Is it a Lync 2013 Client or is it a Skype for Business 2015 Client?

I was an OCS guy when Office Communications Server came out. I hated Live Communications Server, but it was a great first step. Then, they changed the name to Communications Server. I kind of liked that name. However, before Communications Server was released, Microsoft made the decision to release new version as Lync Server 2010. What a great step forward from OCS. The next version was Lync Server 2013. Lync Server 2013 is a fantastic product and business users love it.

Then… Microsoft bought Skype. Skype is a consumer product with a great name and some nice technical features and it includes some great built-in telephony capabilities. The Skype brand is well recognized by all sorts of people all over the world. Even my Mother-in-Law knows what Skype is because her friends talk about having video chat with their Grandchildren all over the world. So, of course, there was a rebranding of Lync to Skype. Microsoft decided to apply a similar brand to the business product as the name really does have great value. Microsoft recognized that they needed to make it clear that the rebranded product was different. To make the difference between the two products, they added the words “for Business” and expected the world to get that they are two separate products with different features and target markets. There is the Skype product and there is the Skype for Business product. Yep, no confusion there. How could anyone be confused when they added “for Business” to the newly rebranded product.

WHOA! Confusion! Yep, Nobody Saw it Coming (yes, sarcasm)

The last couple of months have seen Microsoft put the brand changes into the Lync product. Microsoft started with the client. All of a sudden, people came into work to start their Microsoft Lync client and saw something different, and freaked out. Users all over the world lost their minds and started calling their help desks. “Who installed Skype on my computer, and where is my Lync client?” Some of the more savvy users said, “WTF! We can’t run consumer software in our business environment!” Of course, the really super savvy people realized that Skype for Business is not Skype, and they were a bit shocked but they didn’t run down the aisles screaming that ”the Skype is falling.” OK, let’s be clear, I get credit for that one.

Two Skins, One Product

I kind of like what Microsoft did in that they realized that people might jump out of windows (yes, pun intended) and that they needed to help keep calm in the colonies of business cubes around the world. Microsoft’s solution is to allow the new client to have a “Lync Skin” to it so it appears to be like the old Lync client. Companies have the option to approach their uses and provide counselors to help them make the adjustment from the Lync world to the Skype for Business world. They can run the Lync skin until they are ready to accept Skype for Business into their lives.

There are some differences in functionality between the two skins, and the interfaces are clearly different. I am not going into that here. I don’t need to create any more fear of change.

What Users See – Help Keep them Calm

For those companies try to minimize change for the users out there, they made the decision to keep the Lync skin. However, some Skype for Business branding still became part of their world. It is like pulling the band-aid off slowly instead of just ripping it off. Even though they run the Lync skin, they will still see some Skype for Business branding.

So, let’s talk about what happened for those users, and some that are still to come as they haven’t had the latest/greatest updates to their Lync 2013 clients.

First, they start their computer, and then they start their Lync client and they see…clip_image002

OK, deep breath… This looks scary. It looks like Skype, but if you look closely, it says “for Business” on the splash screen. OK, this can’t be too bad.


It looks like something is happening…

Then, BAM! They see a whole new interface. clip_image002[5]

This can really hurt some of the users out there, and they start to get that feeling that something has changed, and all is not right in their world. Somebody moved their cheese, and they don’t like it. I saw some users sit there and stare at their monitors. They looked. They looked away. Then they looked again. Then they started yelling, “Hey, Steve, are you getting the same thing that I am? I started Lync and something weird is happening. I don’t know what this is? Should I call security? Did somebody hack my computer?”

Luckily, before they start to run down the aisles screaming that “the Skype is falling,” clip_image002[7]they get some more… umm… stuff… thrown at them.

They see a restart screen. They will only see this restart screen if you set up the policy to force use of the Lync skin. This is the bit of software that guides them to restart their Skype for Business client so that the Lync skin can be slapped onto it.

With a little coaching, and some communication that a few users will read before this happens, we might get some people in cubeville that know what is going on. Steve might reply that, “It isn’t anything to worry about. It is OK. Don’t run. Just sit still for a few minutes, and it will be OK. Really, it will be OK, you can trust IT.” (yeah, I know, I went a bit overboard with that one)clip_image002[11]

If everything goes as planned, they will see a normal looking Lync interface and then they can go about the start of their business day.

The Branding is There!

The biggest issue is that while the users will see the Lync user interface, as they start clip_image002[15]working, they might notice some minor changes like the short cut link in their task bar now looks like a Skype client because it has Skype branding.

The branding in the task bar can be a bit of a problem. It sounds crazy to many of us, but clip_image002[13]some users just can’t handle even the smallest changes. So, they will see the change, but there are two changes that really mess with users. The first is when they use the Start button and type “Lync” in the search and Skype for Business 2015 shows up in the results. I have to admit, that one caught me by surprise. I didn’t expect the search result.


The second one is seeing the “Skype Meeting” link. This branding change is one change that really catches attention. I get calls about this one all the time.

All in all, change can be a challenge. So, you can try to communicate that the change isn’t going to hurt them, but even then, almost nobody reads those emails from IT that tell them about the upcoming changes.


Take a deep breath, keep the windows locked, and try to help stop the panic.

Posted in Uncategorized | Leave a comment

Certificates in Wrong Container–Lync Front-End Service Fails

The last couple of days, I have been having lots of fun (that was sarcasm for those that are sarcasm challenged) working with some colleagues on some certificate issues.

Basically, the issue is that Lync Server 2013’s Front-End services will not start up properly if Intermediate Certification Authorities certificates, or any other non-Root certificates, are put in the Trusted Root Certification Authorities certificate store. This issue is documented in Technet.

The first part of the discussion was how to identify a Root CA certificate.

What is a Root Certificate Authority certificate? This is the actual issue. If you don’t know what a Root CA certificate is, it is hard to fix the problem. If you look at the certificates here, you will see that there is a column title Issued To and another column titled Issued By. A Root CA issues its own cert. Basically, the Issued To and the Issued By need to be the same. Please not that, in this case, the following certs in this graphic are NOT Root CA certs:clip_image001


  • Symantec Class 3 DSA SSL CA
  • Symantec Class 3 EV SSL CA – G2
  • Symantec Class 3 EV SSL CA – G3
  • Symantec Class 3 Secure Server CA – G4
  • Symantec Class 3 SHA256 Code Signing CA

These should be moved to the Intermediate Certification Authorities container.

Certificate Authority Analogy – Also a bit of a Rant

I put together an analogy a few years ago, and I think it really helps explain the issue that we are discussing here.

Back in 2010, there was a huge Lacrosse tournament being held in the United Kingdom. The Iroquois Nationals lacrosse team was invited to this tournament. For those that don’t know, the Iroquois Nation (also known as the Haudenosaunee and the Six Nations) is a very powerful and influential Native American confederacy. The Iroquois Nation includes land that spans the border between the United States and Canada.

Anyway, the Iroquois were issued passports by their government officials. The passports were not recognized as being acceptable by the UK (nor would they have been found to be acceptable to the US) as they just are not recognized as a separate nation with an accepted passport issuing authority. Well, who says whether they should be allowed to create passports and that their passports should or should not be accepted? Who gets to make that decision?

Let me ask a different question: Who says that we should accept certificates issued by the Equifax Secure Certification Authority (I just picked one out of the air)? Really, who says we have to accept the certificates issued by their CA? The answer is, “We do.” We, as server administrators, can easily add or remove CAs from our list any time we want. The CAs in our certification stores are prepopulated in many cases by the operating system vendor, i.e. Microsoft, but we can change the list all we want. It is just like the US has refused to accept Cuban passports for political reasons for decades, while other nations accept Cuban passports without any issues. Who says the US does not have to accept Cuban passports? Well, the US government is fully allowed to accept or reject any passport document. They can also change their minds about it.

So what it comes down to is that a CA is only as valid as we decide. If Joe’s Seafood Emporium created its own CA and issued certificates, does that mean we have to accept them as a valid CA and thus accept all certs that it issues? Of course not.

To extend this analogy, if the Iroquois Nation was recognized as a valid passport issuing authority by the UK, then there wouldn’t have been any issues so long as the passports contained all of the proper passport authorities security mechanisms. They would have been allowed into the UK for the tournament, and they might have won it all. However, they didn’t have valid passports according to the UK as the UK didn’t recognize the Iroquois Nation as a proper passport issuing authority, and they were denied entry to the UK.

Back to the Topic

OK, back to my original rant. In my case, these Intermediate CA certs were being pushed into the Trusted Root Certification Authorities container by a Group Policy. Somebody in the company decided that they should go there, even though they don’t belong there. To remove them is easy, but if the Group Policy keeps putting them back, the only solution is fix the Group Policy.

Thankfully, it was pretty easy to convince the right people that they needed to fix the Group Policy that was causing me heartache.

Posted in Lync | Leave a comment

Skype for Web (Consumer)

Yes, it is for the Skype consumer version. I felt I had to be clear about that after having many discussions in the last couple of months about Skype for Business and explaining that there is a significant difference between the two.

I was told that there was a Beta for those that reside in the US and in the UK for a completely Web based version of Skype. Being a long time Skype user, I decided to check it out. Well, I forgot to check it out until today.

I am glad I checked it out. It is pretty slick, but I had trouble envisioning use cases for it. OK, not really, it took me a couple of minutes of thinking about the many times that I wanted to make a Skype call, grabbed computer (you can probably imagine that I have more than one in the house) and found that the Skype client was not installed on it. So, I would have to download it, and then after spending at least a minute with the download and logging into it, I would be in business. Of course, this is an issue if you are on the road and have crappy bandwidth at one of the many super expensive hotels out there. Well, here is the answer.

Let me go through the horrible (yes, that was sarcasm) process for you.

  1. I opened a browser.
  2. I typed into the browser.
  3. I got the screen below:image
  4. I clicked the link that says “Launch Skype for Web”
  5. I noticed that I had a couple of notices (that is how I noticed) that I needed to install a plug-in for Audio/Video calls (man, it is starting to get painful now).
  6. image

  7. I read the notice information about cookies and such, because that is how I roll.
  8. I clicked the link to get the plugin.

Yeah, not very painful, and I was up in running pretty quickly. I feel sorry for those that can’t use the Beta. It really is nice, and it was very easy to set up.

Check it out!

Posted in Uncategorized | Leave a comment

Getting Lync User Connection Information

I posted in the past about how to identify where users are connecting to in Lync. I have used this script several times this week to find out what version users were using and what computer they were using. The troubleshooting process is a great deal easier when you don’t have to depend on users to give you the information.

I spent some time adding to the previous script and added an nslookup to get the client computer name along with the IP, and then I added some historical logon information.

Between the two pieces of the script, I ended up using the local SQL on Front-End servers and then the LcsCDR database. It was actually a fun couple of hours of testing and playing.

You can download the latest script here, or you can read it and take what you want as shown below, and then modify it as needed to fit your environment. At the very bottom of this post is an example of the output.

# User Name to Search
$User = “”
# SQL Server for historical connection information
$SqlServer = “SqlServerName\InstanceName”

Write-Host ” “
Write-Host “Retrieving Current Lync Client Connections for $User” -foregroundcolor red
#Find the Front-End server that is supposed to be used by the user
$FirstPriority = Get-CsUserPoolInfo $User | Select –ExpandProperty PrimaryPoolMachinesInPreferredOrder | Select fqdn -First 1
# The SQL server in this next variable is for the SQL express on the Front-End
$ServerName = $FirstPriority.fqdn

# This query is for the SQL Express to get current connection information
$SQLQuery = “
    From RegistrarEndpoint
    WHERE SipHeaderFrom LIKE ‘%$User%'”
$Connection = New-Object
$Connection.connectionString=”Data Source=$ServerName\RTCLOCAL;Initial Catalog=RTCDyn;Integrated Security=SSPI”
$Command = $Connection.CreateCommand()
$Command.Commandtext = $SqlQuery
$DataAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $Command
$Dataset = New-Object System.Data.Dataset
# $Dataset.Tables[0] | Export-CSV UserIP.csv -notype
$Connection = $null

$Results1 = $dataset.tables[0].rows

ForEach ($r in $Results1){

    If ($r.IsServerSource -ne “False”){
        $ClientApp = $r.ClientApp
        $ContactInfo = $r.ContactInfo
        $SipHeaderFrom = $r.SipHeaderFrom
        $EncodingType = “System.Text.ASCIIEncoding”
        $Encode = new-object $EncodingType
        $ClientApp = $Encode.GetString($ClientApp)
        $ContactInfo = $encode.getstring($ContactInfo)
        $SipHeaderFrom = $encode.getstring($SipHeaderFrom)
        # Strip garbage from $ContactInfo to get IP
            $CI = $ContactInfo.split(‘;’)
            $CI2 = $CI[0]
            $CI3 = $CI2.split(‘:’)
            $ClientIp = $CI3[1]
        #Strip garbage from $Sip User to get SIP address in SMTP format
            $Sip = $SipHeaderFrom.split(‘:’)
            $Sip2 = $Sip[1]
            $Sip3 = $Sip2.split(‘>’)
            $SipAddress = $Sip3[0]
        #Find computer name
            $Name = nslookup $ClientIp
            ForEach ($n in $Name){
                If($n -ilike “name*”){
                    $Name = $n.split(‘ ‘)
                    $Name2 = $Name[4]
                    $Name3 = $Name2.split(‘.’)
                    $CompName = $Name3[0]
        Write-host “UserURI         : $SipAddress”
        Write-host “IPAddress       : $ClientIp”
        Write-Host “ComputerName    : $CompName”
        Write-host “Version         : $ClientApp” 

    Write-Host ” “

Write-Host ” “
Write-Host “Retrieving Recent Lync Client Connections for $User” -foregroundcolor red

# The second query is used to get recent connection information, changing to TOP 10 or more will retrieve more results
$SQLQuery = “
    s.ServerFQDN as Server,
    p.PoolFQDN as Pool
FROM Registration as r
    JOIN Users as u on r.UserId = u.UserId
    JOIN ClientVersions as v on r.ClientVersionId = v.VersionId
    JOIN Servers as s on r.RegistrarId = s.ServerId
    JOIN Pools as p on r.PoolId = p.PoolId
WHERE u.UserUri = ‘$User’
ORDER BY r.RegisterTime DESC”

$Connection = new-object
$Connection.connectionString=”Data Source=$SqlServer;Initial Catalog=LcsCDR;Integrated Security=SSPI”
$Command = $Connection.CreateCommand()
$Command.Commandtext = $SqlQuery
$DataAdapter = New-Object System.Data.SqlClient.SqlDataAdapter $Command
$Dataset = New-Object System.Data.Dataset
# $Dataset.Tables[0] | Export-CSV TempList.csv -notype
$Connection = $null

$Results2 = $Dataset.Tables[0].rows


I played with the output a bit to make it all align. Basically, what you get is the first section of the output shows the two locations where I was currently logged in at the time I ran the script. The second part shows the last five logons. The number can easily be changed in the script by modifying the TOP 5 part of the SELECT statement.

Retrieving Current Lync Client Connections for
UserURI         :
IPAddress       :
ComputerName    : Desktop1
Version         : UCCAPI/15.0.4675.1000 OC/15.0.4675.1000 (Microsoft Lync)

UserURI         :
IPAddress       :
ComputerName    : Desktop2
Version         : UCCAPI/15.0.4675.1000 OC/15.0.4675.1000 (Microsoft Lync)

Retrieving Recent Lync Client Connections for

UserUri        :
RegisterTime   : 2/24/2015 6:12:58 PM
DeRegisterTime : 2/24/2015 6:13:30 PM
Version        : UCCAPI/4.0.7577.4409 GCAT/4.0.7577.4398
Server         :
Pool           :

UserUri        :
RegisterTime   : 2/24/2015 6:05:35 PM
DeRegisterTime : 2/24/2015 6:06:08 PM
Version        : UCCAPI/4.0.7577.4409 GCAT/4.0.7577.4398
Server         :
Pool           :

UserUri        :
RegisterTime   : 2/24/2015 6:05:14 PM
DeRegisterTime : 2/24/2015 6:14:40 PM
Version        : UCCAPI/4.0.7577.4409 GCC/4.0.7577.4398
Server         :
Pool           :

UserUri        :
RegisterTime   : 2/24/2015 2:19:49 AM
DeRegisterTime : 2/24/2015 2:28:02 AM
Version        : UCCAPI/4.0.7577.0 GCAT/4.0.7577.0
Server         :
Pool           :

UserUri        :
RegisterTime   : 2/23/2015 7:15:11 PM
DeRegisterTime :
Version        : UCCAPI/15.0.4675.1000 OC/15.0.4675.1000 (Microsoft Lync)
Server         :
Pool           :

Posted in Lync | 2 Comments

Lync 2010 vs Lync 2013 Address Book Troubleshooting

When troubleshooting Address Book issues in Lync, I keep forgetting to ask users which version of the Lync client they are using. After all, it is a bit of a pain if you walk them through deleting their Global Address List files and setting the GalDownloadInitialDelay setting in the Registry just to find out that you did all the work for the wrong version.

So, just a reminder to everyone, make sure you do the work in the right areas for users based on the version of the client that they are currently using. When trying to make sure that they have the proper Address Book, you need to go through four steps:

  1. Update the Address Book from the server side by running:  Update-CsAddressBook
  2. Exit Lync and then delete the GalContacts.db and GalContacts.db.idx files
  3. Configure the Registry on the client so it will immediately download the new Address Book
  4. Restart the Lync client and verify that everything is happy again

For example, for Lync 2010:

The location for the Gal* files is C:\Users\%username%\AppData\Local\Microsoft\Communicator

The location for the GalDownloadInitialDelay in the Registry is HKLM\Software\Policies\Microsoft\Communicator (create the DWORD for GalDownloadInitialDelay and set it to 0)

For example, for Lync 2013:

The location for the Gal* files is C:\Users\%username%\AppData\Local\Microsoft\Office\15.0\

The location for the GalDownloadInitialDelay in the Registry is HKLM\Software\Policies\Microsoft\Office\15.0\Lync (create the DWORD for GalDownloadInitialDelay and set it to 0)

Jeff Schertz does a great job explaining the details for Lync 2010 on his blog:

Remember, to modify the locations for Lync 2013 and it is pretty much the same thing. I highly suggest reading Jeff’s blog as he does an awesome job of explaining the process and verifing that the Update-CsAddressBook was successful.

Posted in Lync | 1 Comment

Lync Web Access for Anonymous Users–Failure

In my current job, I have been using Federation connections for many Lync meetings. My meetings include internal company participants and external participants that are Federated. I love having Lync meetings, and just making Lync phone calls to external users. Presence, Instant Messaging, Desktop and Application sharing and Audio and Video connects all work perfectly.

I was tasked with making sure that we can add external anonymous users. Of course, that should not be an issue. However, during testing, I found that there were many issues. I was able to get some anonymous users connected and send and receive Instant Messages. Well, it appeared to work, but there seemed to be some intermittent issues.

Anonymous users were complaining that they had to try multiple times to make the connection to the Lync conference and that they kept losing their connections. After doing some extensive testing, I was finally able to get some captures of the errors. Anonymous users were receiving errors like the one below when trying to join as a guest:clip_image002

The connection to the server was lost. Check your network connection and try again.

After multiple retries, they were able to join the meeting. However, they were not able to view the shared content. After a short time, they were no longer able to participate in clip_image004the IM session, either. You can see, from the reproduction of the error, that the first message was fine, but the second message that was sent a couple of minutes later failed. Obviously, this is not by design. Smile

Now, I fully admit that I am sick person because I was excited to get these screen shots and to have a chance to troubleshoot this issue.

First Steps:

  1. Check the Conferencing Policy. Obviously, the meeting organizer needs to be assigned a policy that allows anonymous users. I verified that that the policy allowed anonymous users and allowed application and desktop sharing.
  2. Cuss at the computer. Cussing is a big part of how I work as an administrator when troubleshooting.

Next Steps:

Try to connect to the meeting using LWA (like an anonymous user) from the same computer where the meeting is initiated. In this case, I was able to reproduce the issue on the internal network. I copied the URL from my meeting to a browser window on my desktop, i.e. and then added the suffix of ?sl=1 to the end of it to force the connection via the browser. The URL used looks like this:

If you don’t add the suffix, then the Lync client will try to connect to the meeting, and the goal here is to test LWA, not the Lync client. 

In this case, the browser connected properly, initially. When clicking the link to Join the meeting using your web browser, it would take me to the next screen where I could select the radio button to Join as a guest.


The same issue appeared and the connection failed. If this had worked, I would have tried using another computer inside the network to see if I could reproduce the issue there as well.

At this point, this looked like an issue with a hardware load balancer. I jumped to this conclusion because I could establish a connection (intermittently) and then would see a failure when trying to send subsequent IMs (which sounds to me like a reconnection to the same session).

Last Steps:

Now, I needed to verify that it was actually an issue with the hardware load balancer.

I used a second computer and configured the hosts file for the address pointing it to a single server in the pool rather than the load balancer’s IP address, and I also did the same with the pool name and set it up in the hosts file as well. Remember, you need to use FQDNs.

Once the hosts file was set up, I retested the LWA connection and it worked like a charm. No issues. I was able to share apps, share the desktop, and IM for an extended length of time. It was rock solid.

So, how did I know for sure it wasn’t a problem with one of the front-end servers in the pool instead of the load balancer? Easy, I just repeated the process for each of the front-end servers by setting the IP for each one in the hosts file and testing the connectivity. Every single front-end worked wonderfully.

Once I removed the hosts file entries, and went back to using the load balancer, it was easy to reproduce the problem. Yep, definitely the hardware load balancer.

Of course, every load balancer is a bit different. In this case, following the guidance of the vendor, the load balancer was reconfigured and the issue was resolved.

Another happy ending in the world of troubleshooting Lync.

Posted in Lync | 1 Comment

Lync Web App and Google Chrome

There was a recent update to Lync Server 2013 (including Lync Server 2013 as found in Office 365) that included a new error page for Chrome users.

It appears that Google dropped support for some older APIs that have been deprecated in Chrome. The APIs were for QuickDraw and Carbon.

While I have not had the experience of seeing the error page, I have heard that is reads:

Lync Web App

Google Chrome no longer supports Lync Web App

To join the meeting:

1. Copy the meeting URL

2. Open Internet Explorer or Firefox

3. Past the URL in address bar, and hit Enter

UPDATE (Dec 15, 2014): Microsoft posted something on this issue last night.

And another UPDATE today (Dec 17, 2014):

Posted in Uncategorized | Leave a comment