Tuesday, 4 February 2014

Lync 2013 Resource Forest FIM Synchronization Guide

When companies buy other companies, one of the big challenges from an IT side is managing multiple environments. In most cases a two-way trust is configured between both forests, and most times it stays this way until something like "Hey, we want Lync" comes around.

In these kinds of environments, putting Lync Server into a resource forest makes the most sense. We can synchronize users from both forests into contact objects, and it makes adding additional environments (more company purchases) much simpler.

In this post I am going to go over how we can leverage FIM (Forefront Identity Manager) to synchronize user forest information into contact objects in the Lync resource forest. This method is recommended when you have multiple user forests and a ton (100s, 1000s, 10,000s) of users.

Guide Topology Overview

NOTE: The purpose of this Guide is to demonstrate the configuration of FIM for the use of user synchronization using Lync Server 2013 in a multiple forest configuration. It does not provide best practices on SQL, Windows or Lync configuration(s) or sizing.

The Forefront Identity Manager Server in this post will be running Windows Server 2008 R2 SP1. Also note that SQL is required for FIM; I installed SQL 2008 R2 on the FIM Server and will leverage that.

I have 3 forests total:

LMLAB-A.COM = User Forest
LMLAB-B.COM = User Forest
LYNCMEBLOG.COM = Resource Forest (Lync 2013 Standard Edition)

More information on creating trusts (http://technet.microsoft.com/en-us/library/cc816590(v=ws.10).aspx)

Forefront Identity Manager prerequisites

Windows Server 2008 R2 SP1
SQL Server 2008+ (To install the FIM DB)
.NET Framework 4.5 (This is required to run the Lync FIM extensions)

Step 1: Forefront Identity Manager 2010 R2 Installation

Insert/Mount the FIM installation media, and open the FIMSplash.htm file and click "Install Synchronization Service"

Once the installer launches, click Next and accept the terms.

Specify your SQL Server and Instance name.

Click Next until installation begins, and wait for completion.

Step 2: Import LcsSync Folder into FIM Server

Download the Lync Server 2013 Resource Kit and install it into the default directory. Once the Resource Kit is installed, go to the %Program Files%\Microsoft Lync Server 2013\ResKit\LcsSync folder and copy all contents into the %Program Files%\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions folder on the FIM Server.

Edit the lcscfg.xml file to set the lcsma name. NOTE: The “lcsma name” you choose here must be used when importing the Central Forest MA into FIM, as demonstrated in Step 5.

Step 3: Extend Metaverse Schema for Lync Attributes

Next, we need to extend the metaverse schema so the Lync Server attributes can be synchronized.

Open the “Synchronization Service Manager”, Click Metaverse Designer, at the top click Actions and “Import Metaverse Schema”. Select the Lcsmvschema.xml from the %drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\ folder where you imported the LcsSync files.

Next, click Tools -> Options, select “Enable metaverse rules extension”, then click Browse. In the list of files, select lcssync.dll.
Next select “Enable Provisioning Rules Extension”, then click OK to close the Options window.

Step 4: Configure Object Deletion Rule
If a user object is deleted in a user forest, the corresponding contact object used by Lync Server in the resource forest must also be deleted. This is a big reason why this configuration is favoured in large organizations.

In the Synchronization Service Manager, click Metaverse Designer. Under Object types, right click person, then on the right hand side in the Actions menu click "Configure Object Deletion Rule".

In the Configure Object Deletion Rule dialog box, click Rules Extension, then click OK.

Step 5: Create Lync Resource Forest Management Agent

Now we are ready to create the Management Agents that will synchronize the objects from the LMLAB-A forest to the Lync resource forest LYNCMEBLOG.COM.

Click Management Agents at the top, which should bring you to a blank management agent screen. At the top click Actions, Import Management Agent.

Make your way to the extensions folder where you copied the LcsSync directory (%drive letter%:\Program Files\Microsoft Identity Integration Server\Extensions\) and import the "lcscentralforestma.xml" file and click Ok.

A new window will open, "Create Management Agent", with the default name "Lcs Central Forest". This name must be the lcsma name you specified in Step 2.

Once you click Next, you will see the connect to Active Directory screen. Replace all the FABRIKAM information with your Lync resource forest information, and click Next.

The next screen is where we match the imported template partition with the partition of our Lync resource forest. Click the FABRIKAM partition on the left, then click your root partition from the left and click Match.

Next, click Deselect for the other partitions in the list. Until you deselect everything you will not be able to click OK at the bottom. Then click OK.

The next window allows you to specify a specific domain controller and OU-level filtering.

To select the OU in which your synchronized contact objects will be placed, click Containers.

In the Select Containers window, select the OU where you wish your synced objects to reside, then click OK.

At this point we are done with the configuration of the Management Agent; the rest has already been configured by Microsoft. You can click Next and accept all the defaults to the end, then click Finish.

Notice on the bottom screen (Configure Extensions) that the Rules extension name has already been populated with lcssync.dll, which we defined in Step 3.

Step 6: Create User Forest Management Agent

This step of creating the User Forest MA is the same as the previous step, except we are defining our User Forest (LMLAB-A.COM) instead of our Lync Forest (LYNCMEBLOG.COM).

This time we will select "lcsuserforestma.xml", then click Open.

The name of the Management Agent can be anything; it does not tie into any other configuration. But I would advise keeping the name the same as the forest, only because once you start adding more User Forest Management Agents it gets confusing if you don't have a common naming convention.

In the next window we enter our User Forest Active Directory information, then click Next.

The same is done on the next window for Partition Matching. Match your existing root partition with the one already defined for NWTraders, as we did in Step 5. Then deselect the other partitions in the list so we can click OK.

This next step is an important one: this is where you select the OU(s) where your currently enabled users reside. Click Containers and select all the OU(s) that contain users you wish to Lync-enable.

Once you have selected all the OU(s) you wish to synchronize, click OK to close the container selection window, then click Next on the directory partitions window.

Again at this point everything else is preconfigured, we can click Next all the way to the end, then click Finish.

ERROR: While clicking Next through the "Configure Attribute Flow" screen you might receive the error

'msExchUserHoldPolicies' of 'inetOrgPerson' is no longer available.

In order to get past this you will need to remove the attribute flow for msExchUserHoldPolicies.

Expand "Object Type: inetOrgPerson", select msExchUserHoldPolicies and click Delete at the bottom.

Do the same for "Object Type: user": select msExchUserHoldPolicies and click Delete at the bottom.

Now you can click Next to the end, then click Finish.

In the Management Agent window you will now see your Lync Forest Agent and your User Forest Agent(s). I went ahead and added LMLAB-B.COM but the process is the exact same for adding multiple User Forest Agents as defined in Step 6.

Step 7: Importing, Synchronizing and Provisioning

Here is a quick drill-down of the Import, Synchronization and Provisioning in Step 7:

#1 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Full Import
#2 User Forest - Right click User Forest Management Agent, Click Run -> Full Import
#3 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Full Sync
#4 User Forest - Right click User Forest Management Agent, Click Run -> Full Sync
#5 Lync Forest - Right click Lync Forest Management Agent, Click Run -> Export

This is the last step in synchronizing your user objects to the Lync Forest.

NOTE: During the import, synchronize and provisioning I am starting with the Lync Forest first, this is a requirement. If you do this in any other order the objects will not synchronize and provision correctly.

If we look at Active Directory Users and Computers in the Lync resource forest and go to the OU we specified in Step 5, we have no objects in that OU yet.

First we need to run a full import from the Lync resource forest and the user forest into the FIM connector space.

In the FIM Synchronization Service Manager, Management Agents, right click the Lync forest Management Agent and click Run...

In the Run Management Agent window, click Full Import then OK.

It should only take a few seconds to run. Refresh the agent by hitting F5; once it's complete you will see the State of Idle to the left of the Management Agent. You will also see in the bottom left corner the Synchronization Statistics, which will now have some values including Adds.

If you click Adds in the Synchronization Statistics box, you will see that the Distinguished Name of the OU you selected in step 5 has been added.

Next we will follow the same process for the User Forest Management Agent. Right click the user forest Management Agent and click Run...

In the Run Management Agent window, click Full Import then OK.

It should only take a few seconds to run. Refresh the agent by hitting F5; once it's complete you will see the State of Idle to the left of the Management Agent. You will also see in the bottom left corner the Synchronization Statistics, which will now have some values including Adds.

If you click Adds in the Synchronization Statistics box, you will see the same user forest Distinguished Names of the container and OUs that you specified. But now we also see the users that were in those OU(s).

Next we need to Synchronize the Metaverse with the data that was captured during the full import.

Right click your Lync forest Management Agent, and click Run...

In the Run Management Agent window click Full Sync, and click OK.

Follow the same process, now on the User Forest Management Agent.

In the Run Management Agent window click Full Sync, and click OK.

And lastly we need to provision the Lync Resource Forest.

Right click your Lync forest Management Agent, and click Run...

In the Run Management Agent window click Export, and click OK.

In the Management Agents window, in the bottom left corner "Export Statistics", click on Adds. Here you should see all the users that were in your User OU(s).

You can also confirm by looking in Active Directory Users and Computers in your Resource Forest OU you selected in step 5 and see the contact objects for your synchronized users.

Now our users from our user forest are synchronized as contact objects in the Lync 2013 resource forest. You can go ahead and enable these objects in Lync and test sign in.
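The Step 7 run sequence can also be driven from PowerShell on the FIM server, which makes the required order (Lync forest MA first in every phase) explicit and stops at the first failed step. This is an added example, not code from the original post; it assumes the run profile names match those shown in each MA's Run... dialog and that the MA names are the ones used in this guide.

```powershell
# Added example: runs the Step 7 sequence through the FIM Synchronization Service
# WMI provider (MIIS_ManagementAgent) and stops at the first step that does not
# return "success". Run on the FIM server as a member of FIMSyncOperators.
# Assumptions: run profile names below match each MA's Run... dialog; MA names
# are the ones used in this guide.
$ns = 'root\MicrosoftIdentityIntegrationServer'

function Get-Ma([string]$Name) {
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$Name'"
    if (-not $ma) { throw "Management agent '$Name' not found" }
    return $ma
}

function Invoke-Step([string]$MaName, [string]$RunProfile) {
    $ma = Get-Ma $MaName
    Write-Host ("{0,-22} {1}" -f $MaName, $RunProfile)
    # Execute blocks until the run profile finishes and returns the run result string
    $result = $ma.Execute($RunProfile).ReturnValue
    if ($result -ne 'success') { throw "$MaName / $RunProfile returned '$result'" }
}

# The Lync (resource) forest MA must go first in every phase; the guide notes
# that objects do not synchronize or provision correctly otherwise.
$lyncMa  = 'Lcs Central Forest'             # must equal the lcsma name in lcscfg.xml
$userMas = @('LMLAB-A.COM', 'LMLAB-B.COM')  # one MA per user forest

Invoke-Step $lyncMa 'Full Import'
foreach ($u in $userMas) { Invoke-Step $u 'Full Import' }
Invoke-Step $lyncMa 'Full Sync'
foreach ($u in $userMas) { Invoke-Step $u 'Full Sync' }
Invoke-Step $lyncMa 'Export'

# Before enabling anything in Lync, check what the export actually wrote.
$ma = Get-Ma $lyncMa
"Run status: {0}; contact objects added by export: {1}" -f `
    $ma.RunStatus().ReturnValue, $ma.NumExportAdd().ReturnValue
```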


Tuesday, 28 January 2014

No audio/video connectivity from Edge Server - TLS Negotiation

With a lot of people starting to adopt Lync 2013, over-excited System Administrators are testing their abilities and trying to install/configure Lync Server themselves. I am not discouraging people from learning Lync, but not in a PRODUCTION environment.

A friend and IT pro of mine was running into issues with a partially configured environment and a strange edge pool issue, where video and audio calls from external were hit and miss. I advised him to connect to each edge server individually (HOSTS file) and run traces.

What was discovered on the second edge server was quite interesting during the TLS negotiation.

It was confirmed that all the certificates were valid with the correct CN/SAN names on the edge server. It was then discovered there were over a dozen certificates in the personal store (from failed attempts) on the edge server. I asked for all unrequired certificates to be removed so that the only ones left were the certificates being used.

After all the non valid certificates were removed, and the edge services restarted, VOILA video/audio issues resolved.

For anyone reading this post who is unclear on the path required to create valid certificates on the Edge and even on the Front-End servers, I have added the Microsoft TechNet articles on the certificate requirements for both Edge and Front-End servers.

Remember, if your certificates are in need of a SAN change/re-key please delete your old certificates!

A clean environment is a healthy environment.

Certificate Requirements for Internal Servers

Certificate Requirements for External User Access

Thanks to Neal Horth for bringing this odd error to my attention.
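A quick way to spot the kind of leftover certificates described above is to compare the computer's Personal store against what Lync is actually configured to use. This is an added example, not the author's script; it assumes the Lync Server Management Shell module is available on the Edge server.

```powershell
# Added example: lists every certificate in the Edge server's computer Personal
# store and marks the ones no Lync certificate use refers to, so leftovers from
# failed requests can be reviewed before they interfere with TLS negotiation.
# Assumption: the Lync Server Management Shell module is installed on this box.
Import-Module Lync

# Thumbprints Lync is configured to use (Get-CsCertificate reports the assigned
# certificate per use; on an Edge that covers the internal and external uses).
$inUse = Get-CsCertificate | Select-Object -ExpandProperty Thumbprint | Sort-Object -Unique

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    [pscustomobject]@{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        NotAfter   = $_.NotAfter
        HasKey     = $_.HasPrivateKey
        LyncUse    = if ($inUse -contains $_.Thumbprint) { 'assigned' } else { 'NOT assigned' }
    }
}
$report | Sort-Object LyncUse | Format-Table -AutoSize

# Only unassigned certificates are removal candidates; review the list first.
# Dry run of the cleanup (drop -WhatIf once you are satisfied):
$report | Where-Object { $_.LyncUse -eq 'NOT assigned' } |
    ForEach-Object { Remove-Item "Cert:\LocalMachine\My\$($_.Thumbprint)" -WhatIf }
```

Restart the Edge services after any removal, as the post does, so the services re-read the store.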


Saturday, 14 September 2013

New Blog - Office 365 Lync Online and Exchange Online

As of a few weeks ago I decided to start yet another blog on Office 365 topics. Some topics will initially overlap with topics from this blog, but will surround the tasks needed or information intended for Office 365.

The reasoning behind this is that I have been working a lot with Office 365 over the last 12 months (more than Lync deployments) and feel I should share some deployment scenarios, gotchas and guides.

You can read this Office 365 blog at http://lyncmeonline.blogspot.ca/

On a side note, I will be adding more articles to this blog (I haven't forgotten about it!!), but sadly my project focus has not been with Lync lately. I will be making a best effort to update this blog more frequently.

Saturday, 20 July 2013

IIS ARR and Lync Server 2013 Reverse Proxy Setup

During a conversation about TMG now being discontinued I was pointed in the direction of using IIS ARR (Application Request Routing) as a reverse proxy for Lync 2013. After some quick digging, the use of IIS ARR is a supported method as per the Microsoft TechNet article http://technet.microsoft.com/en-us/library/gg398069.aspx.

NOTE: I have also been told by other consultants that they have configured and used IIS ARR with Lync 2010 and that it is fully supported. This is mentioned in the "Information" section of this article: http://technet.microsoft.com/en-us/library/gg398069.aspx

The configuration of IIS ARR for Lync 2013 was very straightforward.

IIS ARR is supported on Windows Server 2008, 2008 R2 and Server 2012. For this post I will be using Server 2012.

As with TMG, you will need to configure 2 network adapters. One will be for external communication, with a default gateway, to accept requests from the Internet; the second adapter will be for communication with your Lync 2013 environment.

Also, do not join your IIS ARR server to your domain.

After your networking is configured, and you have confirmed you can browse the Internet and still ping your internal Lync 2013 environment, install IIS (Web Server) on your ARR server. This can be done either with PowerShell or using Server Manager.

Next, export your public Lync 2013 certificate and import it into your IIS ARR server.

Next we will bind our imported certificate to port 443 in IIS.

Next we will install the Web Platform components for downloading and installing IIS ARR.

Internet Explorer will open; click the green button on the right that says "Free Download".

Download and install the Web Platform Installer 4.5.

Once installed, you will be presented with the WebPI 4.5 Application window. Here you can search for "KB2589179", which will display Application Request Routing 2.5. Select it and click Add, then Install.

After installation we can start the configuration of IIS to support Lync 2013. First close IIS Manager and reopen it; you will now notice a "Server Farms" option under Sites.

Right click on Server Farms, and select Create Server Farm...

Name your Server Farm (I used the external FQDN of my Lync web services).

Next specify the FQDN of your Enterprise Pool or Standard Edition Lync Server. Also drop down "Advanced Settings..." and change the default ports to 8080 and 4443 (which are our External Web Services ports). Then click Finish.

After clicking Finish you will be prompted to create the Rewrite Rules, click Yes.

Now your server farm is created with either your Enterprise Pool or Standard Edition Server defined. Next we will make some configuration changes to the Server Farm.

Under Caching, disable the disk cache.

Specifically for Lync external web services, under Proxy, change the time-out to 200 seconds. This prevents the Lync Web App from disconnecting and reconnecting unexpectedly.

Under Routing Rules, disable the SSL offloading option.

Now we are going to configure the URL Rewrite rules. This is similar to what TMG did in rewriting the external meet/dialin/ext URLs internally to your Lync Front End Servers.

Click the root (server name) in IIS, and in the IIS settings click "URL Rewrite".

You will see 2 Rewrite rules already created, double click on the ARR_Name_loadbalance_SSL Rule.

The following changes need to be made.

The Pattern needs to be changed to (.*), "Using:" changed to Regular Expressions, and the Action Properties URL changed from http:// to https://.

Apply your Rewrite rule changes, and test. Now you should be able to open https://meet.domain.com externally (or, with a HOSTS file entry pointing meet/dialin/ext at the external IP of the IIS server) and get to your Lync 2013 external services.

Notice the ping to the external IP address, and that I cannot even ping the Standard Edition Front End Server from outside.
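The settings this post changes by hand (8080/4443 server ports, disk cache off, 200 second proxy time-out, SSL rule rewriting to https://) all end up in applicationHost.config, so they can be audited after the fact. This is an added example, not the author's script; the farm name, the config path and the element/attribute names are assumptions based on the ARR configuration schema, so adjust them if your applicationHost.config differs.

```powershell
# Added example: reads applicationHost.config on the IIS ARR server and reports
# whether the Server Farm carries the settings described in this post.
# Assumptions: $farmName is the name you gave the Server Farm; element and
# attribute names follow the ARR schema (webFarms/webFarm, applicationRequestRouting,
# protocol timeout, cache enabled) and the ARR-generated rule name pattern.
$farmName = 'lyncweb.lyncmeblog.com'
$path = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
[xml]$cfg = Get-Content -Path $path -Raw

$farm = $cfg.SelectSingleNode("/configuration/webFarms/webFarm[@name='$farmName']")
if (-not $farm) { throw "Server farm '$farmName' not found in $path" }

$script:findings = @()
function Check([string]$Setting, [bool]$Ok, [string]$Actual) {
    $script:findings += [pscustomobject]@{ Setting = $Setting; OK = $Ok; Actual = $Actual }
}

# Per-server ports: external web services are published on 8080/4443, not 80/443
foreach ($srv in $farm.SelectNodes('server')) {
    $arr = $srv.SelectSingleNode('applicationRequestRouting')
    Check "server $($srv.address) httpPort=8080"  ($arr.httpPort  -eq '8080') $arr.httpPort
    Check "server $($srv.address) httpsPort=4443" ($arr.httpsPort -eq '4443') $arr.httpsPort
}

# Proxy time-out is stored as hh:mm:ss; 200 seconds is 00:03:20
$proto = $farm.SelectSingleNode('applicationRequestRouting/protocol')
Check 'proxy time-out 200 s' ($proto.timeout -eq '00:03:20') $proto.timeout
$cache = $proto.SelectSingleNode('cache')
Check 'disk cache disabled' ($null -ne $cache -and $cache.enabled -eq 'false') $cache.enabled

# The ARR-generated SSL rule: pattern (.*) as a regular expression, target https://
$rule = $cfg.SelectSingleNode("//rewrite/globalRules/rule[@name='ARR_${farmName}_loadbalance_SSL']")
if ($rule) {
    Check 'SSL rule rewrites to https://' ($rule.action.url -like 'https://*') $rule.action.url
    Check 'SSL rule pattern (.*) as regex' `
        ($rule.match.url -eq '(.*)' -and $rule.patternSyntax -ne 'Wildcard') `
        "$($rule.match.url) / patternSyntax=$($rule.patternSyntax)"
} else {
    Check 'ARR_<farm>_loadbalance_SSL rule present' $false '(missing)'
}

$findings | Format-Table -AutoSize
```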

Thank you for reading.