Wednesday, May 20, 2015

S4B Lesson Learned - ensure you have ample time between FE update and Edge update on any certificates!

One of the risks of running an always-on environment where engineers worldwide play with new software is that you sometimes have unexpected outages.

Scenario:
  1. You are in the middle of a Lync to S4B migration with in-place upgrades planned.
  2. You update the FE pool (upgrade in S4B Topology Builder) and run the in-place upgrade (IPU; thanks to Keif for this TLA).
  3. The associated Lync 2013 Edge pool is upgraded to S4B in Topology Builder with the paired pool.
  4. You have not yet taken the outage on your Edge servers to IPU them.
  5. Any of your certificates expire!!!
 So what would normally be a rapid cert replacement becomes SQL patching and S4B in-place upgrades!
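A pre-flight check for the scenario above, as an added example that is not part of the original post: run it locally on each Edge server before the Edge pool is upgraded in Topology Builder, to list certificates that would expire before the Edge in-place upgrade is done. The `$WindowDays` parameter and its default of 60 are assumptions; size it to your own gap between the topology change and the Edge outage.

```powershell
# Added example (not from the original post). Run locally on each Edge server.
# $WindowDays is an assumed value: it should cover the whole period between
# upgrading the Edge pool in Topology Builder and finishing the Edge in-place
# upgrade, plus a safety margin.
param(
    [int]$WindowDays = 60
)

$now    = Get-Date
$cutoff = $now.AddDays($WindowDays)

# Every certificate in the computer's personal store that expires inside the window.
$expiring = @(Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.NotAfter -le $cutoff } |
    Select-Object Subject, Thumbprint, NotAfter,
        @{ Name = 'DaysLeft'; Expression = { [math]::Floor(($_.NotAfter - $now).TotalDays) } })

# If the Lync/S4B management cmdlets are installed, also report which assigned
# certificate uses (Internal, AccessEdgeExternal, ...) fall inside the window.
$assigned = @()
if (Get-Command -Name Get-CsCertificate -ErrorAction SilentlyContinue) {
    $assigned = @(Get-CsCertificate |
        Where-Object { $_.NotAfter -le $cutoff } |
        Select-Object Use, Subject, Thumbprint, NotAfter)
}

if ($expiring.Count -eq 0 -and $assigned.Count -eq 0) {
    Write-Output "No certificates on $env:COMPUTERNAME expire within $WindowDays days."
    exit 0
}

Write-Warning "Renew these on $env:COMPUTERNAME BEFORE changing the Edge pool version in the topology:"
$expiring | Sort-Object NotAfter | Format-Table -AutoSize
if ($assigned.Count -gt 0) {
    Write-Warning "Assigned Lync/S4B certificate uses affected:"
    $assigned | Sort-Object NotAfter | Format-Table -AutoSize
}

# Non-zero exit code so a change-control script can block the topology change.
exit 1
```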

Troubleshooting:

If you try to manage certificates in the Lync 2013 Deployment Wizard, you will see this:
"There are no Lync Server certificate requirements for this computer."



On MVP Adam Ball's recommendation, I re-ran step two and watched all Lync 2013 Edge roles uninstall.

Mount your S4B ISO and run setup.  Once you deal with S4B prerequisites and reboot the server, you will eventually hit this error:
"Error encountered: Internal/External: Assigned certificate not found or is untrusted.  Check that the certificate exists in the certificate store, that it is not expired and that the certificate chain is valid." 

 

The only real choice is to cancel, as you need to deal with certs before services will start.  So launch the Skype for Business Deployment wizard and you will see a warning that says:
"It looks like you started an upgrade using the In-place upgrade tool but it isn't complete.  If you continue to install the upgrade with the Deployment Wizard, it will end the upgrade you already started with the In-place Upgrade tool. 

To resume the In-place upgrade instead, close the Deployment Wizard  by selecting Exit and launch Setup.exe."



Now you can select Step 3: Certificates and choose to reissue the expired certificate.



Another important point: after a successful Edge update, you will see that the S4B Edge servers have a Windows Fabric service that won't start. This is documented here, with no known fix/issue/risk:
https://greiginsydney.com/flip-your-lync-2013-edge-to-sfb/
