Lync 2013 Client and Remote Call Control – CUCM

Yes, I know. Remote Call Control (RCC) is dead in the world of Lync. Well, it’s not dead yet, but I am sure it will get fully clubbed over the head soon.

This issue reared its ugly head the other day when upgrading Lync 2010 clients to Lync image2013 clients. Every time you would start Lync 2013, it would generate this warning pop-up:

Cannot apply your new call forwarding settings. To turn off call forwarding, click OK. To ignore this error, click cancel.

If you click OK, it goes away until the next time you sign into Lync 2013. If you click Cancel, it goes away until the next time you sign into Lync 2013. Basically, nothing gets rid of it. This does not happen if you are using Lync 2010, though.

The reason? Well, Cisco… Yep, it isn’t a Lync 2013 issue, even though it appears to be it’s fault. Lync 2010 doesn’t experience because it doesn’t care what the Cisco Unified Call Manager tells it.

Basically, the issue is that CUCM tells the Lync 2013 client that call forwarding is set, even though it isn’t. See the Cisco Bug report for more info. The good news is that Cisco is going to fix it. Hopefully, it won’t be too long.

Posted in Uncategorized | Leave a comment

Unable to Publish Change to Trunk Configuration

This is a short post.

I tried to make a change to a Trunk configuration,. I needed to set up the Trunk so that it would use TCP and to port 5060. I made the change in Topology Builder, and everything looked great. However, when I tried to publish the change, the Publish Topology option was greyed out. I could not publish the change.

No errors were generated and nothing told me that there was a conflict. However, the solution was an easy one. I turned off “Enable hardware load balancer monitoring port” which was also set to use 5060. I later changed the monitoring port.

The next step will be to let the load balancer team know that they need to update their monitoring port so the load balancer can know not to direct traffic to a downed server.

Posted in Uncategorized | Leave a comment

Persistent Chat is Deployed–Now What?

Persistent Chat (PChat to those near that have come to love it or hate it) is an interesting beast in that it isn’t very widely used in many organizations, if it is used at all. However, I have found that PChat provides valuable communication and collaboration opportunities for many user groups in a company.

For example, help desk personnel can post information in a room about trending issues caused by an application upgrade, and they can share their fixes. Once the next shift comes in, they can review the information previously posted.

Deploying PChat is covered by several Technet articles and several blogs. It is fairly simple, unless you want stretch pools, to deploy PChat. The basic steps are to:

  1. Create the PChat Pool in the Topology Builder.
  2. Install the prerequisites on the target servers.
  3. Run the Deployment Wizard.
  4. Make sure you update the install to match the rest of the environment.

The next steps are pretty simple, as well. However, it is easy to forget a few steps. So, let’s cover the individual pieces that are needed.

Persistent Chat Policy

Configure the Persistent Chat Policy to enable PChat, and assign it to the user accounts. You can edit the existing Global policy if you want, or create another policy and enable PChat for it and then assign it to users.

Create a Category 

You will probably want to create multiple categories depending on your permission model, the types of users, or even the location of the users.


The Category needs to include:

  • Allowed members – To add users to the room, they must be listed in the Allowed members list. This can be confusing in comparison to Group Chat. The category basically defines what users are allowed to be assigned to rooms in the category. Allowed members can include OUs, Distribution Groups, Domains, and individuals
  • Denied members – As in all Microsoft products, deny overrides allowed.
  • Creators – You need to define the list of creators. These are the administrators that will have the permissions to create rooms in the category.

Note: The Enable file upload does not work for Lync 2013 clients, it will only for down-level clients.



Create Rooms

The creators can create rooms, and then assign the Managers role so that the managers of a room can add and remove users to the room. Remember, they can only add users that have been previously identified in the category.

The page for creating new rooms is pretty self-explanatory.



Edit/Modify Room Settings

Changes can be made to a room in the My Rooms screen by hovering over the room name and then clicking on the Edit icon when it appears. Another method would be to use the Lync 2013 client, enter the room, and then click on the ellipses and expose the menu that allows you to Manage the Room.


Posted in Uncategorized | Leave a comment

Rate My Call–Skype for Business

I would say that this is definitely one of the Top 10 questions that I hear from those that are investigating the upgrade to Skype for Business or have recently deployed it.

Question: How do I turn off the Rate My Call feature?

Microsoft’s Jens Trier Rasmussen covers this topic very well for us on the Technet Blog. I strongly suggest reading his blog post as it has some great information.

From what I keep hearing, Administrators have two major concerns:

  1. They don’t want users to be bothered with the pop-ups.
  2. They don’t want to be bothered with explaining why there are so many poor quality reports when the call quality is just fine.

I think the second issue is the most important to administrators. I hear from administrators that they don’t want to collect the call rating information as they are pretty sure that managers will be wanting to see reports on the data. The first time a manager sees the pop-up requesting feedback, they will know that the data is being collected and will want to know all about it. The call quality reporting that is self reported by users is not as reliable as we would like it to be, and it can be hard explaining to management that users are providing less than stellar responses despite the environment providing for top quality calls.

Keep in mind that in order for this feature to work properly, users need to have the following:

  • They need to be running Skype for Business 2015. Please note that the feature works whether running the Lync User Interface of the Skype for Business User Interface.
  • They need to be on a Skype for Business pool.
  • The Client Policy needs to be configured.

How do I Turn it Off?

Run the PowerShell cmdlet: Set-CsClientPolicy –RateMyCallDisplayPercentage 0

Set the parameter to zero, and users will not receive the pop-ups.

Posted in Lync | 1 Comment

DIY Lync Diagnostics

I am like everyone else in that sometimes I just don’t have the time, the attentiveness, nor the in-depth knowledge to completely diagnose some of the off the wall stuff that I run into. I am also cheap in that I don’t want to pay for a Microsoft case every time something strange happens in Lync. I am not saying that I stick my head in the sand, either.

So, being a reasonably responsible engineer, I look at some of the basics, and then I leverage some of the many tools available to help troubleshoot issues. I hope this collection of tools helps.

Remote Connectivityimage

This is probably one of the easiest pieces to test for Lync. Microsoft has had the Remote Connectivity Analyzer for years, and it does a great job.

There is a great deal of information out there on this tool, so I won’t replicate that. Please remember that it is out there.

Microsoft Support Diagnosticsimage

I don’t know the history of this site, but I know that I have learned to love the Microsoft Support Diagnostics site. What I love about this site is that you can use it to upload and Microsoft’s server go through the logs and configurations of your environment. Go to the site, enter Lync in the search field, and you will find several options to download diagnostic packages that can then be run on the servers. The resulting data is then sent to Microsoft for analysis and a report is sent back.

Pre-Call Diagnostics

The Lync 2013 Pre-Call Diagnostics tool is available for download from Microsoft’s site. This somewhat simple tool allows us to test a user’s connection and use the data for troubleshooting performance and identify the expected user experience when they make calls. The tool provides Network MOS, Packet Loss Rate, and Jitter for a particular connection at a certain time. The results may change because of changes in network load. However, if the tool provides the data that indicates that the call will be poor, then the call will almost certainly be poor.

Monitoring Server

Part of the Lync install can include monitoring services. The Monitoring role can provide a great deal of information. Monitoring reports can provide information about specific calls as well as information about the overall environment.

Lync Edge Port Tester Tool

The ability to properly test an Edge server environment can be challenging. James Cussen put together a nice tool and a post. The Lync Edge Port Tester provides the ability to save the day from evil typos and other mistakes. I really can’t see enough about this great tool, and I encourage everyone to take a look at it. In the past, I used to build a script that would leverage the port query tool and test the ports to and from each server in the environment. With this tool, it is really easy to set up the different profiles and test the Edge environment and the firewalls between the Edge servers and the internal Front-End pools.


Well, of course there are tools for testing and validating certificates. I would guess that over 90% of all Lync issues are related to Certificates and DNS. That might even be low. Digicert has a great help page that has all sorts of great tools for testing certificates even if they are not issues by Digicert.

Remote UC Troubleshooting Tool (RUCT)

The Remote UC Troubleshooting Tool was developed by Cutis Johnstone. I highly recommend Curtis’ blog as a site that you should visit on a regular basis. As described on the website for the RUCT, the tool can be used to test DNS records used for Lync, Testing network availability, Certificate testing, and retrieve important client-side troubleshooting information.

Posted in Lync | Leave a comment

Is it a Lync 2013 Client or is it a Skype for Business 2015 Client?

I was an OCS guy when Office Communications Server came out. I hated Live Communications Server, but it was a great first step. Then, they changed the name to Communications Server. I kind of liked that name. However, before Communications Server was released, Microsoft made the decision to release new version as Lync Server 2010. What a great step forward from OCS. The next version was Lync Server 2013. Lync Server 2013 is a fantastic product and business users love it.

Then… Microsoft bought Skype. Skype is a consumer product with a great name and some nice technical features and it includes some great built-in telephony capabilities. The Skype brand is well recognized by all sorts of people all over the world. Even my Mother-in-Law knows what Skype is because her friends talk about having video chat with their Grandchildren all over the world. So, of course, there was a rebranding of Lync to Skype. Microsoft decided to apply a similar brand to the business product as the name really does have great value. Microsoft recognized that they needed to make it clear that the rebranded product was different. To make the difference between the two products, they added the words “for Business” and expected the world to get that they are two separate products with different features and target markets. There is the Skype product and there is the Skype for Business product. Yep, no confusion there. How could anyone be confused when they added “for Business” to the newly rebranded product.

WHOA! Confusion! Yep, Nobody Saw it Coming (yes, sarcasm)

The last couple of months have seen Microsoft put the brand changes into the Lync product. Microsoft started with the client. All of a sudden, people came into work to start their Microsoft Lync client and saw something different, and freaked out. Users all over the world lost their minds and started calling their help desks. “Who installed Skype on my computer, and where is my Lync client?” Some of the more savvy users said, “WTF! We can’t run consumer software in our business environment!” Of course, the really super savvy people realized that Skype for Business is not Skype, and they were a bit shocked but they didn’t run down the aisles screaming that ”the Skype is falling.” OK, let’s be clear, I get credit for that one.

Two Skins, One Product

I kind of like what Microsoft did in that they realized that people might jump out of windows (yes, pun intended) and that they needed to help keep calm in the colonies of business cubes around the world. Microsoft’s solution is to allow the new client to have a “Lync Skin” to it so it appears to be like the old Lync client. Companies have the option to approach their uses and provide counselors to help them make the adjustment from the Lync world to the Skype for Business world. They can run the Lync skin until they are ready to accept Skype for Business into their lives.

There are some differences in functionality between the two skins, and the interfaces are clearly different. I am not going into that here. I don’t need to create any more fear of change.

What Users See – Help Keep them Calm

For those companies try to minimize change for the users out there, they made the decision to keep the Lync skin. However, some Skype for Business branding still became part of their world. It is like pulling the band-aid off slowly instead of just ripping it off. Even though they run the Lync skin, they will still see some Skype for Business branding.

So, let’s talk about what happened for those users, and some that are still to come as they haven’t had the latest/greatest updates to their Lync 2013 clients.

First, they start their computer, and then they start their Lync client and they see…clip_image002

OK, deep breath… This looks scary. It looks like Skype, but if you look closely, it says “for Business” on the splash screen. OK, this can’t be too bad.


It looks like something is happening…

Then, BAM! They see a whole new interface. clip_image002[5]

This can really hurt some of the users out there, and they start to get that feeling that something has changed, and all is not right in their world. Somebody moved their cheese, and they don’t like it. I saw some users sit there and stare at their monitors. They looked. They looked away. Then they looked again. Then they started yelling, “Hey, Steve, are you getting the same thing that I am? I started Lync and something weird is happening. I don’t know what this is? Should I call security? Did somebody hack my computer?”

Luckily, before they start to run down the aisles screaming that “the Skype is falling,” clip_image002[7]they get some more… umm… stuff… thrown at them.

They see a restart screen. They will only see this restart screen if you set up the policy to force use of the Lync skin. This is the bit of software that guides them to restart their Skype for Business client so that the Lync skin can be slapped onto it.

With a little coaching, and some communication that a few users will read before this happens, we might get some people in cubeville that know what is going on. Steve might reply that, “It isn’t anything to worry about. It is OK. Don’t run. Just sit still for a few minutes, and it will be OK. Really, it will be OK, you can trust IT.” (yeah, I know, I went a bit overboard with that one)clip_image002[11]

If everything goes as planned, they will see a normal looking Lync interface and then they can go about the start of their business day.

The Branding is There!

The biggest issue is that while the users will see the Lync user interface, as they start clip_image002[15]working, they might notice some minor changes like the short cut link in their task bar now looks like a Skype client because it has Skype branding.

The branding in the task bar can be a bit of a problem. It sounds crazy to many of us, but clip_image002[13]some users just can’t handle even the smallest changes. So, they will see the change, but there are two changes that really mess with users. The first is when they use the Start button and type “Lync” in the search and Skype for Business 2015 shows up in the results. I have to admit, that one caught me by surprise. I didn’t expect the search result.


The second one is seeing the “Skype Meeting” link. This branding change is one change that really catches attention. I get calls about this one all the time.

All in all, change can be a challenge. So, you can try to communicate that the change isn’t going to hurt them, but even then, almost nobody reads those emails from IT that tell them about the upcoming changes.


Take a deep breath, keep the windows locked, and try to help stop the panic.

Posted in Uncategorized | Leave a comment

Certificates in Wrong Container–Lync Front-End Service Fails

The last couple of days, I have been having lots of fun (that was sarcasm for those that are sarcasm challenged) working with some colleagues on some certificate issues.

Basically, the issue is that Lync Server 2013’s Front-End services will not start up properly if Intermediate Certification Authorities certificates, or any other non-Root certificates, are put in the Trusted Root Certification Authorities certificate store. This issue is documented in Technet.

The first part of the discussion was how to identify a Root CA certificate.

What is a Root Certificate Authority certificate? This is the actual issue. If you don’t know what a Root CA certificate is, it is hard to fix the problem. If you look at the certificates here, you will see that there is a column title Issued To and another column titled Issued By. A Root CA issues its own cert. Basically, the Issued To and the Issued By need to be the same. Please not that, in this case, the following certs in this graphic are NOT Root CA certs:clip_image001


  • Symantec Class 3 DSA SSL CA
  • Symantec Class 3 EV SSL CA – G2
  • Symantec Class 3 EV SSL CA – G3
  • Symantec Class 3 Secure Server CA – G4
  • Symantec Class 3 SHA256 Code Signing CA

These should be moved to the Intermediate Certification Authorities container.

Certificate Authority Analogy – Also a bit of a Rant

I put together an analogy a few years ago, and I think it really helps explain the issue that we are discussing here.

Back in 2010, there was a huge Lacrosse tournament being held in the United Kingdom. The Iroquois Nationals lacrosse team was invited to this tournament. For those that don’t know, the Iroquois Nation (also known as the Haudenosaunee and the Six Nations) is a very powerful and influential Native American confederacy. The Iroquois Nation includes land that spans the border between the United States and Canada.

Anyway, the Iroquois were issued passports by their government officials. The passports were not recognized as being acceptable by the UK (nor would they have been found to be acceptable to the US) as they just are not recognized as a separate nation with an accepted passport issuing authority. Well, who says whether they should be allowed to create passports and that their passports should or should not be accepted? Who gets to make that decision?

Let me ask a different question: Who says that we should accept certificates issued by the Equifax Secure Certification Authority (I just picked one out of the air)? Really, who says we have to accept the certificates issued by their CA? The answer is, “We do.” We, as server administrators, can easily add or remove CAs from our list any time we want. The CAs in our certification stores are prepopulated in many cases by the operating system vendor, i.e. Microsoft, but we can change the list all we want. It is just like the US has refused to accept Cuban passports for political reasons for decades, while other nations accept Cuban passports without any issues. Who says the US does not have to accept Cuban passports? Well, the US government is fully allowed to accept or reject any passport document. They can also change their minds about it.

So what it comes down to is that a CA is only as valid as we decide. If Joe’s Seafood Emporium created its own CA and issued certificates, does that mean we have to accept them as a valid CA and thus accept all certs that it issues? Of course not.

To extend this analogy, if the Iroquois Nation was recognized as a valid passport issuing authority by the UK, then there wouldn’t have been any issues so long as the passports contained all of the proper passport authorities security mechanisms. They would have been allowed into the UK for the tournament, and they might have won it all. However, they didn’t have valid passports according to the UK as the UK didn’t recognize the Iroquois Nation as a proper passport issuing authority, and they were denied entry to the UK.

Back to the Topic

OK, back to my original rant. In my case, these Intermediate CA certs were being pushed into the Trusted Root Certification Authorities container by a Group Policy. Somebody in the company decided that they should go there, even though they don’t belong there. To remove them is easy, but if the Group Policy keeps putting them back, the only solution is fix the Group Policy.

Thankfully, it was pretty easy to convince the right people that they needed to fix the Group Policy that was causing me heartache.

Posted in Lync | Leave a comment