When installing the Lync monitoring role, if you receive an error like the following:

Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft Lync Server 2010\DbSetup\RtcCdrDbSetup.wsf" /dbexists /sqlserver:thegid-lync.thegid.local\MONITORING /serveracct:thegid\RTCComponentUniversalServices /logsize:1024 /verbose
 ---------------
 Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
 Connecting to SQL Server on thegid-lync.thegid.local\MONITORING
 Error connecting (
 name: Error
 description:
 number: -2147221504
 message:
 )
 Attempting to start SQL Server and connect...
 Error starting SQL Server on thegid-lync.thegid.local\MONITORING
 Error (
 name: Error
 description:
 number: -2147023840
 message:
 )
 Ensure that thegid-lync.thegid.local\MONITORING is a valid SQL instance.
 ---------------
 Exit code: ERROR_START_SQLSERVICE (-1)
 When running /dbexists, non-zero exit codes are not necessarily errors
 ---------------

Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft Lync Server 2010\DbSetup\RtcCdrDbSetup.wsf" /sqlserver:thegid-lync.thegid.local\MONITORING /serveracct:thegid\RTCComponentUniversalServices;"RTC Component Local Group" /dbpath:C:\CsData\MonitoringStore\MONITORING\dbpath /logpath:C:\CsData\MonitoringStore\MONITORING\logpath /logsize:1024 /verbose
 ---------------
 Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
 Connecting to SQL Server on thegid-lync.thegid.local\MONITORING
 Error connecting (
 name: Error
 description:
 number: -2147221504
 message:
 )
 Attempting to start SQL Server and connect...
 Error starting SQL Server on thegid-lync.thegid.local\MONITORING
 Error (
 name: Error
 description:
 number: -2147023840
 message:
 )
 Ensure that thegid-lync.thegid.local\MONITORING is a valid SQL instance.
 ---------------
 Exit code: ERROR_START_SQLSERVICE (-1)
 ---------------

Open SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for <SQL instance> and ensure that TCP/IP is enabled. Restart the SQL instance after enabling it.

Also if you have issues running the “Deploy Monitoring Server Reports” open Reporting Services Configuration Manager > Web Service URL and ensure that you are able to browse to the Report Server Web Service URL.

Lync server 2010 admin? Read on…

If you need to move a user from one Response Group to another you may well encounter the following error message….

Don’t worry, just check the event viewer on the Lync server for the following event:

Once you see that event you can add the user to the other response group.

That’s it.

The synchronisation service manager shows the users failing synchronisation. Here’s what it looks like. It’s the same for both users.

There’s 1 warning and 2 errors in the event viewer which I’ve pasted below.

Can anyone shed some light on this please?

————————————

Log Name:      Application
Source:        FIMSynchronizationService
Event ID:      6100
Task Category: Management Agent Run Profile
Level:         Warning
Keywords:      Classic
User:          N/A
Description:
The management agent “SourceAD” step execution completed on run profile “Export” with errors.

Additional Information
Discovery Errors       : “0″
Synchronization Errors : “0″
Metaverse Retry Errors : “0″
Export Errors          : “2″
Warnings               : “0″
User Action
View the management agent run history for details.

—————————————-

Log Name:      Application
Source:        Directory Synchronization
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
The Management Agent ‘System.Management.PropertyData’ reported  errors on execution.

————————-

Log Name:      Application
Source:        Directory Synchronization
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
Executing export run profile on source MA failed for System.Management.PropertyData. Failed to export objects:
dn=”CN=<User1>,OU=<OU>,DC=<domain>,DC=local”,error-type=permission-issue,error-code=8344,
dn=”CN=<User2>,OU=<OU>,DC=<domain>,DC=local”,error-type=permission-issue,error-code=8344,
—————————-

Here’s the fix in my case:

Open Active directory Users and Computers, enable the Advanced features in the View settings and open up the user object that can’t sync. Go to the security tab and then into advanced, check to make sure the box is checked to inherit permissions.

Before you do that you might want to check what permissions are currently assigned and what they will be assigned after inherit permissions is enabled. After all there might be permissions that you do not wish the particular user to have.

That’s all for now.

1. Download and install the following components

On Exchange 2010 CAS

• Unified Communications Managed API 2.0, Core Runtime (64-bit)

Note: If any other Unified Communications Managed API are installed uninstall before installing

• Microsoft Office Communications Server 2007 R2 Web Service Provider

Note: The installer has a limited GUI which does not confirm that the software was installed

• OCS 2007 R2 Web Service Provider Hotfix KB 981256

Note: The installer has a limited GUI which does not confirm that the software was installed

2. Check (and note) Exchange Certificate Thummbprint

On Exchange 2010 CAS

• Run the following command in the Exchange Management Shell and note the thumbprint and subject on the certificate you are using

# get-ExchangeCertificate | fl

3. Set Lync server used by Exchange for IM

On Exchange 2010 CAS

• Run the following command in the Exchange Management Shell

# Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InstantMessagingServerName <Lync server (or pool) FQDN> -InstantMessagingCertificateThumbprint <thumbprint from previous step> -InstantMessagingEnabled $true -InstantMessagingType 1

• Open an eleveated command prompt and run “iisreset /noforce” to apply the changes to OWA

4. Finally tell Lync about OWA

On Lync 2010 Server

• Run the following command in Lync Server Management Shell:

# Get-CsSite (make a note of the siteID)

# New-CsTrustedApplicationPool -Identity <SN of Exchange certificate from step 2> -Registrar <Lync server (or pool) FQDN> -Site <siteId from previous step> -RequiresReplication $false

# New-CsTrustedApplication -ApplicationId OutlookWebApp -TrustedApplicationPoolFqdn <SN of Exchange certificate from step 2>  -Port 9999

# Enable-CsTopology

Just a quick post this time on Lync Mobile client notifications.

Lync mobile app notifications on iOS and Windows Phone 7 devices will only work if you have dynamic federation.

The reason for this is because the app needs to be running to be able to receive notification and iOS and Win Phone 7 do not allow the app to run in the background to receive notifications. For other devices it just works.

Here’s what synamic federation is as explained by Lync Guy (@ 
http://ocsguy.com/2011/04/20/a-few-words-on-federation/
)

Dynamic federation is a method where a partner company’s edge server is discovered by looking up an SRV record (_sipfederationtls._tcp.domain.com).  Dynamic federation is perfect for an environment where users may need to add contacts from other companies quickly and without administrative intervention.  The firewall will have to allow inbound connections to the access edge server on port 5061 from any potential partners, but for most companies who use open federation, they allow traffic from everywhere on this port to prevent needing administrative assistance.

So with the above in mind, if the company who hosts your external DNS does not support SRV records then you will not have dynamic federation or notification on your mobile clients who run iOS or Windows Phone 7.

Lync Mobile App Downloads link (probably easier to just go to your respective app store on your device)

When lots of clients are connected at the same time e.g. in a school, the AP does not immediately start to load balance them as it waits 30 seconds to evaluate each time. The setting is Spectrum Load Balancing Update Interval. Set this at a low level such as 2 seconds and the hand off should be really fast.

This setting is in RF Management > Radio Profile

Secondly, a problem in some places is that by default ARM is client aware and will not change channel if a client is connected. If there’s a device that is always connected this can cause channel issues with APs interfering with each other as they were not allowed to change. I would recommend changing this setting unless you’re using VoIP over your wireless.

This setting is in the ARM profile:

Here’s a link to the Aruba ARM Collateral. It’s good stuff.

Here’s the scenario:

The customer wanted to provide wireless network access to 2 different groups of users, say sales and technical. The sales and technical user groups have their network privileges restricted by use of VLANs and the customer envisioned have 2 SSIDs, one per user VLAN. Wireless authentication was going to be via a pre-shared key (not my idea!!!).

Here’s the hardware:

2 x Cisco 5508 Wireless LAN Controller (Active & Backup)
130 x Cisco 3500 APs
5 x Cisco 3750 Switches (Core) 24 x Cisco 3650 Switches (Access)
2 x HP DL380 G7 (Server 2008 R2)

I work for an Aruba Networks partner and know that there’s a more elegant solution to what the customer is asking to do when using an Aruba wireless controller but wasn’t aware of a way to do this with a Cisco Wireless LAN Controller.

Solution:

I installed the Certificate Services role on one server and then installed Network Policy Server role on the other.
Created 1 SSID on the Cisco WLC and put it in a guest VLAN which only has Internet access. Configured the SSID to use 802.1x authentication and pointed it at the NPS server and enabled Allow AAA Override. This override setting is key! It allows you to send back RADIUS attributes from NPS which will specify which VLAN users will be put into upon authentication.

Next NPS was configured with 3 Network Policies. One for sales users, one for technical users and one for domain computers.

Now here’s the good bit:

By configuring the following 3 RADIUS standard attribute types in each Network Policy, NPS tells the Cisco WLC that users authenticated should be placed in a VLAN specified in the “Tunnel-Pvt-Group-ID” RADIUS attributes.

Here are the 3 attributes:

[64] Tunnel-Type (Set this to VLAN)
[65] Tunnel-Medium-Type (set this to 802)
[81] Tunnel-Pvt-Group-ID (Set this to the VLAN ID you wish to put the user in)

Next a wireless group policy was configured with the SSID, Encryption, Authentication and single sign on settings and applied to domain computers.

Note: The domain computers NPS Network Policy is essential so that machines can login before the user attempts to authenticate and therefore computer group policy applies and users can authenticate against the domain.

Sources:

Dynamic VLAN Assignment with RADIUS Server and Wireless LAN Controller Configuration Example
NPS RADIUS Attributes

Note: This post is mostly for my benefit so I don’t forget! The links above go into more detail on the topic.

I’ve set up enterprise voice on Lync and have configured it to route calls through a Trixbox (Asterisk-based software PBX) virtual machine.

Speaking of virtual machines, the Lync (standard edition) front end server and the Lync edge server are Hyper-V virtual machines.

I’ll move onto the purpose of this post now…

Whilst setting up the Lync Response Groups I noticed that the standard holiday lists are empty by default and must be entered via the Lync Server Management Shell (powershell).

You’ll need to use New-CsRgsHoliday command to create the holidays then add them to a “Holiday Set” using the New-CsRgsHolidaySet command. Here’s the TechNet page details this.

To save you some time here are the commands to create all the UK public holidays for 2011 and input them into a holiday set called “2011 Holidays”. (updated due to John’s comment below)

$a = New-CsRgsHoliday -Name "New Year's Day" -StartDate "1/1/2011" -EndDate "1/3/2011" $b = New-CsRgsHoliday -Name "Good Friday" -StartDate "22/4/2011" -EndDate "23/4/2011" $c = New-CsRgsHoliday -Name "Easter Monday" -StartDate "25/4/2011" -EndDate "26/4/2011" $d = New-CsRgsHoliday -Name "Royal Wedding Bank Holiday" -StartDate "29/4/2011" -EndDate "30/4/2011" $e = New-CsRgsHoliday -Name "Early May Bank Holiday" -StartDate "2/5/2011" -EndDate "3/5/2011" $f = New-CsRgsHoliday -Name "Spring Bank Holiday" -StartDate "30/5/2011" -EndDate "31/5/2011" $g = New-CsRgsHoliday -Name "Summer Bank Holiday" -StartDate "29/8/2011" -EndDate "30/8/2011" $h = New-CsRgsHoliday -Name "Boxing Day" -StartDate "26/12/2011" -EndDate "27/12/2011" $i = New-CsRgsHoliday -Name "Christmas Day Holiday" -StartDate "27/12/2011" -EndDate "28/12/2011" New-CsRgsHolidaySet -Parent "applicationserver:<your lync mediation server name>" -name "2011 Holidays" -holidaylist ($a, $b, $c, $d, $e, $f, $g, $h, $i)

Just modify the last line and replace <your lync mediation server name> with the FQDN of your Lync server.

Here’s the same for 2012:

$a = New-CsRgsHoliday -Name "New Year's Day 2012" -StartDate "2/1/2012" -EndDate "3/2/2012"
$b = New-CsRgsHoliday -Name "Good Friday 2012" -StartDate "6/4/2012" -EndDate "7/4/2012"
$c = New-CsRgsHoliday -Name "Easter Monday 2012" -StartDate "9/4/2012" -EndDate "10/4/2012"
$d = New-CsRgsHoliday -Name "Early May Bank Holiday 2012" -StartDate "7/5/2012" -EndDate "8/5/2012"
$e = New-CsRgsHoliday -Name "Spring Bank Holiday 2012" -StartDate "4/6/2012" -EndDate "5/6/2012"
$f = New-CsRgsHoliday -Name "Diamond Jubilee Holiday 2012" -StartDate "5/6/2012" -EndDate "6/6/2012"
$g = New-CsRgsHoliday -Name "Summer Bank Holiday 2012" -StartDate "27/8/2012" -EndDate "28/8/2012"
$h = New-CsRgsHoliday -Name "Christmas Day 2012" -StartDate "25/12/2012" -EndDate "26/12/2012"
$i = New-CsRgsHoliday -Name "Boxing Day 2012" -StartDate "26/12/2012" -EndDate "27/12/2012"
New-CsRgsHolidaySet -Parent "applicationserver:<your lync server name>" -name "2012 Holidays" -holidaylist ($a, $b, $c, $d, $e, $f, $g, $h, $i)

Just copy the whole lot into the Lync Server Management Shell and Bob’s your uncle. Now when you create a hunt or interactive response group you can choose the enable 2011 and 2012 Holidays.

Pretty much all of the installations that I do use 802.1x authentication for their corporate SSID and most of the clients use Windows server 2003 & Windows XP SP3.  The deployment of the wireless solution is usually pretty smooth as it’s all tried and tested.

Recently I’ve come across an issue with a deployment where the users struggle to authenticate.  The machines authenticated but once the user logged in they couldn’t authenticate.

The main difference in the deployment was the IAS server which was Windows server 2008 (so it’s NPS rather than IAS) but the client OS was Windows XP SP3 which is still pretty normal to see.

I double checked the configuration of NPS and it was all fine. The administrator could connect to the wireless and any new users I created could also connect.

I checked the existing user account and noticed that they all used the same mandatory profile which is stored on the server.  A bit of investigation via the power of the mighty google and a few minutes later I found a Microsoft KB titled “A Windows XP Service Pack 3-based client computer cannot use the IEEE 802.1x authentication when you use PEAP with PEAP-MSCHAPv2 in a domain“.

Looking at the title this seemed promising and while reading the KB (see below) this is exactly the configuration and what’s occuring.

• You configure a Windows Server 2008-based computer as the Network Policy Server (NPS).
• You enable IEEE 802.1x authentication in the network.
• You use Protected Extensible Authentication Protocol (PEAP) with Microsoft Challenge Handshake Authentication Protocol version 2 (PEAP-MSCHAPv2) in the network.

In this scenario, when a Windows XP Service Pack 3 (SP3)-based client computer tries to join the network by using the IEEE 802.1x authentication, the IEEE 802.1x authentication fails.

Notes

• This problem occurs when you use a user account that uses a mandatory user profile.
• This problem does not occur when you use a user account that uses a roaming user profile.

You’ll need to call Microsoft to get hold of the hotfix and make sure you don’t believe them if they say “This hotfix is included in XP SP3″ because it isn’t. They tried to fob be off with that.

The hotfix also comes with a disclaimer…

WARNING: This fix is not publicly available through the Microsoft website as it has not gone through full Microsoft regression testing.  If you would like confirmation that this fix is designed to address your specific problem, or if you would like to confirm whether there are any special compatibility or installation issues associated with this fix, you are encouraged to speak to a Support Professional in Product Support Services.

It worked just fine on my clients machines though which made me and them happy.

Here’s the link to the KB.
http://support.microsoft.com/kb/969111

Disclaimer: I know there are many things worse really but it’s pretty annoying nonetheless

Here are a couple of ways to reset passwords which you may otherwise find difficult to reset. I’ll try to update this from time to time with more applications.

CA ARCServe

1. Open a command prompt on the server where you want to change/reset the caroot password.
2. In the command prompt browse to the drive where you have ARCServe installed (e.g. C:\Program Files\CA\…)
3. Once in the ARCServe folder type in the following: cstop
4. This will stop the ARCServe services that are running.
5. When all services are stopped open the Windows Explorer and browse to the folder:

C:\Program Files\CA\BrightStor ARCserve Backup\Data\Discovery

Here you will find a folder that has the name of your server.

1. Rename this folder. (Don’t delete it as you can always change the name back if there are issues)
2. Back in the command prompt type in the following: cstart
3. This will start the ARCServe services that were stopped in item 4.
4. Still in the command prompt type in the following: Authsetup/p “password” where “password” is what you want the new password to be.
5. Close the command prompt and try to open ARCServe with the new password.

McAfee ePolicy Orchestrator 4.x

1. Login to your SQL server where your ePolicy Orchestrator DB is located.
2. Execute the following query to create a user called epoadmin with a password of epoadmin.

INSERT INTO [dbo].[OrionUsers]
(Name, AuthURI, Admin, Disabled, Visible, Interactive, Removable, Editable)
VALUES (‘epoadmin’,'auth:pwd?pwd=7LTSeirrzM8EjqttaozV4cSiPGQWi8w3′,1,0,1,1,1,1)