Lync 2013 / 2010 – Public Edge Certificate missing its private key

Recently I have seen the issue of a public certificate missing its private key on import. The situation is this: you create the required .req for your public certificate on the Edge server and send the details off to your certificate authority of choice. Once they create and return the .crt file and the necessary trusted root and intermediate certificates, you import them onto the Lync Edge server, only to find that the 'sip.<domainname>.com' certificate is missing its private key.

Why would this be the case when you originally generated the request on the Lync Edge server? At the moment the only reason I can see is that another certificate with the same name has previously been imported onto the server. Apart from that, I cannot find any other logical reason why the newly imported certificate sometimes lacks its private key.

If you are in this position, the simple fix is as follows:

– On the imported certificate without the private key, double-click the certificate to show the information associated with it. Click on the Details tab and look for the field called 'Serial' (the serial number). Copy the serial into Notepad and remove the spaces, i.e.:

Was: 5a 12 6e 7e ee 11   Amended: 5a126e7eee11

Now, still on the Edge server, open a command prompt and type the following:

certutil -repairstore my <amended serial number>

e.g. certutil -repairstore my 5a12637e11

Press Enter to run it.

You will then be presented with the certificate information and confirmation that the repair was successful.

Now if you go into the certificate store and refresh, you will see the certificate now has its private key.

At this point you can go back to your Lync Deployment Wizard and assign the public certificate to your Edge server.
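The same repair from PowerShell, as an added example that is not part of the original post: it lists the certificates in the machine Personal store that have no private key, then runs certutil -repairstore for the one you pick and confirms the key is linked. Function names are my own; the cmdlets and certutil switch are standard Windows.

```powershell
# Added example (not from the original post): list certificates in the local
# machine Personal ("my") store that have no private key and repair the chosen
# one with certutil -repairstore. Run in an elevated PowerShell on the Edge
# server where the original .req was generated; certutil can only re-link a
# key that still exists in that machine's key container.
function Get-CertWithoutPrivateKey {
    param([string]$StorePath = 'Cert:\LocalMachine\My')
    Get-ChildItem -Path $StorePath |
        Where-Object { -not $_.HasPrivateKey } |
        Select-Object Subject, NotAfter, Thumbprint, SerialNumber
}

function Repair-CertPrivateKey {
    param(
        [Parameter(Mandatory = $true)][string]$SerialNumber,
        [switch]$WhatIf
    )
    # .NET already exposes the serial as a hex string without spaces; strip any
    # spaces anyway in case the value was pasted from the MMC Details tab.
    $serial = $SerialNumber -replace '\s', ''
    if ($WhatIf) {
        Write-Host "Would run: certutil -repairstore my $serial"
        return $false
    }
    & certutil.exe -repairstore my $serial | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil failed (exit code $LASTEXITCODE) for serial $serial"
    }
    # Re-read the store and confirm the key is now linked. More than one hit
    # means a duplicate with the same serial, the situation the post suspects.
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.SerialNumber -eq $serial }
    return (@($cert | Where-Object { $_.HasPrivateKey }).Count -gt 0)
}

# Show the candidates first, then repair only the sip.<domain> certificate.
# Drop -WhatIf once the listed certificate is the one you expect.
$candidates = Get-CertWithoutPrivateKey
$candidates | Format-Table -AutoSize
$candidates |
    Where-Object { $_.Subject -like 'CN=sip.*' } |
    ForEach-Object { Repair-CertPrivateKey -SerialNumber $_.SerialNumber -WhatIf }
```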

Job Complete

Thanks

Iain S

Lync 2013 – Masking Information from Monitoring Reports – Video Config Guide

Hello all

This is a video guide on how to change information in the back-end SQL Monitoring database which has been added via Lync CDR records.

In the video scenario, what we want to achieve is that some caller information and a certain callee have to be removed from all records within the Monitoring database. For example, say your company has a whistle-blowing programme where an employee can advise a team of any internal wrongdoing within the company. The information about who actually called the whistle-blowing number would be sensitive, and could jeopardise the callee.

I hope this helps.

Regards

IainS

Lync 2013 – Move Response Groups from Lync 2010 to Lync 2013

In this blog post are the details of what's needed to move your Lync 2010 Response Groups over to Lync 2013. In truth there isn't much to it really, just a couple of PowerShell commands.

To start with, run the Get command to pull information from your Lync topology about the Response Groups.

For example:

Get-CsRgsConfiguration, then enter your pool (<FQDN of your Lync 2010 pool>). This will bring back details about the Response Group application associated with Lync 2010.

The next step is to back up the Response Group information, just in case anything goes wrong. In order to back up your Response Groups you need to make sure you have the Lync 2010 Resource Kit tools installed. After you have the tools installed, within your Lync Management Shell change directory to where you installed the Resource Kit and then run:

Import-Module .\RgsImportExport.ps1

This will load the PowerShell module so that you can interact with the Response Group service of Lync 2010. The next step is to run the export command to export the configuration:

Export-CsRgsConfiguration <service:poolFQDN> -FileName <path and file name for backup>

Example: Export-CsRgsConfiguration ApplicationServer:pool01.northernlync.local -FileName "C:\Lync_NLRgsConfig.zip"

Once this has exported, we are ready to migrate the Response Groups over from Lync 2010 to Lync 2013.

In the Lync Management Shell again, run the following:

Move-CsRgsConfiguration -Source <Lync 2010 Pool FQDN> -Destination <Lync 2013 Pool FQDN>

e.g. Move-CsRgsConfiguration -Source lyncse01.northernlync.local -Destination lync13pool.northernlync.local

Once this is complete, finally run a few commands in the Lync Management Shell to confirm the migration of the groups:

Get-CsRgsAgentGroup (ensure everything returned by the three commands below is now pointing to the Lync 2013 environment)

Get-CsRgsQueue

Get-CsRgsWorkflow
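The backup, move and verification steps above as one script, added here as an example and not part of the original post. The pool FQDNs are the post's lab names, $RgsToolsPath is an assumed Resource Kit install path, and the check at the end assumes the OwnerPool property on Response Group objects holds the pool FQDN.

```powershell
# Added example (not from the original post): back up the Lync 2010 Response
# Group configuration, move it to the Lync 2013 pool and verify nothing is
# still owned by the old pool. Run from the Lync Management Shell.
param(
    [string]$SourcePool      = 'lyncse01.northernlync.local',    # post's lab name
    [string]$DestinationPool = 'lync13pool.northernlync.local',  # post's lab name
    [string]$RgsToolsPath    = 'C:\LyncResKit\RgsImportExport',   # assumed path
    [string]$BackupFile      = 'C:\Lync_NLRgsConfig.zip'
)

# Step 1: confirm the Lync 2010 pool actually hosts a Response Group application
Get-CsRgsConfiguration -Identity "service:ApplicationServer:$SourcePool" | Format-List

# Step 2: back up with the Resource Kit module before touching anything
Import-Module (Join-Path $RgsToolsPath 'RgsImportExport.ps1')
Export-CsRgsConfiguration "ApplicationServer:$SourcePool" -FileName $BackupFile
if (-not (Test-Path $BackupFile)) {
    throw "Backup file $BackupFile was not created; stopping before the move."
}

# Step 3: move workflows, queues and agent groups to the Lync 2013 pool
Move-CsRgsConfiguration -Source $SourcePool -Destination $DestinationPool

# Step 4: anything still reporting the old pool as owner was not moved.
# Assumption: OwnerPool holds the pool FQDN.
function Get-RgsStillOnSource {
    param([string]$Source)
    $left = @()
    foreach ($cmd in 'Get-CsRgsAgentGroup', 'Get-CsRgsQueue', 'Get-CsRgsWorkflow') {
        & $cmd | Where-Object { $_.OwnerPool -eq $Source } | ForEach-Object {
            $left += [pscustomobject]@{
                Type      = $cmd -replace '^Get-CsRgs', ''
                Name      = $_.Name
                OwnerPool = $_.OwnerPool
            }
        }
    }
    return $left
}

$remaining = Get-RgsStillOnSource -Source $SourcePool
if ($remaining) {
    Write-Warning "These objects still point at ${SourcePool}:"
    $remaining | Format-Table -AutoSize
} else {
    Write-Host "All Response Group objects are now owned by $DestinationPool"
}
```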

That's it.


Lync 2013 – RTCSRV Frontend Service failing to start “showing as starting” PART 2 Certificate Store issue

Hello All

Here we are again for another blog post on a similar issue to one I posted about previously, which was the RTCSRV service on the Lync 2013 Front Ends not starting.

This particular post relates to the same RTCSRV service, but this specific issue is Windows Server 2012 / R2 build centric.

OK, so what was the problem? In both Standard and Enterprise Edition builds you've run through each element without issue, then you come to starting the services and bam, all of the services start apart from RTCSRV, which sits cycling on 'starting'. The first port of call for any issue like this is the event logs. At this point I was expecting the same damn issue with the quorum recovery, due to the Lync build still being RTM (not patched).

So after a quick glance at the event logs I applied the updates to the topology (the Jan 2014 updates). I then tried starting the services again, and again RTCSRV was stuck cycling. At this point I jumped back to the event logs, as I've found that once past the Lync RTM build the information becomes a lot richer in content. As it happens this was the case: there was an error in the logs around certificates. Yet my installation was using an internal CA, so why should I be getting these errors?

I checked the internal CA for correct marking and trust, which all checked out OK, and then my next step was around certificates in general and the way Windows 2012/R2 sees them differently. What I mean by this is that the certs in the Personal, Intermediate and Trusted Root stores on Windows Server 2008 R2 could in some cases be totally wrong and the Lync services would still start without issue. In Windows 2012/R2, Microsoft has done a lot of work around the certificate stores and put much stricter requirements on them. For example, having an intermediate cert in the Trusted Root store will throw an error in the event log; having duplicate trusts in the root store will throw an error in the event log; and so on.

So what was the issue in my case? It was one I had seen before in a deployment, and one which was totally unrelated to Lync and the Lync RTCSRV service.

In the Trusted Root store all certificates have to have a matching subject and issuer name (in other words they must be self-signed roots), or again an error will be thrown. AND having such an issue will stop the RTCSRV service from starting for Lync!!! Crazy, you might say!

***What does Microsoft say about this? Below is the event log error in question.

So to find this out there is a simple PowerShell command to run to identify the mismatched subject/issuer information on the trusted root certs:

Get-ChildItem cert:\LocalMachine\root -Recurse | Where-Object {$_.Issuer -ne $_.Subject} | Format-List * | Out-File "c:\temp\certinformation.txt"

Once you have the information from your txt file, jump over to MMC and the certificate store, locate these certs in the Trusted Root store and move them to the Intermediate store. Once you've completed this, close PowerShell and reopen it so the certificate provider re-reads the stores, then rerun the command. This time around you should have no information in your txt file.

Now if you're running Standard Edition, simply start your Front End services. If you're running Enterprise Edition, I would personally run the quorum recovery command to bring your Front Ends into sync; this will also start the services.
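The same check, plus the move to the Intermediate store, scripted as an added example that is not part of the original post. It reports by default and only moves certificates when -Fix is given; function names are my own, the store operations use the standard .NET X509Store API.

```powershell
# Added example (not from the original post): report certificates in the
# Trusted Root store whose Issuer differs from Subject (a root must be
# self-signed, so these belong in the Intermediate store) and, only with -Fix,
# move them there via the .NET X509Store API. Run elevated on the Front End.
function Get-MisplacedRootCert {
    Get-ChildItem -Path Cert:\LocalMachine\Root |
        Where-Object { $_.Issuer -ne $_.Subject }
}

function Repair-RootStore {
    param([switch]$Fix)
    $misplaced = @(Get-MisplacedRootCert)
    if ($misplaced.Count -eq 0) {
        Write-Host 'Trusted Root store is clean: every certificate is self-signed.'
        return 0
    }
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $ca   = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA',   'LocalMachine')
    $root.Open('ReadWrite')
    $ca.Open('ReadWrite')
    try {
        foreach ($cert in $misplaced) {
            Write-Host ("{0}`n    issued by: {1}`n    thumbprint: {2}" -f $cert.Subject, $cert.Issuer, $cert.Thumbprint)
            if ($Fix) {
                $ca.Add($cert)        # copy into Intermediate Certification Authorities first
                $root.Remove($cert)   # then remove it from Trusted Root
            }
        }
    } finally {
        $root.Close()
        $ca.Close()
    }
    return $misplaced.Count
}

# Same report as the post's one-liner, saved to a file for the change record
Get-MisplacedRootCert | Format-List Subject, Issuer, NotAfter, Thumbprint |
    Out-File 'C:\temp\certinformation.txt'

# Dry run first; re-run with -Fix, then open a new PowerShell and check that
# Repair-RootStore returns 0 before starting RTCSRV.
$count = Repair-RootStore
Write-Host "$count certificate(s) in Trusted Root are not self-signed."
```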

That's it. I hope this has helped others out.


Lync 2013 – Force the Lync client to always ‘show User Picture’ – video guide

Good Morning

This blog post and video guide describe how to force the Lync 2013 client to always show the end user's Lync picture, even after the user has changed the setting not to show it.


To put a little background around this: as with Lync 2010, Lync 2013 does not have the ability to block or stop a user from deselecting the option of showing their Lync picture. This picture element is something I'm asked about many times while working with customers.

I know this is something we would all like as an option, but as of today, and as far as I'm aware, this isn't something close to Microsoft's heart in fixing or providing a solution for.

Also to confirm, there isn't any policy you can assign or registry setting you can apply to block the user changing this setting. So what is the solution and where is this setting stored? Well, it's not in the xds database; it's actually stored within the Front End's rtclocal database.

So to confirm before you go any further in the blog: I'm pretty certain that this solution will be one that's unsupported by Microsoft, and also one that, as we are going to change rtclocal, will be seen as a 'borderline' hack. I would also like to point out that I've run this within my lab without issue for some time; however I would suggest you test it within your lab before you embark on using it in your production environment. <remember I hold no responsibility> 🙂

OK, now the small print is out of the way, what is the fix? Within rtclocal there is a table called PublishedStaticInstance which has a field (Data) that holds a large binary value. Part of the challenge is converting that binary into something readable that we can update.


Under the covers, what this binary value contains is the element displayADPhoto, set to true or false.

So the update checks this status and changes it accordingly wherever it is false.

As this runs against rtclocal, the guide runs it via a scheduled task executing a .ps1 PowerShell script. The SQL only checks the last 15 minutes of changes, to reduce locks and database processing, and the scheduled task I've created runs every 15 minutes, so between the two you will never be out of sync with what a user is doing. (You could run this script more regularly than every 15 minutes, but given the requirement I think 15 is a good happy medium.)

As for the SQL command, some thanks go out to the TechNet community, as understanding the converts within the SQL was a slight challenge.

PS1 script:

# Requires the Lync Management Shell cmdlets and the SQLPS module (Invoke-Sqlcmd)
function Enable-UserPhotos ($Domain, $OffSet) {
    # Every Front End in this server's pool has its own RTCLOCAL instance, so run the update on each
    (Get-CsPool (Get-CsComputer "$(hostname).$Domain").Pool).Computers | % {
        # Flip displayADPhoto from false to true for rows published in the last $OffSet minutes
        Invoke-Sqlcmd -Query "update rtc.dbo.PublishedStaticInstance Set Data = CONVERT(image,convert(varbinary(4000),REPLACE(convert(varchar(4000),convert(varbinary(4000),Data)),'<displayADPhoto>false</displayADPhoto>','<displayADPhoto>true</displayADPhoto>'))) where [LastPubTime] >= DATEADD(mi,-$($OffSet),getdate()) AND convert(varchar(4000),convert(varbinary(4000),Data)) like '%<displayADPhoto>false</displayADPhoto>%';" -ServerInstance "$($_)\RTCLOCAL"
    }
}
Enable-UserPhotos -Domain 'your domain name here' -OffSet 15
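Before scheduling an UPDATE against rtclocal, a read-only preview of the rows the script above would touch is worth having; this is an added example, not part of the original post, using the same conversion chain and the same $Domain/$OffSet meaning, and it changes nothing.

```powershell
# Added example (not from the original post): read-only preview of the rows that
# Enable-UserPhotos would change, queried on every Front End in this pool.
# Assumes the SQLPS module (Invoke-Sqlcmd) and Lync cmdlets are loaded.
function Get-UserPhotoOptOut ($Domain, $OffSet) {
    # Same SELECT filter as the post's UPDATE, but only reading
    $query = @"
SELECT [LastPubTime],
       convert(varchar(4000), convert(varbinary(4000), Data)) AS DataText
FROM   rtc.dbo.PublishedStaticInstance
WHERE  [LastPubTime] >= DATEADD(mi, -$OffSet, getdate())
  AND  convert(varchar(4000), convert(varbinary(4000), Data))
       LIKE '%<displayADPhoto>false</displayADPhoto>%';
"@
    $pool = Get-CsPool (Get-CsComputer "$(hostname).$Domain").Pool
    foreach ($fe in $pool.Computers) {
        Invoke-Sqlcmd -Query $query -ServerInstance "$fe\RTCLOCAL" | ForEach-Object {
            # Pull out just the element we care about rather than the whole blob
            $state = 'n/a'
            if ($_.DataText -match '<displayADPhoto>(\w+)</displayADPhoto>') { $state = $Matches[1] }
            [pscustomobject]@{
                FrontEnd       = $fe
                LastPubTime    = $_.LastPubTime
                DisplayADPhoto = $state
            }
        }
    }
}

# Placeholder domain, as in the post; an empty result means the scheduled task has nothing to do
Get-UserPhotoOptOut -Domain 'your domain name here' -OffSet 15 | Format-Table -AutoSize
```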

KEY TAKEAWAYS

Remember the script is changing the rtclocal database on the Front End, and this will be seen as not supported by Microsoft!

Video guide below.

Thanks!

Iain Smith

Lync 2013 – Ferrari Virtual SBC ‘Video’ Installation Guide against SIP trunk from PureIP

Hello All

Following the news from Ferrari that the new virtual SBC, OfficeMaster Gate, was available as a trial, I thought I would take the opportunity of deploying and configuring the gateway with a connection to my SIP trunk from the provider PureIP.

Instead of the normal line-by-line installation guide, this time around I've completed a video guide of the actual installation and also the call testing.

The video was recorded using CamStudio, and the audio was captured using a Plantronics Blackwire 710 headset.

Details about the Ferrari Electronic company can be found here: http://www.ferrari-electronic.com/en/products/officemaster-gate.html

For a trial installation of the Ferrari OfficeMaster gateway you need to contact Ferrari at info@ferrari-electronic.de

Details about the SIP trunk provider PureIP can be found here: http://www.pure-ip.co.uk

The key takeaway for me was that the gateway is different to other vendors' gateways, in that with the Ferrari appliance you complete the configuration via a GUI rather than a web portal on the appliance. The configuration was straightforward and nothing too taxing. One thing of interest to me was that the gateway can work in single-NIC mode or in dual-NIC mode, handing off between NICs (similar to how a Lync Edge server hands over from the internal NIC to the external NIC).

Also, I think there is a wording issue on the tabs while setting up the routing, as one tab says 'Calls from ISDN' when in fact it should say 'Calls to ISDN'.

All in all, I was really pleased with the setup and installation of the gateway, and I look forward to getting my hands on the new physical appliance being released in Q1 2014.

Below is the video installation setup.

Thanks Iain Smith – NorthernLync

Lync 2010/2013 – Dect Headset Review (Sennheiser DW Office, Logitech h820e, Jabra 9470pro)

Hello

The below is an unbiased view of three DECT headsets that are all certified and compatible with Lync 2013 and Lync 2010.

Using the same metrics/categories as I did with the Bluetooth device review, I will score each headset on the following metrics, plus also give a pros and cons synopsis including an RRP pricing guide.

The three categories are: Sound, Functionality, Usability.


(Left to right, Sennheiser DW office, Logitech h820e, Jabra 9470pro)

Dect Headset No1

Sennheiser DW Office

  • Sound – There is one thing to say about all the Sennheiser devices I've used and reviewed: ALL have the best sound quality across the UC field. Again, like the Sennheiser Bluetooth Presence device, the sound quality is crystal clear. I've been using a DW Office now for many months, and as the other two DECT headsets have been released I've used them for weeks at a time, but it must be said it has never once crossed my mind to replace the DW Office. Simply put, it's head and shoulders above the Logitech DECT headset for sound. I've used this DECT device in my daily job accepting calls from SIP connections/PSTN and mobile, and the device has never missed a beat.
  • Functionality – All three headsets almost mirror each other on basic functionality, with some having nice little extras over the others. For me the Sennheiser has a couple of neat features. One – it does not need a power supply to feed it an electric current; it is happy to use the USB connection to the base to power it (it's worth noting this is the only DECT headset in the review which can do this). Two – the device can also twin and connect to a desk phone for better-together capabilities. Three – you can twin up to 4 headsets to one base station (this works well for training purposes etc.). Four – it can be connected to your mobile/cell phone as well as being a Lync headset.
  • Personally, a trick the Sennheiser doesn't have, which in my opinion would have been the icing on the cake, is a ringer in the base unit. More and more companies are not buying new desktop machines with sound cards and speakers these days, to cut down on hardware costs. If the DW Office had the ringer function it would be perfect. I would hate to think one of my clients dismissed this excellent device due to a lack of ringing from the base unit. (Note: only the Jabra DECT device has a ringer in the base unit, but sadly that lacks in other areas.)
  • Usability – I can sit with the headset on for hours and sometimes I even forget I'm wearing it until I'm reminded :). There is comfort and quality all around this headset. On first opening the box you might find the boom arm is very close to your cheek; this is by design, and within the box is what Sennheiser calls a cheek deflector, a little piece of plastic which snaps onto the start of the boom arm and moves the arm away from your face. The ear piece is leather and very comfortable to wear.
    DECT range: line of sight 134 metres, within an office (no line of sight) 46 metres.
  • Unbiased Verdict – The quality is what you would expect from Sennheiser devices: excellent sound and build. I wish it had a ringer in the base unit, as this would in my opinion be the perfect all-round product. The price point of this DECT headset is the most expensive and could be seen as too expensive by some.
  • RRP – £299
  • Link http://en-uk.sennheiser.com/wireless-headset-office-hands-free-dect-dw

Release date: available now.

Dect Headset No2

Logitech h820e

  • Sound – When I first saw this headset at the UC Expo in London in March, I couldn't wait to get one of these devices to test and ultimately use in my day-to-day job. Oh, how disappointed I was with this device when I received it. The sound is just awful; the boom arm and mic are super sensitive to the point where you can't stop the sensitivity (this is the same with the USB wired version). You literally have to move the flexible boom arm to a right angle to stop the sound distortion. Even turning the sound down to the minimum setting within Lync makes no difference.
  • Functionality – Barring the sound issue, functionally the headset has a unique feature of showing in-call presence at the back end of the boom arm; this in itself is a nice feature, as when the headset is in use people can see you're on a call. As with the Sennheiser device, this DECT device also doesn't have a ringer option within the base unit. When the headset isn't being used you dock it vertically back onto the base unit, and there have been a few times where I thought it was docked but, due to it being placed into the dock misaligned, it never charged and wasn't good enough to use on my next call.
  • Usability – The headset is really comfy with nice big leather ear pads and a leather headband. Logitech have really thought about the comfort of this headset and it is as good if not better than the Sennheiser and Jabra devices. DECT range: line of sight 64 metres, within an office (no line of sight) 31 metres.
  • Unbiased Verdict – I can imagine the Logitech guys sitting round a meeting room table and saying 'we have X amount of budget, how do we use it…'; I think they spent 85% on comfort, and the remainder on the actual base unit, headset and packaging. If there is one saving grace for the Logitech device it's the price: it's unbelievably cheap for a DECT headset. You won't find a cheaper DECT headset on the market. The downside is the sound; it's a massive issue with this headset. Sort the mic sensitivity, Logitech!! Fix this and you will have a great UC device at a very good price.
  • RRP – £139.
  • Link – http://www.logitech.com/en-gb/product/wireless-headset-mono-h820e-business

Jabra 9470 Pro

  • Sound – The sound from this headset is really good, nothing really to complain about. On using it I hear no white noise or distortion, and the difference between the Pro 9470 and the Sennheiser DW Office is that the DW's sound is more digital and clear. That said, if I'd bought the Pro 9470 I would be happy to use it day to day.
  • Functionality – The design of both the base unit and the headset is nice. I like the base unit's LCD touch display, which enables you to flip connections from desktop to Bluetooth/mobile phone. ALSO it has the ringer, which I really like and one I see customers asking for more and more. As for the headset, it fits nicely with large leather ear pads, and it also feels light on your head.
  • Usability – I used the Pro 9470 as my device of choice before I received the DW Office. If the sound was just a little bit clearer I would be hard pressed to choose between these devices. I can't emphasise enough how useful the ringer feature is.
  • Unbiased Verdict – This is a really good bit of kit, and one I would recommend to a client. There is nothing I can fault.
  • Overall Verdict

This is a relatively simple verdict, if you see it as gold, silver and bronze awards. In third place is the Logitech h820e, because of its poor sound offering. In joint first place are the Jabra Pro 9470 and the Sennheiser DW Office. The reason I can't make a distinction between these devices is as follows. For the Jabra Pro, I can't fault the device in any way; I like the base ringer option and the base LCD touch display, plus the device is £100 cheaper than the Sennheiser DW Office. For the Sennheiser DW Office I can't get away from the quality sound and hardware, and with the ability to add additional headsets to the base unit it's perfect for training purposes. The downside for me is the price: you have to have deep pockets to afford a few of these if you are a customer.

– If you are a person who wants the best sound quality then in my opinion the Sennheiser DW Office is the best

– If you are a person on a limited budget and aren't bothered by having the boom arm at a right angle, the Logitech is a good match

– If you are a person who wants a comfort fit with good sound quality and a long range of connectivity then the Jabra Pro 9470 is the one

Thanks for reading.

Regards

Iain Smith

Lync 2013 – Configuration Guide for using JetNEXUS Appliance as Reverse Proxy

Hello

A couple of weeks ago I created a detailed blog about life after TMG and what offerings there are in the way of a reverse proxy for Lync going forward. In that blog post I mentioned IIS ARR and KEMP as options, but failed to mention JetNEXUS. Sorry JetNEXUS!! So for that reason, as a small 'sorry', I've given headspace to building one of their appliances in my lab to use as a RP against Lync 2013.

Also, for the people in the UK who are unsure about the supportability of other vendors' appliances, I can confirm that JetNEXUS are primarily based within the UK, with their HQ in Buckinghamshire.

Thanks to Gary Christie for supplying me with the license and details needed.

As usual, the below is the lowdown on my lab environment for this blog:

DC = Win2008r2, AD level 2008r2

Lync 2013 SE, running on Windows2012

Windows 7, running the Lync 2013 Client

Peripheral devices for testing: iPhone 5 running iOS 7 beta 5, Windows Phone 8

STEP 1 – Creating the virtual Jet appliance. For this I'm running the Hyper-V version of the appliance.

In Hyper-V Manager, right-click on the server and select Import Virtual Machine.


Once you've selected the import option, go to the folder containing the ALB-X subfolders, which in my case is C:\Users\SMITIAI\Downloads\jetNEXUS ALB-X VA\ ****NOTE: if you don't unpack the folder first you won't find the VMs!

'Next' through the screens until you get to the import type screen. At this point click "Copy the virtual machine (create a new unique ID)".


‘Next’ through the rest of the screens until you can select the finish button.

Once your Jet appliance is imported, select Connect and start the VM.


STEP 2 – Configuration of the base IP settings

The simplest way to configure the initial install is to use the Jet Discovery software which comes with the appliance. Simply open the .exe and it will find your running appliance (Jdiscover.exe is in the same folder as the VMs, and at the time of writing the version is 3.6.1).

****Just to point out something completely bizarre at this point. On start-up the appliance automatically takes an IP address from DHCP, and in my case it found DHCP and assigned itself the IP xxx.xxx.1.204, which was/is the same IP my Lync 2013 SE is running on!!?? Odd. To get round this I had to take the SE down to allow the appliance to finish starting up, then I could change the IP on the appliance. Look out for this little gotcha.

Back to running the .exe: as stated, it will find the RP automatically, and at this point you can make the necessary changes to the base config.


Once you've applied the required settings, right-click and select 'connect to webportal'.

At this point the installation is complete. The next step is the RP configuration.

STEP 3 – Setting up the RP as a Lync Reverse Proxy

Navigate to the IP address you specified plus the port number 27376, e.g. 192.168.1.223:27376


Then enter the username and password (the default username is admin, password is jetnexus).

You will then jump into the jetNEXUS portal. The first thing I'm going to do in the portal is change the password to a more sensible one. To do this, navigate to Configure > Security on the left-hand pane.


Now onto further config work. Going to Setup > Appliance on the left-hand pane, I want to make sure my IP address for the RP is attached to the eth0 port.


If you do need to make any changes, you just double-click into the IP, Subnet etc. to amend. Nice feature! (Don't forget to press Update.)

I'm now going to add the default gateway to the RP.


At this point nothing too taxing has taken place, so onto loading a jetpack. (A jetpack is a prebuilt configuration pack which you can get for Lync Front End load balancing, Lync Edge load balancing (both internal and external), Exchange 2010/2013 load balancing and, last of all, Lync Reverse Proxy.)

Now to add the jetpack to my RP. To do this navigate to Advanced > Software Update. Of course you will need to have created/downloaded a jetpack first!

I'm going to use the standard Lync RP jetpack, then tweak it to suit my needs.


Now onto tweaking the appliance for my Lync environment.

Back to Setup > IP Services.


Let's now move onto importing our SSL cert to bind to the RP.

To do this you need to navigate to Configure, then SSL.

Select Import and select your cert.


Now let's bind the cert to the RP. Go back to Setup > IP Services, select the Actions tab, then select SSL and use the dropdown to add your cert.


Now go back and check your connection.


And finish.

I must say this was the easiest of all the reverse proxy appliances to set up for Lync. Using the Lync RP template was a breeze. Well done JetNEXUS; it was a simple setup and one I would recommend in the future.

Regards

Iain Smith

Lync 2013 – Enabling Sharepoint SkillSearch within the Lync Client

Happy Lunchtime

Thursday's one-a-day lunchtime blog post

In this blog we will look at how to enable SharePoint skill searching within the Lync 2013 client. This is super simple to implement, as it's only four PowerShell commands.

Step 1

Log in to one of your Front End Lync servers (if you are EE).

Open the Lync Management Shell.

First, run a simple Get command to get an understanding of what's already within the client policy.

Using PS, type Get-CsClientPolicy


You will see the information associated with each identity. For this blog post I will be adding the SharePoint settings to the global policy.

With this in mind, run the below PS commands, specifying your SharePoint portal information:
Set-CsClientPolicy -Identity Global -SPSearchInternalURL http://<server>.<domain>/_vti_bin/search.asmx
Set-CsClientPolicy -Identity Global -SPSearchExternalURL http://<server>.<domain>/_vti_bin/search.asmx
Set-CsClientPolicy -Identity Global -SPSearchCenterInternalURL http://<server>.<domain>/SearchCenter/Pages/PeopleResults.aspx

Set-CsClientPolicy -Identity Global -SPSearchCenterExternalURL http://<server>.<domain>/SearchCenter/Pages/PeopleResults.aspx

***It's worth opening each URL in IE before you write these into the policy.
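The URL check and the four policy settings as one script, added here as an example and not part of the original post. The SharePoint server name is a placeholder, the function name is my own, and the external URLs are only checked from the inside, so this does not prove external reachability.

```powershell
# Added example (not from the original post): confirm each SharePoint search URL
# answers before writing it into the global client policy, then read the policy
# back. Needs PowerShell 3.0+ (Invoke-WebRequest) and the Lync Management Shell.
$spServer = 'sharepoint.northernlync.local'   # placeholder server name
$urls = @{
    SPSearchInternalURL       = "http://$spServer/_vti_bin/search.asmx"
    SPSearchExternalURL       = "http://$spServer/_vti_bin/search.asmx"
    SPSearchCenterInternalURL = "http://$spServer/SearchCenter/Pages/PeopleResults.aspx"
    SPSearchCenterExternalURL = "http://$spServer/SearchCenter/Pages/PeopleResults.aspx"
}

function Test-SPSearchUrl {
    param([string]$Url)
    try {
        # SharePoint normally wants Windows auth, so pass the current credentials
        $resp = Invoke-WebRequest -Uri $Url -UseDefaultCredentials -UseBasicParsing -TimeoutSec 15
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "$Url : $($_.Exception.Message)"
        return $false
    }
}

# Stop before touching the policy if any URL does not answer
$bad = @($urls.GetEnumerator() | Where-Object { -not (Test-SPSearchUrl $_.Value) })
if ($bad.Count -gt 0) {
    throw "Fix these settings before changing the policy: $($bad.Key -join ', ')"
}

# Splat the four settings into a single Set-CsClientPolicy call on the global policy
Set-CsClientPolicy -Identity Global @urls

# Confirm what the clients will receive
Get-CsClientPolicy -Identity Global | Select-Object SPSearch*
```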

Once you've completed this, log out of your Lync client, kill the Lync client process, then log back in. Now, using Ctrl + right-click, open the Lync Configuration Information option.

Ensure that the paths are being picked up by the client.

Now in the Lync client type a search, e.g. 'Application Development', and select 'Skills'.

If a lot of entries are returned you will see the option at the bottom of the Lync client to open the results within SharePoint.

And that’s it…

Same time tomorrow for Friday's lunchtime blog.