Lync and Cisco Remote Call Control–Updated

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/im_presence/lync_integration/9_0_1/CUP0_BK_CE1362F3_00_lync-integration-guide-90.pdf is a great document to follow.

I have summarized the steps here. There is one big difference between these steps and the ones in the Cisco document, and it is step 4.

What I found is that if users were on the second pool in my Lync environment, Lync would not recognize that the phone was answered on the other end, and would never show the call as connected or tear it down when the call completed. Basically, if you have more than one pool in your Lync environment, you need to configure each pool by using the Set-CsRegistrar cmdlet.

The process for Lync 2010 is to follow these steps:

  1. Create the Static Route and Add the Route to a Routing Collection
  2. Authorize the Host and Create a Trusted Application Pool/Computer
  3. Create an Application that is Associated with the Pool
  4. Configure the Listening Port on Lync for the Trusted Application Pool
  5. Configure the Topology for the Trusted Application
  6. Push the Settings to the Topology
  7. Update the Topology

1. Create the Static Route and Add the Route to the Global Collection

$Route = New-CsStaticRoute -TCPRoute -Destination "vvovm3003cdc.cdc.infrastructurehelp.com" -Port 5060 -MatchUri "vvovm3003cdc.cdc.infrastructurehelp.com" -ReplaceHostInRequestUri $true

Set-CsStaticRoutingConfiguration -identity global -route @{Add=$route}

2. Authorize the Host and Create a Trusted Application Pool

New-CsTrustedApplicationPool -Identity "vvovm3003cdc.cdc.infrastructurehelp.com" -Registrar "pool01.infrastructurehelp.com" -Site 1 -TreatAsAuthenticated $True -ThrottleAsServer $True -RequiresReplication $False

3. Create a Trusted Application that is Associated with the Trusted Application Pool

New-CsTrustedApplication -ApplicationID CiscoRCC -TrustedApplicationPoolFqdn "vvovm3003cdc.cdc.infrastructurehelp.com" -Port 5060 -EnableTcp

4. Configure the Listening Port on Lync for the Trusted Application

Set-CsRegistrar registrar:pool01.infrastructurehelp.com -SipServerTcpPort 5060

Set-CsRegistrar registrar:pool02.infrastructurehelp.com -SipServerTcpPort 5060

5. Configure the Topology for the Trusted Application

Get-CsTopology -AsXml | Out-File C:\CiscoRCC.xml

6. Push the Settings to the Topology

Enable-CsTopology

7. Update the Topology

Get-CsTopology -AsXml | Out-File C:\CiscoRCC.xml

In the Cluster Fqdn section, change the IPAddress parameter from “<0.0.0.0>” to 10.100.242.133, which is the IP address of the IM and Presence server.

Publish-CsTopology -FileName CiscoRCC.xml
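As an added check (my own example, not from the post or the Cisco guide), this script verifies what steps 1 through 4 created, and in particular that every Registrar pool listens on TCP 5060, which is the multi-pool problem described at the top. It assumes the Lync Server module is loaded and reuses the FQDN and port from the commands above; the static route is matched on MatchUri only.

```powershell
# Verification for the Cisco RCC integration above (added example).
# Assumes the Lync Server module is loaded; names come from the commands above.
$rccFqdn = 'vvovm3003cdc.cdc.infrastructurehelp.com'
$rccPort = 5060

# Step 1: the static route must be in the global routing collection
$routes   = (Get-CsStaticRoutingConfiguration -Identity global).Route
$rccRoute = $routes | Where-Object { $_.MatchUri -eq $rccFqdn }
if ($rccRoute) { "OK   static route with MatchUri $rccFqdn" }
else           { Write-Warning "No static route with MatchUri $rccFqdn in the global collection" }

# Steps 2 and 3: the trusted application pool and the CiscoRCC application on it
$pool = Get-CsTrustedApplicationPool | Where-Object { $_.PoolFqdn -eq $rccFqdn }
if ($pool) { "OK   trusted application pool $($pool.Identity)" }
else       { Write-Warning "Trusted application pool $rccFqdn not found" }

$app = Get-CsTrustedApplication |
       Where-Object { $_.ApplicationId -like '*ciscorcc*' -and $_.Port -eq $rccPort }
if ($app) { "OK   trusted application $($app.Identity) on port $($app.Port)" }
else      { Write-Warning "Trusted application CiscoRCC on port $rccPort not found" }

# Step 4: EVERY Registrar pool must listen on TCP 5060, not only the first one.
# A pool left at its default is exactly the case where calls never show as connected.
Get-CsService -Registrar | ForEach-Object {
    if ($_.SipServerTcpPort -eq $rccPort) {
        "OK   $($_.PoolFqdn) SipServerTcpPort = $($_.SipServerTcpPort)"
    } else {
        Write-Warning "$($_.PoolFqdn): SipServerTcpPort is $($_.SipServerTcpPort), expected $rccPort"
    }
}
```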

Posted in Uncategorized

Setting Up PowerShell on Your Desktop to Support AD, Lync, and Exchange in the same Shell

You will find that there are many times you need to run PowerShell scripts or cmdlets from your desktop because you need a combination of modules or you have other needs.

For example, for many of the scripts that I run, I need the Quest Active Directory module that can be downloaded for free from here: http://www.quest.com/powershell/activeroles-server.aspx

Set Execution Policy

You may need to set the script execution policy to run PowerShell scripts from your local console. Run Set-ExecutionPolicy Unrestricted, and that should work for you.

Configure a PowerShell Profile

You will want to configure a profile that will store your configuration on the computer.

  1. First, make sure you don’t already have a profile by running Test-Path $Profile

  2. Second, run New-Item -Path $profile -Type file -Force to create a blank profile

  3. Then run Notepad $Profile to open up the profile and edit it.

Here is what I use in my $Profile:

Set-Location c:\scripts

Import-Module ActiveDirectory

Add-PsSnapin quest.activeroles.admanagement

# Import Exchange cmdlets

$e = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://CasServer.infrastructurehelp.com/powershell

Import-PSSession $e

# Import Lync cmdlets

$l = New-PSSessionOption -SkipRevocationCheck -SkipCACheck -SkipCNCheck

$ls = New-PSSession -ConnectionUri https://FEServer.infrastructurehelp.com/ocspowershell -SessionOption $l -Authentication NegotiateWithImplicitCredential

Import-PSSession $ls

The first line sets the default starting location when PowerShell is started.

The second line is used to import the Active Directory cmdlets.

The third line adds the Quest cmdlets. Of course, this line is worthless unless you have installed the Quest tools, first.

The Exchange section follows. If I have the Exchange admin tools installed on the desktop, I use these two lines instead of the remoting lines above:

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Support

The Lync section is after the Exchange section. I would also use this line if the Lync tools are installed on the computer:

Import-Module Lync
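Putting the two alternatives together, here is an added profile of my own (not the post's) that loads the local tools when they are installed, falls back to remoting otherwise, and reports a failed session instead of silently leaving cmdlets missing. The hostnames are the post's placeholders, and the Quest and Exchange snap-in names are the ones used above.

```powershell
# Added example profile: prefer locally installed tools, fall back to remoting.
Set-Location C:\scripts

# Active Directory cmdlets; the Quest snap-in only if it is registered on this box
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if (Get-PSSnapin -Registered -Name Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue) {
    Add-PSSnapin Quest.ActiveRoles.ADManagement
}

# Exchange: local snap-in when the admin tools are installed, otherwise implicit remoting
if (Get-PSSnapin -Registered -Name Microsoft.Exchange.Management.PowerShell.Admin -ErrorAction SilentlyContinue) {
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
} else {
    try {
        $e = New-PSSession -ConfigurationName Microsoft.Exchange `
                           -ConnectionUri http://CasServer.infrastructurehelp.com/powershell `
                           -ErrorAction Stop
        Import-PSSession $e -DisableNameChecking | Out-Null
    } catch {
        Write-Warning "Exchange remoting failed: $($_.Exception.Message)"
    }
}

# Lync: local module when installed, otherwise remoting to a Front End.
# No -SkipCACheck/-SkipCNCheck here: the Front End certificate is validated, so the
# FQDN must match the certificate and the chain must end at a CA this desktop trusts.
if (Get-Module -ListAvailable -Name Lync) {
    Import-Module Lync
} else {
    try {
        $ls = New-PSSession -ConnectionUri https://FEServer.infrastructurehelp.com/ocspowershell `
                            -Authentication NegotiateWithImplicitCredential `
                            -ErrorAction Stop
        Import-PSSession $ls | Out-Null
    } catch {
        Write-Warning "Lync remoting failed: $($_.Exception.Message)"
    }
}
```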

Run as AD Account

Running PowerShell as your standard user account is pretty much worthless. So, you can use the famous Run-As to start up PowerShell using your AD credentials.

Click Start, All Programs, Accessories, Windows PowerShell, then right-click the Windows PowerShell icon and select Properties.

In Properties, in the Target attribute, modify it like my example with everything on one line:

C:\Windows\System32\runas.exe /user:us\ad.russ "%SystemRoot%\syswow64\WindowsPowerShell\v1.0\powershell.exe"

You might want to pin the icon to your Start Menu or create a short-cut. I find it so much easier that way.

Posted in Exchange, Lync, PowerShell

Lync 2010 Users Receive Certificate Expiration Warning

Symptom: Users may see (if they are paying close attention) a warning that their certificate will expire soon. The quick user will double-click the pop-up for the warning and will see a message like this one:

The Title is: Expiring Certificates

The text of the message is as follows:

The following certificates have expired or will expire soon. When a certificate expires, it is no longer considered an acceptable or usable credential. You can attempt to renew these certificates now.

If you do not want to renew certificates at this time, Windows will remind you of their pending expiration each time you log on.

Certificates

If you do not want to be reminded to renew specific user certificates, select the checkbox next to these certificates and click Done. For machine certificates, please read help and contact a system administrator if this warning reappears the next time you log onto the network.

User Action: The user panics and calls the help desk. The help desk doesn’t have a clue because they don’t even understand certificates. The help desk escalates to the Lync administrator. The Lync administrator may or may not know about this issue. If it is a VIP, it may result in a conference call with all of the managers involved.

Cause: The Lync Front-End server issues a certificate to the end user (if you look at the cert, it will show that it is issued by Communications Server), and that certificate is installed in the Personal certificate store. This certificate is NOT issued by the company’s Certificate Authority; it is issued by the Lync environment. This certificate is, by default, set to expire in 180 days. When the certificate is close to expiration, a pop-up is generated to warn the user that the certificate is about to expire so that action can be taken.

Why Certificates?: Great question, and I can’t come close to explaining this as well as the Microsoft product team does in the NextHop blog entry here.

What to do?: Nothing. Absolutely nothing needs to be done. When the certificate expires, it is renewed and users will not have any Lync connectivity issues. If you absolutely feel that something needs to be done, or you are asked for options, you can consider the following:

  1. Put out a message to all the users telling them that they “may” see this a couple of times a year and that they can safely ignore it. Of course, users will ignore the communication or will have forgotten about it and will still call the help desk.
  2. Write a PowerShell script that uses the Get-CsClientCertificate cmdlet to find those certificates about to expire, then use the Revoke-CsClientCertificate cmdlet to remove the certificates. Once the user logs back in, a new certificate will be created and applied. This seems like too much work to me.
  3. Use the Set-CsWebServiceConfiguration cmdlet to extend the validity period of the certificate to the maximum of 365 days. Yeah, this is not worth the effort, either.
  4. Configure a Group Policy object and disable the notifications. You can go here: HKLM\Windows Settings\Security Settings\Public Key Policies\Certificate Services Client – Auto Enrollment. Hopefully, this will work for you.
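For anyone who does choose option 2, this is an added example of my own (not the post's) of that script: it reports client certificates expiring within two weeks and, with -WhatIf, shows which ones Revoke-CsClientCertificate would remove. It assumes the Lync Server module is loaded and that the objects returned by Get-CsClientCertificate expose an ExpirationTime property, which you should confirm with Get-Member first.

```powershell
# Added example: report Lync client certificates near expiry, optionally revoke them.
# Assumes the Lync Server module is loaded and that Get-CsClientCertificate output
# has an ExpirationTime property (assumption; check with Get-Member).
$warnDays = 14
$cutoff   = (Get-Date).AddDays($warnDays)
$expiring = @()

Get-CsUser -Filter { Enabled -eq $true } | ForEach-Object {
    $user = $_
    Get-CsClientCertificate -Identity $user.SipAddress -ErrorAction SilentlyContinue | ForEach-Object {
        if ($_.ExpirationTime -lt $cutoff) {
            $expiring += New-Object PSObject -Property @{
                User    = $user.SipAddress
                Expires = $_.ExpirationTime
                Cert    = $_
            }
        }
    }
}

# Report first, so the list can be sanity-checked before anything is revoked
$expiring | Sort-Object Expires | Format-Table User, Expires -AutoSize

# Revoking makes the client request a fresh certificate at its next sign-in.
# -WhatIf only shows what would be revoked; remove it once the report looks right.
$expiring | ForEach-Object { $_.Cert | Revoke-CsClientCertificate -WhatIf }
```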
Posted in Lync

Lync Server 2010, Group Chat

I swear, every time somebody talks about patching, I cringe. While I support patching, I also understand that there is risk associated with it. Last week, I patched my Group Chat servers. Life has sucked since then.

Previous State: In this particular case, Group Chat was migrated from OCS 2007 R2 to Lync 2010. It was working fine for months. The previous environment had two OCS Group Chat servers.

What Happened: After patching, the Lync Server Channel Service and the Lync Server Lookup Service would not start and stay started. Here is the level of the patches. At this time, these are all current.

Yep, Lync Server 2010 Group Chat is fully up to date.

Errors Experienced: From the user perspective, users saw the error “The DomainName.com is not available” in their notices. Of course, this error is misleading, as it is caused simply by the fact that the Group Chat services would not start on the server.

After years and years of working on Windows servers, I have finally learned to use the Event Viewer. On the server side, Event Viewer displayed

Event ID 6381: An error MGCLOOKU is stopping due to an unhandled exception.

Event ID 6381: An error MGCCHANS is stopping due to an unhandled exception.

Research identified that the lookup and channel logs showed that the services were trying to establish connections to the old OCS Group Chat servers. In this case, the old OCS Group Chat servers were not properly removed from the OCS environment. Instead, the Group Chat services were disabled, and the servers were shut down and recycled. This, of course, meant that there were legacy artifacts floating around in Active Directory.

The Fix, It Took Lots of Work:

I started with Randy Wintle’s blog at http://blog.ucmadeeasy.com/2010/11/09/lync-server-2010-active-directory-references-and-how-to-remove-them/, which provided some great information on removing entries for trusted services from Active Directory. Using his steps, I used LDP to identify each server’s DN, and then used ADSI Edit to remove each entry.

Randy’s blog is an excellent source of info, and in this case it was a great post with fantastic instructions. However, that alone didn’t fix the problem.

After turning up the logging to the Trace level in the Group Chat configuration tool, it was found that a stored procedure named procGetPeerServers was still finding the old OCS Group Chat server objects in the Group Chat SQL database. I opened up the stored procedure and saw that it was querying entries from a table, tblServerIdentity.

Deleting the old servers from this table sounded like the answer, and it was, with one issue: an error was thrown when trying to delete certain entries. The error referred to entries in tblActivePeers. The relationship between two old servers was listed in this table and it needed to be deleted. The aplServerID referred to one of the old servers and the aplPeerID referred to another. Once this record was removed, Lync Group Chat services started again.

Questions:

1. Why did this only become a problem after patching? I have no clue.

2. Why were these servers not gracefully removed from OCS in the first place? Well, that sounds like it should have happened, but we know how it all works in real life. Tasks are assigned to people, and they get dropped.

3. Why was it a blocker? Who knows? I am still trying to figure out how Group Chat worked in the first place if the other servers had been disabled.

Oh well, life goes on, and Group Chat is once again up and going. I will sleep well tonight.

Posted in Lync, Office Communications Server

Group Chat–Unable to Add a User

I had a few users who were unable to join Lync 2010 Group Chat rooms after being re-hired. Their accounts had been disabled, and after they were re-hired, new accounts were created. After a great deal of research and testing, I found two scenarios and two solutions. The second scenario and solution seem to be the most likely.

Scenario #1:

  1. Add user to a room, and click apply. The name appears, but it disappears if you refresh the screen.
  2. Try to add the user to the room again, and you get an error message similar to this one:

Unable to save the memberlist:[3][322] Role <Member> for <ma-chan://DomainName.com/622cf214-de21-48f0-9f0d-80e096da67d1> already contains <These principals are already defined on the node: <sip:UserName@DomainName.com>>

  3. You can add the user to a different room, and it works fine.

The solution is to use the following steps:

1. Get the User information by running this SQL command.

SELECT *

     FROM [GroupChatDB].[dbo].[tblPrincipal]

     WHERE prinEmail='mother.goose@infrastructurehelp.com'

Document the prinID, which will be a number. This number will be used in step 3 as the prinRolePrinID.

2. Get the Group Chat room information by running this SQL command.

SELECT *

     FROM [GroupChatDB].[dbo].[tblNode]

     WHERE nodeName='NameOfChatRoom'

Document the nodeID, which will be a number. This number will be used in step 3 as the prinRoleNodeID.

3. Remove the association between the user and the room by running this SQL command.

DELETE FROM [GroupChatDB].[dbo].[tblPrincipalRole]

     WHERE prinRoleNodeID=14 and prinRolePrinID=21290

Scenario #2:

  1. Add user to a room, and click apply. The name appears, but it disappears if you refresh the screen.
  2. Try to add the user to the room again, and you get the error message:

Unable to save the memberlist:[3][322] Role <Member> for <ma-chan://DomainName.com/622cf214-de21-48f0-9f0d-80e096da67d1> already contains <These principals are already defined on the node: <sip:UserName@DomainName.com>>

Suspected Cause:

The user account was deleted, but the user came back to the company with the same name, same email address, and same SIP address. The Group Chat database basically sees that the user already exists and doesn’t like the new user account. Yes, I dumbed that down for me. :)

The solution is to use the following steps:

1. Get the User information by running this SQL command.

SELECT *

     FROM [GroupChatDB].[dbo].[tblPrincipal]

     WHERE prinEmail='mother.goose@infrastructurehelp.com'

Document the prinUri which will be ‘sip:mother.goose@infrastructurehelp.com’

Document the prinEmail which will be ‘mother.goose@infrastructurehelp.com’

Document the prinADPath which will be the DN, i.e. ‘CN=Goose\, Mother,OU=People,DC=infrastructurehelp,DC=com’ IT WILL PROBABLY BE NULL

Document the prinDisabled which will be either 1 or 0, if it is 1, then the account needs to be enabled by changing it to 0.

2. Update the User’s Distinguished Name (DN) by running this SQL command.

UPDATE [GroupChatDB].[dbo].[tblPrincipal]

      SET prinADPath='CN=Goose\, Mother,OU=People,DC=infrastructurehelp,DC=com'

     WHERE prinURI='sip:mother.goose@infrastructurehelp.com'

3. Enable the account in Group Chat by running this SQL command.

UPDATE [GroupChatDB].[dbo].[tblPrincipal]

     SET prinDisabled='0'

     WHERE prinUri='sip:mother.goose@infrastructurehelp.com'

4. Update the User’s Email Address by running this SQL command (if needed).

UPDATE [GroupChatDB].[dbo].[tblPrincipal]

     SET prinEmail='mother.goose@infrastructurehelp.com'

     WHERE prinUri='sip:mother.goose@infrastructurehelp.com'

This is one situation where I just couldn’t find good information on how to fix the issue. I knew that it had to be fixed within the database, but I could not figure out how to fix the issue without having to try several different solutions.

Posted in Lync

Heading Down the Path to MCSE: Communication, Part 3: 70-411 and 70-412

I finally got back on track and started getting some more tests done. Two more down, two more to go.

As for the 70-41 exam that I took earlier, my impression is basically: Damn, that was hard. OK, it was more like DAMN those were hard. I spent lots of time figuring out which were the wrong answers on several questions to narrow it down. I felt like I was taking my GMAT and LSAT exams all over again.

As before, I can’t tell you what was on the exam, but I can certainly tell you that I was not ready for the questions on Network Policy Server (NPS) in 70-411. Definitely one of my weaknesses. I also wasn’t ready for many of the Build List questions. These questions are the “select the right answers and put them in the right freaking order or you will get it wrong” questions.

I really like several of the Drag and Drop items. OK, I know that is sick, but I really did have fun with some of them. As I have said before, make sure you know the different item types and understand how they are used. It will really help to improve the chances of passing.

Of the two exams, 70-411 was much harder for me than 70-412, mostly because I used to live in the High Availability space and understand Failover Clustering and Network Load Balancing really well. Virtualization is an area that I have worked hard on in the last year, so it was also pretty straightforward for me.

Between these exams, I would say they cover more than all of the old MCSE exams ever covered all together.

I wish I could tell you more than to study hard, but I hope I made it clear that these are really hard exams and you should invest in a great deal of study time.

Posted in Uncategorized

Troubleshooting Lync and Exchange Web Services (EWS)

I am finding more and more that I run into issues with Exchange Web Services (EWS). For example, in an earlier blog post, I talked about the issue with 1,000 or more folders in the mailbox causing issues with the Conversation History for Lync.

I have found, by stumbling on it, an interesting application called Conversations Analyzer. The purpose of this app is to test for negative words and messages by pulling content from the Conversation History folder in the mailbox. What I found interesting is that this app uses EWS.

If you feel that you might have issues with EWS or specific servers in your environment, you can use this application to test it.

You can download the Getting Started Guide here: http://www.microsoft.com/en-us/download/details.aspx?displaylang=en&id=26127

You can then download the application here: http://www.microsoft.com/en-us/download/details.aspx?id=26134

What you will find in the Getting Started Guide is a nice detailed explanation on how the application works and how it can be modified. The only part that I cared about is the section on configuring the application to point to EWS.

Basically, press and hold Ctrl, and then right-click the Outlook icon in the notification area of the taskbar. It will get you something that looks similar to the image here:

Click Test E-mail AutoConfiguration, and then click Test in the resulting window.

In the displayed Results tab, find and use the Availability Service URL in the results.

Use the Availability Service URL in the Exchange Server URL box in the Configuration settings of Conversations Analyzer.

In the Conversations Analyzer, click on the Load Items button. If it works, yeah, EWS works. If it doesn’t work, point to a different server and try it. For me, it helped me verify connectivity for a couple of troublesome users, and it also helped me identify that the EWS connectivity just wasn’t working for another user.

Good luck!

Posted in Exchange, Lync