About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015) - before that, a Lync Server MVP (2010-2014). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.


Skype / Lync 2013 and DeviceLock ® DLP

This handy bit of software advertises the following benefits:


The Problem

The environment was seeing SfB and Lync 2013 clients unable to make PSTN calls, forward to voice mail, operate from a VPN with any consistency, and multiple other instances of random badness.

Identifying the Cause

As it turns out, the organization had deployed a small number of laptops with the aforementioned DLP product, apparently in the default configuration.

The Fix

Using a laptop without the DLP software deployed resulted in zero issues.  Ergo, this DeviceLock DLP product, in its default configuration, breaks SfB/Lync 2013 client software. If your organization wants to deploy this, ensure that the configuration is customized to leave SfB/Lync 2013 clients alone!



SfB User Tips n Tricks eBook

Fellow MVP Matt Landis has a new book out that will make any novice or expert user of Skype for Business even more productive.


Get your copy today!



Lync 2013 Edge Server Replication Failing

Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html

Environment Outline:

Mixed Lync 2013 (Edge) with SfB user pools.  CMS on SfB SE. Operating systems:  All user pools are 2012R2, Edge servers are 2012 (no R2).  Windows updates are current.  PKI is public for Edge external and FE external; PKI is AD DS for FE internal and Edge internal.  Customer changed AD certificate authority from sha-1 to sha-2.  New root cert pushed to all servers via active directory routines; edge server new trusted root manually imported.

The Issue:

Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (sha-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root.  Basic connection testing using <telnet fqdn 4443> was successful in both directions.

The Fix:

We had to reboot the Edge server to get it to recognize the trusted root cert chain.

Logic path:

The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.


If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>



Windows PKI SHA-1 to SHA-2

(How do you hear me now?)

Thanks go to fellow CDW co-workers Dean Sesko, Russell Despain, and Keith Crosby


What is the issue here?

Basically, the issue is that SHA-1 for PKI is going away in favor of SHA-2, and you WILL have customers that need help with this.





Any Microsoft supported operating system, properly patched/upgraded, and any Microsoft supported application, again properly patched/upgraded, will support SHA-2 PKI certificates.



…there are some caveats: notably around XP and Server 2003, and oddly, Server 2008.


So, there is not an issue with Microsoft supported products; the issue is with BYOD and Microsoft making a HUGE effort to support alternative browsers and operating systems. And those browsers and operating systems are fixing on deprecating their support of SHA-1.



However, there are going to be numerous AD internal CA’s out there that are issuing SHA-1 certificates, and depending on how the environment is configured, the customer will need to renew their application certificates for internal use. Logically, it makes sense that the desirable outcome of renewing the application certificates is that the issuing PKI be SHA-2.

CDW AD resident experts advise instantiating a new Root CA, and if needed, a new subordinate CA for issuing SHA-2 certificates. But, you know those pesky customers, they may not want to do this. Which would call for modifying the existing structure to hand out SHA-2 vice SHA-1.



Experimentation over the last several hours has revealed the following:

  • Migrating the existing SHA-1 CA went just fine.
  • The new SHA-2 Root Certificates updated almost immediately into the Trusted Root


  • I was able to request new SfB certificates and they were issued by the CA based on the new 3DES/SHA-2 root
    • However, the host server was not able to chain them up into the Trusted Root.
    • I rebooted.
    • I ran GPUpdate –force
    • I rebooted.
  • After waiting overnight, THEN the new certs chained up properly. Why this delay in chaining to the new Root I have no idea. I suggest that if you do this for real, that you do the work on one day and then plan on waiting for at least 8 hours before attempting to get new certificates and expecting them to chain up to the new root.
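The symptom in both the Edge replication post and the experiment above is the same: the new root is in the store, yet certificates do not chain on the host. The following is an added example, not part of the original posts, that builds each machine certificate's chain in machine context and reports the signature hash of every link, the chain status, and whether the chain's top certificate is in the machine Trusted Root store; the function name and output property names are made up for this illustration.

```powershell
# Added example, not from the original post. Builds the chain for every
# certificate in a machine store the way a service on this host would, and
# reports the signature hash of each link plus any chain errors.
function Get-CertChainReport {
    param(
        [string]$StorePath = 'Cert:\LocalMachine\My',
        # Skip CRL/OCSP lookups so an unreachable CRL does not mask a trust failure.
        [switch]$SkipRevocation
    )

    foreach ($cert in Get-ChildItem -Path $StorePath) {
        # $true = validate in machine context (services), not the current user's.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain -ArgumentList $true
        if ($SkipRevocation) {
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        }

        $trusted = $chain.Build($cert)

        # One entry per link, leaf first: "name [signature algorithm]".
        $links = foreach ($element in $chain.ChainElements) {
            '{0} [{1}]' -f $element.Certificate.GetNameInfo('SimpleName', $false),
                           $element.Certificate.SignatureAlgorithm.FriendlyName
        }

        # The last element is as far up as Windows could build the chain.
        $rootInStore = $false
        $topIsSelfSigned = $false
        if ($chain.ChainElements.Count -gt 0) {
            $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $topIsSelfSigned = ($top.Subject -eq $top.Issuer)
            $rootInStore = Test-Path -Path "Cert:\LocalMachine\Root\$($top.Thumbprint)"
        }

        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'OK' }

        [PSCustomObject]@{
            Subject         = $cert.Subject
            Thumbprint      = $cert.Thumbprint
            NotAfter        = $cert.NotAfter
            ChainBuilds     = $trusted
            ChainStatus     = $status          # e.g. PartialChain, UntrustedRoot
            TopIsSelfSigned = $topIsSelfSigned # False = chain stopped below a root
            TopInRootStore  = $rootInStore
            Links           = $links -join ' -> '
        }

        $chain.Reset()
    }
}

# Run elevated on the Edge or Front End server, before and after the change.
Get-CertChainReport -SkipRevocation | Format-List
```

A certificate that reports `ChainBuilds = False` with `PartialChain` or `UntrustedRoot` while the new root is visibly in the store is the condition described in both posts.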



After updating the internal certificates on my SfBSE to a new SHA-2 I successfully tested

  • using Win8.1 and Win7sp1
    • IE 11
    • Chrome Version 43.0.2357.134
  • Surface Pro 2 (8.1) IE
  • iPad (iOS 8.0.2) Safari

Firefox 39 fails – due to it not liking the root cert – why is FF so blinking difficult? Why does it have to have its own key chain? The O/S has the root cert! It does this same shit when installed on *nix. After manually importing my new root cert, it worked just fine.



  • SIP Phones.  I had to restart services (stop-cswindowsservice start-cswindowsservice) AFTER I changed the certificate to the new SHA-2 certificate before my AudioCodes 420HD and Polycom VVX-600 would log in.  Why, I do not know.


The SfB/Lync Connection!

You may have been wondering why *I* am worried about this.  Well, on literally every project with which I have been involved over the last few years, they all had *nix and Mac workstations, along with loads of iPhones, iPads, *nix tablets, droids, surface tablets, and here and there the odd Windows phone.  And, you have to know that, in most cases, all of these were attached to an internal corporate wireless.  And in some cases, the internal wireless was dropping these devices into the production network, which put them in a position to being able to directly contact Lync/SfB resources on internal servers, that, for the most part, had a PKI certificate from an internal CA.  With SHA-1.  You knew it had to be simple, right?

Any input to solving/addressing the observed delay would be most welcome. I, for one, totally expected to have the new certificate chain immediately – the appropriate root cert was in place!



Addasound Crystal UC2702 & UC2822

A Little Background

VOIP is here to stay.  And a high number of my projects include a goodly percentage of users who already know and love their headset and have no intention of using a “traditional” telephony handset.  Personally, I feel that handsets have their place; but not anywhere near my laptop.

Handsets aside, you can imagine that the competition for the headset market is a little heated.  Vendors compete; features get better, prices get a little lower, all is good.  Microsoft even maintains a 3PIP (Microsoft-defined 3rd Party Interoperability Program) and has a web site that shows you all the stuff that has been approved for either the “Optimized” or “Certified” or otherwise qualified to wear the Lync/SfB logo.

But there are many other devices, while not on the list, that work just fine with Lync or SfB.  I have in mind a USB headset that I purchased from the local bodega years ago that, to this day, works just peachy-keen with my SfB, Skype, and services such as Ventrilo.

And as the market evolves, new players come on board.  Addasound is one of these new players. Addasound comes out of Denmark and has a burgeoning line of headsets that work just fine with Skype for Business.  What we are here for today is to take a look at two of these headsets and get a little feel for their quality, comfort, and suitability with SfB.

One of the Addasound selling points is that they have a full line to connect to just about whatever your connection is, or will be.  Conceivably you could buy an Addasound headset (provided you choose the right one) and convert it at a later date to a different type of connector.  Pretty slick.   A little search of a popular website showed a plethora of options.

Crystal UC2702

Addasound says that “…Crystal 2702 Headsets specially designed for cost-effective call center users. Guaranteed comfort, simultaneously providing excellent noise-cancellation and great call quality to users.”  Here is the official blurb.


  • Noise cancelling microphone blocks 80% background noise and highlights your voice.
  • Easily compatible with different telephone and PC via varieties of QD cords.
  • Maximum volume control protects your hearing under intensive usage.
  • Ultra lightweight design for all-day comfort.
  • Adjustable headband to be most suitable for your wearing.

Ok.  They are right comfortable. Lightweight. Noise cancellation was excellent also. Audio quality, to my un-metered ear, was very nice.


Controls worked as expected: volume up/down, mute, end call. A very basic set of controls. Oddly, the headset shows up this way in SfB and Device Manager:


General Impression

As opposed to General Patton – build quality seems to be on par with the market.  That is to say, I found nothing wrong with connections, materials, button pushing, or cables.  Everything seems to be as good as anyone else.  For my gourd, this unit is more comfortable than others I have tried.

I plugged into an available USB port, my Windows 8.1 discovered and installed, and SfB started using the new device.  Can’t ask for more than that!  On a minor odd note, SfB calls, when using this headset, did not mute, or reduce the volume of other streams.  This could be just my setup though.

Crystal UC2822

Quoting the Addasound website:  “…ADDASOUND always keeps pace with the developments of the call center industry in order to provide headsets that meet the special requirements of professional users. With its strong R&D background, ADDASOUND made Crystal 2822 an ergonomic noise cancelling headset especially for call centers and noisy working environments.”


  • Advanced evaporation technology to display textured appearance
  • 180° horizontal adjustable ear cap and 270°-300° bendable boom to fit custom need of every user
  • Ergonomic design for an extremely comfortable wearing experience
  • Ultra lightweight design allows all-day wearing

This headset showed up in Device Manager much the same way that the 2702’s did.  Based on reading this, the 2822 model is more adjustable and does wide-band audio processing. And due to the adjustable ear cups, the 2822 was markedly more comfortable than the 2702 model.

And to save space, the comments made above regarding the 2702 can be applied to the 2822 as well.  Nice, solid, comfortable headsets. If I had to choose, I would pick the 2822 as it fit my aural device holder better than the 2702.

The only question I have after comparing the two models is the 2822 is touted as having “Classic Nordic Design” – please, someone explain to me what that is.



Logitech ConferenceCam Connect

Business conferencing is an excellent way to connect knowledge workers with others for collaboration.  Various vendors will be most happy to provide your company with seriously expensive solutions to getting full audio and video to the various meeting attendees.  The problem of course, is the size of the meeting room, or rooms.

Microsoft will happily provide you with metrics that show the average meeting size is in the 4-5 person range.  Yet the room systems are sized more for the 12-20 person room. What to do?

There are some options out there:  Logitech BCC950 is one; if you have a 5-10 person meeting room, this is a great choice.  If you want to get into the slightly bigger room, Logitech also has the CC3000e

However, one of the current trends in the corporate office space is towards open floors.  With conference rooms of various sizes – to include those little rooms where only 3-4 fit comfortably.  And they are usually just a table and chairs, no frills.  And with wireless becoming almost ubiquitous, they often don’t have Cat5 or a telephone, sometimes they don’t even have a power outlet on the wall.  Just a space with a door that can be closed for privacy.

So, you take your laptop into your meeting, but you have 2-3 others in the room with you – and your laptop video is not going to cut it.  Now what?

Logitech has a solution for your dilemma.  The ConferenceCam Connect.

What is it?

Well it is this right here!


Here is the support site, and there is a setup guide in PDF format on this page.  I doubt you will need it.  Even *I* figured it out all by myself.  The remote control stores on the device itself and covers up the onboard controls and the camera lens.  Pretty slick.  It comes OOBE with a USB cable that can charge it from your USB port and also a handy power outlet charger.  But, it can also run for an undetermined length of time on an internal battery.  Testing continues here at the secret Tsoorad Test Lab, but I can tell you that several hours of use does not kill it. Because I am a lazy typist, the ConferenceCam Connect will hereafter be referred to as “CCC.”

A friendly Logitech representative offered up this market-speak regarding the CCC:  “…It offers full HD 1080p video calling with a 90 degree field of view.  It has a 4x zoom, also in full HD.  You are able to pan, tilt, and zoom with a remote control or downloadable app.  It is Bluetooth and NFC enabled.  The unit has 360 degree wideband audio.  Your meeting participants can hear and be heard within a 12 foot range. “

Oh really?  I did not measure the angle of the dangle, but it seems like something close to 90 degrees.  And it does in fact do the zoomy thing, It also pans lefty-righty and uppy-downy.  And the audio is “very good” to “excellent” in terms of sound quality.  Here is the field of view with the CCC about 30 inches from my right shoulder.  Note the excellent image quality.


About the zoom, tilt, and pan: you need to have camera zoomed IN to some degree before tilt and pan worked.  I don’t know if this was just my unit or because the tilt/pan is being done electronically by image manipulation.  The camera lens itself is not moving.  I guess I just sort of expected that the behavior of the BCC950 and the CC3000 would have carried forward – and their cameras definitely are mechanical zoom, tilt, and pan.

For those interested in the zoom, here is the same view angle, but at full zoom. Don’t I look good?


Build quality seems to be first rate.  Fit, finish, audio quality, image quality – all great.  Just what you would expect from Logitech business products.

You can read up on all the official Logitech market-speak here, as well as look at all the pertinent device specifications. Here is a riveting video on the CCC.  For those of us who need the kindergarten version of “how to use this thing?” here it is.

Skype for Business

But we are here because of Skype for Business, or Lync.  Right?  Ok, so how did that go?  Pretty well.  The box says it is “Optimized for Lync” while on this product datasheet PDF, if you zoom in, has a “Certified for Skype for Business” logo.  Right, but does it actually work?  BORING.  Power up, connect up; bing-bong, done.  I did have to actually select the unit as my default device.  The horrors of it all!

And then I find out that I can screen share my phone with this thing, and the CCC can HDMI up to my TV.  Oh nice.  Makes you think of turning your local small gathering room into your favorite hangout.  Basically, if you have an HDMI cable, you can (I tested this one) host the meeting on your phone using Lync Mobile, screen share to the CCC, and then put that up on the big screen for all to see.  Slick.

And if you have a semi-permanent office space with a desktop, the CCC makes a pretty nice external camera and speaker phone.  The laptop user who needs to run to the aforementioned small conference room doesn’t even need to bring the power brick.  Just a USB cable.  I am assuming that the reason the CCC does not work with my Logitech USB dongle is due to the bandwidth (or lack thereof) in the BT channel. 


If you are looking for a relatively inexpensive “something” to place into a smallish conference room for people to use in that room, this little gem just might be your ticket.

If you desire to possess one of these paragons of meeting goodness, you can get one right here.



SfB Front End Prerequisite Install Script

In the SfB documentation, there are two separate references to installing operating system prerequisites before you can install Skype for Business Server 2015 Front ends.  In case you have not compared them, here are the two references:



For the analytical types, comparing the two versions of the PowerShell scripts reveals differences.  I spent a little time comparing the two and then combining them into one string.  Oh, and I tested the outcome by installing a SfB Standard Edition just to check my work.

Here is the script:

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client, Server-Media-Foundation, BITS

I only did this for the Server 2012 R2 prerequisite installs, because, frankly, I cannot understand why anyone would install a new SfB server on anything but 2012 R2.



Deploy SfB Monitoring Reports on separate SSRS

Oy vay.  This should have been easy.  But no.


SfB EE pool.  I was operating from FE01.  In the same site as the “new” SSRS server.

Using NT Authentication\Network Service to run everything on the SQL install for the SSRS server.

Using an established SFBService account with known passwords.

Using Mixed Windows/SQL authentication.

Using a domain admin account for installs that is CSAdministrator and RTCUniversalServerAdmin as well as added explicitly to the SQL install perms. 

Much like fellow MVP Greig Sheridan, we got this error - to quote the install wizard explicitly:

Could not get objects from namespace root\Microsoft\SqlServer\ReportServer. The RPC server is unavailable. (Exception from HRESULT: 0x800706BA)The RPC server is unavailable. (Exception from HRESULT: 0x800706BA) Cannot get the ReportServerWebService URL. Verify that Reporting Services is deployed and configured properly on the target SQL instance:"fqdn.domain.com", and that WMI is included on the exception list of firewall setting on the server that is running Reporting Services.Invalid parameter

Fix It.

Unlike Greig, I had no option to use a server in the same site.  I was already using a server in the same site.  And before you ask the obvious question, yes, it was the same AD DS site and also the same SfB site (and no they do not necessarily line up, but why would they not?)(Why make life tough?)(and yes, there are times that one SfB site might serve several AD DS sites)

We then worked through the various permissions and the frustrations associated with looking at something that should be working but not. I also queried the local system admin team and determined that leaving the server firewall disabled would create strife between them and the local SecPol Gestapo.  So that option, which I was sure would fix it, was not a valid choice.

So, rather than dither and whine, I opened some firewall rules one at a time, and got success.  And now I know what allows this to work. 

Firewall Rules






SQL 2014 AlwaysOn and Skype for Business Server 2015

Let's do SQL AlwaysOn Availability Groups for Skype for Business Server 2015

If your SfB project is heading into the "I need SfB to be highly available" realm, then you need to start investigating what it is going to take to bring just ONE three node pool of SfB front end servers into being.  Beyond the obvious need for three servers to form the SfB Enterprise Pool, there is no point in doing an SFB EE Pool and have only one SQL server behind it - you will have created a single point of failure in a critical system component - to wit, the supporting backend SQL databases that the pool members use for re-hydration.

SfB is not totally different from Lync Server 2013 in this regard; however, one key difference is that now SfB officially supports using SQL Server AlwaysOn Availability Group (AG) as a supported SQL backend - this in addition to standalones, clusters, and mirrors.  If you have a SQL team that wants to use AG as the standard build, then that is what you will do, eh?  The point to this article is to walk through a simple EE pool with AG installation into an existing Lync 2013 environment to highlight some of the lessons learned over the past month or so.

I am not including screen caps of every step, there are plenty of guides out there in blog-land to walk you through SQL and SfB installs.

Before cranking up some VM space and mounting the ISO's, you may want to consider some needed data points.  DNS, IP space, and construction details are always nice to know ahead of time. Aside from five host servers, their FQDN's and appropriate VM host space, here are a few items to ponder:
  • Identify the Windows Failover Cluster (WFC) cluster name and IP - do you need to read up on WFC before you start?
  • Identify FSW location - do you need to read up on File Share Witness before you start?
  • Identify a SQL file share for enabling the AG itself.  SQL is going to want a share that it can use to shuttle the initial database backups into so that it can copy them onto (into?) the target secondary node.  Why it just don't do it direct is beyond my ken; I just do what I'm told! 
  • Identify the SQL AG group listener FQDN and IP - maybe you should do some background on this subject too.  It certainly would have helped me a bit.
  • Identify the SQL service account - don't try this with "network services" or you will be assigning certificates to logins
  • Firewalls on the SQL servers need to be opened for inbound traffic to flow properly.  1433 and 5022 TCP; 1434 UDP.
  • SQL Database location - these must be IDENTICAL between SQL AG nodes.
To quickly summarize, we are talking about:
  • 3 FQDNs and IP to match for the SfB EE pool (maybe more!)
  • 2 FQDNs and IP to match for our SQL 2014 Enterprise Edition nodes
  • 1 FQDN and IP for the WFC cluster
  • 1 FQDN and IP for the SQL AG listener
  • Service accounts
  • File locations
  • Firewalls
  • Database location

Prepare two servers for SQL.  I used 2 cores and 8GB RAM.  Because I am only hosting SfB databases on these servers, I used 200GB for drive C and will put everything on the same drive. You may wish to follow a more esoteric construction with separate drives, perhaps SAN-based, and you may need way more space than that especially if your database team is using these servers for other purposes.  You may even have to live with the database team telling you what and where, and by whom.  If you are having a SQL team provide you an instance and space, then make SURE of the instance name, your permissions to that instance, and the space your environment will need. Permissions will be important.
And of course, you will need three servers for your SfB pool.

Install SQLAlwaysOn-A operating system (I used server 2012 R2)
Install WFC via server manager
Install .net 3.5
Lather, rinse, repeat for SQLAlwaysOn-B

Patch and then patch again. Dang. You would think doing updates ONCE would be sufficient.  But...no.

Install SQL 2014 Enterprise  - use the SQL Service account for all services.  And you might as well make sure the SQL agent is running.  If you don't, the ensuing SfB install will complain about it.

FWIW, I also installed SSRS on both nodes.  No, SSRS cannot cluster or failover, but you CAN AG the databases, and install SfB templates to each node, and then, if needed, use the second node for your reports.

Configure WFC (see http://stevenpoitras.com/2014/02/microsoft-failover-cluster-configuration-nutanix/)
Configure FSW quorum - you will need FSW from above.

Configure WFC cluster listener with static IP.

Move resources (like change the active) between nodes - this verifies that both nodes can r/w both DNS and FSW and that either node can be listener.

Leave the WFC cluster active on whichever node you want to be the primary - I use SQLAlwaysOn-A for this.
Ensure that Windows firewall sql inbound rules are done:  tcp 1433, 5022, udp 1434
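
The inbound rules from the step above (TCP 1433 and 5022, UDP 1434), written so the Windows firewall stays enabled and each port is reachable only from the hosts that need it. This is an added example, not part of the original post; the IP addresses are constructed placeholders from the 192.0.2.0/24 documentation range, and the rule and group names are made up here.

```powershell
# Added example, not from the original post. Run elevated on EACH SQL AG node.
# All addresses below are constructed placeholders; substitute your own.
$FrontEnds = '192.0.2.11', '192.0.2.12', '192.0.2.13'  # SfB FE pool members
$AdminHost = '192.0.2.50'                              # where Topology Builder / Install-CsDatabase runs
$PeerNode  = '192.0.2.22'                              # the OTHER SQL AG node (differs per node)

$group = 'SfB SQL AlwaysOn'                            # hypothetical group label, used for review/cleanup

$rules = @(
    # Database engine: clients are the FE pool, the admin host, and the peer node.
    @{ Name = 'SfB SQL - engine TCP 1433';       Protocol = 'TCP'; Port = 1433; From = $FrontEnds + $AdminHost + $PeerNode },
    # AG / mirroring endpoint: only the other replica talks to this port.
    @{ Name = 'SfB SQL - AG endpoint TCP 5022';  Protocol = 'TCP'; Port = 5022; From = @($PeerNode) },
    # SQL Browser: instance name resolution for the same clients as 1433.
    @{ Name = 'SfB SQL - browser UDP 1434';      Protocol = 'UDP'; Port = 1434; From = $FrontEnds + $AdminHost + $PeerNode }
)

foreach ($r in $rules) {
    # Idempotent: leave an existing rule of the same name alone.
    if (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue) {
        Write-Verbose "Rule '$($r.Name)' already present" -Verbose
        continue
    }
    New-NetFirewallRule -DisplayName $r.Name `
                        -Group $group `
                        -Direction Inbound `
                        -Action Allow `
                        -Protocol $r.Protocol `
                        -LocalPort $r.Port `
                        -RemoteAddress $r.From `
                        -Profile Domain | Out-Null
}

# Review what was created: port and permitted sources per rule.
Get-NetFirewallRule -Group $group | ForEach-Object {
    [PSCustomObject]@{
        Rule    = $_.DisplayName
        Enabled = $_.Enabled
        Port    = ($_ | Get-NetFirewallPortFilter).LocalPort
        Sources = (($_ | Get-NetFirewallAddressFilter).RemoteAddress) -join ', '
    }
} | Format-Table -AutoSize
```

If Persistent Chat or SSRS hosts also connect to this instance, add their addresses to the 1433/1434 source lists.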

Some Lync 2013 work

Official Lync 2013 documentation on TechNet

From 2013:

Open topology builder from 2013 and save the tbxml, twice, just to be really sure.

Hey, we get to SfB yet?

In case you need to brush up on all of this…

Install SfB admin tools on something other than an existing Lync 2013 server
Open topology from SfB tools.  Save the tbxml.  Twice.  And not with the same file names you used for saving the 2013 version. No turning back now unless you have the tbxml files and the exports.
You've just upgraded the topology.  You did the 2013 tbxml saves and the configuration exports, right?

Configure topology.  In my case, a net new EE pool.
Make sure that your primary node SQL server has the database folder already defined, and that you remember what you called it; no point in having the Topology Builder choose defaults if you don't have to.  Or worse, use the SQL defaults and have your databases buried about 15 levels down.  I used c:\sfbdata.

What you need to do is ensure that the AG listener is defined up top, but the SQLAlwaysOn-A node is defined down below.  You go back and change this later... But here is the reason:  There is no AG yet, there cannot be an AG created until there are databases.  And the databases don’t get created until topology publishes.  So put the proposed listener at the top entry, and the specific first node down at the bottom.

Publish topology which will install the databases on sqlalwayson-A.tsoorad.net, which you need to do to get the AG to work - cannot make an AG without having a Database to work with!
When the topology publishes, it will flip up a SQL database configure screen.  I ALWAYS put my databases somewhere defined by my project. I NEVER let SQL just throw things around.  In this case, we are using c:\sfbdata for all SfB database work.  This will include the future CMS and the Persistent Chat.

At this point, I paused and did

"install-csdatabase -centralmanagementdatabase -sqlserverfqdn SQLAlwaysOn-A.tsoorad.net -databasepaths c:\sfbdata"

- because I know I am going to be moving the CMS to the new pool at some point and I want those two databases (xds and lis) to be part of the AG.  If you wait until later, you will be doing parts of this all over again. Then I paused again for persistent chat databases:

"Install-CsDatabase -DatabaseType persistentchat -SqlServerFqdn SQLAlwaysOn-A.tsoorad.net -DatabasePaths c:\sfbdata -v"


"Install-CsDatabase -DatabaseType persistentchatcompliance -SqlServerFqdn SQLAlwaysOn-A.tsoorad.net -DatabasePaths c:\sfbdata -v"

- same reasoning as before.  Tastes great, less filling.

Back to SQL...
OK, now we have SfB databases!

Set all SfB databases to FULL backup – some SQL BrightBoy probably has some zippy tsql to do this; being archaic, I do it onesy-twosy.

Backup all databases using SQL Management Studio - just accept the default location - these are not really your backups, this is just a step to ensure that the AG forms properly. AG requires the databases to be backed up first.  Yes, same comment here for the backups.  I am sure there is some zippy method that I have never bothered learning.
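
One way to do the two steps above in a single pass rather than database by database. This is an added example, not part of the original post: it sets the FULL recovery model on every user database and takes one full backup of each into the instance's default backup directory. It assumes, as the post does, that the instance hosts only the SfB (and SSRS) databases and that the SQLPS module from the SQL Server 2014 management tools is installed; the `_ag_seed.bak` file suffix is made up here.

```powershell
# Added example, not from the original post.
Push-Location                                  # SQLPS changes the current location on import
Import-Module SQLPS -DisableNameChecking
Pop-Location

$Instance = 'SQLAlwaysOn-A.tsoorad.net'        # primary node named in the post

# User databases only: database_id 1-4 are master, tempdb, model and msdb.
$databases = Invoke-Sqlcmd -ServerInstance $Instance -Query @'
SELECT name, recovery_model_desc
FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE'
ORDER BY name;
'@

foreach ($db in $databases) {
    $ident = $db.name.Replace(']', ']]')       # safe inside [brackets]
    $file  = ($db.name + '_ag_seed.bak').Replace("'", "''")   # safe inside N'...'

    if ($db.recovery_model_desc -ne 'FULL') {
        Invoke-Sqlcmd -ServerInstance $Instance `
            -Query "ALTER DATABASE [$ident] SET RECOVERY FULL;"
    }

    # A bare file name is written to the instance's default backup directory.
    Invoke-Sqlcmd -ServerInstance $Instance -QueryTimeout 3600 `
        -Query "BACKUP DATABASE [$ident] TO DISK = N'$file';"
}

# Confirm every database is FULL and has a full ('D') backup on record.
Invoke-Sqlcmd -ServerInstance $Instance -Query @'
SELECT d.name,
       d.recovery_model_desc,
       MAX(b.backup_finish_date) AS last_full_backup
FROM sys.databases AS d
LEFT JOIN msdb.dbo.backupset AS b
       ON b.database_name = d.name AND b.type = 'D'
WHERE d.database_id > 4
GROUP BY d.name, d.recovery_model_desc
ORDER BY d.name;
'@ | Format-Table -AutoSize
```

Any row with a NULL `last_full_backup` or a recovery model other than FULL will be rejected when you try to add that database to the AG.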

Robocopy the database file structure  - robocopy is your friend -  the file structure must be exact between servers
If you installed SSRS on both nodes, go remove reportserver db and reportservertempdb from SQLAlwaysOn-B.tsoorad.net or you won't be able to add those databases to the AG as the database locations will have files in them and that is a no-no.  Luckily, you can just delete the databases from the Management Studio.
Configure AG (see http://stevenpoitras.com/2014/02/configure-sql-db-availability-group/)

You may need to add your cluster nodes by NETBIOS to sys.servers by doing

sp_addlinkedserver @server='serverNETBIOS'

I don’t know that this is an absolute requirement, but adding my nodes before trying to create the AG seemed to make some errors go away.  At any rate, I have done it ever since as a matter of rote.  YMMV.

SQL Permissions on Node 2
I have the topology already published, so now go look at the databases that you have already made members of the AG.  The AG retains the security logins on the database when it establishes the secondary copy; however, the same mechanism does NOT replicate the master database logins.  Read this as: your logins to the secondary (now primary) will fail for the various RTC and CS groups.  You will need to work out a method to get the security logins AND their respective SIDs along with lining up those SIDs to the respective database permissions.  One option to perform this work (and have it done right the first time) is to run a script such as this (http://www.sqlsoldier.com/wp/sqlserver/transferring-logins-to-a-database-mirror).

SfB Install
Initial install for the first EE pool members.
Had a nasty time with the prereq script.  Had to remount the original O/S ISO before the install-windowsfeature -source would work :(  I had a copy of the \sxs local to the machine, but the installer did not like it for some reason.  Do Windows updates until it don’t wupdate no mo!  Don’t forget kb2982006 is a "hotfix available" special. Until you run the script to install all the Skype for Business operating system prerequisites, the hotfix will refuse to install, so you need to run windows updates AFTER the prerequisite script.
Continued with install.  Started seeing issues across the new pool members of speech files not installing.    Nothing clears it out. Arbitrary reboot of all EE pool members fixed it.  (This install is starting to turn into a nightmare)(I never had these odd issues with Lync 2013, or with pre-GA SfB either!)
Finally have EE members installing as expected.  Why me? All three EE members acted differently during install.  Huh?  The servers are as close to identical as we can get them.  Installed from same source.  Used all default locations.  Patched from WSUS source.  Each server had the same number of updates in the same order.  WTFO.

Persistent Chat
We chose to install Pchat to a single server, but use the existing SQL BE and collocate with the FE Pool databases. See above, eh?

Go back to the topology builder and change the SQL definition for the EE pool  - remember up there where we set SQL to the AG AND the single node?  Now that we have the pool up we need to tell the pool to talk to the SQL AG listener, not just the one node...

Well, we got done. IMHO, way too much manual effort, but apparently with SQL being the way it is, the product group was forced into a corner.  Maybe the future holds an automated version of this, but until then,


Start-CsPool fails

Are you getting this nasty failure when you attempt to run Start-CsPool on your squeaky new SfB pool?

Did you create your topology and publish it before creating your pool’s host servers?

Did you get a little message about having to re-run Enable-CsTopology after creating the servers?

Did you ignore that little tidbit?

So, before you go much further, open a PowerShell session as administrator and run
and then, on each FE server:


Skype for Business Server 2015 Training

Do you have users clamoring for some training resources to help get them started?

Take a gander at this:  Skype for Business client awareness and readiness resources

672Mb of goodness.




CSAnalogDevice Dialing


Analog devices live on.  Face it. There are some states that REQUIRE analog circuits outside of the VOIP configuration.  New Jersey, for instance, requires that elevators be hardwired. 

So, I was doing this project that had a need for analog devices to do things like open gates, be a parking lot phone, and other nefarious duties.  Suffice it to say, we had to put in several 24 port FXS gateways. 

We got them all configured, ran through the requisite new-csanalogdevice and associated all the devices with their respective gateways, assigned (carefully) DIDs, contact objects, and Dial Plans.  You can see some background on how to set up csanalogdevices here.

The desired dialing action was to use a complete 10-digit dial pattern.  No four, no five, and none of that seven digit stuff.  10 digits was the plan moving forward.  During testing, we noticed that we had to dial 11 digits to get the call to complete. 


I immediately went to the configuration of the gateway (AudioCodes MP124) but I found that I already had the “Max Digits in Phone Num” set properly.


As I was performing that useless verification task, I BFO’d on the trace log from the gateway, where we noticed that Lync was refusing the call because there was no normalization!  Huh?

Uh oh

  1. The gateways were sending 10 digits as expected, but Lync was not accepting them.
  2. The Get-CSAnalogDevice configuration showed that we had assigned a USER Dial Plan to the objects, which was the correct action.
  3. The User Dial Plan had a rule that accepted 10 digits and normalized to E.164.
  4. Therefore the CSAnalogDevice had the right set of rules, was sending the correct number of digits as it was told, but was not working.
  5. The CSAnalogDevice had the correct dial plan assigned, but the CSAnalogDevice did not like the dial plan scope, so the CSAnalogDevice fell back to using the Global Dial Plan ruleset, which did NOT include a 10 digit normalization rule.
  6. It turns out that the CSAnalogDevice objects only respect DEFAULT dial plans, not user dial plans.  Our assigned Dial Plan is a user scope dial plan. CSAnalogDevice wants something that can be a default – so pool, site, or global.

No, I don’t know why.  I assume it is a coding issue, and there is SOME reason that makes no sense to you and me.  I know that you and I consider it a bug, but the developers might well come back with “by design.”  The Lync documentation indicates that a user-level policy will work.  (Note that the same documentation indicates that a voice policy needs to be assigned, and I agree, but dang, you can’t make a call without normalization, and the documentation says squatoosh about the dial plan scope level.)

The Fix

The short term fix was to add a 10 digit normalization rule to the Global Dial Plan.  That fixed the analog devices not dialing out correctly. There was joy in Mudville.

For the future, create a site or pool dial plan that has all requisite rules for that site. SBA installations are considered a site for this purpose.

This is current as of the December 2014 Lync 2013 CU.  I hope the SfB release addresses this, but I am not going to hold my breath.  What I intend to do is make sure that every site or pool has a dial plan, and that a user level dial plan is never assigned to a generic device. 


That should hold the barbarians at the gate, eh?
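An added example, not from the original post: a quick audit for the condition described above, run from the Lync Server Management Shell. The test number is constructed, and reading the assigned plan from a DialPlan property on the Get-CsAnalogDevice output is an assumption based on what the post says that cmdlet showed.

```powershell
# Added example: find analog devices that depend on a user-scope dial plan, and
# check that every default-capable dial plan can normalize a 10-digit number.
$testNumber = '5035550100'   # constructed 10-digit number, not a real DID

# 1. Analog devices with a user-scope dial plan assigned.
#    Assumption: the assigned plan is exposed as the DialPlan property.
$devices = Get-CsAnalogDevice | Where-Object { $_.DialPlan }
$devices | Select-Object DisplayName, LineUri, DialPlan | Format-Table -AutoSize

# 2. Global, site and pool dial plans are the ones an analog device will honor.
#    User-scope plans have identities that start with "Tag:" and are skipped.
$defaults = Get-CsDialPlan | Where-Object { "$($_.Identity)" -notlike 'Tag:*' }

$results = foreach ($plan in $defaults) {
    # Test-CsDialPlan reports the normalized number and the rule that matched.
    $test = Test-CsDialPlan -DialedNumber $testNumber -DialPlan $plan
    [pscustomobject]@{
        DialPlan   = "$($plan.Identity)"
        Normalized = $test.TranslatedNumber
        Rule       = $test.MatchingRule
        TenDigitOk = [bool]$test.TranslatedNumber
    }
}

# Any row with TenDigitOk = False is a scope where 10-digit dialing from an
# analog device will be rejected for lack of normalization.
$results | Sort-Object TenDigitOk | Format-Table DialPlan, Normalized, TenDigitOk -AutoSize
```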



SfB/Lync audio failures


Adios Audio!

The Issue

I don’t know about anyone else, but I have noticed that since I ran updates into my Windows 8.1 laptop the other week, my audio on my laptop has failed completely at least twice.  Today it quit very annoyingly right before I tried to make a Skype call.  Right off, I thought I had a device (headset) failure, or a mute button pushed, or something like that.  But no.

When this happens, ALL audio is gone.  Not just SfB/Lync.  System sounds, dings, dongs, and other helpful bleeps are simply not happening.  This is a Windows 8.1 operating system thing.

I have a Lenovo T530.  But, some google-fu and some University of Bing show that this is not just my Lenovo.



How to fix this? 

Well, rebooting did not seem to work.  But this did:

Start services.msc, go to Windows Audio Endpoint Builder, and restart it.  This will prompt you to accept a restart of the Windows Audio also.  Do that.  On restart, your audio will be back. 






And you should be good.

Keep in mind that I have now had to do this several times (or at least twice) and while this fixes the issue, the restart does not seem to completely fix the issue, as it has come back at me.



Upgrade Lync 2013 SE to SfB SE

So the magic time has arrived.  We have a new Skype for Business 2015 server release.  After downloading the new ISO from your licensing site, or if you have MSDN for your lab, you can upgrade your existing Lync 2013 servers directly!  What a great feature.  I have been waiting for this since … well, a long time.

What needs doing?

I am going to upgrade my Lync 2013 SE.  You may want to review this here first. Then, I think prudence will dictate that you read this next as this is the official documentation on upgrading an existing Lync 2013 server to Skype for Business 2015.

Before I started, I did the February 2015 Lync CU updates to the entire environment, and also, based on our reading, we need the Lync server to be at SQL2012 sp2.  You can get that little download here.

If you are doing an SE like I am, then you need these three commands to accomplish the task:


BTW, if you don’t see this window during the second and third command lines, the upgrade did not take… reboot and start with number two…I don’t know why this happens, and rather than burn time figuring it out, I just booted between steps. FWIW, I seem to have “issues” with doing service packs on SQL Express, so I just always reboot between steps.  I am sure there is some elegant way around this that smarter people have figured out, but not this guy.


You can check your success by running this little scriptlet: (I got it here)

# List every installed SQL Server instance with its edition and version
$inst = (get-itemproperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server').InstalledInstances
foreach ($i in $inst)
{
   # Map the instance name to its registry key name
   $p = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\Instance Names\SQL').$i
   (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$p\Setup").Edition
   (Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\$p\Setup").Version
}

Once you get done with that, you will need to pick a spot to install the SfB Admin tools.  We need to get the topology updated, and once you update topology, the Lync topology builder is going to be useless to you; and there is no rolling back.  Unless you export-csconfiguration and save yourself a tbxml and then do a force restore.  I recommend that you take a pause and figure out those two steps and do them now before proceeding.  The last thing you want is to hang yourself out to dry.  A career limiting move to be sure.

OK, so choose a valid source onto which you will install the SfB admin tools.  The prerequisites for this are the same as Lync.  So you can read up on those requirements here. I don’t know about you, but I would pick a Server 2012 R2 instance or possibly an x64 Windows 8 or higher as the prerequisites will already be met.  YMMV.

With the SfB admin tools installed, and an export-csconfiguration and an export-cslisconfiguration AND a pre-SfB topology TBXML saved, we can proceed.

One of the things the official documentation mentions is to ensure that all the services are running on the pool you are upgrading.  You can see the status here (ignore the LYNCBACKUP you see here, I am doing something I am not supposed to…)


With that verified, we can now open Topology Builder using the SfB toolset. And here we are!


Note that the layout looks very similar, and in fact follows along with the 2010-2013 upgrade process – except this time we get to upgrade directly!  Yes!  At this point, Microsoft recommends making a copy of the TBXML you just saved and why you should do it…


If, like me, you have a SQL setup for Archiving and Monitoring that also supports the EE pool, you might want to be safe and update that SQL to SQL 2012 SP2 also.  I did, and had zero issues during this next part. I note this because the pool I am upgrading is doing Archiving and Monitoring, and those databases are being used for the EE pool, and I know that the upgrade process is going to touch those databases, and the minimum to get this done cleanly is SQL 2012 SP2….

Select the pool, select “Upgrade to Skype for Business Server 2015…”


Say yes to the nasty gram…keeping in mind that if you say yes, and things go sideways, you will be discovering the wonderfulness of restoring a topology from your backups…


Note that your ex-Lync 2013 pool is no longer there, but your topology now has a SE under the Skype for Business Server 2015 node…


Publish your new topology using the time-honored, traditional method…


Finally, the magic moment has arrived… we have worked down to Step 5 of the official guidance, and we are looking at this:


Being brave, we will select setup.exe and live with the consequences! Say yes to this first one..


Accept the license agreement…and no, I am not going to screen cap that thing.  Oddly enough, there were no updates to be found.


And voila!  A hidden requirement that is not listed anywhere.  Turns out you need 32 GB of uncompressed NTFS space.  Please wait while I go fix this.  Shouldn’t be too long.  OK, I am back with 25 more GB of virtual drive space…

Apparently there was a prerequisite that I missed (I swear I did them all), but!


As advertised, on reboot the installer just continued forward.


almost done… about 12 minutes…


es finite!


It don’t get easier than this.  Thank you Product Team!

Note that there is a new cmdlet to run to start the pool.  If you are doing EE pools, you should read up on this one.  For maintenance and CU work, you are going to have to change some of your process to include this new cmdlet.


And we are complete…I had a few scary-looking warnings go flying by, but I also understood that I was upgrading the CMS holder, and I sort of expected replication to be borked until the server was fully started.  In the end, patience!


The EE pool, still on 2013, thinks that the CMS is good to go!  Note the version difference between the EE and Edge pool members and the SE…


We even have a new SfB Control Panel!


As in-place upgrades go, this was fairly painless and very straightforward. All functions expected to be functioning are, in fact, working just fine.



Lync 2013 / SfB Client update updated

Referencing this previous post:  http://tsoorad.blogspot.com/2015/04/lync-2013-skype-for-business-client.html

Thanks to Elan Shudnow, here is a potential work-around for you… but you will need to have it in place prior to the blessed event…

Here is an applicable TechNet link:


To get around this first launch issue with the new patch, you’ll want to set EnableSkypeUI to $false and pre-define registry settings using a GPO so it immediately brings up the Lync 2013 client experience without first bringing up the Skype for Business UI and then having a user restart the client.

The link above provides the settings needed to get the above working.  It’s important to specify the GPO as mentioned in the TechNet article, as you want to add a new registry key (which will only do it if it doesn’t exist) instead of updating the registry key.

Specifically, the steps to get Lync 2013 UI displaying on first launch and subsequent launches are:

  1. Get-CSClientPolicy | Set-CSClientPolicy -EnableSkypeUI $false
  2. Create GPO as outlined in the article under the “Create a Group Policy to modify the registry on a domain joined computer”

Remember that when or if you do upgrade the servers or your environment to SfB, you will need to undo the GPO.  In theory, the in-band provisioning will override the GPO…

“You can specify the client experience the users in your organization will see by using the Set-CSClientPolicy cmdlet with the EnableSkypeUI parameter. The following command selects the Skype for Business client experience for all users in your organization affected by the Global policy (remember, site or user-specific policies override the Global policy):” (my bold and italics added)

…but we all know how that goes, yes?


Lync 2013 / Skype for Business Client update


Hello, it is April 22, 2015.  Note the date…

If you run the latest Office 2013 updates into your environment, but, as expected, you still have Lync 2013 for the pool servers, you will see this when the client next opens Lync.  Normal, anticipated, but still a PITA for the user and likely to generate some help desk angst.


After a restart of the client by clicking on the “restart now” button, you will see this:


As in, back to “normal.”