Script to reset user policies in Lync on migrated OCS users

A while back I was migrating a pilot OCS 2007 R2 solution to a Lync production solution. After moving the users I found that they had inherited their policies regarding external access and voice from OCS. In this case I was utilizing global policies in Lync and removing the need for granting specific policies to the users.

To change this I created a simple little script to reset these policies. The script is used at your own risk.

Download it here: https://msunified.net/lyncdownloads/script-reset-userpolicies-ps1/

The Script Does the Following

  • Gets all users that have an external access policy set to something other than $null
  • For each of those users, all per-user policies are set to $null
  • Writes out the users that were changed; the list can be exported to CSV if wanted
  • Also checks whether any users failed and prints their names
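
Added example, not the downloadable script above: a function for the Lync Server Management Shell that does the same four things. The policies it resets (external access, voice, conferencing) are an assumption; add or drop Grant-Cs*Policy calls to match what your migrated users carry. It supports -WhatIf for a dry run.

```powershell
# Added example, not the author's script. Requires the Lync Server Management Shell.
Import-Module Lync

function Reset-MigratedUserPolicies {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Optional CSV file listing the users that were changed
        [string]$ReportPath
    )

    # Step 1: users that still carry a per-user external access policy from OCS
    $users = Get-CsUser -Filter { ExternalAccessPolicy -ne $null }

    $changed = @()
    $failed  = @()

    foreach ($u in $users) {
        if (-not $PSCmdlet.ShouldProcess($u.SipAddress, 'Reset per-user policies to global')) { continue }
        try {
            # Step 2: a $null grant removes the per-user policy; the global policy then applies.
            # The policy set is an assumption; adjust it to the policies your users were granted.
            Grant-CsExternalAccessPolicy -Identity $u.Identity -PolicyName $null -ErrorAction Stop
            Grant-CsVoicePolicy          -Identity $u.Identity -PolicyName $null -ErrorAction Stop
            Grant-CsConferencingPolicy   -Identity $u.Identity -PolicyName $null -ErrorAction Stop
            $changed += $u
        }
        catch {
            # Usually a permission problem on the AD user object (see the dsa.msc steps in the post)
            $failed += New-Object PSObject -Property @{ User = $u.SipAddress; Error = $_.Exception.Message }
        }
    }

    # Step 3: report the changed users, optionally to CSV
    if ($ReportPath) {
        $changed | Select-Object DisplayName, SipAddress, RegistrarPool |
            Export-Csv -Path $ReportPath -NoTypeInformation
    }
    # Step 4: print the failures
    foreach ($f in $failed) { Write-Warning ("Failed: {0} - {1}" -f $f.User, $f.Error) }
    Write-Host ("Changed: {0}  Failed: {1}" -f $changed.Count, $failed.Count)

    New-Object PSObject -Property @{ Changed = $changed; Failed = $failed }
}

# Dry run first; drop -WhatIf to apply
Reset-MigratedUserPolicies -ReportPath 'C:\temp\reset-policies.csv' -WhatIf
```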

If you can’t change settings on some users it is probably because of permission issues on the user object in AD. To check if that is the case do the following:

  • Open Active Directory Users and Computers (dsa.msc) from the Lync Front End server or any other server with AD DS
  • Go to View and select Advanced Features
  • Now find the user with the permission issues and select Properties
  • Select the Security tab and click Advanced
  • Make sure that “Include inheritable permissions from this object’s parent” is checked
  • If it is not, check it and click OK to close the dialogs
  • Wait for AD replication and try again

This is an old Exchange ActiveSync and OWA issue where users could not access these features. The affected users were probably members of the groups listed below, or have been at some point.

Found a good description of what can make this occur at: http://alanhardisty.wordpress.com/2010/03/05/activesync-not-working-on-exchange-2010-when-inherit-permissions-not-set/

The reason this happens is that Active Directory uses an object called AdminSDHolder to define the permissions that the default protected security groups receive. You can change the inherited permissions, but a process called SDPROP runs, by default every 60 minutes, on the domain controller that holds the PDC emulator role. It checks the ACL of the protected groups and of the users within them and resets their inherited permissions to what is defined on the AdminSDHolder object.

Microsoft’s recommendation and best practice is that a domain administrator has two accounts: one for everyday use, restricted in the same way as every other user, and a second one for the administration role.

The built-in groups that are affected with Windows 2008 are:

  • Account Operators
  • Administrators
  • Backup Operators
  • Domain Admins
  • Domain Controllers
  • Enterprise Admins
  • Print Operators
  • Read-only Domain Controllers
  • Replicator
  • Schema Admins
  • Server Operators

The built-in users that are affected with Windows 2008 are:

  • Administrator
  • Krbtgt
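
Added example (not from the original post): a function that lists the accounts SDPROP has stamped with adminCount=1, shows whether inheritance is blocked on each, and whether the account is still a member of one of the protected groups above. It assumes the ActiveDirectory PowerShell module (RSAT) and is written for the PowerShell 2.0 that ships with Server 2008 R2. An account that has left a protected group keeps adminCount=1 and the blocked inheritance until both are cleared by hand, so re-checking the box only sticks for accounts that are no longer members.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-AdminSdHolderProtectedUsers {
    [CmdletBinding()]
    param()

    # Protected groups from the list above that hold user accounts
    $protectedGroups = 'Account Operators', 'Administrators', 'Backup Operators', 'Domain Admins',
                       'Enterprise Admins', 'Print Operators', 'Replicator', 'Schema Admins', 'Server Operators'
    # Built-in users that are protected directly, without a group membership
    $protectedUsers  = 'Administrator', 'krbtgt'

    # Map member DN -> group name, expanding nested membership
    $memberOf = @{}
    foreach ($g in $protectedGroups) {
        try {
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object { $memberOf[$_.DistinguishedName] = $g }
        }
        catch {
            # Enterprise Admins and Schema Admins only exist in the forest root domain
            Write-Verbose "Skipping $g : $($_.Exception.Message)"
        }
    }

    # adminCount=1 is the marker SDPROP leaves on every object it has stamped
    Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, nTSecurityDescriptor |
        ForEach-Object {
            $group = $memberOf[$_.DistinguishedName]
            if (-not $group -and ($protectedUsers -contains $_.SamAccountName)) { $group = '(built-in user)' }
            New-Object PSObject -Property @{
                SamAccountName     = $_.SamAccountName
                # $true means "include inheritable permissions" is unchecked on the object
                InheritanceBlocked = $_.nTSecurityDescriptor.AreAccessRulesProtected
                ProtectedGroup     = $group
                # No current membership: adminCount and the blocked ACL are leftovers from an
                # earlier membership, and SDPROP will not undo them for you
                Stale              = ($group -eq $null)
            }
        }
}

Get-AdminSdHolderProtectedUsers | Format-Table SamAccountName, ProtectedGroup, InheritanceBlocked, Stale -AutoSize
```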

Contacts vs Subscribers in OCS 2007 R2

In OCS 2007 R2 deployments with a large number of users with large contact lists, you may have users who see colleagues with unknown presence. Troubleshooting this may prove difficult because there is nothing wrong with the system; it is by design. The reason is that the Default Presence Policy has a set of limits and restrictions that affect presence. The following table describes the available presence policy settings:
By default, the Default Policy and Service: Medium presence policies are installed when you deploy Office Communications Server 2007 R2. The following table describes the specific settings of the two presence policies.
So what does this mean?
  • CategorySubscriptions: defines how many users can get your presence information
    • Max: 3000 / 5 = 600. Additional users will see you as presence unknown
    • We divide by 5 because of the five categories that make up the presence document:
      • contactCard
      • calendarData
      • Note
      • Services
      • State categories
    • The result is that 400 out of 1000 users who have you in their contact list will see presence unknown
    • Setting a large number here will have a significant impact on performance if the average user has a larger number of users subscribing to their presence
  • PromptedSubscribers: maximum number of queued presence subscription alerts
    • Max: 500
    • Determines the maximum number of prompts that can be queued up for a given user
      • An “acknowledgement prompt” is created when a subscriber subscribes to a user’s presence
      • Once the user acknowledges the subscription, the entry is moved
      • Most of the time there will only be a few entries in this table (assuming the user acknowledges the prompts and doesn’t just ignore them)
    • This table could get full in certain situations, for example when users are imported into the system
    • Setting a larger number here has no real impact on performance
  • “Maximum contacts per user”: maximum number of contacts in a user’s contact list
    • Max 1000, default 200
    • If you have 1000 users and all those 1000 users indeed have 1000 contacts, then each user will get presence unknown for 400 contacts
Conclusion:
If you see users start getting presence unknown you should increase the CategorySubscriptions number in the Default Policy for presence. If you still have issues, you should help your customer reevaluate how they use the contact list in Communicator. One of the strengths of Communicator is that you don’t need to add the entire organization to your list, because you can search for contacts you do not collaborate with on a daily basis and see their presence status.

As long as you have 1000 users and only a few of them indeed have 1000 contacts while the others have a lot fewer, so that no user gets more than 600 subscriptions, then nobody will get presence unknown. You could say that to be on the safe side “Maximum contacts per user” should allow only 600, but Microsoft decided to allow slightly more, as the experience in practice is that not all users will add contacts to the max; a few want to, and that is what they are making possible.


Solved: OCS 2007 R2 integration with Exchange UM when mobile phone is primary number

I am proud to announce that we have solved a problem we had with Exchange UM integration with OCS 2007 R2 when the user’s mobile phone is the primary number.

Background information

In Norway and Scandinavia it is normal for end users to have a mobile phone as both work and private phone. A lot of companies in Norway have adopted mobile phone numbers as their primary phone numbers and can only be reached using these types of numbers. Traditionally the operators have offered their customers network-centric logic for call handling and switchboards, using only mobile phones as terminals. Since the users use the same phone at work and privately, they only have their mobile number, and the numbers follow the users and not the company. When we started deploying OCS 2007 R2 for these companies they wanted the solution to be built using mobile phone numbers as the primary number when calling from Communicator. Operators in Norway such as Telenor and Netcom are therefore offering IP trunks that can integrate with OCS 2007 R2. With these IP trunks they can rewrite the caller’s number from a PSTN number to the mobile phone number before the call reaches the PSTN network, and by that realize single number reach. And when the called party calls back to the mobile phone number, the OCS PSTN number is called at the same time using dual forking provided by the operator. This is how single number reach is realized when the mobile phone is the main number, and it works great. The end users do not have a clue what their real number in OCS is.

The Problem

If you throw Exchange UM into this mix with single number reach and mobile phone as primary number you get an issue. The integration itself works fine and as expected. The problem occurs when the users log off their computers and go to meetings, drive home or are generally not logged in. When you are not logged in to Communicator and someone calls you, OCS will answer the call in under a second, ignoring the user’s call forwarding settings in Communicator, and forward it to Exchange UM, resulting in users losing the call on the mobile phone. Exchange UM therefore breaks the solution. This is by design, and we had not been able to implement Exchange UM in the UC mix in these scenarios until now.

Why Exchange Unified Messaging in conjunction with OCS

So why are we so eager to implement Exchange UM in these scenarios? When using the operators’ own network-centric voice mail features we lose some technology and integration. By default the users get an SMS telling them they have a new message, and they can call in and hear the message. A lot of users set up their voice mail so that it sends an email with a wav file of the message to their inbox. After listening to the wav file and archiving or deleting it, they still get the SMS about the unheard message; there is no integration with their inbox telling the voice mail system that they have already handled it. The result is that the SMS can tell them they have several unheard messages when that is not true. That is why we want to have Exchange UM deployed, to have a complete UC solution.

Exchange UM has several advantages, to name a few:

  • Integration with the Exchange inbox: messages that are heard/read from Outlook, Outlook Web App or a mobile phone through ActiveSync are also marked as read when calling the Exchange UM service
  • Call back functionality directly from Outlook Web App: you can have Exchange UM call you and play the message on the phone of your choosing
  • A note field integrated in Outlook and Outlook Web App gives you the ability to take notes in Outlook while listening to the message, save them and have them indexed
  • You can call Exchange UM and rearrange your calendar, a good thing when you are late for a meeting and travelling in a car
  • Read more about the Exchange UM server role here: http://technet.microsoft.com/en-us/library/bb125141.aspx

The solution

I have spent the better part of a year trying to find someone to help me with this. After some research I found out that it was possible to work around this using Front End scripts and a program to put the call on hold for a given period of time. This summer I came in touch with a Scandinavian developer company called Competella. They develop applications based on the UCMA (Unified Communications Managed API) and are currently developing a switchboard attendant application that integrates call control with an advanced directory search tool, access to presence, calendar, e-mail and IM. The system adds attendant call control functionality to Microsoft OCS beyond the level found in legacy PBXs. They developed a script and a program that checks the status of the user. If the user is offline it puts the call on hold for 20 seconds before forwarding it to Exchange UM, and by that solves the problem we had with single number reach using mobile phones and Exchange UM. This also works if the user has the status “in a mobile call” set by third-party programs that get free/busy status for the users’ mobile phones from the operators.

Conclusion

By using the script and program from Competella we are now able to complete our UC deployments with Exchange UM when mobile phone is the primary number in a single number reach scenario. With this we can realise enterprise voice mail for mobile phones as well as OCS/Lync.

Gartner Magic Quadrant for Unified Communications 2010

Gartner updated their Magic Quadrant for Unified Communications in July 2010. It is always interesting to see what Gartner has to say about the UC market. It is good to see that Microsoft is still in the lead, followed closely by Cisco and Avaya. What we can see from 2009 to 2010 is that Microsoft is still in the lead while IBM has been reduced to a challenger. Cisco and Avaya have gotten a clearer UC message and are following Microsoft closely. I often use this in presentations at seminars to explain some of the reasons why we promote Microsoft as the UC vendor of choice.

Here is what Gartner has to say about Microsoft in their article:

Microsoft

Microsoft’s UC solution is based on Exchange Server, OCS and Active Directory. Microsoft has strategic partnerships with Aspect and HP, along with a large and growing set of partnerships for gateways, survivable branch appliances, IP phones, audioconferencing service providers and SIP trunking, along with major system integrators and channel partners. OCS also integrates with collaboration and business applications like SharePoint. The same OCS and Exchange application is also used for Microsoft’s online collaboration suite, Business Productivity Online Standard Suite (BPOS).

Strengths
  • Microsoft OCS 2010 R2 has seen year-over-year increased adoption for voice and audioconferencing, and now states that it has 100-plus deployments of over 2,000 telephony users. The next release of OCS, Microsoft Communication Server “14,” scheduled for this calendar year, will add several critical telephony functions.
  • Exchange UM continues to gain acceptance and maturity in the market. Deployments have expanded beyond smaller (fewer than 2,000 subscribers) into the midsize (2,000 to 5,000 subscribers), with a few deployments in the very large (10,000-plus subscribers) market. In Exchange Server 2010, calendar access is integrated with the UM telephone interface, as is text-to-speech rendering of audio messages.
  • Microsoft’s historic strength in collaboration and desktops, combined with promising, emerging real-time communications, results in significant potential. Emerging areas include increased visibility of SIP trunks from carriers and from IP-PBX providers, significant new end-to-end UC solution providers, such as HP, and increased presence in contact centers.
  • Enterprises looking into UC, particularly those with Microsoft applications already in place, should understand Microsoft’s broad UCC paradigm. When considering telephony specifically, OCS can be deployed in different configurations, depending on enterprise directions and requirements. It can be deployed with a PBX so that both are in parallel use for telephony, or it can be deployed to perform nontelephony functions, leaving telephony to the IP-PBX. As OCS matures in 2011, OCS may be able to perform complete stand-alone telephony services.

Cautions

  • The telephony functionality in OCS 2007 R2 remains in the early stage, and OCS has not yet been proved as a complete telephony displacement. Enterprise planners should understand that OCS 2007 R2 has limitations, and should carefully evaluate some critical newer features in the forthcoming version of OCS, such as call admission control and E911.
  • Microsoft’s OCS audioconferencing and videoconferencing product set has expanded its interoperability and endpoint support abilities this year, but these functions remain new and have not yet been proved in the market.
  • Many OCS communication functions, such as telephony, video and public switched telephone network (PSTN) integration, require solution integrators and employees with different skills than many firms presently have. Planners should ensure that their providers and internal staff have relevant experience in key areas.
  • Currently, OCS offers an attractive initial price point for bundled communications and collaboration; however, voice capabilities will be priced separately in subsequent releases. Although some users will be allowed grandfathered pricing, others may see the competitive price advantage of the OCS bundle disappear.

Link to the full article: http://www.gartner.com/technology/media-products/reprints/microsoft/vol10/article19/article19.html

How to check SRV records for OCS and Exchange

A critical part of an OCS deployment is the SRV records used for automatic sign-in. It is critical that these are present and configured correctly. An easy way to check them is using nslookup. Below is how to check SRV records, and which SRV records need to be present.

  1. Open cmd
  2. Type: nslookup
  3. Type: set type=all
  4. Type the SRV record to list its content

For OCS 2007 R2

  • External
    • _sip._tls.domain.com
      • Usually points to Access EDGE FQDN on port 443 
    • _sipfederationtls._tcp.domain.com
      • Usually points to Access EDGE FQDN on port 5061
  • Internal
    • _sipinternaltls._tcp.domain.com
      • Usually points to Pool name with correct sip domain on port 5061

For Exchange 2007/2010

  • External autodiscover
    • _autodiscover._tcp.domain.com
      • Usually points to owa FQDN listener with NTLM negotiate on port 443
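
Added example (not from the original post): a function that queries the SRV records listed above with Resolve-DnsName, compares the port with what the post says they usually point to, and optionally checks that the target answers on that port. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection; on older systems use nslookup as described above. Pass a public resolver with -DnsServer to see what external clients get.

```powershell
# Added example, not from the original post. Needs Windows 8 / Server 2012 or later.
function Test-UcSrvRecords {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)] [string]$SipDomain,
        # Also open a TCP connection to each target on the advertised port
        [switch]$TestPort,
        # Ask a specific resolver (e.g. a public one) to see what external clients get
        [string]$DnsServer
    )

    # Record name -> the port and role the post says it usually points to
    $expected = @{
        "_sip._tls.$SipDomain"              = @{ Port = 443;  Role = 'Access Edge, external sign-in' }
        "_sipfederationtls._tcp.$SipDomain" = @{ Port = 5061; Role = 'Access Edge, federation' }
        "_sipinternaltls._tcp.$SipDomain"   = @{ Port = 5061; Role = 'Front End pool, internal sign-in' }
        "_autodiscover._tcp.$SipDomain"     = @{ Port = 443;  Role = 'Exchange Autodiscover' }
    }

    foreach ($name in $expected.Keys) {
        $query = @{ Name = $name; Type = 'SRV'; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $query.Server = $DnsServer }
        # Additional-section A records come back too, so keep only the SRV answers
        $records = @(Resolve-DnsName @query | Where-Object { $_.Type -eq 'SRV' })

        if ($records.Count -eq 0) {
            [pscustomobject]@{ Record = $name; Role = $expected[$name].Role; Target = $null; Port = $null; Status = 'MISSING' }
            continue
        }
        foreach ($r in $records) {
            $status = 'OK'
            if ($r.Port -ne $expected[$name].Port) { $status = "UNEXPECTED PORT, usually $($expected[$name].Port)" }
            if ($TestPort -and $status -eq 'OK') {
                $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
                if (-not $tcp.TcpTestSucceeded) { $status = 'RESOLVES BUT PORT CLOSED' }
            }
            [pscustomobject]@{ Record = $name; Role = $expected[$name].Role; Target = $r.NameTarget; Port = $r.Port; Status = $status }
        }
    }
}

# Run from inside for the internal record, and from outside (or with -DnsServer) for the external ones
Test-UcSrvRecords -SipDomain 'domain.com' -TestPort | Format-Table -AutoSize
```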

Exchange 2010 RTM and SP1 OWA Integration With OCS 2007 R2

I recently integrated Exchange 2010 RTM OWA with OCS 2007 R2 for chat and presence. Having read some blog posts about how to implement the feature, I decided to blog how I got this feature working based on these blogs and my own findings. I will cover the steps for both the Exchange 2010 RTM and SP1 versions since the steps are different.

Prerequisites

  1. Download and install OCS 2007 R2 Web Trust Tool on the Exchange 2010 server
    1. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=ca107ab1-63c8-4c6a-816d-17961393d2b8 
    2. Locate and install the following files in elevated mode by running cmd.exe as administrator
      • vc_redistx64
      • UCMAredist.msi
      • CWAOWASSP.msi
  2. If the Exchange 2010 server is running on Server 2008 R2 you also need to install the latest cumulative hotfix update for OCS 2007 R2 on the Exchange server
    1. http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=b3b02475-150c-41fa-844a-c10a517040f4
    2. Download and run ServerUpdateInstaller.exe
    3. Also download the latest update for UCMAredist that is not included in CU5
    4. Reboot the server

Configuring Exchange 2010 RTM

NOTE: The below steps need to be done on all Exchange 2010 CAS servers in your deployment

  1. Download and run the PowerShell script found in the link below
    1. https://msunified.net/exchange-downloads/script-imexintegration-ps1/
    2. The script will not configure anything
    3. It takes a backup of web.config and generates the configuration you need to add to the web.config file manually
    4. The script makes it easy to generate the correct syntax for populating the keys below
  2. Navigate to the web.config file
    1. C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess\Owa\web.config
    2. Edit the file and search for the string IMPoolName
    3. Replace the three “add key” strings with the ones provided by the script
  3. In Exchange Management Shell run the following command to configure the OWA Virtual Directory
    • Get-OwaVirtualDirectory -Server "CasServer" | Set-OwaVirtualDirectory -InstantMessagingType 1
      • NOTE: The RTM documentation states OCS, but that doesn’t work. Use 1 as InstantMessagingType
  4. Run iisreset in PowerShell

Configuring Exchange 2010 SP1

The Exchange 2010 SP1 guide is based on this great post written by Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/ The configuration on Exchange is now moved from web.conf to the per server OWA Virtual Directory. I will definitely create a script automating the below process when I get more hands on :)

NOTE: The below steps need to be done on all Exchange 2010 CAS servers in your deployment

  1. Get the active Exchange 2010 certificate using this command in Exchange Management Shell 
    • Get-ExchangeCertificate | Where-Object {$_.Services -match "IIS"} | Get-ExchangeCertificate | fl thumbprint,subject
      • This command gets the active certificate on the local server, because only one certificate can have IIS as service at a time
  2. Use the thumbprint and OCS pool FQDN in the command below
    • Get-OwaVirtualDirectory -Server "CasServer" | Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint 4DC1EE3506E06E971FF82AC8DD60015EAC11B21E -InstantMessagingServerName ocspool01.domain.local -InstantMessagingType OCS -InstantMessagingEnabled $true
      • NOTE: This time we use OCS as InstantMessagingType
  3. Run iisreset
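
Added example, not the script the author mentions: a function for Exchange Management Shell that runs the three SP1 steps above on every CAS server in the organization, using the same cmdlets and parameters as shown. The OCS pool FQDN is passed in (the value below is a placeholder), and -WhatIf shows what would be changed without touching anything.

```powershell
# Added example, not the author's script. Run in Exchange Management Shell (Exchange 2010 SP1).
function Set-OwaOcsIntegration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # OCS pool FQDN, e.g. ocspool01.domain.local (placeholder, use your own)
        [Parameter(Mandatory = $true)] [string]$OcsPoolFqdn
    )

    $casServers = Get-ExchangeServer | Where-Object { $_.IsClientAccessServer }

    foreach ($server in $casServers) {
        # Step 1: the certificate bound to IIS on this server (only one can hold the IIS service)
        $cert = Get-ExchangeCertificate -Server $server.Name |
                Where-Object { $_.Services -match 'IIS' } |
                Select-Object -First 1
        if (-not $cert) {
            Write-Warning "$($server.Name): no certificate with the IIS service, skipping"
            continue
        }

        # Step 2: point the OWA virtual directory at the OCS pool using that thumbprint
        if ($PSCmdlet.ShouldProcess($server.Name, "Enable OWA IM integration against $OcsPoolFqdn")) {
            Get-OwaVirtualDirectory -Server $server.Name |
                Set-OwaVirtualDirectory -InstantMessagingCertificateThumbprint $cert.Thumbprint `
                                        -InstantMessagingServerName $OcsPoolFqdn `
                                        -InstantMessagingType OCS `
                                        -InstantMessagingEnabled $true

            # Step 3: recycle IIS on that server so the new settings are picked up
            & iisreset.exe $server.Name | Out-Null
        }

        # The certificate subject CN is the FQDN to enter as authorized host on the OCS pool
        New-Object PSObject -Property @{
            Server     = $server.Name
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
        }
    }
}

# Dry run first; drop -WhatIf to apply
Set-OwaOcsIntegration -OcsPoolFqdn 'ocspool01.domain.local' -WhatIf | Format-Table -AutoSize
```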

Configuring OCS 2007 R2

In order to allow the Exchange 2010 server to communicate with OCS using SIP for presence and chat, you need to add every Exchange 2010 CAS server as an authorized host on OCS.

  1. On your OCS R2 pool server configure the authorized host
    • NOTE: Your user needs to be a member of the RTCUniversalServerAdmins group
  2. Open Office Communications Server R2 under Administrative Tools
  3. Expand the forest and Enterprise pools or Standard Edition Servers depending on your deployment
  4. Right-click your pool and choose Properties -> Front End Properties
  5. Go to the Hosts Authorization tab
  6. Add the Client Access server FQDN and configure it as shown in the image below
    • NOTE: This is the FQDN of the subject name (CN) on the certificate used on the CAS server


Troubleshooting the Installation (RTM)

Next are a few troubleshooting steps that can assist with some of the more common problems encountered with Exchange/OCS integration. I found these valid troubleshooting steps on Rand Morimoto’s post: http://www.networkworld.com/community/node/47348

Configuring the Firewall on the CAS Server

If the Client Access Server has the Windows Firewall enabled, it might need an exception to enable OCS 2007 R2 to communicate with it. To create the exception, perform the following steps:

  1. From the Control Panel, open Windows Firewall 
  2. On the left side of the Windows Firewall window, click “Allow a Program Through Windows Firewall”.
  3. Click Add Program; then click Browse.
  4. Browse to C:\Windows\System32\inetsrv and select w3wp.exe.
  5. Click Open and then click OK twice to apply changes and close the window. Be sure to perform this step on all CAS servers with IM integration enabled.

User Configuration

  • Before the user community can utilize the IM features, they must be “provisioned” for Office Communications Server R2 and must be enabled for Enhanced Presence. When a user is initially enabled on OCS 2007 R2, they will automatically be enabled for Enhanced Presence.
  • Users must also have a valid SIP proxy address for the OWA IM integration component to enable the IM Integration UI.
  • When attempting to view the Instant Messaging contact list, a user might receive a notification that states
    • Instant Messaging Isn’t Available Right Now. The Contact List Will Appear When the Service Becomes Available.
  • If this occurs, perform the following steps:
    1. Using the same user account, confirm that you can access the IM services using the Office Communicator 2007 R2 client.
    2. If functional, confirm that the OCS Server name is properly entered in the Web.Config file of the CAS server.
    3. Also confirm the configuration of the Authorized Hosts option on the OCS pool contains all IM Integrated Client Access Servers.

OWA Certificate Error

If OWA cannot locate the certificate, an error stating The Local Certificate Specified Was Not Found in the Store for the Local Computer appears.

In this case, confirm that the value of the OCSCertificateIssuer and OCSCertificateSerialNumber fields in the Web.Config file are correct. Also ensure that there are blank spaces between every two characters in the serial number to separate octets in the string.

References

TechNet: http://technet.microsoft.com/en-us/library/ee633458%28EXCHG.140%29.aspx
Chris and Robin’s Technology blog: http://chrislehr.com/2009/11/implementing-integrated-ocs-in-owa-2010.htm
Martin Sundström: http://msundis.wordpress.com/2010/06/21/integrate-ocs-2007-r2-with-exchange-server-2010-sp1-owa/
Rand Morimoto: http://www.networkworld.com/community/node/47348

No Audio and Video with external clients when OCS R2 EDGE is behind NAT

I had a mind-boggling troubleshooting session the other day where the problem was audio and video through a consolidated OCS EDGE server with NAT’ed interfaces. I ran Network Monitor and analyzed the SIP logs on all involved machines:

  • Inside Client
  • Customer OCS Front End
  • Customer OCS EDGE
  • Outside Federated Client
  • Firewall

The Symptoms

  • SIP, Presence and IM working fine
  • The call gets connected but fails with no media connectivity after just a few seconds
  • No RTP traffic on any machine in Network Monitor
  • In the SIP log we could see that the client used NAT AV EDGE IP, not public IP
    • Therefore there is no media connectivity, because the external client and the external EDGE can’t reach that IP
    • When the internal client and the federated client were on the same subnet, audio and video worked fine

The Solution

I read Rick Varvel’s blog post up and down, studied all the fine print and found that the internal client has to be able to resolve the public IP of the A/V EDGE server. This is an issue when the internal DNS is authoritative for the external domain without all the external entries.

Below are the complete steps to set up OCS 2007 R2 EDGE when behind NAT

  1. Implement OCS 2007 R2 EDGE with at least two NICs
    • One internal
    • One or more external
    • When you have more than one external NIC, beware of the Strong Host Model in Server 2008, where NICs don’t share gateways and media flow works differently
  2. Configure the firewall to perform DNAT inbound and SNAT outbound for the A/V Edge external interface
  3. Configure the internal NIC with an IP address and FQDN that is resolvable from your internal subnets
  4. Configure the external NICs with the NAT’ed IP addresses, not the public ones, because you are behind NAT
  5. Make sure that the OCS 2007 R2 EDGE server can resolve all the external FQDNs to the public IP addresses
    • Add them in the external DNS
    • Or add them in the local hosts file
  6. Make sure that the A/V EDGE public IP and FQDN are resolvable from the internal client subnets
  7. Make sure that the OCS 2007 R2 EDGE server knows it is behind NAT
    • On your edge server go to Start -> Run and type compmgmt.msc
    • Expand Services and Applications
    • Expand Office Communications Server
    • Right-click the OCS EDGE entry and choose Properties
    • Under A/V EDGE server make sure that the “External IP address is translated by NAT” check box is checked
    • Press Apply and exit
    • Restart the OCS EDGE services
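
Added example (not from the original post): a check to run from an internal client subnet that confirms the A/V Edge FQDN resolves to the expected public IP, and flags a private (RFC 1918) answer, which is the symptom above where the client put the NAT’ed A/V Edge IP in its media offer. The FQDN and public IP are placeholders; it assumes Resolve-DnsName (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original post. Needs Windows 8 / Server 2012 or later.
function Test-AvEdgePublicResolution {
    [CmdletBinding()]
    param(
        # A/V Edge external FQDN (placeholder)
        [Parameter(Mandatory = $true)] [string]$AvEdgeFqdn,
        # The public IP the firewall DNATs to the A/V Edge external NIC (placeholder)
        [Parameter(Mandatory = $true)] [string]$ExpectedPublicIp
    )

    # RFC 1918 ranges: an answer in here means internal DNS hands out the NAT'ed address
    function Test-PrivateIPv4([System.Net.IPAddress]$ip) {
        $b = $ip.GetAddressBytes()
        ($b[0] -eq 10) -or
        ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
        ($b[0] -eq 192 -and $b[1] -eq 168)
    }

    $answers = @(Resolve-DnsName -Name $AvEdgeFqdn -Type A -ErrorAction SilentlyContinue |
                 Where-Object { $_.Type -eq 'A' })
    if ($answers.Count -eq 0) {
        return [pscustomobject]@{
            Fqdn = $AvEdgeFqdn; Resolved = $null
            Status = 'NOT RESOLVABLE: add an A record for the public IP to the internal DNS (step 6)'
        }
    }

    foreach ($a in $answers) {
        $ip = [System.Net.IPAddress]($a.IPAddress)
        $status = if ($a.IPAddress -eq $ExpectedPublicIp) { 'OK' }
                  elseif (Test-PrivateIPv4 $ip) { 'PRIVATE ADDRESS: clients will offer the NAT IP and media fails' }
                  else { 'UNEXPECTED IP: compare with the firewall DNAT rule' }
        [pscustomobject]@{ Fqdn = $AvEdgeFqdn; Resolved = $a.IPAddress; Status = $status }
    }
}

# 203.0.113.10 is a documentation address used here as a placeholder for the real public IP
Test-AvEdgePublicResolution -AvEdgeFqdn 'av.domain.com' -ExpectedPublicIp '203.0.113.10'
```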

Resources

Rick Varvel: http://blogs.technet.com/rickva/archive/2009/04/03/Configuring-A_2F00_V-Edge-Service-for-NAT.aspx
Mino – The UC Guy: http://theucguy.wordpress.com/2009/03/04/the-ocs-2007-r2-edge-and-nat/
Elan Shudnow – Audio/Media Negotiation: https://msunified.net/2009/08/30/office-communications-server-2007-r2-audiomedia-negotiation/
Inside OCS – Ports required for OCS 2007 R2 EDGE: http://blog.insideocs.com/2008/08/20/what-ports-do-i-need-to-open-on-my-firewall/
msunified.net – Single consolidated EDGE server clarified: https://msunified.net/2009/07/01/single-consolidated-edge-server-clarified/

Installing OCS 2007 R2 Prerequisites on Windows Server 2008 R2

Server 2008 R2 is now supported by OCS 2007 R2. As a follow-up to my post on Installing OCS 2007 R2 Prerequisites on Windows Server 2008, I will in this post describe how you can install the OCS 2007 R2 prerequisites on Server 2008 R2. While you need to install the same prerequisites on both operating systems, there is a change in what commands you use, and you also need to prepare the server in a different way when installing on Server 2008 R2.

Part one – Before you install OCS 2007 R2 binaries

  • Open powershell as administrator and run the following commands
    • Import-Module ServerManager
    • Add-WindowsFeature as-net-framework,desktop-experience,telnet-client
      • This installs the following features
        • [As-Net-Framework] – .Net Framework 3.5 SP1
        • [Desktop-Experience] – Desktop Experience
        • [Telnet-Client] – Telnet Client (recommended not required)
  • Request the hotfix that is described in KB975858 for Windows Server 2008 R2
    • You need to request it, then you receive a link by email, from where you can download and install it
  • Install the prerequisites for the specific role as described in part three
  • Run Windows Update until everything is updated
  • Install the OCS 2007 R2 binaries for the role you are installing

Part two – After you install OCS 2007 R2 binaries

  • When you try to activate the OCS 2007 R2 Standard Edition, Enterprise Edition or Edge Server role with all Windows updates installed, it fails
    • Download and install OCSASNFix.exe
    • Re-run the activation wizard
  • Download and install the latest cumulative updates for OCS 2007 R2
  • If you have XP or Vista clients in your enterprise, change the default NTLM security settings from 128-bit encryption to “No minimum”
    • Start secpol.msc on the Windows Server 2008 R2 server
    • Select Local Policies and then click the Security Options node
    • Make sure that the following values of the policies are set to “No Minimum.”

Part three – Commands to install the necessary prerequisites for OCS 2007 R2 on Windows Server 2008 R2

Front End on Windows Server 2008 R2

  • Import-Module ServerManager
  • Add-WindowsFeature web-windows-auth,web-mgmt-compat,web-mgmt-console,web-http-logging,msmq-server,msmq-directory,was-process-model,was-config-apis,web-static-content,rsat-adds

Installs the following components:

  • [Web-Windows-Auth] – Windows Authentication
  • [Web-Mgmt-Compat] – IIS 6 Management Compatibility
  • [MSMQ-Server] – Message Queuing Server
  • [MSMQ-Directory] – Directory Service Integration
  • [RSAT-ADDS] – Active Directory Domain Services Tools
  • [WAS-Process-Model] – Process Model
  • [WAS-Config-APIs] – Configuration APIs
  • [Web-Mgmt-Console] – IIS Management Console
  • [Web-Http-Logging] – HTTP Logging
  • [Web-Static-Content] – Static Content

NOTE: If you are going to run the Create Pool wizard from the Front End server against SQL 2008, you also need the MS SQL Native Client X64 package (sqlncli.msi, 7963 KB).
Also check out this post of mine on whether to run Create Pool on the OCS Front End or the back-end SQL server: https://msunified.net/2009/08/11/create-pool-%e2%80%93-run-on-ocs-or-sql-server/

Office Communicator Phone Edition deployment on Windows Server 2008

  • Import-Module ServerManager
  • Add-WindowsFeature Web-Static-Content

Installs the following components in addition to Front End prerequisites:

[Web-Static-Content] – Static Content

NOTE: Default MIME types exist for both the .xml and .cat extensions used by the updater. There is, however, no default for the .nbt extension, and you need to configure it manually. See this post on how to do it: http://www.codesalot.com/2010/communicator-phone-edition-update-issues/

Monitoring Server on Windows Server 2008

  • Import-Module ServerManager
  • Add-WindowsFeature msmq-server,msmq-directory

Installs the following components:

  • [MSMQ-Server] – Message Queuing Server
  • [MSMQ-Directory] – Directory Service Integration

CWA Server on Windows Server 2008

  • Import-Module ServerManager
  • Add-WindowsFeature web-windows-auth,web-digest-auth,web-basic-auth,web-mgmt-compat,web-mgmt-console,web-common-http,web-ISAPI-ext,web-ISAPI-filter,web-request-monitor,web-http-redirect,web-http-logging

Installs the following components:

  • [Web-Windows-Auth] – Windows Authentication
  • [Web-Digest-Auth] – Digest Authentication
  • [Web-Basic-Auth] – Basic Authentication
  • [Web-Mgmt-Compat] – IIS 6 Management Compatibility
  • [Web-Mgmt-Console] – IIS Management Console
  • [Web-Common-Http] – Common HTTP Features
  • [Web-ISAPI-Ext] – ISAPI Extensions
  • [Web-ISAPI-Filter] – ISAPI Filters
  • [Web-Request-Monitor] – Request Monitor
  • [Web-Http-Redirect] – HTTP Redirection
  • [Web-Http-Logging] – HTTP Logging

Mediation Server on Windows Server 2008

  • Import-Module ServerManager
  • Add-WindowsFeature rsat-adds

Installs the following components:

  • [RSAT-ADDS] – Active Directory Domain Services Tools
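As an added example (not code from the original post), the prerequisite lists above for the Phone Edition update, Monitoring, CWA and Mediation roles rolled into one check-then-install script that can be re-run safely; the role names used as hash keys are my own labels, the feature names are the ones listed above:

```powershell
# Added example, not from the original post. Feature names are taken from the
# role prerequisite lists above (Windows Server 2008 ServerManager names).
Import-Module ServerManager

$rolePrereqs = @{
    'PhoneEditionUpdates' = @('Web-Static-Content')
    'Monitoring'          = @('MSMQ-Server','MSMQ-Directory')
    'CWA'                 = @('Web-Windows-Auth','Web-Digest-Auth','Web-Basic-Auth',
                              'Web-Mgmt-Compat','Web-Mgmt-Console','Web-Common-Http',
                              'Web-ISAPI-Ext','Web-ISAPI-Filter','Web-Request-Monitor',
                              'Web-Http-Redirect','Web-Http-Logging')
    'Mediation'           = @('RSAT-ADDS')
}

function Get-MissingPrereq {
    param([Parameter(Mandatory=$true)][string]$Role)
    $wanted = $rolePrereqs[$Role]
    if (-not $wanted) { throw "Unknown role '$Role'" }
    # Get-WindowsFeature reports Installed=$false for features not yet present
    Get-WindowsFeature -Name $wanted | Where-Object { -not $_.Installed } |
        Select-Object -ExpandProperty Name
}

function Install-Prereq {
    param([Parameter(Mandatory=$true)][string]$Role)
    $missing = @(Get-MissingPrereq -Role $Role)
    if ($missing.Count -eq 0) { "All $Role prerequisites are already installed"; return }
    $result = Add-WindowsFeature -Name $missing
    if (-not $result.Success) { throw "Add-WindowsFeature failed for: $($missing -join ', ')" }
    if ($result.RestartNeeded -ne 'No') { "Reboot required before continuing the $Role setup" }
    # Re-check so a partially failed install is not mistaken for success
    $still = @(Get-MissingPrereq -Role $Role)
    if ($still.Count) { throw "Still missing after install: $($still -join ', ')" }
}

# Pick the role for the server you are on, e.g. the CWA server
Install-Prereq -Role 'CWA'
```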

References:
For base OS prerequisites: http://support.microsoft.com/kb/982021
For supporting OCS 2007 R2 after raising the domain functional level: http://support.microsoft.com/kb/982020

After installing the latest cumulative updates to OCS 2007 R2 some services don’t start

I have experienced this issue in my latest OCS deployments now and want to share this information. This issue happens after installing the January cumulative updates server-side. This issue is not related to the CryptoAPI issue described here: https://msunified.net/2009/10/14/for-now-hold-off-on-installing-kb-974571-on-ocs-2007-r2-servers-and-possibly-r1/

The Problem

  • I have experienced this issue on Enterprise Front End servers and Mediation servers
  • After a reboot it takes ages before you are able to connect through RDP; ping works fine
  • When you finally log in you find that the Front End or Mediation service has not started
  • When you start the services everything works fine

The Solution

  • Set the services below to automatic start
    • [Winmgmt] – Windows Management Instrumentation
    • [Keyiso] – CNG Key Isolation
    • [WMIapsrv] – WMI Performance Server
    • [Rasman] – Remote Access Connection Manager
  • On the Enterprise Front End server make the rtcsrv service dependent on the above services
    • Open Command Prompt as administrator and run the below command
    • sc config rtcsrv depend= WinMgmt/KeyIso/WmiApsrv/rasman
  • On the Mediation server make the rtcmedsrv service dependent on the above services
    • Open Command Prompt as administrator and run the below command
    • sc config rtcmedsrv depend= WinMgmt/KeyIso/WmiApsrv/rasman
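The two steps above as one PowerShell script, added here and not part of the original post. It assumes the OCS service names rtcsrv and rtcmedsrv from the commands above, and it merges the new dependencies with any the service already has, because sc.exe config depend= replaces the whole dependency list rather than appending to it.

```powershell
# Added example, not from the original post. Service names rtcsrv (Front End)
# and rtcmedsrv (Mediation) are those given in the commands above.
$supporting = 'Winmgmt','KeyIso','WmiApSrv','RasMan'

# Step 1: the four supporting services must start automatically
foreach ($name in $supporting) {
    Set-Service -Name $name -StartupType Automatic
}

# Step 2: make the OCS service depend on them. In PowerShell 'sc' is an alias
# for Set-Content, so the tool must be called as sc.exe. 'depend=' overwrites
# the existing dependency list, so merge with it before writing.
function Add-ServiceDependency {
    param(
        [Parameter(Mandatory=$true)][string]$ServiceName,
        [Parameter(Mandatory=$true)][string[]]$DependsOn
    )
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$ServiceName"
    $current = @()
    $item = Get-ItemProperty -Path $key -Name DependOnService -ErrorAction SilentlyContinue
    if ($item) { $current = @($item.DependOnService) }
    $merged = @($current + $DependsOn | Where-Object { $_ } | Sort-Object -Unique)
    # sc.exe wants the list slash-separated and a space after 'depend='
    & sc.exe config $ServiceName depend= ($merged -join '/')
    if ($LASTEXITCODE -ne 0) { throw "sc.exe config failed for $ServiceName (exit $LASTEXITCODE)" }
    return $merged
}

# Only the OCS service present on this box is touched (Front End or Mediation)
foreach ($svc in 'rtcsrv','rtcmedsrv') {
    if (Get-Service -Name $svc -ErrorAction SilentlyContinue) {
        $deps = Add-ServiceDependency -ServiceName $svc -DependsOn $supporting
        "{0} now depends on: {1}" -f $svc, ($deps -join ', ')
    }
}

# Step 3: verify what the Service Control Manager actually recorded
Get-WmiObject Win32_Service -Filter "Name='rtcsrv' OR Name='rtcmedsrv'" |
    Select-Object Name, StartMode, State
Get-Service -Name rtcsrv,rtcmedsrv -ErrorAction SilentlyContinue |
    Select-Object Name, @{n='DependsOn'; e={ ($_.ServicesDependedOn | ForEach-Object { $_.Name }) -join ', ' }}
```

Run it in an elevated PowerShell; a reboot afterwards confirms the OCS service now waits for the four supporting services before starting.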

I have seen similar problems discussed in the below blog posts:
by Mino – The UC Guy: http://theucguy.wordpress.com/2009/05/13/ocs-2007-r2-server-loses-network-connection-on-server-startup/
by Aaron Tiensivu: http://blog.tiensivu.com/aaron/archives/1909-OCS-2007-R2-services-hang-at-Starting-on-reboot-with-Server-2008.html

New trojan on MSN March 2010

On March 1, 2010 Telenor TSOC discovered that a new worm was on the loose on Windows Live Messenger. This time it is in your native language and therefore the probability of users actually clicking on the link is much greater. The worm sends a link from one of your contacts in MSN, and if you click it a trojan will be downloaded to your PC and install itself. This is a huge risk for businesses that allow users to use Windows Live Messenger on their company network. If one PC gets compromised on the internal network, the possibility of it infecting other PCs is even greater. This is one of the main reasons to implement OCS 2007 R2 as the only business solution for chat. Some arguments are:

  • Encrypted internal chat solution
  • All traffic stays inside your organization
  • Can federate and chat with other organizations in a secure manner
  • Can add global rules for blocking links, file transfers and unpatched clients
  • Can add MSN contacts and be sure that messages with links are blocked server-side

In addition to secure chat, OCS gives businesses the ability to implement Unified Communications and is therefore much more than just a chat client.

About this trojan

First you get a message from one of your contacts saying “seen this?? :D” with a link to hxxp://www.facebook-c.com/image.php?Photo023girl.JPG. The trojan adapts to the language of the computer and will display the text in your native language. In Norwegian it is “se på dette bildet :D” followed by the link. The link points to a site hosted at Yahoo, and the link was live for a day or two. It was still a huge security risk. The trojan is written in Visual Basic and executes a C++ program. It installed itself as c:\windows\winmbu.exe and granted itself access through the local firewall. The program gave the owner of the trojan the ability to perform:

  • Communication with C&C over the IRC protocol
  • Sending messages over MSN and Yahoo Messenger
  • Downloading and running files on the infected computer

At release date only 13 of 41 antivirus products detected this file. So even with up-to-date antivirus on the local computer, 69% of the antivirus solutions would not have detected it.

Link to the official article in Norwegian: http://telenorsoc.blogspot.com/2010/03/trojaner-spres-via-msn-messenger.html
Link to the antivirus protection overview: http://www.virustotal.com/analisis/89c677bc0044864d80244aee8201661e79f431f33c3b164aa778f363fe1cf9da-1267474859