At some time Lync edge server stopped replicating changes in configuration. Also a “get-csmanagementstorereplicationstatus” show False on Edge server.

Investigation shows that the firewall has not changed and you can telnet from frontend to edge on port 4443.

Alse got the same error in systemlog on edge server :

Description: When asking for client authentication, this server sends a list of trusted certification authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certification authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certification authorities trusted for client authentication and remove those that do not really need to be trusted. 

The reason for this is the http://support.microsoft.com/kb/931125 update. This resulted in a trusted root ca list of 357 items. Solution is to configure server to not send trusted ca list to client (in this case another server).

Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)

Then I did a “invoke-csmanagementstorereplication” just to verify that replication now occurs.

After update to Root Sertificates ( KB931125) http://support.microsoft.com/kb/931125 You are constantly getting Warning in the eventlog. Also Lync Phones will be unable to sign in. The error message on the phone is that the “Registrar FQDN could not be resolved”.

UPDATED: On new Phones you will only get a message that login failed when trying to sign-in using extension and PIN.

On the Lync Frontend server:

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36885
Date: date
Time: time
User:
Computer: COMPUTERNAME
Description: When asking for client authentication, this server sends a list of trusted certification authorities to the client. The client uses this list to choose a client certificate that is trusted by the server. Currently, this server trusts so many certification authorities that the list has grown too long. This list has thus been truncated. The administrator of this machine should review the certification authorities trusted for client authentication and remove those that do not really need to be trusted.

The solution to this is to make the Lync server to not send the trusted root certification authority list.

Value name: SendTrustedIssuerList
Value type: REG_DWORD
Value data: 0 (False)

This will be a problem for all services that requies client certificates thereby it could be a problem is you run NAC. 

Atle

Needed one AD group that contained all Lync enabled users. Here this  group is called “A-Lync” 

import-module lync
Import-Module activedirectory
$lu=get-csuser
$lu|ForEach-Object{
    $_.Samaccountname
    Add-ADPrincipalGroupMembership -MemberOf A-Lync -Identity $_.Samaccountname
}

Nice document from Microsoft about delegation on Lync Phone Device.

http://www.microsoft.com/en-us/download/details.aspx?id=34593

To enable HD Video:

Set-CsMediaConfiguration -Identity:Global -MaxVideoRateAllowed HD720p15m

(You can select one of 3 different resolutions : CIF250K, VGA600K (the default), and last the HD resolution Hd720p15M)

Enable-cstopology

Restart Lync frontend services.

When installing Lync server 2013 on a Windows server 2012 I got a missing prerequisite.

All you have to do is to install the “Windows Identity Foundation” feature.

Powershell: Add-WindowsFeature Windows-Identity-Foundation

To install all of required Windows features :

import-module servermanager
add-windowsfeature telnet-client,RSAT-ADDS,net-framework-45-core,windows-identity-foundation,Web-Static-Content,Web-Default-Doc,Web-Http-Errors,web-asp-net,web-asp-net45,Web-Net-Ext,Web-ISAPI-Ext,web-isapi-filter,Web-Http-Logging,Web-Log-Libraries,Web-Http-Tracing,Web-Windows-Auth,Web-Filtering,Web-Stat-Compression,Web-Dyn-Compression,Web-Mgmt-Console,Web-Scripting-Tools,Web-Client-Auth,server-media-foundation,MSMQ-Server,MSMQ-Directory,NET-WCF-HTTP-Activation45

 To add “add-windowsfeature Web-Asp-Net,Web-Net-Ext ” your computer needs access to internet.

After some time using Bing I have manged to do this. Thanks to :

http://ucken.blogspot.no/2012/02/re-routing-incoming-calls-to.html 

I wanted the caller that is blocked to get a announcment.

Step 1. Install Microsot Lync Server 2010/2013 SDK.

Step 2. Create a announcement using new-csannouncement.

New-CsAnnouncement -Identity “Applicationserver:server.contoso.com” -Name “NumberBlocked” -TextToSpeechPrompt “Sorry, Your call has been restricted” -Language “en-US” -whatif

Step 3. Create a unassigned number entry in Lync CP. I used +4787654321 as an example. assigning the announcement from step 2

Step 4. Create a BlockedNumbers.txt file on the Lync FE server share. Adding numbers and action ” +4712345678,block”, one on each line.

Step 5. Add the block/reroute script to “C:\Program Files\Microsoft Lync Server 2010\Server\Core”. Called my scripte CallerIDfilter.am (attached file) Remember to edit the file. Replace entries with your unassigned number,fileshare and domain in the manifest part and contact entry.

Step 6. You could run the “compilespl.exe  CallerIDFilter.am” to validate that it does not contain any compilatio errors.

Step 7. Register the CallerIDfilter.am with the lync pool. :

New-CsServerApplication -Identity “registrar:lyncpool.contoso.com/CallerIDFilter” -Uri http://www.contoso.com/CallerIDFilter  -ScriptName “CallerIDFilter.am” -Critical $False -Enabled $True -Priority 2

CallerIDFilter.am (2,22 kb)

When you have downloaded and extracted the phone update this is the command to import it into Lync server:

Import-CsDeviceUpdate -Identity “service:WebServer:lyncpool.test.local” -FileName C:\temp\ucupdates.cab

Step 2 is to either add test devices or aprove the update for deployment.

When calling some foreign numers Lync server CANCEL the call when it is in progress. Network sniff shows that the call is terminates after 10 sec.

This is a default value of the Lync Routing engine. The value is located in “c:\program files\Microsoft Lync Server 2010\Server\Core\OutboundRouting.exe.config”

SOLUTION:Replace value “FailOverTimeout” value 10000 with a value of 20000. Reboot server. Remember to do this on every frontend server that is involved. You will have to reboot involved servers for this to be activated

<configuration>
    <appSettings>
      <add key=”FailOverTimeout” value=”20000″/>
      <add key=”MinGwWaitingTime” value=”1″/>
      <add key=”MaxGwWaitingTime” value=”20″/>
      <add key=”FailuresForGatewayDown” value=”10″/>
      <add key=”FailuresForGatewayLessPreferred” value=”25″/>
      <!– Valid values are between 5 and 600 –>
      <add key=”HealthMonitoringInterval” value=”300″/>
      <!– Valid values are between 60 and 3600 –>
      <add key=”GatewayStateReportingInterval” value=”1800″ />
  </appSettings>
</configuration>

Copied a rule from my regex edit into Company_Phone_Number_Normalization_Rules.txt and it dit not work.

ABServer.exe -testphonenorm could not find any match even tho it told me it was using my rules (according to abserver.exe -dumprules).

Turned out there was one or more spaces at the end of the line. ARG!!!

“^(\d{8})$  ” <—— NO!

Passed Microsoft Exam 70-665 Lync Server,Administrator.

Set do not require encryption on media connections.

 Set-CsMediaConfiguration -EncryptionLevel supportencryption

Add registry dword reg key :

HKLM\Software\Policies\Microsoft\Communicator

GalDownloadInitialDelay DWORD 0

Will cause Lync client to download corporate addressbook on startup.

We had problems with CX600 devices not working properly if we did not enforce device PIN locking. This seems to have been fixed in the latest firmware update.

Atle