Category Archives: Skype for Business 2015

3- Migrate Users from Skype for Business 2015 to Teams

Hybrid Integration

In my last post about Skype for Business / Office 365 Skype for Business Online/Teams migration article I discussed the steps of how to create a hybrid environment between Skype for Business on-premises and went through the troubleshooting of each issue I have been through. In this article I am going to discuss the migration of users from on-premises to the cloud through UI and PowerShell.

Migrating users

This article will assume that you are planning to migrate users from Skype for Business Frontend 2015 Server and that you already have a hybrid configuration in place. If so then you’re going to fulfill the following prerequisites:

To check the currently installed PowerShell run the following cmdlet

$PSVersionTable

clip_image001

After you Download and install PowerShell 5.1 you might need to restart the server. In which case the PowerShell will show that it is updated to the required version.

image

After Installing the Skype Online Connector Module, We will be able to connect right after launching PowerShell

To do so type:

Import-Module SkypeOnlineConnector

image

Connecting to Office 365 (Teams Online or Skype for Business Online)

The process of connecting to Office 365 Online PowerShell sounds easy but with MFA enforced in your environment you’ll have a nightmare mix of errors when you try so.

I have came through a lot of errors trying to force the use of PowerShell with MFA user authentication but eventually came to realize that Microsoft still does not support MFA for some cmdlets like Move-CsUser for instance.

So In short, to connect you’ll need to have a global or Teams admin user with MFA disabled to do so.

To create a new Skype Online Session enter:

– Make sure you start the regular PowerShell as admin and not Skype for Business Management Shell.

If you run these commands from SfB Management Shell you’ll get an error

image

So first, We will import the Skype Online connector Module

Import-Module SkypeOnlineConnector

image

Then get the OverRidePowershell URI using the command:

Get-CsOnlinePowerShellEndPoint

image

Next, We will connect and authenticate to our tenant using the following cmdlet

$sfbsess = New-CsOnlineSession -Username User@domain.onmicrosoft.com -OverRidePowerShellUri https://admin4a.online.lync.com/OcsPowershellOAuth –Verbose

image

Moving Users to Teams

To Move users to Office 365, You need to first provide credentials of the User with MFA disabled and then use the command Move-CsUser

An Example:

$Creds = Get-Credential

image

Moving User

Move-CsUser –Identity user@domain.com –target “sipfed.online.lync.com” –hostedMigrationOverRideUri https://admin4a.online.lync.com/HostedMigration/hostedmigrationservice.svc –ProxyPool “YourFEPool.Domain.local” –Credential $Creds

image

Let’s check the status of the migrated user, The hosting provider attribute is what we care about as it tells us where the user is homed at.

image

Checking the user from Teams Portal

Users seems to be licensed, online and can now login using the Microsoft Teams app.

image

Bulk Enable Users and assign Tel URI numbers to them

In case you have a big number of users that you want to enable them online

# Please provide your O365 admin credential

$creds = Get-Credential

-PSSession (New-CsOnlineSession $cred) -AllowClobber

$csv = Import-csv “C:\Users\Mohammed\users.csv”

ForEach ($user in $csv) {

Write-host now enabling $user.alias

Move-CsUser –Identity $user.alias –target “sipfed.online.lync.com” –hostedMigrationOverRideUri https://admin4a.online.lync.com/HostedMigration/hostedmigrationservice.svc –ProxyPool “YourFEPool.Domain.local” –Credential $creds

}

The CSV File will look like this

Alias

user@domain.com

user2@domain.com

Errors you might face

Error 1:

When you have your on-premises user enabled for dialin you will probably get the following error if you try to migrate them to Skype for Business online or teams.

Move-Csuser :: HostedMisrat ion fault: Error=(511), Description=(The user could not be moved because he or she is enabled for dial-in conferencing on-premises, but has not been an assigned an Audio Conferencing license in Office 365. Users must be licensed before they can be moved to Teams or Skype for Business Online.)

If you are sure do want to use migrate this user without an Audio Conferencing license, specify the

“BypassAudioConferencingCheck” switch. ) At line: 1 char: 1

clip_image001[4]

The Solution is to either provide an audio conferencing license  or as it is showing in the error itself as it says use the switch -BypassAudioConferencingCheck to ignore that.

Error 2:

When trying to import the session, I got the following error

the runspace state is not valid for this operation for PowerShell Online.

clip_image001[6]

Solution: To overcome this problem you’ll need to use the overridePowershellUri Parameter in the New-CsOnlineSession in order to connect to Skype online powershell.

To get your tenant’s PowerShell URI use the cmdlet Get-CsOnlinePowerShellEndPoint

What you need to use is the AbsoluteUri

clip_image001[8]

Error 3:

When you try to import the SkypeOnlineConnector module and then run the New-CsOnlineSession cmdlet from Skype for Business Management Shell you’ll get the following error after authenticating.

Sign in

Sorry, but we’re having trouble signing you in.

AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.

Troubleshooting details

If you contact your administrator, send this info to them.
Copy info to clipboard  
  
Request Id:  f0f97265-4669-4e4f-bcf7-609469e92f00
 
Correlation Id:  829c8a2b-f697-416f-bfa6-4a794a229a13

Timestamp:  2021-01-10T23:00:10Z
 
Message:  AADSTS50011: The reply URL specified in the request does not match the reply URLs configured for the application: ‘7716031e-6f8b-45a4-b82b-922b1af0fbb4’. More details: Reply address did not match because of case sensitivity.
     

Advanced diagnostics: Disable
  
If you plan on getting support for an issue, turn this on and try to reproduce the error. This will collect additional information that will help troubleshoot the issue.

image

Solution:

Run the cmdlets from Windows PowerShell as admin not Skype for Business Management shell.

References:

https://docs.microsoft.com/en-us/microsoftteams/upgrade-to-teams-on-prem-overview

https://social.technet.microsoft.com/wiki/contents/articles/34339.skype-for-business-online-enable-your-tenant-for-modern-authentication.aspx

https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/move-users-from-on-premises-to-skype-for-business-online

https://docs.microsoft.com/en-us/microsoftteams/teams-powershell-install

https://docs.microsoft.com/en-us/skypeforbusiness/troubleshoot/hybrid-move-sfb-online/move-csuser-hostedmigration-fault-507

error when Installing Nuget module for Microsoft Teams integration

Story

I got a client requesting to integrate Skype for Business 2015 with Microsoft Teams. Skype for Business 2015 is installed on Windows Server 2012 R2 which has PowerShell 4.0

I already installed PowerShell 5.1 and restarted the server in question.

When I tried to install the Microsoft Teams PowerShell Module to integrate Skype for Business with Teams I got the following error:

image

Error

PS C:\Users\Admin> Install-Module MicrosoftTeams

NuGet provider is required to continue
PowerShellGet requires NuGet provider version ‘2.8.5.201’ or newer to interact with NuGet-based repositories. The NuGet
  provider must be available in ‘C:\Program Files\PackageManagement\ProviderAssemblies’ or
‘C:\Users\Admin\AppData\Local\PackageManagement\ProviderAssemblies’
. You can also install the
NuGet provider by running ‘Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force’. Do you want
PowerShellGet to install and import the NuGet provider now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is “Y”): y
WARNING: Unable to download from URI ‘https://go.microsoft.com/fwlink/?LinkID=627338&clcid=0x409′ to ”.
WARNING: Unable to download the list of available providers. Check your internet connection.
PackageManagement\Install-PackageProvider : No match was found for the specified search criteria for the provider
‘NuGet’. The package provider requires ‘PackageManagement’ and ‘Provider’ tags. Please check if the specified package
has the tags.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7405 char:21
+ …     $null = PackageManagement\Install-PackageProvider -Name $script:N …
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidArgument: (Microsoft.Power…PackageProvider:InstallPackageProvider) [Install-Pac
    kageProvider], Exception
     + FullyQualifiedErrorId : NoMatchFoundForProvider,Microsoft.PowerShell.PackageManagement.Cmdlets.InstallPackagePro
    vider

PackageManagement\Import-PackageProvider : No match was found for the specified search criteria and provider name
‘NuGet’. Try ‘Get-PackageProvider -ListAvailable’ to see if the provider exists on the system.
At C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1:7411 char:21
+ …     $null = PackageManagement\Import-PackageProvider -Name $script:Nu …
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidData: (NuGet:String) [Import-PackageProvider], Exception
     + FullyQualifiedErrorId : NoMatchFoundForCriteria,Microsoft.PowerShell.PackageManagement.Cmdlets.ImportPackageProv
    ider

More Details:

Although I have PowerShell 5.1 module installed but still it seems problems wont go away. It’s part of Microsoft’s main requirement to have Windows PowerShell 5.1 and to import the Microsoft Teams Module for an easy installation and integration with Teams as it leverages the Module MicrosoftTeams to make things easy.

When looking at the details of the error, it seems as if PowerShell is trying to connect to a particular link to download and install the NuGet Provider which is part of installing the MicrosoftTeams Module.

The error below can be noticed to be the cause.

image

Resolution:

After doing some digging it turns out that since April 2020 Microsoft has disabled the use of TLS Version 1.0 and 1.1 so people who are working on old Windows Server edition or any application servers that utilize these protocols will now have to force PowerShell or any other app to use the TLS 1.2 Version.

In order to fix this, You will need to run the following Script on your PowerShell as an Admin

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

See the announcement here:

https://docs.microsoft.com/en-us/powershell/scripting/gallery/installing-psget?view=powershell-7.1

After running this script, I was able to install NuGet and run the installation of MicrosoftTeams PowerShell Module

image

Hope this helps

Skype for Business IM integration with Exchange 2016 OWA–Part 2

This article is a completion of Part 1, Click here to go to Part 1

Configuration Steps – Part 2

7. On Exchange: Enable OWA VD Instant Messaging
8. On Exchange: Enable Messaging on OWA Policy
9. On Exchange: Create Enterprise Application for Skype Pool.
10. On Exchange: Create new SettingOverride for Skype for Business.
11- Generate a new Certificate for Exchange IM
12. Assign the newly imported certificate to IIS Exchange Back End site
13. On Exchange: Restart the WebAppPool
14. Log out and sign back in to OWA to Check
15. Troubleshooting methods

    7- On Exchange Server: Enable OWA VD Instant Messaging

    Part of enabling IM integration between Exchange and SfB is to enable OWA Virtual Directory to allow this. The below cmdlet does the job for you on all your Exchange Servers

    From Exchange, Launch Exchange Management and run the following cmdlet

    Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingEnabled $true -InstantMessagingType Ocs

    clip_image001[6]_thumb

    8- On Exchange: Enable Messaging on OWA Policy

    Run the following to enable Messaging for Owa Policy

    Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -InstantMessagingEnabled $true -InstantMessagingType Ocs

    clip_image001[6]_thumb[1]

    9- On Exchange: Create Enterprise Application for Skype Pool.

      From Exchange Management shell Run the following cmdlet

      Cd $exscripts

      .\Configure-EnterprisePartnerApplication.ps1 -AuthMetadataUrl “https://sbg-pool01.domain.com/metadata/json/1” -ApplicationType Lync

      The AuthMetadataUrl is going to be your local Skype for Business Pool URL. This URL should work in your Exchange server without any Certificate error. Meaning that the certificate assigned to your Skype for Business pool should already be imported to Exchange Servers to trust this URL.

      image_thumb[14]

        If your previous configuration is correct then you should see the “The Configuration has Succeeded” Message.

          10- On Exchange: Create new SettingOverride for Skype for Business.

          Notes:

          • To configure the same settings on all Exchange 2016 and Exchange 2019 servers in the Active Directory forest, don’t use the Server parameter.

          New-SettingOverride -Name “<UniqueOverrideName>” -Component OwaServer -Section IMSettings -Parameters @(“IMServerName=<Skype server/pool  name>”,”IMCertificateThumbprint=<Certificate Thumbprint>”) -Reason “<DescriptiveReason>” [-Server <ServerName>]

          The Thumbprint you use here will define if whether IM will work or not as this what secures the communication between Exchange and Skype. If you use the wrong certificate your Integration will fail and users wont be able to login to IM through OWA.

          11- Generate a new Certificate for Exchange IM

          IMPORTANT NOTE:

          In order for IM in OWA to work the certificate you will generate must have its common name set as mail.domain.com to match the configuration.

          Using Digicert tool on Exchange Server I will generate the CSR of the new certificate

          Click on Create CSR

          image_thumb[15]

          Choose SSL certificate type and make sure you choose Mail.domain.com as CN

          In the SANs type all of the involved servers (Skype for Business Frontends, Mailbox servers in FQDN and in Hostnames as in the screenshot below). and click on Generate

          image_thumb[16]

          • Go to your CA Server’s CertSRV URL and copy the CSR code there to generate the new certificate.
          • Import the new certificate to the current server, then export it in PFX format and import it to all the Exchange Servers you’re planning to use.

          image_thumb[18]

          • After importing the certificate I will verify that I can see the private key

          image_thumb[19]

          Click on the Details and copy the Thumbprint or from MMC right click the certificate > Properties give it a friendly name e.g. (IM) and then from Exchange Management shell you can copy the Thumbprint directly.

          Get-ExchangeCertificate | select thumbprint,friendlyName

          image_thumb[20]

          Now use the previous script to create the setting Override for OwaServer.

          Things you can change are in bold “Name, IM Servername Value, and the Thumbprint value”.

          New-SettingOverride -Name “IM Override” -Component OwaServer -Section IMSettings -Parameters @(“IMServerName=SBG-Pool01.domain.com“,”IMCertificateThumbprint= 28E4B1BA0F2FCB1535AF199F02A64EFC78367F2D“) -Reason “Configure IM”

          image_thumb[21]

          If you enter the server parameter to use a single server you can change that by using. Note that you must not use FQDN but rather only the server’s hostname.

          Get-SettingOverride | Set-SettingOverride -Server sbg-mx01,sbg-mx02

          image_thumb[22]

          This should generate an event ID 112 on Exchange servers involved in the deployment.

          clip_image001[9]_thumb

            12. Assign the newly imported certificate to IIS Exchange Back End site

            Once the certificate is in the server store, You will be able to easily find in from IIS and bind it to the Exchange Back End site.

            This is the most crucial step to get IM to work in OWA. Don’t worry about breaking up Exchange Sites or Powershell. If you have added Exchange Servers Hostnames and FQDNs in this certificate then you should be good.

            • Now Launch IIS
            • Click on Exchange Back End
            • Select Binding
            • Click on the 444 port and edit
            • Select the newly generated certificate that has the mail.domain.com as CN. (This certificate must also have all Exchange Servers hostnames and FQDNs set as SANs)

            image_thumb[23]

            image_thumb[24]

            Make sure you change the backend cert to the new on all the involved Exchange Servers.

            13. On Exchange: Restart the WebAppPool

            Restart-WebAppPool MSExchangeOWAAppPool

            image_thumb[25]

              14. Log out and sign back in to OWA to Check

              Log out of OWA and back in and check if you are able to Login to IM . It should normally sign you in automatically but in case of an error then you should see it.

              image_thumb[29]

              In case of an error you should see the following.

              image_thumb[27]

              If it works then you should see the presence

              image_thumb[28]

              15. Troubleshooting Methods

              If you follow the above steps correctly then it should work especially when applying the right certificate for your Exchange Back End IIS part however if you face an error then you should do the following steps to troubleshoot the error

              • Set the Eventlog for Instant Messaging on Exchange from Low to High

              Set-EventLogLevel -Identity “sbg-mx01\MSExchange OWA\InstantMessage” -Level High

              image_thumb[30]

              • Look in the following path for errors

              C:\Program Files\Microsoft\Exchange Server\V15\Logging\OWA\InstantMessaging

              • Check the Healthset of the OWA Instant Messaging.

              Get-ServerHealth -HealthSet OWA.Protocol.Dep -Server sbg-mx01 | Format-Table Name, AlertValue –Auto

              image_thumb[31]

              Get-MonitoringItemIdentity -Server sbg-mx01 -Identity OWA.Protocol.Dep | Format-Table Identity,ItemType,Name -Auto

                image_thumb[32]

                Ref

                https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019

                https://docs.microsoft.com/en-us/exchange/high-availability/managed-availability/health-sets?view=exchserver-2019

                Skype for Business IM integration with Exchange 2016 OWA–Part 1

                The Story

                A good and detailed documentation is everything we need to implement any kind of project especially if it’s an integration between two different servers that perform different roles.

                And with PKI involved the complications multiply thus a good article write up is what we need.

                Previously I have tried a test lab with Skype for Business 2015/2019 IM Integration with Exchange 2016/2019 and the result was a complete failure and endless search for what’s missing to get IM to work from OWA?

                image

                ERROR

                Upon completion of the steps mentioned in Microsoft’s Official documentation and after restarting Exchange IIS or OWAAppPool you will see this when you try to login to OWA with your user

                There’s a problem with instant messaging. Please try again later.

                image

                MS Official Documentation

                In their Official documentation Microsoft says that the certificate in question must be trusted by all the servers involved meaning Skype for Business Frontend and Mailbox Servers.

                Meanwhile this is true, it still would not get the IM to login/work although it might drop the initialize event ID 112 in the event log.

                clip_image001

                Here is what MS says about the certificate.

                Exchange and Skype for Business integration requires server certificates that are trusted by all of the servers involved. The procedures in this topic assume that you already have the required certificates. For more information, see Plan to integrate Skype for Business Server 2015 and Exchange. The required IM certificate thumbprint refers to the Exchange Server certificate assigned to the IIS service.

                REF URL: https://docs.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/configure-im-integration-with-owa?view=exchserver-2019#what-do-you-need-to-know-before-you-begin

                image

                Step by Step Deployment

                To do things the way that should get this to work, I will detail steps one by one so we can be sure to get the positive results we are all waiting for when dealing with Exchange and Skype for Business.

                Exchange IM URL 1: mail.domain.com

                Skype for Business Pool FQDN: SBG-Pool01.domain.com

                Autodiscover URL : Autodiscover.Domain.com

                Prerequisites

                1. For Default and Web Service Internal, Your Skype for Business Frontend Server/Pool must use a certificate that is generated from an internal CA which you can use later to generate Exchange’s IM Certificate.
                2. UCMA must be installed (Doesn’t matter if version 4 or 5) both are supposed to work with Exchange 2016.
                3. Local Certification Authority must already be deployed in the domain.

                Configuration Steps – Part 1

                1. On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover
                2. On SfB: Get-CsSite to see what is the current site ID.
                3. On Exchange: Check AutodiscoverServiceInternalURI
                4. On SfB: Create new Partner
                5. On SfB: Create new Trusted Application Pool
                6. On SfB: Create new Trusted Application ID

                Configuration Steps – Part 2

                7. On Exchange: Enable OWA VD Instant Messaging
                8. On Exchange: Enable Messaging on OWA Policy
                9. On Exchange: Create Enterprise Application for Skype Pool.
                10. On Exchange: Create new SettingOverride for Skype for Business.
                11- Generate a new Certificate for Exchange IM
                12. Assign the newly imported certificate to IIS Exchange Back End site
                13. On Exchange: Restart the WebAppPool
                14. Log out and sign back in to OWA to Check
                15. Troubleshooting methods

                Prerequisites

                1- Update or Create Server Default and Web Service Internal Certificate for SfB Pool servers

                The certificate installed on the Skype for Business Pool Frontend servers must be generated from a local Certification Authority which can be trusted by Exchange Server services.

                The Certificate generated for Skype for Business pool as in the below screenshot is generated from my CA and includes the names of the servers:

                • Skype for Business Pool
                • Skype for Business Frontend FQDNs
                • Exchange Servers
                • Autodiscover FQDN
                • Lyncdiscover.domains.com
                • Lyncdiscoverinternal.domains.com
                • sip.domains.com
                • meet.domains.com
                • dialin.domain.com
                • External.domain.com

                image

                image

                2- UCMA must be installed

                On both Exchange and Skype for Business servers I already have UCMA 4.0 version installed, but if you don’t have it or have an older version then you can’t continue without it.

                image

                3- Make sure you have a Local Certification Authority deployed in your domain.

                Configuration Steps – Part 1

                1- On SfB: Set CsAuthConfiguration Autodiscover URL for Skype server to find Exchange Autodiscover

                For Skype for Business Server to find Exchange Autodiscover Service point and to be able to authenticate servers we’ll be using the below cmdlet

                This enables both servers to authenticate and share information when needed and without user’s interference.

                Set-CsOauthConfiguration -ExchangeAutodiscoverUrl https://autodiscover.domain.com/autodiscover/autodiscover.svc

                image

                image

                Ref:

                https://docs.microsoft.com/en-us/powershell/module/skype/set-csoauthconfiguration?view=skype-ps

                2- On SfB: Get-CsSite to see what is the current site ID.

                Getting a site ID will be useful for later use to setup the Trusted Application Pool.

                On Skype for Business Management shell. Type the following

                Get-CsSite

                So the Site ID is 1. I will keep this for later use

                image

                3- On Exchange: Check AutodiscoverServiceInternalURI

                Specify the AutodiscoverServiceInternalURI for internal Autodiscover service. Make sure it points to your public URL and certificate not the internal one otherwise your users will get a certificate error through Outlook and might cause IM chat not to work.

                The Cmdlet would be

                Get-ClientAccessService | Set-ClientAccessService –AutoDiscoverServiceInternalUri https://autodiscover.domain.com/autodiscover/autodiscover.xml

                image

                4- On SfB: Create new Partner Application

                On Skype for Business Server, Launch Management Shell and use this cmdlet to add Exchange as a trusted Application to the SfB topology.

                New-CsPartnerApplication -Identity Exchange -ApplicationTrustLevel Full -MetadataUrl “https://autodiscover.domain.com/autodiscover/metadata/json/1

                image

                5- On SfB: Create new Trusted Application Pool

                New-CsTrustedApplicationPool -Identity mail.domain.com -Registrar sbg-pool01.domain.com -Site 1 -RequiresReplication $false

                image

                6- On SfB: Create new Trusted Application ID

                From SfB Management Shell run the following cmdlet .

                New-CsTrustedApplication -ApplicationId OutlookWebAccess -TrustedApplicationPoolFqdn mail.domain.com -Port 5199

                image

                Finally

                clip_image001[4]

                Deleting Old Skype for Business or Lync server from ADSI

                The story

                I had a project few weeks ago where my client wanted to install Skype for Business 2019 but had installed Lync before and removed the server without doing proper decommissioning which kept dirty records in AD database and had to be removed manually in order to make a new clean installation of Skype for Business 2019

                To do so:

                There are two days of doing so, One is using ADSIEdit and ADUC to remove Computer Objects and Users related attributes and Security Groups.

                I normally would prefer PowerShell but since we can demonstrate both ways for people who like to work with GUI

                Starting with GUI

                Removing Legacy Lync server from the AD Schema

                Prerequisites

                1. Using a domain or enterprise admin
                2. Access to the ADSIEdit.

                Goal of removing Legacy Lync server from your AD environment.

                1. Preparing AD schema and domain for a new deployment after you improperly deleted Lync Servers without uninstalling them.
                2. Cleaning Users’ Lync related attributes for the new deployment.

                clip_image001

                clip_image002

                Step#1: Remove permissions

                This step removes the original Lync permissions from the active director.

                1. Open Active Directory Users and Computers
                2. Right click on your top level domain being cleaned and select Properties
                3. From the Properties windows, select the Security tab.
                4. Remove all security users titled RTC*
                  These are usually
                  – RTCUniversalServerReadOnlyGroup
                  – RTCUniversalUserReadOnlyGroup
                  – RTCUniversalUniversalServices
                  – RTCUniversalUserAdmins

                From <http://blog.armgasys.com/?p=320>

                clip_image003

                clip_image004

                1. Repeat the same steps for each of the following AD Folders and

                  OUs
                  NOTE: Not all RTC permissions will exist in each AD Folder or OU, but these three OUs do:
                  – Domain Controllers
                  – System
                  – Users

                Domain Controllers

                clip_image005

                Systems

                clip_image006

                Users

                clip_image007

                Step#3: Additional AD cleanup

                1. Open Active Directory Users and Computers
                2. Drill down as follows
                  [Your Domain] \ Program Data \ Distributed \ KeyMan
                3. Delete LyncCertificates
                  NOTE: This may not exist in all scenarios.
                4. Drill down as follows
                  [Your Domain] Users
                5. Delete all RTC* and CS* users created by Lync
                  I.E. CSAdministrator, CSHelpDesk, RTCComponentUniversalServices, Etc.

                image

                Deleting users from the User OU

                clip_image001[6]

                Deleting CS Users

                clip_image002[4]

                Step#4: Cleanup existing users

                This steps resets Lync attributes for any domain users and contacts.

                image

                The Second way: Using PowerShell

                get-aduser -filter {msRTCSIP-PrimaryUserAddress -like “*”}|set-aduser -clear msRTCSIP-PrimaryUserAddress,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserEnabled,msRTCSIP-OptionFlags,msRTCSIP-UserPolicies, msRTCSIP-DeploymentLocator, msRTCSIP-FederationEnabled, msRTCSIP-InternetAccessEnabled

                Result:

                Users attribute are clean and AD has nothing left over of Previous installation of Lync or Skype for Business .

                clip_image001[8]

                Lync 2013 to Skype for Business in-place upgrade with Monitoring database

                This article guides you through the steps of doing an in-place upgrade from Lync 2013 to Skype for business. I am copying the article as is from my lab with all the errors that I have been through to give you a real experience feed back of what is this like.

                You might get issues that you have never expected, but resolving them is not that hard and if you have any issues please don’t hesitate to leave a comment and I will get back to help you.

                Prerequisites

                Extensible Chat Communication Over SIP protocol (XCCOS)

                From <https://technet.microsoft.com/en-us/library/dn951390.aspx>

                References:

                https://technet.microsoft.com/en-us/library/dn951371.aspx?f=255&MSPPError=-2147217396

                https://technet.microsoft.com/en-us/library/dn933900.aspx

                Lync CU 5

                https://www.microsoft.com/en-us/download/details.aspx?id=36820

                Kb2533623 Windows Server 2008 R2

                http://support.microsoft.com/kb/2533623

                Kb2858668 Windows Server 2012

                http://support.microsoft.com/kb/2858668

                KB2982006 Windows Server 2012 R2

                https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

                SQL 2012 SP2 for Express version

                https://www.microsoft.com/en-us/download/details.aspx?id=43351

                clip_image001

                First Issue:

                Upon running the setup I have got the following error:

                Prerequisite not satisfied: Internet Information Services (IIS) must be installed before attempting to install this product.

                Prerequisite not satisfied: The following Internet Information Services (IIS) role services must be installed before attempting to install this product: Static Content, Default Document, HTTP Errors, ASP.NET, .NET Extensibility, Internet Server API (ISAPI) Extensions, ISAPI Filters, HTTP Logging, Logging Tools, Tracing, Client Certificate Mapping Authentication, Windows Authentication, Request Filtering, Static Content Compression, Dynamic Content Compression, IIS Management Console, IIS Management Scripts and Tools

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft ASP.NET 4.5 by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install the ASP.NET 4.5 role service of the Web Server (IIS) role.

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install Microsoft Windows Communication Foundation Activation by using the Add Roles and Features Wizard in Windows Server 2012 Server Manager. Install WCF Services and HTTP Activation, which are included with the Microsoft .NET Framework 4.5 feature.

                http://go.microsoft.com/fwlink/?LinkId=519376

                Powershell

                $PSVersionTable

                clip_image002

                I will re-run prerequisites to make sure that all are satisfied before running setup again.

                STEP 1 : Installing Prerequisites

                Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS, Desktop-Experience, Telnet-Client

                https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/requirements-for-your-environment/server-requirements

                Updated aug-2018

                clip_image003

                clip_image004

                STEP 2: Installing CU5

                Download and install CU5

                https://www.microsoft.com/en-us/download/details.aspx?id=36820

                clip_image005

                clip_image006

                After the restart we will apply the update of the databases which in my case is going to be the FQDN of the FE server since it’s standard version and not Backend server.

                Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn lyncfe01.adeo.local -Verbose

                clip_image007

                clip_image007[1]

                Time to upgrade the Archiving/Monitoring databases.

                To upgrade we’ll use the same command except change the FQDN of the SQL server to the SQL server where Monitoring and Archiving databases are at.

                Install-CsDatabase -ConfiguredDatabases -SqlServerFqdn sql01.adeo.local -Verbose

                clip_image008

                clip_image009

                clip_image010

                Applying CMS upgrade

                clip_image011

                Install-CsDatabase -CentralmanagementDatabase -SqlServerFqdn Lyncfe01.adeo.local -SqlInstanceName rtc -verbose

                clip_image012

                clip_image013

                Then run enable-cstopology

                Last thing in the CU5 update is

                %ProgramFiles%\Microsoft Lync Server 2013\Deployment\Bootstrapper.exe

                clip_image014

                clip_image015

                https://support.microsoft.com/en-us/kb/2809243

                Step 3 : Installing Windows OS hotfix.

                KB2982006 Windows Server 2012 R2

                Since the FE is on Windows Server 2012 R2 then we’ll need to download this link

                https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38654&authkey=!AE9IJKbMPtkge8U&ithint=file%2cexe

                RESTART is Required

                clip_image016

                STEP 4 : Install SQL Service Pack 2 (Express) for your Lync Front end Standard Edition

                First Download SQL Express SP2 setup

                clip_image017

                You can patch the server by opening a Lync Management Shell window and entering the following commands:


                Stop-CsWindowsService

                .\SQLEXPR_x64_ENU.exe /ACTION=Patch /allinstances /IAcceptSQLServerLicenseTerms

                clip_image018

                clip_image019

                clip_image020

                clip_image021

                clip_image022

                clip_image023

                clip_image024

                clip_image025

                Step 5: SQL Server (Standard or Enterprise) for (Monitoring, Archiving)

                https://support.microsoft.com/en-us/kb/321185

                clip_image026

                My SQL Server version is SP1 so I don’t need to upgrade it to SP2

                clip_image027

                Step 6- In-place Upgrade for Skype For Business

                In order to do the in-place upgrade, we’ll need to use a machine that doesn’t have Lync 2013 to install the new Topology builder and do the upgrade process

                On a different Machine that’s joined to the same domain, I will run the prerequisites script and restart the machine. then I’ll load the Skype for business ISO and install

                clip_image028

                D:\Setup\amd64\Setup.exe

                clip_image029

                clip_image030

                clip_image031

                clip_image032

                We’ll now press on Installing Administrative tools

                clip_image033

                clip_image034

                clip_image035

                Now in order to continue we’ll have to open the topology builder in order to upgrade our Lync 2013 topology

                I’ll open the topology builder and save the topology file somewhere

                clip_image036

                Once the topology is open, I’ll navigate to the Standard FE Servers and right click on my main server to upgrade

                clip_image037

                clip_image038

                I’ll click on Upgrade to Skype for Business Server 2015…

                clip_image039

                As soon as you press Yes, the Frontend server that you selected will be moved under the Skype For Business Server 2015 tab as you can see below.

                clip_image040

                Since I have two FE servers (FE and SBS) I will be upgrading them both but not in the same time not not fall into any errors, so I will publish the topology and see what happens.

                clip_image041

                clip_image042

                We’ll check what do we need to do now in order to upgrade the servers, here is what we’ll do.

                Import existing normalization rules from the previous Skype for Business Server deployment. If you want to keep your existing normalization rules you will need to import them using the Import-CsCompanyPhoneNormalizationRules cmdlet. If you have separate normalization rules for each pool then you will need to run the command for each set.

                To perform an in-place upgrade of your Skype for Business Server, you’ll need to do the following, in order:

                (1) Stop the Skype for Business services on all of the servers that you are upgrading;

                (2) Run Skype for Business Server setup (Setup.exe) on all of the servers you are upgrading;

                (3) Start the Skype for Business services on all of the servers you upgraded. To start the services in a Front End pool, connect to one of the servers in the pool and run the Start-CsPool cmdlet. All the servers in the pool should be running Skype for Business Server before you use the Start-CsPool cmdlet. To start the services in all other pools (e.g. Edge pool, Mediation pool), run the Start-CsWindowsService cmdlet on every server in the pool;

                Server FQDN: lyncfe01.adeo.local, Pool FQDN: lyncfe01.adeo.local

                On Lync FE 01 I’ll stop all the services using Stop-cswindowsservice

                clip_image043

                Now on the same server I’ll load the Skype4B ISO and start the setup

                D:\Setup\amd64\Setup.exe

                clip_image029[1]

                clip_image030[1]

                clip_image031[1]

                Started at 1:40pm

                clip_image044

                clip_image045

                clip_image046

                clip_image047

                clip_image048

                clip_image049

                NOTE:

                The required time for the upgrade process is estimated around 75-90 Minutes for each FE Server.

                clip_image050

                clip_image051

                Starting ‘Verifying upgrade readiness…’

                ‘Verifying upgrade readiness…’ completed successfully

                Starting ‘Installing missing prerequisites…’

                ‘Installing missing prerequisites…’ completed successfully

                Starting ‘Uninstalling roles…’

                ‘Uninstalling roles…’ completed successfully

                Starting ‘Detaching database…’

                ‘Detaching database…’ completed successfully

                Starting ‘Uninstalling local management services…’

                ‘Uninstalling local management services…’ completed successfully

                Starting ‘Installing and configuring core components…’

                ‘Installing and configuring core components…’ completed successfully

                Starting ‘Installing administrative tools…’

                ‘Installing administrative tools…’ completed successfully

                Starting ‘Installing local management services…’

                ‘Installing local management services…’ completed successfully

                Starting ‘Attaching database…’

                ‘Attaching database…’ completed successfully

                Starting ‘Upgrading database…’

                ‘Upgrading database…’ completed successfully

                Starting ‘Enabling replica…’

                ‘Enabling replica…’ completed successfully

                Starting ‘Installing roles…’

                ‘Installing roles…’ completed successfully

                Starting ‘Verifying installation…’

                ‘Verifying installation…’ completed successfully

                clip_image052

                Upgrade the SBS (Survivable Branch Server) in the pool to Skype4B

                clip_image053

                clip_image054

                Publish the topology

                clip_image055

                I’ll stop the service before I start the upgrade process.

                clip_image056

                I’ll load the ISO on the second server and start the upgrade.

                D:\Setup\amd64\Setup.exe

                clip_image029[2]

                clip_image030[2]

                clip_image031[2]

                clip_image057

                Apparently I forgot to update Lync to the latest CU

                clip_image058

                clip_image059

                clip_image060

                clip_image061

                Resetting Root Password for FreePBX 14.0.5.1–Sangoma Linux 7

                Many people have been through this same problem either due to forgetting the root password, typing it wrong or due to console language conversion issue.

                Mine was due to using a remote console which didn’t translate my keyboard properly and caused a wrong password.

                So I ended up having access to the GUI screen but not the root. So first thing came to my mind is should I reformat the machine and reinstall it since it doesn’t take long time? but no I like challenges and started digging into how do I reset the password.

                Since I do still have the access to console I can try from the Kernel, the default ISO install FreePBX with Sangoma 7 Distro which is based on Centos Kernel 3.10.0-862.2.2.3 el7.x86_64.

                So I first attempt I tried was following the same method of resetting root password on Centos through Kernel.

                1- Restarting the machine to get into Kernel:

                When Restarting Press E to edit the Kernel

                image

                Once pressed E you will get this screen:

                image

                2- Edit the Kernel:

                Scroll down until you find “rhgb quiet” and replace it with “init=/bin/bash” without quotes.

                image

                So eventually it’ll look like this

                image

                3- Resetting Root Password:

                Once it’s changed, press ctrl-X to initiate the process of resetting the root password:

                You will get Bash cmd prompt, Type the following commands

                A- First to check the status of root partition by running following command on the single user mode.

                Mount | grep root

                In this distro of Linux you might not get anything but normally you should get partition details.

                B- To make the partition writable, you’ll have to type in the following command

                mount -o remount,rw /

                C- To Change the root password type

                passwd root

                Type your new password and you’ll get a message that all authentication tokens updated successfully

                clip_image001

                After this restart and try to login, and you’ll see that it works fine

                clip_image001[4]

                Result:

                After restarting the machine, I tried to get into web GUI to start configuring the FreePBX but I received the following error:

                Whoops\Exception\ErrorException (E_ERROR)

                Class ‘PicoFeed\Reader\Reader’ not found

                After doing some research it was obviously an error related to a recent update pushed by FreePBX

                clip_image001[6]

                Solution:

                and the solution was running this cmd

                fwconsole ma upgrade dashboard –edge

                clip_image001[8]
                image
                Winking smile

                Hope someone would find this useful 

                Enabling E5 users on-cloud and calling from/to between IP/PBX users–Part 4





                In hybrid scenario you might want to use PBX Online or/and use your existing on-premises PBX. Sometimes the regulation in your country is strict toward the VoIP traffic and that it can’t be used on-cloud and for this type of scenarios you’ll want to deploy the Hybrid topology and route all your VoIP traffic for online users toward your on-premises PBX ..

                This can be easily managed with Skype for Business/Online and with few powershell commands you can control the call flow.

                clip_image001
                clip_image002
                clip_image003
                clip_image004
                clip_image005
                clip_image006
                clip_image007









                Skype 4 Business Edge and Hybrid Configuration–Part 2





                  Configuring Edge Server

                  Edge prerequisites

                  Install Prerequisites

                  • Microsoft .Net Framework 3.5, HTTP Activation, Windows Identity foundation, Telnet Client.

                  Add-WindowsFeature NET-Framework-Core, NET-Framework-45-Core, NET-Framework-45-ASPNET,  Web-Net-Ext45, NET-WCF-HTTP-Activation45, Windows-Identity-Foundation, Telnet-Client -Source X:\sources\sxs

                  Setup NETBIOS

                  In order to configure Skype 4 Business Edge, we’ll have to change the Netbios to give it the name of our Domain but we won’t join it to the domain.

                  clip_image001

                  clip_image002

                  Setup NICs

                  Edge Server must have 2 NICs, one Local NIC will point out to the Front end server but must not have Default gateway so traffic can only flow through the DMZ out to the internet and back in. but still it must be able to ping to the FE from Edge and vice versa.

                  DMZ network can have 1 DMZ address (Public Address to be NATTED to) or 3 DMZ addresses for public IP addresses with standard HTTPS ports.

                  clip_image003

                  clip_image004

                  Configure Hostnames

                  Edit the Edge server’s host file to include Lync FE and DC’s IP addresses and Hostname

                  clip_image005

                  clip_image006

                  Now I will go back to Skype for Business FE server, I’ll launch the topology builder and add new Edge server

                  I will add the first Edge pool which contains of a single Edge server

                  clip_image007

                  Next, you will have to choose if you want to enable federation with partners or other service providers …e.g. (Google)

                  clip_image008

                  I am intending to use a single Public IP address with a different ports (nonstandard) since this is a lab. For production it’s recommended to use 3 public IP addresses for Access Edge, AV and WebConf services.

                  clip_image009

                  Next I will choose the last option which says that the Edge pool is translated by NAT. I will configure my firewall to NAT ports to the Edge’s DMZ IP addresses from the Public so I am choosing this option.

                  clip_image010

                  clip_image011

                  This is the FQDN’s the default configuration .. It’ll only use a single FQDN for all services if you’re going to use a single public IP address with a different ports.

                  IMPORTANT NOTE

                  When you use a single IP address with a different ports, the Access Edge port will normally change to 5061 (Not 443 like in the _sip._tls.domain.com) SRV record which will cause failure if you forgot to change this port to match the one in your Topology’s Access Edge settings.

                  Next I’ll have to enter my Edge server’s Local IP address.

                  clip_image012

                  clip_image013

                  Next I will be asked to enter the DMZ’s IP address which the wizard calls (Private External IP address)

                  clip_image014

                  Here I am going to place the NAT IP address which is my Public IP address.

                  clip_image015

                  Next I’ll have to choose which Lync FE pool will be used as the next hop to the Edge pool. In this case I’ll be choosing my main pool since the second is only for resilience purpose.

                  clip_image016

                  Then I’ll associate the mediation pool for Edge server for external media traffic. I can assign both in this case.

                  clip_image017

                  Now I’ll click on Finish and right click on the Site name’s properties to enable the SIP federation and XMPP federation then Publish the topology.

                  clip_image018

                  clip_image019

                  clip_image020

                  clip_image021

                  Now I will setup Azure Active Directory Sync on my DC server in order to sync the required users for the test purpose.

                  My domain is adeo.local so I want to change the UPN for users to match the synced domain. (Adeo-office365.ga) and moh10ly.com

                  clip_image022

                  Installing Azure Active Directory Sync

                  Now I will install the prerequisites which consist of the following

                  clip_image023

                  Net framework 4.5.2 is required for AADS but it’s already installed on my server

                  clip_image024

                  Next I will install Microsoft Online Service Sign in assistant

                  clip_image025

                  Next I will install Azure AD Module

                  clip_image026

                  Finally Azure AD Sync

                  clip_image027

                  Before moving forward, I’ll have to go to the Office 365 portal and activate DirSync

                  clip_image028

                  Then use a global admin credentials from O365.

                  clip_image029

                  Adding the forest using an enterprise admin user account

                  clip_image030

                  clip_image031

                  Due to the fact that my domain adeo-office365.ga’s public dns host doesn’t have SRV configuration because it’s hosted by the famous free domain service (Freenom) so I’ll have to add my original domain moh10ly.com as Lync (S4B) requires SRV records to point to the on-premises lync.

                  clip_image032

                  clip_image033

                  clip_image034

                  clip_image035

                  clip_image036

                  I will only sync one OU, so I will untick the Sync now box and click on Finish

                  clip_image037

                  I will go to the following path

                  “C:\Program Files\Microsoft Azure AD Sync\UIShell” and create a shortcut for the GUI application of AADS on the desktop

                  “C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe”

                  clip_image038

                  To get this GUI app to work, you will have to sign out of your account and sign back in as your username will be added to the local administrators and have the authority to open it

                  Log off, log back in

                  clip_image039

                  Next I will go to the connectors tab and double click on the ADDS connector (Adeo.local)

                  clip_image040

                  I will go to the Configure Directory Partitions and under Credentials I’ll choose “Alternate credentials for this directory partition” then enter my on-premises AD Enterprise admin credentials

                  clip_image041

                  I’ll click on Containers

                  clip_image042

                  I’ll untick the DC=Adeo,Dc=Local box and only choose Dirsync OU then click OK and apply

                  clip_image043

                  Before I start syncing my AD , I will go to Skype for Business Server and add my domain moh10ly.com as a SIP domain

                  clip_image044

                  Next I am going to change the FQDN of the SIP access edge for public domain to moh10ly.com and the default port for the Access Edge to 443 and publish the topology

                  clip_image045

                  clip_image046

                  I needed to finally check if all my FE servers are replicating. So then I can move to Edge server to install Lync components

                  clip_image047

                  On the Edge server, I’ll use ISO for Skype 4 business to install the setup

                  clip_image048

                  clip_image049

                  First thing I’ll install the local Configuration Store

                  I’ll click on Run and then I’ll be asked to import the configuration file which I’ll must export from Lync FE (Skype 4 b FE) server

                  clip_image050

                  In this case, I’ll go to Lync FE and open Lync Management shell and enter the following Cmdlet

                  Export-CsConfiguration -FileName c:\top.zip

                  clip_image051

                  This cmdlet will export a file to the root C drive . I’ll copy this file to the edge server.

                  clip_image052

                  I’ll click next to continue, this should start installing the local store

                  clip_image053

                  clip_image054

                  clip_image055

                  Next I’ll request a certificate for Internal NIC For edge server

                  clip_image056

                  clip_image057

                  clip_image058

                  I’ll take the CSR (Certificate sign request) code and get a certificate from my local CA

                  clip_image059

                  I’ll open MMC and add Certificates console and import the PKCS certificate

                  clip_image060

                  clip_image061

                  After importing the certificate I’ll assign it to the internal NIC by clicking on Assign to the Edge Internal

                  clip_image062

                  clip_image063

                  clip_image064

                  clip_image065

                  Once we assign the certfiicate to the internal edge. The replication service for Edge and FE will start working

                  clip_image066

                  Now I’ll import my Public Certificate to Edge Server’s DMZ NIC

                  I already imported my public certificate, now I’ll go to the S4B wizard and assign it there

                  clip_image067

                  clip_image068

                  Unlike IN lync 2013 when you Click on Start service in the Wizard all services start on their own but on Skype for business you ‘ll have to start the services manually by yourself.

                  clip_image069

                  So Instead I used the service console to start the services.

                  Now I’ll go back to the FE And enable remote connectivity to Skype for Business from outside and make sure that replication works fine by checking the Topology or from cmdlet

                  clip_image070

                  clip_image071

                  clip_image072

                  clip_image073

                  Setting up Hybrid integration with Skype online for Business (O365)

                  NOTE:

                  In order for Skype for Business Hybrid configuration to work successfully for users homed on cloud and on-prem .. Users must be created first on-premises, enabled on Skype for Business on-premises and from the Skype for Business on-prem Control panel moved to Office 365 Skype for Business online.

                  Otherwise users will not be able to see each other’s presence information due to missing attributes if users were to be created directly online or on Active Directory and not enabled on-premises first.

                  https://technet.microsoft.com/en-us/library/jj205126.aspx

                  https://technet.microsoft.com/en-us/library/jj204669.aspx

                  In order to allow Hybrid environment to function properly, we’ll have to federate our Skype for Business on-premises’s Edge server as microsoft says below

                  Federation allows users in your on-premises deployment to communicate with Office 365 users in your organization. To configure federation, run the following cmdlets in the Skype for Business Server Management Shell:

                  From <https://technet.microsoft.com/en-us/library/jj205126.aspx>

                  On the front end server, we’ll run the following CMDlet

                  Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting -EnablePartnerDiscovery $true

                  clip_image074

                  Next cmdlet will create a new public federated provider for skype for business online.. However it already exists so we must delete it from control panel or the cmdlet will fail with the following message

                  New-CsHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $True -HostsOCSUsers $True -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/Autodiscoverservice.svc/root

                  clip_image075

                  I’ll delete the hosted provider “Skype for Business Online”

                  clip_image076

                  I’ll try the cmdlet again after deleting the provider ..

                  New-CSHostingProvider -Identity SkypeforBusinessOnline -ProxyFqdn “sipfed.online.lync.com” -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

                  clip_image077

                  Since it worked already, I will go back to the control panel and make sure it is enabled

                  clip_image078

                  Next is : Configure your Skype for Business Online tenant for a shared SIP address space

                  Note:

                  To configure a shared SIP address space, establish a remote PowerShell session with Skype for Business Online, and then run the following cmdlet:

                  We’ll have to download skype for business online powershell

                  https://onedrive.live.com/redir?resid=82488EABA4ACDB15!38849&authkey=!AKW6Ln4Rkn6QuUI&ithint=file{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}2cexe

                  After launching the PowerShell module as an administrator I’ll run the following cmdlet

                  clip_image079 (Connect to Skype for Business online (Lync Online) Powershell)

                  Import-Module SkypeOnlineConnector

                  clip_image080

                  Now I’ll connect to my Office 365 tenant

                  clip_image081

                  $cred = Get-Credential

                  $CSSession = New-CsOnlineSession -Credential $cred

                  Import-PSSession $CSSession -AllowClobber

                  clip_image082

                  Now I’ll configure the shared sip address

                  Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

                  From <https://technet.microsoft.com/en-us/library/jj205126.aspx>

                  clip_image083

                  To double check my configuration I will see if the SharedSipAddresSpace is enabled or not

                  Get-CsTenantFederationConfiguration

                  clip_image084

                  To double check that the hybrid configuration is setup properly we can use the Skype for business on-premises Hybrid UI wizard from the Home Menu under “Connection to Skype for Business Online”

                  clip_image085

                  Using the Skype for Business 2015 User interface to setup Hybrid configuration:

                  After you sign in it does automatically logs you in and configure the three following options

                  1. Federation for the Edge server
                  2. Federation with Office 365.
                  3. Shared SIP address space.

                  clip_image086

                  clip_image087

                  Now I will configure my DNS Settings as recommended by Microsoft for the Hybrid Integration scenario

                  DNS Settings

                  When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.

                  From <https://technet.microsoft.com/en-us/library/jj205403.aspx>

                  1. Update some DNS records to direct all SIP traffic to Skype for Business on-premises:
                  • Update the lyncdiscover.contoso.com A record to point to the FQDN of the on-premises reverse proxy server.
                  • Update the _sip._tls.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
                  • Update the _sipfederationtls._tcp.contoso.com SRV record to resolve to the public IP or VIP address of the Access Edge service of Skype for Business on-premises.
                  • If your organization uses split DNS (sometimes called “split-brain DNS”), make sure that users resolving names through the internal DNS zone are directed to the Front End Pool.

                  From <https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0>

                  According to Microsoft’s configuration of the Public DNS, you will have to configure only the SRV records to point to your edge server however, running a simple wireshark on your Skype for business client machine you can notice the following:

                  clip_image088

                  Microsoft Lync / Skype client first requires the Lyncdiscover / Lyncdiscoverinternal record in order to see where the user is located… then gets redirected to webdir.online.lync.com which is the Cname value to the Lyncdiscover Cname in the public DNS and tries to login the user through Login.microsoftonline.com then finds no user there and logs in using the SRV eventually in the end as in the below snapshot which I’ve used Wireshark for to monitor the DNS traffic that the Lync Client requests upon login request.

                  clip_image089

                  NOTE:

                  What have me confused here is that Microsoft says only SRV records must be pointing to your On-premises Lync/Skype for Business Edge server.. So you must enter something else other than SIP.domain.com (Which in normal cases might be the common name of your Edge certificate) for the value of the SRV Record since the SIP.domain.com and Lyncdiscover.domain.com must be pointing to Office 365.

                  I tried using the Public IP address of my Edge server just to check if my on-premises user will connect without any issue however I did have an issue with the Certificate saying “There was a problem verifying the certificate from the server”.

                  clip_image090

                  Luckily the Public certificate that I had on my edge server had multiple SANs (Subject Alternative Names) and one of them was WAC.moh10ly.com which I was intending to use for the WAC Server (Office Web Apps Server) and then I created an A record on my public DNS WAC.moh10ly.com that points to my Edge server’s Public IP address…. although the Wac.moh10ly.com is not a common name but it worked and I was able to federate with Office 365 users and was able to move users from on-premises to office 365 and back to on-premises as demonstrated later in the article.

                  “When creating DNS SRV records for hybrid deployments, the records, _sipfederationtls._tcp.<domain> and _sip._tls.<domain>, should point to the on-premises Access Proxy.”

                  From <https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0>

                  clip_image091

                  Now I have changed all the SRV records to direct to the new A record

                  clip_image092

                  And finally deleted the A sip record and created a new CNAME record that points to sipdir.online.lync.com

                  clip_image093

                  clip_image094

                  I have already a user synced from my local AD to the cloud (office 365) that’s not enabled for Skype for business on-premises .. Once this user is synced and have been assigned a license it should be directly enabled for Skype for Business Online and I should be able to sign in to it without any issue.

                  Note:

                  In order for both users (homed online and On-premises) to see eachother’s presence the synced user must be enabled on the On-premises Server before moved to the cloud or else the presence and M will fail.

                  Time to test, I was able to sign in to the Online homed user (admin) and now I’ll be adding the on-premises homed user to the list to check the presence, IM ..etc

                  clip_image095

                  Here I added the user admin to my other account Mohammed.hamada and vice versa.

                  clip_image096

                  The Presence appears to be working fine for user homed on-premises as it shows when I changed it to “busy, be right back..etc” on the cloud user’s Client however the Office 365 homed user’s presence takes time to change on the on-premises user’s list and the IM doesn’t seem to work properly as messages sometimes doesn’t go through and fail.

                  Sending a message from the on-premises User (Mohammed Hamada) to (ADMIN)

                  clip_image097

                  Now sending an IM from Admin to Mohammed Hamada

                  clip_image098

                  To make sure that the issue is not within my on-premises server, I will use a different Skype for Business online account and see if IM work both ways.

                  This is my other user.. The presence information seems to work properly and now I’ll test the IM

                  clip_image099

                  IM between my On-premises and another user on another Office 365 tenant seems to be working fine back and forth as in the below snapshots so the issue might be related to Office 365 tenant which I am using for this test (could be related to trial version)

                  I am going to open a case with MS and see why this issue happens since my on-premises work fine with other tenants.

                  clip_image100

                  clip_image101

                  Now It’s time to move users from and to cloud and on-premises to check how easy, flexible or hard this process is.

                  I currently have 2 users, one on cloud and one synced and homed online (Office365)

                  clip_image102

                  In order to move users, you can go to Users tab after the hybrid config is finished and find the user you want to move then click on Actions and chose to move the users to the Skype for Business Online as in the below snapshot

                  Note:

                  Before you move the user to Office 365, you must assign license to the user or else the move will fail.

                  clip_image103

                  clip_image104

                  clip_image105

                  clip_image106

                  clip_image107

                  You can move the user back from Office 365 to your on-premises Skype for Business server with the same process exactly except that you’ll have to choose which pool you need to move the user to.

                  Checking where the user is hosted from Skype for business Management shell

                  The Hosting Provider will show you where the user is working from now.

                  clip_image108

                  clip_image109

                  clip_image110

                  Hope this has been helpful

                  References:

                  https://technet.microsoft.com/en-us/library/jj204967.aspx

                  https://technet.microsoft.com/en-us/library/jj205403.aspx

                  https://technet.microsoft.com/en-us/library/jj205126.aspx

                  https://technet.microsoft.com/en-us/library/jj204669.aspx

                  https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-b06ee805-4349-4519-82fb-b06ed57c0bd0

                  https://channel9.msdn.com/Events/Ignite/2015/BRK4129









                Install Frontend Skype for Business 2015–Part 1





                Install prerequisites

                Frontend/Standard edition as well

                Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client, Windows-Identity-Foundation

                Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS

                From <https://technet.microsoft.com/en-us/library/dn933900.aspx>

                Check prerequisites for hotfix

                NOTE: If KB2919355 is installed first then you need to Uninstall it and install Windows8.1-KB2982006-x64 first

                clip_image001[5]

                clip_image002[4]

                get-hotfix KB3173424,KB2919355,KB2919442

                clip_image003[4]

                From <https://support.microsoft.com/en-us/help/3057448/-the-update-is-not-applicable-to-your-computer-error-when-you-install>

                Download IIS hotfix

                https://www.microsoft.com/en-us/download/details.aspx?id=44051

                From <https://technet.microsoft.com/en-us/library/dn951388.aspx>

                Installing Director Prerequesties

                Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client

                From <https://technet.microsoft.com/en-us/library/dn951388.aspx>

                Easier solution:

                Prerequisite not satisfied: Before you install Skype for Business Server 2015, you must install an update for Windows Server 2012 R2. For details about the update, see Microsoft Knowledge Base article 2982006, “IIS crashes occasionally when a request is sent to a default document in Windows 8.1 or Windows Server 2012 R2” at http://go.microsoft.com/fwlink/?LinkId=519376

                Solution:

                Extract the .msu to cab

                Expand -F:* C:\Windows8.1-KB2982006-x64.msu c:\

                clip_image004[4]

                Install CAB

                dism /Online /Add-Package /PackagePath:C:\Windows8.1-KB2982006-x64.cab

                clip_image005[4]

                Check Powershell version = 3

                $psversiontable

                clip_image006[4]

                Install prerequisites

                clip_image007[4]

                clip_image008[4]

                Restart is required

                clip_image009[4]

                clip_image010[4]

                clip_image011[4]

                clip_image012[4]

                Prepare Active Directory

                clip_image013[4]

                clip_image014[4]

                clip_image015[4]

                clip_image016[4]

                clip_image017[4]

                clip_image018[4]

                clip_image019[4]

                Install Administrative tools

                clip_image020[4]

                clip_image021[4]

                clip_image022[4]

                clip_image023[4]

                Prepare First standard edition server

                clip_image024[4]

                clip_image025[4]

                clip_image026[4]

                clip_image027[4]

                clip_image028[6]

                clip_image029[6]

                clip_image030[6]

                clip_image031[6]

                clip_image032[6]

                clip_image033[6]

                clip_image034[6]

                clip_image035[6]

                clip_image036[4]

                I will create a shared folder

                clip_image037[4]

                clip_image038[4]

                clip_image039[6]

                clip_image040[6]

                clip_image041[6]

                clip_image042[4]

                clip_image043[4]

                It’s time to publish the topology

                clip_image044[4]

                clip_image045[4]

                Publishing failed with an error that states the following

                clip_image046[4]

                So I will double check that I am member of the required groups

                clip_image047[4]

                It seems not, I will add Csadministrator and RTCUniversalServerAdmins

                clip_image048[4]

                Solution:

                Still I get the same error every time I try to publish the topology. Apparently the way I solved this was by creating a new topology where the standard pool name must match the server’s hostname otherwise Topology won’t be able to access the SQL Express that’s installed by Lync setup.

                So in this case I am going to re-create my topology as following

                Moh10ly.com is my public domain which is going to be my sip domain in this case not my local one (Lab.com)

                clip_image028[7]

                clip_image029[7]

                clip_image030[7]

                clip_image031[7]

                clip_image032[7]

                Next I will put my server’s FQDN in the pool name, my FQDN Is

                clip_image049[4]

                clip_image050[4]

                clip_image033[7]

                clip_image034[7]

                clip_image035[7]

                clip_image051[4]

                clip_image052[4]

                clip_image039[7]

                clip_image040[7]

                clip_image041[7]

                clip_image053[4]

                clip_image054[4]

                Now it’s time to publish the topology once again

                clip_image055[4]

                clip_image056[4]

                clip_image057[4]

                Seems we have passed the permission issue as soon as the Standard edition FE server matches the FQDN of the server

                clip_image058[4]

                clip_image059[4]

                We’ll look up at the open to-do list now

                The to do list seems a bit different from Lync 2013 as it requires the part about the certificate

                clip_image060[4]

                I will run the Local setup for the server since I only have one server now.

                clip_image061[4]

                Before we run the local setup we need to make sure that our account has the required privileges which is shown under the Install local CS below. Since I already have configured the account’s privileges I will continue my setup.

                clip_image062[4]

                clip_image063[4]

                clip_image064[4]

                clip_image065[4]

                There’s nothing new about the local store installation on S4B except that it checks and downloads updates during this process as the report shows below.

                clip_image066[4]

                Detailed steps for the local store installation can be found in the sub page.

                clip_image067[4]

                Now it’s time to move to the next step and check for the prerequisites

                clip_image068[4]

                clip_image069[4]

                clip_image070[4]

                S4B says that a prerequisite is not meet, checking the link posted in the error information it seems that it needs a hotfix to be installed on the server

                http://go.microsoft.com/fwlink/?LinkId=519376

                clip_image071[4]

                I am attaching the hotfix after requesting and Installing as requested

                <<478232_intl_x64_zip.rar>>

                clip_image072[4]

                clip_image073[4]

                After finishing we’ll double check if the prerequisites are meet or not

                Running the setup again it seems that the prerequisite has been satisfied.

                clip_image074[4]

                The setup and in particular the next step could take approximately about 5-10 minutes depending on the resources you have assigned to the Skype for business server.

                clip_image075[4]

                clip_image076[4]

                I will navigate to the MSI file location and try to install it without using the wizard.

                clip_image077[4]

                The file path is as showed in the previous path:

                C:\Programdata\Microsoft\Skype for Business Server\Deployment\cache\6.0.9319.0\

                clip_image078[4]

                So the problem is that Windows Identity foundation is not installed. Although I have copied the prerequisite cmdlet from the official Microsoft Skype for business’s technet article but it seems they have missed out there so I will adjust the powershell cmdlet to include it which means you won’t face this issue.

                clip_image079[4]

                clip_image080[4]

                Now I’ll re-run the setup again

                clip_image081[4]

                We have passed the error already and now in the process of assigning accounts to SQL services.

                The setup might take approximately 30-60 minutes installing all the required components.

                clip_image082[4]

                clip_image083[4]

                In order to continue to the next step we must deploy CA (Certification Authority) to issue a certificate for Skype for Business Front end web services.

                I already have one CA deployed on my CA so I will just go ahead and click run on the step 3

                This process will be easy as it’s automated if you have configured your CA properly. First click on Request

                clip_image084[4]

                Now S4B certificate request wizard provides new user interface that’s easier and faster to fill, I will fill it and go ahead with issuing the certificate.

                clip_image085[4]

                clip_image086[4]

                clip_image087[4]

                clip_image088[4]

                clip_image089[4]

                clip_image090[4]

                clip_image091[4]

                And it’s done

                clip_image092[4]

                I will do the same steps for the OAuthTokenIssuer

                clip_image093[4]

                clip_image094[4]

                Now it’s time to start the Services and check eventviewer

                Trying to start the services from the wizard fails with event ID 20002 so instead I am going to try Lync Management shell instead

                clip_image095[4]

                Trying Management shell with the cmdlet start-cswindowsservices seems to work

                clip_image096[4]

                clip_image097[4]

                All the services are running now

                clip_image098[5]

                See you later at Part 2