Category Archives: Lync

Deleting Old Skype for Business or Lync server from ADSI

The story

I had a project few weeks ago where my client wanted to install Skype for Business 2019 but had installed Lync before and removed the server without doing proper decommissioning which kept dirty records in AD database and had to be removed manually in order to make a new clean installation of Skype for Business 2019

To do so:

There are two days of doing so, One is using ADSIEdit and ADUC to remove Computer Objects and Users related attributes and Security Groups.

I normally would prefer PowerShell but since we can demonstrate both ways for people who like to work with GUI

Starting with GUI

Removing Legacy Lync server from the AD Schema


  1. Using a domain or enterprise admin
  2. Access to the ADSIEdit.

Goal of removing Legacy Lync server from your AD environment.

  1. Preparing AD schema and domain for a new deployment after you improperly deleted Lync Servers without uninstalling them.
  2. Cleaning Users’ Lync related attributes for the new deployment.



Step#1: Remove permissions

This step removes the original Lync permissions from the active director.

  1. Open Active Directory Users and Computers
  2. Right click on your top level domain being cleaned and select Properties
  3. From the Properties windows, select the Security tab.
  4. Remove all security users titled RTC*
    These are usually
    – RTCUniversalServerReadOnlyGroup
    – RTCUniversalUserReadOnlyGroup
    – RTCUniversalUniversalServices
    – RTCUniversalUserAdmins

From <>



  1. Repeat the same steps for each of the following AD Folders and

    NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
    – Domain Controllers
    – System
    – Users

Domain Controllers






Step#3: Additional AD cleanup

  1. Open Active Directory Users and Computers
  2. Drill down as follows
    [Your Domain] \ Program Data \ Distributed \ KeyMan
  3. Delete LyncCertificates
    NOTE: This may not exist in all scenarios.
  4. Drill down as follows
    [Your Domain] Users
  5. Delete all RTC* and CS* users created by Lync
    I.E. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, Etc.


Deleting users from the User OU


Deleting CS Users


Step#4: Cleanup existing users

This steps resets Lync attributes for any domain users and contacts.


The Second way: Using PowerShell

get-aduser -filter {msRTCSIP-PrimaryUserAddress -like “*”}|set-aduser -clear msRTCSIP-PrimaryUserAddress,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserEnabled,msRTCSIP-OptionFlags,msRTCSIP-UserPolicies, msRTCSIP-DeploymentLocator, msRTCSIP-FederationEnabled, msRTCSIP-InternetAccessEnabled


Users attribute are clean and AD has nothing left over of Previous installation of Lync or Skype for Business .


Lync 2013 to Skype for Business in-place upgrade with Monitoring database

This article guides you through the steps of doing an in-place upgrade from Lync 2013 to Skype for business. I am copying the article as is from my lab with all the errors that I have been through to give you a real experience feed back of what is this like.

You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.


Extensible Chat Communication Over SIP protocol (XCCOS)

From <>


Lync CU 5

Kb2533623 Windows Server 2008 R2

Kb2858668 Windows Server 2012

KB2982006 Windows Server 2012 R2!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

SQL 2012 SP2 for Express version


First Issue:

Upon running the setup I have got the following error:

Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.




I will re-run prerequisites to make sure that all are satisfied before running setup again.

STEP 1 : Installing Prerequisites

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

Updated aug-2018



STEP 2: Installing CU5

Download and install CU5



After the restart we will apply the update of the databases which in my case is going to be the FQDN of the FE server since it’s standard version and not Backend server.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose



Time to upgrade the Archiving/Monitoring databases.

To upgrade we’ll use the same command except change the FQDN of the SQL server to the SQL server where Monitoring and Archiving databases are at.

Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose




Applying CMS upgrade


Install-CsDatabase -CentralmanagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -verbose



Then run enable-cstopology

Last thing in the CU5 update is

%ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe



Step 3 : Installing Windows OS hotfix.

KB2982006 Windows Server 2012 R2

Since the FE is on Windows Server 2012 R2 then we’ll need to download this link!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

RESTART is Required


STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

First Download SQL Express SP2 setup


You can patch the server by opening a Lync Management Shell window and entering the following commands:


.\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms









Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)


My SQL Server version is SP1 so I don’t need to upgrade it to SP2


Step 6- In-place Upgrade for Skype For Business

In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

On a different Machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. then I’ll load the Skype for business ISO and install







We’ll now press on Installing Administrative tools




Now in order to continue we’ll have to open the topology builder in order to upgrade our Lync 2013 topology

I’ll open the topology builder and save the topology file somewhere


Once the topology is open, I’ll navigate to the Standard FE Servers and right click on my main server to upgrade



I’ll click on Upgrade to Skype for Business Server 2015…


As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.


Since I have two FE servers (FE and SBS) I will be upgrading them both but not in the same time not not fall into any errors, so I will publish the topology and see what happens.



We’ll check what do we need to do now in order to upgrade the servers, here is what we’ll do.

Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

(1) Stop the Skype for Business services on all of the servers that you are upgrading;

(2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;

(3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

On Lync FE 01 I’ll stop all the services using Stop-cswindowsservice


Now on the same server I’ll load the Skype4B ISO and start the setup





Started at 1:40pm








The required time for the upgrade process is estimated around 75-90 Minutes for each FE Server.



Starting ‘Verifying upgrade readiness…’

‘Verifying upgrade readiness…’ completed successfully

Starting ‘Installing missing prerequisites…’

‘Installing missing prerequisites…’ completed successfully

Starting ‘Uninstalling roles…’

‘Uninstalling roles…’ completed successfully

Starting ‘Detaching database…’

‘Detaching database…’ completed successfully

Starting ‘Uninstalling local management services…’

‘Uninstalling local management services…’ completed successfully

Starting ‘Installing and configuring core components…’

‘Installing and configuring core components…’ completed successfully

Starting ‘Installing administrative tools…’

‘Installing administrative tools…’ completed successfully

Starting ‘Installing local management services…’

‘Installing local management services…’ completed successfully

Starting ‘Attaching database…’

‘Attaching database…’ completed successfully

Starting ‘Upgrading database…’

‘Upgrading database…’ completed successfully

Starting ‘Enabling replica…’

‘Enabling replica…’ completed successfully

Starting ‘Installing roles…’

‘Installing roles…’ completed successfully

Starting ‘Verifying installation…’

‘Verifying installation…’ completed successfully


Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B



Publish the topology


I’ll stop the service before I start the upgrade process.


I’ll load the ISO on the second server and start the upgrade.






Apparently I forgot to update Lync to the latest CU





Skype for Business Edge server deployment and Hybrid integration with Skype for Business Online

In the last Skype for Business post I have upgraded my Lync 2013 to Skype for Business (Click here to go to that post). in this article I am going to install Edge server for Skype for Business to the same Lync Environment where I have done the Upgrade to Skype for Business.


Configuring Edge Server


In order to configure Skype 4 Business Edge, we’ll have to change the Netbios to give it the name of our Domain but we won’t join it to the domain.



Setup NICs

Edge Server must have 2 NICs, one Local NIC will point out to the Front end server but must not have Default gateway so traffic can only flow through the DMZ out to the internet and back in. but still it must be able to ping to the FE from Edge and vice versa.

DMZ network can have 1 DMZ address (Public Address to be NATTED to) or 3 DMZ addresses for public IP addresses with standard HTTPS ports.



Configure Hostnames

Edit the Edge server’s host file to include Lync FE and DC’s IP addresses and Hostname


Install Prerequisites

  • Microsoft .Net Framework 3.5


Now I will go back to Skype for Business FE server, I’ll launch the topology builder and add new Edge server

I will add the first Edge pool which contains of a single Edge server


Next, you will have to choose if you want to enable federation with partners or other service providers …e.g. (Google)


I am intending to use a single Public IP address with a different ports (nonstandard) since this is a lab. For production it’s recommended to use 3 public IP addresses for Access Edge, AV and WebConf services.


Next I will choose the last option which says that the Edge pool is translated by NAT. I will configure my firewall to NAT ports to the Edge’s DMZ IP addresses from the Public so I am choosing this option.



This is the FQDN’s the default configuration .. It’ll only use a single FQDN for all services if you’re going to use a single public IP address with a different ports.


When you use a single IP address with a different ports, the Access Edge port will normally change to 5061 (Not 443 like in the SRV record which will cause failure if you forgot to change this port to match the one in your Topology’s Access Edge settings.

Next I’ll have to enter my Edge server’s Local IP address.



Next I will be asked to enter the DMZ’s IP address which the wizard calls (Private External IP address)


Here I am going to place the NAT IP address which is my Public IP address.


Next I’ll have to choose which Lync FE pool will be used as the next hop to the Edge pool. In this case I’ll be choosing my main pool since the second is only for resilience purpose.


Then I’ll associate the mediation pool for Edge server for external media traffic. I can assign both in this case.


Now I’ll click on Finish and right click on the Site name’s properties to enable the SIP federation and XMPP federation then Publish the topology.





Now I will setup Azure Active Directory Sync on my DC server in order to sync the required users for the test purpose.

My domain is adeo.local so I want to change the UPN for users to match the synced domain. ( and


Installing Azure Active Directory Sync

Now I will install the prerequisites which consist of the following


Net framework 4.5.2 is required for AADS but it’s already installed on my server


Next I will install Microsoft Online Service Sign in assistant


Next I will install Azure AD Module


Finally Azure AD Sync


Before moving forward, I’ll have to go to the Office 365 portal and activate DirSync


Then use a global admin credentials from O365.


Adding the forest using an enterprise admin user account



Due to the fact that my domain’s public dns host doesn’t have SRV configuration because it’s hosted by the famous free domain service (Freenom) so I’ll have to add my original domain as Lync (S4B) requires SRV records to point to the on-premises lync.






I will only sync one OU, so I will untick the Sync now box and click on Finish


I will go to the following path

“C:Program FilesMicrosoft Azure AD SyncUIShell” and create a shortcut for the GUI application of AADS on the desktop

“C:Program FilesMicrosoft Azure AD SyncUIShellmiisclient.exe”


To get this GUI app to work, you will have to sign out of your account and sign back in as your username will be added to the local administrators and have the authority to open it

Log off, log back in


Next I will go to the connectors tab and double click on the ADDS connector (Adeo.local)


I will go to the Configure Directory Partitions and under Credentials I’ll choose “Alternate credentials for this directory partition” then enter my on-premises AD Enterprise admin credentials


I’ll click on Containers


I’ll untick the DC=Adeo,Dc=Local box and only choose Dirsync OU then click OK and apply


Before I start syncing my AD , I will go to Skype for Business Server and add my domain as a SIP domain


Next I am going to change the FQDN of the SIP access edge for public domain to and the default port for the Access Edge to 443 and publish the topology



I needed to finally check if all my FE servers are replicating. So then I can move to Edge server to install Lync components


On the Edge server, I’ll use ISO for Skype 4 business to install the setup



First thing I’ll install the local Configuration Store

I’ll click on Run and then I’ll be asked to import the configuration file which I’ll must export from Lync FE (Skype 4 b FE) server


In this case, I’ll go to Lync FE and open Lync Management shell and enter the following Cmdlet

Export-CsConfiguration -FileName


This cmdlet will export a file to the root C drive . I’ll copy this file to the edge server.


I’ll click next to continue, this should start installing the local store




Next I’ll request a certificate for Internal NIC For edge server




I’ll take the CSR (Certificate sign request) code and get a certificate from my local CA


I’ll open MMC and add Certificates console and import the PKCS certificate



After importing the certificate I’ll assign it to the internal NIC by clicking on Assign to the Edge Internal





Once we assign the certfiicate to the internal edge. The replication service for Edge and FE will start working


Now I’ll import my Public Certificate to Edge Server’s DMZ NIC

I already imported my public certificate, now I’ll go to the S4B wizard and assign it there



Unlike IN lync 2013 when you Click on Start service in the Wizard all services start on their own but on Skype for business you ‘ll have to start the services manually by yourself.


So Instead I used the service console to start the services.

Now I’ll go back to the FE And enable remote connectivity to Skype for Business from outside and make sure that replication works fine by checking the Topology or from cmdlet




Setting up Hybrid integration with Skype online for Business (O365)

In order to allow Hybrid environment to function properly, we’ll have to federate our Skype for Business on-premises’s Edge server as microsoft says below

Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. To configure federation, run the following cmdlets in the Skype for Business Server Management Shell:

From <>

On the front end server, we’ll run the following CMDlet

Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery $true


Next cmdlet will create a new public federated provider for skype for business online.. However it already exists so we must delete it from control panel or the cmdlet will fail with the following message


I’ll delete the hosted provider “Skype for Business Online”


I’ll try the cmdlet again after deleting the provider ..

New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl


Since it worked already, I will go back to the control panel and make sure it is enabled


Next is : Configure your Skype for Business Online tenant for a shared SIP address space


To configure a shared SIP address space, establish a remote PowerShell session with Skype for Business Online, and then run the following cmdlet:

We’ll have to download skype for business online powershell!38849&authkey=!AKW6Ln4Rkn6QuUI&ithint=file{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}2cexe

After launching the PowerShell module as an administrator I’ll run the following cmdlet

Import-Module SkypeOnlineConnector


Now I’ll connect to my Office 365 tenant


$cred = Get-Credential

$CSSession = New-CsOnlineSession -Credential $cred

Import-PSSession $CSSession -AllowClobber


Now I’ll configure the shared sip address

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

From <>


To double check my configuration I will see if the SharedSipAddresSpace is enabled or not



To double check that the hybrid configuration is setup properly we can use the Skype for business on-premises Hybrid UI wizard from the Home Menu under “Connection to Skype for Business Online”


Using the Skype for Business 2015 User interface to setup Hybrid configuration:

After you sign in it does automatically logs you in and configure the three following options

  1. Federation for the Edge server
  2. Federation with Office 365.
  3. Shared SIP address space.



Now I will configure my DNS Settings as recommended by Microsoft for the Hybrid Integration scenario

DNS Settings

When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.

From <>

  1. Update some DNS records to direct all SIP traffic to Skype for Business on-premises:
  • Update the A record to point to the FQDN of the on-premises reverse proxy server.
  • Update the SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
  • Update the SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
  • If your organization uses split DNS (sometimes called “split-brain DNS”), make sure that users resolving names through the internal DNS zone are directed to the Front End Pool.

From <>

According to Microsoft’s configuration of the Public DNS, you will have to configure only the SRV records to point to your edge server however, running a simple wireshark on your Skype for business client machine you can notice the following:


Microsoft Lync / Skype client first requires the Lyncdiscover / Lyncdiscoverinternal record in order to see where the user is located… then gets redirected to which is the Cname value to the Lyncdiscover Cname in the public DNS and tries to login the user through then finds no user there and logs in using the SRV eventually in the end as in the below snapshot which I’ve used Wireshark for to monitor the DNS traffic that the Lync Client requests upon login request.



What have me confused here is that Microsoft says only SRV records must be pointing to your On-premises Lync/Skype for Business Edge server.. So you must enter something else other than (Which in normal cases might be the common name of your Edge certificate) for the value of the SRV Record since the and must be pointing to Office 365.

I tried using the Public IP address of my Edge server just to check if my on-premises user will connect without any issue however I did have an issue with the Certificate saying “There was a problem verifying the certificate from the server”.


Luckily the Public certificate that I had on my edge server had multiple SANs (Subject Alternative Names) and one of them was which I was intending to use for the WAC Server (Office Web Apps Server) and then I created an A record on my public DNS that points to my Edge server’s Public IP address…. although the is not a common name but it worked and I was able to federate with Office 365 users and was able to move users from on-premises to office 365 and back to on-premises as demonstrated later in the article.

“When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.”

From <>


Now I have changed all the SRV records to direct to the new A record


And finally deleted the A sip record and created a new CNAME record that points to



I have already a user synced from my local AD to the cloud (office 365) that’s not enabled for Skype for business on-premises .. Once this user is synced and have been assigned a license it should be directly enabled for Skype for Business Online and I should be able to sign in to it without any issue.


In order for both users (homed online and On-premises) to see eachother’s presence the synced user must be enabled on the On-premises Server before moved to the cloud or else the presence and M will fail.

Time to test, I was able to sign in to the Online homed user (admin) and now I’ll be adding the on-premises homed user to the list to check the presence, IM ..etc


Here I added the user admin to my other account Mohammed.hamada and vice versa.


The Presence appears to be working fine for user homed on-premises as it shows when I changed it to “busy, be right back..etc” on the cloud user’s Client however the Office 365 homed user’s presence takes time to change on the on-premises user’s list and the IM doesn’t seem to work properly as messages sometimes doesn’t go through and fail.

Sending a message from the on-premises User (Mohammed Hamada) to (ADMIN)


Now sending an IM from Admin to Mohammed Hamada


To make sure that the issue is not within my on-premises server, I will use a different Skype for Business online account and see if IM work both ways.

This is my other user.. The presence information seems to work properly and now I’ll test the IM


IM between my On-premises and another user on another Office 365 tenant seems to be working fine back and forth as in the below snapshots so the issue might be related to Office 365 tenant which I am using for this test (could be related to trial version)

I am going to open a case with MS and see why this issue happens since my on-premises work fine with other tenants.



Now It’s time to move users from and to cloud and on-premises to check how easy, flexible or hard this process is.

I currently have 2 users, one on cloud and one synced and homed online (Office365)


In order to move users, you can go to Users tab after the hybrid config is finished and find the user you want to move then click on Actions and chose to move the users to the Skype for Business Online as in the below snapshot


Before you move the user to Office 365, you must assign license to the user or else the move will fail.






You can move the user back from Office 365 to your on-premises Skype for Business server with the same process exactly except that you’ll have to choose which pool you need to move the user to.

Checking where the user is hosted from Skype for business Management shell

The Hosting Provider will show you where the user is working from now.




Hope this has been helpful


Create Skype4Business Groups

If you’re looking for an quick way to let all your users easily add all Skype for Business users to their list after migration from Lync 2010/2013/Skype4business to Office 365 Skype for Business then please follow these steps ..

In order to do so, you will have to have DirSync (Azure AD Sync) installed and functioning properly.

First step: Add a group to AD

On Local AD create a Universal Distribution group as following


The group must have an e-mail address entered in the Email field otherwise it won’t show up in Lync Client list when you search.


Go to Members tab and add all the users that you are planning to Enable on Skype4Business.


Apply and close the group.

Go to DirSync

Force the Sync


Make sure that group has been Synced.


In office 365. You can check If the group is there or not by simply navigating to the Groups tab on the left pane.


Now Open Lync 2013 or Skype 4 Business client and search for this group by email


Right click the group and click Add to contacts

As soon as you add the group, all the members will come beneath it right away.


Hope you find this useful

Install Frontend Skype for Business 2015

Install prerequisites

Frontend/Standard edition as well

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client,


From <>

Installing Director Prerequesties

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client

From <>

Check Powershell version



Install prerequisites



Restart is required





Prepare Active Directory








Install Administrative tools





Prepare First standard edition server














I will create a shared folder








It’s time to publish the topology



Publishing failed with an error that states the following


So I will double check that I am member of the required groups


It seems not, I will add Csadministrator and RTCUniversalServerAdmins



Still I get the same error every time I try to publish the topology. Apparently the way I solved this was by creating a new topology where the standard pool name must match the server’s hostname otherwise Topology won’t be able to access the SQL Express that’s installed by Lync setup.

So in this case I am going to re-create my topology as following is my public domain which is going to be my sip domain in this case not my local one (






Next I will put my server’s FQDN in the pool name, my FQDN Is













Now it’s time to publish the topology once again




Seems we have passed the permission issue as soon as the Standard edition FE server matches the FQDN of the server



We’ll look up at the open to-do list now

The to do list seems a bit different from Lync 2013 as it requires the part about the certificate


I will run the Local setup for the server since I only have one server now.


Before we run the local setup we need to make sure that our account has the required privileges which is shown under the Install local CS below. Since I already have configured the account’s privileges I will continue my setup.





There’s nothing new about the local store installation on S4B except that it checks and downloads updates during this process as the report shows below.


Detailed steps for the local store installation can be found in the sub page.


Now it’s time to move to the next step and check for the prerequisites




S4B says that a prerequisite is not meet, checking the link posted in the error information it seems that it needs a hotfix to be installed on the server


I am attaching the hotfix after requesting and Installing as requested




After finishing we’ll double check if the prerequisites are meet or not

Running the setup again it seems that the prerequisite has been satisfied.


The setup and in particular the next step could take approximately about 5-10 minutes depending on the resources you have assigned to the Skype for business server.



I will navigate to the MSI file location and try to install it without using the wizard.


The file path is as showed in the previous path:

C:ProgramdataMicrosoftSkype for Business ServerDeploymentcache6.0.9319.0


So the problem is that Windows Identity foundation is not installed. Although I have copied the prerequisite cmdlet from the official Microsoft Skype for business’s technet article but it seems they have missed out there so I will adjust the powershell cmdlet to include it which means you won’t face this issue.



Now I’ll re-run the setup again


We have passed the error already and now in the process of assigning accounts to SQL services.

The setup might take approximately 30-60 minutes installing all the required components.



In order to continue to the next step we must deploy CA (Certification Authority) to issue a certificate for Skype for Business Front end web services.

I already have one CA deployed on my CA so I will just go ahead and click run on the step 3

This process will be easy as it’s automated if you have configured your CA properly. First click on Request


Now S4B certificate request wizard provides new user interface that’s easier and faster to fill, I will fill it and go ahead with issuing the certificate.








And it’s done


I will do the same steps for the OAuthTokenIssuer



Now it’s time to start the Services and check eventviewer

Trying to start the services from the wizard fails with event ID 20002 so instead I am going to try Lync Management shell instead


Trying Management shell with the cmdlet start-cswindowsservices seems to work



All the services are running now



Stay tuned for the next article of deploying Edge server Winking smile

Lync Distribution Group


To add a certain number of Lync users to certain client list, you can create a distribution group with the following options


  1. The group scope should be universal
  2. The group type will be Distribution.
  3. You must include the e-mail address

Now when this group is created, you can add any number of users to it. I will add couple of users from Lync users

After adding the users that I wanted to add. Now I have to go to Lync server and force the Address book synchronization between GAL and Lync.

Wait about 5 mins to Clients to download latest updates and then you will be able to see the changes on the client list. If not you can force the clients to download the new updates by using GPO to force special registry value
This registry will be applied on the Clients
reg add HKLMSoftwarePoliciesMicrosoftOffice15.0Lync /v GalDownloadInitialDelay /t REG_DWORD /d 0 /f
From here you can now see the changes on Lync’s contact lists. Tags: ,

Set Pin Authentication for Lync on DHCP Server


NOTE: I have attached the DHCPUTIL and all of the other required files with it, so you directly download them to your DHCP Server.

This is the shortest way to setup up Pin Authentication for Lync on the DHCP Server… 

First Copy/Download all the DHCP Utilities content from Lync Front end server to DHCP server and run the following command line


Note: Make sure you run DHCP on Command line (CMD) as an administrator. 


DHCPUtil.exe -SipServer –WebServer –RunConfigScript


On Lync Server make sure you run the following CMDLET on Lync powershell 


set-CsRegistrarConfiguration -EnableDHCPServer $true


That’s it you should be all set after you ran this command line and you should be able to see the new DHCP options are showing in the DHCP server console. 

To test the configuration you can run the same tool with a different parameter which will do the test for you, On a nother computer that’s not the “DHCP” open command prompt and run the following command line.


DHCPutil.exe –EmulateClient


Note: I’m attaching all the required files to this page below for download.



If you run the command and you get the error below, then you might have a missing step 


DHCPUtil.exe -SipServer –WebServer –RunConfigScript


C:UsersadminDesktop> DHCPUtil.exe -EmulateClient


Starting Discovery …

Result: Failure =  -2147014848


On the Lync Server run the command 

set-CsRegistrarConfiguration -EnableDHCPServer $true 

Again on Lync server “Not DHCP” run the DHCPUtil.exe -EmulateClient to test the configuration. Tags: ,

Web Conferencing Server connection failed to Establish on Edge server


Web Conferencing Server connection failed to Establish on Edge server 


In an environment of a domain with a backup DC you might face a problem with Lync Edge deployment.

After the step where you have to add the CA authority certificate to your Trusted CA store in Edge Server you might notice 

some errors with Edge server trusting the connection from Front end or vice versa.

The problem will happen if there’s two CA certificates in the Trusted CA store and you only have imported one of them.



Looking at the Front End server Certificate store which is joined to the Domain.



Errors might be generated by the same symptom are:

Web Conferencing Server connection failed to establish.

Over the past 1 minutes Lync Server has experienced incoming TLS connection failures 1 time(s). The error code of the last

failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.

) and the last connection was from the host “”.



‘This can occur if this box is not properly configured for TLS communications with remote Web Conferencing Server.


Check your topology configuration to ensure that both this host and remote Web Conferencing Server can validate each 

other TLS certificates and are otherwise trusted for communications.


The XMPP Translating Gateway Proxy has no connections to any XMPP gateways.


Connectivity issue.



Check that a configured gateway is running.


TLS outgoing connection failures.

Over the past 1 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the 

last failure is 0x80090325 (The certificate chain was issued by an authority that is not trusted.) while trying to connect to

the server “EGELYNCFE.domain.local” at address [], and the display name in the peer certificate is 


Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer 

server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server 

used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not 

trusted by the local machine.



Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN 

somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses 

returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain

is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.



To Resolve this problem, make sure that you export both CA from Front End and import them in to Edge’s Trusted root 

CA Local store.



Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment


If you ever tried to publish Lync topology and receieved the following error, then go on read this article to the end to find the solution.


Enable-CsTopology : Multiple Active Directory entries were found for type “ms-RTC-SIP-EdgeProxy” with ID in a multiple Domain Environment

At line:1 char:1

+ Enable-CsTopology

+ ~~~~~~~~~~~~~~~~~

    + CategoryInfo          : InvalidData: (:SourceCollection) [Enable-CsTopology], InvalidDataException

+ FullyQualifiedErrorId : DuplicateADEntry,Microsoft.Rtc.Management.Deployment.ActivateTopologyCmdlet

to enlarge please click on the screenshot

to enlarge please click on the screenshot

Open ADSIEDIT and look in the following snapshot. Open Configuration for your DC

Collapse the menu and click on Services

Click on RTC Service

Click on Global Settings and on the right pane look if there’s any duplicated entries and remove them.

As you can see on my right pane I have 2 duplicated (msRTCSIP-EdgeProxy) and I’m going to remove one of them and see 

if I can publish my topology or not. But before that I will have to make sure that I export the entry that I wanna delete.

to enlarge please click on the screenshot

I right clicked on the last value and deleted it and here how it became now.

to enlarge please click on the screenshot

Now I will try to publish my topology and see what happens, my topology publishing failed with 

a new error this time.

to enlarge please click on the screenshot

I will have to go and check where’s this coming from, since it mentions TrustedService. I will go look in the trusted service

This is not going to be easy, as you need to be careful where you look .. You will need to make sure that you’re looking

at the right FQDN

to enlarge please click on the screenshot

Here I could find the value MRAS for the FQDN Edge server

So I looked here and found 2 identical entries with a different (CN) if you scroll down you will see that the GruuId is the

same, FQDN is the same, port is the same.

to enlarge please click on the screenshot

to enlarge please click on the screenshot

Let’s delete one of them and see again if we can publish our topology, So I deleted the one that starts with {b344}

I will do this using the Lync Powershell, you can see below that the Topology was published successfully.

to enlarge please click on the screenshot

To resolve the warning you will have to issue the cmdlet Enable-CsAdForest after the Enable-CsTopology

to enlarge please click on the screenshot Tags: ,,,

FreePBX 6.12.65 Integration with Lync 2013

Installing AsteriskNow (FreePBX 6.12.65) and integration with Lync 2013
Download AsteriskNow from the following Link
First the setup window will come: there I will choose No RAID on Asterisk 13 since this is a virtual machine.
Here I will choose IPv4 static IP (Manual configuration) and click OK
Choose the time zone according to the nearest location to you
Next, we’ll configure the root password
Here it’s formatting the Disk that I have assigned to the VM.
It should start the installation now and should download all the required packages from the internet incase they were not found on the ISO which I’ve loaded.
Now the installation is about to finish and once it does, the machine is supposed to restart on its own allowing you to go to the Web UI.

Upon setup and restart, you might get the following error! The error states that your PBX can’t access the internet so you might wanna double check your NIC configuration and that you’re able to reach to it. 
This is usually related to the DNS setup on the Centos machine where “AsteriskNow” is setup.
If you do a test and try to update your system from the CLI window you might get this error which is related to the DNS.
To resolve it, you’ll have to replace the localhost with any public DNS e.g. (google or comodo DNS) or any internal DNS that’s capable of reaching out to the internet to resolve this problem.
To edit the DNS you will have to type in the command  “nano /etc/resolv.conf”
The default DNS is the localhost
and you’ll have to manually change it and save the  settings
Press Ctrl + X and then Press Y to save and hit Enter
To test that we can access the internet you can nslookup for instance and see if it works

Once you are able to resolve the, that error will go.

Now to continue, let’s setup a FreePBX Admin (Make sure you remember both username and password)

Click on the (FreePBX Administration) and enter the username and password you have just created in the previous step.
This will allow you to the configuration portal
Extensions configuration:
To start, let’s configure an extension (Since I don’t have an IP phone now) so I will use a SIP application for my test (Zoiper or Xlite would do fine)
Select Chan SIP device as this talks directly with Lync Trunk then Click Submit once you choose the device .
Now I will configure the new extension’s number, name and secret and port too.
Under device options, you have to set the secret (Password) which you’ll use to login to your sip phone or sip softphone..
You need to also make sure that the port configured under the device is what will be used for the device to login with this sip extension
so basically the sip port in this case is 5060 which is the default one unless you’re already using a different port then you’ll have to reconfigure it here.
I’ll leave the rest of the options on default value and click submit. Then apply Config
Applying Configuration
Now I will use a soft phone (SIP Application) on my PC to check out if calls are working properly. And for the second extension a second computer with the same software or even A software like Zoiper or Xlite can be utilized on iPhone or Android for the same purpose.
No other settings are required on the SIP phone after that it should register without an issue. And you’ll be able to make calls between SIP phones
I am going to call my computer (3700) sip phone (Xlite) from my iPhone (Zoiper) soft phone (3800)
So calls are working properly between SIP extensions, now we’ll have to go configure Lync and Asterisk Configuration.
Before starting, we’ll have to enable the TCP protocol on Asterisk for Lync to send calls to Asterisk since Lync talks only TCP.
Enabling Asterisk to listen on TCP
Enable TCP for Lync and SIP Phones for Asterisk
I’ll have to configure the local networks and the RTP port range as well.
Next I’ll click on Submit, and apply configuration then on top right I’ll click on Chan SIP to configure the ports and the right protocol
Under SIP Settings, make sure your settings matches the snapshot below, then navigate to advanced settings
Under Advanced General settings make sure that CHAN_SIP is bind to port 5061 or else calls from Lync will fail with “Unauthorized” error code.
Once you change the port scroll further down to Other SIP settings and add the following variables
Tcpenable = Yes
Transport = tcp
Submit the changes and apply the configuration.
Lync Configuration
Now I will go on Lync server now (Standard edition) and enable the TCP port for the mediation server (Collocated mediation service)
To do so
Right click on your Mediation server and edit properties and Enable TCP port and change it from 5068 to 5060.
I will publish the topology
Published the topology and now it’s time to run the setup as it will install the mediation server role on Front end.
Next I will run the second step (Setup or remove Lync Server Components):
I will go check if the mediation service is enabled now
I will run the command netstat -anb >1.txt
The command will export all the ports status on the server including each of the Lync services.
So Lync mediation service is listening on the default sip port 5060.
Now I will go back to the topology and add the PSTN Gateway (AsteriskNow)
Right click on PSTN Gateways –> Click add PSTN gateways
Next, I will type in the AsteriskNow PBX IP address and the port that “Chan_SIP” driver is listening on since all calls are going to be routed to it.
And will select my mediation server and the Mediation server’s configured port on Lync.
Click Finish and Right click on your front end server and click properties
Make sure you
Click on Make default and then OK then publish the topology
Asterisk Configuration
Asterisk side of the Integration
In order for the configuration to work, we’ll have to configure a new trunk of the Asterisk IP PBX to identify where is the Lync server ..etc
Let’s go to our Asterisk portal, configure new trunk by going to Connectivity -> Trunks then choose “Add SIP(chan_sip) Trunk”
You will need to fulfill the boxes in red below each with what pertain to it.
The IP is my Mediation server (Front end since Mediation server is collocated)
TCP is the protocol that Lync uses
5060 is the port which Lync listens on
I will clear all the settings below “User Details” and save this trunk
Now field cleared and next will click on Submit Changes.
Inbound Routes
I have applied the configuration and now it’s time to create routes on Asterisk to route calls to Lync.
To configure routes, click on Connectivity and then Inbound routes
Click Submit now and Apply Config for changes to take effect
Outbound Routes
It’s time to configure the outbound routes, Depending on your Lync users URI or telephone number and extension number you will have to configure
Your outbound routes according so it will be able to route it properly to Lync users.
I’m going to show my user’s uri and extension on Lync server and what does it look like now
So the entire number is +2163314210 but my extension is basically 4210
Now again click on Connectivity > Outbound routes and add new “Dial Pattern” as following
The +216331 will be automatically entered by AsteriskNow once you dial the number defined in the “Match Pattern” field
Once finished configuring the required dial patterns you can submit and apply …
Lync Voice Route Configuration
Now it’s time to go configure Lync Routes, Go to Lync Server and open the Control panel, Go to Voice routing there we will go under the dial plan
tab and choose New User Dial Plan.
If you don’t want to mess up your Global dial plan or let every new user be able to use this dial plan ,you will have to configure a user dial plan.
I will have to create 2 normalization rules at least in the new dial plan. The first one is going to normalize the inbound numbers
And the second one is going to normalize the outbound.
Since on PBX I choose to create extensions that begins with 3 and are 4 digits long, I will create a normalization rule that’s exactly 4 digits
And it starts with 3. depending on your PBX configuration for the extension and inbound routes Lync needs to either have or not have the + in the dial plan
Now I will create the second dial plan which is from Asterisk to Lync “To match the full URI”
The normalization rule that I am creating here is 10 digits long and it starts with 21633 and it has + digits to add
After creating the Dial plans, it’s time to test them now! I will go to the Test Voice Routing Tab and create a test
So the test for Asterisk Extensions goes well
Now I will test the Lync dial plan
Since Asterisk is going to send the full URI as it will auto complete it even if the user enters the extension only (4210) then our rule is configured properly
Now after configuring rules and testing them it’s time to go to Voice Policy tab and create a new voice policy for Asterisk
Click on New under “Associated PSTN Usages”
Click on New under Associated Routes
You can leave the pattern .* (Which will allow all calls) for the time being until we test everything between both systems.
Scroll down and click on Add next to “Associated Trunks”
Select the available trunk and add it then Click OK 3 times and commit all changes
Now after applying all the configuration, It’s time to apply some tests.
From Asterisk to Lync
Below when I initiated the call I managed to see the SIP invite coming from the IP “” which is my AsteriskNOW PBX IP going to Lync and then the phone starts ringing.
When I have answered the call the RTP starts flowing.
Here I typed RTP in the Wireshark filter and could see the RTP media flowing between Asterisk and Lync Mediation server on the G.711 codec.
What I like about Asterisk is that it sends all users information along with the call and doesn’t strip them out, in extension information I have typed the extension name as “NEWPHONE” and put it all in capitals.
From Lync to Asterisk
Since the call is from Lync to Asterisk, then I will have to run wireshark or trace on Asterisk to see the Invite.
You can see Asterisk logs if you click on “Reports> Asterisk LogFiles”
Once the call has ended I was able to see that in detail as well in the logs.
All the media was
Next few days I will install and configure Brekeke to work with both (Asterisk and Lync) in the same environment… and share my deployment update with you all.
Hope this would do be of good help Open-mouthed smile Tags: ,,,