About Me

My photo
TsooRad is a blog for John Weber. John is a Skype for Business MVP (2015-2016) - before that, a Lync Server MVP (2010-2014). My day job is titled "Technical Lead, MS UC" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, Skype, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2015/07/23

Lync 2013 Edge Server Replication Failing

Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html

Environment Outline:

Mixed Lync 2013 (Edge) with SfB user pools.  CMS on SfB SE. Operating systems:  All user pools are 2012R2, Edge servers are 2012 (no R2).  Windows updates are current.  PKI is public for Edge external land FE external; PKI is AD DS for FE internal and Edge internal.  Customer changed  AD certificate authority from sha-1 to sha-2.  New root cert pushed to all servers via active directory routines; edge server new trusted root manually imported.

The Issue:

Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (sha-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root.  Basic connection testing using <telnet fqdn 4443> were successful both directions.

The Fix:

We had to reboot the Edge server to get it to recognize the trusted root cert chain.

Logic path:

The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.

Conclusion:

If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>

YMMV

No comments: