How to configure Lync 2013 QoS

This is the way that I did it. You may not want to use the same ports, but they’re the standard ones mentioned on TechNet. Also, I’m aware that you can push out the registry setting via GPO, so I’ll leave you to sort that bit out.

Let’s go…

Configuring Port Ranges for Your Conferencing, Application, and Mediation Servers

To implement Quality of Service, you should set up the same port ranges for audio, video, and application sharing on your Conferencing, Application, and Mediation servers.

Property | Conferencing Server | Application Server | Mediation Server
AudioPortStart | 49152 | 49152 | 49152
AudioPortCount | 8348 | 8348 | 8348
VideoPortStart | 57501 | |
VideoPortCount | 8034 | |
ApplicationSharingPortStart | 49152 | |
ApplicationSharingPortCount | 16383 | |

 

Configuring a Quality of Service Policy for Your Conferencing, Application, and Mediation Servers

 

  1. In Group Policy Management, locate the container where the new policy should be created. For example, if all your Lync Server computers are located in an OU named Lync Server then the new policy should be created in the Lync Server OU.
  2. Right-click the appropriate container and then click Create a GPO in this domain, and Link it here.
  3. In the New GPO dialog box, type a name for the new Group Policy object in the Name box (for example, Lync Server QoS) and then click OK.
  4. Right-click the newly-created policy and then click Edit.
  5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  6. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Server QoS) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  7. On the next page, make sure that All applications is selected and then click Next. This simply ensures that all applications will match packets from the specified port range with the specified DSCP code.
  8. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  9. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  10. Under the heading Specify the source port number, select From this source port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 49152 through ports 57500 for audio traffic enter the port range using this format: 49152:57500. Click Finish.

 

Do the same for Video but set DSCP to 34 and use ports 57501:65535.

Again for Application sharing, DSCP 24 and ports 40803:49151.

Here’s what it should look like:

Apply the new GPO to your Lync 2013 servers and run gpupdate /force on the Lync servers to apply the policies, or wait for them to apply automatically.

Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]

"Do not use NLA"="1"

If your QoS is being applied correctly you will see the following entries in the Registry on your Lync servers.

 

Configuring Port Ranges for Your Edge Servers

 

Packet Type | Starting Port | Number of Ports Reserved
Application sharing | 40803 | 8348
Audio | 49152 | 8348
Video | 57500 | 8034
Totals | | 24730

 

This will configure all Edge servers to use the above range of ports.

Get-CsService -EdgeServer | ForEach-Object {Set-CsEdgeServer -Identity $_.Identity -MediaCommunicationPortStart 40803 -MediaCommunicationPortCount 24730}

 

 

Configuring a Quality of Service Policy for Your A/V Edge Servers

  1. Click Start and then click Run.
  2. In the Run dialog box, type gpedit.msc and then press ENTER.
  3. In the Group Policy Management Editor or the Local Group Policy Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  4. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Server Audio) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  5. On the next page, make sure that All applications is selected and then click Next. This setting instructs the network to look for all packets with a DSCP marking of 46, not just packets created by a specific application.
  6. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  7. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  8. Under the heading Specify the destination port number, select From this destination port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 49152 through ports 57500 for audio traffic then enter the port range using this format: 49152:57500. Click Finish.

Do the same for Video but set DSCP to 34 and use ports 57501:65535.

Again for Application sharing, DSCP 24 and ports 40803:49151.

Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]

"Do not use NLA"="1"

 

Configuring Port Ranges for Your Microsoft Lync Clients

 

Client Traffic Type | Port Start | Port Range
Audio | 50020 | 20
Video | 58000 | 20
Application sharing | 42000 | 20
File transfer | 42020 | 20

 

Enable client media ports and set them to the above:

Set-CsConferencingConfiguration -ClientMediaPortRangeEnabled $True -ClientAudioPort 50020 -ClientAudioPortRange 20 -ClientVideoPort 58000 -ClientVideoPortRange 20 -ClientAppSharingPort 42000 -ClientAppSharingPortRange 20 -ClientFileTransferPort 42020 -ClientFileTransferPortRange 20

 

Configuring Quality of Service Policies for Clients Running on Windows 7 or Windows 8

 

  1. In Group Policy Management, locate the container where the new policy should be created. For example, if all your client computers are located in an OU named Clients then the new policy should be created in the Client OU.
  2. Right-click the appropriate container and then click Create a GPO in this domain, and Link it here.
  3. In the New GPO dialog box, type a name for the new Group Policy object in the Name box (for example, Lync Audio) and then click OK.
  4. Right-click the newly-created policy and then click Edit.
  5. In the Group Policy Management Editor, expand Computer Configuration, expand Policies, expand Windows Settings, right-click Policy-based QoS, and then click Create new policy.
  6. In the Policy-based QoS dialog box, on the opening page, type a name for the new policy (e.g., Lync Audio) in the Name box. Select Specify DSCP Value and set the value to 46. Leave Specify Outbound Throttle Rate unselected, and then click Next.
  7. On the next page, make sure that All applications is selected and then click Next. This setting instructs the network to look for all packets with a DSCP marking of 46, not just packets created by a specific application.
  8. On the third page, make sure that both Any source IP address and Any destination IP address are selected and then click Next. These two settings ensure that packets will be managed regardless of which computer (IP address) sent those packets and which computer (IP address) will receive those packets.
  9. On page four, select TCP and UDP from the Select the protocol this QoS policy applies to dropdown list. TCP (Transmission Control Protocol) and UDP (User Datagram Protocol) are the two networking protocols most-commonly used by Lync Server and its client applications.
  10. Under the heading Specify the source port number, select From this source port or range. In the accompanying text box, type the port range reserved for audio transmissions. For example, if you reserved ports 50020 through ports 50039 for audio traffic enter the port range using this format: 50020:50039. Click Finish.

Do the same for Video but set DSCP to 34 and use ports 58000:58019.

Again for Application sharing, DSCP 24 and ports 42000:42019.

Finally for File Transfers, DSCP 14 and ports 42020:42039.

 

Apply this registry setting to ensure that Windows obeys the QoS settings.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\QoS]

"Do not use NLA"="1"
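
A check for the policies above, as an added example that is not part of the original post: it derives the client range strings from the start/count table, then compares them and the DSCP values with what policy-based QoS has written under HKLM\SOFTWARE\Policies\Microsoft\Windows\QoS, which is where the registry entries mentioned in the server section appear. The function and variable names are made up for this example, and it assumes policies that match on source port, as in the server and client steps.

```powershell
# Added example, not from the original post. Needs PowerShell 3.0 or later.
$qosRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\QoS'
$nlaKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\QoS'

function ConvertTo-PortRange {
    # Start port + number of ports -> the "first:last" string typed into the wizard.
    param([int]$Start, [int]$Count)
    '{0}:{1}' -f $Start, ($Start + $Count - 1)
}

# Client ranges taken from the start/count table in this post, with the DSCP values used above.
$clientExpected = @(
    [pscustomobject]@{ Traffic = 'Audio';               LocalPort = (ConvertTo-PortRange 50020 20); Dscp = '46' }
    [pscustomobject]@{ Traffic = 'Video';               LocalPort = (ConvertTo-PortRange 58000 20); Dscp = '34' }
    [pscustomobject]@{ Traffic = 'Application sharing'; LocalPort = (ConvertTo-PortRange 42000 20); Dscp = '24' }
    [pscustomobject]@{ Traffic = 'File transfer';       LocalPort = (ConvertTo-PortRange 42020 20); Dscp = '14' }
)

# Server policy ranges exactly as they are typed into the wizard in this post.
$serverExpected = @(
    [pscustomobject]@{ Traffic = 'Audio';               LocalPort = '49152:57500'; Dscp = '46' }
    [pscustomobject]@{ Traffic = 'Video';               LocalPort = '57501:65535'; Dscp = '34' }
    [pscustomobject]@{ Traffic = 'Application sharing'; LocalPort = '40803:49151'; Dscp = '24' }
)

function Test-LyncQosPolicy {
    param([object[]]$Expected)

    # One subkey per applied policy; the settings are string values on that subkey.
    $applied = @()
    if (Test-Path $qosRoot) {
        $applied = @(Get-ChildItem -Path $qosRoot |
                     ForEach-Object { Get-ItemProperty -Path $_.PSPath })
    }

    foreach ($e in $Expected) {
        # Match on the port range, not the policy name, so any naming scheme works.
        $match = $applied | Where-Object { $_.'Local Port' -eq $e.LocalPort } |
                 Select-Object -First 1
        [pscustomobject]@{
            Traffic      = $e.Traffic
            LocalPort    = $e.LocalPort
            ExpectedDscp = $e.Dscp
            AppliedDscp  = $(if ($match) { $match.'DSCP Value' })
            PolicyName   = $(if ($match) { $match.PSChildName })
            Ok           = [bool]($match -and $match.'DSCP Value' -eq $e.Dscp)
        }
    }
}

# On a client use $clientExpected; on a Conferencing, Application or Mediation
# server pass $serverExpected instead.
Test-LyncQosPolicy -Expected $clientExpected | Format-Table -AutoSize

# The registry setting from this post; the value is empty if it was never applied.
$nla = (Get-ItemProperty -Path $nlaKey -ErrorAction SilentlyContinue).'Do not use NLA'
"Do not use NLA = '$nla' (expected '1')"
```

A row with Ok = False and an empty PolicyName means no applied policy has that source port range, which usually points at GPO scope or a mistyped range rather than at Lync.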

 

Switch and Firewall QoS

There’s no use setting all this up if your switches and firewall aren’t configured in the same way, or at least configured to preserve and adhere to the settings you’ve set.

QoS & the Internet

Hah. Good luck with that.

Lync 2013 Front End Service Fails to Start

After installing Lync 2013 the front end service may fail to start. I got the following error:

Log Name: Lync Server
Source: LS User Services
Event ID: 32178
Task Category: (1006)
Level: Error
Keywords: Classic
User: N/A
Computer: lync.jrw.local
Description:
Failed to sync data for Routing group {5A65CDB2-3DB5-5C72-9E7D-416A09E3FB97} from backup store.

Cause: This may indicate a problem with connectivity to backup database or some unknown product issue.

Resolution:
Ensure that connectivity to backup database is proper. If the error persists, please contact product support with server traces.

This looked like the fix: http://support.microsoft.com/kb/2795828/en-us

Had to remove all non root certificates from the trusted root certificates store. However after removing them all and rebooting for good measure I was still unable to start the front end service.

Should have known really. Run Windows updates and install the Lync 2013 cumulative updates KB 2809243 package from here and you’ll be golden.

Lync 2013 Cumulative updates http://www.microsoft.com/en-us/download/details.aspx?id=36820

Clearpass Guest with Sponsor Confirmation

So you’ve got Clearpass Guest and you want to allow any guest users to connect and register for an account. To stop anyone from accessing the guest network you enable the “Require sponsor confirmation prior to enabling the account” setting. Then perhaps it would be nice to allow the sponsor to be able to extend guest account expiry time when they enable the account…

This is what I was thinking anyway.

So I enabled it on my guest registration page:



Excellent! Or so I thought.

It transpires that when you enable sponsor confirmation and enter something into the “Extend Expiration” section any new guest accounts will be automatically enabled!

I had a quick word with Aruba TAC who informed me that this was not a bug and was in fact by design. Hmm. Strange design.

I really wanted this to work the way I assumed it should, so spent a little bit of time playing around with the form settings on the guest registration page.

I modified the “enabled” field as follows:

Set it to enabled, ensure the user interface option is Drop-down list, modify the description if necessary and remove the “1 | Enable visitor account” from the Options.

There we are. You’ll now get the expected behaviour.

Here’s what the Visitor registration page looks like after making this change.

Your guest enters their details, clicks register and gets directed to the Visitor receipt page:

Your sponsor will receive the following email:

“Click here” takes you to this page where you can authorize the guest and extend the expiry time if desired.

Confirmed:

Your Visitor receipt page will now update to allow the new guest to login…

Note: I hard coded my sponsor email address as we always wanted it to go to the same distribution list.

“Basic” Aruba Wireless Issues?

The purpose of this post is to help you understand what to do when certain basic “wireless issues” arise.

This is by no means a comprehensive list and you may have to tailor some things to your site.

This is basic 1st line support so I won’t be delving into the command line goodness.

If one access point is down:

  • Make a note of what lights on the Access Point are on/flashing/off and what colour they are.
    • If the AP is off check the cabling to the PoE switch
    • If the Power light is red, power cycle the AP by unplugging the network cable from it.
    • If the 11A/N and/or 11B/G/N lights are flashing green, it’s likely that they have not been provisioned. See how to provision an AP below.
    • If the 11A/N and/or 11B/G/N lights are green steady, this indicates it’s functioning correctly.
    • If the 11A/N and/or 11B/G/N lights are off, the AP cannot see its controller. See AP to controller connectivity below.

  • Power cycle the access point that has the issue

If all access points are down:

If the customer has Instant APs, this is likely a wired issue.

  • Check that the customer’s switches are all powered on

If the customer has a controller:

  • Check that the controller is accessible via its web console
  • Check that the controller is powered on
  • Check that the customer’s switches are all powered on
  • Check the cabling between the controller and the rest of the network is good
    • Unplug/plug back in
    • Swap cables

How to reset an AP

NOTE: to reset an AP you will need physical access to it.

Instant (controller less) APs

  • Find a paperclip!
  • Turn off the AP by unplugging the network cable from the Ethernet port on the back of the AP
  • Hold the reset button down with the paperclip (keep it held down!)
  • Plug the network cable back in
  • Wait 10 seconds
  • Release the reset button
  • That’s it. The AP will boot and find the master AP and get its config from there.

The image below shows the back of an AP 105

Thin AP (with controller)

  • Connect the serial console breakout adapter cable to the AP Ethernet port and your PC/Laptop
  • Use the default serial settings
  • Power on the AP and get into apboot mode. You’ll see the option to go into AP boot mode when the AP is booting. You will have to press Enter within a 1-2 second window so pay attention to console messages during bootup.
  • From the apboot prompt, enter the following commands
    apboot> purgeenv
    apboot> save
    apboot> print (To check that the settings were really purged! There should be no identifying IP addresses)
    apboot> boot

AP to controller connectivity

An AP will use 4 different methods to connect to a controller:

  • AP Boot command (we don’t tend to do this)
  • DHCP option 43 (a DHCP option which contains the IP address of the controller can be configured)
  • ADP multicast & broadcast (If APs are on the same layer 2 subnet as the controller they can use this method)
  • DNS aruba-master (Create a DNS A record of aruba-master and the APs will use this to find the controller if other methods fail)

So if an AP is failing to connect to the controller it’s a good idea to pull the network cable out of the back of the AP and patch it into your laptop. Run ipconfig and check that you’ve got an IP address in the expected range. If you don’t get an IP address for the correct range or you get an APIPA address then you’ll need to start looking at the wired network.

Also it’s very important that the DHCP DNS Name is configured correctly. The AP will try to connect to aruba-master.<DHCP DNS Domain>

Because of this you must ensure that the DNS Domain given out by DHCP matches one of the customer’s DNS zones and that the zone includes the DNS A record aruba-master that resolves to the IP address of the controller.
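
The laptop check described above, as an added example that is not part of the original post: it reports the address each interface received, flags APIPA addresses, and resolves aruba-master under the DNS domain handed out by DHCP. It assumes a Windows 8 or later laptop (for the NetTCPIP and DnsClient cmdlets) patched into the AP's port.

```powershell
# Added example, not from the original post.
# Run on the laptop after patching it into the cable that normally feeds the AP.
$results = foreach ($addr in Get-NetIPAddress -AddressFamily IPv4 |
                             Where-Object { $_.IPAddress -ne '127.0.0.1' }) {

    # DNS domain for this connection (handed out by DHCP on a DHCP interface).
    $suffix = Get-DnsClient -InterfaceIndex $addr.InterfaceIndex |
              Select-Object -First 1 -ExpandProperty ConnectionSpecificSuffix

    # The name the AP will look up: aruba-master.<DHCP DNS Domain>
    $fqdn = $null
    $controller = @()
    if ($suffix) {
        $fqdn = "aruba-master.$suffix"
        $controller = @(Resolve-DnsName -Name $fqdn -Type A -ErrorAction SilentlyContinue |
                        Where-Object { $_.Type -eq 'A' } |
                        ForEach-Object { $_.IPAddress })
    }

    [pscustomobject]@{
        Interface     = $addr.InterfaceAlias
        IPAddress     = $addr.IPAddress
        FromDhcp      = ($addr.PrefixOrigin -eq 'Dhcp')
        # 169.254.x.x means no DHCP answer: look at the wired network first.
        Apipa         = ($addr.IPAddress -like '169.254.*')
        DhcpDnsDomain = $suffix
        Lookup        = $fqdn
        ControllerIP  = ($controller -join ', ')
    }
}

$results | Format-Table -AutoSize
```

An empty DhcpDnsDomain or ControllerIP on the wired interface means the AP cannot find the controller through DNS either, so check the DHCP scope's DNS domain and the aruba-master A record.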

How to provision an AP

This is only applicable to thin APs (with a controller). Instant APs will self-provision.

  • Login to the controller
  • Go to Configuration > AP Installation
  • The AP that needs provisioning will likely have a U Flag. See below for details of an example of APs with different Flags.

    I’ve removed some identifying information from the image, hence the whitespace..

  • Select the AP using the tick box on the left and click Provision
  • Select the appropriate AP group from the dropdown list (If not self-explanatory, ask someone who knows!)
  • Give the AP a name (copy the standard of the other APs.)
  • Click Apply and Reboot.
  • Wait a couple of minutes and you should see the AP re-appear in the AP Installation page with the new name you set.

Installing the Lync 2010 Monitoring Role

Quick and dirty post.. sorry.

When installing the Lync monitoring role, if you receive an error like the following:

Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft Lync Server 2010\DbSetup\RtcCdrDbSetup.wsf" /dbexists /sqlserver:thegid-lync.thegid.local\MONITORING /serveracct:thegid\RTCComponentUniversalServices /logsize:1024 /verbose
 ---------------
 Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
 Connecting to SQL Server on thegid-lync.thegid.local\MONITORING
 Error connecting (
 name: Error
 description:
 number: -2147221504
 message:
 )
 Attempting to start SQL Server and connect...
 Error starting SQL Server on thegid-lync.thegid.local\MONITORING
 Error (
 name: Error
 description:
 number: -2147023840
 message:
 )
 Ensure that thegid-lync.thegid.local\MONITORING is a valid SQL instance.
 ---------------
 Exit code: ERROR_START_SQLSERVICE (-1)
 When running /dbexists, non-zero exit codes are not necessarily errors
 ---------------
Running script: C:\Windows\system32\cscript.exe //Nologo "C:\Program Files\Common Files\Microsoft Lync Server 2010\DbSetup\RtcCdrDbSetup.wsf" /sqlserver:thegid-lync.thegid.local\MONITORING /serveracct:thegid\RTCComponentUniversalServices;"RTC Component Local Group" /dbpath:C:\CsData\MonitoringStore\MONITORING\dbpath /logpath:C:\CsData\MonitoringStore\MONITORING\logpath /logsize:1024 /verbose
 ---------------
 Installed SQL Server 2005 Backward Compatibility version is 8.05.2312
 Connecting to SQL Server on thegid-lync.thegid.local\MONITORING
 Error connecting (
 name: Error
 description:
 number: -2147221504
 message:
 )
 Attempting to start SQL Server and connect...
 Error starting SQL Server on thegid-lync.thegid.local\MONITORING
 Error (
 name: Error
 description:
 number: -2147023840
 message:
 )
 Ensure that thegid-lync.thegid.local\MONITORING is a valid SQL instance.
 ---------------
 Exit code: ERROR_START_SQLSERVICE (-1)
 ---------------

Open SQL Server Configuration Manager > SQL Server Network Configuration > Protocols for <SQL instance> and ensure that TCP/IP is enabled. Restart the SQL instance after enabling it.

Also if you have issues running the “Deploy Monitoring Server Reports” open Reporting Services Configuration Manager > Web Service URL and ensure that you are able to browse to the Report Server Web Service URL.

Cannot insert duplicate key row in object ‘dboAgents’ with unique index ‘IX_Agents_UserSid’


Lync server 2010 admin? Read on…

If you need to move a user from one Response Group to another you may well encounter the following error message….

lync 2010 response group

Don’t worry, just check the event viewer on the Lync server for the following event:

lync server event

Once you see that event you can add the user to the other response group.

That’s it.

Office 365 directory synchronisation failing for a couple of users (permission-issue)

When I deployed directory synchronisation for our Office 365 (Exchange online) migration I noticed that a couple of users did not sync. 

The synchronisation service manager shows the users failing synchronisation. Here’s what it looks like. It’s the same for both users.

There’s 1 warning and 2 errors in the event viewer which I’ve pasted below.

Can anyone shed some light on this please?

————————————

Log Name:      Application
Source:        FIMSynchronizationService
Event ID:      6100
Task Category: Management Agent Run Profile
Level:         Warning
Keywords:      Classic
User:          N/A
Description:
The management agent “SourceAD” step execution completed on run profile “Export” with errors.

Additional Information
Discovery Errors       : “0”
Synchronization Errors : “0”
Metaverse Retry Errors : “0”
Export Errors          : “2”
Warnings               : “0”
User Action
View the management agent run history for details.

—————————————-

Log Name:      Application
Source:        Directory Synchronization
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
The Management Agent ‘System.Management.PropertyData’ reported  errors on execution.

————————-

Log Name:      Application
Source:        Directory Synchronization
Event ID:      0
Task Category: None
Level:         Error
Keywords:      Classic
User:          N/A
Description:
Executing export run profile on source MA failed for System.Management.PropertyData. Failed to export objects:
dn=”CN=<User1>,OU=<OU>,DC=<domain>,DC=local”,error-type=permission-issue,error-code=8344,
dn=”CN=<User2>,OU=<OU>,DC=<domain>,DC=local”,error-type=permission-issue,error-code=8344,

—————————-

Here’s the fix in my case:

Open Active Directory Users and Computers, enable Advanced Features in the View menu and open up the user object that can’t sync. Go to the Security tab and then into Advanced, and check to make sure the box to inherit permissions is checked.

Before you do that you might want to check what permissions are currently assigned and what they will be assigned after inherit permissions is enabled. After all there might be permissions that you do not wish the particular user to have.
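
One way to do that before-and-after check from PowerShell, as an added example that is not part of the original post: for each user it reports whether inheritance is disabled, the permissions set directly on the object today, and the entries on the parent container that propagate to child objects. It assumes the ActiveDirectory module (RSAT) is installed; the function name is made up, and 'user1' and 'user2' are placeholders for the accounts that fail to export.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-UserAclInheritance {
    param([Parameter(Mandatory)][string[]]$Identity)

    foreach ($id in $Identity) {
        $user = Get-ADUser -Identity $id -Properties nTSecurityDescriptor
        $sd   = $user.nTSecurityDescriptor

        # Parent container = DN minus its first RDN (the lookbehind skips escaped commas).
        $parentDn = $user.DistinguishedName -replace '^.+?(?<!\\),', ''
        $parentSd = (Get-ADObject -Identity $parentDn -Properties nTSecurityDescriptor).nTSecurityDescriptor

        [pscustomobject]@{
            User                = $user.SamAccountName
            # True when the "inherit permissions" box is unticked on the user object.
            InheritanceDisabled = $sd.AreAccessRulesProtected
            # ACEs set directly on the user: what is assigned today.
            CurrentExplicit     = @($sd.Access | Where-Object { -not $_.IsInherited })
            # ACEs on the parent that propagate to child objects: candidates to be
            # added once inheritance is switched back on (InheritedObjectType can
            # still limit an ACE to one object class).
            WouldInherit        = @($parentSd.Access | Where-Object { $_.InheritanceType -ne 'None' })
        }
    }
}

# 'user1' and 'user2' are placeholders for the accounts that fail to export.
$report = Get-UserAclInheritance -Identity 'user1', 'user2'

# Summary: which accounts have inheritance switched off.
$report | Select-Object User, InheritanceDisabled,
    @{ n = 'ExplicitAces';          e = { $_.CurrentExplicit.Count } },
    @{ n = 'InheritableFromParent'; e = { $_.WouldInherit.Count } } |
    Format-Table -AutoSize

# Detail: review these before ticking the box.
foreach ($r in $report) {
    "--- $($r.User): entries that would be inherited from the parent ---"
    $r.WouldInherit |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, InheritedObjectType |
        Format-Table -AutoSize
}
```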

That’s all for now.