About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015) - before that, a Lync Server MVP (2010-2014). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.


Expanding preview of SfB services in O365


Reference:  http://tsoorad.blogspot.com/2015/09/skype-for-business-hybrid-with-o365.html

Now see this:


This is looking better and better!


Microsoft Surface Pro 4


Surface Pro 4 and Surface Book.  Ooooh.  Aaaaaah.  Cannot choose.  But I will have to.  The horror of it all!

The Surface Pro 4 appears to need a separate keyboard, while the Surface Book appears to come with.  I value screen size over almost everything else.  And I use my 16GB RAM on a regular basis for virtuals.

Christmas is coming.  Just sayin’



AudioCodes 4xxHD PIN Authentication

Here is a view of my house; I rolled back the rock the other day and ran into a little PIN Authentication issue.



As we know, since Lync 2013 and the advent of the full-blown LyncDiscover.domain.com and LyncDiscoverInternal.domain.com concepts, the Lync 2013 (and now SfB) client does not need anything to accomplish a login other than being able to find LyncDiscover which then tells the client where to go. You can read up on this here.

Where’s the Beef?

I recently ran into an issue with SfB PIN Authentication while using AudioCodes 420HD handsets.  The phone would login using UPN – e.g. user.name@domain.net with a password.  As you know, this can be a royal PITA doing the alphabet soup thing on a 3x4 dialpad.  Configuring the phone via web for login credentials worked also.  But the same user could not use PIN Auth.  And using the phone as a common area phone, where the UPN does not exist, did not work at all.  The phone would come back and say that the account name or PIN was not correct.  Futzing around with it for a goodly amount of time would sometimes give us a failure to find the Lync Server.  Hmmm.

The killer is that all the desktop clients in the environment could login just fine, and to make matters worse, a Polycom VVX600 could login with PIN AUTH for real CSUser accounts as well as the common area phone that failed to login to the 420HD.

So, off we went looking for a solution.

A Bit more Background

DHCP got checked.  It was perfect.  Right down to the Time Zone offset.  All was good.  We spell checked all of the settings – not expecting to find anything (the UPN login worked), but doing our due diligence.

We then went looking at phone traces, CSLogger output on the FE pool, and finally port mirroring on the phone itself.  What we saw was the phone discovering DHCP, getting an address, and generally being successful.  But failing for PIN Auth.  CSLogger showed wonderful results when using a UPN login, but Snooper revealed that when doing PIN Auth, the phone never contacted the pool.  There was simply nothing.  Ouch.  Back to the phone for some port mirroring to attempt to see what was what.


OK, see all that?  What the 4xxHD phone is doing is cranking through a raft of hard-coded lookups based on the DHCP information presented in the form of the domain name.  Look at what is failing.

Documentation Check

Reading the first bit of AudioCodes documentation does not mention those DNS records the phone is obviously looking for.  I started with LTRT-09937, which is the latest (and supposedly greatest) administrators guide for 4xxHD phones.  Section 2.1 (page 17) has this list.


Further down on page 32 I see this:


Uh oh. I think I am seeing a pattern here. 

But, down on page 139, we have some troubleshooting tips, which by the way, are the exact errors we were seeing…Note that there is no mention of SRV records…


LTRT-21920, which is specifically for the phone model in question, has the exact same information in section 5.2.1

And finally, we find this little gem (LTRT 21920 page 9 if you are following along):


Off we go to check the DNS requirements per Microsoft documentation…

This one indicates that LEGACY clients require _sipinternaltls._tcp.domain.com AND the LyncDiscover.

This one reinforces that position in the “automatic client sign-in” section

And this one is more of the same.

THEN I find this:  https://technet.microsoft.com/en-us/library/gg412806(v=ocs.14).aspx which states:

This section describes the hardware, port, Domain Name System (DNS), Dynamic Host Configuration Protocol (DHCP), and security configurations that must be in place before you deploy IP phones…

Oh yes, I remember that, and still I have to ask why does UPN work and not PIN Auth, and why does the Polycom have zero issue either way, yet the 4xxHD will only do UPN and not PIN Auth.

Why four different pages I have no idea, but there you go.

Another question is why a Polycom does not seem to need these records to operate successfully – but I don’t have an answer to that – we will assume the Polycom UC firmware/software is more updated perhaps?

OK, back to our DNS server in question and wala!  no _sipinternaltls._tcp.domain.net.  So we add that.  Reboot the phone.



The only conclusion I can reach is that AudioCodes 4xxHD phones are still acting as a legacy client, and therefore need the legacy SRV records to function properly.

A question remains, though, as to why the exact same phone will login with a UPN without the legacy records yet fails PIN Auth.  Same firmware, different result.  I guess I will go back to recommending that all DNS records for legacy and Lync 2013/SfB be implemented just in case.
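A quick way to confirm that both record sets are in place before rolling out handsets. This is an added example, not part of the original troubleshooting and not AudioCodes or Microsoft code: the function name `Test-SfBSignInDns`, its `-Lookup` parameter, the sample addresses and the `domain.net` placeholder are all assumptions made for illustration.

```powershell
# Added example: check the legacy SRV record and the LyncDiscover records
# for one SIP domain. Test-SfBSignInDns is a hypothetical helper name.
function Test-SfBSignInDns {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$SipDomain,

        # Optional DNS server to query, e.g. the one the phone's DHCP scope hands out
        [string]$DnsServer,

        # Lookup routine; defaults to a live Resolve-DnsName query, but can be
        # replaced so the check can be exercised without a DNS server
        [scriptblock]$Lookup = {
            param($Name, $Type, $Server)
            $p = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
            if ($Server) { $p.Server = $Server }
            # Keep only real answers; drop SOA/authority and additional records
            Resolve-DnsName @p | Where-Object { $_.Section -eq 'Answer' }
        }
    )

    # Records named in this post
    $checks = @(
        @{ Name = "_sipinternaltls._tcp.$SipDomain"; Type = 'SRV'; Use = 'Legacy SRV (4xxHD PIN Auth)' }
        @{ Name = "lyncdiscoverinternal.$SipDomain"; Type = 'A';   Use = 'Autodiscover, internal' }
        @{ Name = "lyncdiscover.$SipDomain";         Type = 'A';   Use = 'Autodiscover, external' }
    )

    foreach ($c in $checks) {
        # Discard $null results so a missing record counts as zero answers
        $answers = @(& $Lookup $c.Name $c.Type $DnsServer | Where-Object { $_ })

        $targets = foreach ($a in $answers) {
            switch ([string]$a.Type) {
                'SRV'   { '{0}:{1}' -f $a.NameTarget, $a.Port }
                'CNAME' { $a.NameHost }
                default { $a.IPAddress }
            }
        }

        [pscustomobject]@{
            Record = $c.Name
            Type   = $c.Type
            Use    = $c.Use
            Found  = [bool]$answers.Count
            Target = $targets -join ', '
        }
    }
}

# Constructed sample data: a zone that has the LyncDiscover records but no
# legacy SRV record, which is the state described above before the fix.
# Addresses are documentation-range placeholders.
$zoneBeforeFix = @{
    'lyncdiscoverinternal.domain.net|A' = [pscustomobject]@{ Type = 'A'; IPAddress = '192.0.2.10' }
    'lyncdiscover.domain.net|A'         = [pscustomobject]@{ Type = 'A'; IPAddress = '198.51.100.10' }
}
$offlineLookup = { param($Name, $Type, $Server) $zoneBeforeFix["$Name|$Type"] }

# Offline run: the SRV row comes back with Found = False
Test-SfBSignInDns -SipDomain 'domain.net' -Lookup $offlineLookup | Format-Table -AutoSize

# Live run against a specific DNS server (placeholder address):
# Test-SfBSignInDns -SipDomain 'domain.net' -DnsServer '192.0.2.53'
```

Run the live form from a machine on the same VLAN as the phones, pointed at the DNS server the phones receive from DHCP, so the result reflects what the handset actually sees.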




AudioCodes Updates phone firmware

AudioCodes has just released a firmware update for their popular 4xxHD series handsets.

An updated firmware version for AudioCodes’ Lync-compatible 400HD Series of IP Phones is ready. Herewith is a general outline of things, with maybe a few comments from me.

Better Together over Ethernet (BToE) PC application version was not updated in this release:

Firmware Version name:

  • UC420HD_2.
  • UC430HD_2.
  • UC440HD_2.

This version introduces several new features:


USB Headset beta

(supported only by 430HD and 440HD IP Phone models). The following USB headsets are supported:

<jmw> It’s about time! Feature parity with the competition is a worthy goal.  As soon as I have another 430 or 440 I will try out other headsets.

  • Jabra UC-150
  • Jabra Speak 510+
  • Jabra Speak 410
  • Jabra PRO 9470
  • Microsoft LX-3000
  • Plantronics C-310M
  • Plantronics C-320M
  • Plantronics HW720


Block Sign-Out for Common Area Users

Administrators can now disable end users from signing out of a common area phone. To support the feature, the new configuration file parameter, voip/common_area/enhanced_mode has been added. The default is 0 (disabled). When enabled, the Sign out soft key is not displayed on the LCD.



<jmw> YES!  Finally!


through Web

A new Web page has been added that allows users to sign-in through the phone's Web-based management interface.

<jmw> This could be set in earlier builds, but that did not work as well as this new method.  I like it much better.  The functionality is much improved, and when tied to the blocking of the Common Area User concept removes a goodly percentage of help desk calls asking how to log in to the phone.


And then there is this little gem in the “new features” section of LTRT-08267…


AudioCodes' enterprise voicemail servers are now supported as an alternative option to Microsoft Exchange Server.
<jmw> We are checking on what exactly this means.  Gotta love those developers who work up something but never tell anyone about it.

There is a blurb in the same LTRT that I found: 

Voicemail is supported for Microsoft Exchange Server 2010 and later. A version supporting Voicemail for Microsoft Exchange Server 2007 will be provided upon a specific request.

But I don’t think this means the same thing.  I think this means accessing the local Exchange Server user mailbox to listen to voice mail. Again, I am working with an internal AC engineer to determine what the “new feature” is meant to be.


Better Together over Ethernet (BToE) PC Application (1.0.20):

  • Support for Microsoft Windows 10
  • Compatible with Skype for Business
  • GUI enhancements

Disable Local Three-way Conferencing

Administrators can now disable the local three-way conference capability. By default (when not in BToE pairing mode), when phones are in call state, the phone's LCD displays options to enable local three-way conferencing. To support the feature, a new configuration file parameter, lync/local3wayConf/enabled has been added.

Allow Users to Display Phone or Extension Number

Administrators can now allow users to define whether to display their telephone or extension number on the phone's LCD. This is only possible if the enterprise's Active Directory includes both telephone and extension numbers. To support the feature, the new configuration file parameter, lync/sign_in/line_type_display/ext has been added. The default is 1 (extension number is displayed).

Core Dump file generation can be enabled and downloaded through the phone's Web-based management interface.

For the complete list of new features & known limitations, please refer to LTRT-08267 400HD Series of IP Phones for Microsoft Lync Release Notes Version 2.0.11.pdf.

Related docs

  • LTRT-08267 400HD IP Phone Series for Microsoft Lync Release Notes Ver. 2.0.11.pdf
  • LTRT-09937 400HD Series IP Phone with Microsoft Lync Administrator's Manual Ver. 2.0.11.pdf
  • LTRT-11897 420HD IP Phone with Microsoft Lync User's Manual Ver. 2.0.11.pdf
  • LTRT-11935 430HD and 440HD IP Phone with Microsoft Lync User's Manual Ver. 2.0.11.pdf
  • LTRT-11842 420HD IP Phone for Lync Quick Guide.pdf
  • LTRT-11960 430HD IP Phone for Lync Quick Guide.pdf
  • LTRT-11980 440HD IP Phone for Lync Quick Guide.pdf

Clearly, at least two of the “new” items will require that you prepare configuration files for your handsets.  But that is trivial, IMHO.  You already have your TFTP ready to go, right?  Aren’t you just dying to try out this new firmware?  You can get it here!



Plantronics Voyager Focus UC B825-M

This has been a great month for toys showing up at my door.  For the last week I have been mucking around with this new Plantronics headset.  Oh so nice to have nifty toys to play with on a regular basis.  Even better when the toy fits in with work, and better still when they are great toys instead of the alternative.


Let’s take a look at the Plantronics official blather about this B825-M:  The initial claim is “Certified for Skype for Business” and also “Optimized for Lync” and then we have the top line come on:

Keep the focus on your conversation, not background noise, with the sophisticated noise canceling and immersive stereo sound of the Plantronics Voyager Focus UC Stereo Bluetooth headset.

The B825-M certainly does that.  Excellent audio; stereo separation is equally good, and the tone quality is outstanding.  ANC works as good as any other offering.  Solid controls, great battery life.

A Few Upfront Observations

Wow.  The headset announces battery time when you turn it on.  12 hours.  That’s all day folks.  And it plays out in testing.  I don’t think I ever did 12 hours straight, but I did have this thing clamped to my gourd for several all-day sessions.  Comfort during those marathons was quite good.  And the battery did not die, so that was good.

There is no user guide in the box.  So minus 1 for OOBE.  However, you can get the guide here.  Which is different from the location quoted on the kindergarten instructions attached to the headset as it comes out of the packaging.  Moving on.

The stand is just for charging.  D’oh!  Or you can charge with a separate USB cable (supplied).

After finding the appropriate set of instructions (page 5) of the aforementioned user guide, I had my Nokia and my computer connected and answering calls, making calls, and doing Pandora within just a few minutes.  But I had to read the guide to figure out the controls.  I must be a meathead because whoever puts the packaging together obviously thinks that initial setup should have been transparently evident.  Not so in my case.  I had to read.

When doing all this, keep in mind that simply plugging the USB dongle into your computer results in pairing up with SfB/Lync perfectly.  Pairing to your cell phone is headset to cell directly.  Which means that you can take your headset to lunch if you want to, but leave your computer behind.


SfB/Lync Impact

With my Nokia streaming music, the SfB receives a call.  Phone mutes, answer the call.  Talk away.  When you disconnect the call, the whole mess goes back to music.  Sweet!  And the device is doing this, not some convoluted Windows O/S machinations that lose their grip on reality every third day.

Controls in SfB/Lync work as expected with zero reading on my part.  After plugging in the BT adapter, total configuration time for SfB/Lync was about 20 seconds to get to this point here and be ready to rock.


You cannot go wrong with “plug it in and it works” – Plantronics has this part all figured out.  So nice.


The literature claims a 150 foot range.  For you metric folks, that would be 45.72 meters, or for the group that likes big numbers, 4572 cm.  I don’t think I got that much range.  Maybe I have a bunch of stuff in my walls, which would certainly be a mitigating factor.  But I could wander about the Tsoorad Atrium and you would never know it.


Plantronics has this sensor thing dialed in.  When a call shows up, the act of putting the headset on your head answers the call.  I love this.  If you are in a call, or music is streaming, taking the headset off your head pauses the music or puts the call on hold.  What’s not to love about that?  And yes, refitting the unit to  your gourd un-holds the call and puts you back into the action.  Nice job Plantronics Engineering Team!

Aural Evaluation

Very good to excellent.  George Thorogood had great tone quality – and it’s better with the ANC on.  The headset ships with the ANC “on” and I cannot see why you would want to turn it off.  You can tap the center of the left ear cup to pause audio feed so you can hear the world.  But dang, isn’t one of the main points of this headset that you can isolate yourself from those horrible outside world events (and people)?  Having said all that (which wasn’t all that much) I think the aural quality is right up there with the best – although some engineer who listened to a lawyer did not allow the volume to get high enough on the dB scale to please me.

Quality Statement

Build quality and overall fit and feel are excellent.  Typical Plantronics. Ho hum.



With the range caveat acknowledged, this one is a keeper!  ‘Nuff said.

You can get your very own piece of goodness right here.



Lync/SfB Storage Service 32054

Jeremy Silber solves another one.  Deep stuff with a simple fix.



Change SfB Dial in Conferencing Access Number

Have you ever been REQUIRED to change a Dial in Conferencing Access number SIP URI?  I cannot figure out why, but if you need to do so, keep in mind that this is not supported.  A picture is worth a thousand words, or in this case, a few hundred.




Plantronics Savi W745

Another new toy.  That makes two this month so far.  Any more coming my way?  Time will tell.  This time we have the Plantronics Savi W745.  Actually, I got a W745M – with the M meaning what you think it might mean.  Yes, Skype/Lync optimized.  And, a special bonus.

This item right here.


My first complaint? The box is HUGE. I actually felt compassion for the poor delivery guy as he struggled to my door from the truck. But so much goodness exists inside.  Adelante!

The quality of the boxing material was quite good.  Almost as good as the quality of the contents.  Plantronics did not skimp on the Savi W745M in any sense.  Nice.  Even the ear piece fake leather feels very nice.


Let’s take apart the Plantronics market-jibber-jabber and see if the claims stand up to hardships that are the Tsoorad Test Lab.

“Choose the style that's right for you with more wearing style choices than any other wireless headset system on the market. Convertible (over-the-ear, behind-the-head, over-the-head), over-the-ear and over-the-head (monaural and binaural) designs available.”

My comment?  If you cannot find something in the Savi 745 box that works for you, then you must look like SpongeBob.  There are more options than you can possibly fathom.  The package has a “fit kit” that has multiple ear thingies, and there is also the wire-strappy thing that goes around the back of your head, and multiple doohickeys for sizing your ear canal.  I ended up with this after trying all the options.


“With one-touch call answer/end, vol+/-, mute and flash, manage calls from any connected device up to 350 feet from the charging base. Automatically routes mobile calls to the mobile phone or headset – whichever device is within easy reach. Transfer audio between headset and mobile phone with a press of a button so you can leave the office and take the mobile call with you.”

A Boeing 737 flight crew should have so many buttons to push!  Options?  You got it.  Want to connect to your cell and SfB/Lync at the same time? No sweat.  Transfer calls?  Nobody would call me, so I had to do it myself, but it worked.

“Three-way connectivity lets you easily switch and mix audio between desk phone, PC and mobile phones with one intelligent, wireless headset system. Ideal for office professionals who use multiple devices and require best-in-class sound quality for their business communications.”

I have to say, I was forced into reading the Quick Start Guide to get everything sussed out.  But, in the end, it works.  I did not download the software that enabled the cell phone to SfB/Lync UC presence feature, but I hate software add-ins.  I have too many of them already.  And I can tell when my battery is dead because the headset dies.  And I don’t want another “something” in my system tray, it’s already full.

And the Added Bonus


That’s a second battery Martha!  And it hot swaps!  Be still my beating heart.  This means that in the midst of the all-day marathon customer call, my headset is battery-survivable.  And it is W745M only.  So something just for us SfB/Lync homies. Sold!

SfB/Lync Compatibility

I have the “M” model – as in this unit bears the “Optimized for Microsoft Lync” imprimatur.  How does that work out?  Well, let’s just say it took longer to unbox this thing and get it plugged in than to get to this point here:


At which point, as expected, everything in my SfB client was golden.  I mean, it all worked and I did not have to do anything.  That is the way it should be.


  • Quality product?  Check.
  • Comfort?  Yep.
  • Controls?  Check.
  • Audio? Check.
  • SfB/Lync logo product?  Check.
  • More instructions for “how to use” than the obligatory safety briefing?  Oh yes.  How nice.  Finally.
  • Extra battery included?  Awesome.

Now, I could use the word “epitome” as in “…the Plantronics Savi W745M is the epitome of SfB headset functionality.”  But I won’t.  Primarily because I have not had the opportunity to test the binaural version.  If that ever occurs, I might very well have to update this article.

The 745 has so many wearing options that you can easily get confused.  But, in the end, the DECT capability, the comfort, and the aural quality make this – dare I say it – the leader in headsets for your UC needs.  And when you consider that the Savi W745M works seamlessly with SfB/Lync and your mobile at the same time, I think you have a winner.

You can get one right here.



Sennheiser SP 20 ML

Another new toy.  You know I love them.  So bright and shiny; full of supposed goodness; replete with stuff the average user is just dying to have at their fingertips.

In this case, Sennheiser has produced their version of the speakerphone “hockey puck” – optimized for Lync, and capable of doing the same for your average “mobile device.”  That could be right handy – my Nokia must have the world’s smallest speaker.  Which is odd, because the alarm function will blow the wax out of your ears, but the volume for the phone call has you wondering if the phone is even turned on!

First off, the Sennheiser rep who squirreled this little puppy away for me was absolutely glowing about the SP 20.  Not being a huge speakerphone user, let’s take a look at this device from the viewpoint of someone who don’t know Jack.  Which would be me.  How lucky, eh wot?

Here is the official, in-the-wild, Sennheiser market-speak for the SP 20.  Note that the website thinks there is some difference between the pedestrian SP 20, and the oh-so-much better SP 20 ML.  It’s like watching Khan from the “Wrath of…”  Ah well.  There is your obscure movie reference if you wish to have a partial explanation of where my brain goes sometimes.  My SO says I am usually off in space somewhere, but we won’t talk about that.

Designed for Unified Communications business professionals on the move using softphone via PC, mobile phone or tablet. Users who travel light and demand excellent conference sound will appreciate its user-friendly functionality and exceptional design. Compatible with major UC providers and softphone brands such as Skype for Business, Avaya, Cisco and IBM.

Here is the obligatory pretty picture from the previous link.  Note the attached cables.  None of this separate cable stuff here. No sirree!  And they have a nice storage slot on the bottom of the SP 20 also.  Along with an arrangement to hold the end connector solid so that you don’t pull this out of your bag with it looking like the reavers from the Matrix® series.


Here is the real thing, in a real call, muted.  The controls and lights and all seem very top-notch.  Overall construction quality seems equally nice and solid.  The attached cables are, according to my Stanley tape measure, 30 inches.  That will be 76.2 cm, but only if you are wired into that metric thing.


SfB/Lync Optimized?

I guess so!  I did nothing but plug the SP 20 into the first available USB port, and presto!  It was working.  How can you go wrong with that?


Starting with the SP 20 in the box, to get to the point where my SfB client showed the SP 20 as an audio device option took about 30 seconds.  Audio quality is somewhere in the excellent category.  Controls worked as expected, with button pushes being reflected in both SfB and the operating system – like the volume slider going up and down.

Now on to the Fancy Stuff

Sennheiser would have you believe that the SP 20 can connect to your cell phone and via the SP 20, connect into a Lync/SfB call.  Please wait while I wade through the extensive documentation that came with the SP 20.  While you are waiting, you should consider the concept that the SP 20 ships with a “Safety Guide” that comes in 17 (!!) languages and is easily three times the size of the user guide.  At least they did not warn me not to take the SP 20 into the shower.  But they did warn about everything else!  Gotta love them lawyers.

Wow.  Just discovered “music mode”  Nice. At one point I had the SP 20 answering calls from Lync whilst still playing muzack from my Nokia.

There is software to download, which I did not seeing as how everything I tried worked.


I like it.  In my usage, I used the SP 20 ML with SfB with zero issues.  Plug it in and it worked.  Great quality build, great audio, attached cables, and it works on my cell.  So much to like in such a small package.  According to Sennheiser marketing:

“A CONFERENCE CALL IN YOUR BRIEFCASE...Turn any room into your office...No more searching for an available conference room. Set up an impromptu conference or share a call with high quality sound – in any room.”

I can see that this unit will easily enable a small conference room.  You can get one right here.



Skype for Business Hybrid with O365 telephony

Compelling.  According to Merriam-Webster: (adjective) com·pel·ling \kəm-ˈpe-liŋ\:

  1. : very interesting : able to capture and hold your attention
  2. : capable of causing someone to believe or agree
  3. : strong and forceful : causing you to feel that you must do something

As of July 1, 2015, Microsoft announced their intention to provide PBX-in-the-cloud features to Office 365 subscribers.  For details of that announcement, see this.  These feature sets will be combined with a new O365 licensing model that includes a deprecation of the E4 license in favor of an E5 license.  For details on this development, see this.

What does this mean to the average organization using Skype for Business Server 2015 or Lync Server 2013 deployed on premises?  Simply put, it unchains that organization from constraints that may have stopped that company from making a move into the obvious advantages of using Office 365 for those organization users for whom it makes the most sense.  Furthermore, by providing PBX functionality to the O365 user, the organization now finds itself in the best of both worlds: on premises users can be moved into O365 where that move creates a monetary advantage for the organization – namely, leveraging existing telephony investments until EOL, and then moving totally into the Microsoft O365 environment; and this also, and to the point of this article, creates an entirely new solution set for servicing branch office scenarios.  With the constant movement towards telecommuting and distributed organizations, these new developments create a compelling reason to reexamine Office 365 from the telephony point of view.

The intent of this article is to examine the branch office reasons from a monetary point of view. Certain assumptions have been made to create a baseline in terms of cost and technology. These assumptions are for illustration purposes only and may or may not be accurate for the reader’s application.

Scenario and Assumptions

Warning: Do not attempt to use these numbers without cross-checking for yourself. These numbers are accurate based on MY research and past projects. YMMV.

Scenario [Sample Company, Inc.]

A medium size company with ~1000 users, of which ~600 are in one location, which the organization owns/leases. The other ~400 users are either pure road-warrior sales types, or knowledge workers in a branch office. The average branch office is 10 users, and the largest is 20 users. To make our scenario a little easier to grasp, Sample Company, Inc. is projecting zero growth. The sales types have a desk at one of the branch offices or at the home office. The home office has lobby phones, elevators, conference rooms, and a reception area. The ACD team is located at the home office, but has representatives that work from home or in one of the branch offices. Sample Company’s PBX is located in the home office server room, with PRI and SIP provided by the same carrier that provides the MPLS. Branch offices have a mix of separate internet connections and MPLS.


Existing Telephony Environment:

  • PBX centrally located with SIP Trunks.
  • Branch offices with 10-20 users
    • Branch offices have mix of independent PRI, some with ISR to home office, some with standalone PBX
  • SfB is deployed inside the home office with Edge and dial-in conferencing
  • Media gateway (SBC) is deployed in the home office upstream of the PBX and is making routing decisions based on LDAP lookup.
  • Costs shown are first year only

Business requirements

  • Replace PBX with SfB.
  • Provide full SfB on-premises including Enterprise Voice
  • Must maintain existing PBX due to contractual obligations and to allow a phased approach to replacing the existing ACD solution.
  • Provide full telephony service for branch office scenario
  • Allow users to keep their existing DID

SfB article assumptions

  • VM space already exists in Branch Offices
  • VM is Hyper-V already existing on Windows Server DataCenter install (no additional server license needed)
  • VM capacity is such that SBS or SE with Edge and Reverse Proxy can be added with no performance impact
  • Dial tone is desired in central site PBX outage or Branch Office PRI outage.
  • Survivable outbound path is desired in network outage
  • Network is MPLS; Branch offices have internet connections that are a mix of MPLS and separate data feeds.

License costs are hard to figure

  • Client CAL is needed, it may or may not be part of the license agreement
  • Office package is needed to accomplish any meaningful knowledge worker output
  • Office and SfB user licenses can also be Office 365 licenses (but at that point why not just put the users up on O365?)

Random Technical Items

  • SBA provisioned with T1 and SIP
  • SBS needs ISR and SBC
  • If decision is made to go with a full user pool at the branch, then the SE option is chosen
    • If SE, branch office needs ISR, SBC, Edge, Reverse Proxy.
  • SBC could possibly provide both SIP and PRI negating the need for ISR.
    • This will depend on existing telephony solution at branch office
  • Calculations for cost of SBA and SBC will not be accurate if more than 20 users due to SIP channel costs
  • Remote Install Assistance from SBA/ISR vendor not included in calculations
  • Call Center solution not determined at this time

What does the SfB O365 solution NOT provide based on these requirements and assumptions?

The only requirement not met is the dial tone being available in the event of a branch office network failure. In this event, I submit that the popularity of the personal (or corporate-supplied) cell phone reduces the risk of losing business to this outage to an insignificant minimum. After all, no matter what is done, the risk cannot be reduced to zero. So it becomes a tradeoff of costs.

Comparing each of the three scenarios for the “traditional” Lync/SfB solution, the Office 365 SfB Voice solution comes out at 41.5% of the cost of the least expensive (SBA) solution.  Yes, I know that the numbers could float higher and make that difference less dramatic; but I think this is a close estimate.  And keep in mind that using O365 licensing comes with your Office package licensing which would shift CAPEX to OPEX and make the O365 more attractive.

Cost Estimates

So, let’s take a quick look at the costs so that you can get an idea of the layout for each scenario and, more importantly, why Office 365 Hybrid Voice solutions are making me use the word “compelling.”

Here is our sample data put into a quickie spreadsheet, just to see what ONE site would look like.  As you can see, each scenario has its own column using elements as needed to create the solution.  Some of the cells get a 12x multiplier – because, duh, there are 12 months in a year.


If your math is anything like my math, that works out to about 58.5% less expensive (6400/15400 if you are interested), and meets all the requirements except the dial-tone-surviving thing.  Based on overall SBA sales, I submit that requirement is turning out to be not that important to business executives.

For Sample Company, Inc., who is needing approximately 20 of these sites, what does that look like?  Well, the 41.5% number still carries through, as you would expect.



My numbers might not match your research or your empirical numbers from your providers.  However, I think that the ratios won’t change that much and I could have easily increased the cost for the branch office deployment by including such things as remote install assistance for the SBA, ISR, and provisioning costs for the internet and PRI feeds.  Also, remember that the licensing costs can be shifted over to the O365 subscription which would shuffle cost, but not increase the O365 cost.  And where you buy your license, and who you buy from might change all of that also.  As a final thought, there are also the MAC (move, add, change) costs that are incurred with PBX maintenance and traditional telephony providers that are not being considered here.  We also did not include the costs of establishing the on-premises SfB presence.

All in all, I think Office 365 Cloud PBX with PSTN Calling creates a compelling (there’s that word!) reason for you to take a close look at the O365 SfB Voice features, costs, and how that picture matches up with (or against) your existing solution; and then consider where you are going in the future.

As always, YMMV.


Skype / Lync 2013 and DeviceLock ® DLP

This handy bit of software advertises the following benefits:


The Problem

The environment was seeing SfB and Lync 2013 clients unable to make PSTN calls, forward to voice mail, operate from a VPN with any consistency, and multiple other instances of random badness.

Identifying the Cause

As it turns out, the organization had deployed a small number of laptops with the aforementioned DLP product, apparently in the default configuration.

The Fix

Using a laptop without the DLP software deployed resulted in zero issues.  Ergo, this DeviceLock DLP product, in its default configuration, breaks SfB/Lync 2013 client software. If your organization wants to deploy this, ensure that the configuration is customized to leave SfB/Lync 2013 clients alone!



SfB User Tips n Tricks eBook

Fellow MVP Matt Landis has a new book out that will make any novice or expert user of Skype for Business even more productive.


Get your copy today!



Lync 2013 Edge Server Replication Failing

Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html

Environment Outline:

Mixed Lync 2013 (Edge) with SfB user pools.  CMS on SfB SE. Operating systems:  All user pools are 2012R2, Edge servers are 2012 (no R2).  Windows updates are current.  PKI is public for Edge external and FE external; PKI is AD DS for FE internal and Edge internal.  Customer changed AD certificate authority from sha-1 to sha-2.  New root cert pushed to all servers via active directory routines; edge server new trusted root manually imported.

The Issue:

Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (sha-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root.  Basic connection testing using <telnet fqdn 4443> was successful in both directions.

The Fix:

We had to reboot the Edge server to get it to recognize the trusted root cert chain.

Logic path:

The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.


If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>



Windows PKI SHA-1 to SHA-2

(How do you hear me now?)

Thanks go to fellow CDW co-workers Dean Sesko, Russell Despain, and Keith Crosby


What is the issue here?

Basically, the issue is that SHA-1 for PKI is going away in favor of SHA-2, and you WILL have customers that need help with this.





Any Microsoft supported operating system, properly patched/upgraded, and any Microsoft supported application, again properly patched/upgraded, will support SHA-2 PKI certificates.



…there are some caveats: notably around XP and Server 2003, and oddly, Server 2008.


So, there is not an issue with Microsoft supported products; the issue is with BYOD and Microsoft making a HUGE effort to support alternative browsers and operating systems. And those browsers and operating systems are fixing on deprecating their support of SHA-1.



However, there are going to be numerous AD internal CA’s out there that are issuing SHA-1 certificates, and depending on how the environment is configured, the customer will need to renew their application certificates for internal use. Logically, it makes sense that the desirable outcome of renewing the application certificates is that the issuing PKI be SHA-2.

CDW AD resident experts advise instantiating a new Root CA, and if needed, a new subordinate CA for issuing SHA-2 certificates. But, you know those pesky customers, they may not want to do this. Which would call for modifying the existing structure to hand out SHA-2 vice SHA-1.



Experimentation over the last several hours has revealed the following:

  • Migrating the existing SHA-1 CA went just fine.
  • The new SHA-2 Root Certificates updated almost immediately into the Trusted Root


  • I was able to request new SfB certificates and they were issued by the CA based on the new 3DES/SHA-2 root
    • However, the host server was not able to chain them up into the Trusted Root.
    • I rebooted.
    • I ran gpupdate /force
    • I rebooted.
  • After waiting overnight, THEN the new certs chained up properly. Why this delay in chaining to the new Root I have no idea. I suggest that if you do this for real, that you do the work on one day and then plan on waiting for at least 8 hours before attempting to get new certificates and expecting them to chain up to the new root.



After updating the internal certificates on my SfBSE to a new SHA-2 I successfully tested

  • using Win8.1 and Win7sp1
    • IE 11
    • Chrome Version 43.0.2357.134
  • Surface Pro 2 (8.1) IE
  • iPad (iOS 8.0.2) Safari

Firefox 39 fails – due to it not liking the root cert – why is FF so blinking difficult? Why does it have to have its own key chain? The O/S has the root cert! It does this same shit when installed on *nix. After manually importing my new root cert, it worked just fine.



  • SIP Phones.  I had to restart services (Stop-CsWindowsService, then Start-CsWindowsService) AFTER I changed the certificate to the new SHA-2 certificate before my AudioCodes 420HD and Polycom VVX-600 would log in.  Why, I do not know.


The SfB/Lync Connection!

You may have been wondering why *I* am worried about this.  Well, on literally every project with which I have been involved over the last few years, they all had *nix and Mac workstations, along with loads of iPhones, iPads, *nix tablets, droids, surface tablets, and here and there the odd Windows phone.  And, you have to know that, in most cases, all of these were attached to an internal corporate wireless.  And in some cases, the internal wireless was dropping these devices into the production network, which put them in a position to be able to directly contact Lync/SfB resources on internal servers, that, for the most part, had a PKI certificate from an internal CA.  With SHA-1.  You knew it had to be simple, right?

Any input to solving/addressing the observed delay would be most welcome. I, for one, totally expected to have the new certificate chain immediately – the appropriate root cert was in place!
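A read-only check for the chaining symptom described in this post and in the Edge replication post above it, as an added example (not from the original post or from Microsoft): it reports each certificate in the computer store with its signature algorithm and whether Windows can currently build its chain, then lists the matching trusted roots. The root name pattern is a placeholder you must set.

```powershell
# Added example, not part of the original post. Read-only; run elevated on the
# SfB/Lync server (Front End or Edge) whose certificates you want to check.

# ASSUMPTION: placeholder text to match against your internal root CA's subject.
$RootNamePattern = 'REPLACE-WITH-YOUR-ROOT-CA-NAME'

function Test-CertChain {
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # $true = build the chain in machine context, the stores a service relies on
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
    # Skip revocation so the result reflects the trust path only, not CRL reachability
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    try {
        $builds = $chain.Build($Certificate)
        $count  = $chain.ChainElements.Count
        # Last element is the highest certificate Windows could reach (the root when the chain is complete)
        $top    = if ($count -gt 0) { $chain.ChainElements[$count - 1].Certificate } else { $null }
        [pscustomobject]@{
            Subject             = $Certificate.Subject
            Thumbprint          = $Certificate.Thumbprint
            NotAfter            = $Certificate.NotAfter
            SignatureAlgorithm  = $Certificate.SignatureAlgorithm.FriendlyName
            ChainBuilds         = $builds
            ChainStatus         = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
            TopOfChain          = $top.Subject
            TopOfChainAlgorithm = $top.SignatureAlgorithm.FriendlyName
        }
    }
    finally {
        $chain.Reset()
    }
}

# 1. Every certificate in the computer's Personal store (where SfB service certs live)
$report = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-CertChain -Certificate $_ }
$report | Format-List

# 2. Anything that does not chain, or that is still signed (or rooted) with SHA-1
$attention = $report | Where-Object {
    -not $_.ChainBuilds -or
    $_.SignatureAlgorithm -like 'sha1*' -or
    $_.TopOfChainAlgorithm -like 'sha1*'
}
if ($attention) {
    Write-Warning "Certificates needing attention: $(@($attention).Count)"
    $attention | Format-Table Subject, SignatureAlgorithm, ChainBuilds, ChainStatus -AutoSize
}

# 3. Which copies of the internal root are in Trusted Root, old and new side by side
Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -like "*$RootNamePattern*" } |
    Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'SignatureAlgorithm'; Expression = { $_.SignatureAlgorithm.FriendlyName } }
```

A clean result here only shows that a fresh process can build the chain; the services in the posts above still needed a restart or reboot before they accepted it.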



Addasound Crystal UC2702 & UC2822

A Little Background

VOIP is here to stay.  And a high number of my projects include a goodly percentage of users who already know and love their headset and have no intention of using a “traditional” telephony handset.  Personally, I feel that handsets have their place; but not anywhere near my laptop.

Handsets aside, you can imagine that the competition for the headset market is a little heated.  Vendors compete; features get better, prices get a little lower, all is good.  Microsoft even maintains a 3PIP (Microsoft-defined 3rd Party Interoperability Program) and has a web site that shows you all the stuff that has been approved for either the “Optimized” or “Certified” or otherwise qualified to wear the Lync/SfB logo.

But there are many other devices, while not on the list, that work just fine with Lync or SfB.  I have in mind a USB headset that I purchased from the local bodega years ago that, to this day, works just peachy-keen with my SfB, Skype, and services such as Ventrilo.

And as the market evolves, new players come on board.  Addasound is one of these new players. Addasound comes out of Denmark and has a burgeoning line of headsets that work just fine with Skype for Business.  What we are here for today is to take a look at two of these headsets and get a little feel for their quality, comfort, and suitability with SfB.

One of the Addasound selling points is that they have a full line to connect to just about whatever your connection is, or will be.  Conceivably you could buy an Addasound headset (provided you choose the right one) and convert it at a later date to a different type of connector.  Pretty slick.   A little search of a popular website showed a plethora of options.

Crystal UC2702

Addasound says that “…Crystal 2702 Headsets specially designed for cost-effective call center users. Guaranteed comfort, simultaneously providing excellent noise-cancellation and great call quality to users.”  Here is the official blurb.


  • Noise cancelling microphone blocks 80% background noise and highlights your voice.
  • Easily compatible with different telephone and PC via varieties of QD cords.
  • Maximum volume control protects your hearing under intensive usage.
  • Ultra lightweight design for all-day comfort.
  • Adjustable headband to be most suitable for your wearing.

Ok.  They are right comfortable. Lightweight. Noise cancellation was excellent also. Audio quality, to my un-metered ear, was very nice.


Controls worked as expected: volume up/down, mute, end call.  A very basic set of controls. Oddly, the headset shows up this way in SfB and Device Manager:


General Impression

As opposed to General Patton – build quality seems to be on par with the market.  That is to say, I found nothing wrong with connections, materials, button pushing, or cables.  Everything seems to be as good as anyone else.  For my gourd, this unit is more comfortable than others I have tried.

I plugged into an available USB port, my Windows 8.1 discovered and installed, and SfB started using the new device.  Can’t ask for more than that!  On a minor odd note, SfB calls, when using this headset, did not mute, or reduce the volume of other streams.  This could be just my setup though.

Crystal UC2822

Quoting the Addasound website:  “…ADDASOUND always keeps pace with the developments of the call center industry in order to provide headsets that meet the special requirements of professional users. With its strong R&D background, ADDASOUND made Crystal 2822 an ergonomic noise cancelling headset especially for call centers and noisy working environments.”


  • Advanced evaporation technology to display textured appearance
  • 180° horizontal adjustable ear cap and 270°-300° bendable boom to fit custom need of every user
  • Ergonomic design for an extremely comfortable wearing experience
  • Ultra lightweight design allows all-day wearing

This headset showed up in Device Manager much the same way that the 2702’s did.  Based on reading this, the 2822 model is more adjustable and does wide-band audio processing. And due to the adjustable ear cups, the 2822 was markedly more comfortable than the 2702 model.

And to save space, the comments made above regarding the 2702 can be applied to the 2822 as well.  Nice, solid, comfortable headsets. If I had to choose, I would pick the 2822 as it fit my aural device holder better than the 2702.

The only question I have after comparing the two models is the 2822 is touted as having “Classic Nordic Design” – please, someone explain to me what that is.



Logitech ConferenceCam Connect

Business conferencing is an excellent way to connect knowledge workers with others for collaboration.  Various vendors will be most happy to provide your company with seriously expensive solutions to getting full audio and video to the various meeting attendees.  The problem of course, is the size of the meeting room, or rooms.

Microsoft will happily provide you with metrics that show the average meeting size is in the 4-5 person range.  Yet the room systems are sized more for the 12-20 person room. What to do?

There are some options out there:  Logitech BCC950 is one; if you have a 5-10 person meeting room, this is a great choice.  If you want to get into the slightly bigger room, Logitech also has the CC3000e.

However, one of the current trends in the corporate office space is towards open floors.  With conference rooms of various sizes – to include those little rooms where only 3-4 fit comfortably.  And they are usually just a table and chairs, no frills.  And with wireless becoming almost ubiquitous, they often don’t have Cat5 or a telephone, sometimes they don’t even have a power outlet on the wall.  Just a space with a door that can be closed for privacy.

So, you take your laptop into your meeting, but you have 2-3 others in the room with you – and your laptop video is not going to cut it.  Now what?

Logitech has a solution for your dilemma.  The ConferenceCam Connect.

What is it?

Well it is this right here!


Here is the support site, and there is a setup guide in PDF format on this page.  I doubt you will need it.  Even *I* figured it out all by myself.  The remote control stores on the device itself and covers up the onboard controls and the camera lens.  Pretty slick.  It comes OOBE with a USB cable that can charge it from your USB port and also a handy power outlet charger.  But, it can also run for an undetermined length of time on an internal battery.  Testing continues here at the secret Tsoorad Test Lab, but I can tell you that several hours of use does not kill it. Because I am a lazy typist, the ConferenceCam Connect will hereafter be referred to as “CCC.”

A friendly Logitech representative offered up this market-speak regarding the CCC:  “…It offers full HD 1080p video calling with a 90 degree field of view.  It has a 4x zoom, also in full HD.  You are able to pan, tilt, and zoom with a remote control or downloadable app.  It is Bluetooth and NFC enabled.  The unit has 360 degree wideband audio.  Your meeting participants can hear and be heard within a 12 foot range.”

Oh really?  I did not measure the angle of the dangle, but it seems like something close to 90 degrees.  And it does in fact do the zoomy thing.  It also pans lefty-righty and uppy-downy.  And the audio is “very good” to “excellent” in terms of sound quality.  Here is the field of view with the CCC about 30 inches from my right shoulder.  Note the excellent image quality.


About the zoom, tilt, and pan: you need to have the camera zoomed IN to some degree before tilt and pan will work.  I don’t know if this was just my unit or because the tilt/pan is being done electronically by image manipulation.  The camera lens itself is not moving.  I guess I just sort of expected that the behavior of the BCC950 and the CC3000 would have carried forward – and their cameras definitely are mechanical zoom, tilt, and pan.

For those interested in the zoom, here is the same view angle, but at full zoom. Don’t I look good?


Build quality seems to be first rate.  Fit, finish, audio quality, image quality – all great.  Just what you would expect from Logitech business products.

You can read up on all the official Logitech market-speak here, as well as look at all the pertinent device specifications.  Here is a riveting video on the CCC.  For those of us who need the kindergarten version of “how to use this thing?” here it is.

Skype for Business

But we are here because of Skype for Business, or Lync.  Right?  Ok, so how did that go?  Pretty well.  The box says it is “Optimized for Lync” while this product datasheet PDF, if you zoom in, has a “Certified for Skype for Business” logo.  Right, but does it actually work?  BORING.  Power up, connect up; bing-bong, done.  I did have to actually select the unit as my default device.  The horrors of it all!

And then I find out that I can screen share my phone with this thing, and the CCC can HDMI up to my TV.  Oh nice.  Makes you think of turning your local small gathering room into your favorite hangout.  Basically, if you have an HDMI cable, you can (I tested this one) host the meeting on your phone using Lync Mobile, screen share to the CCC, and then put that up on the big screen for all to see.  Slick.

And if you have a semi-permanent office space with a desktop, the CCC makes a pretty nice external camera and speaker phone.  The laptop user who needs to run to the aforementioned small conference room doesn’t even need to bring the power brick.  Just a USB cable.  I am assuming that the reason the CCC does not work with my Logitech USB dongle is due to the bandwidth (or lack thereof) in the BT channel. 


If you are looking for a relatively inexpensive “something” to place into a smallish conference room for people to use in that room, this little gem just might be your ticket.

If you desire to possess one of these paragons of meeting goodness, you can get one right here.



SfB Front End Prerequisite Install Script

In the SfB documentation, there are two separate references to installing operating system prerequisites before you can install Skype for Business Server 2015 Front ends.  In case you have not compared them, here are the two references:



For the analytical types, comparing the two versions of the PowerShell scripts reveals differences.  I spent a little time comparing the two and then combining them into one string.  Oh, and I tested the outcome by installing a SfB Standard Edition just to check my work.

Here is the script:

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client, Server-Media-Foundation, BITS

I only did this for the Server 2012 R2 prerequisite installs, because, frankly, I cannot understand why anyone would install a new SfB server on anything but 2012 R2.



Deploy SfB Monitoring Reports on separate SSRS

Oy vay.  This should have been easy.  But no.


SfB EE pool.  I was operating from FE01.  In the same site as the “new” SSRS server.

Using NT Authentication\Network Service to run everything on the SQL install for the SSRS server.

Using an established SFBService account with known passwords.

Using Mixed Windows/SQL authentication.

Using a domain admin account for installs that is CSAdministrator and RTCUniversalServerAdmin as well as added explicitly to the SQL install perms. 

Much like fellow MVP Greig Sheridan, we got this error - to quote the install wizard explicitly:

Could not get objects from namespace root\Microsoft\SqlServer\ReportServer. The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) Cannot get the ReportServerWebService URL. Verify that Reporting Services is deployed and configured properly on the target SQL instance:"fqdn.domain.com", and that WMI is included on the exception list of firewall setting on the server that is running Reporting Services.Invalid parameter

Fix It.

Unlike Greig, I had no option to use a server in the same site.  I was already using a server in the same site.  And before you ask the obvious question, yes, it was the same AD DS site and also the same SfB site (and no they do not necessarily line up, but why would they not?)(Why make life tough?)(and yes, there are times that one SfB site might serve several AD DS sites)

We then worked through the various permissions and the frustrations associated with looking at something that should be working but not. I also queried the local system admin team and determined that leaving the server firewall disabled would create strife between them and the local SecPol Gestapo.  So that option, which I was sure would fix it, was not a valid choice.

So, rather than dither and whine, I opened some firewall rules one at a time, and got success.  And now I know what allows this to work. 

Firewall Rules






SQL 2014 AlwaysOn and Skype for Business Server 2015

Let's do SQL AlwaysOn Availability Groups for Skype for Business Server 2015

If your SfB project is heading into the "I need SfB to be highly available" realm, then you need to start investigating what it is going to take to bring just ONE three node pool of SfB front end servers into being.  Beyond the obvious need for three servers to form the SfB Enterprise Pool, there is no point in doing an SfB EE Pool and having only one SQL server behind it - you will have created a single point of failure in a critical system component - to wit, the supporting backend SQL databases that the pool members use for re-hydration.

SfB is not totally different from Lync Server 2013 in this regard; however, one key difference is that now SfB officially supports using SQL Server AlwaysOn Availability Group (AG) as a supported SQL backend - this in addition to standalones, clusters, and mirrors.  If you have a SQL team that wants to use AG as the standard build, then that is what you will do, eh?  The point to this article is to walk through a simple EE pool with AG installation into an existing Lync 2013 environment to highlight some of the lessons learned over the past month or so.

I am not including screen caps of every step, there are plenty of guides out there in blog-land to walk you through SQL and SfB installs.

Before cranking up some VM space and mounting the ISO's, you may want to consider some needed data points.  DNS, IP space, and construction details are always nice to know ahead of time. Aside from five host servers, their FQDN's and appropriate VM host space, here are a few items to ponder:
  • Identify the Windows Failover Cluster (WFC) cluster name and IP - do you need to read up on WFC before you start?
  • Identify FSW location - do you need to read up on File Share Witness before you start?
  • Identify a SQL file share for enabling the AG itself.  SQL is going to want a share that it can use to shuttle the initial database backups into so that it can copy them onto (into?) the target secondary node.  Why it just don't do it direct is beyond my ken; I just do what I'm told! 
  • Identify the SQL AG group listener FQDN and IP - maybe you should do some background on this subject too.  It certainly would have helped me a bit.
  • Identify the SQL service account - don't try this with "network services" or you will be assigning certificates to logins
  • Firewalls on the SQL servers need to be opened for inbound traffic to flow properly.  1433 and 5022 TCP; 1434 UDP.
  • SQL Database location - these must be IDENTICAL between SQL AG nodes.
To quickly summarize, we are talking about:
  • 3 FQDNs and IP to match for the SfB EE pool (maybe more!)
  • 2 FQDNs and IP to match for our SQL 2014 Enterprise Edition nodes
  • 1 FQDN and IP for the WFC cluster
  • 1 FQDN and IP for the SQL AG listener
  • Service accounts
  • File locations
  • Firewalls
  • Database location

Prepare two servers for SQL.  I used 2 cores and 8GB RAM.  Because I am only hosting SfB databases on these servers, I used 200GB for drive C and will put everything on the same drive. You may wish to follow a more esoteric construction with separate drives, perhaps SAN-based, and you may need way more space than that especially if your database team is using these servers for other purposes.  You may even have to live with the database team telling you what and where, and by whom.  If you are having a SQL team provide you an instance and space, then make SURE of the instance name, your permissions to that instance, and the space your environment will need. Permissions will be important.
And of course, you will need three servers for your SfB pool.

Install SQLAlwaysOn-A operating system (I used server 2012 R2)
Install WFC via server manager
Install .net 3.5
Lather, rinse, repeat for SQLAlwaysOn-B

Patch and then patch again. Dang. You would think doing updates ONCE would be sufficient.  But...no.

Install SQL 2014 Enterprise  - use the SQL Service account for all services.  And you might as well make sure the SQL agent is running.  If you don't, the ensuing SfB install will complain about it.

FWIW, I also installed SSRS on both nodes.  No, SSRS cannot cluster or failover, but you CAN AG the databases, and install SfB templates to each node, and then, if needed, use the second node for your reports.

Configure WFC (see http://stevenpoitras.com/2014/02/microsoft-failover-cluster-configuration-nutanix/)
Configure FSW quorum - you will need FSW from above.

Configure WFC cluster listener with static IP.

Move resources (like change the active) between nodes - this verifies that both nodes can r/w both DNS and FSW and that either node can be listener.

Leave the WFC cluster active on whichever node you want to be the primary - I use SQLAlwaysOn-A for this.
Ensure that Windows firewall sql inbound rules are done:  tcp 1433, 5022, udp 1434
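
The inbound rules listed above, written out as an added example (not from the original post): rather than opening the three ports to any source, each rule is limited to the hosts that need it. The IP addresses are constructed placeholders, and the per-port roles in the comments are the SQL Server defaults, which this sketch assumes are in use.

```powershell
# Added example, not part of the original post. Run elevated on EACH SQL AG node
# (Server 2012 R2, NetSecurity module). All addresses below are constructed
# placeholders (documentation range 192.0.2.0/24): replace them with your own.

$SfbFrontEnds  = '192.0.2.11', '192.0.2.12', '192.0.2.13'   # the three EE pool members
$AgPartnerNode = '192.0.2.22'                               # the OTHER SQL AG node
$AdminHosts    = '192.0.2.50'                               # Topology Builder / SSMS workstation

# ASSUMPTION: default ports. 1433 = database engine (and AG listener),
# 5022 = AG/mirroring endpoint between replicas, 1434/UDP = SQL Browser.
$rules = @(
    @{ Name = 'SfB SQL - Database Engine (TCP 1433)'; Protocol = 'TCP'; Port = 1433
       Remote = $SfbFrontEnds + $AgPartnerNode + $AdminHosts },
    @{ Name = 'SfB SQL - AG Endpoint (TCP 5022)';     Protocol = 'TCP'; Port = 5022
       Remote = @($AgPartnerNode) },                  # replica-to-replica traffic only
    @{ Name = 'SfB SQL - Browser (UDP 1434)';         Protocol = 'UDP'; Port = 1434
       Remote = $SfbFrontEnds + $AdminHosts }
)

foreach ($r in $rules) {
    # Idempotent: skip a rule that already exists so the script can be re-run safely
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Host "Exists, skipping: $($r.Name)"
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
                        -Group 'SfB SQL AlwaysOn' `
                        -Direction Inbound `
                        -Action Allow `
                        -Profile Domain `
                        -Protocol $r.Protocol `
                        -LocalPort $r.Port `
                        -RemoteAddress $r.Remote | Out-Null
    Write-Host "Created: $($r.Name)"
}

# Show what is actually in place: port and permitted sources per rule
Get-NetFirewallRule -DisplayName 'SfB SQL - *' | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule     = $_.DisplayName
        Enabled  = $_.Enabled
        Protocol = $port.Protocol
        Port     = $port.LocalPort
        Sources  = $addr.RemoteAddress -join ', '
    }
} | Format-Table -AutoSize
```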

Some Lync 2013 work

Official Lync 2013 documentation on TechNet

From 2013:

Open topology builder from 2013 and save the tbxml, twice, just to be really sure.

Hey, we get to SfB yet?

In case you need to brush up on all of this…

Install SfB admin tools on something other than an existing Lync 2013 server
Open topology from SfB tools.  Save the tbxml.  Twice.  And not with the same file names you used for saving the 2013 version. No turning back now unless you have the tbxml files and the exports.
You've just upgraded the topology.  You did the 2013 tbxml saves and the configuration exports, right?

Configure topology.  In my case, a net new EE pool.
Make sure that your primary node SQL server has the database folder already defined, and that you remember what you called it; no point in having the Topology Builder choose defaults if you don't have to.  Or worse, use the SQL defaults and have your databases buried about 15 levels down.  I used c:\sfbdata.

What you need to do is ensure that the AG listener is defined up top, but the SQLAlwaysOn-A node is defined down below.  You go back and change this later... But here is the reason:  There is no AG yet, there cannot be an AG created until there are databases.  And the databases don’t get created until topology publishes.  So put the proposed listener at the top entry, and the specific first node down at the bottom.

Publish topology which will install the databases on sqlalwayson-A.tsoorad.net, which you need to do to get the AG to work - cannot make an AG without having a Database to work with!
When the topology publishes, it will flip up a SQL database configure screen.  I ALWAYS put my databases somewhere defined by my project. I NEVER let SQL just throw things around.  In this case, we are using c:\sfbdata for all SfB database work.  This will include the future CMS and the Persistent Chat.

At this point, I paused and did

"install-csdatabase -centralmanagementdatabase -sqlserverfqdn SQLAlwaysOn-A.tsoorad.net -databasepaths c:\sfbdata"

- because I know I am going to be moving the CMS to the new pool at some point and I want those two databases (xds and lis) to be part of the AG.  If you wait until later, you will be doing parts of this all over again. Then I paused again for persistent chat databases:

"Install-CsDatabase -DatabaseType persistentchat -SqlServerFqdn SQLAlwaysOn-A.tsoorad.net -DatabasePaths c:\sfbdata -v"


"Install-CsDatabase -DatabaseType persistentchatcompliance -SqlServerFqdn SQLAlwaysOn-A.tsoorad.net -DatabasePaths c:\sfbdata -v"

- same reasoning as before.  Tastes great, less filling.

Back to SQL...
OK, now we have SfB databases!

Set all SfB databases to FULL backup – some SQL BrightBoy probably has some zippy tsql to do this; being archaic, I do it onesy-twosy.

Backup all databases using SQL Management Studio - just accept the default location - these are not really your backups, this is just a step to ensure that the AG forms properly. AG requires the databases to be backed up first.  Yes, same comment here for the backups.  I am sure there is some zippy method that I have never bothered learning.

Robocopy the database file structure  - robocopy is your friend -  the file structure must be exact between servers
If you installed SSRS on both nodes, go remove the reportserver db and reportservertempdb from SQLAlwaysOn-B.tsoorad.net or you won't be able to add those databases to the AG as the database locations will have files in them and that is a no-no.  Luckily, you can just delete the databases from the Management Studio.
Configure AG (see http://stevenpoitras.com/2014/02/configure-sql-db-availability-group/)

You may need to add your cluster nodes by NETBIOS to sys.servers by doing

sp_addlinkedserver @server='serverNETBIOS'

I don’t know that this is an absolute requirement, but adding my nodes before trying to create the AG seemed to make some errors go away.  At any rate, I have done it ever since as a matter of rote.  YMMV.

SQL Permissions on Node 2
I have the topology already published, so now go look at the databases that you have already made members of the AG.  The AG retains the security logins on the database when it establishes the secondary copy; however, the same mechanism does NOT replicate the master database logins.  Read this as: your logins to the secondary (now primary) will fail for the various RTC and CS groups.  You will need to work out a method to get the security logins AND their respective SIDs along with lining up those SIDs to the respective database permissions.  One option to perform this work (and have it done right the first time) is to run a script such as this (http://www.sqlsoldier.com/wp/sqlserver/transferring-logins-to-a-database-mirror).
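
To see the gap described above before a failover exposes it, this added example (not from the original post or the linked script) compares server-level logins and their SIDs on the two nodes and reports what is missing or mismatched on the secondary. It only reads; it assumes your account can query sys.server_principals on both nodes.

```powershell
# Added example, not part of the original post. Read-only comparison of the
# server logins on the two AG nodes named in this walkthrough.
$PrimaryNode   = 'SQLAlwaysOn-A.tsoorad.net'
$SecondaryNode = 'SQLAlwaysOn-B.tsoorad.net'

function Get-ServerLogin {
    param([Parameter(Mandatory = $true)][string]$SqlInstance)

    # SQL logins (S), Windows users (U) and Windows groups (G); built-in and
    # per-machine service principals are skipped because they differ by design.
    $query = @'
SELECT name, type_desc, CONVERT(varchar(200), sid, 1) AS sid_hex
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')
  AND name NOT LIKE '##%'
  AND name NOT LIKE 'NT SERVICE\%'
  AND name NOT LIKE 'NT AUTHORITY\%';
'@
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$SqlInstance;Database=master;Integrated Security=True;Connect Timeout=15")
    $logins = @{}
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = $query
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            $logins[[string]$reader['name']] = [pscustomobject]@{
                Type = [string]$reader['type_desc']
                Sid  = [string]$reader['sid_hex']
            }
        }
    }
    finally {
        $conn.Dispose()
    }
    return $logins
}

function Compare-ServerLogin {
    param([hashtable]$Primary, [hashtable]$Secondary)
    foreach ($name in ($Primary.Keys | Sort-Object)) {
        $p = $Primary[$name]
        $s = $Secondary[$name]
        $status = if (-not $s)               { 'MissingOnSecondary' }
                  elseif ($s.Sid -ne $p.Sid) { 'SidMismatch' }   # database users map by SID, not name
                  else                       { 'OK' }
        [pscustomobject]@{
            Login        = $name
            Type         = $p.Type
            Status       = $status
            PrimarySid   = $p.Sid
            SecondarySid = $s.Sid
        }
    }
}

$result = Compare-ServerLogin -Primary   (Get-ServerLogin $PrimaryNode) `
                              -Secondary (Get-ServerLogin $SecondaryNode)

# Anything not OK will fail to authenticate, or land without its database
# permissions, once the secondary becomes primary.
$result | Where-Object { $_.Status -ne 'OK' } |
    Format-Table Login, Type, Status -AutoSize
```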

SfB Install
Initial install for the first EE pool members.
Had a nasty time with the prereq script.  Had to remount the original O/S ISO before the install-windowsfeature -source would work :(  I had a copy of the \sxs local to the machine, but the installer did not like it for some reason.  Do Windows updates until it don’t wupdate no mo!  Don’t forget kb2982006 is a "hotfix available" special. Until you run the script to install all the Skype for Business operating system prerequisites, the hotfix will refuse to install, so you need to run windows updates AFTER the prerequisite script.
Continued with install.  Started seeing issues across the new pool members of speech files not installing.    Nothing clears it out. Arbitrary reboot of all EE pool members fixed it.  (This install is starting to turn into a nightmare)(I never had these odd issues with Lync 2013, or with pre-GA SfB either!)
Finally have EE members installing as expected.  Why me? All three EE members acted differently during install.  Huh?  The servers are as close to identical as we can get them.  Installed from same source.  Used all default locations.  Patched from WSUS source.  Each server had the same number of updates in the same order.  WTFO.

Persistent Chat
We chose to install Pchat to a single server, but use the existing SQL BE and collocate with the FE Pool databases. See above, eh?

Go back to the topology builder and change the SQL definition for the EE pool  - remember up there where we set SQL to the AG AND the single node?  Now that we have the pool up we need to tell the pool to talk to the SQL AG listener, not just the one node...

Well, we got done. IMHO, way too much manual effort, but apparently with SQL being the way it is, the product group was forced into a corner.  Maybe the future holds an automated version of this, but until then,