Updates: Office Communications Server 2007 R2 (Nov 2009)

MVP Lee Desmond posted a great post about the November updates for Office Communications Server 2007 R2. Check it out here: http://www.leedesmond.com/weblog/?p=607

Check out the latest Nov 2009 updates released for the different Office Communications Server 2007 R2 server roles as described in KB968802. This applies to both the Standard and Enterprise Editions.

A very important and welcome addition to assist the patch management process is the “Cumulative Server Update Installer” (ServerUpdateInstaller.exe) delivered as part of this release. Instead of having to determine and manually applying the relevant patches to the various R2 server roles, this tool relieves the administrator from those tedious chores by applying all updates for the appropriate server role in just one click. You can also use this tool on the command line with the switches /silent, /forcereboot and /extractall.

If not already present, you shoud also apply the update* for the Office Communications Server 2007 R2 Back-end Database (KB969834).

Download for the updates (.msp), executable (.exe) and installer (.msi) can be obtained here.
Here is a good guide on how to install the updates: http://blogs.technet.com/ucspotting/archive/2009/11/26/3296447.aspx

OCS DNS Automatic Configuration when Split DNS is not an Option

Doug over at DMTF has written an excellent article about what do for OCS single sign on when internal domain and sip domain does not match. When split brain DNS is no option you can create two dns zones for the SRV records only. Here is an excerpt from his blog. View the full blog post here: http://blogs.technet.com/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx

To implement this for Contoso, we would create a zone “_sipinternaltls._tcp.contoso.com” and zone “sip.contoso.com.” Notice that these are two zones – not two records in one “contoso.com” zone. A zone is a name resolution boundary in the hierarchical DNS namespace. By configuring the internal DNS server to be authoritative only for these two names, clients will continue resolving other names in the contoso.com domain as they always have.

Coincidentally, over on his blog, Geoff Clark has just suggested the same thing. He describes the problem and suggests the same solution but shows a method of creating the zone on a Windows DNS server via the DNS management console. Unfortunately, there is a limitation in the management console that is not present in the underlying Windows DNS implementation. This limitation required Geoff to create the zone as “_tcp.contoso.com” when what we would really like is a zone named “_sipinternaltls._tcp.contoso.com.”

This limitation in the user interface can be resolved by creating the zones and the records using the Dnscmd command line tool. For Contoso, here are the required commands:

dnscmd . /zoneadd _sipinternaltls._tcp.contoso.com. /dsprimary
dnscmd . /recordadd _sipinternaltls._tcp.contoso.com. @ SRV 0 0 5061 sip.contoso.com.
dnscmd . /zoneadd sip.contoso.com. /dsprimary
dnscmd . /recordadd sip.contoso.com. @ A

Of course, you’ll need to make the appropriate changes for your environment. If you are not running the command on your Windows DNS server, you will need to replace the first dot with your server name. You may also prefer a different zone type than “dsprimary.” If so, change the zoneadd commands appropriately. I doubt that your pool’s IP address is the same as my example but, if you have followed me this far, you already know what to change there.

For now, hold off on installing KB 974571 on OCS 2007 R2 servers (and possibly R1)

October 24 Update – The MS09-56: Vulnerabilities in CryptoAPI could allow spoofing article has been updated with a Known Issues section and FIX for the LCS and OCS product. That article is the authorized content as it requires the proper groups to coordinate and confirm the data published.

Microsoft has released  official information that is indeed a problem with OCS and LCS systems. Check out the updated article with known issues here: MS09-56: Vulnerabilities in CryptoAPI could allow spoofing

I didn’t discover this one, so I’m just the messenger passing word on – KB 974571 (part of Patch Tuesday today – specifically related to Crypto-API/ASN1) will make OCS think it is an evaluation version that has expired. Uninstall KB 974571 and OCS works again. You will want to apply the KB once an updated patch, or an updated patch for OCS becomes available. Originally documented here.

The issue is currently being escalated, but until a fix can be found, delaying the install of KB974571 is recommended. Check here for updates: http://communicationsserverteam.com/archive/2009/10/14/632.aspx

Thanks to Aaron Tiensivu for the heads up: http://blog.tiensivu.com/aaron/archives/1905-For-now,-hold-off-on-installing-KB-974571-on-OCS-2007-R2-servers-and-possibly-R1.html

Script – to create users in AD and enable them for Office Communications server

Whenever you install OCS 2007 in a lab domain you need to generate users for your environment. Ram Ojha har created a cscript that does the following:

  • It’ll read the csv file you create
  • It will create the user.
  • It’ll read display name from the file and write FirstName, LastName and DisplayName of the user.
  • It’ll set the TelephoneNumber of the user.
  • It’ll enable the user for Office Communications server
  • It’ll set the SIP address (msRTCSIP-PrimaryUserAddress)
  • It’ll assign the user to a pool (msRTCSIP-PrimaryHomeServer)
  • It’ll enable the user for Enterprise Voice (msRTCSIP-OptionFlags)
  • It’ll assign the Line URI (msRTCSIP-Line)

Head over to his post to download the script and see how to modify it to support your needs: http://blogs.technet.com/ramo/archive/2009/08/20/script-to-create-users-in-ad-and-enable-it-for-office-communications-server.aspx

OCS Communicator Web Access Listening Port

Jeff Schertz has a great discussion about what ports to use when deploying the CWA server role in this post: http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=80

Here’s a summary

During the deployment of an OCS Communicator Web Access Server there is a setting that is not covered in much detail in the documentation: the Communication Server Listening Port.  No default or suggested value is given. This port is used by the Communicator Web Access Server to listen for inbound communications from other OCS servers.  When an additional Virtual Web Server is added to the same host, as is common when both Internal and External types are setup on the same server, the new virtual site’s listening port must be on a different port then what the initial site is configured for. The post goes on to discuss how to alter the ports. Head over to see the full post.

There is no requirement on what port is used, except that it can’t already be in use on the host server. Therefore an idea might be to use 6051 and 6052 as suggested in a comment in the post.

Error message when you try to install a certificate by using IIS 7.0 Manager

When you try to install a certificate from a PKCS#7 file by using Internet Information Services (IIS) 7.0 Manager, you may receive one of the following error messages:    

Error message 1
Cannot find the certificate request associated with this certificate file. A certificate request must be completed on the computer where it was created.

Error message 2
There was an error while performing this operation
Details: CertEnroll::CX509Enrollment::p_InstallResponse: ASN1 bad tag value met. 0x8009310b (ASN:276)
This issue occurs because IIS Manager performs a lookup operation to look for a friendly name of the certificate during the installation. However, the code that performs this lookup operation misses this specific case, and it does not know how to retrieve the friendly name of a certificate in a PKCS#7 file. Therefore, the lookup operation fails, and you receive the error message. This issue is scheduled to be resolved in the next Windows Server 2008 service pack.
Note:  The certificate is installed correctly despite the error message
Thanks to Karsten Palmvig who pointed me in the right direction in this post: http://blogs.technet.com/kpalmvig/archive/2009/09/22/troubleshoot-cannot-complete-certificate-request-in-iis-7.aspx

Office Communications Server 2007 R2 Audio/Media Negotiation

MVP Elan Shudnow wrote a thorough post on Audio/Media Negotiation.

There are several ways in which we can utilize Audio/Video streams in Office Communications Server. While this article is based off of R2, the same “should… but not verified” work the same in OCS 2007 R1. There aren’t really any places out there that describe how the media session works in different circumstances. For example, what servers and ports are utilized when doing Audio/Video through the Live Meeting 2007 client when connected to the On-Premise Web Conferencing feature in OCS 2007 R2? How about when you do a peer to peer with both users being internal to the network? How about both users being external to the environment and connecting through the Edge? How about when you do a peer to peer with one user being internal and one user being external?

Want to know? Read his post at: http://www.shudnow.net/2009/08/29/office-communications-server-2007-r2-audiomedia-negotiation/

OCS Monitoring Server Report Pack fail to install

I encountered a problem where I could not install Monitoring Server Report Pack. I was running the install from the Monitoring Server against a back-end SQL 2008 server. The error message I got was like this: 

Could not connect to server:
Failure [0xC3EC7A20] Failed to install the QoE Monitoring Server report pack

I found that there are three possible resolutions: 

  1. Make sure you are using https:// for the reportserver URL
  2. Check that you are not behind a proxy server
    • Double check that “Automatically detect settings” is not selected under Internet Options->Connections->Lan Settings i IE
  3. Add the account that is being used for Office Communications Server 2007 QoE Monitoring Server installation as a system administrator on the SQL Server report server.
    • To do this, follow these steps:
      1. Start Report Manager.
      2. Open Microsoft Internet Explorer 6 or a later version of Internet Explorer.
      3. In the Internet Explorer address bar, type the Report Manager URL. By default, the URL is https://ComputerName/reportserver
      4. Click Site Settings.
      5. Click Configure site wide security.
      6. Click New Role Assignment.
      7. In Group or user, type the account in the following format: domain\account
        • If you are using forms authentication or custom security, specify the user or group account in the format that is correct for your deployment. Assign the System Administrator role to the account, and then click OK to apply changes.
      8. After the account is added to the report server as a system administrator, restart Office Communications Server 2007 QoE Monitoring Server setup to complete the installation. 

The resolution for me was that I was behind a proxy without knowing it. Therefore it is wise to double check proxy settings. 

I have also encountered this error when the reporting services resides on a server with Server 2003. Apparently the max request bytes allowed was set to low to allow OCS to install the report pack. Here is how you resolve that. 

  1. Add the following registry key with the following value:
    • Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters
    • Value: DWORD “MaxRequestBytes”
    • set it to 1048576 (1MB). (This number can be raised or lowered depending on the situation)
  2. Stop the SRS Windows Service. (SQL Reporting Services Service)
    • From a cmd prompt run “net stop http” then “net start http”
    • You may have to start the www publishing service manually
  3. Try the OCS installation again.

OCS 2007 R2 Training Material

[tweetmeme source=”stalehansen” only_single=false]Found a post by Mark Fugatt about some great material on UC and OCS. “UC How To” is a great tool that I find useful for pilot users in my deployments. Since the tool is in Englishit will not suffice as the training tool in a production deployment for my Norwegian customers, but it is a great resource. The Unified Communications Adoption and Training Kit 2007 R2 is a great resource for deploying an UC solution in production and gives tips about how to go about and inform the users etc.

Heres the original post by Mark Fugatt: http://blogs.technet.com/mfugatt/archive/2009/08/26/some-useful-uc-training-material.aspx

  • UC How To The Microsoft Unified Communications “How-To” training tool is a Microsoft Silverlight™ 2 application that provides step-by-step instructions for common UC tasks. You can customize the How-To application to your company’s needs based on the UC features you’ve installed. For example, if you have installed all UC features except Communicator Mobile and Communicator Group Chat, you can modify the XML file so that those features and topics do not appear in the interface. Web version can be found here: http://stage.xcarab.com/microsoft/rolodex/


  • Unified Communications Adoption and Training Kit 2007 R2 The Unified Communications Adoption and Training Kit for 2007 R2 provides guidance and resources for IT Pros, Helpdesk, and Trainers to speed adoption and usage of Unified Communications technologies in the enterprise. The kit includes Planning Checklists, Awareness materials, including Poster, Door Hangers, and E-mail samples, and User Education Materials such as Quick Reference Cards, Flash Cards, and links to Web-based Training.

Forwarding OCS Response Group Calls to an External Number

Any Post starting with this disclaimer means that this post was not written by me however I liked it and added to my blog so that I can easily find it later. I will also include the link to the original or similar post to provide credit to the original author.


Just wanted to point out another blog article that is very useful. Kevin Peters blogged about an issue regarding OCS Response Groups where the Response Group could not forward a call to an external number. In his original blog article, Kevin described a work-around to enable forwarding calls to external numbers. Now, it seems that the issue has been solved by Doug Lawty and some logging of the OutboundRouting component using OCSLogger. It turns out that when you create a Response Group Contact Object with OGSCOT.EXE, it will always assign the enterprise voice Default Policy. If you choose to not use the Default Policy and don’t assign any Usages or Routes to it, then calls forwarded to external numbers from the Response Group will fail because no routes can be found for the external number. There are two fixes for this issue: either populate your Default Policy with Usages and Routes or manually assign a new Policy to the Response Group Contact Object. See Doug’s Blog Post for the complete details on manually changing the Contact’s Policy with PowerShell here: http://blogs.technet.com/dougl/archive/2009/08/12/outbound-pstn-calling-from-response-groups.aspx