07-27-2017 07:40 AM
07-27-2017 07:40 AM
Just set up a new Skype4B hybrid (first time in yeeeeeeeeeeers). Attaching an on-premises pool with one set of SIP addresses to a Skype4B Online environment with another set of domains for SIP addresses.
Online users can see the presence info and communicate with On-Prem users. On-Prem users can respond back to Online users if the Online user initiates the conversation.
On-Prem users cannot see presence info for Online users and get an error stating "We couldn't reach [user] to send this message."
Event Viewer says:
"A SIP request made by Lync failed in an unexpected manner (status code 80ef0194). More information is contained in the following technical data:"
404 Not Found
ms-diagnostics: 1003;reason="User does not exist";destination="email@example.com";source="sip.unh.edu";OriginalPresenceState="0";CurrentPresenceState="0";MeInsideUser="Yes";ConversationInitiatedBy="6";SourceNetwork="5";RemotePartyCanDoIM="Yes";RetriedInvite="true"
If I move an On-Premises user to the cloud, they can see all the users.
07-27-2017 07:47 AM
07-27-2017 07:52 AM
No, the online users have never been homed in the on-prem environment. One exception is that I can move my own account back and forth. When my mailbox is in the Online environment, I can communicate with the On-Prem folks and presence works fine both ways.
I haven't done much with Skype4b since the Lync 2010 and Lync 2013 days so my skills are definitely rusty. I believe we have the DNS set up correctly (5061, etc.) and set up the hybrid per this guide to the best of my abilities: https://blogs.technet.microsoft.com/canitpro/2015/12/23/step-by-step-skype-for-business-2015-hybrid-...
07-27-2017 07:53 AM
Please can you clarify this "Just set up a new Skype4B hybrid (first time in yeeeeeeeeeeers). Attaching an on-premises pool with one set of SIP addresses to a Skype4B Online environment with another set of domains for SIP addresses."
I am assuming that your SIP domains exist in your On-Prem topology and the same ones exist in 365? If not they need to match.
Secondly, assuming that your have synced your AD to Azure AD?
One question - the cloud users where they enabled in SfB Online first? If so then this would explain your behaviour. You'll need to tell your on-prem that they existin in the cloud, by enabling them like so
Enable-CsUser -Identity "username" -SipAddress "sip: firstname.lastname@example.org" -HostingProviderProxyFqdn "sipfed.online.lync.com"
07-27-2017 08:04 AM
Yes, as Mark says the online users are not aware of the on-prem environment and have to be enabled on-prem first, then moved to the on-prem pool and then back online. Make note that all attributes have to be successfully sync'ed between every step.
07-27-2017 08:29 AM
Embarassingly, I spaced on adding the cloud SIP domains to the On-Premises topology. I added them and am crossing my fingers.
On the Online side of things, I do see the SIP domains for the on-prem environment listed under Organization domains in the Skype4B Admin Center's dashboard (along with the cloud SIP domains).
We are syncing our AD to Azure AD but the user's from the cloud SIP domain are created in the cloud and not synced from AD. The users with the On-Prem SIP domains are created in AD and synced to Azure AD.
Yes, it's very, very strange. No, it's not my fault. :) Working on trying to unify and standardize the on-prem and cloud environments which have historically been very, very separate.
I have a question aout the enable-csuser command. I tried it on my account on-premises and get an error:
"enable-csuser : Cannot move user in enable operation. Use the Move user cmdlet
07-27-2017 08:32 AM
Missed this comment before I posted just a minute ago.
So, the CLOUD users will need to be enabled on-prem, moved to the on-prem pool, and then moved back online?
There's about 30,000 of them but if it works on a test group, I can gin up a PowerShell script.
07-27-2017 08:57 AM
Yeah to do hybrid properly, you'll need to add all O365 domains to your additional domains in On-Prem topology. This of course means updating certs.
You then need to make sure that DNS is pointing towards your On-Prem for all SIP domains in 365. Otherwise federation will not work right and you'll get weird issues.
Those accounts also need to be sourced from your on-prem AD. The problem is the -SharedSIPAddressSpace parameter on the tenant, basically is responsible for this complexity as it is a tenant level setting not per SIP domain.
There is also a weird quirk in how 365 performs federation. If a SIP domain exists in your tenant it will hairpin inside the tenant the communication. It will not break out to the internet, or perform DNS SRV lookup. So if you dont configure hybrid properly for all domains, you'll get this weird behaviour. I know, i've been through this pain :s
If this is not possible, you need separate tenants.
Assuming it is, you do not need to move users back to on-prem then move them to online, although that would work. The enable command should work provided your account of course is in 365 and not on-prem already. Basically what this does is tell the On-Prem SfB that the user is part of the topology, but is hosted on SfBO. this allows internal users to route to cloud users and also vice versa.
07-27-2017 08:59 AM
To comment on your command, the person you run this against must only exist in the cloud. If you run this against an On-Prem user it will fail, because you're already enabled for on-prem
07-31-2017 01:32 PM
Sorry for the absence. Real life getting in the way of work stuff.
We have about 6,000 dirsynced accounts in the on-premises SIP domain and another 23K that exist only in the cloud and are not dirsynced in a separate SIP domain space.
We updated all the DNS entries for the cloud SIP domain (lyncdiscoverinternal, lyncdiscover, _sipinternaltls._tcp, etc.) and the cloud accounts stopped being able to sign in (or at least my test account). It looked to me like it was trying to authenticate to the on-premises domain controllers but I might be mistaken.
We removed the DNS entries so that accounts with the SIP domain for the cloud environment pointed to Skype4B Online when logging in and I was able to log in with in a cloud only account again.
Now, the cloud users and the on-premises users can see each other's presence if they are in the contact list, or if you have opened a conversation window with them at some point (regardless of whether you send an actual message).
If you just use the search feature to find a new contact, you get "Presense Unknown."
I'm not sure I understand what's going on but it's better than before.
I think my next steps are to observe what happens when I migrate on-premises users to the cloud. I can't migrate (existing) cloud users on-premises because they are not dirsynced (that's another battle for another day).
Thanks for your help and being understanding of my (very) strange setup.
by Voravut on May 13, 2020
by Greg Whitworth on May 07, 2020
by Corbin Meek on April 08, 2020
by Hiren_Shah on March 19, 2020
by Corbin Meek on January 13, 2020