About Me

This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.
Showing posts with label Lync Server. Show all posts

2019/05/02

CMS install fails SfB 2015 Jan 2019 CU

Details:

We are upgrading/migrating from Lync 2010 to SfB 2015 (not 2019) (cannot do three levels at once).

New host servers are 2016 Standard.

SQL BE is 2016 SP2.

EE 2015 pool installed, patched to Jan 2019.

Updated databases on BE SQL.

Prepare for CMS move to new EE pool failed on install-csdatabase -centralmanagementdatabase ---- specifically it fails to find the SQL instance.

After much tshooting, we determined that any management workstation or SfB 2015 server with the Jan 2019 CU refused to take this action.

Process ran just fine with SfB2015 July 2018 CU, or from a management workstation running RTM bits.

This error appears on screen to be a SQL issue, but it’s not. There is something “different” with the install-csdatabase server when invoked as -centralmanagementdatabase that is preventing this action. While this error was present, a normal install-csdatabase -update -configureddatabases -excludecollocatedstores (which is needed for the jump from RTM to any CU past CU5) ran perfectly, as did test-csdatabase -configureddatabases.

YMMV

2018/09/24

Logitech Meetup ConferenceCam

In the past, I have used a Logitech cs3000, I had a furious love affair with a bc950, and then I settled down to just using my laptop camera when needed.  Except that did not give me some speaker phone features, no zoom, no pan, no “see the whole room” stuff.

For the last month or so, I have been wringing out a Logitech Meetup.

image

I threw the box away today, because the Meetup now has a permanent spot in the Tsoorad Test Lab.  I find myself using it as a speaker phone AND a video provider on a regular basis.

Here is the Logitech market-speak.

MEETUP

All-in-One ConferenceCam with 120° field of view and integrated audio, perfect for small conference and huddle rooms

  • See everyone, even those close to the camera
  • Works with your video conferencing applications
  • Compact design minimizes cabling and clutter

Furthermore, Logitech claims that:

MeetUp is Logitech’s premier ConferenceCam designed for small conference rooms and huddle rooms. Stop crowding around laptops. With a super-wide 120-degree field of view plus a pan/tilt lens, MeetUp makes every seat at the table clearly visible. With integrated audio optimized for huddle room acoustics, everyone can be heard as well as seen.

The question, of course, is how well are these claims delivered?  Let’s find out.

OOBE

You also get a 16-foot USB cable, power supply, wall mount hardware, and user documentation. The system is certified for use with Skype for Business and Cisco Jabber and offers enhanced integration with BlueJeans, Broadsoft, LifeSize Cloud, Vidyo, and Zoom. That support includes the ability for remote participants to control the camera.

How long are cables?  Dang.  Break out the zip ties if you don’t need all that cable length.  Still, very nice to have.  Sit it on a window sill, table, shelf, or other flat surface.  Or, mount it to the wall or something like that.  The mount will do both.

I had to put the batteries in the remote control module.  Oh! The horror of it all!

image

But, let’s be somewhat careful and do some reading.  At which point I discover that the included cables won’t do 4k.  You will need an aftermarket cable to get the full bazillion square foot display that some folks want.  Good luck finding a USB 3.x A to USB C cable longer than 1 meter.  I just did 1/2 hour of google-fu and did not come up with anything longer than 10 feet.  And that was $92.  Be that as it may, my myopic senses probably cannot tell you the difference in 1080p and 4K coming out of this camera into a web-based video room.

image

SfB/Teams

Here is the bottom line.  My use of the Meetup device in both SfB and Teams was totally seamless (I also have used the Meetup with Webex Teams, and meetings on Bluejeans and Zoom.  Seamless).  The Meetup is an extension of your local host – a Lenovo T530 running Windows 10 in my case.  Operated perfectly.

image

Zoom/Pan/Tilt

Here’s a problem!  I spent too much time playing with the controls.  Addicting.  In and out. Left, right, up, down.  Fun!  And works well.  There is also a button smack-dab in the middle of the control module that returns the camera to dead center. And there is software for download that works pretty much as advertised.  You can also pair this thing with your BYOD to get access to the speaker phone and control the entire unit if wanted.

No zoom:

image

Zoom

image

Audio Quality

*I* thought the audio quality was quite good.  Volume, minimal distortion (if any) even at high volume levels; good timbre, overall, a solid 9.5 on the Tsoorad Goodness Scale.

Video Quality

I wish it had optical zoom instead of digital.  I mean, it sure looks like digital zoom.  Having said that, it did everything I wanted it to do in video terms.  I am not possessing the requisite USB 3 cable to enable the 4K, but the 1080p sure looked pretty good to me…zooming in did result in some blurry stuff – I bet the 4K would fix that.  Impressive it is.  9.0 on the Goodness Scale.

Conclusions

Do you have a 6-10 person room?  Are you wanting to park something in there that participants can just walk up to and plug in and voila! they are in a meeting or can start hosting one?  Are you tired of the laptop camera restrictions on that scenario?  Don’t want to spend a large amount of cheddar on a dedicated wall unit like a Surface or other expe$ive system?  Then this Logitech Meetup is probably just right for you!  Typical great build quality, nice feature set, good controls, integration with just about everything, and with great audio/video quality.  What are you waiting for?

You can get one right here.

YMMV

2018/06/14

audiocodes IPP firmware 3.1

A bit ago, I was the recipient of some new Audiocodes firmware for the 405, 440, 445, and 450.  There is an HRS version as well. 420 is not in this cycle.

Happy to report that based on rigorous Tsoorad Lab testing, all seems to be pretty good with this update.  Numerous new features (especially on the 445)  that bear looking at.  In my testing, I did not discover anything wrong – no devices bricked, they all came back working as expected, new features were there, everything worked as before (always a plus).

You can get yours right here. After 3.1 reaches GA, AC will  (I am somewhat convinced as they have in the past)  create and publish the necessary CAB files to enable pushing this update via SfB/Lync webserver methodology.  If you use the IPP Manager (either express or full) the IMG files work for updating – in my environment, it just works.


IPP Manager view of the new goodness:

image

SfB CSCP view of the old goodness – but you get the idea, right?  Just noticed that the HRS image cab is not showing.  I have asked my AC contacts about that.  Time will tell.

image

Either way, YMMV

2018/05/21

Official SfB 2015 Server Disable TLS 1.0 and 1.1 part 3 guidance

updated 20181107


Microsoft update to what they think they are doing, how they are going to do it, and basically, another waffle episode on their part.


https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365




As you may be aware, we have covered the upcoming 31 October 2018 TLS 1.0/1.1 support being removed from O365.  You can find that guidance here.  As promised, Microsoft has finally published the last pieces of the series.
You can find part 3 here.
As usual, I strongly recommend that you start looking at this now – some of this might take a bit of planning and coordination on your part to accomplish in a clean fashion.

Now is the time to get your sales types contacting existing customers and offering to help.  This will not be a clean thing; rest assured that there will be “issues” and IMHO there is significant potential for unintended consequences.

YMMV

2018/05/14

IPP Manager Express Redux

A while back, I did a little write-up of Audiocodes IP Phone Manager Express.  You can read that right here.  A few days ago I installed a newer version and there is enough difference to warrant a redux.  Specifically, I would like to record for my own purposes a configuration that works (so I don’t forget) and maybe you can use it also.

Pre-Conclusion Statement

If you read no further, know this, I like the IPP Manager, I really do.

What are we doing here?

What we need to do is support a number of Audiocodes IP phones – a bunch of 405HD and 450HD models. We want some very basic changes made to the default OOBE configuration, nothing major, but we do want to be able to hand the phone to the user and have it just work.  Audiocodes calls this “Zero Touch” – which was enough of an attraction to get me to try it.  But, I ran into some “difficulties” when I attempted to interpret what somebody thinks is really outstanding documentation into a workable configuration.  After several emails, and several configuration sessions, I managed to achieve parity with the configuration genie. 

Diving In

Installation went as easily as before.  I did not understand the need for a clean server before and I don’t now.  Fuzzy logic on that one.  But, OK, I am in a freebie lab situation.  While the install is happening, let’s verify DHCP Option 160.  And right there we started having issues.  Which option to choose seems to be an ambiguous question as both seem to work equally well, with ONE of them being preferred, but not required, and no clear (to me) guidance of which is which for my needs.  What I thought would work did not.  I had to use plan B.

Plan A: http://1.1.1.76/firmwarefiles;ipp/dhcpoption160.cfg

Plan B: http://1.1.1.76/firmwarefiles;ipp/tenant/Default

This did not jibe with MY reading of the docs.  However, I am sure that I was doing something wrong, so I tried plan B.  At that point I was in Tshooting mode, and I don’t really know if the DHCP Option 160 choice fixed it or if it was the other part I did.  Either way, I found the documentation a smidge confusing.

At any rate

The install churns along, and before too long, we have this lovely “modern” “more visually attractive” “metro” site open on our local machine. You will note the devices already registered – so nice.

image

One of the things I neglected on my first pass through on the config of the tool, was the tenant.  Because the documentation said there was already one there… and so there was!  But it needed a touch of configuring itself, and that was a bit fuzzy as well. This version of the IPP Manager Express requires a “tenant” which is loosely equated to subnets, but could be a separate fiscal entity.  Clearly this line of management tool is meant for something much larger than my little slice of life.  OK, I can work with that.  A few more emails and a few guesses worked out the kinks in that one.

image

If you are doing the “see if the picture matches” thing, here is where you will find the mismatch.  My default tenant picture there is of my lab, where I only have one subnet.  It is just me and my 8 favorite cartoon characters.  254 addresses is more than enough.  But, I have this customer.  You know those pesky customers.  They always seem to expect some sort of defined success.  And don’t you know these folks expected this tool to provision their phones when they have at least 12-15 subnets in the 172.xx.xx.xx/16 range, and the potential for having SfB clients or a SfB-hosted phone on any of those segments to include the VPN segment.  Yes, Jimmy, I told them not to run the audio/video across the VPN.  You may sit now.

Defining the “tenant” with the proper subnet mask is REQUIRED.  Now, I suppose you could do something dogmatic and create a tenant for each subnet.  You could.  But I did not have a business requirement (see above) for that.  And notice that the subnet in the pic is a MASK not an actual IPv4 address.  We will wait while that runs through a digest cycle.

What we did was define the client subnet as 255.0.0.0 or, /8 which is actually a huge supernet.  But works for the simplicity angle we were also looking for.  We know it is not technically correct to address it that way; but what it did was allow the one IPP Manager to handle ANY address needed.  According to the default tenant in this configuration of  IPP Phone Manager Express, any address that can talk to the server is on a valid subnet.

Moving On

The next thing was the need for a blank template per IPP model (the 405HD and 450HD) and then each needed a customization file.  Included in the install distribution is firmware from about April 2018, and the phones will make use of those firmware files that are newer than the phone. The point here is that I needed to create my own templates before things worked.  I may have (almost certainly) done something wrong in my initial setup.  I know I expected it to be more like my old version – so there is no telling what I did wrong.  I just know that what I have now works. 

Templates

image

I am not going to go through the tenant template file – yours won’t be like mine, but you can clearly see where I have a default tenant configuration template for each phone type and they are tagged (the green/white check mark) as the default.

Once you get this far, you still have a dead stock phone.  Let’s take a look at the edit from here out.  Navigate through the various options and see what is what.   Then click on the button indicated.

That gets you to this:  Fill things out to suit your needs:

image

Make sure that you select the “default” button or not depending on your needs.  You can always go back and make a new one if needed. I know that was needed in my case. Now, you would think that would do it, right?  Well, unless I was making a lot of bad choices, no, now you need to EDIT the entire thing. 

“Ah saved it.”  Huh?  Did I not already do that?  I guess not.

Let’s select “Edit” on our new template.

image

And you get this:

image

Scroll your badself down to the bottom – and there are multiple panes here – confusing as all get out when you work remote…. get to here:

image

Generate your Global Configuration Template for this ONE PHONE MODEL.

image

Woot!

Now, not done yet, we want to edit the template:

Select this “Features” button:

image

In my case I needed the Daylight Savings Time and the Pin Lock.

Here is one, you can figure out the other I think.  But know that when you “SAVE” at the bottom, it will write a secondary config file that the global template will read and enforce.  And that file IS created when you click save.  Don’t ask me, the inconsistency killed me too.

image

Save it…this file is actually located on the ACPhoneMgr drive.

image 

Why the different file saving scheme I have no idea.  But you need both for this to work.  At this point, power cycling a phone does the trick. Phone installs new firmware; reboots, then changes configuration as we want.  So nice.

Conclusion

There is some disconnect between the versions, perhaps due to my lack of mental agility.  This version seems to have some fuzzy documentation – again it could be me.  This is a nice piece of kit once you get it cranked.

PS

I bricked a 450HD while testing this. Phone recovery did not go so well.  Have you ever wondered why a phone with a USB port doesn’t read that port for firmware and as part of the phone bootstrap routine install whatever it finds there?

As always, YMMV







2018/04/19

SfB Disabling TLS 1.0/1.1 Guidance

Update 20181107
Microsoft waffles yet again.
https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365








On October 31, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on October 31, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.
https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

SfB impact?

At a high level, this requires installing Skype for Business Server 2015 CU6 HF2, applying pre-requisite updates to .Net and SQL, and finally another, separate round of OS configuration updates, i.e. disabling TLS 1.0 and 1.1 via registry file import. It is critically important that you complete installation of all prerequisites, including Skype for Business Server 2015 CU6 HF2, prior to disabling TLS 1.0 and 1.1 on any server in your environment. Every Skype for Business Server, including Edge role and SQL Backends, requires the updates. Also ensure that all supported (in-scope) clients have been updated to the required minimum versions. Don’t forget to update management workstations as well.
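The protocol state that the registry import changes can be read back on each server before and after the change. This is an added example, not code from the original post or from Microsoft's guidance; the key paths are the standard Windows SCHANNEL protocol locations, and the function name Get-SchannelProtocolState is hypothetical.

```powershell
# Added example (not from the original post): read-only audit of the SCHANNEL
# protocol keys on the local server. Nothing is written to the registry.
# Get-SchannelProtocolState is a hypothetical helper name.
$SchannelRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'),
        [string[]]$Role     = @('Client', 'Server')
    )
    foreach ($p in $Protocol) {
        foreach ($r in $Role) {
            $key     = "$SchannelRoot\$p\$r"
            $enabled = $null
            $dbd     = $null
            if (Test-Path -LiteralPath $key) {
                $item    = Get-Item -LiteralPath $key
                # GetValue returns $null when the value does not exist.
                $enabled = $item.GetValue('Enabled')
                $dbd     = $item.GetValue('DisabledByDefault')
            }

            # No explicit Enabled value means the OS default applies. On the
            # Windows Server versions discussed here that leaves TLS 1.0/1.1 on.
            if ($null -eq $enabled) { $state = 'OS default' }
            elseif ($enabled -eq 0) { $state = 'Disabled' }
            else                    { $state = 'Enabled' }

            # Target posture after the change: TLS 1.0/1.1 explicitly disabled,
            # TLS 1.2 not disabled.
            if ($p -eq 'TLS 1.2') { $ok = ($state -ne 'Disabled') }
            else                  { $ok = ($state -eq 'Disabled') }

            [pscustomobject]@{
                Computer          = $env:COMPUTERNAME
                Protocol          = $p
                Role              = $r
                Enabled           = $enabled
                DisabledByDefault = $dbd
                State             = $state
                MatchesTarget     = $ok
            }
        }
    }
}

# Run on every server in scope (Front End, Edge, SQL back end, management
# workstation) and compare the results side by side.
Get-SchannelProtocolState | Format-Table -AutoSize
```

A row with MatchesTarget = False for TLS 1.2 on any server is the one to resolve before TLS 1.0 and 1.1 are disabled anywhere else.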

Background reading:

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/12/22/the-end-of-support-for-older-tls-versions-in-office-365/
And then read part 1 here for more background specific to SfB/Lync and the supportability statements
https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-1/
Part 2 here gets into the weeds a bit on “How To Achieve”.
https://blogs.technet.microsoft.com/nexthop/2018/04/18/disabling-tls-1-01-1-in-skype-for-business-server-2015-part-2/
Part 3 will be published at a later date.  Woot!

Here is guidance for Lync Phone Edition (LPE):

https://techcommunity.microsoft.com/t5/Skype-for-Business-Blog/Certified-Skype-for-Business-Online-Phones-and-what-this-means/ba-p/120035 

General TLS1.2 whitepaper:

https://cloudblogs.microsoft.com/microsoftsecure/2017/06/20/tls-1-2-support-at-microsoft/

Here is the Microsoft Exchange equivalent:

Part 1
https://blogs.technet.microsoft.com/exchange/2018/01/26/exchange-server-tls-guidance-part-1-getting-ready-for-tls-1-2/
Part 2
https://blogs.technet.microsoft.com/exchange/2018/04/02/exchange-server-tls-guidance-part-2-enabling-tls-1-2-and-identifying-clients-not-using-it/
And big surprise, part 3 to be published later.

Summary

If you or your customer is doing anything with Office 365 hybrid, then you need to be reading all of this and figuring out your next steps.











2018/01/22

SfB SE CMS Master failover success process

Background

You can start by reading this.  This is a tested path forward if you find yourself in the CMS split-brain scenario as described in that article.  After noodling through that process yesterday, and knowing that I have customers who need this to work so as to ETHICALLY meet their SLA/RTO/RTP type stuff, I got to thinking.  And then Josh Walters, a co-worker of mine, made the fateful comment “the server that gets failed over to is happy and functioning, why can’t we just leave it alone?”
In relative age terms, from the mouth of babes… I got to thinking – can I create a process that is repeatable, that comes before the Vale 19-step method, and allows me to confidently tell customers that “this works”?

Scenario

We are ignoring the RGS and the Edge changes necessary for the full site failover in this article.  We are totally focused on just the CMS, why it happens (theory on my part), and what to do to recover gracefully in a predictable manner (empirical on my part).
There is actually the option to not perform a CMS failover…I have had environments where the CMS was offline for extended periods of time with no ill effects.  Just don’t change anything.
Our environment is two SfB SE servers, pool paired.  Sfbse.tsoorad.net is the “old” master, sfbse2.tsoorad.net is the “new” master.
After making up the pool pair, we have simulated the datacenter outage by turning off sfbse.tsoorad.net, thereby making the surviving system components think that the CMS master is gone.  Power off is a state that pretty much assures that no-one is talking to that server anytime soon.










The initial CMS server failover goes just fine.  The problem comes up when the “old” master comes back online and thinks that IT is the master.  But the sfbse2 server, the “new” master is in charge, and suddenly, you cannot make changes.  Classic split-brain.  Replication is borked.  Attribute pointers don’t point.  See the blank in this example where the ActiveMasterFQDN might just be something we need to know about.




What is causing this

If my surmise/theory is correct, the split-brain starts when the second node assumes control of the CMS.  No problem.  As a domain member running with the proper authority/credentials, the AD gets changed, the topology gets changed, and the surviving servers in the environment start replicating from what they are told is the CMS.  At this point everything is fine; the split-brain has started, just not affecting us quite yet.
The split-brain posture really gets wound up when the failed server comes back online and it thinks that it is the CMS master.  Understandable.  Before whatever happened happened, that server was indeed the CMS master.  But another server is now designated, and the newly revived server never got re-written, and things are now just a tad stuck.  Again, see this article here, as well as the Mark Vale article here.

What to do about it

The obvious answer, of course, is the easiest.  We will wait right here as you locate your copy of last night’s backup script and the ensuing copy of the export-csconfiguration and export-cslisconfiguration and carefully resolve NOT to use them (they point to the OLD master, and the NEW master is up and running – and in the immortal words of Josh Walters, “can’t we just leave it alone?”).  Keep in mind that you don’t HAVE to move the CMS back.  To dovetail with the Savant Walters, we can further notice that the CMS has a failover cmdlet, but no failback cmdlet.
You will make new ones here in the next section and they will be better as they will not reference the original CMS master (pre failure) as the master or being “active”.

Fix me!

From the “new” master, run:
  • export-csconfiguration (we are just being thorough, you should not need this file for this exercise)
  • export-csLISconfiguration (ditto)
  • Place your new exports where you can use them in case you don’t already have them, and then throw them away after the next time your backup captures that data.  If you get to the end of all this, and invoke a failback to the “old” master, you can throw the exports away in that case also.  You do have a plan, right?
  • stop services on “new” master:  FTA, LyncBackup, Master, Replica
Bring the “old” master back online.
  • From the “old” master, stop services:  FTA, LyncBackup, Master, Replica
From the “new” master:
  • install-csdatabase -centralmanagementdatabase -sqlserverfqdn sfbse.tsoorad.net -sqlinstancename RTC -clean -verbose
From the “old” master:
  • start the SfB deployment wizard
  • Run Step 1 (install Local Configuration Store)
  • Run Step 2 (Setup or Remove
  • Start the services stopped earlier BUT DO NOT START MASTER
From the “new” master:
  • invoke-csbackupservicesync -poolfqdn sfbse2.tsoorad.net
Wait a bit, then run through:
  • Get-CsManagementConnection (should show “new” master)
  • Get-CsService -CentralManagement
  • Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus
Here we are, fixed.  Note that the “new” master is still the master, but now the “old” master thinks it is no longer the master, but subordinate to the “new” master.  All this is just fine.  We don’t care WHERE or WHO holds CMS master, as long as we have a posture where we can read/write topology.
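The three checks that close the procedure can be polled until replication settles, rather than run once by hand. This is an added example, not part of the original post; it assumes the Skype for Business Server Management Shell on the “new” master, and the $ExpectedMaster value, the 15-minute timeout and the 30-second polling interval are assumptions to adjust.

```powershell
# Added example (not from the original post). Run in the Skype for Business
# Server Management Shell on the "new" master after the recovery steps.
$ExpectedMaster = 'sfbse2.tsoorad.net'   # pool expected to hold the CMS (from the scenario above)
$TimeoutMinutes = 15                     # assumption: how long to wait for replication
$deadline       = (Get-Date).AddMinutes($TimeoutMinutes)

do {
    # What the CMS store itself reports as the active master.
    # A blank ActiveMasterFqdn is the split-brain symptom described earlier.
    $cms = Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus

    # Per-replica status: every replica should report UpToDate = True.
    $stale = @(Get-CsManagementStoreReplicationStatus |
               Where-Object { -not $_.UpToDate })

    # A blank value never equals the expected FQDN, so this covers both cases.
    $masterOk = ($cms.ActiveMasterFqdn -eq $ExpectedMaster)

    if ($masterOk -and $stale.Count -eq 0) { break }
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

# One summary object that can be saved with the change record.
[pscustomobject]@{
    ExpectedMaster      = $ExpectedMaster
    ActiveMasterFqdn    = $cms.ActiveMasterFqdn
    LastMasterHeartbeat = $cms.ActiveMasterLastHeartbeat
    TopologyCmsPools    = ((Get-CsService -CentralManagement).PoolFqdn -join ', ')
    ConnectionSqlServer = (Get-CsManagementConnection).SqlServer
    StaleReplicas       = ($stale.ReplicaFqdn -join ', ')
    Healthy             = ($masterOk -and $stale.Count -eq 0)
}
```

If Healthy is still False when the timeout expires, StaleReplicas names the servers that have not caught up and ActiveMasterFqdn shows whether the store is still blank.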




At this point, you could do another Invoke-CsManagementServerFailover and get the CMS back over to the “old” master…if you are into consistency like me, then that is what you will do.  If you are like others, you can leave the CMS on the “new” master, and everything will be fine.

Summary

Seeing as how there is no failback cmdlet, could it possibly be that this is all by design, and was never properly documented on the way out of Microsoft-land?
Empirically, as long as both SE pool pair members are up, the CMS failover process is just fine.  If the “old” master is down, things go bad quick and the prudent admin will be prepared to handle that scenario – however remote the possibility may be.
If your CMS fails, then you could be failing also.  Invoke-CsManagementServerFailover is wonderful, provided all the players are still running.  Not so hot when the existing master is no longer available.  This process will get you in a posture of success; is repeatable, and is not too onerous.  Ergo, we have something I can feel somewhat good about taking to the customer.
YMMV
