Tag Archives: Microsoft

Powershell script to audit users who authenticated against DC servers

The story:

I have got a request from a client asking to find out which server(s) is using which domain admin or a highly privileged account as a service.

To find this I already wrote a powershell script that does this, Search the non standard/(Domain only users) and show the services and name of the servers where those accounts are configured on utilizing Remote powershell to do so and the use of a Domain Admin user.

You can refer to this link to see this article by clicking here

Creating the script process:

The same client wanted to also know which of those accounts did authenticate and wanted to know from which server/Computer did the request originate from and to which DC did it go.

I have started thinking of the process of doing so by again utilizing remote PowerShell to check against certain security events on AD to check which user among the Domain admin members did authenticate.

After sometime and with the help of some forums I managed to get script ready which looks in all Domain Controllers for users that are members of the Domain Admin groups who triggered an event ID 4624 and from which Computer did this request came from.

The Script :

# Get domain admin user list
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID
$EventID = '4624'
#
# Get only last 24hrs
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, this will have to be set to zero
$MaxEvent = 100

# Loop through Dcs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    Get-WinEvent  -ComputerName $CurDC -FilterHashtable @{Logname='Security';ID=$EventID;StartTime = $Date} -MaxEvents $MaxEvent |`
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |`
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value;Time = $_.TimeCreated;LogonEventLocation = $CurDC}
    }
}
$DALogEvents

How to run:

The Script must be run on DC with a privileged account in order to get the write results, The default time interval is set to 3 days but you can choose to increase that.

You can also change the default group where you want to search for members by changing Domain Admin groups to something else.

Screenshot of the result

HOW TO GET ALL DOMAIN JOINED SERVER SERVICES THAT USING A UNIQUE OR DOMAIN USER

The Story (Finding Domain Joined Servers Services users)

If you’re wondering which of your servers are using domain joined account or a non regular account like network service or system. You will need to go through every server’s service console and check that one by one but thanks to PowerShell this job was made like a piece of cake.

Requirement

The requirement to run this script is a domain admin account since the PowerShell will require access to other servers using Remote PowerShell using Invoke command and run a Get-WMIObject script to find out those details. So in short I will write the required things for this to work

1- Logged in to Active Directory (In order for AD PowerShell module to run and find computers).

2- Domain admin account (To run the remote PowerShell on other servers and get service details)

3- Firewall for domain joined computers is open (To allow remote PowerShell to work) or have remote PowerShell enabled via GPO.

The Script will also show you the offline (inaccessible servers) and will state those servers as down as you can see in the screenshot below.

The script will also prompt you for a path to save the output. You can enter something like C:\Services.csv  as soon as you type the file path and extension it’ll be opened using Notepad.

image

#Check servers down and get services from the responsive servers

$Computers = Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’}

$Input = ForEach ($computer in $computers){

$comp = $Computer.DNSHostName

$dist = $Computer.DistinguishedName

if (Test-Connection -Computername $comp -count 2 -Quiet )

{

Invoke-Command -ComputerName $comp -ScriptBlock {Get-WmiObject win32_service | where {$_.StartName -notlike “*LocalSystem*” -and $_.StartName -notlike “*LocalService*” -and $_.StartName -notlike “*NetworkService*” -and $_.StartName -notlike “*System*”} | select DisplayName,StartName,State }}

else{ Write-host $comp is down -foregroundColor red -BackGroundColor black

}

}

$Output = Read-Host “Enter File path and Name to save output to”

Out-File -FilePath $Output -InputObject $Input -Encoding ascii

Notepad $Output


image

image

Lync Front end event ID 32178

The Issue: Replication problem occurs between Frontend Servers and Edge

If you look at the Eventviewer you might find the following error when you have finished deploying Edge or Frontend Server.

Error:

Failed to sync data for Routing group {563F57A3-0AC1-560A-91B4-74ACDECB2683} from backup store.

Cause: This may indicate a problem with connectivity to backup database or some unknown product issue.

Resolution:

Ensure that connectivity to backup database is proper. If the error persists, please contact product support with server traces.

clip_image001

This error happens when you mistakenly import a certificate that’s not self-signed into the Local computer’s trusted authority store.

To fix this issue you will have to use the following powershell cmdlet on all the servers that are showing the error
  • Get-Childitem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File “c:\computer_filtered.txt”
  • Then type the command
  • Notepad C:\computer_filtered.txt
  • The command will open notepad file with the certificates details in it.
  • Take a note of all certificate’s thumb print number and open your MMC console
  • Click File -> add the Certificate then choose Local computer
  • Navigate to “Trusted Root Certification Authority” store

clip_image002

Check the certificate that their thumb print were shown in the Txt file and remove to the Intermediate Certification authority store.

If you have many certificates in the Trusted root store, you can manage the view and choose “Issued by” and then click on the certificate that the “Issued to” and “Issued by” do not match

clip_image003

double click on it then choose the thumbprint section and try to see if this thumbprint value matches the one in the text and move it to the intermediate store.

clip_image004

When you finish, you must restart the servers one by one in order to resolve this issue and then you will notice that the error is gone and that services are back to normal state

clip_image005

http://support.microsoft.com/kb/2795828

Lync common issues

Publishing Topology on Frontend

Some of the issues that might face you while you’re deploying Skype for Business/Lync is something that might be stuck within AD.

A previous installation that was not properly cleaned could result in a failure of publishing the Topology.

Here is one issue that I had while deploying one for one of my clients.

Issue

Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment

Active Directory Issue?

Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID

“lyncedge.domain.local”.

At line:1 char:1

+ Enable-CsTopology

+ ~~~~~~~~~~~~~~~~~

+ CategoryInfo : InvalidData: (:SourceCollection) [Enable-CsTopology], InvalidDataException

+ FullyQualifiedErrorId : DuplicateADEntry,Microsoft.Rtc.Management.Deployment.ActivateTopologyCmdlet

clip_image001

clip_image002

clip_image003

Solution:
  • Open ADSIEDIT and look in the following snapshot. Open Configuration for your DC
  • Collapse the menu and click on Services
  • Click on RTC Service
  • Click on Global Settings and on the right pane look if there’s any duplicated entries and remove them.
  • As you can see on my right pane I have 2 duplicated (msRTCSIP-EdgeProxy) and I’m going to remove one of them and see if I can publish my topology or not. But before that I will have to make sure that I export the entry that I wanna delete.

clip_image004

I right clicked on the last value and deleted it and here how it became now.

clip_image005

Now I will try to publish my topology and see what happens, my topology publishing failed with a new error this time.

clip_image006

I will have to go and check where’s this coming from, since it mentions TrustedService. I will go look in the trusted service

This is not going to be easy, as you need to becareful where you look .. You will need to make sure that you’re looking at the right FQDN

clip_image007

Here I could find the value MRAS for the FQDN Edge server

So I looked here and found 2 identical entries with a different (CN) if you scroll down you will see that the GruuId is the same, FQDN is the same, port is the same.

clip_image008

clip_image009

Let’s delete one of them and see again if we can publish our topology, So I deleted the one that starts with {b344}

I will do this using the Lync Powershell, you can see below that the Topology was published successfully.

clip_image010

To resolve the warning you will have to issue the cmdlet Enable-CsAdForest after the Enable-CsTopology

clip_image011

2- SKYPE FOR BUSINESS EDGE SERVER DEPLOYMENT AND HYBRID INTEGRATION WITH SKYPE FOR BUSINESS ONLINE

In the last Skype for Business post I have upgraded my Lync 2013 to Skype for Business (Click here to go to that post). in this article I am going to install Edge server for Skype for Business to the same Lync Environment where I have done the Upgrade to Skype for Business.

clip_image001


clip_image002
clip_image003
clip_image004
clip_image005
clip_image006
clip_image007
clip_image008
clip_image009
clip_image010
clip_image011
clip_image012
clip_image013
clip_image014
clip_image015
clip_image016
clip_image017
clip_image018
clip_image019
clip_image020
clip_image021
clip_image022
clip_image023
clip_image024
clip_image025
clip_image026
clip_image027
clip_image028
clip_image029
clip_image030
clip_image031
clip_image032
clip_image033
clip_image034
clip_image035
clip_image036
clip_image037
clip_image038
clip_image039
clip_image040
clip_image041
clip_image042
clip_image043
clip_image044
clip_image045
clip_image046
clip_image047
clip_image048
clip_image049
clip_image050
clip_image051
clip_image052

1- IN-PLACE UPGRADE FROM LYNC 2013 TO SKYPE FOR BUSINESS STEP BY STEP GUIDE

This article guides you through the steps of doing an in-place upgrade from Lync 2013 to Skype for business. I am copying the article as is from my lab with all the errors that I have been through to give you a real experience feed back of what is this like.

You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.

Prerequisites

Extensible Chat Communication Over SIP protocol (XCCOS)

From <https://technet.microsoft.com/en-us/library/dn951390.aspx>

References:

https://technet.microsoft.com/en-us/library/dn951371.aspx?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/library/dn933900.aspx

Lync CU 5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

Kb2533623 Windows Server 2008 R2

http://support.microsoft.com/kb/2533623

Kb2858668 Windows Server 2012

http://support.microsoft.com/kb/2858668

KB2982006 Windows Server 2012 R2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

SQL 2012 SP2 for Express version

https://www.microsoft.com/en-us/download/details.aspx?id=43351

clip_image001

Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.

http://go.microsoft.com/fwlink/?LinkId=519376

Powershell

$PSVersionTable

clip_image002

STEP 1 : Installing Prerequisites

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/server-requirements

Updated aug-2018

clip_image003

clip_image004

STEP 2: Installing CU5

Download and install CU5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

clip_image005

clip_image006

After the restart we will apply the update of the databases which in my case is going to be the FQDN of the FE server since it’s standard version and not Backend server.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose

clip_image007

clip_image007[1]

Time to upgrade the Archiving/Monitoring databases.

To upgrade we’ll use the same command except change the FQDN of the SQL server to the SQL server where Monitoring and Archiving databases are at.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose

clip_image008

clip_image009

clip_image010

Applying CMS upgrade

clip_image011

Install-CsDatabase -CentralmanagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -verbose

clip_image012

clip_image013

Then run enable-cstopology

Last thing in the CU5 update is

%ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

clip_image014

clip_image015

https://support.microsoft.com/en-us/kb/2809243

Step 3 : Installing Windows OS hotfix.

KB2982006 Windows Server 2012 R2

Since the FE is on Windows Server 2012 R2 then we’ll need to download this link

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

RESTART is Required

clip_image016

STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

First Download SQL Express SP2 setup

clip_image017

You can patch the server by opening a Lync Management Shell window and entering the following commands:

1- Stop-CsWindowsService
2- .\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms

clip_image018

clip_image019

clip_image020

clip_image021

clip_image022

clip_image023

clip_image024

clip_image025

Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)

https://support.microsoft.com/en-us/kb/321185

clip_image026

My SQL Server version is SP1 so I don’t need to upgrade it to SP2

clip_image027

Step 6- In-place Upgrade for Skype For Business

In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

On a different Machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. then I’ll load the Skype for business ISO and install

clip_image028

D:\Setup\amd64\Setup.exe

clip_image029

clip_image030

clip_image031

clip_image032

We’ll now press on Installing Administrative tools

clip_image033

clip_image034

clip_image035

Now in order to continue we’ll have to open the topology builder in order to upgrade our Lync 2013 topology

I’ll open the topology builder and save the topology file somewhere

clip_image036

Once the topology is open, I’ll navigate to the Standard FE Servers and right click on my main server to upgrade

clip_image037

clip_image038

I’ll click on Upgrade to Skype for Business Server 2015…

clip_image039

As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.

clip_image040

Since I have two FE servers (FE and SBS) I will be upgrading them both but not in the same time not not fall into any errors, so I will publish the topology and see what happens.

clip_image041

clip_image042

We’ll check what do we need to do now in order to upgrade the servers, here is what we’ll do.

Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

(1) Stop the Skype for Business services on all of the servers that you are upgrading;
(2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;
(3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

On Lync FE 01 I’ll stop all the services using Stop-cswindowsservice

clip_image043

Now on the same server I’ll load the Skype4B ISO and start the setup

D:\Setup\amd64\Setup.exe

clip_image029[1]

clip_image030[1]

clip_image031[1]

Started at 1:40pm

clip_image044

clip_image045

clip_image046

clip_image047

clip_image048

clip_image049

NOTE:

The required time for the upgrade process is estimated around 75-90 Minutes for each FE Server.

clip_image050

clip_image051

Starting ‘Verifying upgrade readiness…’

‘Verifying upgrade readiness…’ completed successfully

Starting ‘Installing missing prerequisites…’

‘Installing missing prerequisites…’ completed successfully

Starting ‘Uninstalling roles…’

‘Uninstalling roles…’ completed successfully

Starting ‘Detaching database…’

‘Detaching database…’ completed successfully

Starting ‘Uninstalling local management services…’

‘Uninstalling local management services…’ completed successfully

Starting ‘Installing and configuring core components…’

‘Installing and configuring core components…’ completed successfully

Starting ‘Installing administrative tools…’

‘Installing administrative tools…’ completed successfully

Starting ‘Installing local management services…’

‘Installing local management services…’ completed successfully

Starting ‘Attaching database…’

‘Attaching database…’ completed successfully

Starting ‘Upgrading database…’

‘Upgrading database…’ completed successfully

Starting ‘Enabling replica…’

‘Enabling replica…’ completed successfully

Starting ‘Installing roles…’

‘Installing roles…’ completed successfully

Starting ‘Verifying installation…’

‘Verifying installation…’ completed successfully

clip_image052

Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B

clip_image053

clip_image054

Publish the topology

clip_image055

I’ll stop the service before I start the upgrade process.

clip_image056

I’ll load the ISO on the second server and start the upgrade.

D:\Setup\amd64\Setup.exe

clip_image029[2]

clip_image030[2]

clip_image031[2]

clip_image057

Apparently I forgot to update Lync to the latest CU

clip_image058

clip_image059

clip_image060

clip_image061

3- Unified messaging Integration between Exchange 2016 and Skype for Business

Setting up UM

To setup UM between Exchange and Skype for business server, the most important step is how you configure the Certificates between both servers in order for them to trust each other.

For that you don’t have to use a public Certificate but rather an internal CA certificate that has its root certificate installed on all of the server where you intend to deploy the UM. (Exchange, S4B Servers..etc.).

To claim this certificate, the easiest step would be to get the CSR from Skype for Business’s Deployment Wizard

Run Deployment Wizard and click on the “Install or Update skype for business Server system”

clip_image001

Then click on step 3 (request, install or assign Cert)

clip_image002

I already have certificate deployed for S4B service but I’ll request CSR again to get one trusted certificate for both Exchange and S4B.

I will tick only the services that matters as in the below screenshot (Server default and Web services internal) later also will be used for OWA integration with UM.

clip_image003

Click on Request

clip_image004

Click on Advanced

clip_image005

Next

clip_image006

I’ll continue next until I’ve got to the important part which is “Name and Security settings” I’ll need to tick the “Mark the certificate’s private key as exportable” since we’ll export the certificate to Exchange servers

clip_image007

Next I’ll add Exchange servers’s FQDNs.

clip_image008

clip_image009

Click Next

clip_image010

clip_image011

Here is the CMDLET

Request-CSCertificate -New -Type Default,WebServicesInternal -CA “DC2016.moh10ly.com\moh10ly-DC2016-CA” -Country “TR” -FriendlyName “Skype for Business Server 2015 Default certificate 3/18/2016” -KeySize 2048 -PrivateKeyExportable $True -Organization “moh10ly” -OU “moh10ly” -DomainName “sip.moh10ly.com,ex2016.moh10ly.com,ex2016-2.moh10ly.com,ex2010.moh10ly.com” -AllSipDomain -Verbose -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Request-CSCertificate-[2016_03_18][11_16_35].html”

Click Next again and mark the thumbprint for the new Cert as we’ll need to see it later to make sure it’s properly configured for the UM on Exchange.

8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069

clip_image012

Click next to assign the Cert

clip_image013

clip_image014

Successfully, the certificate has been assigned to the Services

clip_image015

The CMDLET that was applied

Set-CSCertificate -Type Default,WebServicesInternal -Thumbprint 8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069 -Confirm:$false -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Set-CSCertificate-[2016_03_18][11_19_06].html”

Now it’s time to export this certificate and import it to Exchange servers

clip_image016

I’ll find the certificate that I have created today by looking at the expiration date which is 2 years from now with the same day.

clip_image017

Now I’ll right click on the certificate and export it with the private key.

clip_image018

I’ll open Exchange EMC and import the certificate

clip_image019

I’ll have to put the exported cert in a shared folder and provide the path and the password for it

clip_image020

I’ll add the two servers below

clip_image021

clip_image022

I’ll double click on the imported certificate and assign the UM services to it on each of the servers

clip_image023

clip_image024

I have got the below error due to not configuring the service to use TLS instead of TCP on both servers.

clip_image025

To fix this I’ll go on Exchange Management shell and run the following CMDLET

Get-UMService | Set-UMService -UMStartupMode TLS

clip_image026

clip_image027

Now I’ll try to save again

clip_image028

clip_image029

I’ll proceed with YES and continue to do the same to the other Server and restart the UM service on both servers

clip_image030

Now it’s time to create a UM Dial plan

clip_image031

I’ll configure the UM Dial plan according to my Skype for Business settings for users enabled for EV

clip_image032

To use powershell, you can use the following cmdlet

New-UMDialPlan –Name DialplanName –UriType SIPURI –NumberOfDigitsInExtension 4 –VoIPSecurity Secured –CountryOrRegionCode 1 –AccessTelephoneNumber +9012345678

Next, adding a gateway to the UM (NOTE: If configured incorrect, will cause the service not to start and errors with event ID (1057, 4999,1430, 1038) will appear.

Time to configure Gateway

clip_image033

In the gateway I’ll add my PBX (AsteriskNow) and place my already configured UMDP

clip_image034

clip_image035

When you create the dial plan, Exchange automatically creates a new UM mail policy along with it and it also generates a name that’s related to the Dial plan

In order to see this policy, you will have to double click on the new dial plan to view it and you can also change the policy in it .. Which I’m going to apply for the length of the policy to make it shorter

clip_image036

Double click on the Mailbox policy and navigate to Pin Polices and change it to the length you want to allow

clip_image037

Configure Auto Attendant

clip_image038

Set the AA as how you want it to be configured and make sure you add the full E.164 format as it won’t accept otherwise.

clip_image039

Click Save to continue

Now time to configure OVA (Outlook voice access)

Subscriber Access

If you want to configure Outlook Voice Access (OVA) , sometimes also referred to as Subscriber Access, click on the Configure button. Select Outlook Voice Access in the left hand menu and enter the telephone number you want to use to access OVA. This must be in the E.164 notation.

clip_image040

To do so click on Configure

clip_image041

To assign the new dial plan to the UM services, both on the Client Access Server (UM Call Router) as well as on the Mailbox server. In an Exchange Management Shell windows enter the following commands:

1

2

Set-UMCallRouterSettings -DialPlans “Exchangelabs Dial Plan” –Server 2012E15FE04

Get-UMService | Set-UMService -DialPlans “Exchangelabs Dial Plan”

clip_image042

clip_image043

Now I’ll also change the UM call router to TLS and assign Certificate to the service then restart it

clip_image044

clip_image045

Restart the services of the Call router, then associate the service with the dialplan you created.

Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016

Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016-2

Configure Skype for Business Server

To configure the UM Service to be used with Skype for Business Server. Microsoft has a script that will create and configure all necessary components. This scripts is located in the scripts directory C:\Program Files\Microsoft\Exchange Server\V15\Scripts.

Run the following CMDLET

CD $ExScripts

.\ExchUCUtil.ps1

clip_image046

The first time you setup this script it’ll detect the Dial plan and set it up with Skype for Business Server

clip_image047

It will show that no setting has changed but the fact that the dial plan is showing here Not found means that there something has changed .. You’ll notice that if you run the same script again.

clip_image048

Let’s try it again

Here you can see that the dial plan has been assigned to the S4B Front end server.

clip_image049

This script performs the following:

  • Grants Skype for Business Server permission to read Exchange UM Active Directory components, specifically, the SIP URI dial plan that was created in the first step;
  • Creates a UM IP gateway for each Skype for business Server pool that hosts users who will be enabled for Enterprise Voice;
  • Create an Exchange UM hunt group for each UM IP gateway. The hunt group pilot identifier will be the name of the dial plan associated with the corresponding UM IP gateway. The hunt group must specify the UM SIP dial plan used with the UM IP gateway.

When the script has run you’ll see a new UM IP Gateway appear in the EAC. Since this script not only creates the UM IP Gateway but also sets the necessary permissions the UM IP Gateway was not created manually in the first step.

clip_image050

Next we’ll go to Skype for Business FE server and then run the OcsUmUtil.exe tool which creates the contact objects for Outlook Voice Access and for the auto attendants. This tool can be found in C:\Program Files\Common Files\Skype for Business Server 2015\Support

clip_image051

I’ll right click the file to run it as administrator

clip_image052

Click on Load Data

clip_image053

clip_image054

Select the SIP dial plan and click ADD

clip_image055

Click OK

Right after configuring this your Voice mail should be enabled once you enable your user for it

After I enable user for UM and assign a valid dialplan .. Now I can see the user has got his Voice Mail option available.

clip_image056

Hope this was useful

clip_image057

—-

UM gateway

clip_image058

clip_image059

clip_image060

CREATE SKYPE FOR BUSINESS GROUPS

If you’re looking for an quick way to let all your users easily add all Skype for Business users to their list after migration from Lync 2010/2013/Skype4business to Office 365 Skype for Business then please follow these steps ..

In order to do so, you will have to have DirSync (Azure AD Sync) installed and functioning properly.

First step: Add a group to AD

On Local AD create a Universal Distribution group as following

Note:

The group must have an e-mail address entered in the Email field otherwise it won’t show up in Lync Client list when you search.

clip_image001

Go to Members tab and add all the users that you are planning to Enable on Skype4Business.

clip_image002

Apply and close the group.

Go to DirSync

Force the Sync

clip_image003

Make sure that group has been Synced.

clip_image004

In office 365. You can check If the group is there or not by simply navigating to the Groups tab on the left pane.

clip_image005

Now Open Lync 2013 or Skype 4 Business client and search for this group by email

clip_image006

Right click the group and click Add to contacts

As soon as you add the group, all the members will come beneath it right away.

clip_image007


Migrating DFS from 2000 Mode to 2008 step by step

The Story

Few months ago I have got a request from one of my clients regarding migrating DFS from 2012R2 to 2016.

2012R2 was migrated from 2008r2 and was based on 2000 Mode. To do this you’ve got a list of requirements as it can be migrated but certain features won’t be supported if you continue to use the 2000 Mode in DFS on Windows 2016 server.

How to Start

In this tutorial I will explain how to do this migration by doing a demo step by step and guide you through this Migration with screenshots and the required commands.

I have added a tiny comparison also to make it clear why are we going to use this particular method of migrating DFS mode and Server.

clip_image001[4]

To migrate a domain-based namespace to Windows Server 2008 mode

  1. Open a Command Prompt window and type the following command to export the namespace to a file, where \\ domain \ namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:
On the source DC/DFS Server

Dfsutil root export \\domain\namespace C:\filename.xml

clip_image002[4]

clip_image003[4]

  1. Write down the path (\\ server \ share ) for each namespace server. You must manually add namespace servers to the recreated namespace because Dfsutil cannot import namespace servers.

clip_image004[4]

clip_image005[4]

  1. In DFS Management, right-click the namespace and then click Delete , or type the following command at a command prompt, where \\ domain \ namespace is the name of the appropriate domain and namespace:
    Copy
    Dfsutil root remove \\domain\namespace

clip_image006[4]

Let’s go refresh the console and see if it’s deleted there

clip_image007[4]

clip_image008[4]

Next remove

clip_image009[4]

clip_image010[4]

I will remove the rest of the name spaces

clip_image011[4]

All have been removed, Now lets remove the name spaces from the display and observe what happens to the replication groups

clip_image012[4]

NOTE:

Replication groups didn’t get affected

clip_image013[4]

  1. In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\ server \ namespace is the name of the appropriate server and share for the namespace root:
    Dfsutil root adddom \\server\namespace v2
I will use the UI instead of the command

clip_image014[4]

Although we raised the forest and domain function forest but still the 2008 is still greyed out. Lets try to restart the DFS services on the FSMO server

clip_image015[4]

clip_image016[4]

After restarting

clip_image017[4]

clip_image018[4]

Next, I will copy all the xml files to the new server and import them there

My new server is 2016

clip_image019[4]

  1. To import the namespace from the export file, type the following command at a command prompt, where \\ domain \ namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:
    Dfsutil root import merge path\filename.xml \\domain\namespace

clip_image020[4]

After the Import

clip_image021[4]

clip_image022[4]

I will continue to import the rest of the namespaces

First we need to create them with their matching namespaces from the GUI

clip_image023[4]

clip_image024[4]

Now I will import and merge the xml file

clip_image025[4]

clip_image026[4]

After adding the NEW folder which has replicating group existing already from the previous mode. First it didn’t show up

clip_image027[4]

but after navigating to the NewFolder and clicking on Replication tab then Navigate to the replication group showed the replication group underneath the Replication

clip_image028[4]

What has changed?

The only noticeable thing which has changed is the NameSpace Servers everything else like ( Folder targets still the same, replication is identical to previous settings)

See this screenshot

clip_image029[4]

Let’s check the access to the new namespace

clip_image030[4]

Finally, Let’s import the latest namespace and its configuration (PublicFolder)

clip_image031[4]

clip_image032[4]

Let’s check the result on GUI

clip_image033[4]

Notice the replication group for the PF didn’t come, so let’s do as we have explained before to show the replication group

Here we go

clip_image034[4]

Right after this process finishes, the command creates some kind of a report with time, importing status and other related settings such as site cost, timeout.. Etc

clip_image035[7]

Note

To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.

Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server , or by typing the following command at a command prompt, where \\ server \ share is the name of the appropriate server and share for the namespace root:
Copy
Dfsutil target add \\server\share

Note

You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the metadata for the namespace instead of immediately downloading the entire namespace after being added as a namespace server.

Ref:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753875(v=ws.11)

LYNC 2013 TO SKYPE FOR BUSINESS IN-PLACE UPGRADE WITH MONITORING DATABASE

This article guides you through the steps of doing an in-place upgrade from Lync 2013 to Skype for business. I am copying the article as is from my lab with all the errors that I have been through to give you a real experience feed back of what is this like.

You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.

Prerequisites

Extensible Chat Communication Over SIP protocol (XCCOS)

From <https://technet.microsoft.com/en-us/library/dn951390.aspx>

References:

https://technet.microsoft.com/en-us/library/dn951371.aspx?f=255&MSPPError=-2147217396

https://technet.microsoft.com/en-us/library/dn933900.aspx

Lync CU 5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

Kb2533623 Windows Server 2008 R2

http://support.microsoft.com/kb/2533623

Kb2858668 Windows Server 2012

http://support.microsoft.com/kb/2858668

KB2982006 Windows Server 2012 R2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

SQL 2012 SP2 for Express version

https://www.microsoft.com/en-us/download/details.aspx?id=43351

clip_image001

First Issue:

Upon running the setup I have got the following error:

Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.

http://go.microsoft.com/fwlink/?LinkId=519376

Powershell

$PSVersionTable

clip_image002

I will re-run prerequisites to make sure that all are satisfied before running setup again.

STEP 1 : Installing Prerequisites for this In-Place Upgrade

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/server-requirements

Updated aug-2018

clip_image003

clip_image004

STEP 2: Installing CU5

Download and install CU5

https://www.microsoft.com/en-us/download/details.aspx?id=36820

clip_image005

clip_image006

After the restart we will apply the update of the databases which in my case is going to be the FQDN of the FE server since it’s standard version and not Backend server.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose

clip_image007

clip_image007[1]

Time to upgrade the Archiving/Monitoring databases.

To upgrade we’ll use the same command except change the FQDN of the SQL server to the SQL server where Monitoring and Archiving databases are at.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose

clip_image008

clip_image009

clip_image010

Applying CMS upgrade

clip_image011

Install-CsDatabase -CentralmanagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -verbose

clip_image012

clip_image013

Then run enable-cstopology

Last thing in the CU5 update is

%ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

clip_image014

clip_image015

https://support.microsoft.com/en-us/kb/2809243

Step 3 : Installing Windows OS hotfix.

KB2982006 Windows Server 2012 R2

Since the FE is on Windows Server 2012 R2 then we’ll need to download this link

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

RESTART is Required

clip_image016

STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

First Download SQL Express SP2 setup

clip_image017

You can patch the server by opening a Lync Management Shell window and entering the following commands:

Stop-CsWindowsService

.\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms

clip_image018

clip_image019

clip_image020

clip_image021

clip_image022

clip_image023

clip_image024

clip_image025

Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)

https://support.microsoft.com/en-us/kb/321185

clip_image026

My SQL Server version is SP1 so I don’t need to upgrade it to SP2

clip_image027

Step 6- In-place Upgrade for Skype For Business

In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

On a different Machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. then I’ll load the Skype for business ISO and install

clip_image028

D:\Setup\amd64\Setup.exe

clip_image029

clip_image030

clip_image031

clip_image032

We’ll now press on Installing Administrative tools

clip_image033

clip_image034

clip_image035

Now in order to continue we’ll have to open the topology builder in order to upgrade our Lync 2013 topology

I’ll open the topology builder and save the topology file somewhere

clip_image036

Once the topology is open, I’ll navigate to the Standard FE Servers and right click on my main server to upgrade

clip_image037

clip_image038

I’ll click on Upgrade to Skype for Business Server 2015…

clip_image039

As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.

clip_image040

Since I have two FE servers (FE and SBS) I will be upgrading them both but not in the same time not not fall into any errors, so I will publish the topology and see what happens.

clip_image041

clip_image042

We’ll check what do we need to do now in order to upgrade the servers, here is what we’ll do.

Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

(1) Stop the Skype for Business services on all of the servers that you are upgrading;

(2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;

(3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

On Lync FE 01 I’ll stop all the services using Stop-cswindowsservice

clip_image043

Now on the same server I’ll load the Skype4B ISO and start the setup

D:\Setup\amd64\Setup.exe

clip_image029[1]

clip_image030[1]

clip_image031[1]

Started at 1:40pm

clip_image044

clip_image045

clip_image046

clip_image047

clip_image048

clip_image049

NOTE:

The required time for the upgrade process is estimated around 75-90 Minutes for each FE Server.

clip_image050

clip_image051

Starting ‘Verifying upgrade readiness…’

‘Verifying upgrade readiness…’ completed successfully

Starting ‘Installing missing prerequisites…’

‘Installing missing prerequisites…’ completed successfully

Starting ‘Uninstalling roles…’

‘Uninstalling roles…’ completed successfully

Starting ‘Detaching database…’

‘Detaching database…’ completed successfully

Starting ‘Uninstalling local management services…’

‘Uninstalling local management services…’ completed successfully

Starting ‘Installing and configuring core components…’

‘Installing and configuring core components…’ completed successfully

Starting ‘Installing administrative tools…’

‘Installing administrative tools…’ completed successfully

Starting ‘Installing local management services…’

‘Installing local management services…’ completed successfully

Starting ‘Attaching database…’

‘Attaching database…’ completed successfully

Starting ‘Upgrading database…’

‘Upgrading database…’ completed successfully

Starting ‘Enabling replica…’

‘Enabling replica…’ completed successfully

Starting ‘Installing roles…’

‘Installing roles…’ completed successfully

Starting ‘Verifying installation…’

‘Verifying installation…’ completed successfully

clip_image052

Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B

clip_image053

clip_image054

Publish the topology

clip_image055

I’ll stop the service before I start the upgrade process.

clip_image056

I’ll load the ISO on the second server and start the upgrade.

D:\Setup\amd64\Setup.exe

clip_image029[2]

clip_image030[2]

clip_image031[2]

clip_image057

Apparently I forgot to update Lync to the latest CU

clip_image058

clip_image059

clip_image060