Rereleased: Exchange 2010 SP1 Update Rollup 4 (v2) Available

The Update Rollup 4 for Exchange 2010 SP1 has been rereleased and can be downloaded at: Exchange 2010 SP1 Update Rollup 4 (v2) Download. This will take you Exchange version up to 14.1.323.6

For a description of all the included fixes, see KB 2579150

For those of you running DAGs, please see the following article: Applying Updates to Exchange 2010 SP1

If you are running Forefront, it is important to disable Forefront protection during the update:

• Before running patch: fscutility /disable
• After running patch: fscutility /enable

Lync July 2011 Server and Client Updates Released

The Lync team has released server and client updates for July 2011. Here are all the details:

Server Updates (7577.166) – Download – KB2493736

• Core Components
• Conferencing Attendant
• Conferencing Server
• Web Components Server
• Standard/Enterprise Edition Server
• Web Conferencing Server
• UCMA 3.0 Runtime

Note: Use the cumulative LyncServerUpdateInstaller.exe to install the updates to make sure all needed updates are applied.

Phone Edition Updates

• Polycom CX700 and LG-Nortel 8540 (7577.296) – Download – KB2577593
• Aastra 6721ip/6725ip (7577.296) – Download – KB2577595
• Polycom CX500, CX600, CX3000 (7577.296) – Download – KB2577594

Clients

• Lync 2010 (32-bit) (7577.314) – Download – KB2571543
• Lync 2010 (64-bit) (7577.314) – Download – KB2571543

Group Chat

• Server (7577.314) – Download – KB2571550

Completely Disable IM Archiving and Outlook Conversation History in Lync

Compliance in the enterprise is a funny thing.  Some companies take the approach that they have to save everything forever.  Some take the opposite approach that they only keep limited backups, control what the user can save, and purge everything else.  This post will describe how to control and prohibit users from saving IM’s to Outlook or their local folder structure.

There are three major ways to archive/save IM conversations for Lync:

1. Install and configure the Lync Archiving Role
2. Allow client side “Conversation History” through the Outlook client
3. Allow users to save an IM to a file

We will not go into #1 since if you do not install or configure the Archiving role, then IM’s will not be centrally saved within a SQL database.

Disable Conversation History in Outlook

By default when Lync is installed, Lync integrates with Exchange/Outlook and creates a Conversation History folder to save all conversations including IMs, audio, video, and web conferences.  Also by default, all conversation logs are set to save in this folder.

These options can be set in the client by the user:

The administrator can disable these settings from user control by setting a Lync client policy which gets applied to the client through in-band provisioning.  There are two parameters that can be set here, one for IM conversations and one for call logs.  The following command disables the automatic saving of both options:

Set-CsClientPolicy –Identity Test –EnableIMAutoArchiving $false –EnableCallLogAutoArchiving $false

Note that I am setting a specific policy which is already granted to my users.  You could easily set these parameters on the Global Client Policy to apply to everyone.

After applying the policy, the options are now unchecked and disabled from user control:

With these policies configured, a user still has the option of saving IM conversation manually.

Disable the Ability to Save IM Conversations Manually

When in an IM conversation, a user has the option to save an IM to Outlook or as a separate file:

The administrator can disable this option by setting a Lync client policy which gets applied to the client through in-band provisioning. The following command disables the ability to manually save IM conversations:

Set-CsClientPolicy –Identity Test –DisableSavingIM $true

Note that I am setting a specific policy which is already granted to my users. You could easily set these parameters on the Global Client Policy to apply to everyone.

Now the option is no longer available within the IM conversation:

This post described how to disable IM conversation logging and saving.  Hope this helps.

Kerberos Web Authentication for Lync Web Services

I know that everyone runs the Lync Best Practices Analyzer (BPA) on a regular basis…right?  After running the BPA, you might see the following warning:

Pool fully qualified domain name (FQDN) “fqdn” is not found as a http service principal name (SPN) on any user or computer.  Kerberos web authentication is not configured..

The warning pops up due to the fact that Lync uses NetworkService to run the Web Services and NetworkService cannot have SPNs assigned to it (this is a change from how OCS handled it).

I am not going to address the “why use kerberos authentication?” because there is already a great article written by Jens Trier Rasmussen.  I suggest reading it before proceeding.

The rest of this post will describe the process of enabling Kerberos authentication for the Lync Web Services.

1) Create a Kerberos account

Pre-req: member of Domain Admins and computer running Lync Management Shell (LMS)

From the LMS, run:  New-CsKerberosAccount –UserAccount “Domain\UserAccount” –ContainerDN “CN=Users,DC=DomainName,DC=DomainExtenstion”

My command:  New-CsKerberosAccount –UserAccount “Homelab\LyncKerbAcct” –ContainerDN “OU=UC Objects,DC=homelab,DC=local”

Note that the –UserAccount parameter is used even though we are creating a computer account with this command.

2) Assign the Kerberos account to a site

Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)

To use the Kerberos account, you must assign it to a site.  While you can create multiple Kerberos accounts for your environment, you can only assign one account per Lync site.

From the LMS run: New-CsKerberosAccountAssignment –UserAccount “Domain\UserAccount” –Identity “site:SiteName”

My command: New-CsKerberosAccountAssignment –UserAccount “Homelab\LyncKerbAcct” –Identity “site:Datacenter”

Then run Enable-CsTopology

3) Set Kerberos account password and Synchronize to IIS

Pre-req: member of RTCUniversalServerAdmins and computer running Lync Management Shell (LMS)

From the LMS run: Set-CsKerberosAccountPassword –UserAccount “Domain\UserAccount”

My command: Set-CsKerberosAccountPassword –UserAccount “Homelab\LyncKerbAcct”

If any servers are added to the topology in the site (like Front-ends and Directors) you will need to synchronize the Kerberos account password to IIS of the new server.

From LMS run: Set-CsKerberosAccountPassword –FromComputer SourceComputer –ToComputer DestinationComputer

My command: Set-CsKerberosAccountPassword –FromComputer lablyncfe01.homelab.local –ToComputer lablyncfe02.homelab.local

4) Testing to make sure Kerberos is working properly

To test for full functional readiness of Kerberos within a site, the following command can be run to create a report:

From LMS run: Test-CsKerberosAccountAssignment –Identity “site:SiteName” –Report “C:\reportpath\reportname.htm” –Verbose

My command: Test-CsKerberosAccountAssignment –Identity “site:Datacenter” –Report “C:\Temp\KerbTest.htm”

Report generated:

Hope this helps!

Lync Topology Validator

I wish that the Lync Resource Kit tools were part of the core Lync install, but it is not.  You can download it HERE. There is a great tool part of the resource kit called Topology Validator.  This tool uses synthetic transactions and combines a multitude of testing cmdlets into a single tool that can test the health of the following:

• Service installation check
• Register
• Peer to peer IM
• Group IM
• Presence
• Peer to peer A/V
• A/V conference
• Peer to peer PSTN call
• PSTN outbound call
• Address book
• Location policy
• Location information service configuration
• Dial-in conferencing
• Address book web query
• Client authentication
• Federation
• Phone bootstrap

To run the Topology Validator, first install the Lync Resource Kit tools downloaded above on your Lync server.  The Topology Validator is a command-line only tool and can be run by launching command prompt and running:

C:\Program Files\Microsoft Lync Server 2010\Reskit\TopologyValidator\> TopologyValidator.exe

You can also run TopologyValidator.exe /? to see other options.

When the tool starts, it will ask what FQDN to test against.  I will choose my Front-End pool: pool.twhlab.com

The tool will then ask for sip addresses and credentials of two users.  If you have outbound PSTN connectivity, you can also enter that information:

After all information is entered, all test will be run and reported on the screen.  You can easily see what tests passed and failed.

The Topology Validator also stores all output files and an HTML report in the \%temp%\TopologyValidator folder:

Opening the HTML report gives all results and details behind each test:

 

You can expand each test, see the commands used and also the logs of the test run. 

This is a great troubleshooting and validation tool to use in your environment. I highly encourage it!

Exchange 2007 SP3 Update Rollup 4 Available

An update for Exchange 2007 SP3 has just released and can be downloaded at: Exchange 2007 SP3 Update Rollup 4 Download

This brings the build number to: 8.3.192.1

• For a description of all the included fixes, see KB 2509911

If you have a clustered environment, please see this article: Applying Exchange 2007 Update Rollups to Clustered Mailbox Servers

If you are running Forefront, it is important to disable Forefront protection during the update:

• Before running patch: fscutility /disable
• After running patch: fscutility /enable

Also remember to disable or remove all third party software during the upgrade (like antivirus, backup agents, disclaimers, etc.)

NOTE: Update Rollup 5 for Exchange 2007 SP3 is scheduled for August 2011.  More info from the Exchange Team