Validate your Lync Server 2013 or Skype for Business 2015 Hybrid Configuration

Posted on by No Comments ↓

This post has been republished via RSS; it originally appeared at: Skype for Business Blog articles.

First published on TECHNET on Sep 27, 2016

Ever wondered if your Skype for Business 2015 or Lync Server 2013 Hybrid Configuration is setup properly? Tony Quintanilla and I have developed a script to help customers troubleshoot their hybrid environments. While the script can diagnose every problem, this one does touch on the main problems that are seen by Microsoft Skype for Business Support Engineers. We hope this script will save you time when trying to troubleshoot issues with your hybrid environment and look forward to hearing your feedback!

NOTE Special Thanks to TonyQ for coming up with the concept and initial design of this script.  I simply took what he had and added some additional logic and reporting.  This was truly a collaborative effort.  I could not have done it on my own

First things First.  You need to meet the following criteria in order to run the script :

Prerequisites and requirements:

  • Needs to have Skype Online Connector installed
  • User needs to be a member of the RTCUniversalServerAdmins, CsServerAdministrator, or CsHelpdesk domain group
    • This is required by the Lync/Skype Cmdlets to gather the correct information without throwing access errors.
  • User needs tenant admin credentials that have permissions to administer Skype for Business Online
    • This is needed to allow access to the Skype for Business Online session
  • TCP Port 5985 needs to be open from the Front End server to the Federated Edge servers for remote PowerShell
  • The script needs to be run in a PowerShell window opened as an Administrator
    • This is required by the script Cmdlets to gather the correct information without throwing access errors.
  • Internet Access to allow the Online Connector to sign into the Remote PowerShell Session.
  • Active Directory PowerShell Module ( RSAT-ADDS Feature )
    • This is required on a Front End server, but if you run this from another computer with the Lync/Skype admin tools, you will have to add this feature so that it can verify group membership for the Admin running the script.
  • PowerShell 3.0+

If you meet all of these requirements then let’s get going!.  Here is a list of the items the script checks:

  • On-Prem Settings
    • Sip Hosting Provider
      • ProxyFqdn
      • Enabled
      • VerificationLevel
      • SharedAddressSpace
      • AutodiscoverURL
    • Exchange Hosting Provider (UM)
      • ProxyFqdn
      • Enabled
      • SharedAddressSpace
    • Access Edge Configuration
      • AllowedFederatedUsers
      • RoutingMethod
    • Federated Edge
      • CMS Replication State
      • External Certificate SANs
      • SRV Records for _sipfederationtls._tcp.domain.com and returning A Record
        • Validates Strict DNS for SRV records
      • HOSTS file for Next Hop inbound server(s)
  • Online Settings
    • AllowFederatedUsers
    • SharedSipAddressSpace
  • Compare On-Prem and Online Settings
    • Open/Closed Federation
    • Allowed/Blocked Domains

Download the script here:

https://gallery.technet.microsoft.com/Validate-your-Lync-Server-017ed501

NOTE: The output files will be saved in the folder they run the script from, so make sure to change to a folder that has rights to.  If your PowerShell opens in C:\Windows\System32, it will save the files to your profile’s Documents folder.

When you execute: Validate-CsHybridConfiguration.ps1 you will be prompted for the Tenant credentials and the Edge Credentials.  Here is the expected output:

Validate-CsHybridConfiguration_Log

As you can see in the above output, the last two lines show you the path to the output files.  One is the log file that simply shows you the same items that are in the screenshot and the second is an HTML report that will show you Pass/Fail information for the given checks.

Validate-CsHybridConfiguration_HTML

Available Script Parameters:

OverrideAdminDomain [Optional]
Use the parameter to pass the onmicrosoft.com tenant domain if you are signing in with your vanity domain
i.e. ContosoTentant.onmicrosoft.com when signing in with cloudadmin@contoso.com

DomainController [Optional]
Use this parameter if the RTCUniversalServerAdmins group is in a different domain than the domain the Front End server is located

BypassAdminGroupCheck [Optional]
Use this switch to skip the RTCUniversalServerAdmins group check. ONLY use this if you have already validated membership and
you continue to get a failure on the group check.  If you use this bypass and you don't have the proper rights, you will get
unknown error responses throughout the running of the script.

Examples:

Standard execution:

.\Validate-CsHybridConfiguration.ps1

Using the OverrideAdminDomain which allows you to use your vanity domain credentials instead of having to use an Onmicrosoft.com login.

.\Validate-CsHybridConfiguration.ps1 -OverrideAdminDomain ContosoTentant.onmicrosoft.com

Using the DomainController gives you the ability to tell the script which domain the RTCUniversalServerAdmins group is located in comparison to which domain you are running the script from.  This happens when your Front End servers are in a different domain than your RTC Groups.

.\Validate-CsHybridConfiguration.ps1 -DomainController DC.contoso.com

Using the BypassAdminGroupCheck should only be used if DomainController parameter fails and you MANUALLY validated the membership in the RTCUniversalServerAdmins group.

.\Validate-CsHybridConfiguration.ps1 –BypassAdminGroupCheck

We hope this helps you in troubleshooting your Skype or Lync Hybrid Configuration

Your feedback is welcome

CHANGE LOG:

  1. 09/25/2016 Original script
  2. 09/26/2016 Added SRV Lookup information to the log and report
  3. 09/28/2016 Added the ability for the Domain Allowed Lists for On-Premises and Online to be empty
  4. 09/29/2016 Added some failure count logic in the Get Credential Functions and Gathering of System and IE proxy values
  5. 09/29/2016 Added CMS replication fail note to HTML Report
  6. 10/06/2016 Check to see if you are in the System32 directory and change to Userprofile\Documents if you are
  7. 10/06/2016 Added the AutodiscoverURL NOTE if you AutodiscoverURL for the LyncOnline Hosting provider fails
  8. 10/06/2016 Added the ability to use the -OverrideAdminDomain switch for logging into the tenant.
  9. 10/06/2016 Changed the methodology of the RTCUniversalServerAdmins group validation to handle Multi Domains
  10. 10/14/2016 Added the check to see if PowerShell is running in the context of an Administrator
  11. 10/14/2016 Changed the method of prompting for credentials to keep the credential information more secure
  12. 10/19/2016 Added VerificationLevel Validation for the Lync Online Hosting Provider
  13. 10/31/2013 Added logic to handle the inability to validate the RTCUniversalServerAdmins group by trying one of the Cmdlets
  14. 10/31/2013 Removed the need to be run from a Front-End server
  15. 11/13/2016 Added Edge HOSTS file entry checking
  16. 11/13/2016 Fixed SRV Lookup reporting for more than one Edge Pool
  17. 12/08/2016 Added Strict DNS Checking and added warning messages if it fails.
  18. 01/25/2017 Added BypassAdminGroupCheck switch

Disclaimer -

The sample scripts are not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Leave a Reply

Your email address will not be published. Required fields are marked *

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.