Troubleshooting Lync Server 2013 Federation

The other day, I noticed that one of my contacts in Lync was showing Presence unknown.

Well, this does happen as people change jobs and go to different companies. I wondered about it, so I asked a common friend if he had heard anything. His response was that they were still there, and something must be wrong with my Federation configuration.

I was pretty sure that nothing was wrong with my Federation configuration since I could see others from other companies and was able to IM them and have conferences with them.

Basic Troubleshooting

I always start with the very basics. Has anything changed recently? What do the Event logs show?

What changed recently is that I had migrated to a new Access Edge server. Initially, I discounted that, since Federation was working with every other company, so I didn’t think it was the server configuration.

Next, I opened Event Viewer and checked my Lync Server logs. I admit, I don’t always go to the Event logs early on in my troubleshooting. I have no valid reason; I just don’t do it. In this case, I did. I am also glad that I did, because this is what I found:

TLS outgoing connection failures

Over the past 12 minutes, Lync Server has experienced TLS outgoing connection failures 31 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying to connect to the server “” at address [], and the display name in the peer certificate is “Unavailable”.

Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.


Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

When I deployed my new Access Edge server, I made sure that I added all of the major Certification Authorities to the Trusted Root Certification Authorities container. I realized that I must have missed at least one.

Digicert to the Rescue

I have always been a fan of Digicert, mostly because of how they support the MVP community, but also because they provide several great tools.

First, I opened a command prompt and ran nslookup.exe. From there, I set the type to SRV, then put in the record, and it gave me the name of the Access Edge server on the other side.

Next, I went to the Digicert site and put the record into the tool. I scrolled down and found the Certificate Authority that they were using for the certs on their Access Edge server.

Yes, I did not have this particular Go Daddy Certificate Authority in my Trusted Root Certification Authorities list.

The last step was to go to and get the CA Cert.
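The two manual checks above (SRV lookup, then inspecting the partner's certificate chain) can be scripted on the Edge server. This is an added example, not code from the original post: it resolves the partner's federation SRV record, opens a TLS connection to the Access Edge it names, and reports whether the chain the peer presents builds to a root that is in this machine's Trusted Root Certification Authorities store. $PartnerDomain is a placeholder, and the validation callback and the Cert:\LocalMachine\Root lookup are my own construction; the 0x80090325 (SEC_E_UNTRUSTED_ROOT) mapping comes from the event log text quoted above.

```powershell
# Added example, not from the original post. Run on the Lync Edge server (PowerShell 3.0+).
# Checks a federated partner the way the post does by hand: SRV lookup, then inspect the
# certificate chain the partner's Access Edge presents on the SRV port (normally TCP 5061).
param(
    [string]$PartnerDomain = "partner.example.com"   # placeholder; use the partner's SIP domain
)

# Step 1: the same lookup the post does with nslookup (set type=SRV).
$srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$PartnerDomain" -Type SRV -ErrorAction Stop |
       Where-Object { $_.Type -eq 'SRV' } |
       Sort-Object Priority, Weight |
       Select-Object -First 1
if (-not $srv) { throw "No _sipfederationtls._tcp SRV record found for $PartnerDomain" }
$edgeFqdn = $srv.NameTarget
$edgePort = $srv.Port
Write-Host "Federation SRV for $PartnerDomain -> $edgeFqdn`:$edgePort"

# Step 2: open a TLS session and capture the chain plus the validation result. The
# callback runs on this thread inside AuthenticateAsClient, so script-scope variables work.
$script:policyErrors = $null
$script:peerChain    = @()
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:policyErrors = $errors
    $script:peerChain    = @($chain.ChainElements | ForEach-Object { $_.Certificate })
    return $true   # observe only; the verdict is printed below
}

$tcp = New-Object System.Net.Sockets.TcpClient($edgeFqdn, $edgePort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($edgeFqdn)
    } catch {
        # The Edge enforces MTLS and may drop us for lacking a client certificate; by then
        # the validation callback has already recorded the server's chain.
        Write-Host "Handshake ended early: $($_.Exception.Message)"
    }
} finally {
    $tcp.Close()
}
if ($script:peerChain.Count -eq 0) { throw "No certificate received from $edgeFqdn" }

# Step 3: report. A missing root shows up as RemoteCertificateChainErrors here and as
# 0x80090325 (SEC_E_UNTRUSTED_ROOT) in the Lync Server event log.
Write-Host "Chain presented by $edgeFqdn (leaf first):"
foreach ($c in $script:peerChain) {
    Write-Host ("  {0}`n      issued by {1}, expires {2:d}" -f $c.Subject, $c.Issuer, $c.NotAfter)
}
$leaf = $script:peerChain[0]
$top  = $script:peerChain[-1]
# Name check from the event log guidance: FQDN must appear in the subject or the SAN.
$san    = ($leaf.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' } |
           ForEach-Object { $_.Format($false) }) -join ' '
$nameOk = ("$($leaf.Subject) $san") -match [regex]::Escape($edgeFqdn)
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $top.Thumbprint }

if ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None -and $inRoot -and $nameOk) {
    Write-Host "OK: chain validates and '$($top.Subject)' is in Cert:\LocalMachine\Root"
} else {
    Write-Warning "Validation result: $($script:policyErrors)"
    Write-Warning "Top of chain '$($top.Subject)' present in Cert:\LocalMachine\Root: $([bool]$inRoot)"
    if (-not $nameOk) { Write-Warning "Leaf certificate does not carry $edgeFqdn in its subject or SAN" }
    Write-Warning "Obtain the CA chain from the partner's CA and import it with Import-Certificate -CertStoreLocation Cert:\LocalMachine\Root"
}
```

The callback always returns true so that the handshake proceeds far enough to capture the chain; the real verdict is the SslPolicyErrors value and the root-store lookup printed at the end. Because the Access Edge expects mutual TLS, the handshake may be closed by the peer after the server certificate has been sent, which is why the failure is reported rather than treated as fatal.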

Ta da! Problem fixed.

Posted in Uncategorized | Leave a comment

Lync Server 2013–No Users Homed on Front-End

It is funny how you find odd behaviors and then try to figure out what is wrong or why something doesn’t behave like it should.

This situation all started with one of Pat Richard’s famous PowerShell one-liners. Pat, for those that don’t know him, is a wealth of information, and he has helped me out on many occasions. In this case, I was perusing his one-liners and saw one that I liked. However, I didn’t like the output and wanted to use it in a bit of a different way than his example. What did I do? Well, I took a perfectly good one-liner and made it into a multi-line PowerShell script.


$CsServers = (Get-CsComputer | Where-Object {$_.Identity -ilike "fe*" -and $_.Pool -ilike "pool13*"}).Identity

Write-Host " "
Write-Host "Active Lync Server 2013 Connections"
Write-Host "-----------------------------------"

ForEach ($cs in $CsServers) {
    # Write-Host Checking Counters on $cs
    # Counter paths use plain hyphens; the blog rendering had turned them into en-dashes.
    $EndPoints = (Get-Counter "\LS:USrv - Endpoint Cache\USrv - Active Registered Endpoints" -ComputerName $cs | Select-Object -ExpandProperty CounterSamples).CookedValue
    $RegUsers  = (Get-Counter "\LS:USrv - Endpoint Cache\USrv - Active Registered Users" -ComputerName $cs | Select-Object -ExpandProperty CounterSamples).CookedValue
    Write-Host $cs `t "EndPoints: $EndPoints" `t "Users: $RegUsers"
}


EndPoints: 17   Users: 9
EndPoints: 4    Users: 4
EndPoints: 19   Users: 15
EndPoints: 5    Users: 5
EndPoints: 0    Users: 0

What was interesting is what I found. My pilot users were not spreading across my pool like I thought they would. While I guess that the numbers might even out more as I add users, the “0” really bothered me.

At first, I was thinking, yep, just a statistical anomaly. I talked to one of my colleagues, Pete Holmes, and he thought it was strange, too, and he started digging into it. Pete tested the impact of changing his SIP URI on the assignment algorithm as described here: the blog entry says that the “registrar assignment is calculated by a hash value of the user’s SIP URI.” The idea was that changing the SIP URI would result in him getting placed on a different Front-End server. No matter how he changed his SIP URI, it didn’t put him on fe5. Setting the client connection settings to force the client to connect to fe5 resulted in it being properly redirected to the proper front-end server, so it appeared that the server was working correctly. Nothing was found in Event Viewer pointing to any issue, either. Basically, the server looked like it was broken and looked like it was fine all at the same time. Schrödinger’s Front-End Server?

We talked about it for a bit, and I thought it might be that the routing groups are set up so that FE5 is a secondary/tertiary for all of the routing groups. That didn’t sound possible; again, it sounded like a statistical anomaly. No matter how I looked at it, it just didn’t seem right. Pete checked the Fabric, and there it was. Highlighted below, it was clear that none of the routing groups were primary for fe5.

PS > Get-CsPoolFabricState -poolfqdn

Replica Instances for MCUFactory Service
    Address: – Primary: 1 Secondary: 3
    Address: – Primary: 1 Secondary: 3
    Address: – Primary: 1 Secondary: 3
    Address: – Primary: 1 Secondary: 3
    Address: – Primary: 2 Secondary: 0

Replica Instances for ConferenceDirectory Service
    Address: – Primary: 1 Secondary: 0
    Address: – Primary: 0 Secondary: 1
    Address: – Primary: 1 Secondary: 0
    Address: – Primary: 0 Secondary: 1
    Address: – Primary: 0 Secondary: 2

Replica Instances for Routing Service
    Address: – Primary: 9 Secondary: 17
        Local Groups: Primary: 2 Secondary: 3
        Remote Groups: Primary: 7 Secondary: 14
    Address: – Primary: 8 Secondary: 17
        Local Groups: Primary: 1 Secondary: 3
        Remote Groups: Primary: 7 Secondary: 14
    Address: – Primary: 10 Secondary: 16
        Local Groups: Primary: 3 Secondary: 2
        Remote Groups: Primary: 7 Secondary: 14
    Address: – Primary: 8 Secondary: 16
        Local Groups: Primary: 1 Secondary: 2
        Remote Groups: Primary: 7 Secondary: 14
    Address: – Primary: 7 Secondary: 18
        Local Groups: Primary: 0 Secondary: 4
        Remote Groups: Primary: 7 Secondary: 14

Replica Instances for LYSS Service
    Address: – Primary: 9 Secondary: 17
    Address: – Primary: 8 Secondary: 17
    Address: – Primary: 10 Secondary: 16
    Address: – Primary: 8 Secondary: 16
    Address: – Primary: 7 Secondary: 18

Global Service Count Summary:
Fqdn: – Primary: 20 Secondary: 37
Fqdn: – Primary: 17 Secondary: 38
Fqdn: – Primary: 22 Secondary: 35
Fqdn: – Primary: 17 Secondary: 36
Fqdn: – Primary: 16 Secondary: 38

How do you fix it? Don’t worry about it, it will take care of itself over time.
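The counter script above shows who is connected right now; the Fabric output shows which front-end each routing group maps to. The added example below (not code from the original post) bridges the two from the user side: it uses Get-CsUserPoolInfo to count, per front-end, how many users have that server as their primary registrar, and flags any pool member that owns no users at all, which is what fe5 looked like. $PoolFqdn is a placeholder, and the stringification of RegistrarPool and PrimaryPoolPrimaryRegistrar is my own handling of the object types those cmdlets return.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell.
# Per front-end in a pool, count the users whose routing group currently has that server
# as primary registrar; warn about any member that is primary for nobody (fe5 in the post).
param(
    [string]$PoolFqdn = "pool13.example.com"   # placeholder; use your Front End pool FQDN
)

# Users homed on this pool. RegistrarPool is stringified because the Lync cmdlets
# return it as an object rather than a plain string.
$pooled = @(Get-CsUser -ResultSize Unlimited |
            Where-Object { "$($_.RegistrarPool)" -eq $PoolFqdn })
if ($pooled.Count -eq 0) { throw "No users found with RegistrarPool $PoolFqdn" }

# Get-CsUserPoolInfo reports the primary and backup registrar front-ends that the
# user's routing group maps to at this moment.
$info = $pooled | Get-CsUserPoolInfo

Write-Host "Primary registrar assignment for $($pooled.Count) users on $PoolFqdn"
Write-Host "-----------------------------------------------------------------"
$byFe = $info | Group-Object { "$($_.PrimaryPoolPrimaryRegistrar)" } | Sort-Object Name
foreach ($g in $byFe) {
    # Backup registrars are the same for every user in a routing group; show one sample.
    $backups = ($g.Group | Select-Object -First 1).PrimaryPoolBackupRegistrars -join ', '
    Write-Host ("{0,-35} Users: {1,5}   (backups: {2})" -f $g.Name, $g.Count, $backups)
}

# Pool members that are primary registrar for no user at all.
$members = Get-CsComputer -Pool $PoolFqdn | Select-Object -ExpandProperty Identity
$owners  = @($byFe | Select-Object -ExpandProperty Name)
foreach ($fe in $members) {
    if ($owners -notcontains "$fe") {
        Write-Warning "$fe is primary registrar for 0 users; routing groups rebalance over time, so re-check later"
    }
}
```

Running this before and after adding users to the pool makes the rebalancing that the post describes visible without waiting for the performance counters to catch up.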


Issue with Meet Now and Invite More People–RCC and Lync Server 2013

Disclaimer: Yes, I know that Remote Call Control (RCC) is being deprecated. Yes, I know Enterprise Voice is WAY better.

A “feature” that was found is that users that are RCC enabled are not able to add other users to meetings that are started by using Meet Now. When meetings are scheduled and invitations are sent via email, users can join by clicking on the link in the email, and all is well. OK, not so much, so let me rephrase, all is well UNTIL another person is invited by using the Invite More People option.

What happens in both cases is that you, as a person in the meeting, will see the users pop into the meeting for a couple of seconds, then they will disappear. From the user’s side, they start to join the meeting, then they get an error where audio fails to connect (if the meeting is not using Lync audio, i.e. a call bridge or just a shared session) and they get a message at the bottom of their Lync client to retry the connection for audio. If they select the option to rejoin using Lync audio, it will allow them to connect to the meeting.

This strange behavior does not appear if the users are not RCC enabled. If the user is configured for PC to PC audio only, or if they are Enterprise Voice enabled, there are no issues.

This is what appears to happen:

  1. The user that attempts to join the meeting sends a SUBSCRIBE request
  2. The user receives a 200 OK with the conference information
  3. The user sends an INFO request containing the endpoint URI and the user’s LineURI using a “Dialed-Out” join method
  4. The user is not enabled for dial-out since they are not Enterprise Voice enabled, and they receive a 404 Not Found

So, basically, RCC users joining a conference that does not allow dial out for non-Enterprise Voice users receive a failure to join audio. This is by design. It is not a bug. This only happens when the user is directly invited into a meeting (via Meet Now and Invite Other People), and it does not happen if the user connects to the conference through the Meet Simple URL. After the failure, the user receives the option to rejoin or retry. If the user selects Lync Call, they will then connect.

Summary: Yes, you should not use RCC, and you should migrate to Enterprise Voice, if it is possible.
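The population this affects is well defined by the post: Remote Call Control enabled, Enterprise Voice not enabled. The added example below (not code from the original post) lists those users from the Lync Server Management Shell so you know who will hit the dial-out 404 in step 4 and who needs to move to Enterprise Voice. $OutFile is a placeholder; the property names are those exposed by Get-CsUser.

```powershell
# Added example, not from the original post. Run in the Lync Server Management Shell.
# Lists users with RCC enabled but Enterprise Voice disabled, the combination that makes
# the "Dialed-Out" conference join fail, and optionally exports them for migration planning.
param(
    [string]$OutFile = ""   # placeholder, e.g. C:\Temp\rcc-only-users.csv; empty = print only
)

$rccOnly = Get-CsUser -ResultSize Unlimited |
    Where-Object { $_.RemoteCallControlTelephonyEnabled -and -not $_.EnterpriseVoiceEnabled } |
    Select-Object DisplayName, SipAddress, LineURI, LineServerURI,
                  @{ n = 'RegistrarPool';      e = { "$($_.RegistrarPool)" } },
                  @{ n = 'VoicePolicy';        e = { "$($_.VoicePolicy)" } },
                  @{ n = 'ConferencingPolicy'; e = { "$($_.ConferencingPolicy)" } }

$count = @($rccOnly).Count
Write-Host "Users with RCC enabled and Enterprise Voice disabled: $count"
if ($count -gt 0) {
    # Group by pool so the migration can be scheduled pool by pool.
    $rccOnly | Group-Object RegistrarPool | Sort-Object Name |
        ForEach-Object { Write-Host ("  {0,-35} {1,5}" -f $_.Name, $_.Count) }
    $rccOnly | Format-Table DisplayName, SipAddress, LineURI, VoicePolicy -AutoSize
}

if ($OutFile -and $count -gt 0) {
    $rccOnly | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Host "Exported $count users to $OutFile"
}
```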


Missed Call Notification Failure

Who knew that users would actually get upset if they don’t get their Missed Call emails? Who knew that they would also get upset if they received hundreds of notifications in their email that they missed all of those calls while out on maternity/paternity leave? Who knew that users would get upset no matter what?

Oh wait, all of us admins knew.

Not much has changed in the last several years regarding how the Missed Call Notification works. Jens Trier Rasmussen covers the process very nicely, and it is still pretty accurate, today.

Recently, I have had a couple of users complain that they are not getting their notification emails. The answer, in these cases, has been simple. Would you guess it is because they have too many folders in Outlook? Yes, it is the same issue as with Conversation History not being saved after it has worked for a long time. Exchange Web Services has an issue when there are over 1,000 folders in the mailbox. Once the mailbox is cleaned up, the Missed Call Notification starts working again.

Of course, the best solution might just be to turn it off for everyone by using a Client Policy: Set-CsClientPolicy -Identity "PolicyName" -EnableCallLogAutoArchiving $False

If users want to disable the notifications, they can do it in the Lync/Skype for Business client application: In Lync/Skype for Business, click the Gear in the upper right, then click on Tools, Options, then click on the Personal tab and disable the checkbox for Save call logs in my email Conversation History folder.
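Since the root cause is the mailbox folder count, the quickest check is to count folders before touching the Lync side. The added example below is not code from the original post: it runs in the Exchange Management Shell (not the Lync shell), uses Get-MailboxFolderStatistics to count the folders in each listed mailbox, compares the count against the 1,000 threshold the post identifies, and shows the largest folder sub-trees so the user knows where to clean up. The addresses in $Users are constructed placeholders.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
# Flags mailboxes with more than 1,000 folders, the EWS threshold the post identifies for
# Missed Call Notification and Conversation History failures.
param(
    [string[]]$Users = @("alice@example.com", "bob@example.com"),   # placeholder addresses
    [int]$Threshold = 1000                                          # threshold from the post
)

$results = foreach ($u in $Users) {
    # One object per folder, including hidden and system folders under the root.
    $folders = @(Get-MailboxFolderStatistics -Identity $u -ErrorAction SilentlyContinue)
    if ($folders.Count -eq 0) {
        Write-Warning "No mailbox statistics for $u (mailbox missing or no permission)"
        continue
    }
    # FolderPath looks like "/Inbox/Projects/2014"; element 1 is the top-level parent.
    # The three biggest sub-trees tell the user where the folder sprawl lives.
    $topParents = $folders |
        Group-Object { ($_.FolderPath -split '/')[1] } |
        Sort-Object Count -Descending |
        Select-Object -First 3 |
        ForEach-Object { "$($_.Name)=$($_.Count)" }
    [pscustomobject]@{
        User         = $u
        FolderCount  = $folders.Count
        OverLimit    = ($folders.Count -gt $Threshold)
        LargestTrees = ($topParents -join ', ')
    }
}

$results | Sort-Object FolderCount -Descending | Format-Table -AutoSize
$results | Where-Object { $_.OverLimit } | ForEach-Object {
    Write-Warning "$($_.User) has $($_.FolderCount) folders (> $Threshold): clean up before expecting Missed Call emails"
}
```

Because Get-MailboxFolderStatistics includes system and hidden folders, the count it reports is an upper bound on what the user sees in Outlook; a mailbox that is far over the threshold here is the one to look at first.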


Address Book Regeneration–Different in Lync 2013

As often happens, I miss some interesting changes between versions of OCS/Lync/Skype for Business.

This time, I missed the following changes:

RtcAb and RtcAb1 – In Lync Server 2010, the Address Book uses two databases, rtcab and rtcab1. The two databases are used so that one database can respond to queries while the other one is updated at 1:30am. This way, there is always an active version available, and when the other one is finished updating, it becomes the active one.

In Lync Server 2013, the rtcab responds to queries while it is updating and the second version is not required.

Manual Address Book Update – In Lync Server 2010, the manual process to update the address book requires two different PowerShell cmdlets. The process is to run Update-CsUserDatabase, then after the update completes, you run Update-CsAddressBook to sync the content.

In Lync Server 2013, all you have to do is run Update-CsAddressBook. That cmdlet triggers the user replicator as part of its own process.

I guess I need to take more time away from actually working and doing more research.


Lync 2013 Client and Remote Call Control – CUCM

Yes, I know. Remote Call Control (RCC) is dead in the world of Lync. Well, it’s not dead yet, but I am sure it will get fully clubbed over the head soon.

This issue reared its ugly head the other day when upgrading Lync 2010 clients to Lync 2013 clients. Every time you would start Lync 2013, it would generate this warning pop-up:

Cannot apply your new call forwarding settings. To turn off call forwarding, click OK. To ignore this error, click cancel.

If you click OK, it goes away until the next time you sign into Lync 2013. If you click Cancel, it goes away until the next time you sign into Lync 2013. Basically, nothing gets rid of it. This does not happen if you are using Lync 2010, though.

The reason? Well, Cisco… Yep, it isn’t a Lync 2013 issue, even though it appears to be its fault. Lync 2010 doesn’t experience it because it doesn’t care what the Cisco Unified Call Manager tells it.

Basically, the issue is that CUCM tells the Lync 2013 client that call forwarding is set, even though it isn’t. See the Cisco Bug report for more info. The good news is that Cisco is going to fix it. Hopefully, it won’t be too long.


Unable to Publish Change to Trunk Configuration

This is a short post.

I tried to make a change to a Trunk configuration. I needed to set up the Trunk so that it would use TCP and port 5060. I made the change in Topology Builder, and everything looked great. However, when I tried to publish the change, the Publish Topology option was greyed out. I could not publish the change.

No errors were generated and nothing told me that there was a conflict. However, the solution was an easy one. I turned off “Enable hardware load balancer monitoring port” which was also set to use 5060. I later changed the monitoring port.

The next step will be to let the load balancer team know that they need to update their monitoring port so the load balancer can know not to direct traffic to a downed server.
