About Me

TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2018/04/19

SfB Disabling TLS 1.0/1.1 Guidance

On October 31, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on October 31, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

SfB impact?

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying prerequisite updates to .NET and SQL, and finally another, separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including the Edge role and SQL back ends, requires the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.
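To see where a given server stands before and after the registry import, the following read-only audit is an added example (not from this post or from Microsoft's guidance). It assumes the standard SCHANNEL and .NET Framework 4.x registry locations and does not verify that CU6 HF2 or the SQL updates are installed; confirm the required values against the linked Microsoft articles.

```powershell
# Added example: read-only audit, changes nothing. Run elevated on each server
# (Front End, Edge, SQL back end) before and after the registry import.
$schannel   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$dotNetKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
              'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'

function Get-RegDword {
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, so the OS default applies.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SchannelProtocolState {
    foreach ($protocol in 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($role in 'Server', 'Client') {
            $key      = "$schannel\$protocol\$role"
            $enabled  = Get-RegDword -Path $key -Name 'Enabled'
            $byDefOff = Get-RegDword -Path $key -Name 'DisabledByDefault'
            $state = if ($null -eq $enabled -and $null -eq $byDefOff) { 'NotConfigured' }
                     elseif ($enabled -eq 0)  { 'Disabled' }
                     elseif ($byDefOff -eq 1) { 'DisabledByDefault' }
                     else                     { 'Enabled' }
            [pscustomobject]@{ Protocol = $protocol; Role = $role; State = $state }
        }
    }
}

function Get-DotNetTlsState {
    foreach ($key in $dotNetKeys) {
        [pscustomobject]@{
            Key                      = $key
            SchUseStrongCrypto       = Get-RegDword -Path $key -Name 'SchUseStrongCrypto'
            SystemDefaultTlsVersions = Get-RegDword -Path $key -Name 'SystemDefaultTlsVersions'
        }
    }
}

$protocolState = @(Get-SchannelProtocolState)
$dotNetState   = @(Get-DotNetTlsState)
$protocolState | Format-Table -AutoSize
$dotNetState   | Format-Table -AutoSize

# Flag the ordering problem the post warns about: legacy TLS already off
# while the TLS 1.2 side of this server is not ready.
$legacyOff = $protocolState | Where-Object { $_.Protocol -ne 'TLS 1.2' -and $_.State -eq 'Disabled' }
$tls12Off  = $protocolState | Where-Object { $_.Protocol -eq 'TLS 1.2' -and $_.State -like 'Disabled*' }
$weakNet   = $dotNetState   | Where-Object { $_.SchUseStrongCrypto -ne 1 }
if ($legacyOff -and ($tls12Off -or $weakNet)) {
    Write-Warning 'TLS 1.0/1.1 disabled, but TLS 1.2 is blocked or .NET strong crypto is not set.'
} elseif (-not $legacyOff) {
    Write-Output 'TLS 1.0/1.1 not yet disabled here; finish all prerequisites before the import.'
} else {
    Write-Output 'TLS 1.0/1.1 disabled; TLS 1.2 not blocked and .NET strong crypto set.'
}
```

Running it on every server in the topology and keeping the "before" output gives you a record to compare against if something stops connecting after the change.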

Background reading:

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/12/22/the-end-of-support-for-older-tls-versions-in-office-365/

And then read part 1 here for more background specific to SfB/Lync and the supportability statements:

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/

Part 2 here gets into the weeds a bit on “How To Achieve”.

https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/

Part 3 will be published at a later date. 

Woot!

Here is guidance for Lync Phone Edition (LPE):

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Certified-Skype-for-Business-Online-Phones-and-what-this-means/ba-p/120035 

General TLS1.2 whitepaper:

https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/

Here is the Microsoft Exchange equivalent:

Part 1

https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/

Part 2

https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/

And big surprise, part 3 to be published later.

Summary

If you or your customer is doing anything with Office 365 hybrid, then you need to be reading all of this and figuring out your next steps.

2018/03/06

Consultant Marketing Plan

My team gets tired, I am sure, of hearing me urge them to get out in front of Sales. Sales needs to have something to sell; engineers need sales to sell them. But, there is no process to follow to tell the local sales types what is available. After all, my skill set does not map directly to some nifty SKU in a catalog.

I am reasonably certain that is true for almost all humans. If that is true, and there is no process or guidebook on how to “get in front of sales”, how can you expect the sales team to sell something they don’t know about?

The answer, of course, is found in your personal marketing plan. Let’s pause here while you do some light reading here, here, and here. What do I get out of that reading? That the definition is going to change from group to group. So, here is my take on this. Marketing is educating the consumer about why they need/want you or what you offer. In this case the consumer is the sales team. The sales team needs to know why their customer needs/wants you.

How do I do that?

Here is the rub: The answer to that question is going to change for each person. I can give you general guidance, but my personality (or lack thereof according to the SO) will make what I do work for me, but not necessarily for you. But, let’s give this a swing anyway, ok?

Preparation

Another thing my team is tired of hearing is goals, objectives, planning, focus, and accomplishing those goals and objectives. So, start there. Make yourself a backwards planning shell and pick a date in the future and set a goal of being able to approach the FSM in your market with the offer of at least one presentation to the local weekly sales huddle. You might need to make sure that this presentation also appears in PPT format so that you can contact your neighboring branch FSM’s also.

What is the content of this presentation?

A better question is: what is the delivery? The content of the presentation is your willingness to help with pre-sales. Delivery of the message/presentation will take many forms and need constant reinforcement. One FSM might not want to have a “presentation” but is totally willing to do email and other options. Your delivery in that case is more electronic and you’ll have to make a point to get face time with the branch staff. And a solid point here is: nothing replaces face time. I don’t care how good your video conference solution is, it is not face time.

You need to have an elevator pitch tailored to the sales team. Delivery of that pitch does require face time. But you need to be doing that anyway. Sales won’t sell what they don’t know. They need to know you.

Your resume needs attention at least once a quarter. Maybe all you do is read it aloud and decide it is still valid. But maybe you might want to update a significant achievement. Maybe you achieved another goal and passed a test or two. Added some more Mic, Key to your signature block. But, at least it is up to date. And have it in PDF format so that you can drop it into email on demand. Perhaps, if you are ultra-inventive, you will create a one-page marketing slick.

Send the resume and/or slick to the FSM, CEM, CSM, et cetera. Make sure the RC gets a copy also.

You will also want to get together with your SDM, CSM, CEM, FSM, and AE types and flat out ask them what they need/want. Make an appointment with the SDM, FSM, CEM, CSM, and be prepared to discuss the following question:

“What can I be doing to help sales be successful?”

Notice that I approached this not as “what do *I* get” but rather what does the sales person get. Appeal to their personal interests and structure. I market myself to the sales teams. I educate them on what I offer to their success.

Remember that you have a story to tell; but you need to keep it out of the techie weeds and relate your skills and accomplishments in business terms. Technical details should stay in the 150-175 level.

On actual pre-sales calls you may need to drive past the 300 stuff, but for this purpose, something less detailed is much better. Your friendly sales executive needs to be able to spin the story to their customers. You need to give the sales team the data needed to create the story, but the data needs to be in an understandable form for the receiver, not the sender.

Time Time Time

But all this takes time. Building a reputation and instilling confidence in both your abilities and the idea of approaching the sales team is not going to happen overnight. It will take a bit. Take the time to create the goal and then figure out how to achieve that goal within the next quarter. Be prepared to adjust your plan based on input from the previously noted acronyms. Then take that plan to your SDM. You need an IDP outline anyway, right? It might as well be something useful!

In the end…

Being a consultant is much more than successful project delivery. A consultant should be helping with the entire sales process. A consultant recognizes the need to market themselves to the sales team and takes appropriate actions to achieve that goal.

Do you want to expand your career but are struggling with getting started? I am here to help.

YMMV

2018/03/03

FastTrack Network Checking

You may not know but Microsoft is providing a fairly nice tool to check your network for SfB performance.  Free.  Free is a very good price, eh?

I am not going to extol the virtues and services offered by fasttrack.microsoft.com, I just want to delve a little into the network checking tool.  And, this tool has been around for a bit.  So, I wanted to get a little updated review.

First off, I cannot even find this thing anywhere on the https://fasttrack.microsoft.com site.  Sorry.  Maybe I am blind, but I am not seeing it anywhere.  There is probably some zippy button marked “tools” but I am just not grokking.  Having said that, I know of these:

http://ap1-fasttrack.cloudapp.net/o365nwtest

http://em1-fasttrack.cloudapp.net/o365nwtest

http://na1-fasttrack.cloudapp.net/o365nwtest

Here I am checking my lab tenant against the ap1 site.


Note the two addresses given by the tool…


The 76 address is my laptop, currently operating from a hotel out in the middle of the Oregon Cascade mountain range.  So, this connection is going to be testing from my laptop to the AP1 site to see how things stack up. 

With a little imagination, you could bury a workstation in some remote spot on your network, and pretty much map out the entire path to the world – giving a glimpse into how things line up.  This could be useful, yes?

You can see that the lag from here to there is running about 170 ms, which might not be so great in some circumstances.


Overall, the tool produces a raft of great info… here is the summary tab.  Note that something is not quite right as the tool cannot simulate VOIP traffic.  Could be something you need to look into here?

Here is the same test run against the NA1 site.  Note the differences.  We also now have a MOS score.  3.2 is not as good as we want, but doable.  Not too bad for out of a hotel where I am sharing bandwidth with 200 other rooms.


We also got some nice jitter measurements on this run…


And finally, if you drive into the route tab, you will get more data points.


What do you think you could do with information such as this?


If you have questions about any attribute/factor measured in these tests, there is also a handy glossary. 


If you or your organization is considering moving to Office 365 in any capacity, this is one of the first tools you should be working. I have been telling customers for a long time that if we do our job right, then any problems will be network, firewall, or load balancers.  This tool can help you prove that.  In a more complex internal net, you might even be able to tell the network team right where to look!


YMMV

2018/02/01

AudioCodes HRS 458 Firmware 3.04.1192

Dropped off an HRS 458 at a customer yesterday, OOBE.  Setup took about 5 minutes (have to hook up cables and whatnot), created an account for it, and powered it up.

A little access to the web interface, and I have a unit up and running, logged into on-premises Skype for Business pool, and dang! 

The HRS starts barfing on finding the calendar for the account.  This is not good.  Some quick checking shows that the environment has no Autodiscover.domain.com record internal, but it does have an SRV.  I know, but don’t ask me.  Not my slice of life at this customer.

However, this does show that an OOBE for the HRS, firmware 3.0.2.xxxx needs to have something other than just an SRV record.

A little judicious communication revealed a new firmware being available for the HRS.  My contact inside AC indicated that his notes showed that the “problem” was resolved with 3.04.1192 release.  What the heck, I tried it. 


Voila!  Problem solved.

Of course, now we have to ask why no A record (or CNAME), and why put in the SRV record, not know why it was done, and then never question the mechanics of it, or actually solve the original issue that resulted in the SRV record.  Well, I get to ask at any rate, not sure I will ever get the answers.

YMMV


2018/01/24

IP Phones in the Teams Road Maps

Hello all,

I got some good stuff from my friend Daryl over at AudioCodes the other day.  Daryl Hunter is a voice architect over there; he just knows stuff.  Good source.

At any rate, the important tidbit for our purposes is that Daryl/AudioCodes thinks that Microsoft has a solid chance of making good on its 2Q2018 target for IP phones to be used in Microsoft Teams.

Note the "Calling Road Map"



This means that your existing SfB/Lync IP phones can be re-used with Teams.  Nice.  Hate to buy that stuff more than once.

FYI, here are the two road maps.  Note that they conflict to a small degree, but generally say the same thing.

The “static roadmap” PDF is here: https://aka.ms/skype2teamsroadmap and using phones is road mapped for 2Q2018.  The “interactive roadmap” is here: https://products.office.com/en-US/business/office-365-roadmap?filters=%26freeformsearch=teams%20calling#abc and shows the same info (CY2018) but doesn’t specify 2Q.  It was refreshed last Friday.



I also think that the casual reader could benefit from reading the FAQ - it gives some quasi-good answers to the "why" questions that are bound to come up.

YMMV


2018/01/22

SfB SE CMS Master failover success process

Background

You can start by reading this.  This is a tested path forward if you find yourself in the CMS split-brain scenario as described in that article.  After noodling through that process yesterday, and knowing that I have customers who need this to work so as to ETHICALLY meet their SLA/RTO/RTP type stuff, I got to thinking.  And then Josh Walters, a co-worker of mine, made the fateful comment “the server that gets failed over to is happy and functioning, why can’t we just leave it alone?”
In relative age terms, from the mouth of babes…I got to thinking – can I create a process that is repeatable, that comes before the Vale 19-step method, and allow me to confidently tell customers that “this works.”

Scenario

We are ignoring the RGS and the Edge changes necessary for the full site failover in this article.  We are totally focused on just the CMS, why it happens (theory on my part), and what to do to recover gracefully in a predictable manner (empirical on my part).
There is actually the option to not perform a CMS failover…I have had environments where the CMS was offline for extended periods of time with no ill effects.  Just don’t change anything.
Our environment is two SfB SE servers, pool paired.  Sfbse.tsoorad.net is the “old” master, sfbse2.tsoorad.net is the “new” master.
After making up the pool pair, we have simulated the datacenter outage by turning off sfbse.tsoorad.net, thereby making the surviving system components think that the CMS master is gone.  Power off is a state that pretty much assures that no-one is talking to that server anytime soon.










The initial CMS server failover goes just fine.  The problem comes up when the “old” master comes back online and thinks that IT is the master.  But the sfbse2 server, the “new” master is in charge, and suddenly, you cannot make changes.  Classic split-brain.  Replication is borked.  Attribute pointers don’t point.  See the blank in this example where the ActiveMasterFQDN might just be something we need to know about.




What is causing this

If my surmise/theory is correct, the split-brain starts when the second node assumes control of the CMS.  No problem.  As a domain member running with the proper authority/credentials, the AD gets changed, the topology gets changed, and the surviving servers in the environment start replicating from what they are told is the CMS.  At this point everything is fine; the split-brain has started, just not affecting us quite yet.
The split-brain posture really gets wound up when the failed server comes back online and it thinks that it is the CMS master.  Understandable.  Before whatever happened happened, that server was indeed the CMS master.  But another server is now designated, and the newly revived server never got re-written, and things are now just a tad stuck.  Again, see this article here, as well as the Mark Vale article here.

What to do about it

The obvious answer, of course, is the easiest.  We will wait right here as you locate your copy of last night's backup script and the ensuing copy of the Export-CsConfiguration and Export-CsLisConfiguration exports and carefully resolve NOT to use them (they point to the OLD master, and the NEW master is up and running – and in the immortal words of Josh Walters, “can’t we just leave it alone?”).  Keep in mind that you don’t HAVE to move the CMS back.  To dovetail with the Savant Walters, we can further notice that the CMS has a failover cmdlet, but no failback cmdlet.
You will make new ones here in the next section and they will be better as they will not reference the original CMS master (pre failure) as the master or being “active”.

Fix me!

From the “new” master, run:
  • Export-CsConfiguration (we are just being thorough, you should not need this file for this exercise)
  • Export-CsLisConfiguration (ditto)
  • Place your new exports where you can use them in case you don’t already have them, and then throw them away after the next time your backup captures that data.  If you get to the end of all this, and invoke a failback to the “old” master, you can throw the exports away in that case also.  You do have a plan, right?
  • Stop services on the “new” master:  FTA, LyncBackup, Master, Replica
Bring the “old” master back online.
  • From the “old” master, stop services:  FTA, LyncBackup, Master, Replica
From the “new” master:
  • Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn sfbse.tsoorad.net -SqlInstanceName RTC -Clean -Verbose
From the “old” master:
  • Start the SfB deployment wizard
  • Run Step 1 (Install Local Configuration Store)
  • Run Step 2 (Setup or Remove
  • Start the services stopped earlier BUT DO NOT START MASTER
From the “new” master:
  • Invoke-CsBackupServiceSync -PoolFqdn sfbse2.tsoorad.net
Wait a bit, then run through:
  • Get-CsManagementConnection (should show “new” master)
  • Get-CsService -CentralManagement
  • Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus
Here we are, fixed.  Note that the “new” master is still the master, but now the “old” master thinks it is no longer the master, but subordinate to the “new” master.  All this is just fine.  We don’t care WHERE or WHO holds CMS master, as long as we have a posture where we can read/write topology.
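The "wait a bit, then run through" checks can be turned into a pass/fail poll. This is an added example, not part of the tested process above; it assumes the lab's “new” master name from this post, and the timeout and polling interval are illustrative values.

```powershell
# Added example: run in the Skype for Business Server Management Shell.
$ExpectedMaster = 'sfbse2.tsoorad.net'   # the "new" master in this post's lab
$TimeoutMinutes = 15                      # illustrative value
$PollSeconds    = 30                      # illustrative value

function Get-CmsProblem {
    param([string]$ExpectedMaster)
    # Topology view: which pool hosts the Central Management service.
    $cmsPools = @(Get-CsService -CentralManagement | ForEach-Object { $_.PoolFqdn })
    if ($cmsPools -notcontains $ExpectedMaster) {
        "Topology lists CMS on '$($cmsPools -join ', ')', expected '$ExpectedMaster'"
    }
    # Store view: a blank ActiveMasterFqdn is the split-brain symptom described above.
    $store = Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus
    if ([string]::IsNullOrWhiteSpace($store.ActiveMasterFqdn)) {
        'ActiveMasterFqdn is blank'
    } elseif ($store.ActiveMasterFqdn -ne $ExpectedMaster) {
        "ActiveMasterFqdn is '$($store.ActiveMasterFqdn)', expected '$ExpectedMaster'"
    }
    # Replica view: every replica must report UpToDate.
    Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate } |
        ForEach-Object { "Replica $($_.ReplicaFqdn) is not up to date" }
}

# Poll until everything agrees or the timeout expires.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $problems = @(Get-CmsProblem -ExpectedMaster $ExpectedMaster)
    if ($problems.Count -eq 0) { break }
    Start-Sleep -Seconds $PollSeconds
} while ((Get-Date) -lt $deadline)

if ($problems.Count -eq 0) {
    Write-Output "CMS healthy: master is $ExpectedMaster and all replicas are up to date."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```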




At this point, you could do another Invoke-CsManagementServerFailover and get the CMS back over to the “old” master…if you are into consistency like me, then that is what you will do.  If you are like others, you can leave the CMS on the “new” master, and everything will be fine.

Summary

Seeing as how there is no failback cmdlet, could it possibly be that this is all by design, and was never properly documented on the way out of Microsoft-land?
Empirically, as long as both SE pool pair members are up, the CMS failover process is just fine.  If the “old” master is down, things go bad quick and the prudent admin will be prepared to handle that scenario – however remote the possibility may be.
If your CMS fails, then you could be failing also.  Invoke-CsManagementServerFailover is wonderful, provided all the players are still running.  Not so hot when the existing master is no longer available.  This process will get you in a posture of success; is repeatable, and is not too onerous.  Ergo, we have something I can feel somewhat good about taking to the customer.
YMMV
