Channel: Lync Server 2013 - Management, Planning, and Deployment forum
Viewing all 5984 articles

How to change Lync Server 2013 Autodiscover URLs


Hi All,

We are having an issue with autodiscover. We would like to change this URL "https://lyncsrv.internaldomain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=externaldomain.com" to "https://lyncdiscover.externaldomain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=externaldomain.com" as lyncsrv.internaldomain.com is not resolvable from outside. (Internet)



https://lyncdiscover.externaldomain.com/

<resource rel="root" href="https://lyncsrv.internaldomain.com/Autodiscover/AutodiscoverService.svc/root?originalDomain=externaldomain.com"><link rel="user" href="https://lyncdiscover.externaldomain.com/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=externaldomain.com"/><link rel="xframe" href="https://lyncdiscover.externaldomain.com/Autodiscover/XFrame/XFrame.html"/></resource>



PS C:\Users\Administrator.domain> Get-CsService -WebServer |fl auto*


AutodiscoverServiceExternalUri : https://lyncdiscover.externaldomain.com/Autodiscover/AutodiscoverService.svc/root
AutodiscoverServiceInternalUri : https://lyncsrv.internaldoamin.com/Autodiscover/AutodiscoverService.svc/root





Error:

Exception encountered while sending an HTTP request to https://lyncsrv.internaldomain.com/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=externaldomain.com?sipuri=h1test@externaldomain.com: An error occurred while sending the request.. Complete Exception: \r\nSystem.Net.Http.HttpRequestException: An error occurred while sending the request. ---> System.Net.WebException: The remote name could not be resolved: 'lyncsrv.internaldomain.com'
   at System.Net.HttpWebRequest.EndGetResponse(IAsyncResult asyncResult)
   at System.Net.Http.HttpClientHandler.GetResponseCallback(IAsyncResult ar)
   --- End of inner exception stack trace ---
   at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
   at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
   at Microsoft.LyncServer.WebServices.AutoDiscoverManager.<SendHttpRequest>d__9.MoveNext()


An error occurred while sending the request.
The remote name could not be resolved: 'lyncsrv.internaldomain.com'


Lync Mobile Issues ARR IIS Reverse proxy


Hi All 

I deployed Lync 2013 and can't seem to get the Lync mobile services working. See extract of Lync 2013 remote connectivity analyzer.

Error 1

An error occurred while sending the request.
The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.
The remote certificate is invalid according to the validation procedure.

Error 2

Server discovery failed for secured external channel against https://lyncdiscover.domain.co.za/

Error 3

An error occurred while sending the request.
The remote name could not be resolved: 'LFE.domain.local' 

Please assist, public certificate is a wild card cert and the android client has the following error.

"Lync is attempting to redirect you to :

Issued by: Internal CA

Subject:LFE.domain.local

Signature Algorithm: SHA1withRSA.

Sandile

LYNC 2013 - SIP Traffic: DNS Load Balancing, HTTP Traffic: Any workaround other than HLB


Lync 2013 Setup
(It’s a College Campus & Lync is for Internal Students & No External Connectivity for Students).

The management has decided that they will not spend money on HLB for a small Campus of 1000 Users including Students, Teachers & Management. They still want all roles to be installed except Enterprise Voice. We’re using DNS Load balancing for SIP Traffic. I’m looking for a work-around for HTTP traffic even if it is not HA. Some URL’s say HLB is a must when you are using DNS Load Balancing.

Front End Servers:
LyFE01.domain.com IP: xx.xx.xx.1
LyFE02.domain.com IP: xx.xx.xx.2

Back End Servers:
(Primary, SQL Instance: LYDB) LyBE01.domain.com IP: xx.xx.xx.3
(Mirror, SQL Instance: LYDB) LyBE02.domain.com IP: xx.xx.xx.4
(Witness, SQL Instance: LYDBWIT) LyBE03.domain.com IP: xx.xx.xx.5

Pool Name: Lyncpool.domain.com IP: xx.xx.xx.6

Web Services URL:
Internal URL: WebLyncInt.domain.com
External URL: WebLyncExt.domain.com

Single SQL Instance for Backend, Archiving & Monitoring: LYDB

DNS RECORDS:
Host ‘A’ records for all nodes:
xx.xx.xx.1, xx.xx.xx.2, xx.xx.xx.3, xx.xx.xx.4, xx.xx.xx.5

Host ‘A’ records for the Lync Pool as below:
Lyncpool.domain.com - xx.xx.xx.1
Lyncpool.domain.com - xx.xx.xx.2

Simple URL’s

https://lync.domain.com/Meet - Meet Simple URL
https://lync.domain.com/DialIn - DialIn Simple URL
https://lync.domain.com/Admin - Admin Simple URL

DNS Record for Simple URL’s:
Lync.domain.com – xx.xx.xx.1
Lync.domain.com – xx.xx.xx.2

Other DNS Records: SRV Record for SIP

Q1. As per my above plan, I’ve setup DNS Load balancing for my sip traffic and there is no hardware load-balancer available. In such a setup will it not work technically or is it mandatory?

Q2. I’m not worried about High Availability for HTTP Traffic, so in this case if I create a single DNS Record for WebLyncInt.domain.com and point it to one front end server, will this work. For ex:

WebLyncInt.domain.com – xx.xx.xx.1

Q3. Am I missing any other DNS record which is needed to be created for auto-discovery, sign-in etc?

Q4. The campus is still running Exchange 2003 in their network. This is the reason why I’m archiving on SQL. When I enable users for LYNC, if I select the option to use “email address” as their sign-in name will it work or do I have to use only SAM account Name?

Q5. What will happen if I don’t change the WEB Services URL & leave it to default pool name? I mean if I don’t override internal FQDN for Web Services, what will get affected?

Please Guide. Thanks.


Fahad

Running SEFAUtil remotely


Hi,

I have set up SEFAUtil on a computer where I am able to run it and it returns a correct output. Recently we developed a web service that is running on a different server and needs to make some modifications to Lync server using SEFAUtil. However, when trying to invoke the util remotely in PowerShell (or with winrs in cmd), it returns an error message when the /verbose parameter is present:

Cannot read contacts from Active Directory: Active Directory error "-2147016672"

However, if no parameters are passed to the util, it successfully prints out its help so this means that the remote command works, but the problem is somewhere between SEFA and Lync server. We have also tried issuing command Enable-PSRemoting, but this did not change the situation.

Is there any way of invoking SEFAUtil remotely and getting the result?

Thanks.

Policy to force use of AD photos only is not working (global policy and client policy) - Users can change their picture


Hi,

On Lync Server 2013 we are trying to disable the option to change the photo on the Lync client. The global policy has been set to display only AD photos; this didn't work, so we created a client policy with the same setting and applied it to users, but it is not working. Is there something that we are missing?

Regards.


Not Enough Disc Space to Patch VDI Client - Lync VDI Account Lockout


Hi,


We have a customer who'd like to patch their VDI client to be the latest version 'lync2013-kb2889860-fullfile-x86-glb.exe'; however, as they are on Wyse terminals with a limited amount of HDD space, the patch will not apply. Is there a way to only extract the VDI-relevant patches like you can on the server patch?


Particularly the September 2014 update for Lync 2013 (KB2889860) which resolved the Lync VDI account lockout issue.


Cheers


Lync Tips Blog - tomcottonuk@googlemail.com - If this post has been useful please click the green arrow to the left or click 'Propose as answer'

Lync 2013 - EDGE (do you need static persistent routes - yes or no?)


Hi there.

Two edge servers in one edge pool.

Every edge server has 1 LAN IP and three DMZ IPs. There's only a gateway on the DMZ NIC.

Do you need to put static persistent routes or not?


bostjanc

Lync 2013 Silent Uninstall via script


We have rolled out a pilot of Lync 2013 and need to remove it, in advance of installing Office 2013 with Lync in it. There is an UninstallString in the uninstall registry key that should uninstall it; however, when I try that, it errors out. The uninstall script from the registry is this:

MsiExec.exe /X{90150000-012C-0000-0000-0000000FF1CE} 

and when I run that, there's 2 entries in the log file:

DEBUG: Error 2746:  Transform 90012D0000000015.0.4420.1017 invalid for package C:\windows\Installer\95f30.msi. Expected product {90150000-012D-0000-0000-0000000FF1CE}, found product {90150000-012C-0000-0000-0000000FF1CE}.

DEBUG: Error 2746:  Transform 90012E0000000015.0.4420.1017 invalid for package C:\windows\Installer\95f30.msi. Expected product {90150000-012E-0000-0000-0000000FF1CE}, found product {90150000-012C-0000-0000-0000000FF1CE}.

And at the end of the log is:

CustomAction DcaRemoveSpawn returned actual error code 1603 (note this may not be 100% accurate if translation happened inside sandbox)
Action ended 11:12:13: DcaRemoveSpawn. Return value 3.
Action ended 11:12:13: INSTALL. Return value 3.

and it doesn't uninstall. Sure, it uninstalls from Add/Remove, but that's not really an option.

We're having the same issue with Office 2013 - the UninstallString in the registry doesn't work and throws the same error.

Anyone have any suggestions?


Publish topology is grayed out


Hi,

I just configured pool pairing and when I try to publish it, the publish topology is grayed out!

Rollup update


Hi,

I'm applying rollup updates. When I run the command

Uninstall-CsMirrorDatabase -DatabaseType Application -SqlServerFQDN SQL01.contoso.com -SqlInstanceName Default -DropExistingDatabasesOnMirror -Verbose

I get the following error

The command execution failed:The topology does not define any mirror for the database role ApplicationStore installed on SQL server SQL01.contoso.com\default

 

Lync 2013 edge server deployment manager


Hi,

I am getting an error while importing the local configuration file on the edge server.

Error returned while installing ocscore.msi(feature_localmgmtstore), code 1603

failed to create network share (---- -xds-replica)

failed to drop network share (---  -xds-replica)

I am able to telnet from CMS server to Edge server over port 4443.




Lync 2013 and iPad/Android Issues


Lync 2013 Oct 2014 RU env. All on-prem.  No Voip.

We set up our Lync 2013 environment to use an internal PKI cert.  Our edge and reverse proxy is using a public CA cert from Thawte.  Lync Mobile from outside our network on iPhones or Androids works fine.  On our internal network it is another story.

After calling MS we added INTERNAL DNS records for our External web url and lyncdiscover.sipdomain.com to point to the reverse proxy external IP address.  This made the iPads/iPhones/Android devices work for IM only if they were hooked up on our internal corporate wireless network.

Now if I take that same iPad that is working for IM/Presence on our internal wireless and try to join a Lync meeting, it fails when hitting the URL https://meet.sipdomain.com.  I'm assuming it is hitting our internal DNS record of meet.sipdomain.com that points to FE server. That server/s have our INTERNAL PKI cert on them.

I'm just not understanding why MS designed the system like this stating to use an internal CA for all the FE servers when you can't BYOD without installing a cert on them.  I'm guessing to resolve my problem I need to push out our INTERNAL PKI cert to the iPads that are used on our internal corp wireless.  For some reason the Android devices will give you a cert warning if you click on the https://meet.sipdomain.com URL and you can then accept the warning and proceed to join the meeting.

Where do we need to point HLB on multiple Edge server scenarios?


Hi Team,

We are planning to bring in F5 load balancer for our Edge 2013 pool. We have 2 edge servers under a pool.

Here are the details:

Front end pool : Sip.contoso.com

Edge pool: Edge.contoso.com

Edge server 1 : Edge1.contoso.com

Edge server 2: Edge2.contoso.com

We know that we need to specify the VIP of HLB when we put load balancer for Front end pool and FE pool A record should be pointed to VIP of HLB.

Question:

1. How do we configure HLB for Edge pool? (Where to point DNS records)

Many thanks.



Lync 2013 Edge DNS config understanding


Hey guys,

I just set up our Lync 2013 frontend server, which is running fine internally. The Edge is running as well, but I still have to do the port forwardings in the firewall and the external DNS configuration. But I got an understanding issue.

I followed these instructions. "Edge server IP as specified in setup wizard" is very clear, but what exactly is meant with "Lync Reverse Proxy IP"?

Just to explain a bit the infrastructure, we got a Sophos UTM as firewall. In total we have attached 4 external IPs to the Sophos. For sure the external IP's on the FW are NATed to the 192.168.50.X of the external Edge interface.

80.123.250.160 sip.mydomain.com

80.123.250.161 webconf.mydomain.com

80.123.250.162 av.mydomain.com

80.123.250.163 mail.mydomain.com and general stuff

So if I understand it correctly, it should just be one of the IPs which are connected to the FW, so I could just take the 80.123.250.160 or am I missing something?

Thanks in advance.

Kind regards,

Chris

Lync 2013 client uninstall


Hi,

We have Office Professional Plus 2013 installed for our Lync 2013 pilot batch, including me. Now the Lync 2013 client is part of the Office setup; when we face a problem with any Lync 2013 client, we simply cannot uninstall the Lync 2013 client. Can anyone suggest how to uninstall the Lync 2013 client without uninstalling the entire Office setup?


Cloud and Unified Solution Specialist..


Lync 2013 - static route not matching/working


I have setup Lync 2013 for interop with Cisco VCS.  I can make video calls from VCS devices to Lync client but not from Lync to VCS devices.

Doing a trace, it is not matching my static route and instead routing toward the edge.  I have removed the Applicationpool and route, rebooted, then added it back.  It still does not work.

Our Lync domain is domain.com and VCS domain is vc.domain.com

Here is what the Application Pool and route look like.  When calling someone at @vc.domain.com it routes to the edge instead of the pool defined in the trustedapp.

App Pool and App:

Identity             : TrustedApplicationPool:pdx-vcs-1.domain.local
Registrar            : Registrar:pdx-lync-pool-2.domain.local
FileStore            :
ThrottleAsServer     : True
TreatAsAuthenticated : True
OutboundOnly         : False
RequiresReplication  : False
AudioPortStart       :
AudioPortCount       : 0
AppSharingPortStart  :
AppSharingPortCount  : 0
VideoPortStart       :
VideoPortCount       : 0
Applications         : {urn:application:vcsapplication1}
DependentServiceList : {}

ServiceId            : 1-ExternalServer-5
SiteId               : Site:PDXHQ
PoolFqdn             : pdx-vcs-1.domain.local
Version              : 6
Role                 : TrustedApplicationPool


Identity                   : pdx-vcs-1.domain.local/urn:application:vcsapplication1
ComputerGruus              : {pdx-vcs-1.domain.local sip:pdx-vcs-1.domain.local@domain.com;gruu;opaque=srvr:vcsapplication1:o0sQGDMMbV6ibPS4LsrBvwAA}
ServiceGruu                : sip:pdx-vcs-1.domain.local@domain.com;gruu;opaque=srvr:vcsapplication1:o0sQGDMMbV6ibPS4LsrBvwAA
Protocol                   : Mtls
ApplicationId              : urn:application:vcsapplication1
TrustedApplicationPoolFqdn : pdx-vcs-1.domain.local
Port                       : 65072
LegacyApplicationName      : vcsapplication1

Static Route:

Transport               : TransportChoice=Certificate=Microsoft.Rtc.Management.WritableConfig.Settings.SipProxy.UseDefaultCert;Fqdn=pdx-vcs-1.domain.local;Port=65072
MatchUri                : vc.domain.com
MatchOnlyPhoneUri       : False
Enabled                 : True
ReplaceHostInRequestUri : False
Element                 : <Route xmlns="urn:schema:Microsoft.Rtc.Management.Settings.SipProxy.2008" MatchUri="vc.domain.com" MatchOnlyPhoneUri="false" Enabled="true" ReplaceHostInRequestUri="false">
                            <Transport Port="65072">
                              <TLS Fqdn="pdx-vcs-1.domain.local">
                                <UseDefaultCert />
                              </TLS>
                            </Transport>
                          </Route>

Trace:

TL_INFO(TF_DIAG) [4]3EE4.168C0::03/25/2015-17:28:02.168.0032d00e (SIPStack,SIPAdminLog::WriteDiagnosticEvent:SIPAdminLog.cpp(80))[116405275] $$begin_record
Severity: information
Text: Routed a request towards the edge of the enterprise
SIP-Start-Line: INVITE sip:pdx3@vc.domain.com SIP/2.0
SIP-Call-ID: a9be087842bc4ce8b7cbb3aac35de91b
SIP-CSeq: 1 INVITE
Peer: pdx-lync-edge-1.domain.local:5061
$$end_record

 

WAC and Pool Pairing


Hi All,

While configuring pool pairing between pool1.contoso.com and pool2.contoso.com, I encountered an error. Upon analyzing, I found that there is no 'Associated pool with Office Web Apps Server' option in pool2.contoso.com but I can see the same in pool1.contoso.com.

I went ahead and configured the pooling but publish topology is disabled and I see the following error:

 

The topology includes one or more backup service with invalid configuration.

· The backup service "BackupServer:Pool1.contoso.com" in cluster "Pool1.contoso.com" is configured to backup data from service "ConferencingServer:Pool1.contoso.com" and component "DataConf", but backup cluster"Pool2.contoso.com" does not either define similar type of service or enable it for backup.

· The backup service "BackupServer:Pool1.contoso.com" in cluster "Pool1.contoso.com" is configured to backup conference data from service "ConferencingServer:Pool1.contoso.com". Either both of these service need to depend on WAC service or none of them should have WAC service dependency.

Pin-Point DNS VS Split Brain; Performance Differences


Good morning,

I have come across an issue when using pin-point DNS zones compared to a split brain DNS architecture which I would like some feedback on. I  am successfully able to reproduce the problem in my home lab instantly, using just a single standard edition front end server and single edge server. The sum of the problem is that when using pin-point DNS, calls will be preceded by two 'pips' before the call starts to ring - so a delay in the call setup process. In contrast, when using a split brain DNS zone there is no delay at all and the call goes straight through.

After looking at logs I can see that this is because of how the two different DNS methods handle the av.mydomain.com lookup that is referenced through ICE.

Ordinarily with a split brain DNS architecture, there is no record for av.mydomain.com internally (as it's not a requirement), so the lookup fails and the call setup is almost instant. However the nature of pin-point DNS means that when there is no record found for av.mydomain.com, the request is then forwarded to the outside world which is what I believe is causing this call setup delay resulting in the two 'pips'. If I create a pin point zone for av.mydomain.com (even without a record in it) then the problem goes away.

The above can be confirmed by performing an NSLOOKUP against av.mydomain.com from an internal client; with split brain it won't resolve, but with pin-point it will resolve to the public IP for av.mydomain.com based on the public DNS record.

I've reproduced this in a lab by creating a response group and calling it from a client without issue using split brain DNS, and then converting all those records to pin-point DNS zones which then results in a 2 pip delay calling that same response group.

As I find most deployments are typically leveraging split brain DNS, has anyone experienced this when using pin-point DNS? I am 100% sure that if someone has a home lab that they were to flip over to pin-point DNS from split brain that they would be able to reproduce the problem. Naturally the edge presence is critical for the introduction of ICE / MRAS, without which this problem wouldn't exist.

Would love some feedback on this one.

Kind regards
Ben


Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you've asked, please mark the thread as answered to aid others when they're looking for solutions to similar problems or queries.



Lync 2013 Certificate


Hi

I have Lync 2013

I have 2 edge servers

Once my internal certificate expired and I renewed the internal certificate, the RTCSRV certificate stopped. How can I solve this issue?

What names should the certificate include (Edge server certificate)?


MCP MCSA MCSE MCT MCTS CCNA

Questions on HLB - DNS configurations for Lync multi edge servers scenario


Hi All,

Please have a look at the below table and advise:


Edge 1: Internal NIC 10.x.x.10; External NIC 190.x.x.x.11, 190.x.x.x.21, 190.x.x.x.31
Edge 2: Internal NIC 10.x.x.20; External NIC 190.x.x.x.12, 190.x.x.x.22, 190.x.x.x.32
HLB VIP - private IP: 10.x.x.50
HLB VIP - Public IPs: 190.x.x.x.10, 190.x.x.x.50, 190.x.x.x.30
FE1: 10.x.x.100
FE2: 10.x.x.200

 

Questions:

 

  1. How do we point DNS record to load balance multiple edge servers (Edge pool) by HLB?
  2. Should there be just 1 ip on each external NIC of the edge servers?
  3. Should there be Public IP addresses in there? (I don’t see a reason why there should as the HLB is public facing)
  4. What configuration do I need to do in terms of the edge pool?
  5. Does this need a VIP on the HLB and if so should all of the external services point to this IP or should each service be loadbalaced across one of the 3 IPs on each server?
  6. Are we missing something regarding the load balancing of the Edge Pool internal side etc?

 

Please Advise. Thanks. 



