Yearly Archives: 2013

Lync 2013 - Failing Voicemail and Forwarded calls after replacing front end ssl certificate

Problem: While setting up my first Lync Enterprise Pool, I generated a new certificate on a new front end server and replaced the certificate on the first front end server to match.  Lync 2013 accepts the change, but you will slowly begin to see Lync's familiar errors, such as failures when forwarding calls or contacting voicemail, while services such as IM and direct internal/external calling keep working fine.

Solution: Turns out that you must restart, at a minimum, the front-end service on all other machines in the Lync enterprise pool after you apply the new SSL certificate.  Unfortunately, this will log your users out of their Lync client for 30 seconds to a minute while the service restarts, but users should be able to remain on a call if the mediation service is still up.  When the new SSL certificates eventually expire, I would schedule the renewal as evening maintenance, where you can simply restart each of the Lync Front End services/servers after applying the certificate to prevent unexpected behavior.
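Added example (not code from the original post): confirm that every member of the pool has the same default certificate assigned, then recycle the Front-End service on each member one server at a time. The pool FQDN, the Lync Server Management Shell and PowerShell remoting to each Front End are assumptions.

```powershell
# Run from the Lync Server Management Shell as an account with rights to manage the pool.
# Assumes PowerShell remoting works to each Front End. Pool name below is a placeholder.
Import-Module Lync

$PoolFqdn = 'pool01.mydomain.local'   # placeholder: your Enterprise pool FQDN

function Get-PoolDefaultCertificates {
    param([string]$Pool)
    $members = (Get-CsPool -Identity $Pool).Computers
    foreach ($fe in $members) {
        # Get-CsCertificate shows the certificate *assigned* to the server; the running
        # service keeps using whatever it loaded at start-up, which is why the restart matters.
        $cert = Invoke-Command -ComputerName $fe -ScriptBlock {
            Import-Module Lync
            Get-CsCertificate -Type Default
        }
        [pscustomobject]@{
            Server     = $fe
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
        }
    }
}

$assigned = Get-PoolDefaultCertificates -Pool $PoolFqdn
$assigned | Format-Table -AutoSize

# Every pool member must be assigned the same (new) certificate before restarting anything
$distinct = @($assigned.Thumbprint | Sort-Object -Unique)
if ($distinct.Count -gt 1) {
    Write-Warning 'Pool members are not all assigned the same certificate; fix the assignment first.'
    return
}

# Recycle RTCSRV (Lync Server Front-End) one server at a time so the pool keeps serving users.
# -Graceful waits for existing sessions to drain instead of dropping them immediately.
foreach ($fe in $assigned.Server) {
    Write-Host "Restarting Front-End service on $fe"
    Stop-CsWindowsService -Name RTCSRV -ComputerName $fe -Graceful
    Start-CsWindowsService -Name RTCSRV -ComputerName $fe
    # Wait until the service reports Running before moving to the next pool member
    do {
        Start-Sleep -Seconds 10
        $state = (Get-CsWindowsService -Name RTCSRV -ComputerName $fe).Status
    } until ($state -eq 'Running')
}
```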

Here was the error I began to see from the Lync 2013 client while trying to call my voicemail:

The description for Event ID 11 from source Lync cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event:

Lync
80ef01f4
RequestUri: sip:[email protected];opaque=app:voicemail
From: sip:[email protected];tag=693ec81203
To: sip:[email protected];opaque=app:voicemail;tag=7CBCF099907DE2498340425795C4E09A
Call-ID: e3535707c76342fd909faaa232247182
Content-type: multipart/alternative;boundary="----=_NextPart_000_0039_01CE980F.27472B30";call-type=audiovideo

------=_NextPart_000_0039_01CE980F.27472B30
Content-Type: application/sdp
Content-Transfer-Encoding: 7bit
Content-ID: <[email protected]>
Content-Disposition: session; handling=optional; ms-proxy-2007fallback

(SDP body redacted)

------=_NextPart_000_0039_01CE980F.27472B30
Content-Type: application/sdp
Content-Transfer-Encoding: 7bit
Content-ID: <[email protected]>
Content-Disposition: session; handling=optional

(SDP body redacted)

------=_NextPart_000_0039_01CE980F.27472B30--
Response Data:

183 Session Progress
500 The server encountered an unexpected internal error
ms-diagnostics: 1;reason="Service Unavailable";AppUri="http%3A%2F%2Fwww.microsoft.com%2FLCS%2FDefaultRouting";reason="Failed when constructing the outgoing request";source="lyncserver.mydomain.local";OriginalPresenceState="0";CurrentPresenceState="0";MeInsideUser="Yes";ConversationInitiatedBy="0";SourceNetwork="0";RemotePartyCanDoIM="No"


Lync 2013 GUI Error: Unfortunately, I didn't grab a screenshot, but the error I received was "Error ID 1 Source ID 243"

Side notes: When doing a preliminary search on the Lync error (before I made it to Event Viewer), I stumbled across an article by Romans Fomicevs who had the exact same issue.  He's got some additional tracing and insight on the subject, so definitely go give him a +1 on his Google page! 🙂 http://blog.yogi-way.lv/2013/07/lync-server-2013-and-new-internal.html

Request SSL Certificate With a Subject Alternative Name (SAN) via enterprise CA with a GUI

For those who want to quickly request a new SSL certificate from your Enterprise Certificate Authority using a GUI instead of certutil commands, here is a tutorial on how to do so.

  1. Log in to the server that needs the SSL certificate with the SAN address.
  2. Click Start->Run->MMC
    mmc
  3. Click File->Add/Remove Snap-Ins
    mmc - add-remove snap-in
  4. Select Certificates and click Add >
    mmc - add-remove-snap-in-certificates
  5. Select Computer account and click Next >
    certificates snap-in computer account
  6. Click Finish
    certificates snap-in local computer
  7. Click OK
    add-remove snap-ins local certificates
  8. Expand Certificates (Local Computer)->Personal->Certificates
    mmc - personal certificates
  9. Right click on the right pane and select All Tasks -> Request New Certificate...
    mmc - personal certificates request
  10. Click Next on the Certificate Enrollment screen
    certificate enrollment welcome
  11. Select Active Directory Enrollment Policy and click Next
    certificate enrollment policy
  12. Check what type of certificate you would like to request and click on the "Click here to configure settings." link
    certificate enrollment selected policy

    1. Note: you must have configured a template for this link to show up.  By default you will only see Computer, which will not let you request a certificate with a SAN address.
  13. On the certificate properties page, enter in the following info for the Subject name
    1. Common name
    2. Country
    3. Locality
    4. Organization
    5. Organization Unit
    6. State
  14. On the certificate properties page, enter in the following info for the Alternative Name
    1. DNS of the FQDN (common name)
    2. DNS of the SAN name (short name)
  15. You should now have something like this
    certificate request - properties
  16. Optionally, click on the Private Key tab, expand Key options, and check Make private key exportable
    certificate request - private key exportable
  17. Click OK on the Certificate Properties window
  18. Click Enroll
    certificate enrollment - enroll
  19. Click Finish once the request has been signed
    certificate enrollment - success

At this point, you can export the certificate from the machine or have your application reference it.
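Added example, not part of the original tutorial: the same SAN request made from an elevated PowerShell prompt with certreq, followed by a check that the issued certificate really carries the expected SAN entries. Host names, template name, CA config string and subject fields are placeholders; the key is left non-exportable by default.

```powershell
# Placeholders: replace with your host, template (one that allows SAN in the request) and CA.
$Fqdn      = 'lync.mydomain.local'                  # common name and first SAN entry
$ShortName = 'lync'                                 # short name, second SAN entry
$Template  = 'WebServerSAN'                         # template name as shown by certutil -CATemplates
$CaConfig  = 'subca.mydomain.local\My Issuing CA'   # "host\CA name", see: certutil -config - -ping

# Request definition. Exportable = FALSE keeps the private key on this machine unless you
# really need to move it (the GUI's "Make private key exportable" box is the same switch).
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn, O=My Organization, OU=IT, L=My City, S=My State, C=US"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$ShortName&"

[RequestAttributes]
CertificateTemplate = $Template
"@

$base = Join-Path $env:TEMP $Fqdn
Set-Content -Path "$base.inf" -Value $inf -Encoding ASCII
certreq -new "$base.inf" "$base.req"                      # creates the key pair and CSR
certreq -submit -config $CaConfig "$base.req" "$base.cer" # sends it to the enterprise CA
certreq -accept "$base.cer"                               # binds the issued cert to the key

function Test-CertificateSan {
    param([string]$Subject, [string[]]$ExpectedDns)
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$Subject*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { return $false }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return $false }
    # Format($true) renders one "DNS Name=<host>" per line (English Windows assumed)
    $lines = $san.Format($true) -split "`r?`n" | ForEach-Object { $_.Trim() }
    foreach ($name in $ExpectedDns) {
        if ($lines -notcontains "DNS Name=$name") { return $false }
    }
    return $true
}

# Should print True once the request above has been issued and accepted
Test-CertificateSan -Subject $Fqdn -ExpectedDns @($Fqdn, $ShortName)
```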

Enterprise PKI - CDP Location #1 Expired

Synopsis: After the first year of deployment of one of my two-tier Enterprise PKI environments, I noticed that certificates were generating odd errors: new certificates could not be issued automatically, nor could certificates be requested manually.

Here is an image of what the subordinate certificate authority looked like in Server Manager, showing CDP Location #1 expired.

Active Directory Certificate Services Error

Here was an error that prompted my investigation, when requesting a certificate manually.

Status: Request denied
The revocation function was unable to check revocation because the revocation server was offline.  Error Constructing or Publishing Certificate.  The request ID is 640.

Certificate Enrollment Error

Here were some of the errors in event viewer on the subordinate CA:

Event ID: 48
Level: Warning
Revocation status for a certificate in the chain for CA certificate 0 for My CA0 could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

Event ID: 100
Level: Error
Active Directory Certificate Services did not start: Could not load or verify the current CA certificate. My CA The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

Revocation status for a certificate in the chain for CA certificate 0 for My CA could not be verified because a server is currently unavailable.  The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613).

Upon inspection, it turns out the CDP Location for the subordinate certificate authority had expired.

According to a couple of TechNet articles I stumbled across, running certutil -CRL would republish the CRL at the CDP location and all would be happy.  Not surprisingly, I received another error:
CertUtil: -CRL command FAILED: 0x800706ba (WIN32: 1722)
CertUtil: The RPC server is unavailable.
CertUtil Failed Command

Solution: When setting up my PKI environment, the CDP was manually published to the Subordinate CA for security reasons (the Root CA should be turned off most of the time).  That being said, manually generating a new CRL from the Root CA, copying it over to the Subordinate CA's directory that publishes the CRL, and restarting the Active Directory Certificate Services service did the trick for me.

To manually generate the CRL from the Root CA

  1. Open up Active Directory Certificate Services (Start->Administrative Tools->Certification Authority)
    Certification Authority - Start Menu
  2. Under Certificate Authority, expand your CA, right click on Revoked Certificates, and select All Tasks -> Publish.
    Certification Authority - Publish CRL
  3. Click New CRL when the Publish CRL dialog box pops up and click OK
    Publish CRL
  4. Navigate to the directory where the CDP gets published via Windows Explorer
    1. The default directory for this is usually at C:\Windows\System32\CertSrv\CertEnroll
  5. Copy the YourCAName.crl file to an external hard drive to carry over to your subordinate CA.

Importing the CRL on the subordinate CA

The latest CRL is fetched from a published website.  In this case, I needed to replace that CRL so the service could start up properly and continue processing certificates.  To do so, I logged into the server hosting the CRL file, opened up IIS, and browsed to the directory hosting the CDP.  Last, I copied the CRL file we generated on the Root CA to this directory.

  1. Remote to the machine hosting the CRL file
  2. Open up IIS Manager (Start->Administrative Tools->Internet Information Services (IIS) Manager)
    IIS Start Menu
  3. Expand the server, Sites, Default Web Site, and right click on CDP, select Explore
    IIS Manager - Explore
  4. Copy the CRL we generated from the Root CA to the directory that just opened (if your certificate authority was working before, replace the old CRL with this one).

Restarting the service

  1. Click Start->Administrative Tools->Services
    Services
  2. Right click on Active Directory Certificate Services and select Restart (or Start if the service blew up like mine)
    Active Directory Certificate Services Restart
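Added example, not from the original post: the same Root-CA-to-CDP refresh done from PowerShell across the three steps above, plus a check of the CRL's validity window so the next expiry is caught before AD CS stops. Paths, drive letters and the CDP folder are placeholders; certutil's English output format is assumed.

```powershell
# Parse ThisUpdate/NextUpdate out of "certutil -dump" for a .crl file (English output assumed)
function Get-CrlValidity {
    param([string]$Path)
    $dump = certutil -dump $Path
    $next = $dump | Select-String -Pattern 'Next\s*Update:\s*(.+)$' | Select-Object -First 1
    $this = $dump | Select-String -Pattern 'This\s*Update:\s*(.+)$' | Select-Object -First 1
    if (-not $next) { throw "No NextUpdate found in $Path; is it really a CRL?" }
    $nextUpdate = [datetime]::Parse($next.Matches[0].Groups[1].Value.Trim())
    [pscustomobject]@{
        Path       = $Path
        ThisUpdate = [datetime]::Parse($this.Matches[0].Groups[1].Value.Trim())
        NextUpdate = $nextUpdate
        DaysLeft   = [math]::Round(($nextUpdate - (Get-Date)).TotalDays, 1)
    }
}

# --- Step 1, on the (normally offline) Root CA: issue a new CRL and stage it on removable media
certutil -CRL
$enroll = "$env:SystemRoot\System32\CertSrv\CertEnroll"
Get-ChildItem "$enroll\*.crl" | ForEach-Object { Get-CrlValidity -Path $_.FullName }   # NextUpdate must be in the future
Copy-Item -Path "$enroll\*.crl" -Destination 'E:\crl-transfer\'                        # placeholder drive letter

# --- Step 2, on the server hosting the CDP web site: replace the published CRL
$cdpDir = 'C:\inetpub\wwwroot\CDP'   # placeholder; use the folder IIS Manager opens via Explore
Copy-Item -Path 'E:\crl-transfer\*.crl' -Destination $cdpDir -Force
$published = Get-ChildItem "$cdpDir\*.crl" | ForEach-Object { Get-CrlValidity -Path $_.FullName }
$published | Format-Table -AutoSize
# Worth scheduling on its own: warn well before the CRL runs out again
$published | Where-Object { $_.DaysLeft -lt 14 } |
    ForEach-Object { Write-Warning "$($_.Path) expires in $($_.DaysLeft) days" }

# --- Step 3, on the Subordinate CA: confirm revocation checking succeeds, then restart AD CS
$subCaCert = Get-ChildItem "$enroll\*.crt" | Select-Object -First 1
certutil -verify -urlfetch $subCaCert.FullName | Select-String -Pattern 'Revocation|ERROR'
Restart-Service -Name CertSvc
Get-Service -Name CertSvc   # expect Running
```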

Configuring Google Chrome via Group Policy

Synopsis: As more companies shift from Internet Explorer to Google Chrome, administering certain controls over the web browser from a centralized place becomes increasingly difficult.  As such, one of the most sought-after features in administering the web browser is the ability to deploy shortcuts to end users for frequently accessed resources on both the intranet and the internet.  Luckily, Google has acknowledged the need for central administration in corporate environments and supports Active Directory and Group Policy to easily complete this task.

Tutorial:

  1. Grab a copy of the Google Chrome ADM/ADMX templates from here: http://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip
  2. Extract the contents of the policy_templates.zip file once you have downloaded it to your local machine.
  3. Navigate to the windows folder and then navigate into the folder with the template you want to use (in this case, I will be deploying ADMX; read below on which one you should use)
    Chrome Policy Templates

    1. If you are using computers with an operating system newer than Windows Server 2003 or XP, select the ADMX folder
    2. If you are using computers with an operating system older than Windows Server 2008 and Vista, select the ADM folder
  4. If you are using Server 2003, you will use the adm file and follow step 2 below.  If you are using Server 2008 and newer, you will use the admx and adml files mentioned in step 1 below.
    Chrome ADMX and ADML

    1. If you are running Server 2008 or newer, enter the admx folder and copy the .adml file from the language folder (en-US for example) to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions\<ll-cc> (ll-cc being the language specific folder, such as en-US) and copy the .admx file from the root of the admx folder to %systemroot%\sysvol\yourdomain\policies\PolicyDefinitions
      1. If you are from another region, copy the file to the correct language folder (if it doesn't exist, go ahead and create it).
      2. If you get an Access Denied prompt, try running Windows Explorer as an Administrator
        Run explorer as administrator
    2. If you are running Server 2003 or older, copy the .adm file to your domain controller from the Google\Policy_Templates\adm\<ll-cc> Google folder and complete the following steps to import it:
      1. Open the Group Policy Object that you want to edit inside of Group Policy Management.
      2. In the console tree, navigate to Group Policy object/Computer Configuration (or User Configuration)/Administrative Templates and right click on Administrative Templates
      3. Click Add/Remove Templates.
      4. Click the Add button and navigate to the .adm file
      5. More details on this process can be found here: http://technet.microsoft.com/en-us/library/cc739134(v=ws.10).aspx
  5. Open up Group Policy Management (Start->Administrative Tools->Group Policy Management)
    Group Policy Management
  6. Right click the Group Policy Object you want, and select Edit...
  7. Under Computer Configuration->Policies->Administrative Templates, you should now see a Google object.  Expand that to find the policies you can deploy.
    Editing Group Policy Object

Here is a screenshot of a few of the policies Google offers (more policies can be found in each of the folders as shown in the screenshot below).

Google Policies

Happy web browsing!

Side notes: The only thing I haven't figured out how to do is successfully deploy bookmarks/favorites to Google Chrome.  It appears at this time, it is not possible to do so via Group Policy.  If anyone has any ideas on how to achieve this, please leave a comment below; it would be greatly appreciated! 🙂

Lync Server 2013 - Cannot find any suitable disks for database files. You must manually specify database paths. error

Symptom: You receive the following error while running Step 2: Setup or Remove Lync Server Components under the Lync Server 2013 - Deployment Wizard.

Install-CsDatabase: Command execution failed: “Cannot find any suitable disks for database files. You must manually specify database paths.”

Solution: Verify you have at least 16GB of free disk space on the partition where you are installing Lync Server 2013.

Dell PowerConnect 5548 - Enable port mirroring/monitoring via command line

To enable port mirroring/monitoring on the Dell PowerConnect 5548 series switches, follow these steps:

  1. SSH or Telnet to the switch
  2. Login to the switch
  3. Execute the command: enable
  4. Execute the command: config
  5. Execute the command: interface gigabitethernet 1/0/##
    1. In this case, use the port number of the device that will be getting the traffic to analyze.  This is the interface your "wireshark" machine would be connected to, to do a packet capture.
  6. Execute the command: port monitor gigabitethernet 1/0/##
    1. In this case, use the port number of the device you want to see the network traffic/activity on.  For example, if my device that I wanted to monitor was on gigabit port 1/0/5, I would use that, not the machine that is going to receive the traffic (not your "wireshark" machine).

Once you are done with the mirror, you can disable port monitoring/mirroring by executing the following command after running through steps 1-5 again: no port monitor gigabitethernet 1/0/##

Last, if you want to see the status of your mirrored/monitored port, you can do so by executing the following command after repeating steps 1-3: show ports monitor

[Office 365] - Forwarding email from one mailbox to another with ADFS turned on

Synopsis: An employee leaves on personal matters for a month and their department lead requests that their mail be forwarded to their manager.  Typically, mail forwarding would be set up inside of the Exchange console; however, in this case, Exchange is managed by Office 365 (not a hybrid Exchange deployment) and the users are federated to Office 365 via ADFS.  When trying to enable mail forwarding, as outlined in this help document by the Office 365 team http://community.office365.com/en-us/wikis/exchange/how-to-forward-email-in-office-365.aspx, I would receive an error message.

Symptom: When enabling mail forwarding for the user inside of the Office 365 Exchange portal, I received the following error message:

The action 'Set-Mailbox', 'EmailAddresses', can't be performed on the object 'Firstname Lastname' because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Solution:

Personally, I think this is a bug in Office 365, but they say it is because we are on premise (if all of Exchange is managed by them, how can they not enable mail forwarding?).  Anyway, the workaround is to manage the user's mailbox on their behalf and set up forwarding as if you were that user.  See the steps below to achieve the same result:

  1. Login to your Office 365 admin portal.
  2. Click on the Admin dropdown and select Exchange
    Exchange
  3. Once in the Exchange portal, click on your username and select Another user...
    Exchange - Another User
  4. Type in the mailbox you want to edit and click ok
    Select Mailbox
  5. On the "Managing on behalf of" screen, select Forward your email
    Exchange - Forward Your Email
  6. Scroll down to forwarding and type in the email address of the user you want all emails to go to and click start forwarding.  You can optionally select if you want to leave a copy for the user's mailbox or have them silently forwarded.
    Exchange - Start Forwarding
  7. That's it! 🙂

Lync 2013 - DNS Settings

If you are setting up Lync Server for the first time or have been running Lync Server for a while, you will notice that Lync depends heavily on DNS records.  In many cases, a Lync deployment cannot be set up correctly without a split-DNS setup and a masked UPN, which can make things even more tricky.  Here is a complete listing of the DNS records I used to deploy Lync 2013.  I have verified that federation works properly, along with IMs, conferencing, dial-in meetings, mobile and desktop client sign-in, and desk phones.  Note: records indicated in red are those required/standard in every Lync deployment.

Internal DNS Records

Record Type   Value                                Points to
A             lyncdiscoverinternal.mydomain.com    Lync front end server
A             lyncdiscover.mydomain.com            Lync reverse proxy (needed for mobile devices to work internally)
A             lync.mydomain.com                    Lync front end server
A             sip.mydomain.com                     Lync front end server (multiple A records if enterprise pool)
A             dialin.mydomain.com                  Lync front end server
A             meet.mydomain.com                    Lync front end server
SRV           _ntp._udp.mydomain.com               Domain Controller/Time Server
SRV           _sip._tls.mydomain.com               sip.mydomain.com
SRV           _xmpp-server._tcp.mydomain.com       sip.mydomain.com
SRV           _sipinternaltls.mydomain.com         sip.mydomain.com
SRV           _sipfederationtls.mydomain.com       sip.mydomain.com

Note: you should have A records for all of the hosts in your Lync deployment (front end servers, pools, proxies, etc.).  Those are not covered in the list as they are 100% user defined when deploying Lync.

External DNS Records

Record Type   Value                                Points to
A             webconf.mydomain.com                 Edge server IP as specified in setup wizard
A             av.mydomain.com                      Edge server IP as specified in setup wizard
A             sip.mydomain.com                     Edge server IP as specified in setup wizard
A             meet.mydomain.com                    Lync Reverse Proxy IP
A             dialin.mydomain.com                  Lync Reverse Proxy IP
A             lync.mydomain.com                    Lync Reverse Proxy IP
A             lyncdiscover.mydomain.com            Lync Reverse Proxy IP
SRV           _sip._tls.mydomain.com               sip.mydomain.com
SRV           _sipfederationtls._tcp.mydomain.com  sip.mydomain.com
SRV           _xmpp-server._tcp.mydomain.com       sip.mydomain.com
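Added example, not from the original post: resolve every record in the two lists above against an internal and an external resolver and report which ones are missing. mydomain.com and the resolver addresses are placeholders; the SRV names are written with the _tcp/_udp label that Lync clients actually query. Requires the DnsClient module (Windows 8 / Server 2012 or newer).

```powershell
$SipDomain = 'mydomain.com'   # placeholder: your SIP domain

$InternalRecords = @(
    @{ Type = 'A';   Name = "lyncdiscoverinternal.$SipDomain" }
    @{ Type = 'A';   Name = "lyncdiscover.$SipDomain" }
    @{ Type = 'A';   Name = "lync.$SipDomain" }
    @{ Type = 'A';   Name = "sip.$SipDomain" }
    @{ Type = 'A';   Name = "dialin.$SipDomain" }
    @{ Type = 'A';   Name = "meet.$SipDomain" }
    @{ Type = 'SRV'; Name = "_ntp._udp.$SipDomain" }
    @{ Type = 'SRV'; Name = "_sip._tls.$SipDomain" }
    @{ Type = 'SRV'; Name = "_xmpp-server._tcp.$SipDomain" }
    @{ Type = 'SRV'; Name = "_sipinternaltls._tcp.$SipDomain" }
    @{ Type = 'SRV'; Name = "_sipfederationtls._tcp.$SipDomain" }
)
$ExternalRecords = @(
    @{ Type = 'A';   Name = "webconf.$SipDomain" }
    @{ Type = 'A';   Name = "av.$SipDomain" }
    @{ Type = 'A';   Name = "sip.$SipDomain" }
    @{ Type = 'A';   Name = "meet.$SipDomain" }
    @{ Type = 'A';   Name = "dialin.$SipDomain" }
    @{ Type = 'A';   Name = "lync.$SipDomain" }
    @{ Type = 'A';   Name = "lyncdiscover.$SipDomain" }
    @{ Type = 'SRV'; Name = "_sip._tls.$SipDomain" }
    @{ Type = 'SRV'; Name = "_sipfederationtls._tcp.$SipDomain" }
    @{ Type = 'SRV'; Name = "_xmpp-server._tcp.$SipDomain" }
)

# Query each record (bypassing the local cache) and report OK/MISSING with what it points to.
function Test-LyncDnsRecords {
    param([array]$Records, [string]$Server)   # $Server: a specific resolver, or empty for the default
    foreach ($r in $Records) {
        $query = @{ Name = $r.Name; Type = $r.Type; DnsOnly = $true; ErrorAction = 'Stop' }
        if ($Server) { $query.Server = $Server }
        try {
            $answers = Resolve-DnsName @query | Where-Object { $_.Type -eq $r.Type }
            $target = if ($r.Type -eq 'SRV') {
                ($answers | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', '
            } else {
                ($answers | ForEach-Object { $_.IPAddress }) -join ', '
            }
            $status = if ($answers) { 'OK' } else { 'MISSING' }
        } catch {
            $target = $_.Exception.Message
            $status = 'MISSING'
        }
        [pscustomobject]@{ Type = $r.Type; Name = $r.Name; Status = $status; Target = $target }
    }
}

# Internal view: ask your internal DNS server (placeholder address). External view: ask a public resolver.
Test-LyncDnsRecords -Records $InternalRecords -Server '10.0.0.10' | Format-Table -AutoSize
Test-LyncDnsRecords -Records $ExternalRecords -Server '8.8.8.8'   | Format-Table -AutoSize
```

With split DNS, run the internal check from inside the network and the external check from outside; a record that resolves on both sides but to the wrong side's address is the classic cause of sign-in working on the LAN and failing on mobile.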


Deploying a Read-Only Domain Controller with Server 2008 R2

I recently configured an MPLS link to a remote office and noticed the user experience isn't quite what it is at the centralized office.  To help speed up the user experience (response time for domain authentication and DNS resolution), we will go over setting up a Read-Only Domain Controller so users can still authenticate to the domain if the connection between the remote site and the main site goes down, and so a cached copy of DNS exists at the remote site to improve response times in DNS-intensive applications (particularly web browsing).

Requirements

  • Active Directory has been properly configured at a main facility
  • You have servers that are running Windows Server 2003 or later
  • The domain functional level is set to Windows Server 2003 or higher
  • If there are Windows Server 2003 domain controllers in the environment, the Active Directory schema needs to be prepared for RODC installation by running the command: adprep /rodcprep
  • The PDC emulator operations master role should be on a Windows Server 2008 domain controller
    • Execute the following command to find out which machine is the PDC emulator if you are unsure:
      • dsquery server -hasfsmo pdc

Instructions

  1. Deploy a new server (I used Server 2008 R2 in this example).
  2. Open up Server Manager, right click on Roles and select Add Roles
    1. Server Manager - Add Role
  3. Click Next on the Before You Begin screen.
    1. Before you begin
  4. Check Active Directory Domain Services on the Add Roles Wizard and click Next >
    1. Add Role - Select Server Roles
  5. Click Next > on the Active Directory Domain Services screen.
    1. Add Role - ADDS
  6. Click Install on the Confirm Installation Selections screen.
    1. Add Role - Confirmation
  7. Click Close when the installation is done.
    1. Add Role - Results
  8. Click on Active Directory Domain Services once the installation is done, back in Server Manager.
    1. Server Manager - Active Directory Domain Services
  9. Select Run the Active Directory Domain Services Installation Wizard (dcpromo.exe)
    1. Run the active directory domain services installation wizard
  10. Once you see the Active Directory Domain Services Installation Wizard, check the Use advanced mode installation checkbox and click Next >
    1. dcpromo - Use advanced mode installation
  11. Click Next > on the Operating System Compatibility step.
    1. dcpromo - Operating System Compatibility
  12. Check Existing forest, and then check Add domain controller to an existing domain
    1. dcpromo - Deployment Configuration
  13. On the Network Credentials page, type in the name of the domain you want to connect to and then specify the credentials used to add the machine.  These credentials must have at least domain admin privileges to join the DC to the domain.
    1. dcpromo - network credentials
  14. On the select a domain screen, select your domain and click Next >
    1. dcpromo - Select a domain
  15. Select a site and then click Next >
    1. dcpromo - Select a site
  16. On the Additional Domain Controller Options page, check the DNS Server, Global catalog, and Read-only domain controller (RODC) boxes for each of the roles and click Next >
    1. Here is some information on what each of the choices do. This is from the following KB article by Microsoft: http://technet.microsoft.com/en-us/library/cc754629(v=ws.10).aspx
      • DNS server: This option is selected by default so that your domain controller can function as a DNS server. If you do not want the domain controller to be a DNS server, clear this check box. However, if you do not install the DNS server role on the RODC and the RODC is the only domain controller in the branch office, users in the branch office will not be able to perform name resolution when the WAN to the hub site is offline.
      • Global catalog: This option is selected by default. It adds the read-only directory partitions of the global catalog to the domain controller, and it enables global catalog search functionality. If you do not want the domain controller to be a global catalog server, clear this option. However, if you do not install a global catalog server in the branch office or enable universal group membership caching for the site that includes the RODC, users in the branch office will not be able to log on to the domain when the WAN to the hub site is offline.
      • Read-only domain controller. When you create an RODC account, this option is selected by default and you cannot clear it.
    2. dcpromo - Additional Domain Controller Options
  17. On the Specify the Password Replication Policy step, adjust the settings for each group, specifying if you want to cache user credentials on the Read-Only domain controller.  In this tutorial, I left all of the options Deny except the Allowed RODC Password Replication Group, which is default per Microsoft.  Click Next > once you have determined the settings you want to use.
    1. dcpromo - Specify the Password Replication Policy
  18. On the Delegation of RODC Installation and Administration step, click the Set... button and select either a user or security group of users that you wish to have Administrative access to the read-only domain controller.  If this is a remote office where you have a designated IT member(s), you would want to create a security group on your read/write DC and then select the group.  However, if you will always know only one individual will login to the RODC, you can specify their user as the one to have local Administrative privileges.  Lastly, if you don't want anyone to be able to mess with the RODC, you can simply click Next > and that will only allow members of the Domain Admins or Enterprise Admins security groups to manage the RODC.  Click Next > once you have decided what security group or user you wish to allow local administrative access to the machine.
    1. dcpromo - Delegation of RODC Installation and Administration
  19. Click Next > on the Install from Media screen to pull the most current information from one of your active domain controllers.
    1. dcpromo - Install from media
  20. Click Next > on the Source Domain Controller screen to let the wizard choose an appropriate domain controller to replicate from.  If you prefer replication from a specific machine, you may check the Use this specific domain controller box, select the machine from the list, and then click Next >.
    1. dcpromo - Source Domain Controller
  21. Click Next > on the Location to store the Database, Log Files, and SYSVOL; unless you wish to relocate those files to a separate partition.
    1. dcpromo - Location for database - log files - sysvol
  22. On the Directory Services Restore Mode Administrator Password step, enter a strong password to be used in the event you need to put the DC in restore mode.
    1. dcpromo - Directory Services Restore Mode Administrator Password
  23. At this point, you can export the settings to make an answer file or you can click Next > for the server to begin applying the configuration.
    1. dcpromo - summary
  24. Click Finish once done and Restart when prompted.

Upon restart, you should be good to go!  I would recommend running the Microsoft Best Practices Analyzer and checking the Windows event logs to ensure everything is in order.
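Added example, not from the original post: the answer-file route mentioned in step 23, for promoting further RODCs unattended with the same choices as the walkthrough above (DNS server, global catalog and RODC roles, the default password replication policy, and a delegated admin group from step 18). Domain, site, account and group names are placeholders.

```powershell
# dcpromo unattend file. Lines starting with ";" are comments, as in the file the wizard exports.
$Unattend = @"
[DCInstall]
; Promote this server as a read-only replica of an existing domain (steps 12-15)
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=mydomain.local
SiteName=RemoteOffice
; Step 16: DNS server and global catalog on the RODC
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
; Step 13: account used to add the RODC. "*" makes dcpromo prompt rather than storing it here.
UserDomain=mydomain.local
UserName=dcpromo-admin
Password=*
; Step 17 is left at the default policy, so no PasswordReplicationAllowed/Denied keys.
; Step 18: group granted local administration of this RODC
DelegatedAdmin=mydomain\RemoteOffice-RODC-Admins
; Step 21: default database, log and SYSVOL locations
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
; Step 22: DSRM password, filled in immediately before running
SafeModeAdminPassword=
; Reboot is done below, after the file has been removed
RebootOnCompletion=No
"@

$path = Join-Path $env:TEMP 'rodc-unattend.txt'
Set-Content -Path $path -Value $Unattend -Encoding ASCII
# Once SafeModeAdminPassword is filled in this file holds a secret: run, remove, then reboot.
dcpromo.exe /unattend:$path
Remove-Item -Path $path -Force
Restart-Computer
```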