Wednesday, May 20, 2015

S4B Lesson Learned - ensure you have ample time between FE update and Edge update on any certificates!

One of the risks of running an always-on environment that plays with new software alongside engineers worldwide is that sometimes you have unexpected outages.

Scenario:
  1. You are in the middle of a Lync to S4B migration with in-place upgrades planned.
  2. You update the FE pool (upgrade it in the S4B Topology Builder) and run the in-place upgrade (IPU; thanks to Keif for this TLA).
  3. The associated Lync 2013 Edge pool is upgraded to S4B in Topology Builder along with the paired pool.
  4. You have not yet taken the outage on your Edge servers to IPU them.
  5. Any of your certificates expire!!!
So what would normally be a rapid cert replacement becomes SQL patching and S4B in-place upgrades!
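The scenario above bites when a certificate runs out in the gap between the FE upgrade and the Edge upgrade. The pre-check below is an added example, not code from the original post: run on each FE and Edge server before starting the IPU, it lists the certificates in the local machine store that expire within a chosen window, and, when the Lync/SfB management shell is loaded, narrows that down to the certificates actually assigned to server roles via Get-CsCertificate. The 60-day threshold and the function names are assumptions.

```powershell
# Added example (not from the original post): find server certificates that
# expire within a window, so renewal can be scheduled before the FE and Edge
# in-place upgrade steps rather than in the middle of them.
function Get-ExpiringServerCertificate {
    param(
        # Warn on anything expiring within this many days (assumption: 60 days
        # covers FE IPU, SQL patching and the Edge outage window with room to spare)
        [int]$WarnDays = 60,
        # Lync/SfB assign certificates from the local machine personal store
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now    = Get-Date
    $cutoff = $now.AddDays($WarnDays)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.HasPrivateKey } |
        ForEach-Object {
            [pscustomobject]@{
                Subject      = $_.Subject
                Thumbprint   = $_.Thumbprint
                NotAfter     = $_.NotAfter
                DaysLeft     = [int]($_.NotAfter - $now).TotalDays
                Expired      = $_.NotAfter -lt $now
                ExpiringSoon = $_.NotAfter -lt $cutoff
            }
        } |
        Where-Object { $_.ExpiringSoon } |
        Sort-Object NotAfter
}

# Cross-reference with the certificates assigned to Lync/SfB roles so only
# in-use certificates are reported. Requires the Lync/SfB management shell.
function Get-ExpiringAssignedCsCertificate {
    param([int]$WarnDays = 60)
    if (-not (Get-Command Get-CsCertificate -ErrorAction SilentlyContinue)) {
        Write-Warning 'Get-CsCertificate not available; run this from the Lync/SfB management shell.'
        return
    }
    $assigned = Get-CsCertificate | Select-Object -ExpandProperty Thumbprint -Unique
    Get-ExpiringServerCertificate -WarnDays $WarnDays |
        Where-Object { $assigned -contains $_.Thumbprint }
}

# Usage: run on every FE and Edge server before the upgrade begins.
Get-ExpiringAssignedCsCertificate -WarnDays 60 |
    Format-Table Subject, DaysLeft, NotAfter, Expired -AutoSize
```

Anything that shows up with Expired set to True, or DaysLeft smaller than the number of days the migration will take, should be reissued before step two of the scenario, while the Lync 2013 Deployment Wizard can still do it for you.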

Troubleshooting:

If you try to run the certificate step in the Lync 2013 Deployment Wizard, you will see this:
"There are no Lync Server certificate requirements for this computer."

On MVP Adam Ball's recommendation, I re-ran step two and watched all Lync 2013 Edge roles uninstall.

Mount your S4B ISO and run setup. Once you deal with the S4B prerequisites and reboot the server, you will eventually hit this error:
"Error encountered: Internal/External: Assigned certificate not found or is untrusted.  Check that the certificate exists in the certificate store, that it is not expired and that the certificate chain is valid." 

The only real choice is to cancel, as you need to deal with certs before services will start. So launch the Skype for Business Deployment Wizard and you will see a warning that says:
"It looks like you started an upgrade using the In-place upgrade tool but it isn't complete.  If you continue to install the upgrade with the Deployment Wizard, it will end the upgrade you already started with the In-place Upgrade tool. 

To resume the In-place upgrade instead, close the Deployment Wizard  by selecting Exit and launch Setup.exe."

Now you can select Step 3: Certificates and choose to reissue the expired certificate.

Another important point: after a successful Edge update you will see that the S4B Edge servers have a Windows Fabric service that won't start. It is documented here, with no known fix, and no known issue or risk from it.
https://greiginsydney.com/flip-your-lync-2013-edge-to-sfb/

Tuesday, May 12, 2015

Azure AD licensing with O365 PowerShell

I won't go into the depths of Azure AD licensing or the PowerShell licensing cmdlets, as they are already covered in several places on the Internet, but I have not seen the Azure AD MsolAccountSku values for the new Azure AD products published much. These are:

SkuPartNumber   Product
AAD_BASIC       Azure Active Directory Basic
AAD_PREMIUM     Azure Active Directory Premium
MFA_PREMIUM     Azure Multi Factor Premium
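To put those SKU names to use, here is an added example (not from the original post) that assigns one of them to a user with the MSOnline module. It resolves the tenant-qualified AccountSkuId from Get-MsolAccountSku instead of hard-coding the tenant prefix, checks that the tenant still has free units, and sets a UsageLocation first, since Azure AD refuses to assign a license to a user without one. It assumes Connect-MsolService has already been run; the UPN, the tenant and the default UsageLocation are placeholders.

```powershell
# Added example (not from the original post): assign an Azure AD SKU from the
# table above to a user. Assumes Connect-MsolService has already succeeded.
function Set-AzureADProductLicense {
    param(
        [Parameter(Mandatory)][string]$UserPrincipalName,
        # SKU part number from the table, e.g. AAD_PREMIUM or MFA_PREMIUM
        [Parameter(Mandatory)]
        [ValidateSet('AAD_BASIC', 'AAD_PREMIUM', 'MFA_PREMIUM')]
        [string]$SkuPartNumber,
        # Two-letter ISO country code; required before any license can be assigned (assumed default)
        [string]$UsageLocation = 'US'
    )

    # AccountSkuId has the form tenant:SKUPARTNUMBER; look it up rather than guess the tenant
    $sku = Get-MsolAccountSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
    if (-not $sku) {
        throw "SKU $SkuPartNumber is not present in this tenant."
    }
    $available = $sku.ActiveUnits - $sku.ConsumedUnits
    if ($available -le 0) {
        throw "No free units for $($sku.AccountSkuId) ($($sku.ConsumedUnits)/$($sku.ActiveUnits) used)."
    }

    $user = Get-MsolUser -UserPrincipalName $UserPrincipalName
    if (-not $user.UsageLocation) {
        Set-MsolUser -UserPrincipalName $UserPrincipalName -UsageLocation $UsageLocation
    }
    if ($user.Licenses.AccountSkuId -contains $sku.AccountSkuId) {
        Write-Verbose "$UserPrincipalName already has $($sku.AccountSkuId); nothing to do."
        return
    }
    Set-MsolUserLicense -UserPrincipalName $UserPrincipalName -AddLicenses $sku.AccountSkuId
    Write-Verbose "Assigned $($sku.AccountSkuId) to $UserPrincipalName ($($available - 1) units left)."
}

# Usage (placeholder UPN):
# Set-AzureADProductLicense -UserPrincipalName 'user@contoso.example' -SkuPartNumber MFA_PREMIUM -Verbose
```

Note that -AddLicenses only adds to the user's existing licenses; if you need to swap a Basic assignment for Premium, pass the old AccountSkuId to -RemoveLicenses in the same call.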

Wednesday, May 06, 2015

Exchange On Premises Script - Build-EXOReceiveConnectorRemoteRange.ps1 - Configure Exchange Online Transport connectors to only allow connections from EXO

If you are a Hybrid organization with Exchange on-premises and Exchange Online, and you chose to implement centralized transport to ensure all Internet SMTP traffic goes through your on-premises servers, one of the steps has been to update your Hybrid receive connectors to only allow connections from the Exchange Online servers and IP addresses listed here.

After polling this list several times and writing a macro in a text editor or in Microsoft Excel, I decided to write a PowerShell script that downloads the content live from the above site and parses it into a PowerShell-friendly format for use with Set-ReceiveConnector.

Build-EXOReceiveConnectorRemoteRange.ps1 - Version 1.0

The script does NOT make changes; it only converts their web page into the PowerShell code you would need. Exchange Management Shell (EMS) is not required!
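The script itself is not reproduced on this page, so here is an added example of the same idea, written for this post and not the author's script: it pulls every IPv4 CIDR block out of a chunk of page text, validates and de-duplicates them, and emits (but does not run) the Set-ReceiveConnector line. The sample input is constructed from RFC 5737 documentation ranges and is not the real Exchange Online list; in practice the text would come from Invoke-WebRequest against Microsoft's published page, and the connector identity is a placeholder.

```powershell
# Added example (not the author's Build-EXOReceiveConnectorRemoteRange.ps1):
# turn page text containing IPv4 CIDR ranges into a Set-ReceiveConnector command.
function ConvertTo-RemoteIPRangeCommand {
    param(
        [Parameter(Mandatory)][string]$RawText,
        # Placeholder connector identity; use your Hybrid receive connector's name
        [string]$ConnectorIdentity = 'HYBRID01\Default Frontend HYBRID01'
    )
    # Match a.b.c.d/nn; plain prose and IPv6 blocks are ignored
    $ranges = [regex]::Matches($RawText, '\b(?:\d{1,3}\.){3}\d{1,3}/\d{1,2}\b') |
        ForEach-Object { $_.Value } |
        Where-Object {
            # Reject octets over 255 or prefixes over 32 that the regex still lets through
            $ip, $prefix = $_ -split '/'
            $octetsOk = ($ip -split '\.' | ForEach-Object { [int]$_ -le 255 }) -notcontains $false
            $octetsOk -and [int]$prefix -le 32
        } |
        Sort-Object -Unique
    if (-not $ranges) {
        throw 'No IPv4 CIDR ranges found in the input.'
    }
    # Emit the command rather than running it, so the list can be reviewed first
    $list = ($ranges | ForEach-Object { "'$_'" }) -join ','
    "Set-ReceiveConnector -Identity '$ConnectorIdentity' -RemoteIPRanges $list"
}

# Constructed sample page content (documentation ranges, not real EXO addresses).
# Includes a duplicate, an IPv6 block and an invalid octet to show the filtering.
$sample = @"
<p>Exchange Online IP ranges (constructed sample)</p>
<ul><li>192.0.2.0/24</li><li>198.51.100.0/25</li><li>203.0.113.0/24</li>
<li>192.0.2.0/24</li><li>2001:db8::/32</li><li>999.1.1.1/24</li></ul>
"@

# Prints a single Set-ReceiveConnector line with three unique, valid ranges
ConvertTo-RemoteIPRangeCommand -RawText $sample
```

Two things worth keeping in mind when you paste the output into EMS: -RemoteIPRanges replaces the connector's whole list rather than appending to it, and the point of the exercise is that any address outside that list can no longer relay through the Hybrid connector, so diff the generated list against the current one before applying it.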

If this saved you 5 minutes of time, please tweet/share/comment and let me know!