Lync 2013 Certificates for DR Pool

Similar Messages

• Steps to enable lync 2013 QOS for audio

  Experts,
  I am on the way to enable lync 2013 QOS for audio only. We have already decided the ports ranges and make sure that its not override.
  I just want to now, what will be happen to existing users using eEnterprise voice during i will lock the ports in servers and clients with GPO.
  What is user impact during the implementation. I can't see any TechNet article for same. Do we have some recommended steps to follow to avoid any issue to existing users ??
  Anil MCC 2011,ITIL V3,MCSA 2003,MCTS 2010, My Blog : http://messagingschool.wordpress.com

  While you configure QoS nothing will happen with existing users or even existing calls.  All that happens when you set a port range for Audio in the Lync is the next calls after the user picks up the change (client refreshes policies every 8 hours or
  on log out/in) will us that port range.
  If you have already decided on the port range you simply need to create the corresponding GPOs for both Server and Client as you mention.  There is no harm in doing it mid-day unless you had defined ports before/specific firewall rules across the environment
  for those ports - but that doesn't sound like the scenario here.
  Thanks,
  Richard
  Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Lync 2013 Certificate Count

  Hello, I'm new to Lync. 
  Can someone help me in determining how many certificates I need for the following:
  Lync 2013 Standard in Production Site A and DR Site A with pools paired
  Lync 2013 Standard in Production Site B and DR Site B with pools paired
  Can I get away with a single certificate and include all the SAN names, or do I need a certificate per pool pair or certificate per site?
  Thanks.

  Since these are internal servers, it's preferable to use an internal CA and use separate certificates. 
  Since the subject/common name of the cert should be the FQDN of the pool:
  http://technet.microsoft.com/en-us/library/gg398094.aspx.  You'll want at least one cert per pool.
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications

• Lync 2013 High Availablity in Pool

  Hi MS recommends to have 3 FE servers in Lync 2013 Pool. I have few questions to clarify
  1. why MS says if we have 2 FE servers then it will work as Lync 2010. what makes the differences between Lync 2010 (with 2 FE servers and Lync 2013 with 3 FE servers)
  1. with 2 FE servers in Lync 2013 pool, what will happen if my BE server goes down?
  3. I know the quorum used in Lync 2013 High availability (windows fabric) . Where the quorum will be stored? what model it is using?
  Thanks

  Enterprise Edition pools now are recommended to have a minimum of three, yes THREE front-end servers. This is due to the "Windows Fabric" replication architecture based on Azure. The back-end SQL database is no longer the store for real-time data.
  If you BE Server down, Lync will work for 10 min. then become down
  In order to function the Windows Fabric needs to achieve a status of Quorum. This means a certain number of servers (Voters) must be able to communicate with each other to ensure that the pool is capable of maintaining consistency (Quorum). There are 2
  different pool states in which we must maintain\achieve quorum which differ in how many voters must be available.
  Cold Pool Startup\Quorum Lost – when a pool is first starting or after quorum has been lost, that pool must have roughly 85% of its servers available to achieve quorum¹.
  Operating Pool – after a pool has been started we need at least 50% of the servers available to maintain quorum².
  ¹ This means that when defining a pool within topology builder only add the servers that will be deployed at that time, not in the future. If you put 6 servers in a pool within topology builder and only deploy 3, we will never achieve quorum because
  we don’t have approximitley 85% of the servers operational. Thus, the front end services will never start.
  ²If quorum is lost then all Front End services will be shutdown to protect the cluster from data loss.
  To identify the Quorum voters a given servers Windows Fabric identifies check C:\ProgramData\Windows Fabric\Settings.xml. This file is updated when the Windows Fabric Host service starts up, thus any changes to pool members requires a service restart on
  all Front Ends in the pool, one at a time. The To-Do list in topology builder lets you know that after publishing the topology. If this isn't completed your servers will have a skewed view of the topology which could cause issues.  Depending on the number
  of servers within the pool, this will dictate which voters are required.
  Even # Server Pool (Figure 1) – each server will have 1 vote and the SQL instance will have 1 vote. The SQL server will act as a tiebreaker.
  Odd #Server Pool (Figure 2) – each server will have 1 vote.
  For more info, You can refer below link
  http://jasonshave.blogspot.com/2012/11/lync-server-2013-ha-design-changes-and.html
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical | Twitter:
  Mai Ali

• Lync 2013 sizing for 12000 uers

  Hi,
     I have 12000 user to be planned for lync 2013. features required IM/presence, A/V, Web conferencing, Desktop sharing, persistence chat,  External access, federation etc.    HA is required.  below is the sizing , please let
  me know,  in case i can reduce the component.
  1.  3 FE servers in a pool + 2 SQL mirrored , 2 Edge servers in a pool, 2 persistence in a pool + 2 backend mirrored DB, 2 Web apps server   ...... can i reduce any servers from here???
  2 .   two HLB for external FE traffic, two  HLB for internal FE traffic  ........     can i reduce any HLB here? can i reduce DNS load balancing here?
  3.    DNS load balancing for a EDGE server pool .....do  i need to use HLB for any case?
  find picture for MS planning tool output
  thx

  1. The planning tool is correct, you will need 2 HLBs for the Front End Pool
  2. DNS LB on Edge limitations are a loss of failover with the following:
  Federation with OCS 2007\2007 R2
  Exchange UM for remote users using Exchange UM prior to Exchange 2010 with SP1
  Connectivity to public IM users
  3. If you add a PC pool and add 2 PC servers to the Pool you get HA
  4. WebApp, 2 servers with HLB
  http://technet.microsoft.com/en-us/library/gg615011.aspx
  I just want to point out that often times a lack of full understanding often results in customers requesting the platinum coated solution. In my opinion we can often over complicate a deployment resulting in more risk..
  Do have a read of Jason's thought at http://jasonshave.blogspot.co.nz/2012/11/lync-server-2013-ha-design-changes-and.html
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Lync Sorted blog

• Lync 2013 Certificate

  Hi
  I have Lync 2013
  I have 2 edge servers
  once my internal certificate expired and I make renew for the internal certificate the RTCSRV certificate stopped , how can I solve this issue
  what is the names should the certificate included ( Edge server certificate)
  MCP MCSA MCSE MCT MCTS CCNA

  Absolutely! This is a very common issue with deployments where you have more than one Edge server. The certificate request is usually generated from one of the Edge servers and the resultant certificate is imported on to the other Edge servers. But the
  certificate isn't visible in the certificate Assign wizard as it is missing the private key. The important step here is to export the certificate with the private key before you import it on the other Edge servers.
  Note: If you find a post informative, please mark it so using the arrow to the left. If it answers a question you have asked, please mark the thread as answered to aid others when they are looking for solutions to similar problems or queries.
  The opinions expressed here are solely my own and do not express the views or opinions of my employer.

• Office web Apps server Lync 2013 Certificate

  Hi,
   I'll be installing Office web app (OWA) server with Lync 2013 std edition. External users access is disabled but federation is enabled, mean OWA will be exposed to internet as wabweb.contoso.com, the interal host name of OWA server is owa.contoso.local
  Does the certificate on the on OWA server need to have owa.contoso.local and certificate principle name and wabweb.contoso.com as SAN? or only owa.contoso.local is enough?

  It really depends on how you publish the server to the internet. You have some options. If you are publishing this via a reverse proxy, internally you would have a private cert with .local on it and the public name on the reverse proxy.  If you are
  punching a firewall hole/NAT directly to the server your best option is to use a public cert on that server directly.
  That all said, personally I like to make both the internal and external farm URL the same, and use a public cert on the server (if no reverse proxy is in play).  So I would actually enter the OWAS Farm as wabweb.contoso.com in topology builder, than
  when creating the farm via PowerShell make that both the internal and external URL and get a certificate with a single name on it of wabweb.contoso.com.
  Richard
  Richard Brynteson, Lync MVP | http://masteringlync.com | http://lyncvalidator.com

• Lync 2013 - Skype for business User Interface

  Hello,
  We are using Lync 2013 with Lync 2013 server with CU from August 2014 (so not ready for Skype for Business).
  I have installed latest Desktop Updates for Windows and Office, and now everytime we log on we get the Skype for Business UI with the question to restart the client with the Lync UI.
  I have followed the recommendation in this article:
  https://technet.microsoft.com/library/dn954919.aspx
  I have set this:
  In the [HKEY_CURRENT_USER\Software\Microsoft\Office\Lync] key, create a new
  Binary value.
  The Value name must be  EnableSkypeUI, and the
  Value data   must be set  to 00 00 00 00.
  But this settings seems to be completely ignored... doesn't do anything.
  We can't set the policy on the server, as the server is not yet up-to-date and doesn't know about a Skype UI policy.
  Can somebody please tell me how I can start the updated Lync / Skype for Business client with the Lync UI as a default (without disturbing the user with the restart-the-client pop-up)?
  Thanks a lot!

  Hi,
  As mentioned the Lync Server is not up-to-date, based on my knowledge this is why the issue occurs.
  Please refer to this article below:
  https://technet.microsoft.com/library/dn954919.aspx
  You can configure the client experience only if you are running Lync Server 2013 with the December 2014 Cumulative Update (5.0.8308.857) or later installed. The latest one is:
  KB 3036869 February 2015 Cumulative Update 5.0.8308.871 for Lync Server 2013 Core Management Server.
  You can specify the client experience the users in your organization will see by using the
  Set-CSClientPolicy cmdlet with the EnableSkypeUI parameter:
  Set-CsClientPolicy -Identity Global -EnableSkypeUI $true
  Regards,
  Melon Chen
  TechNet Community Support
  It's recommended to download and install
  Configuration Analyzer Tool (OffCAT), which is developed by Microsoft Support teams. Once the tool is installed, you can run it at any time to scan for hundreds of known issues in Office
  programs. Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Outlook 2013/lync 2013- promping for password

  In our setup we have an exchange 2007 server, and running office 2013 incl lync 32 bit. When I login to a computer and enter outlook or lync, it connect without any problems or credentials popup.
  But if the pc goes to standby and "wakes" up again, outlook request for login info. The strange thing is, that username should be like domain\username, but sometime outlook in username already have typed
  [email protected] - and then it won´t work even password is entered correctly
  The same goes for lync. Actually even lync is prompting for login, lync in the background already are signed in - so why come with this login prompt in lync?.
  The above was also the same in office 2010 and 2007, but just wondering if that is something that can not be changed. Is it is something with security settings or is this password prompt caused on client side or is it something setup on server. If users
  are logging into windows 7 after standby, there should be no need to sign in several more times in the different programs.

  As per your description, Lync is actually signed in while it prompts for login. Lync generally prompts you for credentials only after you're signed in and when it must connect to an external service such as the Microsoft Exchange Free/Busy service or the
  Exchange Calendar service. If Lync continues to prompt you for credentials after it has done this several times, there's probably an issue with Outlook or with the Exchange services. 
  So, according to your statement, you might need to troubleshoot on Outlook/Exchange side. Please try steps/method listed in this article to see if they can stop this prompt:
  http://support.microsoft.com/kb/290684/en-us

• Exchange 2013 Certificates for Hybrid Deployment Clarification

   I have an Exchange 2013 servers (CAS and Mailbox on separate server) which I wanted to setup for Hybrid deployment. I already have a certificate acquired from 3rd party with 3 names (mail, autodiscover and owa). the certificate was installed in the
  CAS server. As per the hybrid deployment documentation I need also to install a certificate in the mailbox server, questions:
  1. Can I use the same certificate for installation in the mailbox server?
  2. Can I also use the same certificate in the Hybrid Configuration wizard for the "certificate to use with securing the hybrid mail transport"?
  3. Do I need to include the primary smtp domain (xxxxx.com) in the certificate since current configuration points to the mail.xxx.com as the certificate common name?

  Hi,
  Here are my answers you can refer to:
  1. It depends.
  The certificate used for hybrid secure mail transport must be installed on all on-premises Exchange 2013 Mailbox and Client Access servers.
  If you're configuring a hybrid deployment in an organization that has Exchange servers deployed in multiple Active Directory forests, you must use a separate third-party CA certificate for each Active Directory forest.
  2. Yes. But we recommend that you use a dedicated third-party certificate for any optional AD FS server, another certificate for the Exchange services for your hybrid deployment, and if needed, another certificate on your Exchange servers for other needed
  services or features.
  3. Yes. Here are the minimum suggested FQDNs that should be included on certificates: domain.com, autodiscover.domain.com, edge.domain.com
  For more information, you can refer to the following article:
  http://technet.microsoft.com/en-us/library/hh563848(v=exchg.150).aspx
  If you have any question, please feel free to let me know.
  Thanks,
  Angela Shi
  TechNet Community Support

• Understanding Lync 2013 Deployment for Single forest multiple domain Infrastructure

  Hello Everyone,
  I have an issue in understanding a deployment scenario of Lync 2013 Enterprise edition.
  We have a single forest multiple domain infra. 
  My My question here is, while AD prep, do we need to run Domainprep on every domain in the forest. 
  Thanks!
  Thank You!!! BR, Ammi.

  Hi Ammi,
  To prepare Active Directory Domain Services for your Lync Server 2013 deployment, you must perform three steps in a specific sequence.
  1.
   Preparing the Active Directory schema in Lync Server 2013
  Extends the Active Directory schema by adding new classes and attributes that are used by Lync Server.
  Run once for each forest in your deployment where Lync Server will be deployed.
  2. Preparing the forest for Lync Server 2013
  Creates global settings and universal groups that are used by Lync Server.
  Run once for each forest in your deployment where Lync Server will be deployed.
  3. Preparing domains for Lync Server 2013
  Adds permissions on objects to be used by members of universal groups.
  Run once per user domain or server domain.
  Hope it can be helpful.
  Best regards,
  Eric

• Lync 2013 .apk for Android

  Is there a download link for the Lync 2013 .apk? As id like to install it on my Nexus 7. 

  Hi,
  Please access the following link in the Nexus and install the Lync 2013 online:
  https://play.google.com/store/apps/details?id=com.microsoft.office.lync15&referrer=utm_source%3Dappbrain%26utm_medium%3Dappbrain_web%26utm_campaign%3Dappbrain_web
  Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.
  Sean Xiao
  TechNet Community Support

• Lync 2013 / Skype for Business sharing photos with federated contacts

  In the new SfB client I can see photos of federated contacts. I'm on Office 365 and this only happens for Federated contacts also hosted on Office 365 where we have an Exchange organisation relationship. I'm not sure if this
  is because of the new client, updated server software in Office 365 or something I just missed before.
  If I look into the client debug files I can see that the photo URL for Office 365 includes the wssecurity (federated authentication) but for onprem system it's missing.
  I have customers with Lync onprem asking for sharing the high res photos with external organisations. The classic URL-sharing is not a viable solution for several reasons. So, based on these findings:
  Is the wssecurity (Web Service Security) in the EWS path something that will come to SfB server for onpremises making ot possible to enable photo sharing between organisations having federated identity configured in Exchange?
  Lync Onprem (with highres photos configured)
  <photo type="exchange">
  <uri>
  <ewsUrl>https://mail.example.com/EWS/Exchange.asmx</ewsUrl>
  <primarySMTP>[email protected]</primarySMTP>
  </uri>
  <hash>"89E39E74"</hash>
  </photo>
  Lync Online
  <photo type="exchange">
  <uri>
  <ewsUrl>https://outlook.office365.com/EWS/Exchange.asmx/WSSecurity</ewsUrl>
  <primarySMTP>[email protected]</primarySMTP>
  </uri>
  <hash>"634A0794"</hash>
  </photo

  Hi,
  The Skype For Business Server update will come soon, I couldn't find any information about if the WSSecurity would be added to the EWS path for sfb. You can check when the update for Skype For Business comes. Thank you for your understanding.
  Best Regards,
  Eason Huang
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Eason Huang
  TechNet Community Support

• Lync 2013 / Skype for Business avatar problem

  Hello there,
  we’ve experienced a quite strange problem. When setting own user picture in Exchange OWA 2013 the picture right away is visible in SfB (Skype for Business) and everything work. The problem when deleting this
  picture in OWA it never vanishes from SfB. Also when setting a new picture the new picture also shows in SfB BUT then deleting this picture again in OWA the very first picture comes back. I’ve tried to delete all kind of caches (Lync / Outlook / OAB) in Explorer
  and Registry already but it just does not help. I’m quite sure that this is a local problem because we I sign in to another client computer with the same account the empty user picture is showing (as it should). Is there any way to get rid of this somewhere
  cached picture? It’s obviously not a problem at the server side.
  Thanks for help!
  Cheers
  Robert

  Hi,
  The photo cache on Lync client side: %userprofile%\AppData\Local\Microsoft\Office\15.0\Lync \sip_<SIP URI>\ABS_<SIP URI>.cache, try to delete it and test again.
  Please also try to repair Office and then have a test.
  Best Regards,
  Eason Huang
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact [email protected]
  Eason Huang
  TechNet Community Support