I am in the process of deploying two central site lync and need to identify all possible certificate SAN so we can access LYNC internally ,externally and on Mobile without any issues.

I identified below DNS records

• Dailin.uc.contoso.com
• Meet.uc.contoso.com
• sip.uc.contoso.com
• admin.uc.contoso.com
• access1.uc.contoso.com
• Webcon1.uc.contoso.com
• av1.uc.contoso.com
• lyncdiscover.uc.contoso.com
• Websrv-ext.uc.contoso.com
• wacweb01-ext.uc.contoso.com
• sipinternal.uc.contoso.com
• lyncdiscoverinternal.uc.contoso.com
• site1-lyncpool-001.uc.contoso.com
• site2-lyncpool-001.uc.contoso.com
• site1-medpool-001.uc.contoso.com
• site2-medpool-001.uc.contoso.com
• Site1-chatpool-001. .uc.contoso.com
• Site1-lyncfe-001.contoso.local
• Site1-lyncfe-002.contoso.local
• Site1-lyncme-001.contoso.local
• Site1-pchat-001.contoso.local
• SITE2-lyncfe-001.contoso.local
• SITE2-lyncme-001.contoso.local
• Site1-lyncbe-001.contoso.local
• SITE2-lyncbe-001.contoso.local
• _sip_tls.uc.contoso.com
• _sipinternaltls._tcp.uc.contoso.com
• _ntp._udp.uc.contoso.com

Now, my question is do I need all of them to be the part of SAN for the default certificate (Server Default, Webservices internal, Webservices external) ?

I’ll also purchase public certificate for LYNC external/Mobile so will I keep the same SAN name as I kept for internal certificate using internal PKI?

Would SRV records also be the SAN in the certificate?

Thanks.

DirectoryEntry newUser = directoryEntry.Children.Add("CN=" + model.Account.FullName, "user");
if (model.Account.SamAccountName != null) newUser.Properties["sAMAccountName"].Value = model.Account.SamAccountName;
newUser.CommitChanges();

setUserPassword("CN=" + model.Account.FullName + "," + model.Account.Path, model.Account.Password);

newUser.RefreshCache();

if (model.Account.FirstName != null) newUser.Properties["givenName"].Add(model.Account.FirstName);
if (model.Account.LastName != null) newUser.Properties["sn"].Add(model.Account.LastName);
if (model.Account.MiddleName != null) newUser.Properties["initials"].Add(model.Account.MiddleName);

if (model.Account.UPNLogon != null && model.Account.DomainName != null) newUser.Properties["userPrincipalName"].Add(model.Account.UPNLogon + "@" + model.Account.DomainName);
if (model.Organization.DisplayName != null) newUser.Properties["displayName"].Add(model.Organization.DisplayName);
if (model.Organization.Email != null) newUser.Properties["mail"].Add(model.Organization.Email);

newUser.Properties["LockOutTime"].Value = 0; //unlock account
newUser.Properties["userAccountControl"].Value = 0x200; // enable account
newUser.CommitChanges();

string homeMDB = profile.Exchange13_Profile.ExchangeDB;

IMailboxStore mailbox;
try
{
     IMailboxStore mailbox = (IMailboxStore)NewUser;
     mailbox.CreateMailbox(sHomeMDB);
     NewUser.CommitChanges();
}
catch (InvalidCastException e)
{
     MessageBox.Show(e.Message.ToString());
}

The above code successfully creates a new user and enables it on the AD server. But I am unable to create/enable the Exchange mailbox, as the IMailboxStore namespace needs cdoexm.dll. I've tried to locate cdoexm.dll on the Domain Controller, MailBox Server, and Client Access Server, but in vein.

I know the alternate way of doing this, is by using Powershell cmdlets, but I don't want to do that.

Now precisely stating my questions:

• How to add the COM cdoexm.dll? Or
• Is there any other way around to use IMailBoxStore? Or
• Is there any way to enable the AD user's mailbox and Lync account other than PowerShell?

The first two questions are resolved as CDOEXM is now obsolete from Exchange 2010 and onward.

Is it possible to configure Lync 2013 to only send a single 180/183 ringing back upstream after an INVITE to Lync triggers multiple INVITEs to Lync subscriber endpoints that each end up generating a 180/183 message.

In case of simultaneous ring, I want Lync to consume all these 180s to avoid unnecessary messaging back to the originator INVITE'ing Lync that is behind a SBC.

It seems to be acting as a forking proxy rather than b2bua.

applied couple of working certificates after a quick install (Lync). Soon-after logging Lync, I tried to message by double-clicking one of the users from my contacts list; suddenly, I face app crash that prompts me to restart the application. This continues after restarting the app.

Microsoft Error Reporting log version: 2.0

Error Signature:
Exception: EXC_BAD_ACCESS
Date/Time: 2014-11-28 05:44:49 +0000
Application Name: Microsoft Lync
Application Bundle ID: com.microsoft.Lync
Application Signature: UCCP
Application Version: 14.0.10.141024
Crashed Module Name: unknown
Crashed Module Version: unknown
Crashed Module Offset: unknown
Blame Module Name: Microsoft Lync
Blame Module Version: 14.0.10.141024
Blame Module Offset: 0x02019556
Application LCID: 1033
Extra app info: Reg=English Loc=0x0409
Crashed thread: 0

my company email hosted by google and I already have lync server 2013, but i lose some lync features due to exchange missing.

can i install exchange internally to support lync server (contacts, tasks, calendar)without configuring email service and because its internally does it causes any issue for lync external users to prepare meetings or tasks 

I had Microsoft on the phone working a non-Lync related problem and their usually desktop viewing software was not working so we decided to use Lync. The Microsoft tech sent me a Lync meeting and when I click on the Lync URL, the meeting launches and all is well until he makes me the presenter and I try to share my desktop, the connection drops.

Question is I am trying to figure out how this works and whether we are using our Edge server in all of this. We have 3 FE servers and a single Edge on our DMZ. When I click the Lync meeting URl in Outlook, I am guessing the request just goes out our firewall and connects to their Edge? I am trying to figure out how this works so I can start looking at why when I try to share my desktop, it kills the connection.

Microsoft is not a federated partner so I am thinking all this traffic is bypassing our Edge and just going through our firewall. If that is the case its probably our proxy server or our firewall.

Hi Team,

If we are to look at a scenario to have HA for Lync Edge,

1. Can I use 2 x Edge Servers, Hardware Load Balanced with Single Public IP and Single External Interface IPs(Single FQDN & IP Address)?
2. Can I use 2 x Edge Servers, DNS Load Balanced with Single Public IP andSingle External Interface IPs(Single FQDN & IP Address)?
3. What would be the primary factor when deciding the Edge LB method(DNS vs HLB)?

Cheers,
Chris!

I have a Lync deployment with those servers:

1 Edge server

1 Front End 

1 Proxy server IIS ARR 

1 WAC Server

The problem is client has only one public IP and 443 port NAT is assigned to DMZ nic of Edge server, could be possible publishing to internet for external users (meet, dialin, webconf and office) with other port like 4443 using iis arr?

Something like:

meet.contoso.com:4443

dialin.contoso.com:4443

office.contoso.com:4443

Thanks in advanced

Hi all

Is it possible to restrict the number of lync session that use enterprise cal if i got more standart cal than enterprise ones.

I mean if i got 200 enterprises cal an 1000 standards cal how can i restrict the use of this 200 cals.

The goal is when 200 users uses theres cal nobody else can use the enterprises features given by Lync.

kind regards

Hi Everyone,

I've been using ARR 3.0 in my Lync/Exchange 2013 lab for a while, and I'm trying to find the pros/cons when comparing ARR to the new Web Proxy feature.

From what I can tell, the web proxy service looks like it's more useful when used with exchange as a user can authenticate via ADFS.

Any thoughts on this one?

Hello,

In our company we have deployed Lync 2013 Standard with last CU

1. Front End - External web serwis and mobile sing by wildcard certyfikate trusted in Internet, and Internal webserwis sing by our Internal CA not trusted in internet

In Topology is registred: LyncFE.company.local

Default SIP domain is company.com

2. Edge Server  - All in one server sing by our Internal CA not trusted in internet with Subject Alternative Names: sip.company.local, sip.company.com, LyncEDGE.company.com

In Topology is registred: LyncEDGE.company.local

3. Reversed Proxyand NAT and firewall setup our firewall with Port Translating

LyncEDGE.comapny.local have asigned by NAT public IP Adres 10.10.10.10

LyncFE.company.local have asingned by NAT public adres IP 10.10.10.11

Incoming traffic for 10.10.10.10 and 10.10.10.11 Lync ports TCP/UDP from documentation

Outgoing traffic for 10.10.10.10 (LyncEDGE) on TCP 5061 need for federation

4. DNS setup

We have split domain and DNS like this:

Company.local (Internal DNS) and Company.com (External DNS)

DNS Records in our External DNS:

LyncEDGE.company.com record A 10.10.10.10

LyncFE.company.com record A 10.10.10.11

sip.comapny.com TLS --> LyncEDGE.copmany.com

_sipfederationtls._tcp.company.com -> LyncEDGE.copmany.com

_sipinternaltls._tcp.company.com --> -> LyncEDGE.copmany.com

lyncdiscover.company.com --> 10.10.10.10

In this setup works for now: Lync Audio Video, Mobile access. And now we trying setup Federation and Push notyfication and when we testing we get 504 form serwer.

------------------------------------------------------------------------------------------------------------------------------------------------------

Test-CsFederatedPartner -TargetFqdn lyncedge.company.local (This is the name of our LyncEDGE server in topology)-Domain microsoft.com
Test-CsFederatedPartner : A 504 (Server time-out) response was received from
the network and the operation failed. See the exception details for more
information.
At line:1 char:1
+ Test-CsFederatedPartner -TargetFqdn lyncedge.pep.local -Domain microsoft.com
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OperationStopped: (:) [Test-CsFederatedPartner],
    FailureResponseException
    + FullyQualifiedErrorId : WorkflowNotCompleted,Microsoft.Rtc.Management.Sy
   ntheticTransactions.TestFederatedPartnerCmdlet

--------------------------------------------------------------------------------------------------------------------------------------------------------

My lyncedge.company.com was add by Microsoft as Federation for Skype

telnet form Front End server to LyncEDGE.company.local on port 5061 works

Firewall show outbond traffic form LyncEDGE.company.com (10.10.10.10) to Microsoft site

But still i cant get working federation and push notyfication for mobile some one can advise where problem can be? I think problem is with our certyficate setup on EDGE server that is sing by our Internal CA not trusted in Internet.

I have the "AlwaysOn" CLS logging scenario running in my Lync 2013 Enterprise deployment.  I did not configure the CacheFileNetworkFolder option since i don't care about retaining these logs anywhere other than on the local drives of the Lync servers so i just left it blank.  Now every few hours or so I am getting Event ID 33020 in each Lync server and SCOM is firing an alert as well.

The CsClsLogging configuration is as follows:

PS C:\> Get-CsClsConfiguration


Identity                      : Global
Scenarios                     : {Name=AlwaysOn, Name=MediaConnectivity, Name=ApplicationSharing,
                                Name=AudioVideoConferencingIssue...}
SearchTerms                   : {Type=Phone;Inserts=ItemE164,ItemURI,ItemSIP,ItemPII,
                                Type=URI;Inserts=ItemURI,ItemSIP,ItemPII,
                                Type=CallId;Inserts=ItemCALLID,ItemURI,ItemSIP,ItemPII,
                                Type=ConfId;Inserts=ItemCONFID,ItemURI,ItemSIP,ItemPII...}
SecurityGroups                : {}
Regions                       : {}
EtlFileFolder                 : C:\CLSTracing
EtlFileRolloverSizeMB         : 20
EtlFileRolloverMinutes        : 60
TmfFileSearchPath             : C:\Program Files\Common Files\Microsoft Lync Server 2013\Tracing\
CacheFileLocalFolders         : C:\CLSTracing
CacheFileNetworkFolder        :
CacheFileLocalRetentionPeriod : 14
CacheFileLocalMaxDiskUsage    : 80
ComponentThrottleLimit        : 5000
ComponentThrottleSample       : 3
MinimumClsAgentServiceVersion : 6

Is there a way to stop the flow of these events without having to configure CLS to transfer the logs to a network share?

Hi,

A question come to my mind: if you have deployed ordinary pool pairing solution, how the rest of your topology survive if one pool goes down? As you know edge-, mediation server-, director- and all trusted applications pools have a configuration the "next hop" which is pointing to one of your FE pool. What is happening for those app pools where the next hop is pointing to this FE pool which goes down?

Ewan MacKellar and Andrew Ehrensing touched this only lightly (for edge only) on their sessions "Design your Lync 2013 Deployment to be Disaster Proof".Here are the slides. On the slide they have written: "Manual change of ‘next hop’ Edge to SE Server". That was kind of reason to not use Standard edition. But is it really true for Enterprise pool's as well? If you need to do pool failover, do you need to do manual configuration as well? Or based on Ewan and Andrew: if you have STD pools with pool pairing you donot need to do manual change?

I made one test with two pools (not pool paired) and one mediation server (test environment). When I take the "next hop" pool down, none of the calls from PSTN was working until the pool was up again. This was actually reason for this question :)

Petri

Our domain is hosted at Verio/Rapidsite.  The Zone File for the site has different columns than those identified in the setup information for Lync, so I am not sure how to set up the DNS changes to get Lync working.  The fields to be populated at Verio are Name, Ttl, Class, Type and Spec.  Our domain name is intergraphic.com.

How do I apply the necessary information in this situation?

I am looking at performing an installation of Lync 2013 in an environment where Lync 2010 is used already in a resource forest.  The resource forest will be decommissioned eventually so the need is to install Lync 2013 into the user forest and not migrate the users, but remove them from Lync 2010 and then add them to Lync 2013.  Ideally we would like this process to be staged and not a cutover.

I have some questions:

1) Can the two Lync environments coexist in the same topology between forests?

2) If 1 is yes, will users in Lync 2013 be able to find users in Lync 2010 and vice versa in the address book?

3) If 1 is no I'm guessing that there is no way to federate since the SIP domains will be the same.

I am currently running Lync 2013 Enterprise in a test environment and was curious if anyone could share their hardware setup. Total memory used per Front End, Total memory used per Edge, and for how many users. I have run the planning tools to drill down for our environment but was curious to see other setups. Thanks

I am seeing the following error very frequently on all my Lync servers that are running the CLS agent:

LS Centralized Logging Agent Event ID 33041

It appears the errors started with the install of the August CU updating Lync to 5.0.8308.738.  Note, this error is with CLS, not Lync Debugging tools.  I have verified that ClsAgent.exe is using C:\Program Files\Common Files\Microsoft Lync Server 2013\Tracing\default.tmx, which is 23041 KB and dated 8/3/2014.

Anyone else seeing this?  Anyone have a fix?

We have a weird problem in our installation where Lync keeps complaining about connectivity issues to external reach proxy on our front end server.

The event log error codes are 41024 and 41026.

Here's the error from the snooper utility: 

TL_ERROR(TF_COMPONENT) [0]1A14.0EE4::12/12/2014-10:31:30.901.0000000d (DataMCURunTime,DataProxies.ProcessResponse:1197.idx(601)) (0000000001595A27)Failed poking Proxy error=[The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.], type=[ExternalReachProxy], url=[https://dunords36.du.local:4443/Reach/DataCollaborationRelayWebService.svc]

The problem is that it makes the test with the INTERNAL FQDN (dunords36.du.local) and thus the SSL trust fails as the certificate is for our EXTERNAL FQDN on the front end server! I have verified this by testing the above URL with the external address and the internal one. With the external one the certificate is OK.

If you're wondering; we do not use a reverse proxy. Instead we just have the firewall change the port and forward the traffic to our front end server. Our lync setup is a NAT'ed setup.

I know about the security risks so this is not what the discussion is about.

I can't find anywhere where i can change the above behaviour and tell lync to make the test on the correct, external FQDN. The settings in the topology builder all seems to be OK. And as you can see it does make the test on port 4443 which in our topology builder is configured for our external FQDN.

Hi All,

Happy New Year.

We are facing an issue with Lync Server. We have a setup of two Front-End Servers. One Front-End Server is down, as the OS got corrupted (Some Hardware is also getting replaced) and the Lync setup is now running on single point of failure as only one FE server is up and running.

Once I get server OS fine, then is there a way I can restore my faulty FE server (Re-installing FE server with same name in disaster recovery mode)?? If yes, then please let me know how and a article related to that will be very helpful.

Never giveup till you get what to want.