Monthly Archives: June 2013

Lync 2013 - DNS Settings

If you are setting up Lync Server for the first time, or have been running it for a while, you will notice that Lync depends heavily on DNS records.  In many cases a Lync deployment cannot be set up correctly without a split-DNS setup and a masked UPN, which makes things even trickier.  Here is the complete list of DNS records I used to deploy Lync 2013.  I have verified that federation works properly, as do IMs, conferencing, dial-in meetings, mobile and desktop client sign-in, and desk phones.  (In the original post the records that are required/standard in every Lync deployment are highlighted in red; that highlighting is not reproduced here.)  The SRV port numbers in the tables below are the standard Lync values.

Internal DNS Records

Record Type   Value                                  Points to
A             lyncdiscoverinternal.mydomain.com      Lync front end server
A             lyncdiscover.mydomain.com              Lync reverse proxy (needed for mobile devices to work internally)
A             lync.mydomain.com                      Lync front end server
A             sip.mydomain.com                       Lync front end server (multiple A records if enterprise pool)
A             dialin.mydomain.com                    Lync front end server
A             meet.mydomain.com                      Lync front end server
SRV           _ntp._udp.mydomain.com                 Domain controller/time server, port 123
SRV           _sip._tls.mydomain.com                 sip.mydomain.com, port 443
SRV           _xmpp-server._tcp.mydomain.com         sip.mydomain.com, port 5269
SRV           _sipinternaltls._tcp.mydomain.com      sip.mydomain.com, port 5061
SRV           _sipfederationtls._tcp.mydomain.com    sip.mydomain.com, port 5061

Note: you should also have A records for all of the hosts in your Lync deployment (front end servers, pools, proxies, etc.).  Those are not covered in the list because they are entirely user-defined when deploying Lync.

External DNS Records

Record Type   Value                                  Points to
A             webconf.mydomain.com                   Edge server IP as specified in the setup wizard
A             av.mydomain.com                        Edge server IP as specified in the setup wizard
A             sip.mydomain.com                       Edge server IP as specified in the setup wizard
A             meet.mydomain.com                      Lync reverse proxy IP
A             dialin.mydomain.com                    Lync reverse proxy IP
A             lync.mydomain.com                      Lync reverse proxy IP
A             lyncdiscover.mydomain.com              Lync reverse proxy IP
SRV           _sip._tls.mydomain.com                 sip.mydomain.com, port 443
SRV           _sipfederationtls._tcp.mydomain.com    sip.mydomain.com, port 5061
SRV           _xmpp-server._tcp.mydomain.com         sip.mydomain.com, port 5269
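
With split DNS it is easy to end up with one view correct and the other stale.  The following script is an added example (not part of the original post) that checks the records above from a client's point of view using Resolve-DnsName (Windows 8 / Server 2012 or later).  The IP addresses, the resolver addresses and the domain name are assumptions; replace them with your own.  The expected map below is the internal view; swap in the edge and reverse proxy addresses to check the external view.

```powershell
# Added example, not from the original post: verify the Lync DNS records resolve
# as expected. Host names, IPs and resolvers are assumptions for mydomain.com.
$domain = 'mydomain.com'

# Expected A records for the internal view (assumed addresses)
$expectedA = @{
    "lyncdiscoverinternal.$domain" = '192.168.1.10'   # front end
    "lyncdiscover.$domain"         = '192.168.1.20'   # reverse proxy
    "lync.$domain"                 = '192.168.1.10'
    "sip.$domain"                  = '192.168.1.10'
    "dialin.$domain"               = '192.168.1.10'
    "meet.$domain"                 = '192.168.1.10'
}

# Expected SRV records: target and port (standard Lync ports)
$expectedSrv = @(
    @{ Name = "_sipinternaltls._tcp.$domain";   Target = "sip.$domain"; Port = 5061 }
    @{ Name = "_sip._tls.$domain";              Target = "sip.$domain"; Port = 443  }
    @{ Name = "_sipfederationtls._tcp.$domain"; Target = "sip.$domain"; Port = 5061 }
    @{ Name = "_xmpp-server._tcp.$domain";      Target = "sip.$domain"; Port = 5269 }
)

function Test-LyncDns {
    param([string]$Server)   # optional resolver to query (internal DC, or a public resolver)

    # Bypass the local cache and hosts file so we see what DNS really answers
    $dnsArgs = @{ DnsOnly = $true; NoHostsFile = $true; ErrorAction = 'Stop' }
    if ($Server) { $dnsArgs.Server = $Server }

    foreach ($name in $expectedA.Keys) {
        try {
            $ips = (Resolve-DnsName -Name $name -Type A @dnsArgs | Where-Object { $_.Type -eq 'A' }).IPAddress
            if ($ips -contains $expectedA[$name]) { "OK   A   $name -> $($ips -join ',')" }
            else { "FAIL A   $name -> $($ips -join ',') (expected $($expectedA[$name]))" }
        } catch { "FAIL A   $name (no answer: $($_.Exception.Message))" }
    }

    foreach ($srv in $expectedSrv) {
        try {
            $recs  = Resolve-DnsName -Name $srv.Name -Type SRV @dnsArgs | Where-Object { $_.Type -eq 'SRV' }
            $match = $recs | Where-Object { $_.NameTarget -eq $srv.Target -and $_.Port -eq $srv.Port }
            if ($match) { "OK   SRV $($srv.Name) -> $($srv.Target):$($srv.Port)" }
            else {
                $got = ($recs | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ','
                "FAIL SRV $($srv.Name) -> $got (expected $($srv.Target):$($srv.Port))"
            }
        } catch { "FAIL SRV $($srv.Name) (no answer: $($_.Exception.Message))" }
    }
}

# Query the internal resolver, then a public one, to confirm the two views differ as intended
Test-LyncDns -Server '192.168.1.1'
Test-LyncDns -Server '8.8.8.8'
```

Run it once from inside the network and once from a machine that only sees public DNS; a record that resolves in both views to the same address usually means the split-DNS zone is incomplete, and a FAIL on _sipinternaltls._tcp is the most common reason desktop clients cannot sign in automatically.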


Deploying a Read-Only Domain Controller with Server 2008 R2

I recently configured an MPLS link to a remote office and noticed that the user experience there isn't quite what it is at the central office.  To speed things up (response time for domain authentication and DNS resolution), this post goes through setting up a Read-Only Domain Controller.  It allows users to authenticate to the domain if the connection between the remote site and the main site goes down, and it keeps a cached copy of DNS at the remote site, which improves response times in DNS-intensive applications (particularly web browsing).

Requirements

  • Active Directory has been properly configured at the main facility
  • Your domain controllers are running Windows Server 2003 or later
  • The forest functional level is Windows Server 2003 or higher
  • If there are Windows Server 2003 domain controllers in the forest, the Active Directory schema must be prepared for RODC installation by running: adprep /rodcprep
  • The PDC emulator operations master must be running Windows Server 2008 or later
    • If you are unsure which machine holds the PDC emulator role, run:
      • dsquery server -hasfsmo pdc

Instructions

  1. Deploy a new server (I used Server 2008 R2 in this example).
  2. Open up Server Manager, right click on Roles and select Add Roles
    1. Server Manager - Add Role
  3. Click Next on the Before You Begin screen.
    1. Before you begin
  4. Check Active Directory Domain Services on the Add Roles Wizard and click Next >
    1. Add Role - Select Server Roles
  5. Click Next > on the Active Directory Domain Services screen.
    1. Add Role - ADDS
  6. Click Install on the Confirm Installation Selections screen.
    1. Add Role - Confirmation
  7. Click Close when the installation is done.
    1. Add Role - Results
  8. Click on Active Directory Domain Services once the installation is done, back in Server Manager.
    1. Server Manager - Active Directory Domain Services
  9. Select Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)
    1. Run the active directory domain services installation wizard
  10. Once you see the Active Directory Domain Services Installation Wizard, check the Use advanced mode installation checkbox and click Next >
    1. dcpromo - Use advanced mode installation
  11. Click Next > on the Operating System Compatibility step.
    1. dcpromo - Operating System Compatibility
  12. Check Existing forest, and then check Add domain controller to an existing domain

    1. dcpromo - Deployment Configuration
  13. On the Network Credentials page, type in the name of the domain you want to connect to and then specify the credentials to use.  Because the RODC account was not pre-created in this walkthrough, these credentials must be at least a member of Domain Admins.
    1. dcpromo - network credentials
  14. On the select a domain screen, select your domain and click Next >
    1. dcpromo - Select a domain
  15. Select a site and then click Next >
    1. dcpromo - Select a site
  16. On the Additional Domain Controller Options page, check the DNS server, Global catalog, and Read-only domain controller (RODC) boxes for each of the roles and click Next >
    1. Here is some information on what each of the choices do. This is from the following KB article by Microsoft: http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
      • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.
      • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
      • Read-only domain controller. When you create an RODC account, this option is selected by default and you cannot clear it.
    2. dcpromo - Additional Domain Controller Options
  17. On the Specify the Password Replication Policy step, adjust the settings for each group, specifying if you want to cache user credentials on the Read-Only domain controller.  In this tutorial, I left all of the options Deny except the Allowed RODC Password Replication Group, which is default per Microsoft.  Click Next > once you have determined the settings you want to use.
    1. dcpromo - Specify the Password Replication Policy
  18. On the Delegation of RODC Installation and Administration step, click the Set... button and select the user or security group that should have administrative access to the read-only domain controller.  If this is a remote office with designated IT staff, create a security group on your read/write DC and select that group.  If only one individual will ever log in to the RODC, you can specify that user instead.  If you don't want anyone at the branch to be able to touch the RODC, simply click Next >; then only members of Domain Admins or Enterprise Admins will be able to manage it.  Note that delegated RODC administration is a local administrator right on that server only; it grants no rights on the writable domain controllers.  Click Next > once you have decided which group or user to allow local administrative access.
    1. dcpromo - Delegation of RODC Installation and Administration
  19. Click Next > on the Install from Media screen, leaving the default of replicating data over the network from an existing domain controller, so the RODC pulls the most current information from one of your active domain controllers.
    1. dcpromo - Install from media
  20. Click Next > on the Source Domain Controller screen to Let the wizard choose an appropriate domain controller to replicate from.  If you prefer replication from a specific machine, you may check the Use this specific domain controller box, select the machine from the list, and then click Next >.
    1. dcpromo - Source Domain Controller
  21. Click Next > on the Location to store the Database, Log Files, and SYSVOL; unless you wish to relocate those files to a separate partition.
    1. dcpromo - Location for database - log files - sysvol
  22. On the Directory Services Restore Mode Administrator Password, enter a strong password to be used in the event you need to put the DC in restore mode.
    1. dcpromo - Directory Services Restore Mode Administrator Password
  23. At this point, you can export the settings to make an answer file or you can click Next > for the server to begin applying the configuration.
    1. dcpromo - summary
  24. Click Finish once done and Restart when prompted.

Upon restart, you should be good to go!  I would recommend running the Microsoft Best Practices Analyzer and checking the Windows event logs to ensure everything is healthy.  It is also worth confirming that the Password Replication Policy you chose in step 17 is really in effect, and that no privileged accounts end up with their credentials cached at the branch.
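
The following script is an added example (not part of the original post) that audits a freshly promoted RODC from a management workstation with the ActiveDirectory module (RSAT on Windows 7 / Server 2008 R2 or later).  It confirms the server is read-only and a global catalog, prints the Allowed and Denied lists of the Password Replication Policy, lists which accounts currently have secrets cached on the RODC, and flags any that belong to a privileged group.  The RODC name is an assumption.

```powershell
# Added example, not from the original post: audit an RODC after promotion.
# Requires the ActiveDirectory module; $Rodc is an assumed host name.
Import-Module ActiveDirectory

$Rodc = 'BRANCH-RODC01'

function Get-RodcAudit {
    param([Parameter(Mandatory = $true)][string]$Name)

    $dc = Get-ADDomainController -Identity $Name
    if (-not $dc.IsReadOnly) { throw "$Name is not a read-only domain controller" }

    # Password Replication Policy as configured in the dcpromo wizard
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Name -Allowed
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Name -Denied

    # Accounts whose password hashes are cached on the RODC right now
    $revealed = @(Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Name -RevealedAccounts)

    # Privileged accounts that must never be cached at a branch site
    $privileged = @('Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') |
        ForEach-Object { Get-ADGroupMember -Identity $_ -Recursive } |
        Select-Object -ExpandProperty DistinguishedName -Unique

    $leaked = $revealed | Where-Object { $privileged -contains $_.DistinguishedName }

    [pscustomobject]@{
        Name             = $dc.HostName
        Site             = $dc.Site
        IsGlobalCatalog  = $dc.IsGlobalCatalog
        AllowedPRP       = $allowed.Name
        DeniedPRP        = $denied.Name
        RevealedCount    = $revealed.Count
        PrivilegedCached = @($leaked | Select-Object -ExpandProperty DistinguishedName)
    }
}

$audit = Get-RodcAudit -Name $Rodc
$audit | Format-List

if ($audit.PrivilegedCached.Count -gt 0) {
    Write-Warning "Privileged credentials are cached on $Rodc. Add these accounts to the Denied RODC Password Replication Group and reset their passwords, since an RODC at a branch is treated as a lower-trust server."
}
```

The default Denied RODC Password Replication Group already covers the built-in admin groups, but the revealed list is the ground truth: if a domain admin logged on at the branch before the policy was right, the hash is already there and only a password reset invalidates it.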

How to list users inside a domain group

Open a command prompt on any machine in the domain and execute the following command:

NET GROUP "GROUP NAME" /DOMAIN

You should then see the list of users in the corresponding group.  Two caveats: NET GROUP only works for global groups (for domain local groups use the NET LOCALGROUP command with the same /DOMAIN switch), and it shows direct members only; a nested group appears as a single entry and is not expanded.

NET GROUP Domain

Reverse Sync from iPod (Restore backup from iPod to iTunes)

Recently, a drive in our main machine at home failed and, of course, we hadn't backed anything up.  Because the drive hardware itself had failed, we were unable to run any recovery tools to get anything off it.  Fortunately, most of what was on the machine was on a different drive, except for my iTunes library.  Luckily, we had recently synchronized one of our iPods to the machine, and we were able to recover almost the entire iTunes library from the device (cheap backup device, eh? :P).

So, how do I recover all of my music/media from my iPod?
Here is how using Windows 8:

  1. Close out of iTunes if you have it open
  2. Open up task manager and click on Services
  3. Stop the following services: Apple Mobile Device, Bonjour, iPod Service
    iPod Service
  4. Make sure your machine is set up to show hidden files
    1. Click on Windows Explorer and select the View Tab
    2. Click on the Options button and select Change folder and search options
      Folder Options
    3. Select the View Tab and check Show hidden files, folders, or drives
      Show Hidden Files
    4. Click OK
  5. Connect the iPod
  6. Select your iPod (Removable Disk) in Windows Explorer (the iPod should be visible as a drive if you stopped the services mentioned in the previous steps)
    Select iPod
  7. Navigate to iPod_Control and select Music
  8. Copy all of the files to your desktop
    Copy Files from iPod
  9. Open up iTunes (ignore the warning about the bonjour service not running if it pops up--that's ok)
  10. Click on the little icon in the top left corner and select Preferences from the menu
    iTunes Preferences
  11. Click on Advanced
  12. Check the box that says Keep iTunes Media folder organized
  13. Check the box that says Copy files to iTunes Media folder when adding to library
    Keep iTunes Media organized
  14. Click OK
  15. On your desktop, right click on the Music folder you copied from your iPod and select Properties
  16. Uncheck Hidden and select Apply changes to this folder, subfolders, and files when prompted.
    unhide files
  17. Click OK
  18. Open up the Music folder on your desktop and then drag the folders over to the Music part of iTunes
    Copy Files to iTunes

At this point your music should automatically start populating back into iTunes.  iTunes copies the files from your desktop into the iTunes Media folder and files them properly inside My Music.  Note that this process temporarily requires double the disk space while iTunes copies the files from your desktop; once all files have been copied, you can safely delete the folder on your desktop and resync your iPod to iTunes.

Lync 2013 Android Client - Version of Lync has been blocked error

Symptom: When signing in to Lync 2013 on an Android or iOS device, you receive the following error:

This version of Lync has been blocked by your system administrator.  Please check for updates or contact your Lync support team.

Lync 2013 Mobile Version


Solution: This error is caused by the server not running a recent enough build of Lync Server 2013.  The Lync 2013 mobile clients require at least the February 2013 Cumulative Update (CU1) on the server; without it the mobile client cannot sign in.  You can confirm the installed build from the Lync Server Management Shell with Get-CsServerVersion before and after patching.

You can grab a copy of the patch from: http://www.microsoft.com/en-us/download/details.aspx?id=36820

Details on how to install the patch can be found here: http://support.microsoft.com/kb/2809243

Ford Explorer Sport 2013 - Keyless Entry Code

Recently, I purchased a Ford Explorer, and for whatever reason the keyless entry code was not bundled with the owner's manual, nor is it listed when you enter the VIN on Ford's website and browse the vehicle's installed accessories.

Luckily, rather than taking the vehicle back to the dealership, there is a way to look up the factory entry code.  Inside the fuse box, the car has a label with a 5-digit code (sometimes followed by a single letter).

So where is the fuse box?  Interestingly, there are two on the Explorer.  The first is under the hood, on the right side inside a black box.  The second is in the typical spot underneath the steering wheel on the driver's side (if anyone has a right-hand-drive Explorer in Europe, let me know whether the fuse box is on the steering wheel side or still on the left by what would be the passenger :P).  Oddly enough, at a quick glance I couldn't find the fuse box, as it was hidden by a piece of plastic.  If you can grab a flashlight and get your head far enough under the steering wheel, you should be able to see the sticker; otherwise you will have to remove the hex screw and take off the plastic guard.

For whatever reason, this isn't in the owner's manual, so hopefully this helps someone else with their Explorer 🙂

Enabling Skype Federation - Lync Server 2010-2013

Most articles say that Skype federation is now available and that "you're good to go with federation enabled".  The problem is that you are more than likely missing the "Skype" option when you select Add a Contact Not in My Organization, and you may need to enable PIC provisioning for Skype.  This guide goes through enabling PIC federation through Office 365 and bringing the Skype icon back to the Lync client.

NOTE: This guide assumes you have configured your edge servers and have verified federation to other partners works.

Here is what my Lync client looked like before following the instructions below:

Lync client without Skype

Enabling Federation and Public IM Connectivity (PIC)

  1. Login to your Office 365 Portal
  2. Select Lync from the Admin dropdown
    Lync Menu Office365
  3. Select External Communications
  4. Ensure the following settings:
    1. Domain federation mode: Turned on for all domains except blocked domains
    2. Public IM connectivity mode: Enabled
      Lync Online Control Panel

Adding Skype option to Lync Client

  1. Navigate to your front end server
  2. Open up the Lync 2010/2013 Management Shell
  3. Execute the following command to list which public providers you currently federate with:
    1. Get-CsPublicProvider
  4. If you have a provider with a ProxyFqdn of federation.messenger.msn.com, execute the following command to remove it (replacing MSN with whatever Identity carried federation.messenger.msn.com in your environment):
    1. Remove-CsPublicProvider -Identity MSN
  5. Execute the following command to add Skype as a public provider (same proxy FQDN as the old MSN entry; only the identity and icon change):
    1. New-CsPublicProvider -Identity Skype -ProxyFqdn federation.messenger.msn.com -IconUrl "https://images.edge.messenger.live.com/Messenger_16x16.png" -VerificationLevel 2 -Enabled 1
  6. Close your Lync client and reopen for the option to be available
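
Because the provider change is easy to get half-done (a removed MSN entry and no Skype entry leaves users with no public IM at all), the following script is an added example (not part of the original post) that does steps 3 to 5 idempotently from the Lync Server Management Shell and first checks the edge and external access settings Skype federation depends on.  The proxy FQDN and icon URL are the ones from the post; everything else is standard Lync Server cmdlets.

```powershell
# Added example, not from the original post: check the settings Skype federation
# depends on, then create or repair the Skype public provider. Run from the
# Lync Server Management Shell on a front end server.
$skypeProxy = 'federation.messenger.msn.com'
$skypeIcon  = 'https://images.edge.messenger.live.com/Messenger_16x16.png'

function Test-SkypeFederationPrereqs {
    $problems = @()

    # Global Access Edge settings: federation must be on at all
    $edge = Get-CsAccessEdgeConfiguration
    if (-not $edge.AllowFederatedUsers) {
        $problems += 'AllowFederatedUsers is False in the Access Edge configuration'
    }

    # Each external access policy that users hold must allow public cloud (PIC) access
    foreach ($p in Get-CsExternalAccessPolicy) {
        if (-not $p.EnableFederationAccess) {
            $problems += "External access policy '$($p.Identity)' has EnableFederationAccess = False"
        }
        if (-not $p.EnablePublicCloudAccess) {
            $problems += "External access policy '$($p.Identity)' has EnablePublicCloudAccess = False"
        }
    }
    return $problems
}

function Set-SkypePublicProvider {
    # Remove any provider still pointing at the MSN proxy under another name
    Get-CsPublicProvider |
        Where-Object { $_.ProxyFqdn -eq $skypeProxy -and $_.Identity -ne 'Skype' } |
        ForEach-Object {
            Write-Host "Removing legacy provider $($_.Identity)"
            Remove-CsPublicProvider -Identity $_.Identity
        }

    $existing = Get-CsPublicProvider -Identity Skype -ErrorAction SilentlyContinue
    if (-not $existing) {
        New-CsPublicProvider -Identity Skype -ProxyFqdn $skypeProxy -IconUrl $skypeIcon `
            -VerificationLevel 2 -Enabled 1
    } else {
        # Entry already exists: make sure it is enabled and points at the right proxy
        Set-CsPublicProvider -Identity Skype -ProxyFqdn $skypeProxy -IconUrl $skypeIcon -Enabled $true
    }
    Get-CsPublicProvider -Identity Skype
}

$issues = Test-SkypeFederationPrereqs
$issues | ForEach-Object { Write-Warning $_ }
Set-SkypePublicProvider
```

The warnings are informational: a policy that denies public cloud access to a group of users is a legitimate choice, but if the users who report the missing Skype option are assigned that policy, the provider entry alone will not help them.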

Powershell Lync Skype

Adding Skype contacts to Lync

  1. Click the Add a Contact icon
  2. Select Add a Contact Not in My Organization
  3. Select Skype.
    1. Lync client with Skype
  4. In the IM Address field, enter the Microsoft account (MSA) of the Skype user.  If the account is on a Microsoft domain (hotmail.com, live.com, outlook.com) it can be entered as-is; for any other domain use the format user(domain name)@msn.com.
    1. Example: if someone's email was [email protected], the entry would be bob(contoso.com)@msn.com

  5. In the Add to contact group dropdown box, select the contact group to put the user in.
  6. In the Set privacy relationship dropdown box, select the appropriate relationship.
  7. Click OK.
  8. NOTE: Once the Skype user adds your account, the federated user will appear online.  Until the user adds you to their Skype list, the contact will appear offline.

Adding Lync user to Skype

  1. Sign into Skype
  2. Click the Add User icon
    Add User Icon Skype
  3. Type in the user's SIP address
    1. For example: [email protected]
      1. Note: You do not need to use the MSA format when adding the contact to your list from Skype
  4. Select (single click) the name when it appears in the search list
  5. Click the Add to Contacts button
    Adding Lync Contact - Skype
  6. NOTE: If you add the user to Skype first before Lync, the user will show up with a question mark (?) icon for a status until the Lync user approves the request/adds you to their contacts list.

Awesome Tidbits

When setting up Lync-to-Skype federation for the first time, I was seeing the following symptom.  Lync users saw the Skype user as Offline, the Skype user could not add the Lync user because the directory lookup returned nothing, and IMs would not work because the users had not accepted each other.  A log on the front end server showed the following error message as well:

TL_INFO(TF_PROTOCOL) [0]1838.0B20::06/05/2013-14:36:41.206.00008d15 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:2420.idx(196))[506561689] $$begin_record
Trace-Correlation-Id: 506561689
Instance-Id: B0B5F
Direction: incoming
Peer: myedgepool.mydomain.local:5061
Message-Type: response
SIP/2.0 480 temporary unavailable
Start-Line: SIP/2.0 480 temporary unavailable
FROM: "Jack Stromberg"<sip:[email protected]>;tag=0f6bccf745;epid=1aadaf98be
TO: <sip:person(hotmail.com)@msn.com>;tag=qwemztox
CALL-ID: a0b5bb30381640c08b30ee2bda403905
CSEQ: 1 INVITE
Via: SIP/2.0/TLS 192.168.169.221:53811;branch=z9hG4bK6DC1D74D.F39C6D8A52E04898;branched=FALSE;ms-received-port=53811;ms-received-cid=718100,SIP/2.0/TLS 192.168.170.142:50017;ms-received-port=50017;ms-received-cid=208A00
CONTENT-LENGTH: 0
ms-diagnostics: 1035;reason="Previous hop public IM provider did not report diagnostic information";Domain="msn.com";PeerServer="federation.messenger.msn.com";source="sip.mydomain.com"
ms-diagnostics-public: 1035;reason="Previous hop public IM provider did not report diagnostic information";Domain="msn.com";PeerServer="federation.messenger.msn.com"
$$end_record

Findings: Doing some research, the 480 Temporarily Unavailable response with ms-diagnostics 1035;reason="Previous hop public IM provider did not report diagnostic information" means the request was rejected on the public IM provider's side, i.e. a federation/provisioning issue rather than a local one.  Since I knew I had enabled PIC federation through Office 365, and federation worked to other partners (Hotmail users, for example), I assumed this was an issue with the PIC configuration.

Solution: According to an Office 365 blog post published shortly before this writing (http://community.office365.com/en-us/blogs/office_365_technical_blog/archive/2013/06/01/troubleshooting-lync-skype-connectivity.aspx), if you are having issues federating to Skype you may have to toggle the Public IM Connectivity mode switch off and back on in your Office 365 Lync portal.  If you are a small business customer, you are almost guaranteed to be affected by the upgrade to Office 365 2013.  If you are an enterprise customer, it appears you should be fine, but in my case I still saw issues connecting under an enterprise account.

Additionally, in another scenario it turned out I needed to submit a request to the old PIC provisioning team at Microsoft.  Once they enabled federation to Skype, I was able to go on my merry way.  You can start the request process here (their website can be quite frustrating... I couldn't get half the pages to load and ended up sending them an email): https://pic.lync.com/provision/Logon/Logon.aspx?rret=https%3a%2f%2fpic.lync.com%2fprovision%2fAgreementNumber.aspx%2f