Establishing Credibility–Yay or Nay?

A discussion among many good friends that I respect started out with one friend saying how much he hated presentations where the speaker spends time on the slide introducing themselves. I agree.

There is a reason, and a bit of a story that goes with my view.

About 20 years ago, I attended a sales seminar that was scheduled for four days. I had nothing on the books with a customer, so I signed up and hoped that I would be able to get some good information that I could apply to my work as a consultant.

Day 1 at 9am – In walked this short Iranian with a turban. He looked like he was about 60 or so. He was wearing khakis and a basic shirt. No flash. He was the speaker/presenter. He came in, said hello, gave his name, and dived right into the subject. I remember, very clearly, that I was kind of turned off by his appearance, and I remember that I was thinking about ditching the rest of the week. All of these thoughts went through my head about how I was wasting my money. I was already planning on leaving at lunch.

Day 1 at 9:15am (ok, it might have been 10 minutes in) – While I was a little shocked by his appearance, he immediately struck me as a true professional. He walked us through his plans for the next four days, and threw out some scenarios that we would cover in each section of the seminar.

Day 1 at lunch – After completing several exercises and discussing several scenarios, I didn’t care if he was an alien from another planet. The guy was good. It was clear that he was the real deal. Actually, it was clear within the first few minutes that it was going to be worth my time.

Day 4 at 9am – He walked in wearing a beautiful suit and was not wearing his turban. His long flowing grey hair was amazing and contrasted perfectly with his suit. This is what I was expecting when he first came into the room on Day 1.

Day 4 at 3pm – After four days of incredible content and great information, he started to sum up the week, and at that point, he threw his resume up on the projector. Undergrad at Yale, MBA at Harvard, years of work experience with the biggest of the Fortune 500 companies at the highest levels. His resume was amazing and impeccable.

I asked him why he didn’t share his resume to start on Day 1 to establish his credibility. His response said it all (I am paraphrasing just a bit as I remember it clearly), “You do not need to establish your credibility if you know your subject and you clearly care about helping those in front of you. Your value is in what you do to help those in front of you, not what you tell others about your past. You demonstrate your value through your words and actions, not through a piece of paper that talks about your past.”


OOF Messages Sent Multiple Times


First off, it is OOF, not OOO. It is Out of Facility, not Out of Office.

A few days ago, I received a request asking me why people were getting the OOF from a user that was out, even though they had received it already. In other words, you are only supposed to get the OOF response once during the time frame, so why were people getting replies every single time?

At first, I thought somebody just set up a mailbox rule, rather than using the Automatic Replies option. After checking the mailbox, I saw that the Automatic Replies was set correctly. After a bit, I remembered some peers talking about this issue, and I found the article. Thank you Bing.

In summary, the history of responses is tracked, and there is a limit of 10,000. I still can’t believe that this limit was actually exceeded. In this case, it was a user that gets hundreds of emails a day, and they were out on medical leave for almost three months.

I am shocked that it happened. I am even more shocked that I remembered that this was an issue and found the article.


Get-CsBackupServiceStatus ErrorState

Before performing an Invoke-CsPoolFailover, it is always a good idea to make sure that the Backup Service is running properly. You should run the cmdlet from both sides to verify that you have


Get-CsBackupServiceStatus -poolfqdn


RunspaceId          : be5ae52b-3f48-4d15-8d36-842d4f5cacf6

ActiveMachineFqdn   :

OverallExportStatus : SteadyState

OverallImportStatus : ErrorState

BackupModules       : {UserServices.PresenceFocus:[FinalState,NormalState],





Get-CsBackupServiceStatus -poolfqdn


RunspaceId          : be5ae52b-3f48-4d15-8d36-842d4f5cacf6

ActiveMachineFqdn   :

OverallExportStatus : SteadyState

OverallImportStatus : NormalState

BackupModules       : {UserServices.PresenceFocus:[FinalState,NormalState],




Above, you can see that the import on pool01 failed. An issue can occur when moving a large number of users between pools where the databases don’t properly synch up during the moves. In such a case, there might be a user account, or more, that appears in both databases.


Microsoft support can provide a copy of the PoolConflictCorrector tool, which reads through the databases and identifies any user accounts that appear on both sides of the environment.


.\PoolConflictCorrector.exe -pool1fqdn -pool2fqdn -logfile PCC3.log


If there are any duplicates found, the tool will prompt you to correct each one. This will fix most issues with Backup Service failures.  


Invoke-CsPoolFailover Warning

If you read all of the documentation, the Invoke-CsPoolFailover cmdlet sounds fantastic and pretty straightforward. In reality, there are challenges. I haven’t tested a failover for a long time in my lab. So, I figured “Why not?”

Invoke-CsPoolFailOver -poolfqdn

I went through the confirmations, and got this nice warning/error.

WARNING: Invoke-CsPoolFailOver encountered errors. Consult the log file for a detailed analysis, and ensure all errors (1) and warnings (0) are addressed before continuing.

WARNING: Detailed results can be found at “C:\Users\russ.kaufmann\AppData\Local\Temp\11\Invoke-CsPoolFailOver-54fa4569-bb52-4c3b-8719-6ec7e4e01c2f.html”.

Reading further got me this pretty clear message.

Invoke-CsPoolFailOver : This Front-end pool “” is specified in topology as the next hop for the Edge server. Failing over this pool may cause External access/Federation/Split-domain/XMPP features to stop working. Please use Topology Builder to change the Edge internal next hop setting to point to a different Front-end pool,  before you proceed.

The fix is pretty simple. You need to point the next hop for the Edge server to the other pool. However, it isn’t clear that you can only do it via PowerShell. The cmdlet is pretty simple, though.

Set-CsEdgeServer -Identity -Registrar

Running the cmdlet will get everything sorted out so you can run the Invoke-CsPoolFailover. However, it will generate a nice warning to tell you that there is a problem if your Front-End pools and Edge pools are in different sites. Of course, to me, that is the best reason to have multiple sites and pools.

WARNING: ServiceId “” depends on “” from different site for dependency ID “Registrar.Default”.

The end result: I wrote this blog post so that I can use it in case I actually have to do a disaster recovery and move everything to another pool.
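A pre-flight check that combines the two lessons above (Backup Service health on both sides, and the Edge next hop) before running Invoke-CsPoolFailover. This is an added example, not part of the original posts; the function name and parameter names are hypothetical, and it assumes that Get-CsService -EdgeServer exposes the next hop in a Registrar property.

```powershell
# Added example: checks to run before Invoke-CsPoolFailover.
# Test-CsFailoverReadiness and its parameter names are hypothetical.
function Test-CsFailoverReadiness {
    param(
        [Parameter(Mandatory)][string]$FailingPoolFqdn,  # pool you intend to fail over
        [Parameter(Mandatory)][string]$BackupPoolFqdn    # its paired pool
    )
    $problems = @()

    # 1. Query the Backup Service from both sides and flag any ErrorState,
    #    the value shown in the failing OverallImportStatus output above.
    foreach ($pool in $FailingPoolFqdn, $BackupPoolFqdn) {
        $s = Get-CsBackupServiceStatus -PoolFqdn $pool
        $export = "$($s.OverallExportStatus)"
        $import = "$($s.OverallImportStatus)"
        if ($export -eq 'ErrorState' -or $import -eq 'ErrorState') {
            $problems += "Backup Service on ${pool}: export=$export import=$import"
        }
    }

    # 2. No Edge server may still use the failing pool as its next hop.
    #    Assumption: the Registrar property holds a value ending in the pool FQDN.
    foreach ($edge in Get-CsService -EdgeServer) {
        if ("$($edge.Registrar)" -like "*$FailingPoolFqdn") {
            $problems += "Edge $($edge.Identity) still points at $FailingPoolFqdn (fix with Set-CsEdgeServer -Registrar)"
        }
    }

    # Return one object so the result can gate a scripted failover.
    [pscustomobject]@{
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}
```

Run it from the Lync Server Management Shell with both pool FQDNs and only proceed when Ready is True.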


Troubleshooting Lync Server 2013 Federation

The other day, I noticed that one of my contacts in Lync was showing Presence unknown.

Well, this does happen as people change jobs and go to different companies. I wondered about it, so I asked a common friend if he had heard anything. His response was that they were still there, and something must be wrong with my Federation configuration.

I was pretty sure that nothing was wrong with my Federation configuration since I could see others from other companies and was able to IM them and have conferences with them.

Basic Troubleshooting

I always start with the very basics. Has anything changed recently? What do the Event logs show?

What changed recently is that I migrated to a new Access Edge server. Initially, I discounted that as Federation was working for every other company, so I didn’t think it was the server configuration.

Next, I opened Event Viewer and checked my Lync Server logs. I admit, I don’t always go to the Event logs early on in my troubleshooting. I have no valid reason, I just don’t do it. In this case, I did. I am also glad that I did, because this is what I found:

TLS outgoing connection failures

Over the past 12 minutes, Lync Server has experienced TLS outgoing connection failures 31 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying to connect to the server “” at address [], and the display name in the peer certificate is “Unavailable”.

Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.


Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

When I deployed my new Access Edge server, I made sure that I added all of the major Certification Authorities to the Trusted Root Certification Authorities container. I realized that I must have missed at least one.

Digicert to the Rescue

I have always been a fan of Digicert, mostly because of how they support the MVP community, but also because they provide several great tools.

First, I opened a command prompt and ran nslookup.exe. From there, I set the type to SRV, and then put in, and it provided me the name of the Access Edge server on the other side,

Next, I went to the Digicert site: and put in the record into the tool. I scrolled down, and found the Certificate Authority that they were using for their certs on

Yes, I did not have this particular Go Daddy Certificate Authority in my Trusted Root Certification Authorities list.

The last step was to go to and get the CA Cert.

Ta da! Problem fixed.
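The same check can be run from the Edge server itself. The following is an added example, not from the original post: it connects to the partner's Access Edge, records the certificate it presents, and reports whether the top of its chain is present in the local machine's Trusted Root store. The function name, the placeholder host name and the default port of 5061 are assumptions.

```powershell
# Added example: which root does a federation partner's Edge chain to, and is it
# in LocalMachine\Root? Test-FederationPeerRoot is a hypothetical name.
function Test-FederationPeerRoot {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$EdgeFqdn,  # host name returned by the SRV lookup
        [int]$Port = 5061                         # assumption: default federation TLS port
    )
    $seen = @{}
    # Record the presented certificate, then accept it: the goal is to inspect a
    # chain that normal validation rejects. No data is sent over the session.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $seen.Raw = $cert.GetRawCertData()
        $seen.PolicyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($EdgeFqdn, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The peer may drop the session once it sees no client certificate;
        # by then the callback has already captured what is needed.
        try { $ssl.AuthenticateAsClient($EdgeFqdn) }
        catch { Write-Verbose "Handshake ended early: $($_.Exception.Message)" }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    if (-not $seen.Raw) { throw "No certificate received from ${EdgeFqdn}:$Port" }

    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$seen.Raw)
    # Build with the machine context, which is what a service sees.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust anchor matters here
    [void]$chain.Build($leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Peer            = "${EdgeFqdn}:$Port"
        LeafSubject     = $leaf.Subject
        PolicyErrors    = $seen.PolicyErrors
        ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        TopOfChain      = $top.Subject
        TopThumbprint   = $top.Thumbprint
        TopIsSelfSigned = ($top.Subject -eq $top.Issuer)   # False = root was not found
        InMachineRoot   = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                                 Where-Object { $_.Thumbprint -eq $top.Thumbprint })
    }
}
# Usage (partner-edge.example is a placeholder host):
# Test-FederationPeerRoot -EdgeFqdn partner-edge.example -Verbose
```

A self-signed TopOfChain with InMachineRoot set to False is the situation in this post. Verify TopThumbprint against the thumbprint the CA publishes before importing the root.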


Lync Server 2013–No Users Homed on Front-End

It is funny how you find odd behaviors and then try to figure out what is wrong or why something doesn’t behave like it should.

This situation all started with one of Pat Richard’s famous PowerShell one-liners. Pat, for those that don’t know him, is a wealth of information, and he has helped me out on many occasions. In this case, I was perusing his one-liners and saw one that I liked. However, I didn’t like the output and wanted to use it in a bit of a different way than his example. What did I do? Well, I took a perfectly good one-liner and made it into a multi-line PowerShell script.


# Front-End servers in the pool (name filters are specific to this environment)
$CsServers = (Get-CsComputer | where {$_.identity -ilike "fe*" -and $_.pool -ilike "pool13*"}).identity
Write-Host " "
Write-Host "Active Lync Server 2013 Connections"
Write-Host "-----------------------------------"
ForEach ($cs in $CsServers) {
    # Write-Host Checking Counters on $cs
    # Read the registrar endpoint-cache counters from each Front-End
    $EndPoints = (Get-Counter "\LS:USrv - Endpoint Cache\USrv - Active Registered Endpoints" -ComputerName $cs | select -expand CounterSamples).CookedValue
    $RegUsers = (Get-Counter "\LS:USrv - Endpoint Cache\USrv - Active Registered Users" -ComputerName $cs | select -expand CounterSamples).CookedValue
    Write-Host $cs `t "EndPoints: $EndPoints" `t "Users: $RegUsers"
}


What was interesting is what I found. My pilot users were not spreading across my pool like I thought they would. While I guess that the numbers might even out more as I add users, the “0” really bothered me.

EndPoints: 17   Users: 9
EndPoints: 4    Users: 4
EndPoints: 19   Users: 15
EndPoints: 5    Users: 5
EndPoints: 0    Users: 0

At first, I was thinking, yep, just a statistical anomaly. I talked to one of my colleagues, Pete Holmes, and he thought it was strange, too, and he started digging into it. Pete tested the impact of changing his SIP URI to change the impact of the algorithm as described here: The Blog entry says that the “registrar assignment is calculated by a hash value of the user’s SIP URI.” The idea was that changing the SIP URI would result in him getting placed on a different Front-End server. No matter how he changed his SIP URI, it didn’t put him on fe5. Setting the client connection settings to force the client to connect to fe5 resulted in it being properly redirected to the proper front-end server, so it appeared that the server was working correctly. Nothing was found in Event Viewer pointing to any issue, either. Basically, the server looked like it was broken and looked like it was fine all at the same time. Schrödinger’s Front-End Server?

We talked about it for a bit, and I thought it might be that the routing groups are set up so that FE5 is a secondary/tertiary for all of the routing groups. That didn’t sound like it was possible, again, it sounded like a statistical anomaly. No matter how I looked at it, it just didn’t seem right. Pete checked the Fabric, and there it was. Highlighted below, it was clear that none of the routing groups were primary for fe5.

PS > Get-CsPoolFabricState -poolfqdn

Replica Instances for MCUFactory Service

    Address: – Primary: 1 Secondary: 3

    Address: – Primary: 1 Secondary: 3

    Address: – Primary: 1 Secondary: 3

    Address: – Primary: 1 Secondary: 3

    Address: – Primary: 2 Secondary: 0

Replica Instances for ConferenceDirectory Service

    Address: – Primary: 1 Secondary: 0

    Address: – Primary: 0 Secondary: 1

    Address: – Primary: 1 Secondary: 0

    Address: – Primary: 0 Secondary: 1

    Address: – Primary: 0 Secondary: 2

Replica Instances for Routing Service

    Address: – Primary: 9 Secondary: 17

        Local Groups: Primary: 2 Secondary: 3

        Remote Groups: Primary: 7 Secondary: 14

    Address: – Primary: 8 Secondary: 17

        Local Groups: Primary: 1 Secondary: 3

        Remote Groups: Primary: 7 Secondary: 14

    Address: – Primary: 10 Secondary: 16

        Local Groups: Primary: 3 Secondary: 2

        Remote Groups: Primary: 7 Secondary: 14

    Address: – Primary: 8 Secondary: 16

        Local Groups: Primary: 1 Secondary: 2

        Remote Groups: Primary: 7 Secondary: 14

    Address: – Primary: 7 Secondary: 18

        Local Groups: Primary: 0 Secondary: 4

        Remote Groups: Primary: 7 Secondary: 14

Replica Instances for LYSS Service

    Address: – Primary: 9 Secondary: 17

    Address: – Primary: 8 Secondary: 17

    Address: – Primary: 10 Secondary: 16

    Address: – Primary: 8 Secondary: 16

    Address: – Primary: 7 Secondary: 18

Global Service Count Summary:

Fqdn: – Primary: 20 Secondary: 37

Fqdn: – Primary: 17 Secondary: 38

Fqdn: – Primary: 22 Secondary: 35

Fqdn: – Primary: 17 Secondary: 36

Fqdn: – Primary: 16 Secondary: 38

How do you fix it? Don’t worry about it, it will take care of itself over time.


Issue with Meet Now and Invite More People–RCC and Lync Server 2013

Disclaimer: Yes, I know that Remote Call Control (RCC) is being deprecated. Yes, I know Enterprise Voice is WAY better.

A “feature” that was found is that users that are RCC enabled are not able to add other users to meetings that are started by using Meet Now. When meetings are scheduled and invitations are sent via email, users can join by clicking on the link in the email, and all is well. OK, not so much, so let me rephrase, all is well UNTIL another person is invited by using the Invite More People option.

What happens in both cases is that you, as a person in the meeting, will see the users pop into the meeting for a couple of seconds, then they will disappear. From the user’s side, they start to join the meeting, then they get an error where audio fails to connect (if the meeting is not using Lync audio, i.e. a call bridge or just a shared session) and they get a message at the bottom of their Lync client to retry the connection for audio. If they select the option to rejoin using Lync audio, it will allow them to connect to the meeting.

This strange behavior does not appear if the users are not RCC enabled. If the user is configured for PC to PC audio only, or if they are Enterprise Voice enabled, there are no issues.

This is what appears to happen:

  1. The user that attempts to join the meeting sends a SUBSCRIBE request
  2. The user receives a 200 OK with the conference information
  3. The user sends an INFO request containing the endpoint URI and the user’s LineURI using a “Dialed-Out” join method
  4. The user is not enabled for dial-out since they are not Enterprise Voice enabled, and they receive a 404 Not Found

So, basically, RCC users joining a conference that does not allow dial out for non-Enterprise Voice users receive a failure to join audio. This is by design. It is not a bug. This only happens when the user is directly invited into a meeting (via Meet Now and Invite Other People), and it does not happen if the user connects to the conference through the Meet Simple URL. After the failure, the user receives the option to rejoin or retry. If the user selects Lync Call, they will then connect. 

Summary: Yes, you should not use RCC, and you should migrate to Enterprise Voice, if it is possible.
