Firewall Testing for Lync Server

I had a recent fun time arguing with the firewall guys that they were not properly opening the ports that I had requested and that I really needed it done right.

Finally, I decided that I just needed to do the scans myself and give them a quick report of what was responding properly and what was not.

  1. Download the portqry.exe and copy it to each server.
  2. Put together a list of the Lync servers in a file named LyncServers.txt that contains the server names.
  3. Put together a list of the ports and protocols for the ports in a file named LyncServerPortNumbers.txt.
  4. Write a quick script to run on each server.

After that, it is just a matter of running the script on each server and collecting the data. Of course, the best feeling was sending the list of results with a From ServerX test for each server to the firewall team so they could see what they missed.

Here is a link to the files: Test-LyncPorts.zip.
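The procedure above can be sketched as follows. This is an added example, not the script from Test-LyncPorts.zip; it assumes portqry.exe and both text files sit in the current folder, and that each line of LyncServerPortNumbers.txt has the form "port,protocol" (for example "5061,tcp"), which is an assumed format.

```powershell
# Added example: run PortQry from this server against every Lync server/port pair.
# Assumed layout: .\portqry.exe, .\LyncServers.txt (one name per line) and
# .\LyncServerPortNumbers.txt (one "port,protocol" pair per line, assumed format).
$Source  = $env:COMPUTERNAME
$Servers = Get-Content .\LyncServers.txt | Where-Object { $_.Trim() }
$Ports   = Get-Content .\LyncServerPortNumbers.txt | Where-Object { $_.Trim() }

$Results = foreach ($Server in $Servers) {
    foreach ($Line in $Ports) {
        $Port, $Protocol = $Line.Split(',') | ForEach-Object { $_.Trim() }

        # -n = target name, -e = single port, -p = protocol (tcp or udp)
        $Output = & .\portqry.exe -n $Server -e $Port -p $Protocol 2>&1 | Out-String

        # Order matters: "NOT LISTENING" and "LISTENING or FILTERED" both contain "LISTENING".
        $State = if     ($Output -match 'NOT LISTENING')         { 'NOT LISTENING' }
                 elseif ($Output -match 'LISTENING or FILTERED') { 'LISTENING or FILTERED' }
                 elseif ($Output -match 'FILTERED')              { 'FILTERED' }
                 elseif ($Output -match 'LISTENING')             { 'LISTENING' }
                 else                                            { 'UNKNOWN' }  # e.g. name did not resolve

        New-Object PSObject -Property @{
            From = $Source; To = $Server; Port = $Port; Protocol = $Protocol; State = $State
        }
    }
}

# One report per source server, so the firewall team can see each "From ServerX" view.
$Results | Select-Object From, To, Port, Protocol, State |
    Export-Csv ".\From-$Source.csv" -NoTypeInformation

# Show only the paths that still need attention.
$Results | Where-Object { $_.State -ne 'LISTENING' } |
    Format-Table From, To, Port, Protocol, State -AutoSize
```

FILTERED means no response came back at all, which is the usual signature of a firewall dropping the traffic, while NOT LISTENING means the target host itself refused the connection.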


Video Device Missing from Lync 2010 Options

This was an interesting scenario. Users have had audio/video in Office Communications Server 2007 R2.

1. Moved user from OCS 2007 R2 pool to a Lync 2010 pool. If they continued to use Communicator 2007 R2, their audio and video devices worked fine.

2. Upgraded user from Communicator 2007 R2 to Lync 2010 client.

After upgrading the client, users complained that the Video option was not available and they could not make video calls. When you go into the Lync Options, there is no choice for Video Device like there should be. The video device is still working in other applications, though.

The really odd thing about this was that if you opened up the Lync Options before the users signed in, you can easily see the Video Device option and set it. Once the user signed in, though, it would disappear.

I was confused as to why video worked when still using the Communicator client, but stopped when their client was upgraded. I took a wild guess and tried these two steps:

  1. Set-CsConferencingPolicy -AllowIPVideo $True -EnableP2PVideo $True
  2. Exited and restarted the Lync 2010 client

Ta Da! It works again.

As a side note, it may not require completely exiting the Lync 2010 client. Signing off and signing back in again may be enough.

Part 2 – We found some more unusual behavior in the build numbers.

  • 4.0.75577.0 worked fine on most of the Windows 8 client computers
  • 4.0.75577.0 did not work on most of the Windows 7 client computers
  • Adding the April 2013 rollup seems to have fixed the issues we were seeing with the Windows 7 clients, though.

Identify Group Chat Users

It can be a pain to identify which users have been enabled for Group Chat rooms as there is no attribute in Active Directory that relates to Group Chat.

Now, I suppose you could just go and visit each room configuration, see what security groups have been set up for the room permissions, and then translate those security groups to individual accounts.

Or, you could just run a query against the Group Chat database:

SELECT *
  FROM [tblPrincipal]
  WHERE prinTypeID = 5 AND prinDisabled = 0


Identifying Bad/Corrupt Calendar Items

I have been seeing more and more issues with bad calendar items causing out-of-control mailbox database and transaction log growth. What I have seen as a good process for attacking these issues is to use the following:

  • Exchange User Monitor (ExMon) which will identify the mailbox that is causing the problem. You will see a single mailbox or just a couple that consumes a huge percentage of resources.
  • Calendar Check (CalCheck) can then be used against the mailboxes to identify calendar items that have been modified way too many times and have become extremely large. It is usually one or more of these items that have become corrupted and are causing this issue.
  • Scot O, one of my favorite bloggers, also has a great blog to help identify issues by viewing the transaction logs and using strings.exe to identify repeating patterns which usually indicate a problem. http://blogs.msdn.com/b/scottos/archive/2007/07/12/rough-and-tough-guide-to-identifying-patterns-in-ese-transaction-log-files.aspx

Recently, I have been trying to find a more proactive measure to identify these calendar items that tend to break when users just refuse to follow best practices.

I have combined PowerShell and CalCheck to look for bad items. Here is my latest version of the script. Please keep in mind that the formatting of this blog does not always work perfectly for scripts, and many of the lines that appear here are really a single line. You can download the latest version of this script here.

# This script is broken into three steps. In the first step, we identify users that have large calendar folders.
# In this step, we get the databases first to try to minimize the memory requirements of processing all mailboxes,
# as PowerShell fails when you start getting into the tens of thousands of mailboxes.

$Date = Get-Date
Write-Host Start processing script at $Date # I always like to keep track of how much time scripts take

$mbdb = Get-MailboxDatabase | Where {$_.name -ilike '*vpc*'}
Write-Host $Null | Out-File List.txt   # Start with an empty list file

foreach ($db in $mbdb){
    Write-Host Processing $db
    $Mailboxes = Get-Mailbox -database $db

    foreach ($i in $Mailboxes){
        $CalendarSize = (Get-Mailbox $i | Get-MailboxFolderStatistics -folderscope 'calendar').FolderandSubFolderSize
        # Write-Host $i - Calendar size is $CalendarSize

        # The size is reported as text such as "95.37 MB (100,000,000 bytes)"; keep only the byte count
        $CalSplit = $CalendarSize -split ' '
        $CalSize = $CalSplit[2]
        $CalSize = $CalSize -replace "\(|\)|,| bytes"
        $CalSize = [int64]$CalSize   # int64 so that folders larger than 2 GB do not overflow

        if ($CalSize -gt 100000000){
            Get-Mailbox $i | Select Name,LegacyExchangeDN | FL | Out-File -append list.txt
        }
    }
}

$Date = Get-Date
Write-Host Completed identification of mailboxes that have large calendar folders at $Date

# In this step, we simply run CalCheck against all of the mailboxes that have calendar folders over 100MB
# as found in the first step. This requires version 2.0 or higher which supports the -l and -a arguments.
# It is vital that the account running this script have proper access to the individual mailboxes to scan them.
# The output will be a large number of log and csv files. I use the csv files for simpler processing.
# Note: Currently, CalCheck is not able to process more than around 100 mailboxes at a time. YMMV.
# You should also note that I pause the PowerShell script so that CalCheck can run.

Start-Process -FilePath c:\calcheck\calcheck.exe -ArgumentList "-a -l list.txt"
Write-Host "Once CalCheck has finished running, press any key to continue ..."
$x = $host.UI.RawUI.ReadKey("NoEcho,IncludeKeyDown")

$Date = Get-Date
Write-Host Completed running CalCheck against mailboxes that have large calendar folders at $Date

# In this step, we create an output file for our results.

Write-Host $Null | Out-File Results.csv
$Header = "Subject,Organizer,Email,Modifications,Size"
$Header | Out-File Results.csv

$UserFiles = Dir C:\calcheck\calcheck_*.csv

foreach ($File in $UserFiles){
    Write-Host " "
    Write-Host PROCESSING $file
    Write-Host " "

    # Work on a copy and drop the "Processing ..." lines so the file imports as clean CSV
    Copy $File CalItems.csv
    (Get-Content calitems.csv) | where {$_ -notmatch 'Processing*'} | Set-Content calitems.csv
    $CalItems = Import-CSV calitems.csv

    foreach ($item in $CalItems){
        $Subject = $Item.Subject
        $Size = $Item.Size

        # This section is used to identify the organizer of the meeting and to put their info into
        # first name, middle initial, last name format and also the same for their email address,
        # which I can use in other scripts to send automated email if I want.
        # Your email address format may differ.
        $Organizer = $Item."Organizer Name"
        $Organizer = $Organizer -split "_ "
        $OrganizerFN = $Organizer[1]
        $OrganizerLN = $Organizer[0]
        $OrganizerFN1 = $OrganizerFN -split " "
        $OrganizerFN2 = $OrganizerFN1[0]
        $OrganizerMI = $OrganizerFN1[1]
        $Organizer = $OrganizerFN + " " + $OrganizerLN

        if ($OrganizerMI){
            $Email = $OrganizerFN2 + "." + $OrganizerMI + "." + $OrganizerLN + "@company.com"
        }
        if (!$OrganizerMI){
            $Email = $OrganizerFN2 + "." + $OrganizerLN + "@company.com"
        }

        # Only rows that carry a modified-instance count can be evaluated
        # (the original test here was an assignment, so it was always true)
        if ($Null -ne $Item."Modified Instances"){
            [int]$Modified = $Item."Modified Instances"

            if ($Modified -ge 20){
                $Result = "$Subject,$Organizer,$Email,$Modified,$Size"
                Write-Host $Result
                $Result | Out-File -append Results.csv
            }
        }
    }

    Del CalItems.csv
}

$Date = Get-Date
Write-Host Completed script at $Date

What you will end up with is a csv file named results.csv that can then be loaded into Excel and sorted as needed to identify the items that may be causing the most pain.


Insufficient Access Rights to Perform the Operation – Lync Server 2010

Actually, I have seen this issue both in Exchange Server 2010 when trying to mailbox-enable a user account and in Lync Server 2010 when trying to enable a user for Lync. In both cases, the error says you don’t have the proper access rights. It really isn’t so much an issue about your account having the proper rights to enable the Lync user; it is more about the object that you are trying to enable being a member of an Active Directory protected group.

It really is a simple fix:

  1. Open up Active Directory Users and Computers and select the user account.
  2. Select the Security tab
  3. Click advanced
  4. Select “Include inheritable permissions from this object’s parent”
  5. Click Apply

It should work now.
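Before changing anything, you can confirm that an account is in this state. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module is available, and the account names at the bottom are placeholders.

```powershell
# Added example: report which user objects block inherited permissions,
# and whether they carry the adminCount flag set on protected-group members.
Import-Module ActiveDirectory

function Get-UserInheritanceState {
    param([Parameter(Mandatory = $true)][string[]]$SamAccountName)

    foreach ($Name in $SamAccountName) {
        $User = Get-ADUser -Identity $Name -Properties adminCount, nTSecurityDescriptor, memberOf

        New-Object PSObject -Property @{
            User                = $User.SamAccountName
            # 1 means the object has been stamped as a protected-group member
            AdminCount          = $User.adminCount
            # True means "Include inheritable permissions" is unchecked on the object
            InheritanceDisabled = $User.nTSecurityDescriptor.AreAccessRulesProtected
            # Direct group memberships, to help find the protected group involved
            MemberOf            = ($User.memberOf -join '; ')
        }
    }
}

# Placeholder account names; replace with the users that fail to enable.
Get-UserInheritanceState -SamAccountName 'jdoe', 'asmith' |
    Where-Object { $_.InheritanceDisabled } |
    Format-List User, AdminCount, InheritanceDisabled, MemberOf
```

If the account is still a member of a protected group, Active Directory's AdminSDHolder process will turn inheritance off again on its next run, so the lasting fix is to use a separate, non-privileged account for mail and Lync.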


Error with your new mobile phone partnership–Exchange Server 2010

This was definitely a first for me.

Hmmm, who knew that ten phones was too many?

From: Microsoft Outlook
Sent: Thursday, August 16, 2012 4:28 PM
To: Kaufmann, Russ
Subject: Error with your new mobile phone partnership
Importance: High

You have 10 phone partnerships out of the maximum allowed 10 partnerships. After you reach the maximum, you can’t create additional partnerships until you delete existing ones from your account. To do so, sign in to Outlook Web App, click Options > Phone > Mobile Phones, and delete any unused partnerships.


Group Chat File Transfer Error

This is another situation impacted by certificates, and is often seen after the certificate has been changed or replaced on a Group Chat server because it expired or is about to expire.

Basically, when somebody tries to send a file, the file transfer will fail with a message that includes the following:

Could not establish trust relationship for the SSL/TLS secure channel.

There are two places where a certificate needs to be configured in Group Chat. First, the Group Chat Server Configuration tool, and second, the certificate needs to be updated in IIS. In this case, though, the cause of the issue is the certificate in IIS. If the certificate was expired in the Group Chat Server Configuration, then users would not be able to access Group Chat at all.

The easiest way to test if the certificate is misconfigured in IIS is to use the GCWebService.asmx page to test it. You can find the URL for this page pretty easily by using the Group Chat Server Configuration tool. Once in the tool, click on the System Wide icon on the left pane, and then click on the File Repository tab.

Here, you will see the URL. Copy it and paste it into a Web browser and see if you get a certificate error or warning. The certificate warning is the behavior you can expect for a certificate misconfiguration in IIS. Thankfully, it is very easy to fix.
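The same check can be made without a browser. This is an added example, not part of the original post; the host name is a placeholder for the server in the File Repository URL, and port 443 is assumed.

```powershell
# Added example: show which certificate IIS presents and why a client would distrust it.
function Test-TlsCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName, [int]$Port = 443)

    $State = @{}
    # Accept whatever is presented so the handshake completes and the problem can be
    # reported; no application data is sent over this connection.
    $Callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($s, $Cert, $Chain, $Errors)
        $State.Errors = $Errors
        $State.Cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Cert
        $true
    }

    $Client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $Ssl = New-Object System.Net.Security.SslStream($Client.GetStream(), $false, $Callback)
        $Ssl.AuthenticateAsClient($HostName)
        $Ssl.Dispose()
    }
    finally {
        $Client.Close()
    }

    New-Object PSObject -Property @{
        Server       = $HostName
        Subject      = $State.Cert.Subject
        Thumbprint   = $State.Cert.Thumbprint
        NotAfter     = $State.Cert.NotAfter
        Expired      = ($State.Cert.NotAfter -lt (Get-Date))
        # None = trusted; otherwise RemoteCertificateNameMismatch,
        # RemoteCertificateChainErrors or RemoteCertificateNotAvailable
        PolicyErrors = $State.Errors
    }
}

# Placeholder host name; use the server from the File Repository URL.
Test-TlsCertificate -HostName 'groupchat.example.com' |
    Format-List Server, Subject, Thumbprint, NotAfter, Expired, PolicyErrors
```

Any PolicyErrors value other than None corresponds to the "Could not establish trust relationship" failure, and the thumbprint shows whether IIS is still bound to the old certificate.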

Setting the Certificate in IIS is not very difficult at all. All you need to do is follow the basic steps here:

1. Open Internet Information Services (IIS) Manager

2. Expand the server name node

3. Expand the Sites node

4. Click on the Default Web Site node

5. Click on the Bindings link in the Actions pane

6. Select https and click Edit

7. Use the SSL certificate drop down box and select the proper certificate, click OK and close any other open windows.

8. Restart the Default Web Site and it should be fine.

Try your Web browser again, and you should see results similar to this page (with more links in it).


At this point, file transfers will again work in Group Chat.
