Chris Madge


Installing and Fixing Lync Mobility

If your users are anything like my users, the release of the Lync client for mobile devices had them very excited and the pressure was on to “make it work”.

Unfortunately there are a significant number of ‘gotchas’, and with our roll-out we seemed to hit them all.

Here are the steps we took, the problems we ran into and how we fixed them.

1. The first step in deploying Lync Mobility is to install the CU4 update.

Before you install the updates, make sure you have a backup or a snapshot of the server. The last thing you want to do is rebuild your Front End server.

Once you have your backup/snapshot:

a. Install the “Dynamic Content Compression” feature of the IIS role in Server Manager (the Mobility Service depends on it).

b. Next, stop the Lync services before installation. In the Lync Server Management Shell, run: Stop-CsWindowsService

c. From an elevated command prompt, stop IIS: net stop w3svc

d. Run the CU4 updates, available here: http://www.microsoft.com/download/en/details.aspx?id=11551

e. Once the CU4 updates are installed, reboot the Front End server.

2. Create your DNS records.

On your internal DNS server:

a. Create a CNAME record for your Front End server. The record should be “lyncdiscoverinternal.internaldomain.com” and point to the FQDN of your Front End server, e.g. “frontend.internaldomain.com”.

b. Create a public A record for your reverse proxy.

N.B. The assumption here is that you have already published your Web Components through a reverse proxy. If you have not created a reverse proxy with TMG, this is a prerequisite. For documentation on how to set up the reverse proxy I recommend Daryl Hunter’s blog; he does a really good job of going step by step: http://www.darylhunter.me/blog/2011/11/lync-2010-reverse-proxy-part-1.html

The A record should be “lyncdiscover” in your public zone, pointing to the external IP address of your TMG proxy (the listener the Web Components rule uses), e.g. lyncdiscover.publicdomain.com pointing to 212.111.111.101.

3. Install the Autodiscover/Mobility update

a. Stop the Lync services again via the Lync Server Management Shell: Stop-CsWindowsService

b. Stop the web server: net stop w3svc

c. Download the update from http://www.microsoft.com/download/en/details.aspx?id=28356 and install it.

Adam Jacobs on his blog (link) recommends installing it this way:

First copy McxStandalone.msi to C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup, then run C:\Program Files\Microsoft Lync Server 2010\Deployment\Bootstrapper.exe.

However, simply double-clicking the MSI worked for me.

d. Reboot the Front End server.

4. PowerShell commands

We need to run some PowerShell commands in the Lync Server Management Shell:

The first one sets the Mobility Service (Mcx) SIP listening port on the internal side (use the web server Identity that Get-CsService -WebServer reports for your Front End or pool): Set-CsWebServer -Identity frontend.internaldomain.com -McxSipPrimaryListeningPort 5086

The next command is for the external side: Set-CsWebServer -Identity frontend.internaldomain.com -McxSipExternalListeningPort 5087

Then publish the change to the topology: Enable-CsTopology -Verbose

This next set of commands enables push notifications (Apple and Windows Phone). The notifications come from the Lync Online push service to your Edge Server over federation, so federation must be enabled on the Edge (Set-CsAccessEdgeConfiguration -AllowFederatedUsers $True) for this to work. Note that Set-CsPushNotificationConfiguration on its own changes nothing; both services are off until you enable them:

Set-CsPushNotificationConfiguration -EnableApplePushNotificationService $True -EnableMicrosoftPushNotificationService $True

New-CsHostingProvider -Identity "LyncOnline" -Enabled $True -ProxyFqdn "sipfed.online.lync.com" -VerificationLevel UseSourceVerification

New-CsAllowedDomain -Identity "push.lync.com"

You can check the result with Test-CsMcxPushNotification -AccessEdgeFqdn <Edge FQDN>.

The last PowerShell command updates the databases (I totally forgot about this step; thanks to @itommyclarke for reminding me).

If you are running Standard Edition, run: Install-CsDatabase -Update -LocalDatabases

If your Enterprise Edition SQL back end is on another server: Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SQL Server FQDN>

Lastly, if you have the Monitoring and Archiving databases collocated on the same SQL server as your other databases, run:

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn <SQL Server FQDN> -ExcludeCollocatedStores

5. File Edits

This is SUPER important.

a. We will start with the applicationHost.config file, found in C:\Windows\System32\inetsrv\config. These steps I took from Microsoft (link):

  • Take a backup copy of C:\Windows\System32\inetsrv\config\applicationHost.config, then open it with a text editor such as Notepad.
  • Search for the following:
    <add name="CSExtMcxAppPool"
  • At the end of that line, before the closing angle bracket (>), add:
    CLRConfigFile="C:\Program Files\Microsoft Lync Server 2010\Web Components\Mcx\Ext\Aspnet_mcx.config"
  • Search for the following:
    <add name="CSIntMcxAppPool"
  • At the end of that line, before the closing angle bracket (>), add:
    CLRConfigFile="C:\Program Files\Microsoft Lync Server 2010\Web Components\Mcx\Int\Aspnet_mcx.config"

b. The next two files we need to check are the web.config files of the External and Internal websites. Start with:

C:\Program Files\Microsoft Lync Server 2010\Web Components\External Website\web.config (open with Notepad)

Add the following rules inside the <rewrite><rules> section, just before the closing </rules> tag (a <rule> placed outside <rules> is a configuration error and IIS will refuse to serve the site):

<rule name="autodiscover rule 1" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll">
        <add input="{HTTP_HOST}" pattern=".*lyncdiscover.*" />
        <add input="{REQUEST_URI}" pattern="Autodiscover/AutodiscoverService.svc/root" negate="true" />
    </conditions>
    <action type="Rewrite" url="Autodiscover/AutodiscoverService.svc/root" />
</rule>

<rule name="Client access policy Rule" enabled="true" stopProcessing="true">
    <match url="clientaccesspolicy.xml" />
    <action type="Rewrite" url="meet/clientaccesspolicy.aspx" />
</rule>

Make sure that you do not end up with two “Client access policy Rule” rules in the file (it may already contain one). Duplicate names in the rules collection are a configuration error, and the whole site, the Autodiscover service included, starts returning Internal Server Errors.

The next file is for the internal site: C:\Program Files\Microsoft Lync Server 2010\Web Components\Internal Website\web.config

The rules go in exactly the same place, except that the host pattern matches lyncdiscoverinternal:

<rule name="autodiscover rule 1" enabled="true" stopProcessing="true">
    <match url="(.*)" />
    <conditions logicalGrouping="MatchAll">
        <add input="{HTTP_HOST}" pattern=".*lyncdiscoverinternal.*" />
        <add input="{REQUEST_URI}" pattern="Autodiscover/AutodiscoverService.svc/root" negate="true" />
    </conditions>
    <action type="Rewrite" url="Autodiscover/AutodiscoverService.svc/root" />
</rule>

<rule name="Client access policy Rule" enabled="true" stopProcessing="true">
    <match url="clientaccesspolicy.xml" />
    <action type="Rewrite" url="meet/clientaccesspolicy.aspx" />
</rule>

Again, make sure that you don’t have two <rule name="Client access policy Rule" …> rules.

If you don’t have these lines in your web.config files it can cause some big problems. I chased .NET errors for a good week before I figured out what the problem was.
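The edits above are easy to get subtly wrong (a rule pasted outside <rules>, a second Client access policy Rule, a typo in a CLRConfigFile path), and the only symptom is a 500 from IIS. The following PowerShell script is an added example, not part of the original post or of Lync Server: run it on the Front End from an elevated, 64-bit PowerShell after making the edits and before starting the services again. It assumes the default install paths used above; the -LyncRoot and -AppHost parameters are mine, for overriding them.

```powershell
# Added verification script for the step 5 file edits (not from the original post).
# Run from 64-bit PowerShell: a 32-bit process is redirected away from System32.
param(
    [string]$LyncRoot = 'C:\Program Files\Microsoft Lync Server 2010\Web Components',
    [string]$AppHost  = 'C:\Windows\System32\inetsrv\config\applicationHost.config'
)

# Checks the URL Rewrite rules of one web.config: exactly one
# "Client access policy Rule", and an autodiscover rule for the expected host.
function Test-RewriteRules {
    param([string]$WebConfig, [string]$HostPattern)
    if (-not (Test-Path $WebConfig)) { return "MISSING  $WebConfig" }
    [xml]$cfg = Get-Content -Path $WebConfig
    $rules    = @($cfg.SelectNodes('/configuration/system.webServer/rewrite/rules/rule'))
    $findings = @()

    # Gotcha from the post: a duplicate rule name is a configuration error and
    # the whole site, Autodiscover included, starts answering HTTP 500.
    $cap = @($rules | Where-Object { $_.GetAttribute('name') -eq 'Client access policy Rule' })
    if ($cap.Count -ne 1) { $findings += "found $($cap.Count) 'Client access policy Rule' rules, expected 1" }

    # The autodiscover rule must rewrite to .../root and match the right host
    # (lyncdiscover on the external site, lyncdiscoverinternal on the internal one).
    $auto = @($rules | Where-Object {
        $a = $_.SelectSingleNode('action')
        $a -and $a.GetAttribute('type') -eq 'Rewrite' -and
        $a.GetAttribute('url') -eq 'Autodiscover/AutodiscoverService.svc/root' })
    $hostOk = @($auto | ForEach-Object { $_.SelectNodes('conditions/add') } | Where-Object {
        $_.GetAttribute('input') -eq '{HTTP_HOST}' -and $_.GetAttribute('pattern') -eq ".*$HostPattern.*" })
    if ($hostOk.Count -eq 0) { $findings += "no Rewrite rule with {HTTP_HOST} pattern .*$HostPattern.*" }

    if ($findings.Count -eq 0) { "OK       $WebConfig" }
    else { "FAIL     $WebConfig : $($findings -join '; ')" }
}

# Checks that both Mcx app pools in applicationHost.config carry the
# CLRConfigFile attribute and that the file it names actually exists.
function Test-McxAppPools {
    param([string]$AppHostConfig, [string]$WebRoot)
    if (-not (Test-Path $AppHostConfig)) { return "MISSING  $AppHostConfig" }
    [xml]$ah = Get-Content -Path $AppHostConfig
    $expected = @{
        'CSExtMcxAppPool' = Join-Path $WebRoot 'Mcx\Ext\Aspnet_mcx.config'
        'CSIntMcxAppPool' = Join-Path $WebRoot 'Mcx\Int\Aspnet_mcx.config'
    }
    foreach ($pool in $expected.Keys) {
        $node = $ah.SelectSingleNode("/configuration/system.applicationHost/applicationPools/add[@name='$pool']")
        if (-not $node) { "MISSING  app pool $pool (Mobility update not installed?)"; continue }
        $clr = $node.GetAttribute('CLRConfigFile')
        if ($clr -ne $expected[$pool]) { "FAIL     $pool CLRConfigFile='$clr', expected '$($expected[$pool])'"; continue }
        if (-not (Test-Path $clr)) { "FAIL     $pool CLRConfigFile points at a file that does not exist"; continue }
        "OK       $pool"
    }
}

Test-RewriteRules -WebConfig (Join-Path $LyncRoot 'External Website\web.config') -HostPattern 'lyncdiscover'
Test-RewriteRules -WebConfig (Join-Path $LyncRoot 'Internal Website\web.config') -HostPattern 'lyncdiscoverinternal'
Test-McxAppPools  -AppHostConfig $AppHost -WebRoot $LyncRoot
```

Every line that does not start with OK is something to fix before you run net start w3svc and Start-CsWindowsService; the script only reads the files, so it is safe to re-run after each correction.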


6. Certificates

We will start with the internal certificates.

On your FE server, run the Lync Server Deployment Wizard again.

Choose “Install or Update Lync Server System”.

Run “Request, Install or Assign Certificates”.

Request new certificates from your internal CA (ensure that all three certificates are selected).

The Mobility and CU4 updates add the new names (lyncdiscoverinternal and lyncdiscover) to the Subject Alternative Names (SANs) the wizard requests, so a fresh request picks them up automatically; check the SAN list on the summary page before you submit the request.

Assign the certificates.

The external certificates

Microsoft does not support wildcard certificates for UC purposes. We had a wildcard certificate on our TMG front end prior to the CU4 updates and it worked fine. However, with the Mobility updates it did not work. You will need a UCC (multi-SAN) certificate from your public certificate vendor. Because the TMG listener presents one certificate for every name it publishes, the SANs on it have to cover all of them:

  • meet.publicdomain.com
  • dialin.publicdomain.com
  • lyncdiscover.publicdomain.com
  • the external Web Services FQDN your existing reverse proxy rule already publishes (Address Book lives there, and so does the mobile client traffic once autodiscover has handed it off)

7. The Firewall Rules

We will need to create a new firewall rule for the Lync Discover service. On your TMG firewall, create a Web Site Publishing Rule:

a. Create a new rule. It is an Allow rule.

b. Publish a single web site.

c. Use SSL to connect to the published web server.

d. Enter the name of your Lync Front End server as the internal site name.

e. Set the path to /* and tick “Forward the original host header” (the rewrite rule in step 5 keys on the lyncdiscover host name, so it must reach the Front End unchanged).

f. Public name: the public DNS name of the autodiscover service, lyncdiscover.publicdomain.com.

g. Use the same web listener you are using for your other Web Components (Meet, Dialin and Address Book).

h. Set authentication delegation to “No delegation, but client may authenticate directly”.

i. Complete the rule with the default settings.

Once the rule is created, go back and edit it:

j. On the Bridging tab, redirect requests to HTTP port 8080 and SSL port 4443 (the Front End’s external web services ports).

k. Click on the Listener tab and choose Properties to edit the listener. On the Certificates tab, replace the certificate with the new public certificate you obtained in step 6.
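Once DNS, the rewrite rules, the certificates and the TMG rule are all in place, it is worth probing the whole chain from a client’s point of view before handing it to users. The following PowerShell script is an added example, not from the original post: it takes your internal domain, public domain and Front End FQDN as parameters (the defaults are the placeholder names used in this post), resolves both lyncdiscover records, checks the two Mcx ports on the Front End, and fetches the autodiscover root over HTTPS with certificate validation left on, so a SAN missing from the certificate shows up as a trust failure. Run the internal checks from a domain workstation and the external ones from outside the firewall.

```powershell
# Added end-to-end check for the Lync Mobility deployment (not from the original post).
param(
    [string]$InternalDomain = 'internaldomain.com',
    [string]$PublicDomain   = 'publicdomain.com',
    [string]$FrontEnd       = 'frontend.internaldomain.com'
)

# Does the name resolve, and to what? Internal clients need lyncdiscoverinternal,
# external ones lyncdiscover (pointing at the TMG listener, not the Front End).
function Test-DnsName {
    param([string]$Name)
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }
        "OK    $Name -> $($addrs -join ', ')"
    } catch { "FAIL  $Name does not resolve: $($_.Exception.Message)" }
}

# Is the Mcx SIP listener up? 5086 internal, 5087 external (step 4).
function Test-TcpPort {
    param([string]$Target, [int]$Port, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Target, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected) { "OK    ${Target}:$Port is listening" }
        else { "FAIL  ${Target}:$Port not reachable within ${TimeoutMs}ms" }
    } catch { "FAIL  ${Target}:$Port $($_.Exception.Message)" }
    finally { $client.Close() }
}

# Fetch a URL the way the mobile client does: anonymous GET, certificate validation
# left ON. A SAN missing from the certificate (step 6) surfaces here as a "could not
# establish trust relationship" failure; a missing rewrite rule (step 5) as a 404/500.
function Test-Autodiscover {
    param([string]$Url)
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false
    $req.Timeout = 10000
    try {
        $resp   = $req.GetResponse()
        $status = [int]$resp.StatusCode
        $body   = (New-Object System.IO.StreamReader($resp.GetResponseStream())).ReadToEnd()
        $resp.Close()
        # The root document's links all point back at the Autodiscover service itself.
        if ($body -match 'AutodiscoverService\.svc') { "OK    $Url -> $status" }
        else { "WARN  $Url -> $status, but the body does not mention AutodiscoverService.svc (rewrite rule missing?)" }
    } catch [System.Net.WebException] {
        $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 'no response' }
        "FAIL  $Url -> $code ($($_.Exception.Message))"
    }
}

Test-DnsName "lyncdiscoverinternal.$InternalDomain"
Test-DnsName "lyncdiscover.$PublicDomain"
Test-TcpPort -Target $FrontEnd -Port 5086
Test-TcpPort -Target $FrontEnd -Port 5087
# The bare host exercises the rewrite rule; /root is where it should land.
Test-Autodiscover "https://lyncdiscoverinternal.$InternalDomain/"
Test-Autodiscover "https://lyncdiscoverinternal.$InternalDomain/Autodiscover/AutodiscoverService.svc/root"
Test-Autodiscover "https://lyncdiscover.$PublicDomain/"
Test-Autodiscover "https://lyncdiscover.$PublicDomain/Autodiscover/AutodiscoverService.svc/root"
```

A FAIL on the bare host name with an OK on the /root URL points at the web.config rewrite rules; a trust failure on the public name with an OK on the internal one points at the SAN list of the TMG listener certificate; a closed 5087 with an open 5086 means the Set-CsWebServer change was not published with Enable-CsTopology.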


Conclusion

Hopefully this helps with your installation of the Lync Mobility features. Cheers.

Setting users as Local Admin on Workstations

In the Windows XP era, system administrators were often forced to give end users local admin rights on their desktops. Unfortunately, the end users got used to having this extra power, and now that we are no longer technically forced to give them admin access we are, for political reasons, unable to take it away.

The question is how you give end users local admin en masse without giving away the whole farm. I have seen organizations add Domain Users to the local Administrators group. The problem with this is that every domain user becomes an administrator of that workstation, over the network as well as at the keyboard, not just the user actively logged on to it. I have also seen a couple of instances where “Everyone” was added to the local Administrators group. This is a horrible security practice and should be avoided at all costs, as you are handing full control of the system to any account that can reach it, including guests.

The easiest way around all of this is to add the local “INTERACTIVE” well-known group (SID S-1-5-4) to the local Administrators group. INTERACTIVE is placed in the token of whoever logs on at the console (or over Remote Desktop), so only the user currently logged on to that computer gets local admin rights on it (and the domain admins, of course); network logons by other users do not. Two things to keep in mind: anyone allowed to RDP to the machine becomes an administrator of it for the length of their session, and while a user is logged on every program they run, malware included, runs with those rights (UAC still prompts where it is enabled).

Here at The RSC Group we are going through a standardization of processes and procedures. A lot of Group Policies are being written, SCCM is in place for software distribution and software updates, etc. This issue came up as a result, and here is how we solved it.

1. We created an Active Directory OU in which to place the computer accounts of the workstations we wanted to manage.

2. We created a Group Policy Object (GPO) and linked it to the new OU.

3. In that GPO we defined a computer “Startup” script that adds “INTERACTIVE” to the local Administrators group (and, while it is there, removes Domain Users if someone had added it).

This startup script we borrowed from a Computing.Net forum, see here.

Here is the code:

Set oWshNet = CreateObject("WScript.Network")

' Well Known Security Identifiers in Windows (Server) Operating Systems:
' http://support.microsoft.com/?id=243330
sGroupSID    = "S-1-5-32-544" ' well-known SID of the local Administrators group
sComputer    = oWshNet.ComputerName
sDomainGroup = "Domain Users"

' Resolve the (localized) name of the Administrators group from its SID
Set oWMIService = GetObject("winmgmts:\\" & sComputer & "\root\cimv2")
Set colItems = oWMIService.ExecQuery("Select * from Win32_Group WHERE SID = '" & sGroupSID & "'")
For Each oItem In colItems
    sAdminGroup = oItem.Name
Next
Set objGroup = GetObject("WinNT://" & sComputer & "/" & sAdminGroup & ",group")

' suppress errors in case the account is already a member (or not a member)
On Error Resume Next

' find the localized name of the INTERACTIVE account (S-1-5-4)
Set objSid = oWMIService.Get("Win32_SID.SID='S-1-5-4'")
DNPath = "WinNT://" & objSid.ReferencedDomainName & "/" & objSid.AccountName

' add INTERACTIVE to the local Administrators group
If Not objGroup.IsMember(DNPath) Then objGroup.Add(DNPath)

' if Domain Users is a member of the local Administrators group, remove it
Set localdomain = oWMIService.ExecQuery("Select * from Win32_NTDomain")
For Each objItem In localdomain
    DNPath = "WinNT://" & objItem.DomainName & "/" & sDomainGroup
    If objGroup.IsMember(DNPath) Then objGroup.Remove(DNPath)
Next

4. We pasted this code into Notepad, saved it as “Localadmin.vbs” and added it to the GPO as a computer startup script.

5. Reboot the target machines and the actively logged-on user will have local admin rights.
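To see what the policy actually left behind, and to catch the anti-patterns described above (Everyone, Authenticated Users or Domain Users sitting in Administrators), here is an added PowerShell audit script; it is not part of the original post or of the forum script. It uses the same WinNT ADSI provider as the VBScript, so it runs on PowerShell 2.0 without the newer LocalAccounts module, compares SIDs rather than English group names, and takes one or more computer names as a parameter (remote access needs admin rights on the target).

```powershell
# Added audit script for local Administrators membership (not from the original post).
param([string[]]$ComputerName = @($env:COMPUTERNAME))

# Well-known SIDs (KB 243330) that should never be in local Administrators,
# plus INTERACTIVE, which the GPO above adds on purpose.
$Flags = @{
    'S-1-1-0'  = 'Everyone: any account at all, including Guest, is a local admin'
    'S-1-5-11' = 'Authenticated Users: every domain and local account is a local admin'
    'S-1-5-4'  = 'INTERACTIVE: whoever is logged on (console or RDP) is a local admin (expected if the GPO applied)'
}
$DomainUsersRid = 513   # <domain SID>-513 is Domain Users in every domain

# Resolve the localized name of BUILTIN\Administrators from its SID, as the VBScript does.
function Get-AdministratorsGroupName {
    $sid = New-Object System.Security.Principal.SecurityIdentifier('S-1-5-32-544')
    $sid.Translate([System.Security.Principal.NTAccount]).Value.Split('\')[-1]
}

# Enumerate the members of local Administrators via the WinNT provider and
# return name, class and SID for each (SIDs are what we compare, not names).
function Get-LocalAdminMembers {
    param([string]$Computer)
    $group = [ADSI]"WinNT://$Computer/$(Get-AdministratorsGroupName),group"
    foreach ($m in @($group.psbase.Invoke('Members'))) {
        $t = $m.GetType()
        $bytes = $t.InvokeMember('objectSid', 'GetProperty', $null, $m, $null)
        New-Object PSObject -Property @{
            Computer = $Computer
            Name     = $t.InvokeMember('Name',  'GetProperty', $null, $m, $null)
            Class    = $t.InvokeMember('Class', 'GetProperty', $null, $m, $null)
            Sid      = (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
}

# Explain why a member is a finding, or return $null for an ordinary admin.
function Get-AdminFinding {
    param([string]$Sid)
    if ($Flags.ContainsKey($Sid)) { return $Flags[$Sid] }
    if ($Sid -match "^S-1-5-21-\d+-\d+-\d+-${DomainUsersRid}`$") {
        return 'Domain Users: every domain account is a local admin, over the network as well as at the console'
    }
    return $null
}

foreach ($c in $ComputerName) {
    try { $members = @(Get-LocalAdminMembers -Computer $c) }
    catch { Write-Warning "$c : $($_.Exception.Message)"; continue }
    foreach ($m in $members) {
        $why    = Get-AdminFinding -Sid $m.Sid
        $tag    = if ($why) { 'FLAG' } else { ' ok ' }
        $detail = if ($why) { $why } else { "$($m.Class) $($m.Sid)" }
        '{0} {1,-15} {2,-30} {3}' -f $tag, $m.Computer, $m.Name, $detail
    }
}
```

Run it against the OU’s members after the reboot in step 5: each machine should show one FLAG line for INTERACTIVE and none for Everyone, Authenticated Users or Domain Users. Anything else flagged is a machine the startup script has not reached yet, or a group someone added by hand.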

Doing an Authoritative Restore on an Active Directory Domain

Sometimes organizations, no matter their size, allow people to have far more administrative access than they should. Have you ever had someone who didn’t know what they were doing mess up your Active Directory infrastructure?

If you are an architect or IT manager in your organization, take a second to think about how many Domain Admins you have. Do you really need that many? Are your admins abiding by your change management process? Far too often, even with a change management process in place, admins try to sneak changes in under the wire hoping no one will notice. If you work for an enterprise you will see this on a much larger scale than a small to medium business.

A good practice is to have object auditing enabled on your AD infrastructure. There are a number of tools that do a really good job of this; the products from Quest and ScriptLogic, for example, help you keep solid track of what is happening in your directory. If you are using tools like ArcSight or Tripwire to audit your entire network, they will give you generic information about AD but not the granular detail you need, e.g. what changed and who changed it.

However, unless a government regulation requires it, most organizations do not have these tools in place, and sometimes things get deleted or, worse yet, entire portions of your tree get corrupted.

This is when you need to do an authoritative restore. It should be a last resort, after you have tried everything else to reverse the changes (on Windows Server 2008 R2 and later, check first whether the Active Directory Recycle Bin is enabled, which lets you undelete objects without any of this).

1. You need a backup. If you do not have a valid System State backup taken before the damage (and no older than the tombstone lifetime, or the DC will refuse to use it), I am afraid you are out of luck.

2. Reboot your DC and press F8 until the Advanced Boot Options menu shows up.

3. Choose Directory Services Restore Mode (DSRM) and press Enter.

4. Log on with the DSRM administrator password. (You created this when you promoted the domain controller. If you didn’t promote the DC, find the person who did or check your organization’s AD documentation.)

5. Click Start –> Run –> ntbackup.exe. (On Windows Server 2008 and later ntbackup is gone; use wbadmin start systemstaterecovery instead.)

6. Click Restore and select System State.

7. When the restore completes, reboot the server and go straight back into DSRM. Do not let it start normally yet: the moment it does, its replication partners overwrite the restored data with their newer copy, which is exactly what the next steps prevent.

8. Once you have rebooted, open a command prompt.

9. Type ntdsutil. (On Windows Server 2008 and later, type activate instance ntds first.)

10. Type authoritative restore.

11. Restore the OU, for example: restore subtree "OU=Users,OU=Employees,DC=chrismadge,DC=com"

12. A pop-up asks if you are sure you want to perform the authoritative restore. Click Yes.

13. The restore will occur. Hooray! ntdsutil raises the version numbers of the restored objects so that they win replication. Type quit twice, reboot normally and let the other DCs pull the objects back. On Windows Server 2003 SP1 and later, ntdsutil also writes .ldf files holding the restored objects’ back-links (group memberships); import them with ldifde -i -k -f <file> where the tool tells you to, or the restored users come back with empty group memberships.

N.B. Should you need to restore your entire Active Directory because this person caused widespread damage, type restore database instead of restore subtree with an OU. That marks everything except the schema partition authoritative and rolls the whole domain back to the backup, so it is a much bigger hammer than it looks.

Know your role(s)

I was asked the other day what the FSMO roles were. I remember them being a part of one of the Windows 2k3 MCSE exams but couldn’t remember for the life of me what they were. It was certainly embarrassing, and as soon as I was at a workstation I looked up what they were. I thought that I would share them with you just in case you forgot as well.

When there is only one domain controller in an environment, that DC obviously holds all the roles. In larger environments it is best to place them deliberately on specific domain controllers and document where they live, because some of them cannot be moved casually.

Schema Master

In an AD forest the Schema Master is the only DC on which schema changes and updates can be written. Once the changes are made they replicate to every other domain controller in the forest. This is one of the two forest-wide roles: there can be only one Schema Master in the whole forest.

Domain Naming Master

This role holds the right to add and remove domains (and application directory partitions) in the forest, and to create the cross-reference objects that point at external directories. Like the Schema Master it is forest-wide: there can be only one Domain Naming Master.

Infrastructure Master

The Infrastructure Master is a little more complicated. Objects are referenced by GUID, SID and distinguished name (DN). When an object in another domain that is referenced from this domain (a user from domain B in a group in domain A, say) is renamed or moved, the Infrastructure Master is responsible for updating the stale reference (the “phantom”) in its own domain and replicating the fix to the domain’s other DCs. It finds stale references by comparing its data with a global catalog, so it must not be a global catalog itself unless every DC in the domain is one; otherwise it never sees anything to update.

Relative ID (RID) Master

Every security principal (user, computer or security group) gets a SID made up of the domain SID plus a relative identifier (RID) that is unique within the domain. Because any DC can create objects, each DC is allotted a pool of RIDs; when it runs low it asks the RID Master for another pool. There can be only one RID Master per domain.

PDC Emulator

In NT4 days (1997–2000) there were two types of domain controller, the Primary DC and Backup DCs. The PDC emulator stands in for the PDC towards NT4 BDCs and down-level clients in a mixed environment, but it still has plenty to do in a pure Windows 2000/2003 domain:

  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

(List borrowed from Daniel Petri.)

The PDC Emulator, RID Master and Infrastructure Master are domain-wide roles: there is one of each in every domain in the forest. The Schema Master and Domain Naming Master are forest-wide, so only one of each exists in the whole forest. The PDC emulator of the forest root domain is also, by default, the authoritative time source for the forest, which is one more reason to know where it lives.

And those are the FSMO roles. Next time I’m asked, hopefully I’ll remember!
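Knowing the roles is half of it; the other half is knowing which DC holds each one. This PowerShell snippet is an added example, not from the original post: it reads the role owners through System.DirectoryServices.ActiveDirectory and also applies the Infrastructure Master placement rule described above. It must run on a domain-joined machine as a user who can read the directory.

```powershell
# Added example: list FSMO role holders and check Infrastructure Master placement
# (not from the original post). Requires a domain-joined machine.
Add-Type -AssemblyName System.DirectoryServices

# One row per role: the two forest-wide roles once, the three domain-wide roles per domain.
function Get-FsmoRoleHolders {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'Schema Master';        Holder = $forest.SchemaRoleOwner.Name }
    New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'Domain Naming Master'; Holder = $forest.NamingRoleOwner.Name }
    foreach ($d in $forest.Domains) {
        New-Object PSObject -Property @{ Scope = $d.Name; Role = 'PDC Emulator';          Holder = $d.PdcRoleOwner.Name }
        New-Object PSObject -Property @{ Scope = $d.Name; Role = 'RID Master';            Holder = $d.RidRoleOwner.Name }
        New-Object PSObject -Property @{ Scope = $d.Name; Role = 'Infrastructure Master'; Holder = $d.InfrastructureRoleOwner.Name }
    }
}

# Placement rule from the text: the Infrastructure Master must not be a global
# catalog unless every DC in its domain is one, or it never notices stale
# cross-domain references. (Moot once the AD Recycle Bin is enabled, and
# irrelevant in a single-domain forest, but worth knowing before you move roles.)
function Test-InfrastructureMasterPlacement {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $gcs = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
    foreach ($d in $forest.Domains) {
        $im    = $d.InfrastructureRoleOwner.Name
        $dcs   = @($d.DomainControllers | ForEach-Object { $_.Name })
        $nonGc = @($dcs | Where-Object { $gcs -notcontains $_ })
        if (($gcs -contains $im) -and $nonGc.Count -gt 0) {
            "WARN  $($d.Name): Infrastructure Master $im is a GC but $($nonGc.Count) DC(s) are not: $($nonGc -join ', ')"
        } else {
            "OK    $($d.Name): Infrastructure Master $im placement is fine"
        }
    }
}

Get-FsmoRoleHolders | Format-Table Scope, Role, Holder -AutoSize
Test-InfrastructureMasterPlacement
```

If the table shows every role on a DC you were about to decommission, transfer them first (ntdsutil roles, or the AD snap-ins) rather than seizing them afterwards; seizing is for when the holder is gone for good.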