Unfortunately there are a significant number of ‘gotchas’ and with our roll out we seemed to hit them all.

Here are the steps we took, the problems we ran into and how we fixed them.

1. First Step to deploying Lync Mobility is to install the CU4 update.

Before you install the updates ensure you have a backup of the server or a snapshot. The last thing you want to do is rebuild your front end server.

Once you have your backup/snapshot.

a. Install the “Dynamic Content Compression” feature in the IIS role in Server Manager

b. The next thing you need to do is stop the services before installation. In Lync Server Management Shell – Type “Stop-CSWindowsService”

c. From a Elevated Command Prompt: type Net Stop W3SVC

d. Run the CU4 Updates Available Here: http://www.microsoft.com/download/en/details.aspx?id=11551

e. Once the CU4 updates are installed. Reboot the Front End Server.

2. Create your DNS Records.

On your internal domain server:

a. Create a CNAME record for your front end server. The CNAME record should be “Lyncdiscoverinternal.internaldomain.com” which points to the FQDN of your FrontEnd Server. e.g. “Frontend.internalDomain.com

b. Create an Public A Record for your Reverse Proxy

nbd. The assumption here is that you have created a Reverse Proxy for your WebComponents already. If you haven’t created a reverse proxy with TMG this is a pre-requisite. For documentation on how to setup the Reverse Proxy I recommend Daryl Hunter’s Blog. He does a really good job of going step by step.. http://www.darylhunter.me/blog/2011/11/lync-2010-reverse-proxy-part-1.html

The A Record should point to the IP address of your TMG FW proxy.

The A record should be : “Lyncdiscover” pointing to 212.111.111.101

3. Install the Autodiscover/Mobility Update

a. Shut down the “CS-WindowsService” via the Lync Server Management Shell again

b. Stop the Web server “net stop w3svc”

c. Download the Update: http://www.microsoft.com/download/en/details.aspx?id=28356 and install it.

Adam Jacobs on his blog (link) recommends installing this way.

First you’ll need to copy the McxStandalone.msi to C:\ProgramData\Microsoft\Lync Server\Deployment\cache\4.0.7577.0\setup, then execute C:\Program Files\Microsoft Lync Server
2010\Deployment\Bootstrapper.exe

However, double clicking the msi worked for me.

d. Reboot the Front End server.

4. Powershell Commands

We need to run some Powershell commands:

The first one enables listening on the Internal Side:  Set-CsWebServer –Identity frontend.internaldomain.com -McxSipPrimaryListeningPort 5086

The next command is for the External Site: Set-CsWebServer –Identity frontend.internaldomain.com -McxSipExternalListeningPort 5087

The Next Command is : Enable-CsTopology –verbose

This next set of commands is to enable push notifications:

Set-CsPushNotificationConfiguration

New-CsHostingProvider –Identity “LyncOnline” –Enabled $True –ProxyFqdn “sipfed.online.lync.com” –VerificationLevel UseSourceVerification

New-CsAllowedDomain –Identity “push.lync.com”

The last Powershell Command is to update the Database (I totally forgot about this step thanks to @itommyclarke for reminding me

If you are running Standard server you need to run this command: Install-CsDatabase –Update –LocalDatabases

If your Enterprise SQL Backend is on another server: Install-CsDatabase –Update –ConfiguredDatabases –SqlServerFqdn <SQL Server FQDN>

Lastly if you have the Monitoring and Archiving roles co-located on the same server as your other databases you will need to run this command:

Install-CsDatabase –Update –ConfiguredDatabases –SqlServerFqdn <SQL Server FQDN> –ExcludeCollocatedStores

5. File Edits

This is SUPER important.

a. We will start with the ApplicationHost.config file found here :C:\Windows\System32\inetsrv\config

This I took from Microsoft (link)

• Use a text editor such as Notepad to open the applicationHost.config file, located at C:\Windows\System32\inetsrv\config\applicationHost.config.
• Search for the following:

  <Add name="CSExtMcxAppPool"

• At the end of the line, before the ending angle bracket (>), type the following:

  CLRConfigFile="C:\Program Files\Microsoft Lync Server 2010\Web Components\Mcx\Ext\Aspnet_mcx.config"

• Search for the following:

  <Add name="CSIntMcxAppPool"

• At the end of the line, before the ending angle bracket (>), type the following:

  CLRConfigFile="C:\Program Files\Microsoft Lync Server 2010\Web Components\Mcx\Int\Aspnet_mcx.config"

b. The next two files we need to check are:

C:\Program Files\Microsoft Lync Server 2010\Web Components\External Website\web.config (open with Notepad)

Add this at the end of the file before the <rules> tag

<rule name=”autodiscover rule 1″ enabled=”true” stopProcessing=”true”>

<match url=”(.*)” />

<conditions logicalGrouping=”MatchAll”>

<add input=”{HTTP_HOST}” pattern=”.*lyncdiscover.*” />

<add input=”{REQUEST_URI}” pattern=”Autodiscover/AutodiscoverService.svc/root” negate=”true” />

</conditions>

<action type=”Rewrite” url=”Autodiscover/AutodiscoverService.svc/root” />

</rule>

<rule name=”Client access policy Rule” enabled=”true” stopProcessing=”true”>

<match url=”clientaccesspolicy.xml” />

<action type=”Rewrite” url=”meet/clientaccesspolicy.aspx” />

</rule>

Make sure that you do not have two Client Access Policy rules in the file or it will create Internal Server Errors on your Autodiscover Service.

The Next file is for the internal site: C:\Program Files\Microsoft Lync Server 2010\Web Components\Internal Website

The code is entered in the exact same place except you need this code:

<rule name=”autodiscover rule 1″ enabled=”true” stopProcessing=”true”>

<match url=”(.*)” />

<conditions logicalGrouping=”MatchAll”>

<add input=”{HTTP_HOST}” pattern=”.*lyncdiscoverinternal.*” />

<add input=”{REQUEST_URI}” pattern=”Autodiscover/AutodiscoverService.svc/root” negate=”true” />

</conditions>

<action type=”Rewrite” url=”Autodiscover/AutodiscoverService.svc/root” />

</rule>

<rule name=”Client access policy Rule” enabled=”true” stopProcessing=”true”>

<match url=”clientaccesspolicy.xml” />

<action type=”Rewrite” url=”meet/clientaccesspolicy.aspx” />

</rule>

Again make sure tha you dont  have two: “<rule name=”Client access policy Rule”….> rules.

If you don’t have these lines in your web.config files it can cause some big problems. I chased .net errors for a good week before I figured out what the problem was.

 

6. Certificates

We will start with the Internal Certs

On your FE server. Run the Lync Server Deployment Wizard again.

Choose to Install Lync Server

Run “Request, Install or Assign Certificates

Request new Certificates from your internal CA (Ensure that all three certificates are selected)

The Mobility and CU4 updates will fill in all the proper Subject Alternative Names (SAN).

Assign the certificates.

The External Certificates

Now Microsoft does not support Wildcard Certificates for UC purposes. We had a Wildcard Cert on our TMG Front End prior to the CU4 updates and it worked fine.

However, with the Mobility updates it did not work. You will need a UCC certificate from your Public Certificate Vendor. The SAN’s that need to be included on the Cert are:

• meet.publicdomain.com
• dialin.publicdomain.com
• lyncdiscover.publicdomain.com

7. The Firewall Rules

We will need to create a new FW rule for the Lync Discover Service:

On your TMG Firewall Create a Web Site Publishing Rule:

Create a rule

It’s an Allow Rule

Publish a Single Web Site

Use SSL

Enter the name of your Lync Front End Server

Set the Path as /* and Forward the Original Host Header

The public DNS name of the autodiscover service: LyncDiscover.PublicDomain.com

Use the same Web Listener that you are using for your other Web Components (Meet,Dialin and Addressbook)

Set Delegation as:  No delegation, but client may authenticate directly

Complete The Rule with the default settings.

Once the rule is created go back and edit it.

On the Bridging Tab. Redirect the ports to 8080 and 4443

Click on the Listener Tab and choose properties to Edit the listener

On the Certificates Tab replace the Certificate with the new public certificate you created in Step 5

Conclusion

Hopefully this helps in your installation of the Lync Mobility features. Cheers.

http://www.ultimate-communications.com/2011/12/best-practices-when-updating-lync-server-with-those-cumulative-updates-lync/

One of the things that I struggle with in my current role is the tension between freedom/creativity and bureaucracy/structure. I have seen the devastation that comes from organizations that have a ‘Wild West’ philosophy where everyone is able to do as they please. The end result is mayhem and un-productivity. However, I have seen the exact opposite where an organization is so structured and bureaucratic that working in that organization feels often like a prison. Gareth Morgan (2006) addresses this in his book Images of Organization. He writes:

(Max) Weber is famous among organization theorists for his work on the nature of bureaucracy. However, his main concern was to understand how different societies and epochs are characterized by different forms of social domination. He viewed bureaucracy as a special mode of social domination and was interested in the role of bureaucratic organizations in creating and sustaining structures of domination. (pg 294)

Like my previous post, I agree with Morgan (2006) and Weber in the concept of bureaucratic organizations can be structures of domination. Weber came up with 3 types of domination that he gathered from historical research. (see attached jpg taken from pg 295). I struggle because I see myself sometimes in the ‘rational-legal’ category. I wonder about the impact I’m having on my organization. Am I dominating our people with rules and procedures? Am I stifling creativity with bureaucracy? Obviously there needs to be a tension but where does that tension rest? Any ideas?

Morgan, G. (2006). Images of organization.London, UK: Sage Publications.

You need to remove these reg entries below and the server will autodiscover… Hooray~!!!

Remove these entries
x86
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SMS\Mobile Client]
     "GPRequestedSiteAssignmentCode"="SITECODE"
     "GPSiteAssignmentRetryInterval(Min)"=dword:0000003c
     "GPSiteAssignmentRetryDuration(Hour)"=dword:0000000c
x64
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\SMS\Mobile Client]
     "GPRequestedSiteAssignmentCode"="SITECODE"
     "GPSiteAssignmentRetryInterval(Min)"=dword:0000003c
     "GPSiteAssignmentRetryDuration(Hour)"=dword:0000000c

The first website gave me a PowerShell script that installed all the Roles and Features I needed.

The script can be found here and the one you need is “PrepSiteServer2‘’

The second site gives you step by step instructions on how to install SCCM 2007 SP2 on Windows Server 2008 and even walks you through all the gotcha’s

Here is the URL: http://blogs.southworks.net/aortega/2009/09/16/deploy-sccm-2007-sp2-rc-on-windows-server-2008-r2/

1. Have and use an Antivirus Client (Microsoft Security Essentials/Sophos AV for OSX is free.. No Excuses)

2. Uninstall Adobe Flash Player. Adobe Flash has more holes than swiss cheese and no matter how many updates they put out you can’t really fix bad code. Yep you’ll lose out on some functionality but honestly for what you’ll gain in time recovered in not rebuilding your machine weekly it’s worth it

3. Create an Admin account on your computer and change your day to day account to a “regular user” account. If the virus doesn’t have admin rights. It can’t install.. This is probably the most critical change.

4. Be smart about what you click on. Just cause it’s on facebook does not mean that is safe. No some dad in the US did not find his daughter on a webcam so stop clicking the link. It’s called clickjacking and it can seriously mess up your PC. (btw.. there is no such thing as nude photos of Anna Kornikova either)

5. If it sounds to good to be true.. It probably is. (e.g. watching cricket online  for free) Do not install anything on your machine that is not from a reputable source. This includes Active X controls and “plugins”

6. Update your computer and your web browser regularly. Windows, PC or Linux it doesn’t matter just get it done. You can configure Windows Update to install at 3 in the morning while you’re hopefully sleeping

That’s it.. While this advice is not bulletproof it will help mitigate most of the threats out there. 

Cheers,

C

The feature that we were looking to use was the Organization Browser in Mysites.

When we began looking in Central Admin on the surface everything appeared to be configured correctly. The UPS had been configured to use a service account that had replication rights in Active Directory. The credentials were correct.

However, when we initiated a sync the Forefront Identity Manager Synchronization Service would change it’s status to “starting” and would never start. The Forefront Identity Manager Service would never get started and would remain disabled.

After pouring over the event logs and testing numerous different configurations. We finally ended up calling Microsoft Product Support Services(WiPro).  After several days of troubleshooting as a matter of last resort we decided to blow away the UPS databases in Sharepoint and recreate the service from scratch. The reason that this is a last resort is that deleting the databases clears all of the data that is contained in mysites.  However, even after we tried this it still didn’t work.

I could go on for quite a bit about all the things we tried. At the end of the day it was about 30 hours of troubleshooting. However, I’ll cut straight to the chase and give you the solution that worked for us here at The RSC Group.

Solution:

1)      Download and run Microsoft SharePoint Foundation 2010 (url:-  http://support.microsoft.com/hotfix/KBHotfix.aspx?kbln=en-us&kbnum=2475880  )

2)      After that Download and run Microsoft SharePoint Server 2010 (url:- http://support.microsoft.com/hotfix/KBHotfix.aspx?kbln=en-us&kbnum=2475878 )

3)  After that only once run Products Configuration Wizard (Start -> All Programs -> Microsoft SharePoint 2010 products -> SharePoint 2010 Products Configuration Wizard)

4)  restart the server.

 5) Recreate the UPA.

 6. Un-Provision the Sync service using power shell by following http://technet.microsoft.com/en-us/library/ff681014.aspx

 7. then run the command Get-SPServiceInstance

 8. copy the id for the User Profile Sync service.

 9. then run the command Stop-SPServiceInstance -Id “Id for the User Profile Sync Service”

 10. Go to start — run — MMC — file — add/ remove snappin — select certificate — add then select

 11. Found My user account | Service Account | Computer Account

 12. Except service account  added the other two account

 13.  Clicked  Ok.

 14. Deleted all the certificated related to FIM from all the folders.

 15.  Opened regedit — Hkey Local Machine — System — Current Control Set — Services — Fim Service and changed the database name to point to the new sync database.

 16.  Went to regedit — Hkey Local Machine — System — Current Control Set — Services — and changed the database name to point to the new sync database.

 17. Did an IISreset.

 18. Stopped SharePoint timer and SharePoint admin service from services.msc

 19.  Cleared SharePoint Config cache.

 20. Ran the below command

stsadm -o execadmsvcjobs

 21. Started the SharePoint timer and SharePoint Admin service from services.msc

 22. IIsreset

 23. After that started the User Profile Synchronization service. (It actually started)

 24.  Created Synchronization connector.

 25. Went in UPA service ->Configure Synchronization connections-> create new

 26. After that Start Profile Synchronization -> select Start full Synchronization.

The question is how do you give end users local admin en masse without giving away the whole farm. I have seen in some organizations that the Domain Users have been added to the local admins group. The problem with this is that everyone who is a domain user will now have access to that workstation not just the actively logged in user. I have also seen in a couple of instances where “Everyone” was added to the Local Administrators group. This is a horrible security practice and should be avoided at all costs as your are allowing everyone authenticated or not full access to the system.

The easiest way to get all around all of this is to add the local “Interactive” user to the local admins. This will ensure that only the currently logged in user has local admin access to the computer. (and the domain admins of course).

Here at The RSC Group we are going through a standardization of processes and procedures. A lot of Group Policies are getting written, SCCM is in place for Software distribution and Software Updates etc.. As a result this issue came up and here is how we solved it.

1. We created a Active Directory OU in which to place the computer accounts of the workstations we wanted to manage.

2. We created a Group Policy Object (GPO) and applied it to the new OU that we created.

3. In that GPO we defined a “Startup” script that would add the “Interactive” user into the local admins.

This Startup Script that we added we stole from a Computing.Net forum see here

Here is the code:

Set oWshNet = CreateObject("WScript.Network")

‘Well Known Security Identifiers in Windows (Server) Operating Systems
‘http://support.microsoft.com/?id=243330

sGroupSID = "S-1-5-32-544" ‘ Well Known SID of the group Administrators
sComputer = oWshNet.ComputerName
sDomainGroup = "Domain users"

Set oWMIService = GetObject("winmgmts:\\" & sComputer & "\root\cimv2")
Set colItems = oWMIService.ExecQuery ("Select * from Win32_Group WHERE SID = ‘" & sGroupSID & "’")
For Each oItem in colItems

sAdminGroup = oItem.Name

Next
Set objGroup = GetObject("WinNT://" & sComputer & "/" & sAdminGroup & ",group")

‘ suppress errors in case group is already a member
On Error Resume Next

‘finds localized name of the Interactive account
Set objSid = oWMIService.Get ("Win32_SID.SID=’S-1-5-4′")
DNPath = "WinNT://" & objSid.ReferencedDomainName & "/" & objSid.AccountName

‘adds Interactiv group to local Administrators group
If NOT objGroup.IsMember(DNPath) Then objGroup.Add(DNPath)

 

‘if domain users are member of local admin group, remove it
Set localdomain = oWMIService.ExecQuery ("Select * from Win32_NTDomain")
For Each objItem in localdomain
DNPath = "WinNT://" & objItem.DomainName & "/" & sDomainGroup
If objGroup.IsMember(DNPath) Then objGroup.Remove(DNPath)
Next

4. We pasted this code into a notepad and saved it as “Localadmin.vbs” and added it to the GPO.

5. Send the target machines for a reboot and the actively logged in user will have local admin rights.

My wife and I recently travelled to a 5 star resort in Puerto Vallarta and despite an above average price price per night. They still felt the need to charge 11 USD dollars per night for WIFI access per device. There was no way around this, The authentication mechanism used a 10 digit code to authenticate NAC and allow that MAC address to access to the internet VLAN. Yes we could spoof the MAC address on the other devices but only one device could connect at a time and if the NAC appliance discovered two devices presenting the same MAC it would shut down both ports.

The way to get around this is to:

1) Build a Bluetooth PAN network between two laptops.

a) Laptop 1 will use the WIFI code provided by the hotel or resort.

b) Once the connection is established ensure internet access by browsing to www.google.com

c) Next go into the bluetooth driver. We used two macbooks. So went into the System Preferences -> Bluetooth

d) We paired the two macbooks (which is easy with OSX) and once the devices were paired. We went to advanced and shared the internet connection (see screenshot)

The next step is to share the internet connection. We again went into the System Preferences and this time into the “Sharing” control panel. We shared the Airport connection with the Bluetooth PAN.

At this point Laptop 2 should be able to reach the internet without a WIFI connection.

2) The next step is to share the bluetooth network from Laptop 2 using WIFI.

a) On laptop 2 go into the System Preferences -> Sharing

b) Choose Internet Sharing and Select the “Bluetooth PAN” and share via Airport.

c) You will then have the option to create SSID you for your WIFI access point. I would also highly recommend enabling WEP and specifying a 128bit 10 digit WEP code. Even if it’s as simple as your phone number although I would recommend a more complex code. You now have a Wifi access point that you can share with all your devices.

Sometimes organizations no matter the size allow people to have way more Administrative Access than they should. Have you ever had someone who didn’t know what they were doing mess up your Active Directory Infrastructure?

If you are an architect or IT manager in your organization take a second to think about how many Domain Admins that you have? Do you really need many admins? Are you admins abiding by your change management process? Far too often even with a change management process in place, admins try to sneak changes in under the wire hoping no one will notice. If you work for an enterprise you will see this on a much larger scale than perhaps a small to medium business.

A good practice is to have object auditing enabled on your AD infrastructure. There are number of tools available that do a really good job at this. Some good examples are the tools provided by Quest and Scriptlogic both of these products do a really good job of helping you keep solid track of what is occurring in your infrastructure. If you are using tools like Arcsight or Tripwire to audit your entire network these tools will give you generic information about AD but not the granular info that you need e.g. what changed and who changed it.

However, unless a government regulation requires them to . Most organizations do not have these types of tools in place and sometimes things get deleted or even worse yet entire portions of your tree gets corrupted.

This is when you need to do authoritative restore. This should be a last resort after you have tried everything else to reverse the changes.

1. You need a backup. If you do not have a vaild Systems State backup then I am afraid you are out of luck.

2. Reboot your DC Press F8 until the Advanced Options Menu shows up

3. Choose DSRM (Directory Services Restore Mode) and press enter

4. Logon using the DSRM password. (You created this when you promoted the Domain Controller.. If you didn’t promote the DC find the person who did or check your organizations AD documentation)

5. Click Start –> Run – > Ntbackup.exe

6. Click Restore – and select System State

7. Reboot server and go back into the DSRM

8. Once you have rebooted start a command prompt

9. Type NTDSUTIL

10. Type authoritative restore

11. Restore the OU  – type “restore subtree (e.g. OU=Users,OU=Employees,DC=chrismadge,DC=com

12. A popup will occur asking if you are sure you want to perform the Authoritative Restore.. Click Yes

13. The restore will occur. Hooray!

nbd…. Should you need to restore your entire active directory cause this person caused wide spread damage. Instead of typing “restore subtree” and specifying the OU. type “restore database”