Wednesday, September 30, 2015

You can't record in Skype for Business (and Lync 2013), when you click button "Start Recording" nothing happens

Consider the following scenario:
  • You install security update (KB3085500) that is documented in security bulletin MS15-097 Security Update for Lync 2013 (Skype for Business) that was released on September 8, 2015. 
  • You will have this update installed automatically as a part of Office 365 application package.
  • You join a meeting by using the Skype for Business client (version: 15.0.4753.1000).
  • You click the More Options button, and then you click Start Recording.

In this scenario, nothing happens. You don't see any notification or visual indication that recording has started. Additionally, when you open the recording manager, you don't see any file or progress status. Microsoft confirmed this is a bug (KB3099414) and that it will be fixed on 13 October 2015.

Workarounds for Office 365 2013 based users:

Workaround 1 
You can download the latest release version of Office 2016 from the portal and use it. Skype for Business recording will work on this client.

Workaround 2 

You can revert to an old version of the Skype for Business / Lync client, which will have the recording option: https://support.microsoft.com/en-us/kb/2770432

1. At the command prompt (run as Administrator), run one of the following commands:
For an Office installation in a 32-bit version of Windows:
cd %programfiles%\Microsoft Office 15\ClientX86
For an Office installation in a 64-bit version of Windows:
cd %programfiles%\Microsoft Office 15\ClientX64
2. Run the following command:
officec2rclient.exe /update user updatetoversion=15.0.4745.1002

Workaround for Office 2013 based users:
Remove security update KB3085500 from your PC.

#Update. October 13, 2015.
Issue fixed with the 15.0.4763.1002 Office 365 release.
Issue fixed for MS Office Lync 2013 (Skype for Business 2015) with KB3085581


#Update. December 23, 2015.
They've broken it again. 
The recording issue is present with 15.0.4779.1002 again.
When you play a recorded desktop session, you see a blank screen and the message:
"At this point in the meeting, no one was presenting or sharing video"

Thursday, September 24, 2015

Skype for Business Server (formerly Lync) and Skype Connectivity provisioning request failed

Since the release of Skype for Business, Microsoft has changed the way you connect to Skype accounts.
Previously, Skype users were required to associate the Skype ID with a Microsoft account. This was quite cumbersome because all Skype users would have to update their account, and if someone didn’t complete the association, he couldn’t connect from Lync/Skype for Business to the Skype Account.
When Skype for Business was released to the general public (GA), Microsoft made a welcome change to the way connectivity works. The new connectivity is based around Skype IDs and does not require the association with a Microsoft account. The new “@skypeids.net” domain is added to the Skype ID to create a valid SIP Address SkypeID@skypeids.net.
The previous part was just an introduction to how cool "Skype for Business to Skype" connectivity is now.
Back to our problem. Assume the following situation:
- You have started to use Lync Online (then Skype for Business 2015 Online)

- You let S4B Online users communicate with external S4B or Skype contacts per the following article
- At some point your organization decided to have Enterprise Voice (at this moment Cloud PBX with PSTN is in Preview) and you had to move back on-premises to Skype for Business Server 2015 (or Hybrid) with the same SIP domain.
- You deploy Skype connectivity per the TechNet article and go to https://pic.lync.com to make a provisioning request to Microsoft. You see in "Activation and Provisioning Details" that it's the first time you have ever requested it.
The request fails with the following error:
This Access Edge service FQDN or domain is registered to another organization: <your sip domain name>


The solution is easy but can be time-consuming. Just go back to Skype for Business Online and deactivate the "Public IM Connectivity" feature.
Wait for a couple of days and try provisioning request again via https://pic.lync.com (maybe you will have to wait longer).
Good luck!

How do I stay on Office 365 ProPlus 2013/Office 365 Business 2013/Office 365 Business Premium 2013

Microsoft is rolling out an automatic upgrade of Office 365 ProPlus from 2013 to 2016.
Be aware that the new minimum system requirements for Office 2016 are 2 GB RAM and 1280 x 800 screen resolution. But always remember that minimum doesn't mean comfortable. Operating systems: Windows 10, Windows 8.1, Windows 8, Windows 7 Service Pack 1, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, or Windows Server 2008 R2. Note that Skype for Business 2016 requires a minimum of 1.6 GHz and a minimum of 128 megabytes (MB) of graphics memory, while the rest of the Office 2016 package requires only 1 GHz (or faster). Another important change to be aware of is that Outlook 2016 doesn't support connecting to Exchange Server 2007. So if you are still on Exchange 2007 (or even Exchange 2003), your O365 migration process will now become more painful.
You will probably want to delay this process, for obvious reasons. Microsoft support provided kb3097292.

There are three ways we can delay the migration to Office 2016 ProPlus.
Note: These methods also work for Office 365 Business, which is the version of Office that comes with the Office 365 Business and Office 365 Business Premium plans.
1. GPO setting that blocks the update (kb3097292)

2. You can push out a registry key manually that will do the same (kb3097292)
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\office\15.0\common\officeupdate]
"enableautomaticupgrade"=dword:00000000
3. Use the Office Deployment Tool (ODT) and the configuration.xml file to prevent the migration as well.
In the configuration.xml file we will add the AutoUpgrade attribute and set it to "FALSE" like in this example configuration.xml file here:
<Configuration>
<Add SourcePath="\\server\office" OfficeClientEdition="32">
<Product ID="O365ProPlusRetail" >
<Language ID="en-us" />
</Product>
</Add>
<Updates Enabled="TRUE" AutoUpgrade="FALSE"/>
</Configuration>
Time to prepare money for new hardware/OS and move forward ;)

Wednesday, September 23, 2015

How to display the contents of a Certificate Revocation List in Windows

Recently I worked with a customer on migrating his on-premises Exchange 2003 to Exchange Online in a staged migration scenario. RPC over HTTPS (Outlook Anywhere) is a prerequisite for this kind of migration. In the middle of the migration process I suddenly started to get messages that the SSL certificate had been revoked (an easy check is to go to https://rpcproxyserverfqdn/rpc in a browser). The customer stated he didn't make any changes to the certificate, so I had to dig around.
When a certificate is considered untrustworthy it is listed in the issuing CA’s Certificate Revocation List (CRL). This is just a small file located somewhere accessible by URL, and is frequently hosted on Internet-facing web servers. This file is not in plaintext, so just dropping it into Notepad isn’t going to do you much good.
Step 1. Obtain the Certificate Serial Number (SN)
For example, here’s a GoDaddy certificate
Open "Details" tab, look for "Serial Number" field and copy it to notepad.

Step 2. Obtain the Certificate Revocation List from the CRL Distribution Point (CDP)
Open up almost any certificate issued from a CA and look for the CDP field. 


On the Details tab, the CRL Distribution Point field should always contain at least one URL that we can access from anywhere we are expected to trust the certificate.
So the CDP is on a public http server.
Copy the URL http://crl.godaddy.com/gdig2s1-119.crl into a browser and choose Save Attachment to put the CRL file "gdig2s1-119.crl" on my local computer.
Step 3. Decode the Certificate Revocation List With Certutil

Now open a Command Prompt, change to the folder that contains the downloaded CRL file, and use the certutil -dump command.

In this case, I typed:
certutil -dump gdig2s1-119.crl > crldump.txt
Step 4. Open the result file "crldump.txt" and search for the SN you noted in Step 1.
You may have a situation like I had, where you have to remove "00" from the SN.
You will see the serial number of each recently revoked certificate and the date/time of revocation along with appropriate crypto information including the issuer, date of issuance, and CRL signature. That’s pretty much all the information that’s in a CRL.
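
The lookup in Step 4, including the leading "00" case, as an added example (not part of the original post). DER encodes a serial number as a signed INTEGER, so a value whose top bit is set carries an extra 00 byte that some views show and others drop; comparing serials as integers removes that difference. The dump text below is constructed, and its "Serial Number:" / "Revocation Date:" labels assume English-locale certutil output.

```python
import re

# Constructed sample shaped like English-locale `certutil -dump` CRL output;
# the issuer, serial numbers and dates are made up for illustration.
SAMPLE_DUMP = """\
X509 Certificate Revocation List:
Issuer:
    CN=Example Issuing CA
 ThisUpdate: 9/22/2015 7:00 AM
 NextUpdate: 9/29/2015 7:00 AM
CRL Entries: 3
  Serial Number: 2b4a7c019d33e1f0
  Revocation Date: 9/1/2015 3:12 PM
  Serial Number: 9f03c2aa5d17e6b4
  Revocation Date: 9/14/2015 10:41 AM
  Extensions: 1
    2.5.29.21: Flags = 0, Length = 3
    CRL Reason Code
        Key Compromise (1)
  Serial Number: 07d1
  Revocation Date: 9/20/2015 8:05 AM
"""


def serial_to_int(text):
    """Turn a serial as displayed ('00 9F 03 ...', '9f:03:...') into an int."""
    digits = re.sub(r"[\s:]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError(f"not a hex serial number: {text!r}")
    return int(digits, 16)  # integer compare ignores case, spacing, leading 00


def parse_revoked(dump_text):
    """Map each revoked serial (as int) to its revocation date string."""
    revoked, current = {}, None
    for line in dump_text.splitlines():
        key, _, value = line.strip().partition(":")
        if key == "Serial Number":
            current = serial_to_int(value)
        elif key == "Revocation Date" and current is not None:
            revoked[current] = value.strip()
            current = None
    return revoked


def check_serial(dump_text, serial_text):
    """Return the revocation date if the serial is listed, otherwise None."""
    return parse_revoked(dump_text).get(serial_to_int(serial_text))
```

Serial numbers are unique only per issuer, so the dump has to come from the CRL named in the CDP field of the certificate being checked.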

How to configure SQL Database mail to send emails using Office 365 (Exchange Online)

SQL Server has a feature called Database Mail. This feature allows the database server to send emails to any external entity using an external SMTP server. So how can you use Exchange Online to send database emails without an on-premises SMTP relay server?
This blog post provides a complete walkthrough on how to configure this (which is basically option 1 from the TechNet article).
1. Open the SQL management studio and connect to your MSSQL Instance
2. Expand the "Management node" and then right click the "Database Mail" node and click "Configure Database Mail"

3. Follow the wizard and the critical part is to configure the access account as per the below screen:
4. Once you configured it you can go ahead and test it
Works great without any On Premise smtp relay!

Saturday, September 19, 2015

Skype for Business Server 2015 (formerly Lync) Watcher Node Synthetic Transactions failed

Recently I ran into an issue when I worked on a deployment of Skype for Business Server 2015 and SCOM monitoring for this deployment.
Assume the following config:

  • Skype for Business Server 2015;
  • System Center Operations Manager 2012R2;
  • Skype for Business Server 2015 SCOM Management pack installed;
  • S4B watcher node in a "Trusted Server authentication method" mode

After configuration (using MS TechNet) I got issues with the basic synthetic transactions (I can assume some extended tests are also affected): Presence, AvConference, P2PAV, IM, GroupIM.
SCOM reported failed transactions and the following messages:

Presence:
Presence Synthetic Transaction failed.
The following error message was returned by the Synthetic Transaction test commandlet: Presence notification is not received within 240 seconds. 
AvConference:

Audio Video Conferencing Synthetic Transaction failed.

The following error message was returned by the Synthetic Transaction test commandlet: This operation has timed out.

IM:
Instant Messaging Synthetic Transaction failed.
The following error message was returned by the Synthetic Transaction test commandlet: 504, Server time-out
P2PAV:
Peer To Peer Audio Video Synthetic Transaction failed.
The following error message was returned by the Synthetic Transaction test commandlet: 480, Temporarily Unavailable 
GroupIM: 
Instant Message Conferencing Synthetic Transaction failed.
The following error message was returned by the Synthetic Transaction test commandlet: This operation has timed out.
These errors are typically due to firewall problems. When a synthetic transaction is executed, that transaction runs under the MonitoringHost.exe process; in turn, MonitoringHost.exe starts an instance of the PowerShell.exe process. If either MonitoringHost.exe or PowerShell.exe is blocked by your firewall, the synthetic transaction will fail and generate the errors mentioned above. To resolve this issue, manually create inbound firewall rules for both MonitoringHost.exe and PowerShell.exe:
netsh advfirewall firewall add rule name="Watcher Node PowerShell" dir=in action=allow program="%SystemRoot%\System32\WindowsPowershell\V1.0\powershell.exe" enable=yes
netsh advfirewall firewall add rule name="Watcher Node SCOM agent" dir=in action=allow program="%ProgramFiles%\Microsoft Monitoring Agent\Agent\MonitoringHost.exe" enable=yes
So basically these rules are not created by default, and you will most likely get this issue. Hope this helps you guys to monitor your S4B servers.