Lync 2013 on a single lable root domain

Similar Messages

• Understanding Lync 2013 Deployment for Single forest multiple domain Infrastructure

  Hello Everyone,
  I have an issue in understanding a deployment scenario of Lync 2013 Enterprise edition.
  We have a single forest multiple domain infra. 
  My My question here is, while AD prep, do we need to run Domainprep on every domain in the forest. 
  Thanks!
  Thank You!!! BR, Ammi.

  Hi Ammi,
  To prepare Active Directory Domain Services for your Lync Server 2013 deployment, you must perform three steps in a specific sequence.
  1.
   Preparing the Active Directory schema in Lync Server 2013
  Extends the Active Directory schema by adding new classes and attributes that are used by Lync Server.
  Run once for each forest in your deployment where Lync Server will be deployed.
  2. Preparing the forest for Lync Server 2013
  Creates global settings and universal groups that are used by Lync Server.
  Run once for each forest in your deployment where Lync Server will be deployed.
  3. Preparing domains for Lync Server 2013
  Adds permissions on objects to be used by members of universal groups.
  Run once per user domain or server domain.
  Hope it can be helpful.
  Best regards,
  Eric

• Lync 2013 federation failing for a specific domain

  Hello,
  We have recently migrated to Lync 2013 and noticed that one of the domains we federate with is unable to federate with us.
  we are getting the following error:
  Log Name:      Lync Server Source:        LS Protocol Stack  Event ID:      14428 Task Category: (1001)
  Level:         Error Keywords:      Classic User:          N/A Computer:      server.fqdn.com Description: TLS outgoing connection
  failures.
  Over the past 28 minutes, Lync Server has experienced TLS outgoing connection failures 4 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) while trying
  to connect to the server "sip.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "Unavailable". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to
  reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is
  not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check
  that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local
  machine.
  Thanks

  Thanks Michael.
  That worked for one of two issues I'm seeing, I did use the same steps for the second issue but it didn't seem to work, I have imported the CA of the domain we would like to federate with to the trusted root certification authorities and the intermediate
  certification authorities per the certificate issuer's website guidelines. I did learn that the federated partner is also using OCS 2007 R2, not sure if this may have to do with this.
  Over the past 30 minutes, Lync Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x80072746 while trying to connect to
  the server "ocs.example.com" at address [10.10.10.10:5061], and the display name in the peer certificate is "ocs.example.com". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target
  principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine.
  Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by
  DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.

• Lync 2013 certificate requirements for multiple SIP domains

  Hi All,
  I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually
  around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they
  appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
  Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
  Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
  Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
  Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
  Friendly URL option 3 from this page:
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  Client auto-configuration:
  i.     
  Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
  ii.     
  Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
  iii.     
  Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domains is also required. This is because a DNS CNAME to another domain is not supported over
  HTTPS.
  If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
  How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
  Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed
  to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
  Many thanks,

  Many thanks for the response.
  I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
  http://technet.microsoft.com/en-us/library/gg398287.aspx
  What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
  http://technet.microsoft.com/en-gb/library/hh690030.aspx
  Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects
  to an address of director.contoso.net is not supported over HTTPS.
  In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing
  rule for port 80 (HTTP).
  For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating
  domain.”
  I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
  As per the below article:
  http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
  “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
  create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
  This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
  the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
  ===================
  1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
  2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
  fall under the XXX umbrella but are very much run as individual entities.
  Question:
  Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
  Thanks.

• Is it possible Lync 2013 to be installed on a Domain Controller?

  I run a small infrastructure with two servers only,
  Both Domain Controllers with Windows 2008 R2 and the one is a file server too. I would like to know if I can install Lync 2013 Standard Server to any of them? I have not found a clear answer anywhere as I found for 2010.
  Thank You in advance
  Alexios

  Hi,
  Agree with Michael,
  You can't install Lync server on DC. You should use another server.
  Here is a similar may help you, it is for Lync server 2010 but similar for Lync server 2013:
  http://social.technet.microsoft.com/Forums/lync/en-US/0fa9f538-c076-4fdf-9c84-bd00499136ec/why-cant-lync-server-2010-be-installed-on-a-dc?forum=ocsplanningdeployment
  Best Regards,
  Eason Huang
  Eason Huang
  TechNet Community Support

• Lync 2013 mobility and external access not working

  Hi all.
  I installed and configured Lync Server 2013 Front End and Lync Server 2013 Edge on Windows Server 2012 R2.
  Internal lync clients (not mobile) can successfully connect to server and everything works fine for them. External users can connect only with manual configuration of address of external lync server in lync client, autodiscovery doesn't work.
  I also installed and configured IIS ARR Reverse Proxy on Windows Server 2012 R2 using this article -
  http://blogs.technet.com/b/nexthop/archive/2013/02/19/using-iis-arr-as-a-reverse-proxy-for-lync-server-2013.aspx. But it doesn't work too. When I try to connect I get 'Unable to connect to the server. Check your network connection or the server address and
  try again'.
  I configured dns records in the external dns zone.
  For Edge:
  sip.extdomain.ru – IP1
  lyncwebconf.extdomain.ru – IP2
  lyncav.extdomain.ru – IP3
  For Reverse Proxy:
  lyncdialin.extdomain.ru - IP4
  lyncmeet.extdomain.ru - IP4
  lyncextweb.extdomain.ru - IP4
  lyncdiscover.extdomain.ru - IP4
  I issued all needed certificates by the internal CA and added following alternative names.
  For FE certificate:
  sip.cherry.loc
  lync.cherry.loc
  dialin.cherry.loc
  meet.cherry.loc
  admin.cherry.loc
  lyncdiscoverinternal.cherry.loc
  lyncdiscover.cherry.loc
  lyncdialin.extdomain.ru
  lyncmeet.extdomain.ru
  lyncextweb.extdomain.ru
  lyncdiscover.extdomain.ru
  For Edge external and Reverse Proxy:
  lyncav.extdomain.ru
  sip.extdomain.ru
  lyncwebconf.extdomain.ru
  lyncdialin.extdomain.ru
  lyncmeet.extdomain.ru
  lyncextweb.extdomain.ru
  lyncdiscover.extdomain.ru
  cherry.loc
  The root certificate of internal CA installed on all servers and client devices.
  Using Wireshark I see that Reverse Proxy communicating with FE on port 4443.
  Here is an excerpt from mobile client log.
  GET https://lyncdiscover.extdomain.ru/?sipuri=sip:[email protected]
  Request Id: 0x6f54648
  HttpHeader:Cache-Control no-cache
  HttpHeader:Content-Length 1006
  HttpHeader:Content-Type application/vnd.microsoft.rtc.autodiscover+xml; v=1
  HttpHeader:Date Mon, 22 Sep 2014 11:17:45 GMT
  HttpHeader:Expires -1
  HttpHeader:Pragma no-cache
  HttpHeader:Server Microsoft-IIS/8.5
  HttpHeader:StatusCode 200
  HttpHeader:X-AspNet-Version 4.0.30319
  HttpHeader:X-Content-Type-Options nosniff
  HttpHeader:X-MS-Server-Fqdn lync.cherry.loc
  HttpHeader:X-Powered-By ASP.NET, ARR/2.5
  Ôªø<?xml version="1.0" encoding="utf-8"?><AutodiscoverResponse xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-
  instance" AccessLocation="External"><Root><Link token="Domain" href="https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/domain?originalDomain=extdomain.ru" /><Link token="User" href="https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru" 
  /><Link token="Self" href="https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root?originalDomain=extdomain.ru" /><Link token="OAuth"
  href="https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/oauth/user?originalDomain=extdomain.ru" /><Link token="External/XFrame" href="https://lync.cherry.loc/Autodiscover/XFrame/XFrame.html" /><Link
  token="Internal/XFrame" href="https://lync.cherry.loc/Autodiscover/XFrame/XFrame.html" 
  /><Link token="XFrame" href="https://lync.cherry.loc/Autodiscover/XFrame/XFrame.html" /></Root></AutodiscoverResponse>
  </ReceivedResponse>
  2014-09-22 15:17:53.041 Lync[299:715a000] INFO TRANSPORT CUcwaAutoDiscoveryResponse.cpp/119:location value is external
  2014-09-22 15:17:53.042 Lync[299:715a000] INFO TRANSPORT CUcwaAutoDiscoveryResponse.cpp/195:User url is
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.042 Lync[299:715a000] INFO TRANSPORT CHttpRequestProcessor.cpp/266:Sending event to main thread for request(0x6f54648)
  2014-09-22 15:17:53.042 Lync[299:3c2a218c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/822:Req. completed, Stopping timer.
  2014-09-22 15:17:53.043 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp/290:Received a root response
  2014-09-22 15:17:53.043 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryGetUserUrlOperation.cpp/224:UcwaAutoDiscoveryGetUserUrlOperation completed with
  url = https://lyncdiscover.extdomain.ru/?sipuri=sip:[email protected], userUrl = https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru, status = S_OK (S0-0-0)
  2014-09-22 15:17:53.043 Lync[299:3c2a218c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/725:Response received for req. GET-UnAuthenticatedGet(0x6f54648): S_OK (S0-0-0) (Success); Done with req.; Stopping resend timer
  2014-09-22 15:17:53.044 Lync[299:3c2a218c] INFO TRANSPORT CCredentialManager.cpp/176:getSpecificCredential for serviceId(1) returning: credType (1) signInName ([email protected]) domain (cherry) username (user) password.empty() (0) certificate.isValid() (0)
  privateKey.empty() (1) compatibleServiceIds(1)
  2014-09-22 15:17:53.044 Lync[299:3c2a218c] INFO TRANSPORT CMetaDataManager.cpp/403:Received a request to get the meta data of type 0 for url
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.044 Lync[299:3c2a218c] INFO TRANSPORT CMetaDataManager.cpp/458:Sending Unauthenticated get to get the web-ticket url
  2014-09-22 15:17:53.044 Lync[299:3c2a218c] INFO TRANSPORT CTransportThread.cpp/135:Added Request() to Request Processor queue
  2014-09-22 15:17:53.045 Lync[299:3c2a218c] INFO TRANSPORT CAuthenticationResolver.cpp/109:Waiting on Meta Data from https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.045 Lync[299:659a000] INFO TRANSPORT CTransportThread.cpp/347:Sent Request() to Request Processor
  2014-09-22 15:17:53.045 Lync[299:3c2a218c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/385:Submitting new req. GET-AuthenticatedUserGetRequest(0x6e83da8)
  2014-09-22 15:17:53.045 Lync[299:659a000] WARNING TRANSPORT CCredentialManager.cpp/317:CCredentialManager::getSpecificCredential returning NULL credential
  for serviceId (4) type (1)!
  2014-09-22 15:17:53.046 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryService.cpp/1263:Submitting Authenticated AutoDiscovery request to
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.046 Lync[299:659a000] INFO TRANSPORT TransportUtilityFunctions.cpp/689:<SentRequest>
  GET https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  Request Id: 0x133b6a8
  HttpHeader:Accept
  </SentRequest>
  2014-09-22 15:17:53.046 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/399:Allocating stream 0x6e73850 for url - https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user with persistent id as 16
  2014-09-22 15:17:53.047 Lync[299:659a000] VERBOSE TRANSPORT CHttpProxyHelper.cpp/435:CHttpProxyHelper::discoverProxy : No proxy found for url 
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru. Sending over direct connection.
  2014-09-22 15:17:53.050 Lync[299:659a000] ERROR TRANSPORT CHttpConnection.cpp/1029:Request Type = 0x%u0x6e743a0 Error domain = kCFErrorDomainCFNetwork code = 0x2 ErrorDescription = The operation couldn’t be completed. (kCFErrorDomainCFNetwork error 2.) ErrorFailureReason
  = ErrorRecoverySuggestion =  
  2014-09-22 15:17:53.050 Lync[299:659a000] ERROR UTILITIES CHttpConnection.cpp/958:GetAddrInfo returned error 0x8
  2014-09-22 15:17:53.050 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/467:Releasing stream 0x6e73850.
  2014-09-22 15:17:53.050 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/599:Releasing stream 0x6e73850.
  2014-09-22 15:17:53.051 Lync[299:659a000] INFO TRANSPORT CHttpRequestProcessor.cpp/173:Received response of request() with status = 0x22020001
  2014-09-22 15:17:53.051 Lync[299:659a000] INFO TRANSPORT CHttpRequestProcessor.cpp/201:Request resulted in E_ConnectionError (E2-2-1). The retry counter is: 0
  2014-09-22 15:17:53.051 Lync[299:659a000] WARNING TRANSPORT CCredentialManager.cpp/317:CCredentialManager::getSpecificCredential returning NULL credential
  for serviceId (4) type (1)!
  2014-09-22 15:17:53.052 Lync[299:659a000] INFO TRANSPORT TransportUtilityFunctions.cpp/689:<SentRequest>
  GET https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  Request Id: 0x133b6a8
  HttpHeader:Accept
  </SentRequest>
  2014-09-22 15:17:53.052 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/399:Allocating stream 0x14102a0 for url - https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user with persistent id as 16
  2014-09-22 15:17:53.053 Lync[299:659a000] VERBOSE TRANSPORT CHttpProxyHelper.cpp/435:CHttpProxyHelper::discoverProxy : No proxy found for url
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru. Sending over direct connection.
  2014-09-22 15:17:53.056 Lync[299:659a000] ERROR TRANSPORT CHttpConnection.cpp/1029:Request Type = 0x%u0x14080f0 Error domain = kCFErrorDomainCFNetwork code =
  0x2 ErrorDescription = The operation couldn’t be completed. (kCFErrorDomainCFNetwork error 2.) ErrorFailureReason = ErrorRecoverySuggestion =
  2014-09-22 15:17:53.056 Lync[299:659a000] ERROR UTILITIES CHttpConnection.cpp/958:GetAddrInfo returned error 0x8
  2014-09-22 15:17:53.056 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/467:Releasing stream 0x14102a0.
  2014-09-22 15:17:53.056 Lync[299:659a000] INFO UTILITIES CHttpStreamPool.cpp/599:Releasing stream 0x14102a0.
  2014-09-22 15:17:53.057 Lync[299:659a000] INFO TRANSPORT CHttpRequestProcessor.cpp/173:Received response of request() with status = 0x22020001
  2014-09-22 15:17:53.057 Lync[299:659a000] INFO TRANSPORT CHttpRequestProcessor.cpp/201:Request resulted in E_ConnectionError (E2-2-1). The retry counter is: 1
  2014-09-22 15:17:53.057 Lync[299:659a000] INFO TRANSPORT CHttpRequestProcessor.cpp/266:Sending event to main thread for request(0x133b6a8)
  2014-09-22 15:17:53.058 Lync[299:3c2a218c] INFO TRANSPORT CMetaDataManager.cpp/572:Received response for meta data request of type 60 with status 570556417
  2014-09-22 15:17:53.058 Lync[299:3c2a218c] ERROR TRANSPORT CMetaDataManager.cpp/588:Unable to get a response to an unauthenticated get to url
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.059 Lync[299:3c2a218c] INFO TRANSPORT CAuthenticationResolver.cpp/208:MetaData retrieval for url https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru completed with status 570556417
  2014-09-22 15:17:53.059 Lync[299:3c2a218c] INFO TRANSPORT CAuthenticationResolver.cpp/238:Deleting 1 pended Meta data requests for url
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.059 Lync[299:3c2a218c] ERROR TRANSPORT CAuthenticationResolver.cpp/334:Unable to get the meta data for server url
  https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root/user?originalDomain=extdomain.ru
  2014-09-22 15:17:53.059 Lync[299:3c2a218c] INFO TRANSPORT CAuthenticationResolver.cpp/337:Failing request to the request manager
  2014-09-22 15:17:53.060 Lync[299:3c2a218c] INFO TRANSPORT CRequestManager.cpp/284:Failing secure request UcwaAutoDiscoveryRequest with status E_ConnectionError (E2-2-1)
  2014-09-22 15:17:53.060 Lync[299:3c2a218c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/822:Req. completed, Stopping timer.
  2014-09-22 15:17:53.060 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryService.cpp/1358:Received autodiscovery response with status E_ConnectionError (E2-2-1)
  2014-09-22 15:17:53.060 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryService.cpp/1316:Raising Autodiscovery event with status E_ConnectionError (E2-2-1) for eventType 0
  2014-09-22 15:17:53.061 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/417:Received event for type 0 with status E_ConnectionError (E2-2-1)
  2014-09-22 15:17:53.061 Lync[299:3c2a218c] INFO APPLICATION CUcwaAutoDiscoveryServiceRetrialWrapper.cpp/539:Autodiscovery scheduled retrial timer. Timer 0.000000 seconds
  2014-09-22 15:17:53.061 Lync[299:3c2a218c] INFO APPLICATION CAlertReporter.cpp/64:Alert received! Category 1, Type 201, level 0, error E_ConnectionError (E2-2-1), context '', hasAction=false
  2014-09-22 15:17:53.061 Lync[299:3c2a218c] INFO APPLICATION CAlertReporter.cpp/117:Alert cleared of Category 1, Type 201, cleared 0 alerts
  2014-09-22 15:17:53.062 Lync[299:3c2a218c] INFO APPLICATION CTransportRequestRetrialQueue.cpp/725:Response received for req. GET-AuthenticatedUserGetRequest (0x6e83da8): E_ConnectionError (E2-2-1) (RemoteNetworkTemporaryError); Done with req.; Stopping resend
  timer
  2014-09-22 15:17:53.062 Lync[299:3c2a218c] INFO UI CMAlertViewController.mm/87:ObservableListItem Added event received
  2014-09-22 15:17:53.062 Lync[299:3c2a218c] INFO UI CMAlertViewController.mm/97:showalert is 1
  2014-09-22 15:17:53.063 Lync[299:3c2a218c] INFO UI CMConversationCommon.mm/43:not signed in
  2014-09-22 15:17:53.063 Lync[299:3c2a218c] INFO UI CMConversationCommon.mm/43:not signed in
  2014-09-22 15:17:53.063 Lync[299:3c2a218c] INFO UI CMConversationCommon.mm/43:not signed in
  2014-09-22 15:17:53.063 Lync[299:3c2a218c] INFO UI CMConversationCommon.mm/43:not signed in
  2014-09-22 15:17:53.063 Lync[299:3c2a218c] INFO UI CMConversationCommon.mm/43:not signed in
  2014-09-22 15:17:53.064 Lync[299:3c2a218c] INFO UI CMNotificationManager.mm/697:desired view is alert, size 1
  2014-09-22 15:17:53.064 Lync[299:3c2a218c] INFO UI CMNotificationManager.mm/737:adding the desired view
  2014-09-22 15:17:53.065 Lync[299:3c2a218c] INFO UI CMNotificationManager.mm/472:reposition floating views
  2014-09-22 15:17:53.065 Lync[299:3c2a218c] INFO UI CMAlertViewController.mm/104:showalert is 1
  2014-09-22 15:17:53.065 Lync[299:3c2a218c] INFO UI CMAlertViewController.mm/108:showalert is 0
  2014-09-22 15:17:53.066 Lync[299:3c2a218c] INFO UI CMUIUtil.mm/410:Mapping error code = 0x22020001, context = , type = 201
  2014-09-22 15:17:53.066 Lync[299:3c2a218c] INFO UI CMUIUtil.mm/1708:Mapped error message is 'Unable to connect to the server. Check your network connection or the server address and try again. 

  Result of Lync Connectivity Analyzer.
  External Auto discover service : https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root
  Starting Lync server autodiscovery
  Please wait; this test may take several minutes to complete...
  Starting automatic discovery for secure (HTTPS) internal channel
  lyncdiscoverinternal.extdomain.ru can't be resolved by the DNS server. Skipping internal discovery.
  Starting automatic discovery for secure (HTTPS) external channel
  Server discovery has completed for https://lyncdiscover.extdomain.ru/.
  Automatic discovery results for https://lyncdiscover.extdomain.ru/
  Access Location : Internal
  SIP Server Internal Access : lync.cherry.loc
  SIP Server External Access : sip.extdomain.ru
  SIP Client Internal Access : lync.cherry.loc
  SIP Client External Access : sip.extdomain.ru
  Internal Auth broker service : https://lync.cherry.loc/Reach/sip.svc
  External Auth broker service : https://lync.cherry.loc/Reach/sip.svc
  Internal Auto discover service : https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root
  External Auto discover service : https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root
  Internal MCX service : https://lync.cherry.loc/Mcx/McxService.svc
  External MCX service : https://lync.cherry.loc/Mcx/McxService.svc
  Internal UCWA service : https://lync.cherry.loc/ucwa/v1/applications
  External UCWA service : https://lync.cherry.loc/ucwa/v1/applications
  Internal Webscheduler service : https://lync.cherry.loc/Scheduler
  External Webscheduler service : https://lync.cherry.loc/Scheduler
  Total server discovery time: 5,0 seconds
  Server discovery succeeded for secure (HTTPS) external channel against URL https://lyncdiscover.extdomain.ru/
  Starting automatic discovery for unsecure (HTTP) external channel
  Couldn't connect to URL http://lyncdiscover.extdomain.ru/[email protected] (HTTP status code NotAcceptable)
  Server discovery failed for unsecured external channel against http://lyncdiscover.extdomain.ru/
  Starting the requirement tests for Lync Mobile 2013 App
  Please wait; this test may take several minutes to complete...
  Testing the app requirements using the following discovery response:
  Access Location : Internal
  SIP Server Internal Access : lync.cherry.loc
  SIP Server External Access : sip.extdomain.ru
  SIP Client Internal Access : lync.cherry.loc
  SIP Client External Access : sip.extdomain.ru
  Internal Auth broker service : https://lync.cherry.loc/Reach/sip.svc
  External Auth broker service : https://lync.cherry.loc/Reach/sip.svc
  Internal Auto discover service : https://lync.cherry.loc/Autodiscover/AutodiscoverService.svc/root
  Internal MCX service : https://lync.cherry.loc/Mcx/McxService.svc
  External MCX service : https://lync.cherry.loc/Mcx/McxService.svc
  Internal UCWA service : https://lync.cherry.loc/ucwa/v1/applications
  External UCWA service : https://lync.cherry.loc/ucwa/v1/applications
  Internal Webscheduler service : https://lync.cherry.loc/Scheduler
  External Webscheduler service : https://lync.cherry.loc/Scheduler
  Starting tests for Mobility (UCWA) service
  Verifying internal Ucwa service: https://lync.cherry.loc/ucwa/v1/applications
  Successfully created the UCWA service
  Completed tests for Mobility (UCWA) service
  Verification failed for Mobility (UCWA) service. The service could not be reached from an external network.
  Select All results above for more information about the failures. Detailed information can also be found in the log file.
  Your deployment meets the minimum requirements for Lync Mobile 2013 App.

• Lync 2013 client doesn't read proxy.pac file Lync exclusions

  Hi all,
  I have a very annoying issue where by the Lync 2013 client ignores the proxy.pac file exclusions set below:
  (host == "lync.test.domain") || (host == "lyncdiscoverinternal.test.domain") ||
  (host == "lyncwacdca.test.domain") ||
  (host == "lyncwacdcb.test.domain") ||
  (host == "lyncwebintdca.test.domain") ||
  (host == "lyncwebintdcb.test.domain")
  IE is set to use automatic configuration script of
  http://proxy.test.domain:8083/proxy.pac This file can be reached through and IE browser, downloaded and it's syntax read.
  If I set my proxy server and exclusions manually within IE9 then they are adhered to. That is Lync 2013 is able to read.
  My thinking: that some application may be iterferring with Lync 2013 getting to
  http://proxy.test.domain:8083/proxy.pac or reading in the exclusions set within the file.
  If I enter https://lync.test.domain into the browser URL search field I can see that it is being sent straight out to the proxy as opposed to bypassing it.
  Does anyone have an example of their proxy.pac exclusion set for Lync 2013 just in case my syntax is not looking the best.
  Cheers

  Update to this issue - solution was to move the proxy exclusions to the top of the proxy.pac
  Outcome resulted in Windows WinHTTP processing the the Lync proxy exclusions prior to the Lync.exe firing during logon. I don't believe you would see this in a typical infrastructure. Since initially looking into this issue I  have been
  able to show through packet traces, large periods of latency in delivery of desktop profile items due to backend profile storage issues.
  In eddition this moving the exclusions to the top of the pac file I made use of substrings. I don't believe the use of substrings is any better or worst, but just easier for others to understand what the exclusion allows specifically.
  Example of pac exclusion now:
  if (url.substring(0,39) == "http://lyncdiscoverinternal.testdomain.") { return "DIRECT"; } //matches 31 characters including last . or period
  I entered similar entries for all required exclusions. The result was Lync signing in within 6 seconds as opposed to the 40 second (through the user of legacy SRV records).

• Lync 2013 and SSL with edge

  Dear All,
  It is always come to be a confusing, about certificate when it comes to lync 2013 and edge. suppose i have domain abc.com and i have to plan to add additional sip domain like xyz.com, abc.com, dfg.com etc. and my default domain would be abc.com so my naming
  option would be like this meet.abc.com/sipdomain/meet. I am little confuse how this is teckle in frontend and edge role. Do i have to get new request in edge or have to just import certificate generated in frontend and import into edge. 

  Thanks Eric and Thamara,
  So for internal CA, which means i have to install active directory certiificate and no need to buy certificate from public authority. and  which include following entries on first front end server admin.defaultsipdomain.com, dialin.defaultsipdomain,
   lyncdiscoverinternal.defaultsipdomain,  lyncdiscover.defaultsipdomain.com
  Or i should i get it from public authority and add all edge and front end requirement and reverse proxy in ucc certificate  and use same to import into front end and edge and reverse proxy. 

• New lync 2013 , 2 subdomains ,ad one domain in foreign country

  As you can see in the picture below, I have the main AD called main.prod and two child1 and child2 subdomains. What is more  I have AD called international.prod placed in foreign country.  I have mbox, cas  using child1.main.prod domain and
  lync 2010  with UM funcion. The more I have 2way trust  between child2.main.prod subdomain and international.prod domain. Now what I would like to do is : make CAS in subdomain child2.main.prod which is authorising people from domain international.prod
  and have mailboxes on mbox from subdomain child1.main.prod as it is shown in the picture. Do you think it make sense? Or I have to make mbox in subdomain child2.main.prod????
  WHat else: I would like resign Lync 2010 and  install new  Lync 2013 and make people from subdomains: child1 and child2 and domain international.prod using this new Lync ,and move UM funcionality from old 2010 lync into new 2013.
  Any contraindications, suggestions??

  Lync Server supports the following topologies for Exchange UM integration:
  Multiple domain (that is, a root domain with one or more child domains). Lync Server, and Microsoft Exchange servers are deployed in different domains from the domain where you create users. Exchange UM servers can be deployed in different
  domains from the Lync Server pool they support.
  Lisa Zheng
  TechNet Community Support

• Lync 2013 & Active Directory Intra Domain Migrations

  Hi all,
  Hopefully this is the correction forum to ask.  Suppose the following scenario
  Parent Domain containing Lync 2013 Servers
  Child domains consisting of user accounts
  It is intended that child domains containing Lync 2013 enabled users be migrated to the parent domain. 
  A few questions
  Is it possible to migrate user accounts to another domain and configure the migrated (technically new) account to link back to Lync so as to retain contact information?
  Or prior to migration have contacts exported so they can be imported into the new Lync 2013 accounts?
  Thanks,

  Within a single forest it quite possible to have Lync installed in one domain and User a part of another domain 
  All we have to do during the Lync server install process run the domain prepaerationn wizard for all the domain weher we shall either have Lync user object or Lync server object 
  Please refer http://technet.microsoft.com/en-us/library/gg398630.aspx
  I believe As long as the user SIP URI Doesn't change you can export the user data information and after the migration if you can import in user information 
  Please refer http://technet.microsoft.com/en-us/library/jj204897.aspx
  PLEASE REMEMBER, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answered"

• SCCM 2012 R2 and single lable domain

  Hello,
  we have a followng case: root forest domain is single label domain such as ABC, it has child domain CORP.ABC. In the technet article just a little information about it, it says what SCCM supports site systems and clients, can we install SCCM in the single
  lable domain? Or in the child domain when forest domain is single label domain? Will schema be extended without problems and MP data published?

  Extending the schema is independent of the domain being single labled.
  SLD restrictions are listed here:
  http://technet.microsoft.com/de-de/library/gg682077.aspx#BKMK_SupConfigSLD
  Torsten Meringer | http://www.mssccmfaq.de

• Lync 2013 Clients in Child Domain Log "The server returned HTTP status code '403 (0x193)' with text 'Forbidden'."

  Hey All, I am really stumped on this one. 
  Environment - Is using split DNS
  Forest Root Domain - Contains new Lync 2013 Server Standard, ADDS, DNS, Enterprise CA, Workstations
  Clients in this domain connect and work beautifully. No errors. 
  Child Domain - ADDS, DNS, Workstation, Lync 2013 client
  Client autodiscovers, and then asks for a password. Enter the password and this comes up...
  Can't sign in to Lync, You didnt get signed in, It might be your sign-in address or logon credentials..  blah blah blah" 
  Client log shows 
  Error:
  There was an error communicating with the endpoint at 'https://domainlync13srv.Domain.net/WebTicket/WebTicketService.svc'.
  The server returned HTTP status code '403 (0x193)' with text 'Forbidden'.
  The server understood the request, but cannot fulfill it.
  As far as i can tell certificates are correctly configured with all the SAN's possible in my forest. The user is correctly set up in Lync control panel. Autodiscovery seems to be working as it should. EWS is working correctly. 
  Repaired client, removed cached creds, has all lync 2013 updates no dice
  Thank you all! 

  I am an IDIOT. 
  I did not prepare the child domain with the LYNC setup tool. Logged on to a file server in the child domain with domain admin rights and sure enough the setup said the domain was "partial". Ran the setup and bam it all started working. 

• Lync 2013 FE server certificate - different domain name

  Hi,
  I am implementing a small Lync infrastructure with the following components in a Resource Forest - Account Forest type implementation with a bi-directional Trust between the two forests:
    1 x Lync 2013 FE Standard,   1 x Mediation server  and  1 x Office Web App server
  Both AD forests have their PKI CAs, the certificate on the FE server is signed by the CA from the Account domain. All servers and workstations have both Root certificates implemented.
  User’s SIP domain name (account forest) is different from the FE server (resource forest) domain name.
  Question: When internal users sign-in to Lync they get a warning prompt as follows:
  “Lync cannot verify that the server is trusted for your sign-in address. Connect anyway?”
  Users can select to connect and everything functions correctly, however, I would like to get rid of the warning message at the beginning.
  Any idea what may be wrong, is something missing on the certificate ?
  Thanks for your help,
  Luca

  You can try to edit the internal web services FQDN and ensure your other populated DNS records point to a FQDN that matches the sip domain, or use the TrustModelData workaround here:http://support.microsoft.com/kb/2833618
  Here are a couple extra articles that dive in to what's happening: http://terenceluk.blogspot.com/2013/04/signing-into-lync-2013-client-presents.html?m=1
  http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
  SWC Unified Communications
  This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

• Lync 2013 /w Edge not working properly (internal/external same domain name and all "external" users"

  Hi,
  I've got some issues with a Lync 2013 setup.
  The config consists of 2 lync servers. One FE and one Edge. All seems to work except audio in meetings and Sip.
  The setup is like this (fake ip's used):
  Front End:
  Internal IP: 172.16.0.10
  External IP: x.x.185.10
  All ports open in Cisco ASA
  internal AD DNS: dialin/lync/meet/lyncdiscover to Front end internal ip. edge/lsedge/sip points to edge internal ip
  EDGE:
  Interal IP: 172.16.0.11 (no gateway configured)
  External IPS: x.x.185.11, x.x.185.12, x.x.185.13
  All external IP's are direct internet facing, no NAT (a firewall is in place).
  All external interfaces are using a wildcard certificate.
  All server are running in a remote data center, so basically no internal users. We all connect to the external interfaces. The Windows domain name (AD) is the same as our External DNS (companyname.com).
  Autodiscover works, we can logon, chat but there is no audio. The audio test failes. Also SIP is not working with a sip trunk.
  External DNS: sip/webconf/av are pointing to their external ip's. sipexternal is a cname to sip. lyncdiscover/lync/dialin/meet all point to the Frond end External ip.
  _sip._tls/_sipfederationtls.tcp/_xmpp-server.tcp all point to the sip.companyname.com ip.
  I just can't figure out what is wrong.

  @PSingh123 I'll try the logs in a minute and get back with the results.
  @PaulB_NZ Thanks for the input. In my opinion the FE does need an external IP. How else will you be able to connect if you are a remote worker?
  The Edge is (asfar as i know) needed for Enterprise voice and Federation with other (external) sip domains. It's not needed for basic (chat/video/whiteboard etc) Lync functionality for both internal and external (remote) users.
  The Edge is to communicate with services/users outside the origanisation.
  I do still think that the basic topology (FE with internal IP and Nat'ed external ip working with an Edge with internal IP and 1 external IP nat'ed to 3 DMZ ip's) is correct in this case.
  I can be wrong and in that case would like to be pointed to the correct configuration.
  75           
  Points
  Top 15
  PSingh123        
  Partner        
  Joined  Jun 2007        
  9
  PSingh123's threads
  Show activity

• Can I add a two way trusted but in different forest domain to My existing Lync 2013 Topology !

  HI !
  We have an installed Lync 2013 Std Edt. setup and its working perfectly for one domain. Our network infrastructure ( LAN ) is being shared with our sister company. They have their own forest and domain and a two ways trust relationship with our domain. I
  want to add them in our Lync 2013 topology, is it possible ?? if yes, thn what are the requirements and which changes i need to consider.
  Response from experts would be greatly appreciated. 

  Yes, You must establish a two-way trust between the central forest and user forests to enable distribution group expansion when groups from user forests are synchronized as contacts to the central forest.
  Also you can refer below link
  http://technet.microsoft.com/en-us/library/gg670909%28v=ocs.14%29.aspx
  Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question, please click "Mark As Answer"
  Mai Ali | My blog: Technical