Category Archives: Lync RC
At this time, there are going to be a few scenarios where you may need to deploy the R2 version of Communicator Web Access with Lync Server 2010. The core reason here, is that the RTM Version of Lync Server 2010 contains a feature on the front end called Lync Web App. Eventually, Lync Web App will become a full featured web client, however, today it is only used for users to join online meetings from the web. There is no ability to access Lync Web App from a URL and sign-in, or use it as a instant messaging too. This is planned to be released SP1 of the product, that timeframe is unknown right now.
To fill this gap, customers will have to deploy the OCS 2007 R2 CWA role, which can register against a Lync Server 2010 Pool. This post will show you how to configure OCS 2007 R2 CWA to work in your Lync Server 2010 environment.
Preparing the Environment
The most important piece of information in this blog, is that the Schema Prep for OCS 2007 R2 must be run in the environment before the Lync Server 2010 Schema Prep, or you will not be able to install the R2 version of CWA. If this is a deployment where there have not been prior installs of OCS 2007 R2, you will need to obtain this media, and run that Schema Prep before your Lync deployment starts, so it is very important to plan for this in your design/planning phase of your project.
Also, to get straight to the point for this blog, I am going to assume you have prepared the schema in the correct order, have your Lync Server 2010 environment online, and have already installed the CWA Role on a server. I will walk through creating the virtual directory, as well as integrating it with your Lync environment.
Use this Deployment Guide to install and configure the CWA role
Creating the OCS 2007 R2 Virtual Web Server
One you have the CWA role installed, and a valid certificate installed on the server, you must configure the virtual web server that clients will access.
I will walk you through the process for creating an External web server, however the same process applies for the Internal web server. The difference being the types of authentication allowed, external allows forms, where as internal also allows NTLM authentication.
Login to your R2 CWA server, and open the Communicator Web Access Admin Console
Once in the admin console, right click on your server and choose Create Virtual Web Server
Navigate through the setup wizard, choose only your Web Server Type, in my case I am choosing External. Make sure to select a valid HTTPS certificate when prompted.
When you get to this section, Specify IP Address and Port it is important to note that this is the IP and listening port for your web server, not the communication between Lync and your CWA server, we will get to that next.
After entering a description for your virtual web server, the most important part of this wizard is the Specify a Listening Port section. This port defines what this application will listen on, and communicate with your Lync front end on. Because of the change in ports between OCS R2 and Lync, previously used values like 5070, or 5071 as you will see in older blog posts of mine do not work. You must pick a port that is not being used by an application currently. For my example I am using 4790.This can be any port, as long as your Lync front end and this server can communicate on that port.
Next, define your next hop pool, choose the appropriate Lync pool as your next hop and leave the port to default 5061.
Complete the wizard and start the virtual server.
Your settings should look similar to this
Now that you have completed this, you will need to make Lync aware of this server.
As you will find in the OCS 2007 R2 to Lync Server 2010 Migration Guide, you must merge your Legacy (OCS 2007 R2 components in to your Lync Topology.
Configuring Lync Server 2010
Now that we have our CWA server configured, we must make the Lync topology aware of this server. To do so, we will merge the legacy topology in to our Lync topology. This is possible through PowerShell using the Merge-CSLegacyTopology cmdlet, however I will be using the GUI.
Before completing this task, you must install the OCS WMI Backwards Compatibility tool, this can be found on the install media, called ocswmibc.msi
First, navigate to your Lync front end and open the Topology Builder.
If you already have coexistence with a R2 environment you will be very familiar with this process, and you will also see the BackCompatSite listed.
Right click where it says Lync Server 2010 and choose Merge 2007 or 2007 R2 Topology
In this post, I am assuming there are no R2 pools, and we are just importing the CWA server and web site. Because of that, you will actually leave the wizard blank when it asks for servers. This wizard will connect to servers in your environment and pull configuration data out of WMI, and input them into this BackCompatSite that will reside on the CMS. This is the major change from OCS 2007 R2 to Lync, is what used to be in WMI, is now in the CMS. You can find plenty of resources to get into more detail about that on Nexthop.
Verify the setting selected in the wizard, and choose Next to merge your legacy topology.
Everything should complete, choose Finish and you will now see your new site.
Expand BackCompatSite and expand TrustedApplicationServers for this blog post, we are concerned only with the trusted application servers, this is where your CWA, and other R2 server roles like group chat will appear.
Once you have verified that your R2 CWA server appears correctly, right click where it says Lync Server 2010 and choose Publish Topology.
Once you have published your topology, we will have one last step to verify our web server was imported correctly.
Open the Lync Server Management Shell and run the following command: Get-CSTrustedApplication
This command will return trusted applications that are associated with Trusted Application Servers and Trusted Application Pools in your environment, you may have many depending on your topology. However the two we are looking for, involve CWA.
Your output should return something similar to below:
I have crossed out my server names, however there should be the FQDN of your CWA server where I have marked.
The two entries represent the external facing web site that users hit, as well as the port that is used to communicate with the Lync front end, as you can see highlighted below, the port you assigned should be listed there.
You should now be able to login to CWA as a Lync Server 2010 user! If you run into issues, make sure to check out this blog relating to the SPN error related to CWA service accounts in R2.
Also, make sure that your CWA server is on the latest release of OCS 2007 R2 patches which can be found here:
I hope this helps you extend CWA capability to your Lync users, if you have any issues please contact me via the comments and I will try to help you the best I can.
A common theme I am seeing lately is that people have setup Lync test environments, and are required to start from scratch for one reason or another. The problem is active directory is still detecting their old topology and causing issues with moving forward with the new environment.This post will cover what is required to remove references to the Lync deployment from Active Directory.
One very important thing to note here, once you extend your AD Schema, unless you revert from a backup, you will not be able to back out those changes. As a quick reference, lets go over what Lync Server 2010 does when you extend the schema.
In Office Communications Server 2007 R2, majority of configuration data was stored in Active Directory, however Lync Server 2010 stores most of the configuration data in the Central Management Store, which is a SQL database that lives on your servers in the topology. Lync Server 2010 still stores certain information in active directory including:
- Schema extensions:
- User object extensions
- Extensions for Office Communications Server 2007 and Office Communications Server 2007 R2 classes to maintain backwards compatibility with supported previous versions
- Data (stored in Lync Server extended schema and in existing schema classes):
- User SIP Uniform Resource Identifier (URI) and other user settings
- Contact objects for applications such as Response Group and Conferencing Attendant
- A pointer to the Central Management store
- Kerberos Authentication Account (an optional computer object)
Now, there are a ton of Attributes and Classes involved, because of the backwards compatibility with OCS 2007 R2, however I am simply going to cover the references to your pools, pool servers and your topology, and how to get rid of them. When the RTM documentation is released, it will have a full list of all attributes and classes.
Central Management Store References
The key change in Lync Server 2010 is the reference to the Central Management Store that is created in active directory. When you install your first server in the environment an Active Directory Service Connection Point is created in AD referencing the location of the central management store, all servers going forward pull from that reference point to identify where they should be pulling configuration data from. Once they have made that first pull, Lync Server 2010 keeps each of the local configuration stores up to date in a replication process. It’s a similar setup to Active Directory, if you think about domain controllers having a local store of data, and it replicates across all, same concept with the Lync CMS.
You can view this SCP through ADSI Edit.
Open ADSI Edit and connect to the context where your data is stored, either Configuration or System. Below I am showing System.
Expand Microsoft->RTC Service->Topology Settings
If your right click and choose Properties you will see the most important data, the server and version that is holding the CMS.
Essentially the commands below manage this entry.
There are a couple PowerShell commands that can be used to manage the CMS Connection in Active Directory.
Commands to view the status and location of the CMS
The command Get-CSManagementStoreReplicationStatus
This command can be run by itself to see the status of replication across all of the servers in your topology
You can also run this command with the switch –CentralManagementStoreStatus to view information about your central management store:
This command will give you very valuable information, for this purpose it will show you what your connection point is referencing, and in troubleshooting, you will be able to identify any issues with your CMS.
You can also do a very basic command to report on the location of the CMS.
The command Get-CSConfigurationStoreLocation
This simple command will print the CMS location in a single line.
There are a couple ways we can change where the CMS reference in AD points to, as well as to completely remove the connection point.
Modifying or Deleting the CMS Location in Active Directory
The command Move-CSManagementServer
This command will move your CMS between pools. This is useful if you have your existing CMS still online, and will be making a smooth transition to the new servers. If you do not have your old CMS server available, you will not be able to use this command unless you have a valid backup of your configuration data. These backups can be obtained by running Export-CSConfiguration and Export-CSLISConfiguration. That will backup to ZIP files, which can then be used with the Move-CSManagement store command to restore the configuration and repoint the SCP to the new pool.
The syntax for this command is pretty basic, here is the reference from the Help File:
Before you move the Central Management Server, you must do the following:
1. Verify that you have created the new Central Management store. This is d
one by running the Install-CsDatabase cmdlet and using the CentralManagemen
2. If you are moving the Central Management Server to a Standard Edition se
rver, verify that you have used local setup to run the Prepare Standard Edi
tion server option. This advance preparation is required to add firewall ru
les that will allow Windows PowerShell to remotely access the new Central M
3. Verify that there is enough free disk space on the computer where Move-C
sManagementStore is being run to accommodate the Central Management Server.
4. Verify that the Front End Server service has been installed on the compu
ter where Move-CsManagementStore is being run. If this service is not insta
lled, and running, then the move will fail.
5. Verify that you can successfully run the Enable-CsTopology cmdlet on the
computer where Move-CsManagementStore is going to be run. If Enable-CsTopo
logy cannot be run on that computer then the move will fail and you will no
longer have a functioning Central Management store.
After you have completed these steps, all you need to do to move the Centra
l Management Server from Pool A to Pool B is log on to a computer in Pool B
and then call Move-CsManagementServer without any additional parameters:
When you do that, Move-CsManagementServer will consult the topology to dete
rmine the prior location of the Central Management Server (Pool A), and th
en transfer the Central Management Server and the Central Management store
to the current pool (Pool B).
If the move succeeds, Move-CsManagementServer will display a list of comput
ers on the screen. In order to finish the move, you must run local setup on
each of these computers. Computers in Pool A will still be running an inac
tive version of the Central Management service; running local setup will de
lete that service. The computer in Pool B where the Central Management Serv
er was moved will be running the Central Management service; however, other
computers in the pool will not. Running local setup on these computers wil
l install the Central Management service.
Two important parts:
- Make sure you have properly prepared your new Front End/Pool Server prior to running this command (see documentation on setting that up)
- Login to the NEW server which will contain the CMS, open the Lync Powershell, and run Move-CSManagementServer
The command Remove-CSConfigurationStoreLocation
This command will actually remove the service control point in Active Directory that points to your Central Management Store. You can also include the parameter –Report with a file path to output a report of the activity for confirmation.
When you perform Remove-CSconfigurationStoreLocation the reference is deleted from active directory.
This step would be more common in lab scenarios where you are starting from scratch and just need a quick and dirty way to remove reference to your topology. To completely remove references to old topology objects, you will also need to remove some additional entries using ADSI Edit.
How to Remove Server Entries from AD using ADSI Edit
When you deploy a Lync topology in your environment, the servers are also references in AD. Most importantly, when you do not properly remove a server, there will be stale references to this throughout the entire RTC Service CN in Active Directory.
- I will show you how to remove references to these old servers and old pools.
- When you are looking at the tree, you will find specific references to servers and pools in Global Settings, Pools, Trusted MCUs, Trusted Services and Trusted WebComponentsServers.
You may also find old references to application contacts and conference directories if those were not properly removed. It is safe to say that you can run through each of these and remove references to your old servers if you are certain they will not be in use anymore.
Global Settings and Trusted Services
If you expand Global Settings you will see entries, the number of entries will depend on how much you have going on in your environment.
We can search for specific servers are are looking to remove by using LDP to perform queries looking for this server.
First, you must open LDP and bind to the correct DN.
Start->Run type LDP and hit enter
Select Connection choose Connect and enter a valid domain controller to connect to
Then you must Bind as a valid user, choose Connection and choose Bind, either use the currently logged in user, or specify an account with privileges.
Now we will display the Tree we will be searching through. Select View->Tree
If your information is stored in your System container, you must choose DC=domain,DC=com where domain is your domain. If it is stored in configuration you should choose CN=Configuration,DC=Domain,DC=COM
Expand down to your RTC Service container that we were viewing before in ADSI Edit
Now that we are bound and connected to the correct tree, its time to start searching. If your server is referenced in Global Settings or Trusted Services we will be looking for msRTCSIP-TrustedServerFQDN
Right Click on RTC Service and choose Search
For the filter enter the following, replacing serverfqdn with the server you wish to remove
In my example I am searching for “winx-cs2010b3.winxnet.com”
Make sure to select Subtree so it searches all trees below for this entry.
Select Run, the query should return results in the right pane with specific CNs, we will want to navigate to these Cs and delete them.
Copy these results, we will use them as a reference to delete these entries using ADSI edit.
Before deleting, review the properties of each of the CN to make sure it is a valid item to delete. Most of these are references to the individual services on those machines, which is evident from the different TrustedServicePort and ServiceType
Open ADSI Edit for each entry in your search results, navigate to the full DN, right click and choose Delete
Pools usually does not require the use of LDP as the list is so short and easy to identify. Lync identifies pools in active directory with numbers, if you have any beta pools, you may also see them referenced as Sitename:1,2,3 . As you can see in my screenshot, I have a few of each. identify the pool you want to delete, and simply right click and choose Delete
The Trusted MCUs entry is similar to Trusted Services. We will perform a LDP query for the attribute msRTCSIP-TrustedMCUFQDN
Follow the steps above for Global Settings and Trusted Services replacing msRTCSIP-TrustedServerFQDN with msRTCSIP-TrustedMCUFQDN
Your results should return three per server, because of IM/Audio/Video and Data. Copy the results and set aside.
Following the same steps above for Global Settings and Trusted Services, delete each DN that you wish to remove.
Trusted WebComponentsServers entries are created usually per front end server you put in your environment both for OCS 2007 R2 and Lync Server 2010. You can search using LDP and the attribute msRTCSIP-TrustedWebComponentsServerFQDN
Follow the same steps above to search for that attribute, and delete any DNs associated with the server you are trying to remove.
I hope this helps people understand how the central management store is referenced in active directory, and also how to do some cleanup if you did not properly remove servers from your environment. As always. open to comments about ways to improve the methods, or your own methods for performing these steps!
I created this powershell for our internal onboarding process, figured I would share it with the masses.
I think there are a couple good takeways from this script, it remotes into Exchange 2010 and Lync Server 2010 Powershell sessions, so nothing except Powershell 2.0 is required on the client side, which is standard with Windows 7. It also shows how you can simultaneously use Exchange and Lync powershell commands in the same script to get things done.
A couple of disclaimers:
I am in no way advanced at powershell scripting, so nothing fancy here.
This was developed specifically for my internal needs, you will probably have to add/remove variables and requirements.
Script is above, any freedback is appreciated, if you improve on this at all, I would love to see it as well.
I am very proud to announce that I have been awarded 2010 Microsoft MVP for Communications Server!
Here is a quote from the MVP site on what this means exactly:
The Microsoft MVP Award recognizes exceptional technical community leaders from around the world who voluntarily share their high quality, real world expertise with others. Microsoft MVPs are a highly select group of experts representing technology’s best and brightest who share a deep commitment to community and a willingness to help others. Worldwide, there are over 100 million participants in technical communities; of these participants, there are fewer than 4,000 active Microsoft MVPs.
At Microsoft, we believe that technical communities enhance people’s lives and the industry’s success by providing users with the opportunity to have conversations about technology that catalyze change and innovation. Technical communities help users adopt new technologies more quickly and more effectively. Also, they help Microsoft product developers understand the "pulse" of our users and better meet our customers’ needs. As the most active, expert participants in technical communities, MVPs are recognized and awarded for their inspirational commitment to technical communities.
In order to receive the Microsoft MVP Award, MVP nominees undergo a rigorous review process. Technical community members, current MVPs, and Microsoft personnel may nominate candidates. A panel that includes MVP team members and product group teams evaluate each nominee’s technical expertise and voluntary community contributions for the past year. The panel considers the quality, quantity, and level of impact of the MVP nominee’s contributions. Active MVPs receive the same level of scrutiny as other candidates each year.
MVP Award recipients reflect Microsoft’s global customer base and the breadth of Microsoft’s technologies. MVPs have been awarded in new categories such as Windows Live, Xbox, VSTO, Microsoft Dynamics, and Visual Developer Team System. A significant portion of new MVPs represent emerging markets in China, Russia, and Korea, as well as smaller markets like Ghana, Nepal, Macedonia, and Macao.
MVPs also represent the diversity of today’s technical communities. Respecting the user’s desire to get technical information in a variety of ways, Microsoft recognizes both online and offline community contributions. Reviewers consider the contributions that nominees make to traditional communities such as public newsgroups and third-party Web sites, as well as emerging community venues such as forums and blogs.
Microsoft MVPs are an amazing group of individuals. By sharing their knowledge and experiences and providing objective feedback, MVPs help people solve problems and discover new capabilities. It gives us great pleasure to recognize and award MVPs as our way of saying thank you for their demonstrated commitment to helping others in technical communities worldwide. We sincerely appreciate their efforts. Microsoft would like to congratulate and thank this year’s MVPs.
Thanks to everyone who views my blog, and finds this information useful. More great content to come this year!
In my first blog post around TMG 2010, I outlined the setup of TMG and configuration for publishing OCS 2007 R2 web components and then CWA services through that same server. Please reference that post for the basics around the network configuration for this TMG server, and I will cover configuring publishing rules for your Lync Server Simple URLs and web components in this post.
First, I assume you have configured simple urls and web services when deploying your topology, and now need to publish this externally.
My URL information is as follows:
|Component||URL||IP Internal||IP External||Port on Front End||Port on External/ISA|
|Web Services||lyncweb.winxnet.com||10.117.117.9||18.104.22.168||8080 and 4443||80 and 443|
|Dialin Simple URL||dialin.winxnet.com||10.117.117.9||22.214.171.124||8080 and 4443||443|
|Meet Simple URL||meet.winxnet.com||10.117.117.9||126.96.36.199||8080 and 4443||443|
First off, let me point out by saying that you can use a single external IP address for all three of these URLs, as they go to the same place. Also, if you open IIS manager on your front end server, you will notice there is an internal, and an external site, the internal listens on 80 and 443, and the external on 8080 and 4443. When proxying requests through TMG, you will be sending external clients to the external site, listening on 8080 and 4443.
Also, one not so commonly known fact is that the Meet simple URL is required to provide external access to meetings. You will notice when clicking on the link to Join Online Meeting in your outlook, it is directing you to your meet simple URL.
As far as certificates go, you must also have a certificate with the following names:
Common Name: lynecwebservicesexternalurl.domain.com (lyncweb.winxnet.com
Subject Alt Name(s): meetsimpleurl.domain.com,dialinsimpleurl.domain.com(meet.winxnet.com,dialin.winxnet.com)
Import this certificate to the TMG server, and you can proceed with the following steps for configuration.
Another important thing regarding DNS:
If you have a separate internal domain name, you will need split brain DNS to get this working. You should already have split brain DNS configured to get your internal clients to work with auto signin.
For example, if your internal domain name is winxnet.local and your external is winxnet.com, your simple urls should be for the winxnet.com namespace, however you will need to resolve the winxnet.com simple URLs to the correct internal address.
At winxnet, we actually have a single namespace, winxnet.com so it was an oversight to point out the fact that you would need these DNS entries resolvable
internally and externally for this to work.
Thanks to Adam in the comments for pointing this out and working through the issue with me. Check out this link for a great review on how this DNS
configuration works for the rest of the services:
Steps to Create Publishing Rule
While in the TMG or ISA management console, Right click on Firewall Policy and choose New->Web Site Publishing Rule
Enter a name for the rule like Lync Web
Follow the wizard with the following options:
Select Rule Action : Allow
Publishing Type: Publish a single web site or load balancer
Server Connectivity Security: Use SSL to connect to the published Web server or server farm
Internal publishing details:
Internal Site Name: FQDN of front end server (winx-lyncrc1.winxnet.com)
If your internal server is a Standard Edition server, this FQDN is the Standard Edition server FQDN. If your internal server is an Enterprise pool, this FQDN is a hardware load balancer VIP that load balances the internal Web farm servers. The TMG Server must be able to resolve the FQDN to the IP address of the internal Web server. If the TMG Server is not able to resolve the FQDN to the proper IP address, you can select Use a computer name or IP address to connect to the published server, and then in the Computer name or IP address box, type the IP address of the internal Web server. If you do this, you must ensure that port 53 is open on the TMG Server and that it can reach an internal DNS server or a DNS server that resides in the perimeter network.
Path (optional): /*
Public Name Details:
Public Name: FQDN of external web services (lyncweb.winxnet.com)
Select Web Listener: Select New(This will open the new web listener wizard)
Web Listener Name: Anything you want, something like Lync Web Listener)
Client Connection Security: Require SSL secured connections with clients
Web Listener IP Address: Select External and then Select IP Address choose the appropriate IP address and add it to the listener
Listener SSL Certificates: Select Assign Certificate for Each IP Address, select the IP associated before, and choose your valid certificate.
Authentication Setting: No Authentication
Single Sign On Setting: Ignore, click Next
Complete the web listener wizard and choose Finish
Authentication Delegation: No Delegation, but client may authenticate directly
User Set: Ignore, click Next
Complete the rule configuration wizard and choose Finish. Then at the top hit Apply to save the configuration.
Once the rule is created, there are a couple important settings that need to be changed, this is really the only thing that makes the Lync setup different from OCS R2.
Open the newly created rule and modify the following settings.
On the To tab, ensure that the Forward the original host header instead of the actual one check box is checked.
On the Listener Tab, click to modify the properties of the web listener
Navigate to the Connections tab and enable port 80
On the Bridging tab, select to Redirect requests to SSL port and Redirect requests to HTTP port, enter 8080 and 4443 for your ports.
On the Public Name tab, add the Simple URLS to the list of allowed public names. In my example: meet.winxnet.com and dialin.winxnet.com.
Once these changes have been made, Apply the configuration and you are done. To verify access, you can test the following URLs in Internet Explorer.
For address book server: https://externalwebservicesfqdn/abs (https://lyncweb.winxnet.com/abs) You should receive an HTTP challenge, because directory security on the ABS folder is configured for Windows Authentication by default.
For Web conferencing: Generate an online meeting request in Outlook, or a meet now request in Lync 2010, try joining the URL provided from external, it should be similar to this: https://meet.winxnet.com/rwintle/KG2K4HDM
You should now have functioning simple URLs and web services which provide the following functionality:
- Enabling external users to download meeting content for your meetings.
- Enabling external users to expand distribution groups.
- Enabling remote users to download files from the Address Book Service.
- Accessing the Reach client
- Accessing the dial-in Web page
- Accessing the Location Information Service
- Enabling external devices to connect to Device Update Service and obtain updates.