The C-spot

This guide will run through a consolidated Enterprise edition install (without voice gateway integration, whereby all roles will be deployed on virtual machines.

The guide will be split up in different chapters.

The first chapter is all about preparing your Lync 2010 environment.

 

Prepare the Lync 2010 Enterprise Edition Server Infrastructure

The following sections outline the step to prepare the Lync 2010 Enterprise Edition server infrastructure.

1. Set Up Enterprise Edition Hardware and System Infrastructure

2. Install Prerequisite Software

· Lync Server requires Microsoft .Net Framework 3.5 with SP1.

· Prerequisite software for database servers.

· Message Queuing. Message Queuing (also known as MSMQ) role components and Directory Service Integration should be installed on the Front End Server, the Archiving Server, and the Monitoring Server if you plan to deploy the Lync Server 2010 Archiving or Monitoring Server roles. The Message Queuing components can be found in Server Manager or can be deployed by using servermanagercmd.exe or the Add-WindowsFeature Windows PowerShell cmdlet.

· Configure IIS:

Role Heading	Role Service
Common HTTP features installed	Static content
Common HTTP features installed	Default document
Common HTTP features installed	HTTP errors
Application development	ASP.NET
Application development	.NET extensibility
Application development	Internet Server API (ISAPI) extensions
Application development	ISAPI filters
Health and diagnostics	HTTP logging
Health and diagnostics	Logging tools
Health and diagnostics	Tracing
Security	Anonymous authentication (installed and enabled by default)
Security	Windows authentication
Security	Client Certificate Mapping authentication
Security	Request filtering
Performance	Static content compression
Management Tools	IIS Management Console
Management Tools	IIS Management Scripts and Tools

· Install the Remote Server Administration Tools

· Install Silverlight

Silverlight is required to run the Lync Server Control Panel. Although we won’t be using the Control Panel until everything is installed, you can install it now since we’re installing the prerequisite software. Silverlight needs to be installed on the Front-End servers.

· Install and Configure SQL Server

Lync Server 2010 leverages SQL Server for the back-end database and the Archiving and Monitoring databases. SQL Server needs to be installed before we can install Lync Server 2010. For this lab, SQL Server 2008 with Service Pack 1 will be used, and installed on the Back End Server as well as the Monitoring/Archiving Server.

3. DNS records

Lync Server 2010 leverages DNS for various features. Certain DNS records are required as part of the infrastructure preparation. Each server within this lab will already have an A record in DNS. This is attributed to the fact that I am using Active Directory-Integrated DNS, which has Dynamic DNS enabled by default. However, there are additional DNS records that are required before we proceed, including:

pool1.domain.com	A	IP of Front End Server
admin.domain.com	A	IP of Front End Pool
sip.domain.com	A	IP of Front End Pool
_sipinternaltls._tcp.domain.com	SRV	sip.domain.com Port: 5061

4. Grant Administration Permissions

Follow these steps to grant Administration permissions:

1. Ensure you are in the Users Container in Active Directory Users and Computers.

2. In the details pane, locate the CsAdministrator group, right-click on it, and select Properties.

3. On the CsAdministrator Properties page, click on the Members tab.

4. Click Add.

5. On the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box, type Administrator in the Enter the object names to select field, and then click OK.

6. On the CsAdministrator Properties page, click OK.

5. Create the Lync File Share

The user account that we will use to publish the topology must have full control (read/write/modify) on the file share in order for Topology Builder to configure the required permissions. Because I’m going with an Enterprise Edition deployment, the file share cannot be located on the Front End Server. As a result, We prefer to create the file share on the Monitoring/Archiving Server.

Log on to Lync Monitoring/Archiving server

2. Go Start, click Computer, and then click Local Disk (C:).

3. Right-click in the Details Pane, select New, and then select Folder.

4. Name the new folder LyncShare.

5. Right-click on the LyncShare folder, select Properties, click on the Sharing Tab, and then click Advanced Sharing.

6. On the Advanced Sharing dialog box, select the Share this folder option, leave the Share Name field as LyncShare.

 

/Tim

When renaming a custom addresslist in exchange 2007 through the EMC, the rename is not visible in the addressbook.  This is because the addressbooks in Outlook use the DisplayName. 

Solution: Change the DisplayName of the addresslist with PowerShell.

Get-addresslist “name” | set-addresslist –Displayname “name”

 

Another happy day in Powerhell

/Frederik

When installing Lync at a customer on Server 2008 R2 SP1, the installation failed with the following error while adding the first Lync Server Components:

Problem: The Lync Server 2010 Setup or Remove Component installation prerequisite check cannot locate the  Server 2008 R2 SP1 version of Microsoft Windows Media Format.

Use the command line listed below from a command prompt window to install Windows Media Format Runtime for Server 2008 R2 SP1 before you begin the installation of Lync Server 2010:

%systemroot%\system32\dism.exe /online /add-package /packagepath:%windir%\servicing\Packages\Microsoft-Windows-Media-Format-Package~31bf3856ad364e35~amd64~~6.1.7601.17514.mum /ignorecheck

 /Tim

After installing Lync at one of our customers we experienced the following problem when the user was trying to log in.

When I try to make the remote sign-in with the appropriate credentials, Lync reports me “Cannot sign in to Lync. Lync was unable to sign in. Please verify your logon credentials. But it only happened on Windows XP/Windows 7 machines.

When I try to sign-in using the same credentials and Windows 2008 R2 as the client, Lync is signin in!

TheLync server was running Windows 2008 R2. With Windows 7 and Windows 2008 R2, 128-bit encryption is (by default) required for all NTLM authentication requests. After disabling the 128-bit encryption requirement using information from http://technet.microsoft.com/en-us/library/dd566199(WS.10).aspx and running a gpupdate the computer was able to authenticate successfully.

/Tim

 

This blogpost is a full installation walkthrough and documentation guideline on how Forefront Endpoint Protection 2012 beta is installed (I did this today at one of our customers)

One of the main assumptions for the implementation of FEP 2012 beta, is having the availability of a fully operational System Center Configuration Manager 2012 platform, which was the case. (Thanks to my colleague Steve for this !!)

The following topics are documented:

· Installation walkthrough of the FEP 2012 beta server components

· Overview of FEP components within SCCM 2012 console

· Update OSD Task Sequence for FEP 2012 client deployment

· Walkthrough of a manual deployment of the FEP 2012 client

· Monitoring FEP 2012

Installation walkthrough of the FEP 2012 beta server components

· Start the FEPInstall from the installation medium

· If you choose here for Basic Topology, the FEP 2012 component will take all current settings from the running SCCM 2012 platform (file locations, SQL database, SQL reporting services, service account settings,…)

· Enter the Password for the SCCM 2012 service account

· Here we choose Use Microsoft Update…; this guarantees that the FEP 2012 client antivirus / antimalware signatures are automatically updated by using Microsoft Update. There is an automatic fallback scenario where the update engine can perform a direct update as well, if WSUS engine should be down.

· By selecting Basic SpyNet membership, the FEP 2012 application will send regular information to Microsoft regarding virusses and malware it detects on the network. The feature “Advanced SpyNet” has about the same functionality, but it also gives feedback to the end-users in the FEP client console, which is normally something we don’t want to bother our users with.

· As the installation prerequisite check is finished succesfully, we force the setup to automatically open the SCCM console

Overview of FEP components within SCCM 2012 console

After we installed the FEP 2012 server components in the previous step, this chapter gives a basic overview of the default FEP 2012 beta topics in the SCCM 2012 beta console.

The following SCCM options are available in Software Library console:

– Software Library / Overview / Application Management / Packages /

o FEP Deployment

o FEP Operations

o FEP Policies

The following SCCM options are available in Monitoring console:

– Monitoring / Overview / FEP Status

– Monitoring / Reportings / Reports

o FEP information for a specific computer

The following SCCM options are available in Assets & Compliance console:

– Overview / FEP Policies

o Default desktop policy

o Default server policy

– Overview / Compliance Settings / Configuration Items

o FEP … (several collections available)

– Overview / Device Collections / FEP Collections

o FEP … (several collections available)

Update OSD Task Sequence for FEP 2012 client deployment

As a lot of FEP specific parameters and settings have already been preconfigured within SCCM 2012 beta, we can immediately make use of those settings to start deployment of the FEP 2012 beta client to our environment.

In this first example, we update an existing OSD task sequence to install FEP 2012 beta client at the end of the OS deployment.

· Go to Software Library / Overview / Operating Systems / Task Sequence

· In our example, there was already a task sequence for deploying a Win7 client with some applications. For “safety reasons”, we first copy this task sequence to a new, which will be updated afterwards with FEP 2012 deployment.

· Select the new Task Sequence, right click / Edit

· Pick Add / General / Install Package

· Name : FEP 2012 beta client

· Description : This package installs the FEP 2012 beta client software

· Package : Click Browse / select “Microsoft Corporation FEP – Deployment 1.0” from the list off available packages

· Program: select “install” in the listbox

· Drag / Drop the new package at the end of the “install applications” list; this will install the package as the last component within the task sequence (just an example, not a requirement)

Walkthrough of a manual deployment of the FEP 2012 client

In the previous chapter, we explained how to update an OSD task sequence to install FEP 2012 beta as part of the overall OS deployment.

In this chapter, we talk about how to “manually” deploy the FEP 2012 beta client package to a set of computers.

· Go to the FEP 2012 beta deployment package (Software Library / Overview / Application Management / Packages / FEP – Deployment)

· Rightclick the package + choose Deploy from the context menu

· Software: Browse / Pick “Install”

· Collection : Browse / Any collection of machines to which you want to deploy FEP 2012; in this example, we pick the collection “ All desktop and server clients”

· Distribution Point: <your SCCM distribution point>

· Purpose : Required – means the package needs to be installed automatically

· Priority : Normal / High

· If your clients, network and SCCM Site settings support wake-on-lan, mark the option “send wake-up packets” to make sure all active and standby clients receive the package

· Define an assigment schedule when you want FEP to be deployed

· Choose “Download content…”; this will copy the installation files to the client machine first, and start deployment afterwards. This is the suggested setting for software deployment over LAN.

· Once this wizard is completed, a deployment task is scheduled for the specific collection. Once the SCCM Agent receives notification for installation, the FEP 2012 beta client will be installed on the clients.

· After a few minutes, by going to Monitoring / FEP Status, we can see 1 computer has FEP installed, and 2 other installations are pending

We are now at the status where FEP 2012 beta package can be deployed from within an OS Deployment task sequence, or by using a manual deployment to a specific computer collection.

Monitoring FEP 2012

On the last screen of the previous chapter, we get a graphical overview of FEP 2012 beta deployment Statistics. When clicking on the “1 computer has FEP deployed” link, it will bring you automatically to a newly created collection (automatically done by FEP) “Computers that succeeded FEP Deployment”.

This is a group of assets that have FEP client 2012 installed.

· Other Device viewing collections are also created automatically by FEP:

o Computers not targeted by FEP (will never get FEP client installed)

o Computers with out of date FEP Versions (have FEP installed, but is out of date)

o Computers Pending FEP Deployment (deploy is scheduled, but not started/finished yet)

· On any of the above mentioned FEP Device Collections, we have a new topic available “FEP OPERATIONS” (in the menu ribbon or by rightclicking on the collection / FEP Operations from the context menu)

· This has the following possibilities:

o Run Antimalware Definition updates (=update the virus engine)

o Run Quickscan

o Run Full scan

Configuring FEP Alerts

One could continuously check the different FEP monitoring components or collections within SCCM 2012 console. However, it is more efficient to configure alerts to warn the administrators / helpdesk users of any necessary information on FEP installations on our clients & servers.

· Go to Assets & Compliance

· From within the Ribbon, 2 additional FEP configurations are possible

o FEP email settings

o FEP Alerts

· FEP Email Settings:

ð Allow to configure SMTP server settings + notification email address

· FEP Alerts:

o Configure to which email addresses FEP alerts should be sent to, on specific malware detection occurance

That’s it folks !

Cheers,

/Peter

ICTinus was sponsor of the Belgian Techdays 2011; to create enough “animo”, we worked around the “Pirates of the Carribean 4” theme, where visitors of the booth could win movie tickets or even a HP sponsored SmartTouch PC.

At the Student Day, I presented ICTinus in real Jack Sparrow style…, followed by a “company movie”, presenting some of our consultants.

Check out the introduction and full movie at the following link:

Techdays 2011 ICTinus presentation (Pirates in IT…)

 

AAAAAAAhhhrghhhhh

/Peter

Although the creation/import of Exchange SSL certificates are straightforward (check out one of my other blogposts on trycatch.be/blogs/pdtit if you should need assistance on this) , you sometimes receive an error within the Exchange console or Powershell when manipulating SSL certificates:

Error: The certificate with thumbprint XXXXXXXXX was found but is not valid for use with Exchange Server (reason: PrivateKeyMissing)

Enable-ExchangeCertificate : The certificate with thumbprint “0000000000” was found but is not valid for use with Exchange Server
(reason: PrivateKeyMissing).
At line:1 char:29
Enable-ExchangeCertificate -Thumbprint 00000000000 -Services "IIS"

Cause: the real cause behind this error is not always that easy to determine; the most common reasons could be classified as “corrupt”, “initial CSR request was created on another Exchange Server” or “CSR was not created by Exchange Server at all”.

Solution:

To resolve this issue during SSL certificate installation in Exchange 2007 or 2010 server, use the following procedure:
Method 1: Repair Damaged Certificate (Windows Server 2003/2008)
1. Start / Run / MMC / add the Certificate Snap-In for the Local Computer account.
2. Double-Click on the recently imported certificate.
3. Select the Details tab.
4. Click on the Serial Number field and copy that string.
Note: You may use CTRL+C, but not right-click and copy.
5. Open up a command prompt session. (cmd.exe aka DOS Prompt).
6. Type: certutil -repairstore my "SerialNumber" (which was copied in the previous step.).
7. After running the above command, go back to the MMC and Right-Click Certificates and select Refresh (or hit F5 in the MMC).
8. Double-Click on the problem certificate. At the bottom of this window (General tab) it should state: "You have a private key that corresponds to this certificate."

It should know be possible to enable the Exchange certificate for IIS or other services (Enable-ExchangeCertificate…)

Cheers, Peter

For federation there is not much you must configure.

– Check the configuration on the lync frontend to make sure you add the domain you want to federate with in the ‘external access – federated domains’
– Create a srv record on your public dns:

_sipfederationtls._tcp.domainx.be

port: 5061

type: TCP

In some cases I noticed you should reboot your frontend and edge server in that specific order.

 

Lync 2010 Client Unsupported with OCS.

Logon with Lync 2010 client to an OCS 2007 server.

This scenario is not supported, the Lync Client only functions correctly when used with the intended Lync Server back-end. Now this approach is no different then what was supported between the last major releases of LCS and OCS as Office Communicator clients could not sign-in to LCS servers.

Although that was due to mainly the introduction of the Enhanced Presence states which LCS was not aware of. For this release it’s the basic fact that much of the new client capabilities stem from changes to the back-end server components, thus using the Lync client against and OCS 2007 R2 server will offer a pretty limited experience.

So, it is possible but with a lot of limited features, i don’t think is’t good idea to offer this solution to your users. They will have a lot of frustrations about the product.

/Tim