Posts Tagged ‘Lync Server Management Shell’

Customizing the Lync meeting page – Part II

November 1, 2011

In part I, I showed you how to change the logo for the meeting landing page. In this part, we’ll go through adding options to the page for various types of clients.

By default, when entering a meeting, a machine with the Lync client will open up and automatically join. But what if the person attending the meeting doesn’t have the Lync client? A machine without the Lync client will open a popup browser window and use Silverlight, but that doesn’t support all Lync features.

silverlight client

We can allow users with the OCS 2007 R2 legacy Communicator client to use that to join the meeting. We simply open Lync Management Shell and use the Set-CsWebServiceConfiguration cmdlet on our Front-End servers:

Set-CsWebServiceConfiguration -ShowJoinUsingLegacyClientLink $true

And the web page looks like this when opened:

Join using legacy client

We can also provide a link for attendees to download the Lync 2010 Attendee client, which provides a better client experience. We can do this by using the same cmdlet in Lync Management Shell, but with a different switch:

Set-CsWebServiceConfiguration -ShowDownloadCommunicatorAttendeeLink $true

Combining the two together allows all possible options:

Set-CsWebServiceConfiguration -ShowDownloadCommunicatorAttendeeLink $true -ShowJoinUsingLegacyClientLink $true

At this point, attendees can join the meeting with the OCS Communicator, Lync, Lync Attendee, or web browser clients. The user would see this (assuming no Lync client installed):

Allow legacy and attendee clients

Combine that with the custom logo configuration from part 1, and we now have a much more personal and flexible Meet page.

Some Lync users can’t communicate with federated contacts and ‘Federation is disabled’ appears in Snooper logs

October 20, 2011

In this scenario, IM & Presence would work for some users to federated contacts, but wouldn’t work for others.

Federated User Access was enabled in the Global External Access Policy and in the Global Access Edge Configuration policy. The target domain was in the Federated Domains list as an allowed domain. There was no discernable pattern as to what users could communicate with federated contacts, and what users could not. They were spread across various Front End servers, OUs, etc. Various clients on the workstation made no difference.

When looking at logs in Snooper on the front end that the user connects to, “Federation is disabled” would appear when the user attempted to send a message out: 

09/16/2011|13:09:13.108 FB8:109C INFO :: SIP/2.0 504 Server time-out
Proxy-Authentication-Info: Kerberos qop="auth", opaque="59715D13", srand="DF93B1E9", snum="16", rspauth="040401ffffffffff0000000000000000450a1d9cc165348ae016ee91", targetname="sip/USSFA1L14POOL2.global.mydomain.net", realm="SIP Communications Service", version=4
From: "user, test"<sip:test.user@mydomain.com>;tag=94a0d94c10;epid=67fd7944cb
To: <sip:prichard@federateddomain.com>;tag=6E14486DE28A93804279A401E6E7A4CF
Call-ID: db3c59b759ef4065adb458d54d03a687
CSeq: 1 SUBSCRIBE
Via: SIP/2.0/TLS 10.1.1.98:58376;ms-received-port=58376;ms-received-cid=63500
ms-diagnostics: 1065;reason="Federation is disabled";domain="federateddomain.com";source="sip.mydomain.com"
Server: RTC/4.0
Content-Length: 0

And traffic for this user would never get to the Access Edge servers. This was the case for ANY federated contacts the “broken” users would attempt to communicate with. Yet, other workers wouldn’t have ANY problem communicating to these same federated contacts. In fact, a “good” user could log onto a test workstation, launch Communicator, and it would work – but then close Communicator and launch Communicator as a “broken” user and not be able to communicate – even from the same Windows session. There was no pattern other than “broken” users would always be broken, and working users would always work.

Many things were inspected, and I tried doing things such as disabling the users in Lync and then re-enabling them. I drain stopped the Front End server that was the user’s preferred server to force them onto another server – no luck.

PSS spent several weeks on this one. Everything was configured correctly. What we decided to try was to set the Minimum session security for NTLM SSP based clients & servers. By default, a Windows 2008 R2 server has both settings set to 128-bit minimum. But Windows XP and earlier clients default to only 40-bit. It didn’t make much sense that this would work since we could duplicate both working and broken users on the same machine. But it was worth a shot. Here’s what we did.

Open the Local Security Policy and navigate to Local Policies > Security Options. Find the Network security: Minimum session security for NTLM SSP based (including secure RPC) clients & servers settings, as shown below:

Minimum session security for NTLM SSP based (including secure RPC) clients

Double click on each and clear the Require 128-bit encryption checkbox as shown below:

Disabling Require 128-bit encryption

Minimum session security for NTLM SSP based (including secure RPC) clients

The settings should now show “No minimum” in the Local Security Policy as shown below:

Minimum session security for NTLM SSP based (including secure RPC) clients

The settings don’t take effect until the server is rebooted. We performed this process on all of the Lync servers in the environment. Incidentally, the settings just change some registry keys. So we can instead change the values using the following PowerShell lines, which will make their way into my server build scripts:

Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NtlmMinClientSec" -Value 0
Set-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0" -Name "NtlmMinServerSec" -Value 0

After the servers were rebooted, and user connections reestablished (which took some time), the problem disappeared. All users were able to communicate with federated contacts.
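The two Set-ItemProperty lines above write 0 to both values, which clears every requirement bit, while the GUI steps clear only the 128-bit checkbox. The following is an added example (not part of the original post or its build scripts) that decodes the current values and clears only the 128-bit flag, leaving any other requirement such as NTLMv2 session security in place. The function names are hypothetical; the bit masks are the documented NTLM SSP flag values.

```powershell
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'

# Documented bit flags for NtlmMinClientSec / NtlmMinServerSec.
# Written in decimal because hex literals above 0x7FFFFFFF parse as negative Int32.
$flags = @{
    16         = 'Require message integrity'
    32         = 'Require message confidentiality'
    524288     = 'Require NTLMv2 session security'
    536870912  = 'Require 128-bit encryption'
    2147483648 = 'Require 56-bit encryption'
}

function Get-NtlmMinSessionSecurity {   # hypothetical name
    param([string[]]$Name = @('NtlmMinClientSec', 'NtlmMinServerSec'))
    foreach ($n in $Name) {
        $raw = (Get-ItemProperty -Path $key -Name $n -ErrorAction SilentlyContinue).$n
        # Normalise to an unsigned 32-bit number held in an Int64
        $value = [int64]$raw -band 4294967295
        $set = $flags.Keys | Sort-Object |
            Where-Object { $value -band [int64]$_ } |
            ForEach-Object { $flags[$_] }
        New-Object PSObject -Property @{
            Name     = $n
            Present  = ($raw -ne $null)      # $false: value absent, OS default applies
            Value    = $value
            Hex      = ('0x{0:X8}' -f $value)
            Requires = ($set -join '; ')
        } | Select-Object Name, Present, Hex, Value, Requires
    }
}

function Clear-Ntlm128BitRequirement {  # hypothetical name
    param([switch]$Apply)               # without -Apply, only reports
    foreach ($cur in Get-NtlmMinSessionSecurity) {
        # Clear only the 128-bit flag; every other bit is preserved
        $new = $cur.Value -band (-bnot [int64]536870912)
        '{0}: {1} -> 0x{2:X8} (was: {3})' -f $cur.Name, $cur.Hex, $new, $cur.Requires
        if ($Apply -and $new -ne $cur.Value) {
            # Reinterpret as signed Int32 so the registry provider stores a DWORD
            $dword = [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$new), 0)
            Set-ItemProperty -Path $key -Name $cur.Name -Value $dword
        }
    }
}

# Record the current state, then preview the change
Get-NtlmMinSessionSecurity | Format-Table Name, Present, Hex, Requires -AutoSize
Clear-Ntlm128BitRequirement
```

Keep the reported "was" values with the server build record so the original setting can be restored; run `Clear-Ntlm128BitRequirement -Apply` from an elevated shell to write the change.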

Lync posters, templates, and cheat sheets

October 13, 2011

Posters

Microsoft Lync Server 2010 Protocol Workloads Poster

This poster shows each workload in Microsoft Lync Server 2010 communications software, describing relationships, dependencies, flow of information, and certificate requirements.

http://go.microsoft.com/fwlink/?LinkId=204599

Visio templates

Lync Server 2010

This stencil provides over 125 shapes to help you create a visual presentation of your Lync Server architecture.

http://www.microsoft.com/downloads/en/details.aspx?FamilyID=65b5a396-2c87-445d-be23-d324727d19cb

Office Communications Server 2007 and 2007 R2

The Office Communications Server 2007 and 2007 R2 Visio stencils contain icons for Office Communications Server 2007 and 2007 R2 server roles and components.

http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=9194

Cheat Sheets

Lync Server 2010 PowerShell Cheat Sheet

A quick reference card for PowerShell use with Lync Server 2010.

http://www.powergui.org/entry.jspa?externalID=3091

Microsoft Lync 2010 Quick Reference Cards

This zipped file contains the quick reference cards for Microsoft Lync 2010. They are all in Microsoft Word, and can be edited as needed. The download contains the following Quick Reference Cards, which are also available separately:

http://www.microsoft.com/download/en/details.aspx?id=2324

Exchange and Lync session videos from Tech·Ed 2011

September 29, 2011

one liners: Finding out which Lync pool servers a user is associated with, and the preferred connection order

August 31, 2011

Sometimes, you need to do some Lync logging to investigate a problem with a user. If you have multiple servers in a pool, you sometimes have to enable logging on each until you figure out which one the client is actually connecting to. We can find out which servers the user is associated with and the preferred order that the client will connect using the following in the Lync Management Shell:

Get-CsUserPoolInfo <sip address>

Such as:

Get-CsUserPoolInfo sip:prichard@contoso.com

The output shows us the primary and backup pool FQDNs, and the order in which it will connect to servers in each pool.

PrimaryPoolFqdn                     : lyncpool01.contoso.local
BackupPoolFqdn                      : lyncpool02.contoso.local
UserServicesPoolFqdn                : lyncpool01.contoso.local
PrimaryPoolMachinesInPreferredOrder : {1:2-2, 1:2-1}
BackupPoolMachinesInPreferredOrder  : {1:3-2, 1:3-1}

What that doesn’t tell us is the actual names of the servers in the pool, and which one is 1:2-2, which is 1:2-1, etc. So we expand a little further and use:

Get-CsUserPoolInfo -Identity "user" | Select-Object -ExpandProperty PrimaryPoolMachinesInPreferredOrder

For example,

Get-CsUserPoolInfo -Identity "prichard" | Select-Object -ExpandProperty PrimaryPoolMachinesInPreferredOrder

This will show the registrar pools and their respective servers in the preferred order the user will connect:

MachineId         : 1:2-2
Cluster           : 1:2
Fqdn              : lyncpoolserver03.contoso.local
PrimaryMacAddress : 000000
Topology          : Microsoft.Rtc.Management.Deploy.Internal.DefaultTopology

MachineId         : 1:2-1
Cluster           : 1:2
Fqdn              : lyncpoolserver02.contoso.local
PrimaryMacAddress : 000000
Topology          : Microsoft.Rtc.Management.Deploy.Internal.DefaultTopology

We see that this user will connect to lyncpoolserver03 first, since it’s listed first. If that server is not available, then the user would be redirected to lyncpoolserver02. Note that this only shows the information for the primary pool. If you have a backup pool, the information for those servers is not shown here (but is shown if you use BackupPoolMachinesInPreferredOrder as the ExpandProperty value). However, if you do have a backup registrar pool, and want to use it as a backup pool for users homed on the first, you should have Director servers, as mentioned in Another Reason to Include a Director in Your Lync Server 2010 Deployment.

We can then wrap this in a function:

function Get-CsUserConnectionInfo {
 # Lists the servers in the user's primary pool, in preferred connection order
 param (
  [parameter(ValueFromPipeline=$true, ValueFromPipelineByPropertyName=$true, Mandatory=$true, HelpMessage="No username specified")]
  [string]$user
 )
 # process block so that every user passed in on the pipeline is handled
 process {
  Get-CsUserPoolInfo -Identity $user | Select-Object -ExpandProperty PrimaryPoolMachinesInPreferredOrder
 }
} # end function Get-CsUserConnectionInfo

Toss it into your PowerShell profile for easy access, and call it using

Get-CsUserConnectionInfo <username>

Also, the Get-CsConnections.ps1 script will show you the current connections on a per-user basis if needed.

Get-CsConnections.ps1 – see user connections, client versions, load balancing in Lync 2010

August 11, 2011

Recently, Tracy A. Cerise and Mahmoud Badran came up with a script to show Lync connections, and the users connected. This was quite informative as it could be used to show load balance distribution, client versions being used, and more.

I took the script and updated it a little, including:

  1. Removed the help function and the header block and inserted comment based help. So a user can run get-help Get-CsConnections.ps1 and get the help, just like any other script and cmdlet.
  2. Added a parameter to display the user list. My needs didn’t require the user list – just the statistics at the beginning. So I added the feature to show the user list by running Get-CsConnections.ps1 -IncludeUsers.
  3. Added a couple of functions, including one that cleans up some variables when exiting.
  4. Adjusted some of the formatting. I noticed things didn’t always line up when the server FQDNs were really long, like those in child domains.
  5. Did a prereq check to verify the Lync module is loaded. If not, it gets loaded. That way, the script will still run fine if it’s run from an ordinary PowerShell console.
  6. Accounted for the pool parameter being just a NetBIOS name by adding the $env:userdnsdomain to the NetBIOS name to create the FQDN. This appears to work fine if the Lync servers and user running the script are both in the same domain. If not, then an FQDN would be required.
  7. Renamed the script to Get-CsConnections.ps1 and some of the functions to the normal verb-noun format.

Get-CsConnections.ps1 -pool [pool FQDN]

Will show you unique client versions, their user agent, and the number of connections for each:

Distribution of connections across frontend servers (load balancing):

The number of unique users and clients connected:

And, adding the -IncludeUsers switch, such as:

Get-CsConnections.ps1 -pool [pool FQDN] -IncludeUsers

will also show the users who are connected, and the number of connections they have:

Get-CsConnections.ps1 -SipAddr [sip address] -pool [pool FQDN]

Will show you the information for a single user:

Get-CsConnections.ps1 -FilePath [path to csv file]

Will export the data to a .csv file for viewing/manipulation in Excel.

In order for the script to work, port 1434 on the frontend servers must not be blocked at the server’s firewall, but that’s a minor issue.

Download

v1.4 Get-CsConnections.v1.4.zip

v1.3 Get-CsConnections.zip

v1.0 Get-CsConnections.zip

Changelog

See the changelog for a complete list of features added in each release

one liners: Finding AD disabled accounts who are still Lync enabled

August 10, 2011

Fellow MVP Jeff Guillet wrote an article about the fact that disabling a user’s Active Directory account doesn’t mean they can’t log into Lync. This is due to the way Lync uses certificates and authentication based on them. I highly recommend you read the article.

I recently was writing some documentation for a customer and wanted to include this important information, including methods for resolving the problem after the fact.

If you’ve not been disabling users in Lync while disabling them in AD, here’s a one liner to find those users:

Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | ft Name,Enabled,SipAddress -auto

You can get a count of the users using:

Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Measure-Object

and, if you want, can disable them in one line using

Get-CsAdUser | ?{$_.UserAccountControl -match "AccountDisabled" -and $_.Enabled -eq $true} | Disable-CsUser
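For a repeatable cleanup, the same filter can be wrapped so that the matches are written to a report before anything is changed and the disable step honours -WhatIf. This is an added example, not code from the original post; the function name and the default report file name are hypothetical.

```powershell
function Disable-CsUserDisabledInAd {   # hypothetical name
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        # Constructed default: timestamped CSV in the current directory
        [string]$ReportPath = ".\LyncEnabled-ADDisabled-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )

    # Same filter as the one-liners above: disabled in AD, still enabled for Lync
    $stale = @(Get-CsAdUser | Where-Object {
        $_.UserAccountControl -match 'AccountDisabled' -and $_.Enabled -eq $true
    })

    if ($stale.Count -eq 0) {
        Write-Verbose 'No AD-disabled accounts are still enabled for Lync.'
        return
    }

    # Write the evidence first, so there is a record even if the run is interrupted
    $stale | Select-Object Name, SipAddress, Enabled, UserAccountControl |
        Export-Csv -Path $ReportPath -NoTypeInformation
    Write-Verbose ("{0} account(s) written to {1}" -f $stale.Count, $ReportPath)

    foreach ($user in $stale) {
        # ShouldProcess gives -WhatIf / -Confirm behaviour per account
        if ($PSCmdlet.ShouldProcess($user.SipAddress, 'Disable-CsUser')) {
            $user | Disable-CsUser -Confirm:$false
        }
    }
}

# Preview: writes the report and lists what would be disabled, changes nothing
Disable-CsUserDisabledInAd -WhatIf -Verbose
```

Run it again without -WhatIf once the report has been reviewed.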

Get-CsConnections.ps1 – changelog

1.4 – 04-19-2012

  • cleaned up some of the param() block and added some validation
  • streamlined some of the code
  • tweaked the displayed results a little to better handle longer agent strings

1.3 – 12-27-2011

  • tweaked the formatting a little to account for longer agent strings due to mobile clients
  • ignore the RtcApplication-[guid] account when calculating users and displaying userlist
  • added error if pool doesn’t have any servers
  • added UserHighConnectionFlag in parameter block to support pipeline entry

1.1 – 08/09/2011

  • added comment based help
  • added option to display user list
  • updated formatting
  • added code so it will run in a normal PowerShell session

1.0 – 07/01/2011

  • original version

Set-Lync2010Features.ps1 – changelog

November 27, 2009

: v5.3 – 12-23-2011
Added requirements for Front End and Director servers to support Mobility. This includes the Dynamic Compression Windows 2008 feature.

: v5.2 – 08-17-2011
Added option (& related Get-Webpage function) to download trial version of Lync (just opens a browser to the site)
Added option to restrict feature availability to Standard CAL

: v5.1 – 07-26-2011
Detect if Lync is installed before installing some utilities and tools
DSR loopback adapter option added
Lync Server Updates option was updated to represent the 07-25-2011 release per KB 2493736
Menu was split into pre/post install tasks, with post install tasks only visible if Lync Server is detected on the box

: v5.0 – 07-25-2011
added “Find Lync Versions” and related .Net 4 installer
added functions for creating shortcuts and unzipping files
added function for “Windows Media Format Runtime” (per http://support.microsoft.com/kb/2522454)
some variable cleanup
some error checking
added function to run installation routines. This makes it easier to do consistent screen output (menu)
cleaned up variable removal when exiting
Installation of Silverlight
Updated installation of Visual C++ Redistributable to latest version (per MS11-025)
added option to enable federation with Office365

: v4.2 – 05-26-2011
updated function to allow downloading files to different folders and different names
added OWA / Lync integration feature

: v4.1 – 05-01-2011
added group membership check (checks for local admin, CSAdmin* and RTCUniv* only)
added 04-20-2011 “Lync Server update download”
added chm file download and install & shortcut
added standalone AV server prereq option
added PowerShell transcript
added backup current config

: v4.0 – 04-06-2011
added Visual C++ option
added Stress and Performance Tool
added Disable IPv6
added “IM an Expert”
added Windows Update
lots of code cleanup

: v3.0 – 02-2011 by Ståle Hansen (http://msunified.net)

: v1.0 – 11/27/2009 – initial version