About Me

My photo
TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2013/10/16

Lync 2013 Remote Admin with PowerShell

Scenario

You would like to use your desktop/laptop to administer your Lync 2013 environment, or you need to supply some RBAC access to a specific administrative group – i.e., voice admins.  Additionally, you don’t want to give remote server access to everyone.  In this article, we will take a look at what is needed to accomplish this.  But, before you begin, read this, which is a TechNet blog on how to do this with Lync 2010.  Then read MVP Curtis Johnstone’s blog on this, and then this other blog from TechNet.  Maybe I am a bit dense, but it took me all three to put this together.  If you are looking to do this for Lync Online, read this. and then this.

Requirements:

Lync 2013 is 64-bit.  No getting around this.  What this means is that you cannot deploy the Lync 2013 Administrative tools to an x86 machine.  If you have a squeaky new Windows 8 x64 machine, you are all set.  But if you have an x86 or x64 Windows 7 machine (probably the vast majority) – you will need to do some preparation. 

At any rate, you need to ensure that your Win7 is at SP1.  Then you need to install .Net 4.0 – the entire thing, not just the client side.  You can get the .net 4.0 here. You may also attempt to use .net 4.5; but for this exercise, I used the 4.0.  After you get done with these installs, you will of course want to think about re-running Windows Update to pick up the myriad patches that will ensue.  Next, you are going to need PowerShell V3.  You can get that here.  In my little world, I had a heck of a time getting PowerShell v3 to install on my Win7 x86 VM.  I ended up having to throw it (the VM) away and start from a fresh install.  YMMV.

Once we have that in place, you can proceed with setting up for one of two scenarios:  x64 or x86.

If you have x64, then you can simply open the Lync 2013 Deployment wizard (in my lab the Lync setup is located on a mounted ISO: d:\setup\amd64\setup.exe ) and install the admin tools.

image

If you have x86, you are going to be limited to running just PowerShell in remote mode.  Which is the whole point to this article, eh?  Let’s take a look at what needs to be done so that you can bask in the goodness that is remote PowerShell and Lync 2013 administration.  Remember that using credentials that equate to a RBAC role of, say, CSUserAdministrator, will result in only those cmdlets that support that functionality.  You can read up on Lync RBAC here.

If your servers are on your network, fine.  If you are really remote, you will need a VPN of some sort so that you can connect yourself to the network subnet in question. Once you have the network connection part figured out (and no, I cannot help you with that), you are ready for this:

# get creds for remote environment

$credential = get-credential "domain\johnw"

# set session options to bypass the PKI checks - I trust the far side

$sessionoption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck

#create new session

$session = New-PSSession -ConnectionUri https://somelyncfrontendserverFQDN.domain.com/ocspowershell -Credential  $credential -SessionOption $sessionOption

# assuming the above line worked, import the cmdlets needed for Lync

import-pssession $session

A few notes:  You are going to have to have some credentials – no getting around that.  I also tend to go straight at an FE, not to the Load Balancer.  The $sessionoption line causes the Front End server IIS internal services certificate to be basically ignored, so if you connect to a domain server from a non-domain workstation, you should be OK.  The actual script line for my connection was:

$session = New-PSSession -ConnectionUri https://ls2013e2.tsoorad.net/ocspowershell -Credential  $credential -SessionOption $sessionOption

Don’t overlook the “https”  - http will not work.

Operations

Here is the script in action on an non-domain member, x86, Windows 7 SP1 workstation:

image

Asking for credentials

image

Credentials accepted, session established, and fetching the Lync cmdlets from the server

image

Just to show we have what we really want, here is the CS* cmdlets…

 image

Remember that from your reading through the references I give you up above, not ALL of the Lync cmdlets will work.  Synthetic transactions, for instance, need to run directly on the server.  For a refresher on that information, see this.

But, to prove that we can control Lync Server remotely, a quick list of my lab CS users:

image

YMMV

No comments: