policies. You will realize that this is a quite large amount of policies. In order to get only a relevant subset there are a parameter and a filter we recommend to use in conjunction:

ApplicableTo can be used for Conferencing and External Access policies. It will limit the result set to all policies that can be applied to a specific user based on the user location (not all features are available everywhere) and the license assigned to the user. Get-CsConferencingPolicy -ApplicableTo sip:davidl@contoso.onmicrosoft.com

Additionally you might want to add a filter to get only policies back that have a specific as you require it: Get-CsConferencingPolicy -ApplicableTo sip:davidl@contoso.onmicrosoft.com | ?{$_.AllowAnonymousParticipantsinMeetings -eq $false} | select Identity

Ultimately you can export all policies into a csv file and then use the comforts of Excel to find the policy of your liking. Collin Hoag as an excellent post describing this process.

Strategies

Two strategies have proven successful in to identify the desired polices:

Search via PowerShell
You can use PowerShell to look at existing policies and identify the ones you want to assign to your users. However as stated before you might have to handle an extensive list of policies even if you are smart at using filters.
Configure via GUI
You can also use the Office 365 Admin Center and configure one of the users as your requirements determine. After that you can query what polices are applied to the user via PowerShell and apply the same policies to other users. To query which policy a user has assigned just run Get-CsUser -identity <user SIP uri> and then you can assign the policy to other users by using Grant-CsConferencingPolicy -identity <user SIP uri> -policyname <policy name> (or the appropriate command for other polices)

Applying the policy

Once you identified which policy you want to use, you can easily apply it to a user using the grant cmdlets:

grant-CsConferencingPolicy -identity -sip:davidl@contoso.onmicrosoft.com -PolicyName Tag:BposIAllModality

Obviously you would not run the cmdlet for every single user – this is PowerShell so you can make this part of your user provisioning process, assign to groups of users or import user lists and the policies to assign from csv files.

Summary

In Skype for Business online you cannot create your own policies and you cannot change existing policies. However, there are multiple ways to identify the desired policy from the existing policies. Once you have found it you can grant it to users.

Learn more

Assigning Per-User Lync Online Policies: https://msdn.microsoft.com/en-us/library/dn568008.aspx

Collin Hoag’s post on Policies: https://blogs.technet.microsoft.com/nexthop/2016/04/27/policies-policies-policiesonline/

Worldwide use of Office 365 Cloud PBX Now Simplified

NextHop_Team — Tue, 21 May 2019 00:03:38 GMT

First published on TECHNET on Apr 07, 2016
Today, we're excited to announce the availability of Skype for Business Cloud Connector Edition.

Cloud Connector Edition makes it possible to connect any existing telephone circuit to Cloud PBX in Office 365 using a single server and minimal configuration.   This allows for the user’s phone capability to be managed out of Office 365 while their phone calls continue to use their existing phone number, circuits and PSTN provider contract.   Cloud Connector Edition can be downloaded directly from Microsoft at https://aka.ms/getCCE

The availability of Skype for Business Cloud Connector Edition comes in addition to the existing capability of on-premises PSTN connectivity for existing Lync Server and Skype for Business Server deployments. For existing customers who have Skype for Business Server 2015 or Lync Server 2013 deployed, you can get started planning this topology here. What’s great about Cloud Connector Edition is that now Office 365 customers without Skype for Business on-premises can bring their PSTN circuits to Cloud PBX with minimal infrastructure investment.

Delivered as a set of packaged virtual machines for deployment on-premises, Skype for Business Cloud Connector Edition uses with the same binaries as the full server, but packaged to just the components necessary for cloud connectivity.   So while Edge Server manages connectivity to Office 365 and Mediation Server connects to the next-hop SIP Peer, other components for registration and meetings are excluded. The result is faster to deploy, easier to configure and operated from the cloud.

Because the same software components are being used as the server, the interoperability between Cloud Connector Edition and your existing PSTN circuits is the same as with Skype for Business Server. An extensive array of Gateways, SBCs, IP-PBXs and IP telephony service providers have been tested with Lync Server and Skype for Business and this same infrastructure is supported. You can find the infrastructure qualified with Skype for Business here . For PSTN infrastructure that hasn't yet been tested with Skype for Business, you can use a Gateway or Session Border Controller from our partners including AudioCodes and Sonus.

Everyone who has a subscription to Cloud PBX can get started today with the Skype for Business Cloud Connector Edition and download directly from Microsoft at https://aka.ms/getCCE .    Of course our large network of partners stand ready to help customers plan their deployments and can be found at http://partnersolutions.skypeforbusiness.com . For customers who are interested in deploying themselves, the complete guide to planning your deployment can be found on TechNet here .

Thanks so much!!

Jamie Stark

@nomorephones

Avoid Meeting Glitches with a Checklist

William Bellamy — Tue, 21 May 2019 00:03:23 GMT

First published on TECHNET on Apr 01, 2016
A few minutes often separates success from failure. Personally the Be Prepared motto has served me well. Every pilot knows not to start their engines before stepping through the pre-flight checklist. The Checklist Manifesto generalized this approach from aviation to complex high value activities like surgery. IT folks usually don’t hold people’s lives in their hands, but anomalies impacting our CEO or VP certainly may put our jobs on the line.

Skype Meeting Broadcast shattered the old 250 attendee barrier . When all goes well, you save your company significant production fees. The challenge is to avoid glitches which can easily disrupt a critical meeting. Below is a checklist to ensure successful broadcast and regular Skype for Business meetings:

Know your network . As a rule, always use a wired network connection and turn off Wi-Fi. By running a speed test in the meeting room you can get a point in time measurement. If wired is not feasible, then insure that your access point is broadcasting on 5Ghz. You also need to avoid sources of interference such as microwaves or cordless phones. The bars in the client will give you real time feedback on the network. Consider dropping video if the network cannot keep up.

Use certified AV equipment , preferably wired devices connected directly to the computer. The best devices have built-in echo cancelling technology. For video, use a free standing tripod to avoid table motion. Avoid backlight and noisy backgrounds. Make sure that the microphone has a short clear line of site to the speaker.

Verify that your computer has the latest version of everything especially drivers and Skype for Business. Why experience a bug that’s already fixed?

Use a higher performance computer. Open task manager to verify that another process is not using excessive: CPU, memory, disk or network. For example, perform an antivirus scans and Windows Update well before the meeting is scheduled to begin. Close any applications you don’t absolutely need.

Perform a dress rehearsal using the same room at a similar time of the day.

Join the meeting early along with someone remote to verify the AV and sharing.

Upload your PowerPoint slides to insure that if something goes wrong, everyone else will still have the slides. The next best option is to share your screen with the resolution set to 1024x768 pixels or 800 x 600 pixels portrait for tablets.

Have one computer join the meeting per room which will eliminate the chance of echo.

Avoid background noise by muting everyone except the speaker. You can schedule your meeting with the “Mute all attendees” meeting option set. As a participant, don’t be bashful in muting those who are disrupting the meeting.

Skype Meeting Broadcast requires these additional checks:

Create a test meeting with participants located in critical locations to ensure that Skype Meeting Broadcast is correctly setup for your organization and that the needed URLs are not blocked by filtered by a proxy server.

After scheduling the meeting , customize the Attendee page settings by clicking on the Customize link. Under Troubleshooting and support choose the Custom link button. Copy the default URL in the URL text box. In the Link text box, add something like: “IM <alias> for help.”

Create a shortened URL for attendees and schedule a backup meeting. In the event of a catastrophic event, all you need to do is to start the backup meeting then update the URL.

Limit attendees to the inner meeting and meeting room to speakers and producers.

Have someone monitor the attendee view to insure that the experience is optimal.

If multiple video feeds will be used, do extensive rehearsal to test out the network and equipment. A scripted agenda will enable the producer and speakers to know when each person will speak.

Question & Response works well through Yammer. Senior leaders who aren’t speaking can answer questions and filter which questions to send to the speakers to answer. A designated person in the room can then ask the question to create a more dynamic interview style presentation. The first few questions may take time so you should start with some known questions.

Help us help everyone to have outstanding meetings by sharing your best practices.

Integrate On Premise Lync or Skype for Business with Office 365 UM Online

Mohammed Anas Shaikh — Tue, 21 May 2019 00:03:16 GMT

First published on TECHNET on Mar 29, 2016
Integrate LYNC/SFB Server on premise with O365 Exchange UM online

Author: Mohammed Anas Shaikh

Before we get into this, we need to have a basic understanding of what's happening with voicemail. Below is a Brief Description of what happens in the background when a call is being routed to Exchange UM online for voicemail.

How Does it Work - Call Flow for a Voice mail call

LYNC User A calls LYNC User B

User B does not answer the phone

Call then goes back to the LYNC FE server

LYNC FE server Now has to decide what to do with the call

The FE server Checks User B’s Hosted Voicemail Attribute to see if HostedVoicemail is set to $TRUE

If it is, then it checks the Hosted Voice Mail policy that is applied to the user and finds where to send the call.

The Hosted VM Policy should point to the customers Tenant in O365 and exap.um.outlook.com

Once it finds that the call needs to go to Exchange Um Online (Exap.um.outlook.com) then it generates a new Invite and sends the call to the Edge server.

The Job of FE server is done at this point

Now the edge server receives this call

Edge server checks the CSHostingProvider to see if a Hosting Provider has been created for "Exap.um.outlook.com" to find out if it should send the call out to O365

The CShostingProvider points to exap.um.outlook.com and hence edge creates an INVITE and sends it out to exap.um.outlook.com

Once Edge sends the INVITE it reaches the Microsoft access edge proxies which relay this to the Exchange online UM servers in O365

The exchange Online UM server verifies the tenant, checks Dial Plan, Then Checks the "Callee" Info from the Invite and validates if the "Callee" user has been enabled for VM in O365 and if he is then it accepts the VM

The Procedure to Configure this is Described Below:

Step 1 – Check Pre Requisites

A Working Edge server is a Requirement for LYNC on Premise to work successfully with Exchange UM Online. Make sure you have a working LYNC Edge server. In order to confirm that your edge server is configured correctly make sure you can do the following:

Have a User sign into LYNC remotely through the edge

Have a Internal user establish an IM session with a federated user (If you have Open federation then they should be able to add users from other organizations who have open federation. If you do not have Open federation you have to add someone’s Domain to your allowed list and then try and see if you can establish IM sessions with this domain.

Make sure internal users can Successfully make and receive LYNC calls to federated users and remotely connected users.

The Call flow of FE/Edge sending the call to exchange Um is similar to the call flow of a LYNC call between internal and external or internal and federated users. If that itself isn’t working it for sure will cause problems with UM online and VM.

"One You have verified all the Above Your Step 1 is Complete."

Step 2 - Configure UM settings on the O365 Portal

A O365 account with Enterprise E3 or E4 plan, Educational A3 or A4 Plan, or Government E3 Plan , or a la cart Exchange Online Plan 2 Is Required.

There are Two Important settings that you have to configure on the O365 Portal related to Unified Messaging

Create a UM Dial Plan

Enable Users for Unified Messaging

Below are Instructions on how to accomplish that.

1. Create a UM Dial Plan

To create a UM dial Plan

Login to the O365 Portal as an Administrator

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting page click on UM dial plans Tab at the top

Click the "+" Sign to create a New Dial plan

The New UM dial plan window now opens

On this window enter the details of the Dial Plan

Name - You can enter any name you want, some special Characters like " / \ [ ] : ; | = , + * ? < > are not allowed.

Extension Length - Enter the number of Digits you use for extension number for your users ON Premise

Dial Plan Type – SIP URI is the only supported Dial plan type for Integrating UM online with Lync/SFB.

VoIP Security Mode -Unsecured (default) should NOT be changed. (This is the Only supported VoIP security Mode for integrating UM online with Lync/SFB at present)

Audio Language - English (depends on your preference)

Country/Region Code - "1" for United States

Click Save

Your Dial Plan is now Created.

Every time you create a New UM Dial Plan a default Mailbox policy is created Automatically that is associated with this dial Plan.

Take a Note of what mailbox policy is Associated with your Dial plan. You can use the below steps to check what Mailbox policy is associated with your dial Plan.

How to check what Mailbox policy is associated with your dial Plan.

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Unified Messaging at the bottom left Hand Corner

On the resulting page Double click on UM dial plan you created

You will be able to see what Mailbox Policy is associated with your UM Dial Plan as shown in the below screen shot:

You can find more detailed explanation on Each of the above properties and UM Dial Plans here - http://technet.microsoft.com/en-us/library/bb123819(v=exchg.150).aspx

2. Enable your Users for Unified messaging

Follow the Below steps to enable a User for UM online on the O365 Portal;

Login to the O365 Portal

On the Top right Hand corner click the drop down box where it says Admin

Select Exchange from the List

Then on the following Page select Active users under the Users Section.

Select your User (in this case User A)

ON the Extreme right hand side Select/click EDIT EXCHANGE PROPERTIES as shown below:

On the resulting Page Click on Mailbox features on the Left

Click on Enable under PHONE AND VOICE FEATURES --> Unified Messaging

On the resulting Page Click BROWSE

Select the UM Mailbox policy from the List that you want to use for User A

Click OK

Refer Screen shot below for reference

This will take you back to the Enable UM Mailbox Page

Click Next here

On the resulting page Verify the Sip address of the User and make sure its correctly populated. (the sip address of the user should be EXACTLY SAME as the SIP URI that he uses to login to LYNC Client)

Enter an extension for the user (his extension should be the same as what he uses On Premise, If they don’t use extensions On Premise they still have to enter an extension here, they will have to give the user an extension and it has to be Unique for every user)

Click Finish

On the resulting Page Click Save

Your User is now Enabled for UM in O365.

NOTE: In this scenario we Enabled the user for UM on the O365 Portal itself. This was because I created My user directly on the O365 portal and My user was previously NOT enabled for UM. If you are in a scenario where you are Migrating your User from Exchange On Premise to Exchange Online and if the User is already enabled for UM in your On Premise environment then to Enable him for UM in O365 you have two options.

Option 1: You can disable UM for the User on the ON Premise Exchange server and then Move his mailbox to O365 and then Enable him again For UM on the O365 Portal following the same instructions as described above.

Option 2: If you Do not wish to Disable and Re-enable the user for UM and would instead like him to stay UM Enabled while you are moving the users Mailbox then to do this you have to create the same Dial plan and Mailbox policies as you use on the ON Premise Exchange UM set up in O365 and then you can move the User with his UM settings to O365, this way his UM extension and Pin will remain the same. The procedure for this is described very well here - https://msdn.microsoft.com/en-us/library/hh552484(v=exchsrvcs.149).aspx

You still will need to provide a Unique Subscriber Access number to your O365 Dial plan if you want your users to be able to call and Check their Voice mails from PSTN or use OVA.

When the User is moved to O365 they will receive an automated email indicating they are enabled for UM and this email will contain the new SA number they can now use for OVA.

"Once You have completed all the above steps and you reach this section of the Article your Step 2 is Complete. That means everything that you were required to do configuration wise on the O365 Portal has now been completed. We can now move towards steps 3 where we configure the On Premise LYNC servers to make sure they work with Exchange UM online."

Step 3 - Configure the FE server on Premise

Pre-requisite

Hosted Voice Mail is ONLY supported for users who are Enabled for Enterprise Voice. In order to ensure all Voice Mail features for Users work accurately you need to ensure they are enabled for EV on Premise.

Overview

Here are the configurations you have to perform on Premise

Create Hosting provider for Edge

A Hosting provider is Required in order for the Edge Server to forward Voice Mail calls to O365.

You Can Create a Hosting Provider by Running the Following Command.

New-CsHostingProvider -Identity UMonline-Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFQDN "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification

The Proxy FQDN Field should always be pointing to Exap.um.outlook.com for every customer. The Enabled and EnabledSharedAddressSpace parameters should always be set to TRUE for every customer.

To Ensure that a Hosting Provider was created successfully, run the following command from Lync PowerShell "Get-CsHostingProvider"

Below is a Screen shot of a Successful output of this command from a working Lab environment. Compare your Output with the screen shot below and Ensure all required Fields are populated correctly.

Enable Users for Hosted Voice Mail.

You have to Enable your Users for Hosted Voice Mail in order for Voice Mail to work. To do this you can run the following Command from the LYNC power Shell.

Set-CsUser -Identity sip:Usera@lync1.com -HostedVoiceMail $True

For More Details Refer Article - https://technet.microsoft.com/en-us/library/gg413062.aspx

To ensure that the User was enabled for Hosted Voice Mail successfully run the following command from Lync PowerShell "Get-CsUser -Identity sip:Usera@lync1.com " . Below is a Screen shot of a Successful output of this command from a working Lab environment. Compare your Output with the screen shot below and Ensure that the HostedVoiceMail attribute is set to TRUE

Create Hosted Voice Mail Policy

In order for LYNC FE server to send Voice Mail calls to O365 you have to create Hosted Voice Mail Policy.

Hosted Voice Mail Policies can be Created at Global (Exists in every Organization By Default, you can't create a New one you can Only Modify an Existing One) Site or User Level.

You can use the Below command to Create/Modify a Hosted Voice Mail Policy at Global Level.

Set-CshostedVoiceMailPolicy -Identity Global -Description Global Hosted VM Policy for All Users -Destination exap.um.outlook.com -Organization techlyncumonline.onmicrosoft.com

For More Details Refer Article - https://technet.microsoft.com/en-us/library/gg398332.aspx

To Ensure that a Global Hosted Voice Mail Policy was created successfully, run the following command from Lync PowerShell "Get-CsHostedVoiceMailPolicy"

Below is a Screen shot of a Successful output of this command from a working Lab environment. Compare your Output with the screen shot below and Ensure all required Fields are populated correctly.

This Hosted Voice mail Policy then needs to be applied to all your Users.

If you have created Hosted Voice Mail policy at Global Level then this Policy by default will apply to ALL users who have been enabled for Hosted Voice Mail and you DO NOT have to specifically assign this policy to any user.

In this case if you Run the command "Get-CsUser -Identity sip:Usera@lync1.com " from LYNC PowerShell you will Notice that the HostedVoicemail attribute is set to True but the HostedVoiceMailPolicy Attribute is "Blank". If you are using a Global Hosted Voice Mail policy then this attribute will always be "Blank". This just means that the FE server will use the Global Hosted Voice Mail policy settings for this User.

If you create a Site Level Hosted Voice Mail policy than that Policy will apply to All users in that site by Default.

If you create a User Level Hosted Voice Mail Policy then IT WONT apply to any users by Default, You have to Manually Assign the Policy to your Users.

Please Refer the following Articles for more information on how to Create and Apply Site/User Level Hosted Voice Mail Policies.

https://technet.microsoft.com/en-us/library/gg398332.aspx

The Destination Field in the Hosted Voice Mail Policy should always be pointing to Exap.um.outlook.com for every customer. The Organization field should point to either the Default O365 Tenant of the customer which would be something like customerdomain.onmicrosoft.com or the Vanity domain of the customer which maybe just customerdomain.com.

Important: The domain name that has been entered in the organization Field HAS to be an Authoritative/accepted exchange domain in O365 . You can check If the domain entered by the customer is an authoritative domain or not by checking the O365 portal or by connecting to Exchange online PowerShell and running the command Get-acceptedDomain

Please refer the following KB to find out how to do that in more detail

http://technet.microsoft.com/en-us/library/jj945194(v=exchg.150).aspx

http://technet.microsoft.com/en-us/library/jj984289(v=exchg.150).aspx

Create SA and AA contact Objects

(this step is required only if you want your users to be able to call and check their VM using their Cell phone or PSTN, And if you want to use Auto Attendant feature. For initial Voice mail roll out this is NOT Mandatory)

Since Creating SA and AA contact Objects is Not Necessary for Voice Mail calls to work I am not including details on how to create these Contact objects. Please refer the following KB to find out how to do that in more detail

https://technet.microsoft.com/en-us/library/gg412765.aspx

Once You have done all of the Above Your Step 3 Is Complete and the On Premise LYNC Environment should Now be Configured Completely to Work with O365 for Unified Messaging. AT This Point Calls to Voice mail for User Mailboxes Hosted in O365 Exchange Should Start Working. If they aren't you can proceed further to the below section of this document for more useful information.

If you have done all of the Above and if Still Voice Mail for users hosted in O365 does not work then you can follow the Instructions further below in Step 4 and Step 5 in this Article to Troubleshoot further. I have Listed Below some Known Reasons why calls to Voice Mail would Normally Fail even if all the Necessary configurations have been completed Successfully.

Step 4: Verify the following configurations on the LYNC on Premise side

The Internal Interface of the edge server should not have a default gateway. You should have a Persistent route on the internal edge network interface for every Client Subnet you have in your Environment/Network.

The External Interface of the edge server should use a Public DNS server in an Ideal scenario. If You are Using an Internal/Private DNS server on the External Interface Switch to an External/Public DNS server and Flush the DNS Cache. If you have a Security Requirement that Prevents you from using an External/Public DNS server then you will have to create the _sipfederationtls._tcp.domain.com SRV record on your Internal/Private DNS server pointing to the external FQDN of your Access edge pool. If you don't do this you may see errors like - ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record"; ";responsecode="504"; In Event logs or in Sip Stack logs on the Edge Server.

Check if you can do an NSLOOKUP and resolve _sipfederationtls._tcp.domain.com SRV federation record from the edge server itself. If you can't this may be a reason why calls are failing.

Ensure UDP 3478 and TCP 443 are open Inbound on the External AV Edge FQDN.

Check if you have configured any static routes, if you have a static route then this will cause issues with UM online if the Matched URI of the static route is same as the Sip Domain/Users Sip URI. So if you have a static route and the Matched URI of the static route is same as the Sip Domain/Users Sip URI you need to remove the static route otherwise UM will NEVER work. You can check if you have a Static route or not by running the command "Get-CsStaticRoutingConfiguration" from the LYNC PowerShell. If they do not have a static route the output of this command should be Blank as shown below:

If removing the static Route resolves the issue and you insists that you need a Static route then you have to change the URL of the service that you are using the static route for. You cannot use the same SIP domain you have in LYNC for any other service like video conferencing which requires a static route. If you want to use both a third party video conferencing service and UM online then the Conference URL’s of the video conferencing service should not be the same as their default SIP domain.

For example: If the SIP domain is contoso.com then the Third party conference system URL should not be Contoso.com it can however be set as XXX.contoso.com.

Make sure CMS Replication status is good between FE and Edge, If Replication between FE and Edge is Not working the Edge server may not know about the Hosting Provider and may not even send the Call to O365. You can check this by running the following command from the LYNC PowerShell

Get-CsManagementStoreReplicationStatus

Once you have Verified/Corrected all the above Check if the issue is now resolved if Not Continue forward;

Note: At this point, If you have done all the above you can be confident that all the configuration that is required to ensure LYNC/SFB ON premise works with O365 Exchange UM online has been done correctly. If Voice mail still isn't working we will now have to collect Logs to find out the cause/solution.

Step 5: Collect Traces to further Troubleshoot

If you have verified and confirmed steps 1 to 4 and the issue still persists than collect traces to further troubleshoot.

Collect Traces for the following components on all the FE and Edge servers while reproducing the issue

FE Server à Sip Stack, S4, Inbound Routing, Outbound Routing, ExUM Routing

Edge Server à Sip Stack, S4, Network Traces using Wireshark or Network Monitor.

User A and user B Client Side UCCAPI logs

Important: When reproducing the problem while collecting traces always reproduce the problem using users signed in internally directly through the FE and not from users connecting remotely. For Example if you are troubleshooting an issue where User A calls User B and when B does not answer the call the call does not roll over to VM; Then while collecting traces make sure both Users A and B are logged in to LYNC internally to the Fe server and not External through Edge.

In the logs look for the INVITE that goes from FE to Edge and from Edge to Exap.um.outlook.com. Follow this call ID and see where the error occurs. If the Errors that you see in Ms-Diagnostic reflect something like "A Call Failed to Establish due to Media Connectivity Failure" Then this means that Network issues are preventing Calls from Working. Ideally If this is the reason You should see failure when trying to make audio calls or Perform Application Sharing with Federated Partners as well. The Most Common Reason for this issue per My experience is Incorrect NAT rule on the Firewall. If you are Using Nat on the External AV edge Interface then you have to ensure any traffic that leaves the External AV edge FQDN is Nat-ted correctly on the Firewall. So the Firewall when it sends these Packets out to O365 it should keep the Source address of outgoing Packets same as the External Nat-ted FQDN of the AV Edge Server.

I would Strongly recommend collecting Network Traces on the External Interface of the Firewall to confirm this.

You should also ensure that UDP 3478 and TCP 443 are open Inbound on the External AV Edge FQDN.

THE END

Get-CsPoolUpgradeReadinessState showing NOT READY or BUSY

Mohammed Anas Shaikh — Tue, 21 May 2019 00:01:21 GMT

First published on TECHNET on Mar 18, 2016
Author: Mohammed Anas Shaikh

Issue: Get-CsPoolUpgradeReadinessState showing NOT READY or BUSY all the time.

You may come across this issue where the output of Get-CsPoolUpgradeReadinessState command would always show "NOT READY" or "BUSY" and never changes even though the pool is stable, All the routing groups are evenly balanced, There is NO user impact or issue and there seems to be nothing wrong. Still Every time you run the command Get-CsPoolUpgradeReadinessState the output simply shows NOT Ready or BUSY.

Since the Get-CsPoolUpgradeReadinessState never shows a READY Status you could not update/restart these FE servers at all.

It just seems like everything is Normal but for Some Reason the output of the command doesn’t reflect that and it seems very likely that the Command output is inaccurate.

The Get-CsPoolUpgradeReadinessState in the backend checks Certain Performance counters to decide if the Pool is Stable and Ready for Upgrade or NOT. If for some reason it is unable to read these counters than there is a possibility that when you run the Get-CsPoolUpgradeReadinessState command the Output will Not be Accurate.

TO resolve this issue you can use the Below information;

What Information does Get-CsPoolUpgradeReadinessState command look at in order to decide if a pool is ready for Upgrade or not?

There are Certain Performance Counters on every FE server that are by default supposed to be ENABLED and should always stay in the ENABLED state. The Get-CsPoolUpgradeReadinessState command reads these counters in order to decide whether a pool or a FE server in an Upgrade domain is ready for update or Not. If For some reason these Performance counters are Disabled then the Get-CsPoolUpgradeReadinessState command will never be able to reflect the True state of the FE server or Pool.

What Counters are required to be Enabled on the LYNC FE Server in order to make sure Get-CsPoolUpgradeReadinessState returns the Correct state of the Pool?

The Performance Counter Named WRTCESPF is the actual Counter that is required to be Enabled for Get-CsPoolupgradeReadinessstate command to work. If this Counter is disabled on any FE server then Get-CsPoolupgradeReadinessstate will not be able to show the true state of the pool.

How can you find out if the WRTCESPF Counter is enabled and is working?

Method 1 - Using Command Lodctr (Recommended Method)

The Output of the LODCTR command shows all the Performance counters that are enabled on a Particular FE server.

To Find out which Counters are Enabled on any FE server do the following

Open Command Prompt

C:\> LODCTR /Q >Counters.txt

Open the Text File Counters.txt in notepad

This file will list all the counters that are present on the Server

Search for the counter Named WRTCESPF

Make Sure it says Enabled next to this Counter in the Text File (See Example below) If it shows Enabled then it means the required counters are enabled.

Method 2 - Using Performance Monitor

The Counter WRTCESPF corresponds to the "LS:Usrv - Cluster Manager" Counter in Performance Monitor

"LS:Usrv - Cluster Manager" is the Actual Counter that Get-CsPoolUpgradeReadinessState looks for in order to decide the state of the pool.

There are several Counters listed Under LS:Usrv - Cluster Manager (as shown below)

To View the above do the following

On the FE server

Click Start

Go to Performance Monitor

On the Performance Monitor Window

Click the Green Plus Icon for Add

Select LS:Usrv - Cluster Manager

Click Add

Click OK

Then Click the Graph Type Icon

Select Report from the Drop Down Menu

This Will show you all the Counters that are within Cluster Manager. The Get-CsPoolUpgradeReadinessState command reads these Counter Values to Decide whether a FE server is in Ready state for upgrade or Not.

You can confirm this if you Start PowerShell Logging in OCS Logger and run the Get-CsPoolUpgradeReadinessState command.

In the Screen Shot Above for LS:Usrv - Cluster Manager Counters you will Notice some numeric Values on the right, If the counter is working fine these Values will be populated. In addition if the Counter is enabled then you will be able to find it in Performance Monitor. These two things will indicate that the Counter is enabled.

You can also run some commands to get the actual output of the Counter Values, the command Below can be used to find the output of the "Usrv - Number of routing groups for which the current machine is idle secondary replica"

"Get-Counter "LS:USrv - Cluster Manager\USrv - Number of routing groups for which the current machine is idle secondary replica" -ComputerName $fe"

The output of the above command on a FE server that is Ready for Update should be Zero. If you run the command and you don’t get an output etc. then it would again indicate that the counter may be Disabled.

How To Reload the Counters if they are disabled or not working?

If the Get-CsPoolUpgradeReadinessState Command Output Never Shows that the Pool is READY then it could mean two things.

The Pool is ACTUALLY Not Ready for Update because Routing groups are still being Balanced in the Background.

The Pool is Steady and all Routing Groups have been Balanced and all users are working just fine but the state Never changes from Not Ready to Ready EVER.

For point #1 the recommendation is to Just wait long enough to make sure the routing groups are balanced and then eventually the Get-CsPoolUpgradeReadinessState should reflect a Status of READY for the Pool.

For Point #2 - The Pool is Steady and all Routing Groups have been Balanced and all users are working just fine but the state Never changes from Not Ready to Ready EVER.

In this case there is a good possibility that everything in working fine but still the Get-CsPoolUpgradeReadinessState never shows READY even after you have waited a considerably long amount of time even Days. The Cause of this issue could potentially be related to the Performance Counters ( WRTCESPF , LS:USrv - Cluster Manager ) that are required by the Get-CsPoolUpgradeReadinessState to report the True state of the FE server or Pool.

We Discussed previously in this Document how you can find out if the Performance Counters for (WRTCESPF, LS:USrv - Cluster Manager) are enabled and working.

If you have Confirmed that the Counters are in Fact Disabled then that would probably be the cause of the issue.

However you may come across a scenario where you would find that the (WRTCESPF) Counter is ACTUALLY enabled but still the Get-CsPoolUpgradeReadinessState keeps Showing a NOT READY Status.

In BOTH of these situations follow the steps below:

Step 2: Reload the Performance Counters on Every FE server

We have to reload the performance counters on every FE server that is having an issue.

To reload the counter do the following on Each FE server

Open Command Prompt

Run the command regsvr32.exe /I /n wrtcespf.dll

as shown in the screen shot below from C:\program files\Microsoft Lync Server 2013\Server\Core>

C:\program files\Microsoft Lync Server 2013\Server\Core> regsvr32.exe /i /n wrtcespf.dll

Step 3: Manually Set the Correct Permissions in the Registry so that the RTC Server Local Group has Full Permissions to read these Counter Values.

It is required that the RTC Server Local Group has the proper permissions assigned in order to be able to read these performance counter values. If for some reason the permissions get altered due to a Faulty/corrupt GPO then chances are that even though the Counters are Loaded and enabled correctly the Get-CsPoolUpgradeReadinessState will be unable to read these counters. Hence it is a good idea to manually set these permissions Correctly.

To Set the correct Permission do the following on every FE server after you reload the Counters

On FE Server

Open Registry Editor

Browse to HKLM\system\currentcontrolset\services\wrtcespf\performance\parameters

Right Click Parameters

Click permissions

Click Add

Click Locations

Select The FE server that you are performing this operation on here "in my example it is LYNCENT01"

Now Enter RTC Server Local Group and Click Check Names as shown below:

Click OK

On the Permissions for Parameters page click Advanced

Select RTC Server Local Group

Click Edit

In the Drop Down Box next to Apply to: Select This Key only

Select checkbox to Allow Full Control

Click OK

Repeat the same on all the FE servers that have the issue.

Recycle RTCSrv service or Restart FE server

Once the Counters have been reloaded and appropriate permissions have been set then recycle the RTCSrv Service on all the FE servers (One server at a Time)

stop-cswindowsservice rtcsrv

start-cswindowsservice rtcsrv

NOTE : Make sure you follow the guidelines when recycling the Windows service. Perform this only on one FE server at a time . Make sure it comes back up and the Primary and secondary's are balanced before you move to the other server.

The NextHop team wants to thank our team member Mohammed Anas Shaikh in Microsoft CSS for this excellent post. We look forward to featuring more of his content soon!

TCP? or TLS? Which do I use for Trusted Applications?

NextHop_Team — Mon, 20 May 2019 23:59:22 GMT

First published on TECHNET on Mar 11, 2016
Author: Steve Schiemann

Product Version: Skype for Business Server 2015

During the first few months after the release of Skype for Business Server 2015, Unified Communications Customer Service and Support (CSS) was hit with a minor “surge” of cases with a puzzling issue. The Skype for Business Server 2015 Front End (FE) service would crash every 24 hours, almost to the minute after the last reboot, or service restart. Here is a typical event ID 1000 associated with such a crash:

Log Name: Applicationw
Source: Application Error
Date: Date/Time
Event ID: 1000
Task Category: (100)
Level: Error
Keywords: Classic

User: N/A

Computer: ServerName
Description:
Faulting application name: RTCSrv.exe, version: XXXX , time stamp: XXXX
Faulting module name: SIPStack.dll, version: XXXX , time stamp: XXXX
Exception code: 0xc0000005
Fault offset: 0x0000000000442aa1
Faulting process id: 0x1ab4
Faulting application start time: 0x01d0bbeed3ffd292
Faulting application path: C:\Program Files\Skype for Business Server 2015\Server\Core\RTCSrv.exe
Faulting module path: C:\PROGRA~1\SKYPEF~1\Server\Core\SIPStack.dll
Report Id: 874748dc-28ab-11e5-8115-005056b52889

Shortly after each case was opened, relevant data was gathered, which included event logs, a topology export, and crash dumps gathered from an elevated command prompt with “ procdump -ma -e <PID_of_Process> <output path>" . The data showed that the FE service (rtcsrv.exe) was using incorrect logic to validate the address of the trusted TCP server. Part of this logic assumed that Transport Layer Security (TLS) was in use. The certificates in use on the FE server all checked out fine. So the certificate information must be coming from a remote server, right? Not so in this case...

During the course of investigation, CSS asked the affected customers about their environment. We also looked at the topology files. A pattern soon emerged, in that these customers were all running trusted applications from third-parties. Furthermore, the applications were configured to use TCP connections, instead of TLS, which requires a certificate. With help from the Skype for Business product group, the issue was at last fully understood: There was no problem with a certificate; the problem was that there was NO certificate. When a TCP connection came in from a trusted app, an access violation was generated because of the “missing” certificate. This problem has now been corrected in Skype for Business 2015 Server Cumulative Update 2. See this link for the latest Front-End/Edge update for Skype for Business server 2015, and related KB 3141114 for more information on this particular issue.

But why not use TCP for trusted application connections? I’ve found nothing in Microsoft documentation says use TLS only. As a matter of fact, you have to run New-CsTrustedApplication when installing/configuring a new trusted app, and the -EnableTCP parameter is valid. The documentation for New-CsTrustedApplication says, “Use this parameter only if the trusted application is not a Microsoft Unified Communications Managed API (UCMA) application”. This doesn’t mean that you SHOULD use -EnableTCP if the trusted app is not UCMA, but it is an option.

The use of plain TCP connections with trusted applications is not nearly as common as TLS connections. It turns out that TCP connectivity from trusted applications gets limited test coverage. Most trusted apps nowadays can and should be configured to use TLS. With TCP connectivity, there is no support for IPv6, and it lacks the added security and privacy of TLS .

Back to the crashing problem, why did the crash occur almost exactly 24 hours after the last FE service restart? It seems that TCP connections are refreshed at that set time interval from the last service start. While this issue is resolved in Skype for Business Server 2015 CU2, we recommend using TLS over TCP for your trusted applications.

Skype for Business 2015 Protocol Workloads Poster

NextHop_Team — Mon, 20 May 2019 23:59:13 GMT

First published on TECHNET on Feb 23, 2016
Hi Everyone,

The NextHop team wanted to make sure you all know about the Skype for Business Server 2015 Protocol Workloads Poster. We realize this isn't exactly "new" news, but downloads for the protocol workload posters have historically been included on NextHop, so we felt it was time that we caught up with the past. Anyone have a garbage consuming, time travelling vehicle we can borrow so we can backdate this post? If not, the "present" will have to do. So, here goes!

The posters can be downloaded here (PDF and VSDX formats): https://www.microsoft.com/en-us/download/confirmation.aspx?id=46448

And get this...the package includes SEVEN, that's right SEVEN different posters!

Topics covered in the posters include:

IM and Presence

IM and Presence

A/V and Web Conferencing

Application Sharing

Enterprise Voice

Certificate Requirements

DNS Configuration

Here are a few snippets of what you'll find in the posters:

Above - Application Sharing poster snippet

Below - DNS Configuration poster snippet

Don't wait, download your copy today!

The posters can be downloaded here (PDF and VSDX formats): https://www.microsoft.com/en-us/download/confirmation.aspx?id=46448

Thank you from the NextHop team!

End of Extended Support for Office Communicator and Office Communications Server

NextHop_Team — Mon, 20 May 2019 23:58:50 GMT

First published on TECHNET on Feb 22, 2016
End of Extended Support for Office Communicator and Office Communications Server

Please see the updated article here .

Lync 2010 transitioning from mainstream to extended support

NextHop_Team — Mon, 20 May 2019 23:58:43 GMT

First published on TECHNET on Feb 17, 2016
The NextHop teams wants to remind everyone that the following products will be transitioning to Extended support as of April 12, 2016:

Microsoft Lync 2010

Microsoft Lync 2010 Attendant

Microsoft Lync 2010 Attendee

Microsoft Lync 2010 Group Chat

Microsoft Lync Server 2010 Enterprise Edition

Microsoft Lync Server 2010 Group Chat Software Development Kit

Microsoft Lync Server 2010 Software Development Kit

Microsoft Lync Server 2010 Standard Edition

Extended Support lasts for a minimum of 5 years and includes security updates at no cost, and paid non-security updates and support. Additionally, Microsoft will not accept requests for design changes or new features during the Extended Support phase.

You can find out more about Microsoft product lifecycles here .

Thanks!

The NextHop Team

On .NET Framework 4.6.2 and Skype for Business/Lync Server Compatibility

NextHop_Team — Mon, 20 May 2019 23:58:35 GMT

First published on TECHNET on Feb 11, 2016
Update 2/13/17 – .NET Framework 4.6.2 is supported with the February 2017 Cumulative Update for Skype for Business Server 2015

Both Lync Server 2013 and Skype for Business Server 2015 are supported with the .Net Framework 4.6.2. Skype for Business Server must have the February 2017 update for Skype for Business Server or later installed. This update can be found at https://support.microsoft.com/en-us/help/3061064/updates-for-skype-for-business-server-2015

Lync Server 2013 must have the November 2016 update, or later installed. This update can be found at https://www.microsoft.com/en-us/download/details.aspx?id=36820 .

Skype for Business and Lync 2013 Memory Usage

NextHop_Team — Mon, 20 May 2019 23:58:27 GMT

First published on TECHNET on Jan 14, 2016
Skype for Business and Lync 2013 clients manage memory differently than previous client versions. This article describes the design change, how it impacts client performance, and how it affects the memory footprint. For purposes of this article, the term “Lync 2013” relates to Lync 2013 and Skype Business clients. At the time of this writing, the executable name for Lync 2010, 2013 and Skype for Business clients is lync.exe.

Author : Steve Schiemann

Product Versions : Lync 2010, 2013/Skype for Business 2013

Design Changes

At a high level, the difference between Lync 2013 and Lync 2010 memory usage patterns stem from two main changes. Each change will be discussed in more detail below.

Lync 2013 does not proactively flush working set memory

Lync 2013 uses shared office components

Working Set Trimming

Lync 2013 relies more on the operating system to manage memory compared to Lync 2010. This allows the lync.exe process to effectively utilize physical memory when available and at the same time allowing the operating system (OS) to trim lync.exe’s working set when other application demand more. By allowing the OS to manage physical memory, Lync 2013 can reduce the number of page faults thereby improving the overall system performance.

Lync 2010 performs explicit flushing of the working set memory when the main window of the application is minimized or closed to run in system tray even when physical memory is already available for use by other applications. This explicit flushing of the working set consumes operating system resources, and causes page faults when the Lync application demands more physical memory from the paging file. This impact can be observed by measuring the number of page faults when Lync client is minimized/running in system tray and executing core scenarios like receiving IM, receiving P2P audio call or joining a meeting. In real time communication scenarios, this impact can translate to delays in effective use of the application.

Page faults occur when there is not enough physical memory on the machine to meet memory demands. When this occurs, memory is copied from physical RAM to a swap file on the hard disk drive, and then make room to enable the requested memory allocation to complete. This is a very expensive operation because this swap requires a series of reads and writes on the hard disk drive, and this process must be completed before the operation that caused the fault can resume.

In Lync 2013, if the OS needs the memory for other programs, lync.exe’s working set will still get trimmed, but only when needed. This design change improves the overall performance of Lync 2013, and the host machine as well.

The graph below is a sampling of the page faults for 2010 and 2013 collected on the same machine, running the same Lync account while executing the same set of scenarios in the same sequence.

As you can see there is a significant decrease in the number of page faults for Lync 2013\Skype for Business:

The graphs below show Page Faults/sec and Working set memory while executing the above scenarios.

Shared Office Components

Lync 2013 is more strongly integrated with other office components and shares several office components and resources. This move effectively allows Lync 2013 client to provide a much richer user interface (UI) experience compared to Lync 2010. Reusing office components has also increased the working set of Lync 2013 compared to Lync 2010. This increase in working set can be attributed to advanced caching strategies, use of hardware vs software rendering when appropriate, animations and fluidity of the user experience (UX).

In addition to richer UX, sharing office components allows Lync 2013 to share working set with other office applications running on the same machine consuming the shared components. This can be observed by capturing a virtual memory snapshot of Lync process and another office application (Outlook -2013) running on the same machine and components like msod.dll loaded into memory (working set) is being shared by both the applications.

With Lync 2013 being part of office suite of applications, many users have Lync & other Office applications (Outlook, OneNote) running on the same box. This combination results in a much more effective usage of working memory set even though the working memory size is bigger when viewed individually from Lync 2013 as a standalone application. Lync 2010 running on the same box as other Office applications does not share Office components in memory, effective resulting in less effective usage of working memory set across applications.

Implications of These Changes

You might notice that the Lync 2013 client may use a significant amount of memory, depending on how long it has been running, and what activities have been performed with the client. When looking at a graph of Private Byes, Virtual Bytes, and Working Set in Performance Monitor, you might see a constant increase in these counters for lync.exe, especially during the working day. These counters will typically not decrease overnight if lync.exe is left running.

For some applications that trim their own working set, this could be a sign of a memory leak. However, because of the design changes mentioned above, chances are good that this is NOT a leak. The real question to ask is whether there any actual performance problems associated with this level of memory consumption, with this application, other applications, or the operating System? If real performance problems are seen, further investigation would be warranted.

Resources

Working Set
https://msdn.microsoft.com/en-us/library/windows/desktop/cc441804(v=vs.85).aspx

Ask the Performance Team - PRF: Memory Management (Working Set Trimming)
http://blogs.technet.com/b/askperf/archive/2009/04/10/prf-memory-management-working-set-trimming.aspx

Working Set Trimming can negatively impact SQL, Exchange, and Operating System performance under Windows 2003
https://support.microsoft.com/en-us/kb/2001745

Excessive paging on Exchange 2007 servers when working sets are trimmed
http://blogs.technet.com/b/mikelag/archive/2007/12/19/working-set-trimming.aspx

AllowSavePassword Group Policy setting for Skype for Business or Lync 2013

NextHop_Team — Mon, 20 May 2019 23:57:55 GMT

First published on TECHNET on Jan 14, 2016
We recently discovered an issue with the with the Lync 2013\Skype for Business GPO (Group Policy Object) that controls a user's ability to save their password. The Group Policy setting in question is SavePassword and is used to control the ability to prevent users from checking the "Save my password" box. Prior to this update, the SavePassword GPO would uncheck the "Save my password" checkbox, but would leave the box exposed so that users could simply recheck the box.

This issue was resolved with the addition of a new GPO titled AllowSavePassword as detailed in KB 3086665 . This new setting must be used IN COMBINATION with the SavePassword GPO as described in the KB. The AllowSavePassword registry when set in proper combination with SavePassword, will remove the "Save my password" checkbox from the Sign In UI.

This update is included as part of the September 2015 update for Lync 2013 and Skype for Business, MS15-097: Description of the security update for Microsoft Lync 2013 (Skype for Business)

You may need to perform additional steps if you wish to force users to enter credentials every time they log in to Lync or Skype for Business. Lync\Sfb saves a certificate in the users Personal certificate store, and this certificate (if present) may need to be removed to prevent the client from automatically logging in. This certificate can be viewed using the certificate MMC, should be of type Client Authentication, and will contain the users SIP address (for example, user@contoso.com). The certutil utility can also be used to view and delete certificates.

We strongly encourage you to test this GPO, any associated registry keys, and any other modifications (including modification or removal of any certificates) in your lab or test environment.

Additional Resources:

See Configuring client bootstrapping policies in Lync Server 2013 .

You can find the Office 2013 Administrative Templates here .

The Office 2016 Administrative Templates can be found here .

Author Credit for this post: Tom Misiak

It's time for the NextHop!

NextHop_Team — Mon, 20 May 2019 23:57:40 GMT

First published on TECHNET on Dec 02, 2015

The Skype for Business Serviceability team is pleased to announce the return of NextHop! Lync has experienced a great deal of growth and change over the past year, becoming Skype for Business along the way. Just this month we released several new features, including Skype Meeting Broadcast , PSTN Conferencing and Cloud PBX with PSTN Calling . With all of these exciting new product developments, we felt the time was right to revive and reinvigorate NextHop. We hope you are as excited about this as we are!

The team is currently busy rebranding and polishing the site, but stay tuned! We will be adding fresh, new content in the very near future.

Updated: NextHop blog is being consolidated

NextHop_Team — Mon, 20 May 2019 23:57:32 GMT

First published on TECHNET on May 01, 2014
Thank you to our readers for making NextHop one of the most read blogs on TechNet. The community and engagement have been integral to the success of Lync. However, as Microsoft moves toward frequent updates across all Office products, we’ve decided to consolidate future blog posts to the Office blogs platform ( blogs.office.com ) and technical content to the Lync library on TechNet. This will make it easier to find news and announcements on Office blogs and pure technical content right in the Lync library most of you frequent already. Thank you and we look forward to reading and responding to your comments on Office blogs!

-The Lync Team

Update: Some additional details that we should have included in the post:

The site will remain accessible for the near future. We cannot commit to a specific amount of time (but perhaps several months), so that folks can archive, copy, etc, articles that they rely on or regularly use without losing the information.

We will be migrating key articles to the TechNet library. We will not be moving every article published since 2007 though. When articles are published on TechNet, a redirect will be put in place so that links to the posts are not broken. Again, no promises about a flawless implementation or a specific time frame, but we did consider this and are planning to address the issue.

We'd appreciate hearing from you about the articles you rely on so that we can prioritize those in the migration to TechNet. Also unable to promise that every request will be honored, but any article that has gotten significant traffic is already on the list. You can send requests to NextHop , or post a comment below.

Thanks for the feedback.

Demo Scripts for Using Remote Windows PowerShell to Manage Office 365 Now Available

NextHop_Team — Mon, 20 May 2019 23:57:24 GMT

First published on TECHNET on Feb 21, 2014
A set of sample scripts that enable users to explore the use of remote Windows PowerShell as a tool for managing Office 365 in general, and Lync Online in particular, are now available on the Microsoft Download Center.

Author: Barry Castle, Sr. Product Marketing Manager

Reviewer: Greg Stemp, Sr. Content Developer

Product: Lync Online, Office 365

These sample scripts walk users through common Office 365 and Lync Online management scenarios, including such tasks as listing all of your Office 365 users; adding domains to your allowed and blocked domains list; and assigning conferencing policies to your Lync-enabled users. The sample scripts use an easy-to-follow menuing system, which means no prior knowledge of Windows PowerShell is required: the scripts will even make the connection and logon to Office 365 for you.

Download the scripts here: http://www.microsoft.com/en-us/download/details.aspx?id=41953 .

We Want to Hear from You

Fan us on Facebook

Send us e-mail

Lync Server 2013 Certificate Authentication and Passive Authentication support for Lync 2013 Mobile applications

NextHop_Team — Mon, 20 May 2019 23:57:15 GMT

First published on TECHNET on Oct 08, 2013

Abstract: Following up on our announcement today about new features available with updated Lync 2013 Mobile clients, we are excited to share more details about Lync 2013 Mobile client’s support for certificate authentication and passive authentication.

Author: Kaushal Mehta, Sr. Lync Beta Engineer

Publication date: 10/08/2013

Product version: Lync 2013

Introduction

Some customers prefer to limit the use of Active Directory (AD) username and password credentials in order to address a range of security concerns, including those associated with the use of smartphones and tablets. It has been challenging for these customers to take advantage of Lync mobile clients which have until now relied on AD credentials for authentication.

With the updated Lync 2013 mobile clients (version 5.2, now available for iOS and Windows Phone), customers can now take advantage of the support for Lync Server Certificate Authentication or Passive Authentication and configure their environment for enabling mobility scenarios. Notably, we are addressing these concerns in a way that minimizes the impact for end users.

Certificate Authentication

This is a proven solution since Lync Server 2010 release and Lync desktop clients already support this authentication method.

Figure 1: Lync 2013 Mobile Client Certificate Authentication flow diagram

In this method, the Lync user signs in using AD Credentials (same as before) but in the background we also get a Lync Certificate which is used for ongoing authentication. The AD credentials are only stored as a long as the current Lync application session is running, and that once either Lync or the device is restarted, only the certificate is stored locally.

Advantages

AD password is no longer needed for Lync server access (while signed in)

Certificate can be renewed without AD credentials.
- The Lync Certificate is stored in a location that does not allow access from other applications.
- The Lync certificate is scoped to Lync resources only (limits risk).
  Furthermore, a certificate is revocable by a Lync Admin using Lync PowerShell cmdlet. This limits exposure in the case where device is compromised (stolen/hacked).

In combination with AllowSaveCredentials inband policy for mobile clients, the “save my password” option can be disabled.
- If password is already set, it gets cleared from device storage when policy is downloaded; without any user interaction.

Please note: When this in-band policy is enabled or in general when credentials aren’t stored on the device, Lync mobile client cannot authenticate against Exchange Web Services (EWS).

For more details about Lync Server Certificate Authentication in general, please visit Certificate Authentication in Lync Server 2010 and Enterprise PKI .

Passive Authentication

This type of authentication offers the customers to have their users authenticate passively and hence customize the authentication experience as desired. Passive auth is handled using AD FS 2.0 that does the initial authentication. User signs in by typing sign in address only ( no password ), taps sign in and then gets redirected to ADFS for authentication. AD FS server passes back a Lync server trusted authentication token that is used by the mobile client for signing in. As we can see, there are no user credentials stored in the devices’ encrypted memory or other mobile storage location. The subsequent authentication between the Lync mobile client and Lync server is handled using the certificate retrieved during the initial sign-in.

Figure 2: Lync 2013 Mobile Client Passive Authentication flow diagram

When signing in from a Windows Phone, below is the expected user experience when AD FS configuration is set for “forms” based authentication.

Figure 3: Client Sign in

AD FS server can be configured to enable other forms of authentication (for two-factor authentication). This includes customized forms of authentication as well as support for third party AD FS based solutions. Please note that, smart card based authentication is not possible on a smart phone device at present.

Configuration and Setup

For detailed step by step instructions on how to configure your Lync deployment for passive authentication, see the blog post, Microsoft Lync 2013 for Mobile and Passive Authentication by Jens Trier Rasmussen .

Summary

We truly believe that Lync 2013 Mobile client support for Certificate and Passive authentication will help address key Enterprise IT security concerns and, more importantly, without having the users worry about security policies. The following table that demonstrates this.

	Lync Mobile 2013 with Kerberos/NTLM	Lync Mobile 2013 with certificate authentication	Lync Mobile 2013 with passive authentication
Eliminates need to store AD Credentials on device	X	√	√
Restricts use of AD Credentials to corporate network only	X	X	√
Eliminates need to have users configured with AD credentials	X	X	√*
Provides option for Two Factor Authentication	X	X	√*

√* - Passive authentication using AD FS in combination with customized authentication or third-party two-factor authentication solutions required.

Script to delete SIP profile for multiple Lync 2013 users

NextHop_Team — Mon, 20 May 2019 23:56:39 GMT

First published on TECHNET on Sep 24, 2013

Author: Edwin Joseph

Publication date: September 24, 2013

Product version: Lync Server 2013

Introduction

When a Lync 2013 desktop client for Windows signs-in, to minimize the bandwidth consumption the Lync client retrieves a lot of information from cache. This cached information is stored in the users Sip profile in a folder named Sip_(SipURI of the user) located on a Windows computer in the following folder:

%UserProfile%AppDataLocalMicrosoftOffice15.0Lync

If there is any issue with the files in the sip profile user might experience issue with Lync client such as:

Contacts appear to be offline

You cannot search the Global Address List

Contacts are missing from the contact list

Contacts display Presence Unknown

Presence is not displayed in Outlook or SharePoint

To resolve the above issue exist of out of the Lync client delete the content of the sip profile folder or delete the sip profile folder itself. However, this is not a scalable solution for large organizations. To solve this problem, I have written a script that deletes the SIP profile folder on the user’s computer which in turn deletes the cache files used by Lync 2013

Note: When restarting the Lync after deleting the SIP profile folder, the client will attempt to download the address book file resulting in heavy bandwidth consumption. This script will delete all the sip profile folders under %UserProfile%.

The Script

'==========================================================================

‘NAME: Delete sip profile

‘BY Edwin Joseph

‘COMMENT: This script deletes the sip profile for the user from machine if it exists

‘the purpose here is delete the cache files used by Lync 2013 client

'==========================================================================

Option Explicit

Dim objShell12

Dim objUserEnv

Dim strUserPro

Dim userProfile,SipProfile

Dim proPath

Dim objFSO

Dim objStartFolder

Dim objFolder

Dim colFiles

Dim objFile

Dim Subfolder

Dim uProfile

Set objShell12=CreateObject("WScript.Shell")

Set objUserEnv=objShell12.Environment("User")

strUserPro= objShell12.ExpandEnvironmentStrings(objUserEnv("TEMP"))

userProfile = objShell12.ExpandEnvironmentStrings("%userprofile%")

DeleteSip strUserPro 'delete user sip profile

'Delete sip Profile

SipProfile=userProfile & "AppDataLocalMicrosoftOffice15.0Lync"

uProfile=userProfile & "AppDataLocalMicrosoftOffice15.0"

Set objFSO = CreateObject("Scripting.FileSystemObject")

objStartFolder = uProfile

Set objFolder = objFSO.GetFolder(objStartFolder)

'Wscript.Echo objFolder.Path

ShowSubfolders objFSO.GetFolder(objStartFolder)

Sub ShowSubFolders(Folder)

For Each Subfolder in Folder.SubFolders

proPath = Right(Subfolder.Path,4)

'Wscript.Echo proPath

If proPath = "Lync" Then

DeleteSip SipProfile

End if

End Sub

DeleteSip SipProfile

'this is also to delete user sip profile

SipProfile=SipProfile & "Sip_*"

DeleteSip SipProfile

WScript.Quit

Sub DeleteSip (strSipPath)

On Error Resume Next

Dim objFSO

Dim objFolder,objDir

Dim i

Set objFSO=CreateObject("Scripting.FileSystemObject")

Set objFolder=objFSO.GetFolder(strSipPath)

'delete folder

For i=0 To 10

For Each objDir In objFolder.SubFolders

objDir.Delete True

'clear all objects

Set objFSO=Nothing

Set objFolder=Nothing

Set objDir=Nothing

End Sub

'==================================================================

How to Use the Script

To use the script, do the following:

Copy the highlighted section and paste into Notepad.

Save the Notepad file as DeleteSipProfile.vbs .

This VBS file can be executed in multiple ways.

Method 1: Network share

This method requires end user assistance and awareness. This is, however, the fastest way to achieve the end result.

Copy the DeleteSipProfile.vbs to a network share that all users can access.

Train end users to exit Communicator or Lync, and then double click DeleteSipProfile.vbs .

When the user receives the message: Open File - Security Warning Click Run .

Re-start the Communicator or Lync client.

Method 2: Group policy

To use the group policy method, deploy the VBS file as a logon policy. All end users need to do is log off, then log on to their Windows workstation.

Copy the DeleteSipProfile.vbs from the \domainSysvoldomainscripts folder.

Create a new Group Policy Object.

To suppress the Open File - Security Warning

Open the new Group Policy Object. In the left pane, expand User Configuration , and then expand Administrative Templates .

Expand Windows Components , and then click Attachment Manager .

In the right pane, double-click Default risk level for file attachments .

Click the Setting tab, and then click Enabled .

In the Set the default risk level drop down list, select High Risk .

Click Apply , and then click OK .

Double-click Inclusion list for low file types .

Click the Setting tab, and then click Enabled .

Enter the file types you don't want to be warned about in the box (for example: .vbs) in the Specify low risk extensions box.

Click OK .

Deploying the logon script

Open the new GPO In the left pane, expand User Configuration , and then expand Windows Settings .

Click Script (logonlogoff) .

In the right pane, double-click Logon .

In the Logon Properties windows click Add .

In the Script Name field type in \domainSysvoldomainscriptsDeleteSipProfile.vbs .

Click OK .

In the Logon Properties window, click Apply and then click OK .

Link this new GPO to Users OU and, if possible, enforce it.

Run GPupdate /force on the Domain Controller.

Note: Do not forget to unlink the policy after confirming that all users have logged out and logged in.

Summary

In this article we have examined how to delete Sip profiles on from multiple workstations using a script which in turn will delete cache files used by the Lync client. This script has been tested for both Windows 7 and above client operating systems as per System requirement for Office 2013 .

Understanding HADR in Lync Server 2013

NextHop_Team — Mon, 20 May 2019 23:56:31 GMT

First published on TECHNET on Sep 04, 2013

Abstract: With the introduction of new features in Lync Server 2013, IT administrators and partners can provide users a rich unified communications experience that is highly resilient to single points of failure. However, failures can – and do – happen, so the product enables a set of recovery services that allow for minimal data loss and swift re-enablement of services in the cases of server or datacenter outages.

Author: Marc Perez

Technical Review: Thomas Binder

Product version: Lync Server 2013

Publication date: September 2013

High Availability

A system is considered high available if it can tolerate the loss of one or more of its subcomponents and still provide service. For Lync Server 2013, high availability is achieved by a number of methods, in particular are two: the replicated distribution of user sets and the user data across multiple Front End servers in a pool and the mirroring of Back End servers via SQL Mirroring (preferred) or SQL Clustering ** . These two functions can ensure that a potential failure of any one Front End or Back End server (including the respective storage) can no longer present a single point of failure for the entire system.

Since these features are dependent upon the presence of multiple servers within a single pool to ensure both Front End and Back End components remain available, Standard Edition - which is an all-in-one instance of Lync Server – offers no high availability. By default, it is a single point of failure as the mechanisms for replicating data and enabling the recovery of all services (in an automated fashion) are not available if the server experiences failure. When a Standard Edition server fails, effectively all the Front Ends and Back Ends in that pool fail with it.

Variations in deployment configuration can determine where the solution provides automated resiliency and where it will need manual intervention. If manual intervention is required, the entire solution cannot be considered “highly available” as users would experience a service interruption until an administrator invoked whatever manual process is required. Additionally, consideration should be given to things like server maintenance and other server roles: maintenance on a Lync Server in a two Front End pool eliminates any availability during the maintenance window, and without a SQL Witness there can be no automated failover and failback for the backend SQL Mirror.

** While SQL Clustering is now supported by Lync Server 2013, it should be noted that SQL Mirroring – which can be configured and managed by Lync Server 2013 – is the preferred solution. For more on SQL Clustering support, see Database Software Support .

Lync Server Edition	Configuration	High Availability
Standard	Single Server	None
Standard	Paired SE pools (in data center)	Automatic for Resiliency Mode *
Enterprise	Single FE, Single BE	None
Enterprise	Single FE, Paired BEs (SQL Mirror)	None
Enterprise	Single FE, Paired BEs (SQL Mirror) + Witness	Automated Backend Failover only
Enterprise	Two FEs, Single BE	HA for Lync only w/o BE failure
Enterprise	Two FEs, Paired BEs (SQL Mirroring)	HA for Lync only w/o BE failure
Enterprise	Two FEs, Paired BEs (SQL Mirror) + Witness or SQL Cluster	Full HA during non-maintenance
Enterprise	Three+ FEs, Paired BEs (SQL Mirror) + Witness or SQL Cluster	Full HA

Table 1 - High Availability matrix by Deployment Configuration

* The Lync client will eventually utilize a backup registrar for voice if so configured, but some delay should be expected between lost connection to the home pool and the successful retry. See Planning for Central Site Resiliency in the TechNet Library for more information on configuring registrar intervals.

Disaster Recovery

Service outages are still possible when there is a hardware failure affecting an entire pool (Standard Edition server failure, network appliance, server rack, etc.) or when there is a location based challenge (such as a network outage in a particular datacenter). In these cases, re-establishing these services quickly and with minimal data loss is the focus of disaster recovery planning. Lync Server 2013 supports two disaster recovery functions via “pool pairing”: site resiliency and pool failover.

In site resiliency, users of one Lync 2013 pool can be configured to automatically connect to a backup pool for resiliency mode services (a subset of full production features) when their own pool is unavailable. This period of unavailability is configurable now for both basic SIP connectivity as well as Voice services (see footnote in Table 1 for more). For pool failover, users are manually moved from one pool to another (failover) and then back (failback). While there is no automation either failover or failback, Lync Server 2013 introduces data replication between paired pools during regular (non-disaster) service. This real-time persistent data replication enables a faster recovery of services with minimal risk of data loss in the event of a site (datacenter) failure.

Lync Server Edition	Configuration	Recovery Enabled
Standard	Paired SE Pools	Site Resiliency (Automated) and Pool Failover (RTO/RPO of 30min after manual initiation)
Enterprise	Paired EE Pools	Site Resiliency (Automated) and Pool Failover (RTO/RPO of 30min after manual initiation)

Table 2 – Site Resiliency by Product Edition

Note: Please note that while SQL Clustering is now supported, Metropolitan Site Resiliency remains unsupported for Lync Server 2013. All the nodes in a SQL Cluster serving a Lync pool – as well as the associated Front End servers – should be deployed within the same physical site represented within Topology Builder.

Configuration and Considerations

From an overall solution standpoint, there are “best practices” about how to pair pools – such as keeping pairs of only same editions (EE pools paired with EE pools, SE pools with SE pools), platforms (hardware paired with hardware, virtual paired with virtual), etc. Furthermore, it is recommended to pair pools within geographic regions to mitigate challenges with performance across WANs. When a set of users are failed over from one pool to another, their conferences are hosted on the new pool until they are failed back. If the failover is from one continent to another, all users joining the conference - even if local to each other - will traverse the WAN to join the conference hosted in the failover pool. Since elements like Call Admission Control settings and Direct Inward Dial (DID) numbers are tied to pools and are not easily transferred from one region to another (such as from North America to Europe), even an organization with robust WAN links should consider such a deployment carefully.

Finally, there are often users homed on Survivable Branch Appliances (SBAs). These are often remote office locations, and like Lync 2010, SBAs can be paired to a Lync pool in 2013 for failover. Users homed on the SBAs can, in the event of a SBA failure, have their clients redirect to the Lync pool for many services:

Users	Configuration	Resiliency Achieved
Homed on SBA	SBA paired with pool, both functional	All Services
Homed on SBA	SBA paired with pool, pool fails	Resiliency Mode
Homed on SBA	SBA paired with pool, SBA fails	All Services

Table 3 –Resiliency with SBAs

*While SBAs can be paired to a Lync pool, they are not capable of utilizing pool failover services. So if an SBA is paired with Pool A which is also paired with Pool B, and Pool A fails – users of Pool A will redirect to the backup registrar of Pool B but SBA users will not.

Lync Online: Guided Walkthrough for Troubleshooting Communication Between Lync Online Users and Their Federated Contacts

NextHop_Team — Mon, 20 May 2019 23:56:25 GMT

First published on TECHNET on Jul 18, 2013

Are you looking for help to set up communication between Lync online users and their federated contacts? This guided walkthrough—based on analysis of Microsoft Support cases—walks you through the essential steps.

Contributors : Peter Krebs | Patrick Kelly | Tim Lulofs | Darrin Hanson | Premal Gandhi

Published : July 18, 2013

Product version : Lync Online

To assist you in setting up and troubleshooting communication between Lync online users and federated users from other organizations, we launched the Set up Lync Online external communications guided walk-through .

Figure 1. Set up Lync Online external communications guided walk-through

We encourage you to consult the walk-through when setting up or troubleshooting communication between Lync Online users and their external contacts.

Coming Soon: You will be able to locate the guided walk-through from the Office 365 admin center when submitting a support case.

Figure 2. Locating content for your issue in the Office 365 admin center (coming soon)

Additional Information

Office 365 Help: Configure external communications (Enterprise and Midsize Business admins)

Office 365 Help: Let Lync Online users communicate outside your organization (Small Business admins)

Office 365 Help: Add an external contact in Lync (end users)

Lync Online Resources

Configuring Federation Support for a Lync Online Customer

Office 365 Community

Lync Online Technical Blog

Lync Online Wiki Portal

Lync Online Forum

NextHop Blog

We Want to Hear from You

Fan us on Facebook

Send us e-mail

Keywords : Office 365, Lync Online, Federation

What is a Session Border Controller (SBC) and Do I Need It?

NextHop_Team — Mon, 20 May 2019 23:56:00 GMT

First published on TECHNET on Jul 08, 2013

This article discusses the functionality of Session Border Controllers, including scenarios where they can be used and how they can be implemented.

Author : Steven van Houttum, Lync MVP

Publication date : July 8, 2013

Product version : Lync Server 2013

A Session Border Controller (SBC) can be used to connect your Lync environment to one or more SIP Trunk providers or to other Voice over IP (VoIP) systems. SBCs are very common in Service Provider networks, but they can be useful on-premise as well.

The on-premise form of an SBC is also known as an Enterprise-SBC or E-SBC. In this article, we will use the term SBC. The original purpose of an SBC was to provide a secure entry point in a VoIP network. That is still a valid reason to deploy an SBC, but the modern SBC can do a lot more.

What functionality can an SBC provide?

There are several reasons that you might want to deploy an SBC. We will consider the following:

Security

Interoperability

Migration

Performance

Application on the SBC

Security

Depending on how SIP Trunks or connections with other VoIP solutions enter the environment, it can make security sense to deploy an SBC in the traditional way. The risk is usually lower with a Multiprotocol Label Switching (MPLS) or Virtual Private Network (VPN) solution, but even then, it is still an external network connecting to yours.

Having connectivity with other networks always introduces security risks. Some risks are generic, such as Denial of Service (DoS) attacks, and some are voice specific, such as toll fraud or attempts to manipulate the media.

An SBC contains back-to-back user agent (b2bua) functionality. This provides the SBC the option to handle the media, as well as the signalling (SIP). This gives an SBC more control than an application layer firewall (ALG), which usually can handle SIP only.

Another security based reason is topology hiding.

From a security perspective an SBC is an addition to a firewall, not a replacement.

Interoperability

Not all VoIP solutions are created equal, and an SBC can be an excellent way of connecting those solutions.

An SBC can handle TCP/UDP conversion, codec conversion, and connectivity to H.323 systems (so you do not need to upgrade the legacy system), to name a few.

Although SBC’s can also handle normalization, that is usually not necessary with Lync, because Lync is good at handling that itself. Lync also has quite a few settings available through Set-CsTrunkConfiguration, if you need additional adjustments in the SIP traffic.

Some interoperability issues can also be resolved of by manipulating SIP with Microsoft SIP Programming Language (MSPL).

Migration

Another SBC usage scenario is where interoperability with a third-party IP-PBX solution is required for migration or co-existence scenarios.

Besides the interoperability functionality, there are some options that can simplify a migration. When migrating from another telephony solution, an AD lookup functionality can check to see if a user is enabled for Enterprise Voice and route accordingly to Lync or the legacy PBX. This could also include call forwarding and simultaneous ring provided by the gateway, which can be handled by Lync in most cases.

Performance

When using an SBC appliance, its Digital Signalling Processor (DSP) can help with encoding/decoding.

An SBC can provide media bypass functionality, which shifts load from the Mediation role, thus requiring fewer Lync servers.

Applications on the SBC

Some vendors provide additional functionality on their SBC, such as call recording or Sip Phone Support (SPS).

SPS is used to connect third-party IP phones or devices to Lync. This can result in limited functionality, but it can make sense for some migration or interoperability scenarios.

Types of SBC’s

Multiple vendors offer E-SBC solutions. This can be in the form of a physical or virtual appliance, a software product installed on a Windows server, or combined with a gateway product. When combined with a gateway product, an SBC can also provide PSTN failover functionality, for instance between SIP trunks and ISDN.

Some providers will deploy an on-premise SBC as part of their offering, in which case the providers can manage the SBC.

See Microsoft TechCenter: Infrastructure Qualified for Microsoft Lync (including SBC) for an overview of qualified SBC solutions.

Do you need an SBC?

Whether you need an SBC depends, amongst other things, on the connectivity situation and company security policy. Using a qualified SIP Trunk provider should prevent any interoperability issues between Lync and the SIP Trunk from occurring, but an SBC could still make sense for the additional functionality it provides.

The downside of using an SBC is that is needs to be maintained, which could lead to additional costs.

SBC’s can be very useful to deploy and their use is not only for provider networks or large enterprises.

Even with a qualified SIP Trunk, it still can be useful to deploy an SBC for media bypass or Sip Phone Support.

About the Author

Steven van Houttum is a Lync MVP and independent consultant and trainer specializing in Microsoft UC deployments and migrations with a focus on voice and telephony. For additional insights, be sure to visit Steven's highly touted Lync blog, Unified Communications.NL .

Keywords: Lync Server 2013 SBC E-SBC Session Border Controller SIP Trunk

Lync Online Media Port Changes Offer Better Bandwidth Management

NextHop_Team — Mon, 20 May 2019 23:55:44 GMT

First published on TECHNET on Jun 28, 2013

Lync Online media ports are now split into three separate categories, giving you much better control over network bandwidth. This article applies to midsized business or enterprise customers with an internal proxy or firewall server.

Author : Rob Pittfield, Microsoft Senior Service Engineer

Contributor : Patrick Kelley

Technical Reviewers: Darrin Hanson | Francois Doremieux | Thomas Laciano

Published : June 26, 2013

Updated : July 3, 2013

Product version : Lync Online

Lync Online media ports are now split into three separate categories, giving you much better control over network bandwidth, as shown in Table 1 below:

Table 1. Lync Online media ports separated into three categories

Port	Protocol	Direction	Usage
50000-50019	RTP/UDP	Outbound	Audio
50020-50039	RTP/UDP	Outbound	Video
50040-50059	TCP	Outbound	Application sharing and file transfer

This enables you to manage the flows differently on your network, for example giving a higher network priority to audio or video packets using Differentiated Services Code Point (DSCP).

You can achieve this either through configuration of your network elements to apply DSCP tags to traffic coming from the relevant ports, or by applying DSCP tags to the packets at the desktop using Quality of Service (QoS) group policies.

The result can be a smoother Lync peer-to-peer (and possibly multiparty conferencing) conversation experience during times of heavy use of your network.

Please note that this applies only to client ports. Server ports (specifically Lync Online edge ports, because AVMCU ports are not directly visible) remain unchanged, covering the full 50,000-59,999 port range without segmentation by media type.

For traffic from clients on your network to server, traffic prioritization, if desired, should be applied either at desktop or at first network element based on source port.

For traffic from server to clients on your network, traffic prioritization, if desired, should be applied at the ingress point based on destination port.

IMPORTANT

QoS group policies work with only client machines running Windows 7 or Windows 8.

DSCP tags have no effect on media traffic on the internet, may be reset as they travel outside your network, and may not be honored by other parties (such as federated Lync users).

The Lync Online service doesn’t add DSCP tagging or perform prioritization on existing DSCP Tagging.

Because multiparty conferencing traffic travels from your network to the Microsoft datacenter on networks that do not honor DSCP tags, traffic prioritization only occurs on the portion of the path that you control on your network. This may or may not result in improvements to the conversation experience.

For details, see Configuring Quality of Service Policies for Clients Running on Windows 7 or Windows 8 .

Further, we are planning to eventually split out the Application sharing and File Transfer ports so that traffic can be prioritized independently also.

About the Author

Rob Pittfield is a Dedicated Premier Field Engineer for Microsoft Lync Server 2010 and Microsoft Office Communications Server 2007 R2. He works with enterprise customers, helping them get Microsoft Lync 2010 and Office Communications Server running smoothly and to their expectations.

Additional Information

Lync Technical Library: Set-CsConferencingConfiguration

NextHop: Lync Server 2013 Networking Guide: Network Planning, Monitoring, and Troubleshooting with Microsoft Lync Server

NextHop: VoiceRx: Validating QoS on Lync Endpoints

Lync Server Resources

Lync Server 2010 Documentation Library

NextHop blog

Lync Server and Communications Server resources

We Want to Hear from You

Fan us on Facebook

Send us e-mail

Keywords :

Lync Online: Troubleshooting Lync-Skype Connectivity

NextHop_Team — Mon, 20 May 2019 23:55:37 GMT

First published on TECHNET on Jun 10, 2013

With the recent release of Lync-Skype connectivity, Lync unified communications capabilities are now extended to hundreds of millions of Skype users. And there are of course lots of questions. Check out this Lync Online article for tips, tricks, and workarounds for the top questions.

Author : Patrick Kelley, Microsoft Senior Technical Writer

Published : June 10, 2013

Product version : Lync Server 2013, Lync Online

Lync-Skype connectivity is now available, which extends Lync unified communications capabilities to the hundreds of millions of people who use Skype. This combination enables Lync customers to take advantage of the global reach of Skype to connect and collaborate with suppliers, customers, and partners while relying on the enterprise richness of Lync. This initial set of features includes:

Adding Skype contacts to Lync and vice-versa, enabling presence sharing

Audio calling and instant messaging between Lync and Skype users

Management settings for Lync administrators

And although this is great news, we also know you have questions. Check out Lync Online Wiki: Troubleshooting Lync-Skype Connectivity for the three most popular questions and answers on Lync-Skype connectivity, and peruse a bevy of tips, tricks, and workarounds for people who are having trouble getting connected.

About the Author

Patrick Kelley’s first job at Microsoft was documenting the Microsoft C Compiler, Version 6.0. He currently documents Lync Client and Lync Online for the Office 0365 Documentation team.

Additional Information

Lync Online Wiki: Troubleshooting Lync-Skype Connectivity

The Lync Team Blog: Lync-Skype Connectivity Available Today

Microsoft Download Center: Provisioning Guide for Lync-Skype Connectivity: Lync Server 2013 and Lync Online (for Admins)

Keywords : Lync Server, Lync Online, Skype, connectivity

Lync Server Resources

Lync Server 2010 Documentation Library

NextHop blog

Lync Server and Communications Server resources

We Want to Hear from You

Fan us on Facebook

Send us e-mail

Lync Server 2013 Networking Guide: Network Planning, Monitoring, and Troubleshooting with Microsoft Lync Server

NextHop_Team — Mon, 20 May 2019 23:55:21 GMT

First published on TECHNET on Jun 03, 2013

The Lync Server 2013 Networking Guide: Network Planning, Monitoring, and Troubleshooting with Microsoft Lync Server white paper is now available from the Microsoft Download Center. This white paper provides a model for managing the network infrastructure for Lync Server 2013, consisting of three phases—planning, monitoring, and troubleshooting. These phases can apply to new or existing Lync Server deployments.

Authors : Craig Hill, Jack Wight, Jigar Dani, Wei Zhong

Published : June 4, 2013

Product version : Lync Server 2013

Microsoft Lync Server 2013 is a real-time unified communications application that enables peer-to-peer audio and video (A/V) calling, conferencing, and collaboration. It relies on an optimized, reliable network infrastructure to deliver high-quality media sessions between clients.

This white paper provides a model for managing the network infrastructure for Lync Server 2013, consisting of three phases—planning, monitoring, and troubleshooting. These phases can apply to new Lync Server deployments or to existing deployments. In new Lync Server deployments, your organization must begin from the planning phase. In existing deployments, your organization can start at the planning phase for major upgrades or for integrating new sites into the Lync Server ecosystem. Organizations with existing deployments can also begin from the monitoring or troubleshooting phases, if you are trying to achieve a healthy state.

Craig Hill (project lead) wishes to thank the following people for their valuable contributions to this guide: Brandon Bernier, Robert Burnett, Jason Collier, Paul Cullimore, Daniel Hernandez, James Hornby, Dave Jennings, Jonathan Lewis, Jens Trier Rasmussen, June Rugh, Juha Saarinen, Marc Sanders, Joel Sisko, Nick Smith, Andrew Sniderman, Jamie Stark, Aaron Steele, and Connie Welsh.

Additional Information

Lync Server 2013 Networking Guide: Network Planning, Monitoring, and Troubleshooting with Microsoft Lync Server

About the Authors

Craig Hill brings over 15 years of enterprise telecommunications design, R&D, consulting, support and management experience to his current role as the Microsoft Consulting Services Voice & Video Center of Excellence Practice Manager covering EMEA. He was a Voice Architect based in the UK and Ireland covering EMEA before taking the practice manager role. Craig’s previously published works include the Lync Bandwidth Calculator and the Microsoft Network Assessment for Unified Communications whitepaper.

Jigar Dani has been in the enterprise telecommunication industry for over 8 years with roles in R&D, Sales, Support, and now Lync Media Program Management. Jigar’s experience spans service providers, network and telecom OEM’s, and solution/application providers. In his 3½ years at Microsoft, he has contributed to various blog posts while working on Microsoft unified communication products, including Lync, Exchange Unified Messaging, and Live Meeting Service.

Jack Wight celebrates 30 years of technical writing and consulting experience in the software development, electronics, avionics, financial services, and telecommunications fields. Since 1998, he has been both documentation manager and writer for a variety of Microsoft technologies, including SharePoint, Windows Server System product lines, Office Small Business Accounting, and Lync Server. Jack regularly collaborates with program managers, subject matter experts, editing, and production staff to provide timely documentation.

Wei Zhong is a Principal Software Development Lead in the Microsoft Lync Media Team. He received his B.S. in Computer Science from Columbia University and has since been a developer in the real-time communications space at Microsoft for 16 years. Wei led the development effort on the core audio and video stack for Office Communications Server 2003 and Office Communications Server 2007. He has contributed to all releases of Office Communications Server and Lync Server. Since 2007, Wei has devoted his energy to improving troubleshooting tools and processes for Lync and Skype.

Lync Server Resources

Lync Server 2010 Documentation Library

NextHop blog

Lync Server and Communications Server resources

We Want to Hear from You

Fan us on Facebook

Send us e-mail

Keywords : Lync Server 2013, white paper, networking