Lync 2013 Deployment – Standard Edition

Starting with a single Standard Edition Lync Server in a fresh Active Directory forest, future articles will build on this deployment with additional components such as Group Chat, Edge Services and Exchange Server integration.

Throughout this series of articles the same basic instructional flow is used as in other articles on this site.  Although it may not have been obvious, the use of bulleted items is intentional: steps starting with a bullet are typically mandatory to reach the level of installation completion the article intends to provide, while normal paragraphs without bullets cover optional steps that explain a previous action in more depth or install optional tools used for knowledge transfer.  This format makes it easier to skim the article when repeating an installation.

Environment

For these articles specific to Lync Server 2013 a new lab environment has been created which is nearly identical to the one used in the previous Lync Server 2010 articles.  One important change worth noting is that the internal Active Directory namespace is now schertz.name rather than the previously used schertz.local.  This follows the newer best practice of moving away from non-public Top Level Domain (TLD) names, which prevent public certificates from being issued for internal services, as described in this previous article.  The primary SIP domain namespace remains mslync.net throughout all articles.

  • Physical Host: Windows Server 2008 R2 Hyper-V running on a Core2 Duo desktop-class system with 8GB RAM.
  • Domain Controller: A single Windows Server 2012 x64 Standard Edition guest promoted to a domain controller for the new Active Directory forest root domain of schertz.name.
  • Lync Server: A second virtual guest running Windows Server 2012 x64 Standard Edition and joined to the schertz.name domain.
  • The default domain administrator account used to perform all steps is a member of the Domain Admins, Enterprise Admins, and Schema Admins domain security groups.  (This is a lab convenience; in production Schema Admins membership is only needed for the schema preparation step and should be removed once that step is complete.)
  • The Forest and Domain functional levels were set to Windows Server 2012.
  • A Windows Enterprise Certificate Authority was deployed on the domain controller to provide SSL certificates for internal services. The CA configuration was updated to provide access to the Certificate Revocation List via HTTP, as explained in this article.

Server and Forest Preparation

Before installing any of the Lync Server components it is best to install the prerequisite components on the targeted server so that steps like Active Directory preparation are easily dealt with.

  • Mount the Windows Server 2012 installation media on the server to an available drive letter as some of the components to be installed will need to be read from the installation media as provided by the Source parameter in the following cmdlet (e.g. D:\sources\sxs).      

     

  • Launch Windows PowerShell by selecting ‘Run As Administrator’ and enter the following cmdlet to quickly install the .NET Framework package, the Remote Server Administrative Tools, and all additional prerequisites followed immediately by a required server reboot. (The Telnet Client is not a requirement but is helpful to have installed when troubleshooting any connectivity issues.)

Install-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Windows-Identity-Foundation, Desktop-Experience, Telnet-Client, BITS -Source D:\sources\sxs -Restart

image

  • After the server finishes rebooting disconnect the Windows Server media and mount the Lync Server 2013 installation media.     

     

  • Launch the Lync Server 2013 Deployment Wizard from the following path and then select Yes if prompted to install the Microsoft Visual C++ Runtime package.

D:\Setup\amd64\setup.exe

  • Confirm the default Installation Location or change the path to a different directory if desired.

C:\Program Files\Microsoft Lync Server 2013

  • At the main menu of the deployment wizard select Prepare Active Directory and then click Run on Step 1: Prepare Schema.

In an environment with a single domain controller there is no need to run the optional verification steps (Steps 2, 4 and 6), as they only confirm that the schema, forest and domain changes have replicated to the other domain controllers.  With multiple domain controllers run them, or wait for replication, before moving on to the next preparation step.

  • Select Run on Step 3: Prepare Current Forest and select the Local Domain as the Universal Group Location if desired.  If Lync is being installed into a multiple domain forest and the universal groups need to be stored in a domain other than the domain that the current server is a member of then enter the desired domain FQDN.      

     

  • Advance to Step 5: Prepare Current Domain to complete the Active Directory preparation steps.

To confirm some of the changes which were applied in these steps a few items can be spot checked.

  • Run adsiedit.msc and connect to the Schema container to view the properties of the following object.  Confirm that the rangeUpper attribute value is 1150 (incremented from 1100 in Lync Server 2010).

CN=ms-RTC-SIP-SchemaVersion,CN=Schema,CN=Configuration,DC=schertz,DC=name

image

  • Run dsa.msc to open Active Directory Users and Computers and then browse to the default Users container.  Look for a number of groups starting with ‘CS’ and ‘RTC’ in their names.  These groups were created during the Forest preparation step in the chosen domain.

image

  • Run adsiedit.msc and connect to the Configuration container and browse to the following path.  Notice that a number of empty containers have been created where some of the Topology configuration will be stored when later published.

CN=RTC Service,CN=Services,CN=Configuration,DC=schertz,DC=name

image
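The three spot checks above can also be scripted.  The following is an added verification script, not part of the original article, using the ActiveDirectory module that the RSAT-ADDS feature installed earlier.  It assumes the forest root is schertz.name and that the universal groups were placed in the local domain (the default chosen in Step 3).

```powershell
# Added verification script (not from the original article): spot-check the
# Prepare Active Directory results with the ActiveDirectory module (RSAT-ADDS).
# Assumes forest root schertz.name and universal groups in the local domain.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext          # CN=Schema,CN=Configuration,DC=schertz,DC=name
$configNC = $rootDse.configurationNamingContext   # CN=Configuration,DC=schertz,DC=name
$domainNC = $rootDse.defaultNamingContext         # DC=schertz,DC=name

# 1. Schema preparation: Lync Server 2013 sets rangeUpper on
#    ms-RTC-SIP-SchemaVersion to 1150 (Lync Server 2010 used 1100).
$schemaVer = Get-ADObject -Identity "CN=ms-RTC-SIP-SchemaVersion,$schemaNC" `
                          -Properties rangeUpper, rangeLower
if ($schemaVer.rangeUpper -eq 1150) {
    "Schema : rangeUpper=$($schemaVer.rangeUpper) rangeLower=$($schemaVer.rangeLower) (Lync Server 2013)"
} else {
    Write-Warning "Schema : rangeUpper=$($schemaVer.rangeUpper), expected 1150 for Lync Server 2013"
}

# 2. Forest preparation: the CS* and RTC* universal groups in the Users container.
$groups = Get-ADGroup -Filter 'Name -like "CS*" -or Name -like "RTC*"' `
                      -SearchBase "CN=Users,$domainNC" -SearchScope OneLevel
"Forest : $($groups.Count) CS*/RTC* groups found"
foreach ($g in 'CSAdministrator', 'RTCUniversalServerAdmins') {
    if ($groups.Name -notcontains $g) { Write-Warning "Forest : group $g is missing" }
}

# 3. Forest preparation also created the (still empty) RTC Service container tree
#    in the Configuration partition; list its immediate children.
Get-ADObject -SearchBase "CN=RTC Service,CN=Services,$configNC" -SearchScope OneLevel -Filter * |
    Select-Object Name, ObjectClass

# 4. Domain preparation grants the RTC* groups rights on the domain's containers;
#    the ACEs it added to the Users container are visible through Get-Acl.
(Get-Acl -Path "AD:\CN=Users,$domainNC").Access |
    Where-Object { $_.IdentityReference -like '*RTC*' } |
    Select-Object IdentityReference, ActiveDirectoryRights, AccessControlType
```

If the universal groups were placed in a different domain during Step 3, point the -SearchBase in the second check at that domain instead.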

Lync Server Preparation

This process will install the SQL Native Client and SQL Server Express components, as well as configure Windows Firewall exceptions for remote SQL connectivity. Most importantly it also deploys a SQL Express named instance, simply called RTC.  This instance will be the default location for the Central Management Store, which is where Lync stores the majority of the global (forest-wide) configuration data.  The RTC Service container shown above in the AD Configuration partition is still used to store some data, but mainly for coexistence with previous versions of OCS.

  • Return to the main menu of the deployment wizard and select Prepare First Standard Edition server.  It is normal for the installation to take a few minutes to complete during this step.

image

A quick glance at the Programs and Features control panel shows all of the components which were installed on the server once this process is completed.

image

The SQL Server Configuration Manager can be used to verify that the local SQL services are properly installed and running.

image

The newly installed SQL Server Express instance default database files can be found in the following location.

%ProgramFiles%\Microsoft SQL Server\MSSQL11.RTC\MSSQL

image

  • Before moving further the domain Administrator account used throughout this process should be added as a member of the domain security groups CsAdministrator and RTCUniversalServerAdmins.  CsAdministrator is the full administrative RBAC role used by the Lync Server Control Panel and Management Shell, while RTCUniversalServerAdmins is required to publish the topology and install the server components.

image

  • This user account should then log off and back on to the Windows Server where Lync is being installed so that the new group SIDs are added to its security token.  Once logged back on, use the following whoami commands in the Windows Command Prompt to verify the new group membership.

whoami /groups /fo list | findstr /i CsAdmin
whoami /groups /fo list | findstr /i RTC

image

The final preparation step is to manually create a file share on the server which will later be referenced during the Lync Server topology configuration.

  • Create a new folder anywhere on the server (e.g. lyncshare).  The following path was used in this lab deployment.

C:\LyncShare

  • Verify that the local Administrators group is already granted Full Control at the NTFS permission level and then share the folder.  Provide a name for the new share (e.g. lyncshare) and assign Full Control share permissions to the administrator account currently being used to perform the installation.  These permissions will be defined more granularly when the topology is published in a later step.

image
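The group membership and file share steps above can be performed from an elevated PowerShell prompt instead of the GUI.  This is an added example, not the article's own procedure; it assumes the installing account is SCHERTZ\Administrator and that the share is C:\LyncShare, the values used in this lab.

```powershell
# Added example (not from the original article): add the installing account to the
# two Lync administrative groups, then create the file store share. Assumes the
# account is SCHERTZ\Administrator and the share path is C:\LyncShare.
Import-Module ActiveDirectory

$admin     = 'Administrator'             # sAMAccountName of the installing account
$adminNt   = "$env:USERDOMAIN\$admin"    # e.g. SCHERTZ\Administrator
$sharePath = 'C:\LyncShare'
$shareName = 'lyncshare'

# 1. CsAdministrator (full RBAC role) and RTCUniversalServerAdmins (needed to
#    publish the topology and install server components).
foreach ($group in 'CsAdministrator', 'RTCUniversalServerAdmins') {
    $isMember = Get-ADGroupMember -Identity $group | Where-Object { $_.SamAccountName -eq $admin }
    if (-not $isMember) {
        Add-ADGroupMember -Identity $group -Members $admin
        "Added $admin to $group"
    }
}
# The new SIDs only appear in a fresh logon token. After logging off and back on,
# confirm them with:
#   whoami /groups /fo list | findstr /i "CsAdmin RTCUniversal"

# 2. File store: a folder created under C:\ inherits Full Control for BUILTIN\Administrators;
#    grant share-level Full Control only to the installing account. Publish-CsTopology
#    later adds the RTC* groups with the exact NTFS and share ACLs it needs.
if (-not (Test-Path $sharePath)) { New-Item -Path $sharePath -ItemType Directory | Out-Null }
(Get-Acl -Path $sharePath).Access |
    Where-Object { $_.IdentityReference -eq 'BUILTIN\Administrators' } |
    Select-Object IdentityReference, FileSystemRights, IsInherited

if (-not (Get-SmbShare -Name $shareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $shareName -Path $sharePath -FullAccess $adminNt | Out-Null
}
Get-SmbShareAccess -Name $shareName | Format-Table AccountName, AccessRight -AutoSize
```

Because New-SmbShare is given only the installing account with -FullAccess, the default Everyone/Read share permission is not created, which is the same end state the GUI steps above produce.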

Deployment and Administration Tools Installation

Now that the first Lync server in the environment has been fully prepared the next step is to install and run the Topology Builder tool.

  • Return to the main menu of the Lync Server 2013 Deployment Wizard and select the Install Administrative Tools option.  An installation window will briefly appear followed by a green check box next to the component name in the wizard, indicating the installation was complete.

To verify the installation is complete simply search the Windows Start Menu for “lync” to see the administrative tools.

image

Outside of the installation media Microsoft also provides a handful of great administrative and troubleshooting tools for Lync Server 2013, such as the Lync Server 2013 Debugging Tools and Resource Kit Tools packages.  It is recommended to download and install each of these packages on the server as they include some important tools used in other blog articles like OCSLogger, Snooper, or DBAnalyze.

If all of the above packages are installed into the default directory then the tools can be found and launched from their respective installation directories.

%ProgramFiles%\Microsoft Lync Server 2013

image

Additionally it can be helpful to have access to the SQL Express database management tools on the local server.  Normally this is not needed but can be used for following some of the validation steps throughout these articles.  (Download and install only the SQLManagementStudio_x64_ENU.exe package from the following Microsoft Download page.)

Topology Definition

This section covers creating a new Lync Topology in a new Active Directory forest and domain.

  • Launch the Lync Server 2013 Topology Builder application and select New Topology from the initial prompt.      

     

  • Save a new .tbxml file with any desired name (e.g. lynctopo.tbxml).
  • For the Primary SIP domain enter the desired domain namespace (e.g. mslync.net). 

Add any additional desired SIP domains at this point, but a single SIP domain is sufficient for most deployments as well as for this series of articles.

  • Select a Name for the first site to be created in the topology (e.g. Chicago) and enter a Description if desired.      

     

  • Specify the locality information associated with the first Lync site and then complete the wizard.

At this point the Define New Front End Pool wizard should be automatically launched.

  • On the Define Front End Pool FQDN page enter the Fully Qualified Domain Name (FQDN) of the Windows domain member server where the Lync Front End services will be hosted.  This would be the same server that all of the prerequisite components have been installed on.  Make sure that the server’s FQDN is correctly configured so that it matches exactly what is entered into the topology as this is how the later installation process identifies which components to install on the server.

image  image

  • Select Standard Edition Server and advance to the next page.

image

  • On the Select Features page choose the desired options for this installation.  To start only Conferencing and Enterprise Voice features will be selected, with additional components to be addressed in later articles.

image

  • Retain the default enabled setting of Collocate Mediation Server on the Select Collocated Server Roles page.      

     

  • On the Associate Server Roles with this Front End Pool page leave the option blank as an Edge Server does not yet exist.  This setting will be addressed when an Edge Server is deployed in a later article.
  • As this is a Standard Edition server there will be no configurable options on the Define the SQL Store page.  Take note of the automatically defined SQL Server store, which is comprised of the server’s FQDN (lync.schertz.name) followed by the previously installed SQL Express instance name (RTC).

image

  • On the Define a File Store page enter the name of the Windows file share created in the previous section (e.g. lyncshare).

image

  • On the Specify the Web Services URL page the External Base URL will automatically be set to the same FQDN as the internal Front End server (e.g. lync.schertz.name).  For the purposes of this article the default setting will be retained and in the future when external services are published this will be updated to reflect the external namespace.      

     

  • The next page, Select an Office Web Apps Server, is new to Lync Server 2013 and is used either to define a new OWAS pool FQDN or to associate this server with an existing OWAS pool.  As a later article will cover deploying OWAS, simply uncheck this option and then click Finish to complete the wizard.  (Note that until an Office Web Apps Server is deployed PowerPoint content sharing will be unavailable in Lync conferences, as this is no longer performed by the Front End server.)

image

Upon completion the Topology Builder window should refresh and the defined settings will be populated as shown.

image

  • Back at the main Topology Builder window select Edit Properties on the Lync Server root-level object.  Highlight the Simple URLs section and enter the desired Administrative Access URL (e.g. https://admin.mslync.net).  Technically this is an optional step as the administrative access URL is not required, but it is the recommended way to reach the Lync Server Control Panel from a web browser internally.

     

  • Move down to the Central Management Server section and select the new Front End server (e.g. lync.schertz.name) as the location to install the CMS component on.

image

The final process is to publish the changes made to the topology into the Central Management Server database which also updates information in the RTC services container in Active Directory and sets up the folder structure and permissions on the file share.

    • From the Action menu select Publish Topology.  The local server FQDN for the Central Management Store location should already be populated in the drop-down menu due to the previous step.  If all configuration steps were performed correctly then the wizard should complete without any errors or warnings.

image

As indicated by the To-Do List shown under Next Steps a couple of DNS records will need to be manually created to match the FQDN set in the Lync Server topology.

  • Create new DNS Host (A) records for the Simple URLs on the internal DNS server’s forward lookup zone which match the SIP domain used.  Each record should point to the static IP address used by the server where the Standard Edition roles will be deployed, thus the same IP address as the lync.schertz.name server is used for all records.

meet.mslync.net
dialin.mslync.net
admin.mslync.net

image
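Rather than typing the Simple URL hostnames by hand, the records can be derived from the published topology and created on the domain controller's DNS server with the DnsServer module.  This is an added example, not part of the original article.  It assumes the Lync Server Management Shell is installed on this server, that dc.schertz.name hosts an internal forward lookup zone for the SIP domain mslync.net, and that the Standard Edition server's static address is 192.168.1.50 (a lab value; substitute your own).

```powershell
# Added example (not from the original article): create the Simple URL A records
# from the published topology and verify they resolve. Assumes the Lync module is
# available, DNS server dc.schertz.name holds the mslync.net zone, and the Front
# End server's static IP is 192.168.1.50.
Import-Module Lync
Import-Module DnsServer    # RSAT DNS tools (Install-WindowsFeature RSAT-DNS-Server if missing)

$dnsServer = 'dc.schertz.name'
$feIp      = '192.168.1.50'

# Every Simple URL (meet, dialin, admin) currently active in the topology.
$fqdns = Get-CsSimpleUrlConfiguration |
    ForEach-Object { $_.SimpleUrl } |
    ForEach-Object { ([System.Uri]$_.ActiveUrl).Host } |
    Sort-Object -Unique

foreach ($fqdn in $fqdns) {
    # Assumes the host sits directly in the SIP-domain zone (meet.mslync.net -> zone mslync.net).
    $label, $zone = $fqdn -split '\.', 2
    $rec = Get-DnsServerResourceRecord -ComputerName $dnsServer -ZoneName $zone `
               -Name $label -RRType A -ErrorAction SilentlyContinue
    if ($rec) {
        "exists  $fqdn -> $($rec.RecordData.IPv4Address.IPAddressToString)"
    } else {
        Add-DnsServerResourceRecordA -ComputerName $dnsServer -ZoneName $zone `
            -Name $label -IPv4Address $feIp
        "created $fqdn -> $feIp"
    }
}

# Verify each name answers with the Front End server's address.
foreach ($fqdn in $fqdns) {
    $answer = Resolve-DnsName -Name $fqdn -Type A -Server $dnsServer -ErrorAction SilentlyContinue |
              Where-Object { $_.Type -eq 'A' }
    if ($answer -and ($answer.IPAddress -contains $feIp)) {
        "OK      $fqdn"
    } else {
        Write-Warning "$fqdn does not resolve to $feIp on $dnsServer"
    }
}
```

Existing records are reported rather than overwritten, so the script is safe to re-run after adding another SIP domain or changing a Simple URL in Topology Builder.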

To validate and understand the changes the Topology Builder has applied to Active Directory there are a number of places to look throughout the various results logs, within Active Directory, and the SQL databases themselves.

  • Use adsiedit.msc to connect to the Configuration context and browse to the path shown below and notice that the previously empty containers are now populated with child objects and attributes.

CN=RTC Service,CN=Services,CN=Configuration,DC=schertz,DC=name

image

  • The SQL Server Management Studio tool (if installed) can be used to connect to the RTC instance on the Lync Server to view the new xds and lis databases.

image

  • The raw database files can be found on the Lync Server in the default installation directory shown below.

image

  • Additionally the defined file share is now populated with the new folder structure and the required share permissions.

image

 

Install Lync Server System

The next step is to install a second SQL Express named instance called RTCLOCAL on the local server which will contain a replica of the existing RTC named instance.

Only the first Standard Edition server in the organization contains the authoritative RTC instance installed in the previous article; every other Lync Front End Server (and even Edge Server) hosts its own RTCLOCAL instance holding a read-only replica of the Central Management Store data.  This approach also provides redundancy and availability features which were lacking in previous versions of OCS.  The RTCLOCAL instance is always an automatically installed SQL Express instance; it is not supported to place this data in a full SQL Server instance on a Standard Edition server.

As the Administrative Tools have already been installed on the server, the Lync Server 2013 Deployment Wizard can now be found in the Start Menu on the local server.  The Lync Server installation media is no longer required as the installation files have been copied to the server in the following default directory.

%ProgramFiles%\Microsoft Lync Server 2013\Deployment

image

  • On the Windows Start Menu search for ‘Deploy’ to locate and launch the Lync Server 2013 Deployment Wizard.  From the main menu select Install or Update Lync Server System.      

     

  • On Step 1: Install Local Configuration Store select Run and leave the default setting of Retrieve the configuration data directly from the Central Management Store and complete the wizard.

image

Reviewing the results in the execution window should confirm that the second SQL Express instance of RtcLocal was installed as well as the core Lync Server components.

Checking prerequisite PowerShell…prerequisite satisfied.
Checking prerequisite WindowsIdentityFoundation…prerequisite satisfied.
Checking prerequisite SqlInstanceRtcLocal…installing…success
Checking prerequisite VCredist…prerequisite satisfied.
Checking prerequisite SqlNativeClient…prerequisite satisfied.
Checking prerequisite SqlClrTypes…prerequisite satisfied.
Checking prerequisite SqlSharedManagementObjects…prerequisite satisfied.
Checking prerequisite UcmaRedist…prerequisite satisfied.
Installing OcsCore.msi(Feature_LocalMgmtStore)…success

Secondly the local CMS replica was instantiated by importing the configuration from the existing CMS database and then replicating the database data itself.

Import-CsConfiguration -FileName “C:\Users\ADMINI~1.SCH\AppData\Local\Temp\2\CSConfigData-2013_03_16-08_10_01.zip” -Verbose -LocalStore

> Enable local replica service

Enable-CSReplica -Verbose -Confirm:$false -Report “C:\Users\administrator.SCHERTZ\AppData\Local\Temp\2\Enable-CSReplica-[2013_03_16][08_08_59].html”

An additional step performed here is new to Lync 2013: the automatic replication of certificates to the CMS.  No certificates have been installed yet in this deployment, but had one already existed this action would have replicated the OAuth certificate, which is shared by all Lync Server 2013 servers for server-to-server authentication.

> Replicate-CsCmsCertificates

Logging status to: C:\Users\administrator.SCHERTZ\AppData\Local\Temp\2\ReplicateCMSCertificates-[2013_03_16][08_08_59].html

To confirm the installation location of the RTCLOCAL database files on the server check the default SQL Server installation directory for the existence of the xds files.

%ProgramFiles%\Microsoft SQL Server\MSSQL11.RTCLOCAL\MSSQL\DATA

image

  • On the Lync Server 2013 Deployment Wizard advance to Step 2: Setup or Remove Lync Server Components and click Run to start the Set Up Lync server Components wizard.

Once again the Bootstrapper application will execute and perform a prerequisite check before installing additional components.  These include a third SQL Express instance called LyncLocal, the Windows Speech platform runtime and its text-to-speech language packs.

Checking prerequisite SqlSharedManagementObjects…prerequisite satisfied.
Checking prerequisite UcmaRedist…prerequisite satisfied.
Checking prerequisite WinFab…installing…success
Checking prerequisite MicrosoftIdentityExtensions…installing…success
Checking prerequisite SqlInstanceLyncLocal…installing…success
Checking prerequisite SqlInstanceRtc…prerequisite satisfied.
Checking prerequisite RewriteModule…installing…success
Checking prerequisite SpeechPlatformRuntime…installing…success
Checking prerequisite MSSpeech_TTS_ca-ES_Herena…installing…success
Checking prerequisite MSSpeech_TTS_da-DK_Helle…installing…success

Immediately following will be the installation of the Lync server components which make up the different services and roles on the Front End server (e.g. AVMCU, Mediation Server).

Installing OcsMcu.msi(OcsMCUCommon, ASMCU, AVMCU, IMMCU)…success
Installing AppServer.msi(Feature_AppServer)…success
Installing Ats.msi(Feature_Ats)…success
Installing CPS.msi(Feature_CPS)…success
Installing DataMcu.msi(Feature_DataMCU)…success

During the WebComponents installation a number of features will be installed which are the different virtual web directories and application pools in IIS.

Installing WebComponents.msi(Feature_Web_Common, Feature_Web_External, Feature_Web_GroupExpansion_Ext, Feature_Web_HybridConfig_Ext, Feature_Web_Internal, Feature_Web_JoinLauncher_Ext, Feature_Web_JoinLauncher_Int, Feature_Web_LocationInfo_Int, Feature_Web_Lwa_Ext, Feature_Web_Lwa_Int, Feature_Web_Mcx_Ext, Feature_Web_Mcx_Int,

To confirm the installation and configuration of the various web services launch Internet Information Services Manager (inetmgr.exe) and browse to the Sites folder to see the status of the two new web sites.

image

Then select the Application Pools object to view the various Lync web services which were installed for both the internal and external web sites.

image

Also check the installed services by running the Services control panel applet (services.msc).  They will not yet be running as server certificates must be imported first, which is the next step in the deployment.

image

To review exactly what SQL instances were installed and their roles the Microsoft SQL Server Management Studio (if installed as covered in the previous article) can be used to view each instance and database.

image

Instance    Database   Description
RTC         lis        Location Information Services data
RTC         xds        Central Management Store data
RTCLOCAL    rtc        Standard Edition Pool data
RTCLOCAL    rtcdyn     Standard Edition transient user data
RTCLOCAL    xds        Local replica of Central Management Store data
LYNCLOCAL   lyss       Lync Storage Service data
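Without SQL Server Management Studio, the same instances and the state of the CMS replica can be checked from the Lync Server Management Shell.  This is an added example, not part of the original article; it assumes the default SQL Server 2012 Express data paths shown above and that the Management Shell is installed on this server.

```powershell
# Added example (not from the original article): confirm the three SQL Express
# instances are installed and running, list the database files each holds, and
# show the Central Management Store connection and replica state. Assumes the
# default SQL Server 2012 Express paths and the Lync module on this server.
Import-Module Lync

foreach ($inst in 'RTC', 'RTCLOCAL', 'LYNCLOCAL') {
    # Named instances register a Windows service called MSSQL$<INSTANCE>.
    $svc = Get-Service -Name "MSSQL`$$inst" -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Warning "$inst : instance not installed"; continue }
    "$inst : $($svc.Status)"

    # Data files default to MSSQL11.<INSTANCE>\MSSQL\DATA (11 = SQL Server 2012).
    $dataDir = Join-Path $env:ProgramFiles "Microsoft SQL Server\MSSQL11.$inst\MSSQL\DATA"
    Get-ChildItem -Path $dataDir -Filter '*.mdf' -ErrorAction SilentlyContinue |
        ForEach-Object { "    {0,-14} {1,8:N1} MB" -f $_.Name, ($_.Length / 1MB) }
}

# Where the CMS master lives (lync.schertz.name\rtc on this Standard Edition server)
# and whether each replica has caught up. UpToDate can still read False at this
# point because the Lync Server Replica Replicator Agent service has not been
# started yet; it is started with the other services in Step 4.
Get-CsManagementConnection
Get-CsManagementStoreReplicationStatus |
    Format-Table ReplicaFqdn, UpToDate, LastStatusReport, LastUpdateCreation -AutoSize
```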

Returning to the server deployment process the next step is to request and assign server certificates so that the Lync services can be started.

  • Run Step 3: Request, Install or Assign Certificates and then expand the Default Certificate entry to verify that all roles are checked.  Click Request to start the Certificate Request wizard and enter the information listed in the following tables.

Delayed or Immediate Requests

  • Send the request immediately to an online certificate authority

Choose a certificate Authority

  • Select from a list detected in your environment: DC.schertz.name\schertz-RootCA

Certificate Authority Account

Skipped as the current Administrator account has sufficient permissions to perform this action.


Specify Alternate Certificate Template

Skipped as the Windows CA certificate template of ‘Web Server’ will be used by default.


Name and Security Settings

Friendly Name Lync Front End Cert
Bit Length 2048
  • Mark the certificate’s private key as exportable

This option is only required when the certificate and its private key must be copied to another server.  On a single Standard Edition server it is a backup convenience, and an exportable key is easier for anyone holding local administrator rights to extract, so leave it unchecked if that is a concern.

Organization Information

Organization Schertz Lab
Organizational Unit Home

Geographical Information

Country/Region United States
State/Province Illinois
City/Locality Chicago

Subject Name / Subject Alternate Names

The following names will be automatically populated for the subject name and subject alternative name.

Subject Name lync.schertz.name
Subject Alternative Name:
lync.schertz.name
dialin.mslync.net
meet.mslync.net
admin.mslync.net
Lyncdiscoverinternal.mslync.net
Lyncdiscover.mslync.net

SIP Domain setting on Subject Alternate Names (SANs)

Configured SIP Domains mslync.net (checked)

Checking a SIP domain here adds sip.mslync.net to the SAN list.  That is the name clients are directed to by the _sipinternaltls SRV record during automatic sign-in, and it is the reason the resulting Request-CsCertificate command and the issued certificate both contain sip.mslync.net even though the wizard did not list it on the previous page.

Configure Additional Subject Alternate Names

Skipped as no additional SIP domains are configured in the topology so there are none to add to the certificate request.

Completing the process will execute the Request-CsCertificate cmdlet with the provided configuration information, performing an online certificate request against the CA and then automatically importing the issued certificate into the Local Computer store.  (The following results were snipped down to just the important items.)

> Request Certificate

Request-CSCertificate -New -Type Default,WebServicesInternal,WebServicesExternal -CA “DC.schertz.name\schertz-RootCA” -Country US -State “Illinois” -City “Chicago” -FriendlyName “Lync Front End Cert” -KeySize 2048 -PrivateKeyExportable $True -Organization “Schertz Lab” -OU “Home” -DomainName “sip.mslync.net” -AllSipDomain -Verbose -Report

Create a certificate request based on Lync Server configuration for this computer.
Issued thumbprint “C6D87D6224A91E103734C582034E7FBE22F46A4A” for use “Default,WebServicesInternal,WebServicesExternal” by “DC.schertz.name\schertz-RootCA”.
No changes were made to the Central Management Store.

“Request-CSCertificate” processing has completed successfully.

  • In the next window verify that Assign this certificate to Lync Server certificate usages is selected and then click Finish  to launch the Certificate Assignment wizard next.      

     

  • Complete the wizard which automatically runs the Set-CsCertificate cmdlet to assign the desired certificate to the three server usages.

> Assign Certificate

Set-CSCertificate -Type Default,WebServicesInternal,WebServicesExternal -Thumbprint C6D87D6224A91E103734C582034E7FBE22F46A4A -Confirm:$false -Report

The following certificate was assigned for the type “Default”:
Default: C6D87D6224A91E103734C582034E7FBE22F46A4A lync.schertz.name 03/16/2015 CN=schertz-RootCA, DC=schertz, DC=name 5A0000000313D2DB08C6C90DCE000000000003

The following certificate was assigned for the type “WebServicesInternal”:
WebServicesInternal: C6D87D6224A91E103734C582034E7FBE22F46A4A lync.schertz.name 03/16/2015 CN=schertz-RootCA, DC=schertz, DC=name 5A0000000313D2DB08C6C90DCE000000000003

The following certificate was assigned for the type “WebServicesExternal”:
WebServicesExternal: C6D87D6224A91E103734C582034E7FBE22F46A4A lync.schertz.name 03/16/2015 CN=schertz-RootCA, DC=schertz, DC=name 5A0000000313D2DB08C6C90DCE000000000003

At this point the main Certificate Wizard window should reflect the new status by adding a green check mark to the Default certificate and its usages.

image

Since this is the first Lync 2013 server in the topology an additional shared certificate must be created for server-to-server authentication, which in Lync Server 2013 is based on the OAuth 2.0 authorization protocol.  Lync uses this certificate to sign and validate the tokens exchanged with other Lync 2013 servers and with other Office 2013 products that support the same mechanism, such as Exchange Server 2013 and Office Web Apps Server.

  • On the main Certificate Wizard window expand and highlight the OAuthTokenIssuer entry and click Request to start the Certificate Request wizard and enter the information listed in the following tables.

Delayed or Immediate Requests

  • Send the request immediately to an online certificate authority

Choose a certificate Authority

  • Select from a list detected in your environment: DC.schertz.name\schertz-RootCA

Certificate Authority Account

Skipped as the current Administrator account has sufficient permissions to perform this action.


Specify Alternate Certificate Template

Skipped as the Windows CA certificate template of ‘Web Server’ will be used by default.


Name and Security Settings

Friendly Name Lync OAuth Cert
Bit Length 2048

Organization Information

Organization Schertz Lab
Organizational Unit Home

Geographical Information

Country/Region United States
State/Province Illinois
City/Locality Chicago

Subject Name / Subject Alternate Names

The following names will be automatically populated for the subject name and subject alternative name.

Subject Name lync.schertz.name
Subject Alternative Name <blank>

Configure Additional Subject Alternate Names

Skipped, as the OAuth certificate is used only for signing and validating tokens and therefore needs no subject alternative names.

Completing the process will execute the Request-CsCertificate cmdlet with the provided configuration information, performing an online certificate request against the CA and then automatically importing the issued certificate into the Local Computer store.  (The following results were snipped down to just the important items.)

> Request Certificate

Request-CSCertificate -New -Type OAuthTokenIssuer -CA “DC.schertz.name\schertz-RootCA” -Country US -State “Illinois” -City “Chicago” -FriendlyName “Lync OAuth Cert” -KeySize 2048 -PrivateKeyExportable $True -Organization “Schertz Lab” -OU “Home” -AllSipDomain -Verbose -Report

Create a certificate request based on Lync Server configuration for this computer.
Issued thumbprint “2A55DA39DD43DAEB2AC2510AFB61EE21103ADCDB” for use “OAuthTokenIssuer” by “DC.schertz.name\schertz-RootCA”.
No changes were made to the Central Management Store.

“Request-CSCertificate” processing has completed successfully.

  • In the next window verify that Assign this certificate to Lync Server certificate usages is selected and then click Finish to launch the Certificate Assignment wizard.      

     

  • Complete the wizard which automatically runs the Set-CsCertificate cmdlet to assign the desired certificate to the OAuth usage.

> Assign Certificate

Set-CSCertificate -Identity Global -Type OAuthTokenIssuer -Thumbprint 2A55DA39DD43DAEB2AC2510AFB61EE21AA6ADCDB -Confirm:$false -Report

The following certificate was assigned for the type “OAuthTokenIssuer”:
OAuthTokenIssuer: 2A55DA39DD43DAEB2AC2510AFB61EE21AA6ADCDB mslync.net 03/16/2015 CN=schertz-RootCA, DC=schertz, DC=name 5A00000004B92C660018992201000000000004

> Export Global Configuration Store

Export-CSConfiguration -FileName “C:\Users\ADMINI~1.SCH\AppData\Local\Temp\2\CSConfigData-2013_03_16-13_27_15.zip”

> Import Local Configuration Store

Import-CSConfiguration -LocalStore -FileName “C:\Users\ADMINI~1.SCH\AppData\Local\Temp\2\CSConfigData-2013_03_16-13_27_15.zip”

> Replicate-CsCmsCertificates

 

The main difference between the two certificate requests is that the creation of the OAuth certificate also triggers a database replication task as this certificate is automatically replicated to all Lync Servers in the topology.

To review the new certificates on the server use either the Certificates snap-in available in the Microsoft Management Console (mmc.exe) or IIS Manager (inetmgr.exe).  In IIS Manager for example highlight the server object in the Connections window and then open Server Certificates in the IIS section to view the two Lync server certificates.

image

View each certificate file to see the configured parameters and compare the Subject Name and SAN fields (the OAuth certificate will not include any SAN entries).

image     image

  • Returning to the Lync Server 2013 Deployment Wizard move on to Step 4: Start Services and click Run to trigger an automatic start of all Lync services.  This process may take a few minutes because service dependencies force the services to be started in a specific order rather than all at once.

> Start Services

Start-CSWindowsService -NoWait -Verbose -Report

Start services for the Lync Server computer “lync.schertz.name”.       

“Start-CSWindowsService” processing has completed successfully.       

To verify that all services have started successfully click Run on the Service Status (Optional) step to launch the Services control panel applet.  Depending on how soon after the previous step this is performed one or more of the services may still be in a stopped or starting state.  (Note that the Lync Server Audio Test Service will typically not be running as this service will routinely start and stop itself.)


If the Lync Server Front-End service (or any other prerequisite service) is still reported as starting then check the server CPU in Task Manager as it may still be fully tasked with all of the first-time processes performed after a fresh server installation.


DNS Configuration

Because this deployment uses a Standard Edition server, the required server host record (e.g. lync.schertz.name) already exists in the form of the Dynamic DNS record created by the server when it was joined to the domain.  A number of additional DNS records, however, need to be created manually to match the various Autodiscover and Simple URLs which were defined in the topology in the previous article.

  • Review the Subject Alternative Name field on the Default certificate which was just assigned to the Front End server as it will contain all of the FQDNs which need to be represented in the appropriate internal DNS forward lookup zones.

DNS Name=sip.mslync.net
DNS Name=lync.schertz.name
DNS Name=dialin.mslync.net
DNS Name=meet.mslync.net
DNS Name=admin.mslync.net
DNS Name=LyncdiscoverInternal.mslync.net
DNS Name=Lyncdiscover.mslync.net

As mentioned the server FQDN is already automatically defined in the proper DNS zone so that entry can be ignored (e.g. lync.schertz.name).  The Simple URLs (dialin, meet, admin) were manually created in the previous article after publishing the topology so all that remains to be created are the Automatic Client Sign-In and Autodiscover records.

It is important to understand the difference between the legacy Automatic Client Sign-In process and the newer Lync Autodiscover approach, as these are two completely different solutions.

In the legacy scenario OCS 2007 and Lync 2010 clients locate their SIP registrar directly by looking for one or more predefined hostnames (e.g. sip.<sipdomain>).  In the newer Autodiscover scenario Lync 2013 clients are programmed to first look for a different set of predefined hostnames (e.g. lyncdiscover.<sipdomain>).  These names instead direct the client to a web service, which in turn responds to the client with the appropriate SIP registrar URL.  So in the first case the clients attempt to locate a SIP registrar directly, whereas in the second and more flexible solution they attempt to locate a service which will tell them where to find their SIP registrar.  This advancement in Lync provides additional flexibility not previously available, most notably the ability to support distributed Access Edge registrations in enterprise networks with multiple Edge pools.

Legacy Automatic Client Sign-In

This section is only required if any legacy clients will be used with the environment (e.g. Lync 2010).  All Lync 2013 clients will leverage the newer Autodiscover process, although some 2013 clients still support this legacy mode as a fall-back.

  • Using DNS Manager create a new Host (A) record in the DNS zone which matches the SIP domain namespace (e.g. sip.mslync.net) using the same IP address as the Lync Front End server.


  • Create a new Service Location (SRV) record in the same zone (e.g. _sipinternaltls._tcp.mslync.net) and define the Port number as 5061 and the Host offering this service as the previously created host record (e.g. sip.mslync.net)


To verify the new DNS record configuration run the following command from the Windows Command Prompt.

C:\>nslookup -q=srv _sipinternaltls._tcp.mslync.net       

_sipinternaltls._tcp.mslync.net SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   = sip.mslync.net
sip.mslync.net  internet address = 192.168.1.33

Lync Autodiscover

Either a Host (A) or an Alias (CNAME) record can be used for the Autodiscover records.  But some Lync clients (primarily the mobility clients) do not support a CNAME record which points to a Host record in a different domain namespace, so in the topology used in this series of articles it would be poor practice to create an alias in the SIP domain namespace (e.g. lyncdiscoverinternal.mslync.net) which then pointed to the server’s FQDN (e.g. lync.schertz.name) in another namespace.

Thus two configuration possibilities are available: either use a Host record with the server’s IP address, or create an Alias record pointing to a Host record in the same namespace (e.g. sip.mslync.net).  In an Enterprise Edition deployment this Lyncdiscoverinternal record would typically be an alias pointing to the Internal Web Service FQDN (e.g. lyncweb.<sipdomain>), but as this is a Standard Edition server the internal web service FQDN is the same as the server’s FQDN (e.g. lync.schertz.name), so the simplest configuration is to just create a host record here.

Only the Lyncdiscoverinternal entry should be created on internal DNS zones as Lyncdiscover is used by external clients and thus should be reserved for external DNS zones which will be addressed in a later article.

  • Create a new Host (A) record in the DNS zone which matches the SIP domain namespace (e.g. lyncdiscoverinternal.mslync.net) using the same IP address as the Lync Front End server.

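The same record creation and verification steps, scripted as an added example that is not part of the original article: it creates the legacy sign-in and Autodiscover records with the Windows Server 2012 DnsServer module, then reads the SAN list from the Default certificate and checks that each internal name resolves to the Front End.  The zone name, DNS server name and Front End IP address are assumptions matching this lab; the script is run from the Lync Server Management Shell on the Front End so that Get-CsCertificate is available.

```powershell
# Added example, not code from the original article. Assumed lab values:
$SipDomain  = 'mslync.net'          # zone hosting the SIP domain namespace
$DnsServer  = 'dc.schertz.name'     # hypothetical DC/DNS server name
$FrontEndIp = '192.168.1.33'        # Front End address shown in the nslookup output

# Legacy Automatic Client Sign-In records (only needed for Lync 2010 clients):
# sip.<sipdomain> host record plus the _sipinternaltls._tcp SRV record on 5061.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $SipDomain `
    -Name 'sip' -IPv4Address $FrontEndIp
Add-DnsServerResourceRecord -Srv -ComputerName $DnsServer -ZoneName $SipDomain `
    -Name '_sipinternaltls._tcp' -DomainName "sip.$SipDomain" `
    -Priority 0 -Weight 0 -Port 5061

# Lync 2013 Autodiscover record. A Host record is used rather than a CNAME so
# mobility clients are never sent to an alias in a different namespace.
Add-DnsServerResourceRecordA -ComputerName $DnsServer -ZoneName $SipDomain `
    -Name 'lyncdiscoverinternal' -IPv4Address $FrontEndIp

# Pull the SAN entries from the Default certificate assigned to the Front End.
$thumb   = (Get-CsCertificate -Type Default).Thumbprint
$cert    = Get-Item "Cert:\LocalMachine\My\$thumb"
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$sanNames = $sanExt.Format($true) -split "`r?`n" |
    ForEach-Object { if ($_ -match 'DNS Name=(\S+)') { $Matches[1] } }

# Every SAN name except Lyncdiscover (reserved for external DNS) should resolve
# internally to the Front End address; report any that do not.
foreach ($name in $sanNames) {
    if ($name -ieq "lyncdiscover.$SipDomain") { continue }
    $answer = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    $ip = @($answer | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    if ($ip -contains $FrontEndIp) { "OK      $name -> $($ip -join ',')" }
    else                           { "MISSING $name (resolved to '$($ip -join ',')')" }
}

# Confirm the SRV record targets sip.<sipdomain> on 5061, as nslookup showed above.
$srv = Resolve-DnsName -Name "_sipinternaltls._tcp.$SipDomain" -Type SRV |
    Where-Object { $_.Type -eq 'SRV' }
"SRV     $($srv.NameTarget):$($srv.Port) priority=$($srv.Priority) weight=$($srv.Weight)"
```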
