Category Archives: Skype for Business

3- Migrate Users from Skype for Business 2015 to Teams

 

Hybrid Integration

In my last post about Skype for Business / Office 365 Skype for Business Online/Teams migration article I discussed the steps of how to create a hybrid environment between Skype for Business on-premises and went through the troubleshooting of each issue I have been through. In this article I am going to discuss the migration of users from on-premises to the cloud through UI and PowerShell.

Migrating users

This article will assume that you are planning to migrate users from Skype for Business Frontend 2015 Server and that you already have a hybrid configuration in place. If so then you’re going to fulfill the following prerequisites:

To check the currently installed PowerShell run the following cmdlet

$PSVersionTable

clip_image001

After you Download and install PowerShell 5.1 you might need to restart the server. In which case the PowerShell will show that it is updated to the required version.

image

After Installing the Skype Online Connector Module, We will be able to connect right after launching PowerShell

To do so type:

Import-Module SkypeOnlineConnector

image

Connecting to Office 365 (Teams Online or Skype for Business Online)

The process of connecting to Office 365 Online PowerShell sounds easy but with MFA enforced in your environment you’ll have a nightmare mix of errors when you try so.

I have came through a lot of errors trying to force the use of PowerShell with MFA user authentication but eventually came to realize that Microsoft still does not support MFA for some cmdlets like Move-CsUser for instance.

So In short, to connect you’ll need to have a global or Teams admin user with MFA disabled to do so.

To create a new Skype Online Session enter:

– Make sure you start the regular PowerShell as admin and not Skype for Business Management Shell.

If you run these commands from SfB Management Shell you’ll get an error

image

So first, We will import the Skype Online connector Module

Import-Module SkypeOnlineConnector

image

Then get the OverRidePowershell URI using the command:

Get-CsOnlinePowerShellEndPoint

image

 

Next, We will connect and authenticate to our tenant using the following cmdlet

$sfbsess = New-CsOnlineSession -Username User@domain.onmicrosoft.com -OverRidePowerShellUri https://admin4a.online.lync.com/OcsPowershellOAuth –Verbose

image

Moving Users to Teams

To Move users to Office 365, You need to first provide credentials of the User with MFA disabled and then use the command Move-CsUser

An Example:

$Creds = Get-Credential

image

Moving User

Move-CsUser –Identity user@domain.com –target “sipfed.online.lync.com” –hostedMigrationOverRideUri https://admin4a.online.lync.com/HostedMigration/hostedmigrationservice.svc –ProxyPool “YourFEPool.Domain.local” –Credential $Creds

image

Let’s check the status of the migrated user, The hosting provider attribute is what we care about as it tells us where the user is homed at.

image

 

Checking the user from Teams Portal

Users seems to be licensed, online and can now login using the Microsoft Teams app.

image

Bulk Enable Users and assign Tel URI numbers to them

In case you have a big number of users that you want to enable them online

# Please provide your O365 admin credential

$creds = Get-Credential

-PSSession (New-CsOnlineSession $cred) -AllowClobber

$csv = Import-csv “C:\Users\Mohammed\users.csv”

ForEach ($user in $csv) {

Write-host now enabling $user.alias

Move-CsUser –Identity $user.alias –target “sipfed.online.lync.com” –hostedMigrationOverRideUri https://admin4a.online.lync.com/HostedMigration/hostedmigrationservice.svc –ProxyPool “YourFEPool.Domain.local” –Credential $creds

}

The CSV File will look like this

Alias

user@domain.com

user2@domain.com

 

Moving User back to On-premises (From Office 365 to SfB 2015 )

On Frontend Server Launch PowerShell as Administrator then:

A- Import-Module MicrosoftTeams

B- Connect-MicrosoftTeams

After you connect you’ll get the following result:

Now that you’re connected to your tenant, Try to create a Skype for Business session with the following commands

C- $sfbsession = New-CsOnlineSession

D- Import-PsSession $Sfbsession

You should get the following result

Type the following command to move the user back to On-premises environment:

Now last and most important note is that since I am using Skype for Business 2015 Server, I have to use the parameter -UseOAuth which uses modern authentication.

Move-csuser -Identity User@domain.com -target PoolHostname.Domain.Local -UseOAuth -Verbose

This should get it to work finally

 

Errors you might face

Error 1:

When you have your on-premises user enabled for dialin you will probably get the following error if you try to migrate them to Skype for Business online or teams.

Move-Csuser :: HostedMisrat ion fault: Error=(511), Description=(The user could not be moved because he or she is enabled for dial-in conferencing on-premises, but has not been an assigned an Audio Conferencing license in Office 365. Users must be licensed before they can be moved to Teams or Skype for Business Online.)

If you are sure do want to use migrate this user without an Audio Conferencing license, specify the

“BypassAudioConferencingCheck” switch. ) At line: 1 char: 1

clip_image001[4]

The Solution is to either provide an audio conferencing license  or as it is showing in the error itself as it says use the switch -BypassAudioConferencingCheck to ignore that.

Error 2:

When trying to import the session, I got the following error

the runspace state is not valid for this operation for PowerShell Online.

clip_image001[6]

Solution: To overcome this problem you’ll need to use the overridePowershellUri Parameter in the New-CsOnlineSession in order to connect to Skype online powershell.

To get your tenant’s PowerShell URI use the cmdlet Get-CsOnlinePowerShellEndPoint

What you need to use is the AbsoluteUri

clip_image001[8]

Error 3:

When you try to import the SkypeOnlineConnector module and then run the New-CsOnlineSession cmdlet from Skype for Business Management Shell you’ll get the following error after authenticating.

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.

Troubleshooting details

If you contact your administrator, send this info to them.
Copy info to clipboard  
  
Request Id:  f0f97265-4669-4e4f-bcf7-609469e92f00
 
Correlation Id:  829c8a2b-f697-416f-bfa6-4a794a229a13

Timestamp:  2021-01-10T23:00:10Z
 
Message:  AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.
     

Advanced diagnostics: Disable
  
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

image

Solution:

Run the cmdlets from Windows PowerShell as admin not Skype for Business Management shell.

Error 4 

Get-CsOnlinePowerShellAccessInformation : Unable to get response from https://admin4a.online.lync.com/OcsPowershellOAuth.
At C:\Program Files\Common Files\Skype for Business Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:160 char:20
+ … pAuthInfo = Get-CsOnlinePowerShellAccessInformation -PowerShellEndpoi …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsOnlinePowerShellAccessInformation], Exception
+ FullyQualifiedErrorId : System.Exception,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellAccessInformationCmdlet

Error 5

Move-CsUser
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is “Y”): y
move-csuser : The underlying connection was closed: An unexpected error occurred on a send.
At line:1 char:1
+ move-csuser -identity user@domain.com -target D2-POOL01.clou …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (CN=user …domain,DC=net:OCSADUser) [Move-CsUser], WebException
+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserCmdlet

Solution:

1- Make sure you have the proper Powershell version.

2- Make sure you enable TLS1.2 as default, for a quick solution use this PowerShell script 

[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;

3- Use MFA enabled account by following these steps to login and move user.

A- Import-Module MicrosoftTeams

B- Connect-MicrosoftTeams

After you connect you’ll get the following result:

Now that you’re connected to your tenant, Try to create a Skype for Business session with the following commands

C- $sfbsession = New-CsOnlineSession

D- Import-PsSession $Sfbsession

You should get the following result

Now last and most important note is that since I am using Skype for Business 2015 Server, I have to use the parameter -UseOAuth which uses modern authentication.

This should get it to work finally

References:

https://docs.microsoft.com/en-us/microsoftteams/upgrade-to-teams-on-prem-overview

https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online

https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-install

https://docs.microsoft.com/en-us/skypeforbusiness/troubleshoot/hybrid-move-sfb-online/move-csuser-hostedmigration-fault-507

https://docs.microsoft.com/en-us/powershell/module/skype/move-csuser?view=skype-ps

Skype for Business IM integration with Exchange 2016 OWA–Part 2

This article is a completion of Part 1, Click here to go to Part 1

Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11- Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

    7- On Exchange Server: Enable OWA VD Instant Messaging

    Part of enabling IM integration between Exchange and SfB is to enable OWA Virtual Directory to allow this. The below cmdlet does the job for you on all your Exchange Servers

    From Exchange, Launch Exchange Management and run the following cmdlet

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType Ocs

    clip_image001[6]_thumb

    8- On Exchange: Enable Messaging on OWA Policy

    Run the following to enable Messaging for Owa Policy

    Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType Ocs

    clip_image001[6]_thumb[1]

    9- On Exchange: Create Enterprise Application for Skype Pool.

      From Exchange Management shell Run the following cmdlet

      Cd $exscripts

      .\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl “https://sbg-pool01.domain.com/metadata/json/1” -ApplicationType Lync

      The AuthMetadataUrl is going to be your local Skype for Business Pool URL. This URL should work in your Exchange server without any Certificate error. Meaning that the certificate assigned to your Skype for Business pool should already be imported to Exchange Servers to trust this URL.

      image_thumb[14]

        If your previous configuration is correct then you should see the “The Configuration has Succeeded” Message.

          10- On Exchange: Create new SettingOverride for Skype for Business.

          Notes:

          • To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory forest, don’t use the Server parameter.

          New-SettingOverride -Name “<UniqueOverrideName>” -Component OwaServer -Section IMSettings -Parameters @(“IMServerName=<Skype server/pool  name>”,”IMCertificateThumbprint=<Certificate Thumbprint>”) -Reason “<DescriptiveReason>” [-Server <ServerName>]

          The Thumbprint you use here will define if whether IM will work or not as this what secures the communication between Exchange and Skype. If you use the wrong certificate your Integration will fail and users wont be able to login to IM through OWA.

          11- Generate a new Certificate for Exchange IM

          IMPORTANT NOTE:

          In order for IM in OWA to work the certificate you will generate must have its common name set as mail.domain.com to match the configuration.

          Using Digicert tool on Exchange Server I will generate the CSR of the new certificate

          Click on Create CSR

          image_thumb[15]

          Choose SSL certificate type and make sure you choose Mail.domain.com as CN

          In the SANs type all of the involved servers (Skype for Business Frontends, Mailbox servers in FQDN and in Hostnames as in the screenshot below). and click on Generate

          image_thumb[16]

          • Go to your CA Server’s CertSRV URL and copy the CSR code there to generate the new certificate.
          • Import the new certificate to the current server, then export it in PFX format and import it to all the Exchange Servers you’re planning to use.

          image_thumb[18]

          • After importing the certificate I will verify that I can see the private key

          image_thumb[19]

          Click on the Details and copy the Thumbprint or from MMC right click the certificate > Properties give it a friendly name e.g. (IM) and then from Exchange Management shell you can copy the Thumbprint directly.

          Get-ExchangeCertificate | select thumbprint,friendlyName

          image_thumb[20]

          Now use the previous script to create the setting Override for OwaServer.

          Things you can change are in bold “Name, IM Servername Value, and the Thumbprint value”.

          New-SettingOverride -Name “IM Override” -Component OwaServer -Section IMSettings -Parameters @(“IMServerName=SBG-Pool01.domain.com“,”IMCertificateThumbprint= 28E4B1BA0F2FCB1535AF199F02A64EFC78367F2D“) -Reason “Configure IM”

          image_thumb[21]

          If you enter the server parameter to use a single server you can change that by using. Note that you must not use FQDN but rather only the server’s hostname.

          Get-SettingOverride | Set-SettingOverride -Server sbg-mx01,sbg-mx02

          image_thumb[22]

          This should generate an event ID 112 on Exchange servers involved in the deployment.

          clip_image001[9]_thumb

            12. Assign the newly imported certificate to IIS Exchange Back End site

            Once the certificate is in the server store, You will be able to easily find in from IIS and bind it to the Exchange Back End site.

            This is the most crucial step to get IM to work in OWA. Don’t worry about breaking up Exchange Sites or Powershell. If you have added Exchange Servers Hostnames and FQDNs in this certificate then you should be good.

            • Now Launch IIS
            • Click on Exchange Back End
            • Select Binding
            • Click on the 444 port and edit
            • Select the newly generated certificate that has the mail.domain.com as CN. (This certificate must also have all Exchange Servers hostnames and FQDNs set as SANs)

            image_thumb[23]

            image_thumb[24]

            Make sure you change the backend cert to the new on all the involved Exchange Servers.

            13. On Exchange: Restart the WebAppPool

            Restart-WebAppPool MSExchangeOWAAppPool

            image_thumb[25]

              14. Log out and sign back in to OWA to Check

              Log out of OWA and back in and check if you are able to Login to IM . It should normally sign you in automatically but in case of an error then you should see it.

              image_thumb[29]

              In case of an error you should see the following.

              image_thumb[27]

              If it works then you should see the presence

              image_thumb[28]

              15. Troubleshooting Methods

              If you follow the above steps correctly then it should work especially when applying the right certificate for your Exchange Back End IIS part however if you face an error then you should do the following steps to troubleshoot the error

              • Set the Eventlog for Instant Messaging on Exchange from Low to High

              Set-EventLogLevel -Identity “sbg-mx01\MSExchange OWA\InstantMessage” -Level High

              image_thumb[30]

              • Look in the following path for errors

              C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

              • Check the Healthset of the OWA Instant Messaging.

              Get-ServerHealth -HealthSet OWA.Protocol.Dep -Server sbg-mx01 | Format-Table Name, AlertValue –Auto

              image_thumb[31]

              Get-MonitoringItemIdentity -Server sbg-mx01 -Identity OWA.Protocol.Dep | Format-Table Identity,ItemType,Name -Auto

                image_thumb[32]

                Ref

                https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019

                https://docs.microsoft.com/en-us/exchange/high-availability/managed-availability/health-sets?view=exchserver-2019

                Skype for Business IM integration with Exchange 2016 OWA–Part 1

                The Story

                A good and detailed documentation is everything we need to implement any kind of project especially if it’s an integration between two different servers that perform different roles.

                And with PKI involved the complications multiply thus a good article write up is what we need.

                Previously I have tried a test lab with Skype for Business 2015/2019 IM Integration with Exchange 2016/2019 and the result was a complete failure and endless search for what’s missing to get IM to work from OWA?

                image

                ERROR

                Upon completion of the steps mentioned in Microsoft’s Official documentation and after restarting Exchange IIS or OWAAppPool you will see this when you try to login to OWA with your user

                There’s a problem with instant messaging. Please try again later.

                image

                MS Official Documentation

                In their Official documentation Microsoft says that the certificate in question must be trusted by all the servers involved meaning Skype for Business Frontend and Mailbox Servers.

                Meanwhile this is true, it still would not get the IM to login/work although it might drop the initialize event ID 112 in the event log.

                clip_image001

                Here is what MS says about the certificate.

                Exchange and Skype for Business integration requires server certificates that are trusted by all of the servers involved. The procedures in this topic assume that you already have the required certificates. For more information, see Plan to integrate Skype for Business Server 2015 and Exchange. The required IM certificate thumbprint refers to the Exchange Server certificate assigned to the IIS service.

                REF URL: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019#what-do-you-need-to-know-before-you-begin

                image

                Step by Step Deployment

                To do things the way that should get this to work, I will detail steps one by one so we can be sure to get the positive results we are all waiting for when dealing with Exchange and Skype for Business.

                Exchange IM URL 1: mail.domain.com

                Skype for Business Pool FQDN: SBG-Pool01.domain.com

                Autodiscover URL : Autodiscover.Domain.com

                Prerequisites

                1. For Default and Web Service Internal, Your Skype for Business Frontend Server/Pool must use a certificate that is generated from an internal CA which you can use later to generate Exchange’s IM Certificate.
                2. UCMA must be installed (Doesn’t matter if version 4 or 5) both are supposed to work with Exchange 2016.
                3. Local Certification Authority must already be deployed in the domain.

                Configuration Steps – Part 1

                1. On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover
                2. On SfB: Get-CsSite to see what is the current site ID.
                3. On Exchange: Check AutodiscoverServiceInternalURI
                4. On SfB: Create new Partner
                5. On SfB: Create new Trusted Application Pool
                6. On SfB: Create new Trusted Application ID

                Configuration Steps – Part 2

                7. On Exchange: Enable OWA VD Instant Messaging
                8. On Exchange: Enable Messaging on OWA Policy
                9. On Exchange: Create Enterprise Application for Skype Pool.
                10. On Exchange: Create new SettingOverride for Skype for Business.
                11- Generate a new Certificate for Exchange IM
                12. Assign the newly imported certificate to IIS Exchange Back End site
                13. On Exchange: Restart the WebAppPool
                14. Log out and sign back in to OWA to Check
                15. Troubleshooting methods

                Prerequisites

                1- Update or Create Server Default and Web Service Internal Certificate for SfB Pool servers

                The certificate installed on the Skype for Business Pool Frontend servers must be generated from a local Certification Authority which can be trusted by Exchange Server services.

                The Certificate generated for Skype for Business pool as in the below screenshot is generated from my CA and includes the names of the servers:

                • Skype for Business Pool
                • Skype for Business Frontend FQDNs
                • Exchange Servers
                • Autodiscover FQDN
                • Lyncdiscover.domains.com
                • Lyncdiscoverinternal.domains.com
                • sip.domains.com
                • meet.domains.com
                • dialin.domain.com
                • External.domain.com

                image

                image

                2- UCMA must be installed

                On both Exchange and Skype for Business servers I already have UCMA 4.0 version installed, but if you don’t have it or have an older version then you can’t continue without it.

                image

                3- Make sure you have a Local Certification Authority deployed in your domain.

                Configuration Steps – Part 1

                1- On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover

                For Skype for Business Server to find Exchange Autodiscover Service point and to be able to authenticate servers we’ll be using the below cmdlet

                This enables both servers to authenticate and share information when needed and without user’s interference.

                Set-CsOauthConfiguration -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc

                image

                image

                Ref:

                https://docs.microsoft.com/en-us/powershell/module/skype/set-csoauthconfiguration?view=skype-ps

                2- On SfB: Get-CsSite to see what is the current site ID.

                Getting a site ID will be useful for later use to setup the Trusted Application Pool.

                On Skype for Business Management shell. Type the following

                Get-CsSite

                So the Site ID is 1. I will keep this for later use

                image

                3- On Exchange: Check AutodiscoverServiceInternalURI

                Specify the AutodiscoverServiceInternalURI for internal Autodiscover service. Make sure it points to your public URL and certificate not the internal one otherwise your users will get a certificate error through Outlook and might cause IM chat not to work.

                The Cmdlet would be

                Get-ClientAccessService | Set-ClientAccessService –AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

                image

                4- On SfB: Create new Partner Application

                On Skype for Business Server, Launch Management Shell and use this cmdlet to add Exchange as a trusted Application to the SfB topology.

                New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl “https://autodiscover.domain.com/autodiscover/metadata/json/1

                image

                5- On SfB: Create new Trusted Application Pool

                New-CsTrustedApplicationPool -Identity mail.domain.com -Registrar sbg-pool01.domain.com -Site 1 -RequiresReplication $false

                image

                6- On SfB: Create new Trusted Application ID

                From SfB Management Shell run the following cmdlet .

                New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn mail.domain.com -Port 5199

                image

                Finally

                clip_image001[4]

                Click on the link below for Part 2

                Skype for Business IM integration with Exchange 2016 OWA–Part 2

                Deleting Old Skype for Business or Lync server from ADSI

                The story

                I had a project few weeks ago where my client wanted to install Skype for Business 2019 but had installed Lync before and removed the server without doing proper decommissioning which kept dirty records in AD database and had to be removed manually in order to make a new clean installation of Skype for Business 2019

                To do so:

                There are two days of doing so, One is using ADSIEdit and ADUC to remove Computer Objects and Users related attributes and Security Groups.

                I normally would prefer PowerShell but since we can demonstrate both ways for people who like to work with GUI

                Starting with GUI

                Removing Legacy Lync server from the AD Schema

                Prerequisites

                1. Using a domain or enterprise admin
                2. Access to the ADSIEdit.

                Goal of removing Legacy Lync server from your AD environment.

                1. Preparing AD schema and domain for a new deployment after you improperly deleted Lync Servers without uninstalling them.
                2. Cleaning Users’ Lync related attributes for the new deployment.

                clip_image001

                clip_image002

                Step#1: Remove permissions

                This step removes the original Lync permissions from the active director.

                1. Open Active Directory Users and Computers
                2. Right click on your top level domain being cleaned and select Properties
                3. From the Properties windows, select the Security tab.
                4. Remove all security users titled RTC*
                  These are usually
                  – RTCUniversalServerReadOnlyGroup
                  – RTCUniversalUserReadOnlyGroup
                  – RTCUniversalUniversalServices
                  – RTCUniversalUserAdmins

                From <http://blog.armgasys.com/?p=320>

                clip_image003

                clip_image004

                1. Repeat the same steps for each of the following AD Folders and

                  OUs
                  NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
                  – Domain Controllers
                  – System
                  – Users

                Domain Controllers

                clip_image005

                Systems

                clip_image006

                Users

                clip_image007

                Step#3: Additional AD cleanup

                1. Open Active Directory Users and Computers
                2. Drill down as follows
                  [Your Domain] \ Program Data \ Distributed \ KeyMan
                3. Delete LyncCertificates
                  NOTE: This may not exist in all scenarios.
                4. Drill down as follows
                  [Your Domain] Users
                5. Delete all RTC* and CS* users created by Lync
                  I.E. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, Etc.

                image

                Deleting users from the User OU

                clip_image001[6]

                Deleting CS Users

                clip_image002[4]

                Step#4: Cleanup existing users

                This steps resets Lync attributes for any domain users and contacts.

                image

                The Second way: Using PowerShell

                get-aduser -filter {msRTCSIP-PrimaryUserAddress -like “*”}|set-aduser -clear msRTCSIP-PrimaryUserAddress,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserEnabled,msRTCSIP-OptionFlags,msRTCSIP-UserPolicies, msRTCSIP-DeploymentLocator, msRTCSIP-FederationEnabled, msRTCSIP-InternetAccessEnabled

                Result:

                Users attribute are clean and AD has nothing left over of Previous installation of Lync or Skype for Business .

                clip_image001[8]

                Lync Front end event ID 32178

                The Issue: Replication problem occurs between Frontend Servers and Edge

                If you look at the Eventviewer you might find the following error when you have finished deploying Edge or Frontend Server.

                Error:

                Failed to sync data for Routing group {563F57A3-0AC1-560A-91B4-74ACDECB2683} from backup store.

                Cause: This may indicate a problem with connectivity to backup database or some unknown product issue.

                Resolution:

                Ensure that connectivity to backup database is proper. If the error persists, please contact product support with server traces.

                clip_image001

                This error happens when you mistakenly import a certificate that’s not self-signed into the Local computer’s trusted authority store.

                To fix this issue you will have to use the following powershell cmdlet on all the servers that are showing the error
                • Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File “c:\computer_filtered.txt”
                • Then type the command
                • Notepad C:\computer_filtered.txt
                • The command will open notepad file with the certificates details in it.
                • Take a note of all certificate’s thumb print number and open your MMC console
                • Click File -> add the Certificate then choose Local computer
                • Navigate to “Trusted Root Certification Authority” store

                clip_image002

                Check the certificate that their thumb print were shown in the Txt file and remove to the Intermediate Certification authority store.

                If you have many certificates in the Trusted root store, you can manage the view and choose “Issued by” and then click on the certificate that the “Issued to” and “Issued by” do not match

                clip_image003

                double click on it then choose the thumbprint section and try to see if this thumbprint value matches the one in the text and move it to the intermediate store.

                clip_image004

                When you finish, you must restart the servers one by one in order to resolve this issue and then you will notice that the error is gone and that services are back to normal state

                clip_image005

                http://support.microsoft.com/kb/2795828

                Lync common issues

                Publishing Topology on Frontend

                Some of the issues that might face you while you’re deploying Skype for Business/Lync is something that might be stuck within AD.

                A previous installation that was not properly cleaned could result in a failure of publishing the Topology.

                Here is one issue that I had while deploying one for one of my clients.

                Issue

                Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment

                Active Directory Issue?

                Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID

                “lyncedge.domain.local”.

                At line:1 char:1

                + Enable-CsTopology

                + ~~~~~~~~~~~~~~~~~

                + CategoryInfo : InvalidData: (:SourceCollection) [Enable-CsTopology], InvalidDataException

                + FullyQualifiedErrorId : DuplicateADEntry,Microsoft.Rtc.Management.Deployment.ActivateTopologyCmdlet

                clip_image001

                clip_image002

                clip_image003

                Solution:
                • Open ADSIEDIT and look in the following snapshot. Open Configuration for your DC
                • Collapse the menu and click on Services
                • Click on RTC Service
                • Click on Global Settings and on the right pane look if there’s any duplicated entries and remove them.
                • As you can see on my right pane I have 2 duplicated (msRTCSIP-EdgeProxy) and I’m going to remove one of them and see if I can publish my topology or not. But before that I will have to make sure that I export the entry that I wanna delete.

                clip_image004

                I right clicked on the last value and deleted it and here how it became now.

                clip_image005

                Now I will try to publish my topology and see what happens, my topology publishing failed with a new error this time.

                clip_image006

                I will have to go and check where’s this coming from, since it mentions TrustedService. I will go look in the trusted service

                This is not going to be easy, as you need to becareful where you look .. You will need to make sure that you’re looking at the right FQDN

                clip_image007

                Here I could find the value MRAS for the FQDN Edge server

                So I looked here and found 2 identical entries with a different (CN) if you scroll down you will see that the GruuId is the same, FQDN is the same, port is the same.

                clip_image008

                clip_image009

                Let’s delete one of them and see again if we can publish our topology, So I deleted the one that starts with {b344}

                I will do this using the Lync Powershell, you can see below that the Topology was published successfully.

                clip_image010

                To resolve the warning you will have to issue the cmdlet Enable-CsAdForest after the Enable-CsTopology

                clip_image011

                2- SKYPE FOR BUSINESS EDGE SERVER DEPLOYMENT AND HYBRID INTEGRATION WITH SKYPE FOR BUSINESS ONLINE

                Skype for Business Edge server deployment and Hybrid integration with Skype for Business Online

                In the last Skype for Business post I have upgraded my Lync 2013 to Skype for Business (Click here to go to that post). in this article I am going to install Edge server for Skype for Business to the same Lync Environment where I have done the Upgrade to Skype for Business.

                Configuring Edge Server

                Setup NETBIOS

                In order to configure Skype 4 Business Edge, we’ll have to change the Netbios to give it the name of our Domain but we won’t join it to the domain.

                clip_image001[8]

                clip_image002[8]

                Setup NICs

                Edge Server must have 2 NICs, one Local NIC will point out to the Front end server but must not have Default gateway so traffic can only flow through the DMZ out to the internet and back in. but still it must be able to ping to the FE from Edge and vice versa.

                The DMZ network could have a single DMZ address (Public Address to be pointing to) or three DMZ addresses for public IP addresses with standard https ports.

                clip_image003[8]

                clip_image004[8]

                Configure Hostnames

                Edit the Edge server’s host file to include Lync FE and DC’s IP addresses and Hostname

                image

                Install Prerequisites

                • Microsoft .Net Framework 3.5
                clip_image001[10]

                Now I will go back to Skype for Business FE server, I’ll launch the topology builder and add new Edge server

                I will add the first Edge pool which contains of a single Edge server

                clip_image002[10]

                Next, you will have to choose if you want to enable federation with partners or other service providers …e.g. (Google)

                clip_image003[10]

                I am intending to use a single Public IP address with a different ports (nonstandard) since this is a lab. For production use it’s recommended to have 3 public IP addresses, One is for Access Edge, AV and WebConf services.

                clip_image004[10]

                Next I will choose the last option which says that the Edge pool is translated by NAT. I will configure my firewall to NAT ports to the Edge’s DMZ IP addresses from the Public so I am choosing this option.

                clip_image005[8]

                clip_image006[8]

                This is the FQDN’s the default configuration .. It’ll only use a single FQDN for all services if you’re going to use a single public IP address with a different ports.

                IMPORTANT NOTE

                When you use a single IP address with a different ports, the Access Edge port will normally change to 5061 (Not 443 like in the _sip._tls.domain.com) SRV record which will cause failure if you forgot to change this port to match the one in your Topology’s Access Edge settings.

                Next I’ll have to enter my Edge server’s Local IP address.

                clip_image007[8]

                Next I will be asked to enter the DMZ’s IP address which the wizard calls (Private External IP address)

                clip_image001[12]

                Here I am going to place the NAT IP address which is my Public IP address.

                clip_image002[12]

                Next I’ll have to choose which Lync FE pool will be used as the next hop to the Edge pool. In this case I’ll be choosing my main pool since the second is only for resilience purpose.

                clip_image003[12]

                Then I’ll associate the mediation pool for Edge server for external media traffic. I can assign both in this case.

                clip_image004[12]

                Now I’ll click on Finish and right click on the Site name’s properties to enable the SIP federation and XMPP federation then Publish the topology.

                clip_image005[10]

                clip_image006[10]

                clip_image007[10]

                clip_image008[10]

                Now I will setup Azure Active Directory Sync on my DC server in order to sync the required users for the test purpose.

                My domain is adeo.local so I want to change the UPN for users to match the synced domain. (Adeo-office365.ga) and moh10ly.com

                clip_image009[8]

                Installing Azure Active Directory Sync

                Now I will install the prerequisites which consist of the following

                clip_image010[8]

                Net framework 4.5.2 is required for AADS but it’s already installed on my server

                clip_image011[8]

                Next I will install Microsoft Online Service Sign in assistant

                clip_image012[8]

                Next I will install Azure AD Module

                clip_image001[14]

                Finally Azure AD Sync

                clip_image002[14]

                Before moving forward, I’ll have to go to the Office 365 portal and activate DirSync

                clip_image003[14]

                Then use a global admin credentials from O365.

                clip_image004[14]

                Adding the forest using an enterprise admin user account

                clip_image005[12]

                clip_image006[12]

                Due to the fact that my domain adeo-office365.ga’s public dns host doesn’t have SRV configuration because it’s hosted by the famous free domain service (Freenom) so I’ll have to add my original domain moh10ly.com as Lync (S4B) requires SRV records to point to the on-premises lync.

                clip_image007[12]

                clip_image008[12]

                clip_image001[16]

                clip_image002[16]

                clip_image003[16]

                I will only sync one OU, so I will untick the Sync now box and click on Finish

                clip_image004[16]

                I will go to the following path

                “C:\Program Files\Microsoft Azure AD Sync\UIShell” and create a shortcut for the GUI application of AADS on the desktop

                “C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe”

                clip_image005[14]

                To get this GUI app to work, you will have to sign out of your account and sign back in as your username will be added to the local administrators and have the authority to open it

                Log off, log back in

                clip_image006[14]

                Next I will go to the connectors tab and double click on the ADDS connector (Adeo.local)

                clip_image007[14]

                I will go to the Configure Directory Partitions and under Credentials I’ll choose “Alternate credentials for this directory partition” then enter my on-premises AD Enterprise admin credentials

                clip_image008[14]

                I’ll click on Containers

                clip_image001[18]

                I’ll untick the DC=Adeo,Dc=Local box and only choose Dirsync OU then click OK and apply

                clip_image002[18]

                Before I start syncing my AD , I will go to Skype for Business Server and add my domain moh10ly.com as a SIP domain

                clip_image003[18]

                Next I am going to change the FQDN of the SIP access edge for public domain to moh10ly.com and the default port for the Access Edge to 443 and publish the topology

                clip_image004[18]

                clip_image005[16]

                I needed to finally check if all my FE servers are replicating. So then I can move to Edge server to install Lync components

                clip_image006[16]

                On the Edge server, I’ll use ISO for Skype 4 business to install the setup

                clip_image007[16]

                clip_image008[16]

                First thing I’ll install the local Configuration Store

                I’ll click on Run and then I’ll be asked to import the configuration file which I’ll must export from Lync FE (Skype 4 b FE) server

                clip_image009[10]

                In this case, I’ll go to Lync FE and open Lync Management shell and enter the following Cmdlet

                Export-CsConfiguration -FileName c:\top.zip

                clip_image010[10]

                This cmdlet will export a file to the root C drive . I’ll copy this file to the edge server.

                clip_image011[10]

                I’ll click next to continue, this should start installing the local store

                clip_image012[10]

                clip_image013[8]

                clip_image014[8]

                Next I’ll request a certificate for Internal NIC For edge server

                clip_image015[8]

                clip_image016[8]

                clip_image017[8]

                Configure Certificate

                I’ll take the CSR (Certificate sign request) code and get a certificate from my local CA

                clip_image018[8]

                I’ll open MMC and add Certificates console and import the PKCS certificate

                clip_image001[20]

                clip_image002[20]

                After importing the certificate I’ll assign it to the internal NIC by clicking on Assign to the Edge Internal

                clip_image003[20]

                clip_image004[20]

                clip_image005[18]

                clip_image006[18]

                Once we assign the certfiicate to the internal edge. The replication service for Edge and FE will start working

                clip_image007[18]

                Now I’ll import my Public Certificate to Edge Server’s DMZ NIC

                I already imported my public certificate, now I’ll go to the S4B wizard and assign it there

                clip_image008[18]

                clip_image009[12]

                Unlike IN lync 2013 when you Click on Start service in the Wizard all services start on their own but on Skype for business you ‘ll have to start the services manually by yourself.

                clip_image010[12]

                So Instead I used the service console to start the services.

                Now I’ll go back to the FE And enable remote connectivity to Skype for Business from outside and make sure that replication works fine by checking the Topology or from cmdlet

                clip_image011[12]

                clip_image012[12]


                After the replication is finished, I was able to login remotely with my Skype for Business on-premises accounts.

                Setting up Hybrid integration with Skype online for Business (O365)

                https://technet.microsoft.com/en-us/library/jj205126.aspx

                https://technet.microsoft.com/en-us/library/jj204669.aspx

                In order to allow Hybrid environment to function properly, we’ll have to federate our Skype for Business on-premises’s Edge server as Microsoft says below

                Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. To configure federation, run the following cmdlets in the Skype for Business Server Management Shell:

                From <https://technet.microsoft.com/en-us/library/jj205126.aspx>

                On the front end server, we’ll run the following CMDlet

                Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery $true

                clip_image014[10]

                Next cmdlet will create a new public federated provider for skype for business online.. However it already exists by default as in the below snapshot but just to avoid any issues I will delete the default provider from control panel and recreate it again. 

                clip_image015[10]

                I’ll delete the hosted provider “Skype for Business Online”

                clip_image016[10]

                I’ll try the cmdlet again after deleting the provider ..

                New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

                clip_image017[10]

                Since it worked already, I will go back to the control panel and make sure it is enabled

                clip_image018[10]

                Next is : Configure your Skype for Business Online tenant for a shared SIP address space

                Note:

                To configure a shared SIP address space, establish a remote PowerShell session with Skype for Business Online, and then run the following cmdlet:

                We’ll have to download skype for business online powershell

                https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38849&authkey=!AKW6Ln4Rkn6QuUI&ithint=file%2cexe

                After launching the PowerShell module as an administrator I’ll run the following cmdlet

                Import-Module SkypeOnlineConnector

                clip_image019[8]

                Now I’ll connect to my Office 365 tenant

                clip_image020[8]

                $cred = Get-Credential

                $CSSession = New-CsOnlineSession -Credential $cred

                Import-PSSession $CSSession -AllowClobber

                clip_image021[8]

                Now I’ll configure the shared sip address

                Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

                From <https://technet.microsoft.com/en-us/library/jj205126.aspx>

                clip_image001[22]

                To double check my configuration I will see if the SharedSipAddresSpace is enabled or not

                Get-CsTenantFederationConfiguration

                clip_image002[22]

                To double check that the hybrid configuration is setup properly we can use the Skype for business on-premises Hybrid UI wizard from the Home Menu under “Connection to Skype for Business Online”

                clip_image003[22]

                Using the Skype for Business 2015 User interface to setup Hybrid configuration:

                After you sign in it does automatically logs you in and configure the three following options

                1. Federation for the Edge server
                2. Federation with Office 365.
                3. Shared SIP address space.
                clip_image004[22]

                clip_image005[20]

                Now I will configure my DNS Settings as recommended by Microsoft for the Hybrid Integration scenario

                DNS Settings

                When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.

                From <https://technet.microsoft.com/en-us/library/jj205403.aspx>

                1. Update some DNS records to direct all SIP traffic to Skype for Business on-premises:
                • The lyncdiscover.contoso.com A record to point to the FQDN of the on-premises reverse proxy server.
                • Update the _sip._tls.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
                • Update the _sipfederationtls._tcp.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
                • If your organization uses split DNS (sometimes called “split-brain DNS”), make sure that users resolving names through the internal DNS zone are directed to the Front End Pool.

                From <https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0>

                According to Microsoft’s configuration of the Public DNS, you will have to configure only the SRV records to point to your edge server however, running a simple wireshark on your Skype for business client machine you can notice the following:

                clip_image006[20]

                Microsoft Lync / Skype client first requires the Lyncdiscover / Lyncdiscoverinternal record in order to see where the user is located… then gets redirected to webdir.online.lync.com which is the Cname value to the Lyncdiscover Cname in the public DNS and tries to login the user through Login.microsoftonline.com then finds no user there and logs in using the SRV eventually in the end as in the below snapshot which I’ve used Wireshark for to monitor the DNS traffic that the Lync Client requests upon login request.

                clip_image007[20]

                NOTE:

                What have me confused here is that Microsoft says only SRV records must be pointing to your On-premises Lync/Skype for Business Edge server.. So you must enter something else other than SIP.domain.com (Which in normal cases might be the common name of your Edge certificate) for the value of the SRV Record since the SIP.domain.com and Lyncdiscover.domain.com must be pointing to Office 365.

                I tried using the Public IP address of my Edge server just to check if my on-premises user will connect without any issue however I did have an issue with the Certificate saying “There was a problem verifying the certificate from the server”.

                clip_image008[20]

                Error:

                Luckily the Public certificate that I had on my edge server had multiple SANs (Subject Alternative Names) and one of them was WAC.moh10ly.com which I was intending to use for the WAC Server (Office Web Apps Server) and then I created an A record on my public DNS WAC.moh10ly.com that points to my Edge server’s Public IP address…. although the Wac.moh10ly.com is not a common name but it worked and I was able to federate with Office 365 users and was able to move users from on-premises to office 365 and back to on-premises as demonstrated later in the article.

                “When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.”

                From <https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0>

                clip_image009[14]

                Now I have changed all the SRV records to direct to the new A record

                clip_image010[14]

                And finally deleted the A sip record and created a new CNAME record that points to sipdir.online.lync.com

                clip_image011[14]

                clip_image012[14]

                I have already a user synced from my local AD to the cloud (office 365) that’s not enabled for Skype for business on-premises .. Once this user is synced and have been assigned a license it should be directly enabled for Skype for Business Online and I should be able to sign in to it without any issue.

                Note:

                In order for both users (homed online and On-premises) to see eachother’s presence the synced user must be enabled on the On-premises Server before moved to the cloud or else the presence and M will fail.

                Time to test, I was able to sign in to the Online homed user (admin) and now I’ll be adding the on-premises homed user to the list to check the presence, IM ..etc

                clip_image001[24]

                Here I added the user admin to my other account Mohammed.hamada and vice versa.

                clip_image002[24]

                The Presence appears to be working fine for user homed on-premises as it shows when I changed it to “busy, be right back..etc” on the cloud user’s Client however the Office 365 homed user’s presence takes time to change on the on-premises user’s list and the IM doesn’t seem to work properly as messages sometimes doesn’t go through and fail.

                Sending a message from the on-premises User (Mohammed Hamada) to (ADMIN)

                clip_image003[24]

                Now sending an IM from Admin to Mohammed Hamada

                clip_image004[24]

                To make sure that the issue is not within my on-premises server, I will use a different Skype for Business online account and see if IM work both ways.

                This is my other user.. The presence information seems to work properly and now I’ll test the IM

                clip_image005[22]

                IM between my On-premises and another user on another Office 365 tenant seems to be working fine back and forth as in the below snapshots so the issue might be related to Office 365 tenant which I am using for this test (could be related to trial version)

                I am going to open a case with MS and see why this issue happens since my on-premises work fine with other tenants.

                clip_image006[22]

                clip_image007[22]

                Now It’s time to move users from and to cloud and on-premises to check how easy, flexible or hard this process is.

                I currently have 2 users, one on cloud and one synced and homed online (Office 365)

                clip_image008[22]

                In order to move users, you can go to Users tab after the hybrid config is finished and find the user you want to move then click on Actions and chose to move the users to the Skype for Business Online as in the below snapshot

                Note:

                Before you move the user to Office 365, you must assign license to the user or else the move will fail.

                clip_image009[16]

                clip_image010[16]

                clip_image011[16]

                clip_image012[16]

                clip_image013[12]

                You can move the user back from Office 365 to your on-premises Skype for Business server with the same process exactly except that you’ll have to choose which pool you need to move the user to.

                Checking where the user is hosted from Skype for business Management shell

                The Hosting Provider will show you where the user is working from now.

                clip_image014[12]

                clip_image015[12]

                clip_image016[12]

                Hope this has been helpful

                References:

                https://technet.microsoft.com/en-us/library/jj204967.aspx

                https://technet.microsoft.com/en-us/library/jj205403.aspx

                https://technet.microsoft.com/en-us/library/jj205126.aspx

                https://technet.microsoft.com/en-us/library/jj204669.aspx

                https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0

                https://channel9.msdn.com/Events/Ignite/2015/BRK4129

                1- IN-PLACE UPGRADE FROM LYNC 2013 TO SKYPE FOR BUSINESS STEP BY STEP GUIDE

                This article guides you through the steps of doing an in-place upgrade from Lync 2013 to Skype for business. I am copying the article as is from my lab with all the errors that I have been through to give you a real experience feed back of what is this like.

                You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.

                Prerequisites

                Extensible Chat Communication Over SIP protocol (XCCOS)

                From <https://technet.microsoft.com/en-us/library/dn951390.aspx>

                References:

                https://technet.microsoft.com/en-us/library/dn951371.aspx?f=255&MSPPError=-2147217396

                https://technet.microsoft.com/en-us/library/dn933900.aspx

                Lync CU 5

                https://www.microsoft.com/en-us/download/details.aspx?id=36820

                Kb2533623 Windows Server 2008 R2

                http://support.microsoft.com/kb/2533623

                Kb2858668 Windows Server 2012

                http://support.microsoft.com/kb/2858668

                KB2982006 Windows Server 2012 R2

                https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

                SQL 2012 SP2 for Express version

                https://www.microsoft.com/en-us/download/details.aspx?id=43351

                clip_image001

                Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

                Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.

                http://go.microsoft.com/fwlink/?LinkId=519376

                Powershell

                $PSVersionTable

                clip_image002

                STEP 1 : Installing Prerequisites

                Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

                https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/server-requirements

                Updated aug-2018

                clip_image003

                clip_image004

                STEP 2: Installing CU5

                Download and install CU5

                https://www.microsoft.com/en-us/download/details.aspx?id=36820

                clip_image005

                clip_image006

                After the restart we will apply the update of the databases which in my case is going to be the FQDN of the FE server since it’s standard version and not Backend server.

                Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose

                clip_image007

                clip_image007[1]

                Time to upgrade the Archiving/Monitoring databases.

                To upgrade we’ll use the same command except change the FQDN of the SQL server to the SQL server where Monitoring and Archiving databases are at.

                Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose

                clip_image008

                clip_image009

                clip_image010

                Applying CMS upgrade

                clip_image011

                Install-CsDatabase -CentralmanagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -verbose

                clip_image012

                clip_image013

                Then run enable-cstopology

                Last thing in the CU5 update is

                %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

                clip_image014

                clip_image015

                https://support.microsoft.com/en-us/kb/2809243

                Step 3 : Installing Windows OS hotfix.

                KB2982006 Windows Server 2012 R2

                Since the FE is on Windows Server 2012 R2 then we’ll need to download this link

                https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

                RESTART is Required

                clip_image016

                STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

                First Download SQL Express SP2 setup

                clip_image017

                You can patch the server by opening a Lync Management Shell window and entering the following commands:

                1- Stop-CsWindowsService
                2- .\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms

                clip_image018

                clip_image019

                clip_image020

                clip_image021

                clip_image022

                clip_image023

                clip_image024

                clip_image025

                Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)

                https://support.microsoft.com/en-us/kb/321185

                clip_image026

                My SQL Server version is SP1 so I don’t need to upgrade it to SP2

                clip_image027

                Step 6- In-place Upgrade for Skype For Business

                In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

                On a different Machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. then I’ll load the Skype for business ISO and install

                clip_image028

                D:\Setup\amd64\Setup.exe

                clip_image029

                clip_image030

                clip_image031

                clip_image032

                We’ll now press on Installing Administrative tools

                clip_image033

                clip_image034

                clip_image035

                Now in order to continue we’ll have to open the topology builder in order to upgrade our Lync 2013 topology

                I’ll open the topology builder and save the topology file somewhere

                clip_image036

                Once the topology is open, I’ll navigate to the Standard FE Servers and right click on my main server to upgrade

                clip_image037

                clip_image038

                I’ll click on Upgrade to Skype for Business Server 2015…

                clip_image039

                As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.

                clip_image040

                Since I have two FE servers (FE and SBS) I will be upgrading them both but not in the same time not not fall into any errors, so I will publish the topology and see what happens.

                clip_image041

                clip_image042

                We’ll check what do we need to do now in order to upgrade the servers, here is what we’ll do.

                Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

                To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

                (1) Stop the Skype for Business services on all of the servers that you are upgrading;
                (2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;
                (3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

                Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

                On Lync FE 01 I’ll stop all the services using Stop-cswindowsservice

                clip_image043

                Now on the same server I’ll load the Skype4B ISO and start the setup

                D:\Setup\amd64\Setup.exe

                clip_image029[1]

                clip_image030[1]

                clip_image031[1]

                Started at 1:40pm

                clip_image044

                clip_image045

                clip_image046

                clip_image047

                clip_image048

                clip_image049

                NOTE:

                The required time for the upgrade process is estimated around 75-90 Minutes for each FE Server.

                clip_image050

                clip_image051

                Starting ‘Verifying upgrade readiness…’

                ‘Verifying upgrade readiness…’ completed successfully

                Starting ‘Installing missing prerequisites…’

                ‘Installing missing prerequisites…’ completed successfully

                Starting ‘Uninstalling roles…’

                ‘Uninstalling roles…’ completed successfully

                Starting ‘Detaching database…’

                ‘Detaching database…’ completed successfully

                Starting ‘Uninstalling local management services…’

                ‘Uninstalling local management services…’ completed successfully

                Starting ‘Installing and configuring core components…’

                ‘Installing and configuring core components…’ completed successfully

                Starting ‘Installing administrative tools…’

                ‘Installing administrative tools…’ completed successfully

                Starting ‘Installing local management services…’

                ‘Installing local management services…’ completed successfully

                Starting ‘Attaching database…’

                ‘Attaching database…’ completed successfully

                Starting ‘Upgrading database…’

                ‘Upgrading database…’ completed successfully

                Starting ‘Enabling replica…’

                ‘Enabling replica…’ completed successfully

                Starting ‘Installing roles…’

                ‘Installing roles…’ completed successfully

                Starting ‘Verifying installation…’

                ‘Verifying installation…’ completed successfully

                clip_image052

                Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B

                clip_image053

                clip_image054

                Publish the topology

                clip_image055

                I’ll stop the service before I start the upgrade process.

                clip_image056

                I’ll load the ISO on the second server and start the upgrade.

                D:\Setup\amd64\Setup.exe

                clip_image029[2]

                clip_image030[2]

                clip_image031[2]

                clip_image057

                Apparently I forgot to update Lync to the latest CU

                clip_image058

                clip_image059

                clip_image060

                clip_image061

                3- Unified messaging Integration between Exchange 2016 and Skype for Business

                Setting up UM

                To setup UM between Exchange and Skype for business server, the most important step is how you configure the Certificates between both servers in order for them to trust each other.

                For that you don’t have to use a public Certificate but rather an internal CA certificate that has its root certificate installed on all of the server where you intend to deploy the UM. (Exchange, S4B Servers..etc.).

                To claim this certificate, the easiest step would be to get the CSR from Skype for Business’s Deployment Wizard

                Run Deployment Wizard and click on the “Install or Update skype for business Server system”

                clip_image001

                Then click on step 3 (request, install or assign Cert)

                clip_image002

                I already have certificate deployed for S4B service but I’ll request CSR again to get one trusted certificate for both Exchange and S4B.

                I will tick only the services that matters as in the below screenshot (Server default and Web services internal) later also will be used for OWA integration with UM.

                clip_image003

                Click on Request

                clip_image004

                Click on Advanced

                clip_image005

                Next

                clip_image006

                I’ll continue next until I’ve got to the important part which is “Name and Security settings” I’ll need to tick the “Mark the certificate’s private key as exportable” since we’ll export the certificate to Exchange servers

                clip_image007

                Next I’ll add Exchange servers’s FQDNs.

                clip_image008

                clip_image009

                Click Next

                clip_image010

                clip_image011

                Here is the CMDLET

                Request-CSCertificate -New -Type Default,WebServicesInternal -CA “DC2016.moh10ly.com\moh10ly-DC2016-CA” -Country “TR” -FriendlyName “Skype for Business Server 2015 Default certificate 3/18/2016” -KeySize 2048 -PrivateKeyExportable $True -Organization “moh10ly” -OU “moh10ly” -DomainName “sip.moh10ly.com,ex2016.moh10ly.com,ex2016-2.moh10ly.com,ex2010.moh10ly.com” -AllSipDomain -Verbose -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Request-CSCertificate-[2016_03_18][11_16_35].html”

                Click Next again and mark the thumbprint for the new Cert as we’ll need to see it later to make sure it’s properly configured for the UM on Exchange.

                8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069

                clip_image012

                Click next to assign the Cert

                clip_image013

                clip_image014

                Successfully, the certificate has been assigned to the Services

                clip_image015

                The CMDLET that was applied

                Set-CSCertificate -Type Default,WebServicesInternal -Thumbprint 8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069 -Confirm:$false -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Set-CSCertificate-[2016_03_18][11_19_06].html”

                Now it’s time to export this certificate and import it to Exchange servers

                clip_image016

                I’ll find the certificate that I have created today by looking at the expiration date which is 2 years from now with the same day.

                clip_image017

                Now I’ll right click on the certificate and export it with the private key.

                clip_image018

                I’ll open Exchange EMC and import the certificate

                clip_image019

                I’ll have to put the exported cert in a shared folder and provide the path and the password for it

                clip_image020

                I’ll add the two servers below

                clip_image021

                clip_image022

                I’ll double click on the imported certificate and assign the UM services to it on each of the servers

                clip_image023

                clip_image024

                I have got the below error due to not configuring the service to use TLS instead of TCP on both servers.

                clip_image025

                To fix this I’ll go on Exchange Management shell and run the following CMDLET

                Get-UMService | Set-UMService -UMStartupMode TLS

                clip_image026

                clip_image027

                Now I’ll try to save again

                clip_image028

                clip_image029

                I’ll proceed with YES and continue to do the same to the other Server and restart the UM service on both servers

                clip_image030

                Now it’s time to create a UM Dial plan

                clip_image031

                I’ll configure the UM Dial plan according to my Skype for Business settings for users enabled for EV

                clip_image032

                To use powershell, you can use the following cmdlet

                New-UMDialPlan –Name DialplanName –UriType SIPURI –NumberOfDigitsInExtension 4 –VoIPSecurity Secured –CountryOrRegionCode 1 –AccessTelephoneNumber +9012345678

                Next, adding a gateway to the UM (NOTE: If configured incorrect, will cause the service not to start and errors with event ID (1057, 4999,1430, 1038) will appear.

                Time to configure Gateway

                clip_image033

                In the gateway I’ll add my PBX (AsteriskNow) and place my already configured UMDP

                clip_image034

                clip_image035

                When you create the dial plan, Exchange automatically creates a new UM mail policy along with it and it also generates a name that’s related to the Dial plan

                In order to see this policy, you will have to double click on the new dial plan to view it and you can also change the policy in it .. Which I’m going to apply for the length of the policy to make it shorter

                clip_image036

                Double click on the Mailbox policy and navigate to Pin Polices and change it to the length you want to allow

                clip_image037

                Configure Auto Attendant

                clip_image038

                Set the AA as how you want it to be configured and make sure you add the full E.164 format as it won’t accept otherwise.

                clip_image039

                Click Save to continue

                Now time to configure OVA (Outlook voice access)

                Subscriber Access

                If you want to configure Outlook Voice Access (OVA) , sometimes also referred to as Subscriber Access, click on the Configure button. Select Outlook Voice Access in the left hand menu and enter the telephone number you want to use to access OVA. This must be in the E.164 notation.

                clip_image040

                To do so click on Configure

                clip_image041

                To assign the new dial plan to the UM services, both on the Client Access Server (UM Call Router) as well as on the Mailbox server. In an Exchange Management Shell windows enter the following commands:

                1

                2

                Set-UMCallRouterSettings -DialPlans “Exchangelabs Dial Plan” –Server 2012E15FE04

                Get-UMService | Set-UMService -DialPlans “Exchangelabs Dial Plan”

                clip_image042

                clip_image043

                Now I’ll also change the UM call router to TLS and assign Certificate to the service then restart it

                clip_image044

                clip_image045

                Restart the services of the Call router, then associate the service with the dialplan you created.

                Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016

                Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016-2

                Configure Skype for Business Server

                To configure the UM Service to be used with Skype for Business Server. Microsoft has a script that will create and configure all necessary components. This scripts is located in the scripts directory C:\Program Files\Microsoft\Exchange Server\V15\Scripts.

                Run the following CMDLET

                CD $ExScripts

                .\ExchUCUtil.ps1

                clip_image046

                The first time you setup this script it’ll detect the Dial plan and set it up with Skype for Business Server

                clip_image047

                It will show that no setting has changed but the fact that the dial plan is showing here Not found means that there something has changed .. You’ll notice that if you run the same script again.

                clip_image048

                Let’s try it again

                Here you can see that the dial plan has been assigned to the S4B Front end server.

                clip_image049

                This script performs the following:

                • Grants Skype for Business Server permission to read Exchange UM Active Directory components, specifically, the SIP URI dial plan that was created in the first step;
                • Creates a UM IP gateway for each Skype for business Server pool that hosts users who will be enabled for Enterprise Voice;
                • Create an Exchange UM hunt group for each UM IP gateway. The hunt group pilot identifier will be the name of the dial plan associated with the corresponding UM IP gateway. The hunt group must specify the UM SIP dial plan used with the UM IP gateway.

                When the script has run you’ll see a new UM IP Gateway appear in the EAC. Since this script not only creates the UM IP Gateway but also sets the necessary permissions the UM IP Gateway was not created manually in the first step.

                clip_image050

                Next we’ll go to Skype for Business FE server and then run the OcsUmUtil.exe tool which creates the contact objects for Outlook Voice Access and for the auto attendants. This tool can be found in C:\Program Files\Common Files\Skype for Business Server 2015\Support

                clip_image051

                I’ll right click the file to run it as administrator

                clip_image052

                Click on Load Data

                clip_image053

                clip_image054

                Select the SIP dial plan and click ADD

                clip_image055

                Click OK

                Right after configuring this your Voice mail should be enabled once you enable your user for it

                After I enable user for UM and assign a valid dialplan .. Now I can see the user has got his Voice Mail option available.

                clip_image056

                Hope this was useful

                clip_image057

                —-

                UM gateway

                clip_image058

                clip_image059

                clip_image060

                CREATE SKYPE FOR BUSINESS GROUPS

                If you’re looking for an quick way to let all your users easily add all Skype for Business users to their list after migration from Lync 2010/2013/Skype4business to Office 365 Skype for Business then please follow these steps ..

                In order to do so, you will have to have DirSync (Azure AD Sync) installed and functioning properly.

                First step: Add a group to AD

                On Local AD create a Universal Distribution group as following

                Note:

                The group must have an e-mail address entered in the Email field otherwise it won’t show up in Lync Client list when you search.

                clip_image001

                Go to Members tab and add all the users that you are planning to Enable on Skype4Business.

                clip_image002

                Apply and close the group.

                Go to DirSync

                Force the Sync

                clip_image003

                Make sure that group has been Synced.

                clip_image004

                In office 365. You can check If the group is there or not by simply navigating to the Groups tab on the left pane.

                clip_image005

                Now Open Lync 2013 or Skype 4 Business client and search for this group by email

                clip_image006

                Right click the group and click Add to contacts

                As soon as you add the group, all the members will come beneath it right away.

                clip_image007