Got a colleague ringing me the other day with a strange issue:
He has Lync 2013 on premises with their voicemail hosted on Office 365 Exchange Online, all configured and working wonderfully.
However, for some users, the “HostedVoiceMail” attribute changes from “$true” to null. If he runs the “Set-CsUser -Identity Domain\Username -HostedVoiceMail $true” command again it will set it, but that will disappear as soon as DirSync runs again.
Did some investigation, and apparently – If it’s a shared mailbox, DirSync will switch it back from “$true” to “null”.
There is a workaround to fix this!
Go to your DirSync server, and at the following path: “%Program Files%\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell”, or “%Program Files%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell” if you’re using Azure, you will find “miisclient.exe”:
Open “miisclient.exe” and click the “Management Agents” tab:
Right-click “Source AD” and choose “Properties”:
In the new window, choose “Configure Attribute Flow”, and expand “Object Type: user”:
Under “Object Type: user” click “msExchUCVoiceMailSettings” once. At the Build Attribute Flow window below, uncheck the “Allow Nulls” box:
Click OK, and close the MIIS client.
Re-enable the user for hosted voicemail, then resync. The user’s HostedVoiceMail setting will remain unchanged.
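To confirm which users DirSync actually reverted, and that the fix holds after the next sync, the setting can be compared before and after a sync cycle. This is an added example, not part of the original post; the baseline file name is hypothetical, and it assumes the Lync Server Management Shell on a server where Get-CsUser is available.

```powershell
# Added example, not from the original post. Save as a .ps1 file and run it in
# the Lync Server Management Shell.
# Snapshot mode records users with hosted voicemail enabled; Check mode (run after
# a DirSync cycle) lists the ones whose HostedVoiceMail is no longer $true.
param(
    [ValidateSet('Snapshot', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = '.\hostedvm-baseline.csv'   # hypothetical file name
)

if ($Mode -eq 'Snapshot') {
    # Record every user that currently has HostedVoiceMail set to $true.
    Get-CsUser -Filter { HostedVoiceMail -eq $true } |
        Select-Object SipAddress, HostedVoiceMail |
        Export-Csv -Path $BaselinePath -NoTypeInformation
    return
}

if (-not (Test-Path $BaselinePath)) {
    throw "No baseline at $BaselinePath. Run with -Mode Snapshot first."
}

# Re-query each baseline user by SIP address and keep the ones that changed.
$reverted = foreach ($row in Import-Csv -Path $BaselinePath) {
    $user = Get-CsUser -Identity $row.SipAddress -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        # The account was removed or renamed since the snapshot.
        New-Object PSObject -Property @{ SipAddress = $row.SipAddress; Current = 'NotFound' }
    }
    elseif ($user.HostedVoiceMail -ne $true) {
        # This is the symptom described above: $true replaced by null.
        New-Object PSObject -Property @{ SipAddress = $row.SipAddress; Current = 'Reverted' }
    }
}

$reverted | Select-Object SipAddress, Current | Format-Table -AutoSize
Write-Host ("{0} user(s) lost the HostedVoiceMail setting since the snapshot." -f @($reverted).Count)
```

An empty result after the “Allow Nulls” change and a full sync means the attribute flow no longer overwrites the value.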
When you’re trying to view different reports in Lync Server 2013 monitoring, you might get the following error:
“Report processing stopped because too many rows in summary tables are missing in the call detail recording (CDR) database. To resolve this issue, run dbo.RtcGenerateSummaryTables on the LcsCDR database.”
Additional parameters might appear instead of “dbo.RtcGenerateSummaryTables”, depending on the report you wish to view.
To fix this problem, start SQL Management Studio on your SQL server and choose the Lync Monitoring instance:
Once connected, expand “Databases” -> “LcsCDR” -> “Programmability”:
In “Programmability”, expand “Stored Procedures”:
And scroll down until you find the procedure mentioned in the error:
Right-click the procedure and choose “Execute Stored Procedure”:
A new “Execute Procedure” window will open. Press “OK”:
A script will run and will (hopefully) return a ‘0’ value, meaning everything went ok:
That’s it! Return to your reports webpage and refresh:
Lync Server 2013 CU1 brought great news with it: Finally, Lync users can now pick-up calls on behalf of other users, when these are either away from their desk or in a call.
The configuration is done mostly (Forget it, entirely) by PowerShell and Command prompt.
To begin, you’ll need two major components:
The Lync Server 2013 CU1 installed on your servers. (Download)
The Microsoft Lync Server 2013 Resource Kit Tools. (Download)
Let’s start with the simple stuff:
Call pick-up uses the same mechanism as Call Park to let other users fetch the call, so we’ll have to create a “Call Park Orbit”. The great advantage here is that we don’t have to use actual extensions, and anyway users are used to dialing weird combinations like “#1250” or “*001” to fetch calls.
We now can assign numbers beginning with “#” or “*”, as long as we have at least three digits to follow, e.g: “#100”, or “*555”.
To create a new Call pick-up orbit, run the following command from Lync 2013 Management Shell:
New-CsCallParkOrbit -Identity "<Give it a name>" -Type GroupPickup -NumberRangeStart "#100" -NumberRangeEnd "#110" -CallParkService "<FEPool.domain.local>"
Note you can assign any numbers you want to “NumberRangeStart” and “NumberRangeEnd“.
It should be something like this:
If you did it right you should see event ID 31054 in the Lync Server event viewer:
Now the fun begins:
The application we use to configure the Call Pick-up can be found in the Lync Server 2013 Resource Kit. It’s called “SEFAUtil.exe” (Secondary Extension Feature Activation) and has to be run as a Trusted Application. This is where things get a little messy – we cannot use our Front-End servers for that (you wouldn’t want to configure your FE server as a Trusted Pool, nor is it supported by Microsoft), so you’ll have to use another server for that.
To configure the trusted application pool, run the following command from one of your Front-End servers:
The server will ask you to run “Enable-CsTopology“. Hang on with that…
Within the trusted application pool, you have to configure the trusted application. The name of the application MUST be “SEFAUtil”, as the command shows:
New-CsTrustedApplication -ApplicationId "sefautil" -TrustedApplicationPoolFqdn "<The server from the previous stage>" -Port xxxx
You can use any port you’d like. (Try not to use 25, 80, 443, etc…)
Now, run “Enable-CsTopology” and wait for the replication to occur.
Now – we’re ready to assign users with the new feature:
On the server that you have designated as the Trusted application pool, install the Lync Server 2013 Resource Kit.
From an elevated Command prompt or PowerShell, go to “C:\Program Files\Microsoft Lync Server 2013\ResKit“.
First: let’s test SEFAutil.exe. Gladly, it works in a very simple way: If it works – It will give you an output. If it’s not working – You’ll get a blank new line… That’s all there is to it. So to test, run the following command:
If you typed the command correctly and the application is trusted, you’ll get a reply from the server looking like this:
PS C:\Program Files\Microsoft Lync Server 2013\ResKit> .\SEFAUtil.exe /server:Dazy.duck.local Donald@Duck.com
User Aor: sip:Donald@Duck.com
Display Name: Donald Duck
UM Enabled: True
Simulring enabled: False
User Ring time: 00:00:20
Call Forward No Answer to: voicemail
PS C:\Program Files\Microsoft Lync Server 2013\ResKit>
If you got no output – Check your trusted apps or typing.
Now: Let’s say you want to enable all users to fetch calls directed to the user “Donald@Duck.com”. Just use the following command:
That’s all the configuration needed on the Lync side.
The next step is to configure a publishing rule in TMG 2010. Unfortunately, you cannot use your external web URL, since Lync traffic is bridged to port TCP 4443, and Office Web Apps Server works over HTTPS, meaning TCP 443.
Since TMG is end of life, you can now use IIS ARR to publish Lync Server 2013.
It’s been out quite a while and it works just fine. Here’s how to enable users to communicate with Lync server from their mobile devices…
Prerequisites, clarifications and supported platforms:
You must install Lync Server CU4 (KB2493736) for this to work. I usually download the LyncServerUpdateInstaller.exe file and let it automatically install all the needed updates. (If you have a more recent update – It’s already on there).
You must download the “Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service” McxStandalone.msi. Don’t be tempted to just run it now; we have a few things to do before that.
Your Edge server is used only for push notifications, via Lync Online. You can run the CU4 installation tool there to update your server, but you must not install the mobility update on your Edge Server.
Your reverse proxy (ISA\TMG\UAG) or any other device you’re using for that matter is what we’ll use to publish this service. In fact, we use the meet.yourdomain.com publishing rule.
If you feel like being useful, pre-publish a new external DNS A record called LyncDiscover.yourdomain.com and point it to the IP address of your ‘meet’ rule.
I recommend using a trusted, valid, third-party certificate on your reverse proxy server – it saves you loads of trouble.
There are currently Lync mobile apps for WP7, Android, iPhones and iPads. I don’t know of any Symbian apps coming soon.
There is something Blackberry-ish; I never saw it working.
So, Let’s get started.
Install the updates needed by launching the Lync Server update installer from where you saved the file:
Once finished, the installer shows you you’re all good. It also saves the installation logs of every update in the folder from which you launched the installer.
After installing the updates, we need to update the system. We will use the following Lync Powershell command to do so. If you’re using a single standard server like me, your command should look like this:
Now we can start configuring the system for the mobility part. This will be done mostly by using the Lync Server Management Shell.
A prerequisite for this service to work is to have IIS Dynamic Compression enabled. It can be quickly installed using two commands in PowerShell:
Import-Module Serv* (You can type the whole “ServerManager” command, but I always end up typing it twice so I’m getting lazy here…)
To configure the listening ports for the service, we will run one command twice, with two variables: the Primary listening port (internal) and the External listening port. These ports are documented in the Microsoft Lync Server 2010 Mobility Guide. To do that we will use the command “Set-CsWebServer” and provide our Front-end server’s FQDN and ports:
Then, we will update the topology using the following command:
Now, remember I told you not to run the McxStandalone.msi file? Here’s why: You should now take this file and paste it to the following location:
"C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup" and just paste the file there:
After the file is there, you can either launch the Lync Server Deployment Wizard and choose “Setup or remove Lync server components”:
Or just go to the Lync Server deployment folder (“C:\Program Files\Microsoft Lync Server 2010\Deployment”) and run the file “Bootstrapper.exe” This will install the update directly from the folder where we put it.
To view the log browse to your %tmp% folder and look for the latest Bootstrap-CsMachine log. If everything worked right, you will see a similar screen to this:
This tells you you have successfully installed the service!
But we’re not done yet. If you used the Lync Server Deployment Wizard, don’t close it just yet. If not, this might be a good time to open it. We now need to generate a new certificate request and assign a new certificate for the Front-end server.
Why, you ask? Well, the answer will be revealed in the certificate wizard: If you look closely, you’ll see that two SANs were added automatically to the request: Lyncdiscover and LyncDiscoverInternal. They are added to every SIP domain configured in your topology:
You can now assign the certificate to your server and move on to the next step:
The service works now, you just need to configure the reverse proxy. But wait – what’s a mobile app without push notifications? Well… Setting that up is rather easy if you have Lync Federation enabled and is done by running four Powershell commands:
If you’ll check your Lync Server Control now, you’ll see you have a new provider:
And a new federation partner:
That’s it, configuration on the front-end side is done.
Now, for your reverse proxy:
If you’re using TMG like I do, it’s rather easy. All you have to do is add “Lyncdiscover.yourdomain.com” to the Public names and make sure you have a certificate that corresponds to that name on your listener:
That’s about it.
Now, let’s test what we just did:
I have a WP7 device and want to connect it to Lync. If everything was configured correctly, we will go through these steps:
I’ll launch the Lync on my phone, it will show me this screen:
I will now insert only my Lync sign-in address and my password – this is all it takes for automatic sign in!
The app thinks for a while then launches the first screen:
It will ask you for your phone number – You can skip this step if you don’t have Enterprise Voice implemented:
Now it will ask you if you wish to enable push notifications:
And That’s it – you’re signed in:
What do push notifications look like?
Look at the top of the screenshot, this is what you see when you get the message:
If you did not respond to the notification, the live tile will remind you you have one unread message in Lync:
Finally, after doing some digging, here’s how to do it:
Log on to Office 365 OWA at https://outlook.com/<your.domain>:
Once logged on, go to “Help, About”:
In the new window, look for “Host Name”:
Copy the host name and close this window.
Now we can create a new profile in Outlook with the following configuration:
Choose to manually configure server settings:
Then choose “Microsoft Exchange or compatible service”:
In the Server Settings window, in the Server field, paste the Host Name you copied earlier.
Now, for this to work correctly, you need to add the word “mailbox” between the Host name and the rest of the FQDN. So if my Host Name is “sinprd0602.outlook.com”, my Server name here should be “sinprd0602.mailbox.outlook.com”. Do the same for the name you copied:
Don’t forget to enter your Office 365 email address at the “User Name” field, then click “More Settings” and go to the “Connection” tab. Check the “Connect to Microsoft Exchange using HTTP” box and click “Exchange Proxy Settings…”:
In the next window, fill the following details:
Type the Host Name you copied earlier in the “Use this URL to connect to my proxy server for Exchange” field.
Check the “Only connect to proxy servers that have this principal name in their certificate” box and type: msstd:outlook.com.
Make sure both checkboxes are marked for connecting using HTTP first, and make sure you set the authentication method to “Basic”:
Click “OK” twice, then click “Check name” and enter your password at the prompt. The server and user names should be underlined:
Click “Next” and “Finish” and open Outlook, enter your password if prompted. That’s it, You’re connected!
The purpose of this step by step article is to create user certificates with a validity period of 3 years instead of the default one year.
Since all users will visit the IT services desk to have the certificates installed on their mobile devices, we will use the “Enroll on behalf” option in ADCS 2008R2.
In my next article, we will see how to configure Forefront TMG 2010 to use Kerberos Constrained Delegation with Exchange Server 2010 SP1.
Note – not all steps are required in all organizations. See what fits you best.
Logged on as the Domain Administrator, open the User certificate MMC Snap-in:
Right-click on the Personal certificate store, and choose “All tasks”, “Request new certificate”:
In the first window click ‘Next’:
Choose your enrollment policy:
In the certificate template screen choose “Enrollment Agent” and click “Enroll”:
This is what you should see:
The new certificate is in your personal certificate store and you can now enroll certificates on behalf of other users:
To assign this privilege to other users, right-click your personal certificate store, choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:
Click “Next” on the first screen:
Choose your Enrollment policy:
Click “Browse” to choose the enrollment agent certificate you just created:
Choose your certificate and Click “OK”:
Choose the “Enrollment Agent” certificate template again, and click “Next”:
Click “Browse” to select the user you would like to enroll the certificate to:
Here I chose one user from the helpdesk staff:
It looks like this, now Click “enroll”:
And now you can choose whether to enroll another user or finish the operation:
Now you can see that the IT Helpdesk users 1 and 2 also have the ability to enroll certificates on behalf of users:
That’s done; let’s create the certificate template for the mobile devices:
Open your CA console, expand to “Certificate templates”, then right click it and choose “Manage”:
This will open the certificate templates snap-in. Scroll down to the User certificate template and choose “Duplicate Template”:
It will ask you which template you would like to create – I normally choose Windows Server 2008:
Once you press OK, the new certificate template is opened. Name your certificate template and change the certificate validity period. I think 3 years is more than enough:
Switch to the “Issuance Requirements” tab and change the following:
· Check the “This number of authorized signatures” box and type ‘1’ in the box.
· Make sure that the policy type required in the signature is “Application policy”.
· Change the Application policy to “Certificate Request Agent” from the drop down menu.
· Click OK to close the template.
This is just half way. You also need to start the registry editor and go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CertSvc\Configuration\<Your CA Name>.
There, look for the value “ValidityPeriodUnits”. Change it from 2 (default) to as high as you want. Note that you can only set the validity period on the template to as much as it’s set in the registry (i.e. even if you set the certificate template to 10 years and the registry is set to 3, you will only be able to extend the validity period to 3 years). This change does not affect predefined templates.
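The registry cap described above can be checked without opening the registry editor. The following is an added example, not part of the original article: it reads “ValidityPeriodUnits” together with its companion value “ValidityPeriod” (the unit) and compares the result with the 3-year template validity. When run on a machine that is not a CA it falls back to a constructed sample, which assumes the unit is Years.

```powershell
# Added example (not from the original article): read-only check of the CA-wide
# validity cap against the 3-year validity chosen for the duplicated template.

function Get-CapEndDate {
    # Translate the registry unit/count pair into an end date.
    param([string]$Unit, [int]$Count, [datetime]$From)
    switch ($Unit) {
        'Years'  { return $From.AddYears($Count) }
        'Months' { return $From.AddMonths($Count) }
        'Weeks'  { return $From.AddDays(7 * $Count) }
        'Days'   { return $From.AddDays($Count) }
        default  { throw "Unhandled ValidityPeriod unit '$Unit'" }
    }
}

$desiredYears = 3   # template validity period used in this article
$configKey    = 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'

if (Test-Path $configKey) {
    # On a CA server: the 'Active' value names the <Your CA Name> subkey.
    $caName = (Get-ItemProperty -Path $configKey).Active
    $ca     = Get-ItemProperty -Path (Join-Path $configKey $caName)
    $unit   = $ca.ValidityPeriod
    $count  = [int]$ca.ValidityPeriodUnits
}
else {
    # Constructed sample: the default count the article mentions (2), unit assumed.
    $caName = '<Your CA Name>'
    $unit   = 'Years'
    $count  = 2
}

$now     = Get-Date
$capEnd  = Get-CapEndDate -Unit $unit -Count $count -From $now
$wantEnd = $now.AddYears($desiredYears)

# The certificate gets the shorter of the two periods.
$effectiveEnd = if ($capEnd -lt $wantEnd) { $capEnd } else { $wantEnd }

New-Object PSObject -Property @{
    CA              = $caName
    RegistryCap     = "$count $unit"
    TemplateWants   = "$desiredYears Years"
    CapIsSufficient = ($capEnd -ge $wantEnd)
    IssuedNotAfter  = $effectiveEnd.ToString('yyyy-MM-dd')
} | Select-Object CA, RegistryCap, TemplateWants, CapIsSufficient, IssuedNotAfter | Format-List
```

If the value is changed, Certificate Services has to be restarted before the new cap applies to issued certificates.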
Now you can see the template in the templates list:
Go back to your CA mmc snap-in, and from “Certificate Templates”, choose “New”, “Certificate template to issue”:
Choose your new template and click OK:
You can see it under “Certificate Templates”:
Now – Let’s request a certificate on behalf of a user:
Right-click your personal certificate store, then choose “All Tasks”, “Advanced Operations”, “Enroll On Behalf Of”:
Click “Next” on the first screen:
Then, choose your Enrollment policy:
Click “Browse” to choose your enrollment agent certificate:
Choose your signing certificate and click “OK”: (Note you have more than one now)
Choose your new certificate and click “Next”:
Select the user you want to enroll the certificate to and click “Enroll”: