The reason the pool exhibits this behavior is that the configured vCenter settings no longer match the vCenter currently hosting the virtual desktops. A common issue I’ve come across in environments is when the Datacenter or the Cluster object has been renamed and no longer matches what was originally configured and referenced within VMware Horizon View. Logging onto the vCenter hosting the virtual desktops shows the following:
Putting the vCenter and View configuration tab side by side shows how the vCenter Datacenter object is now named Wellesley House while the one in View is named Wesley House:
The quickest way to resolve this issue is to rename the object in vCenter to match VMware Horizon View’s configuration but if this is going to be a permanent change then the alternative is to edit the VMware Horizon View ADAM database to correct the issue as demonstrated in the following KB:
Provisioning a pool on VMware View generates error: Resource Cluster 'vcenter/host/clustername/Resources' not found for pool (2127993)
Next, manually type in the correct string mapping to the objects in vCenter (do not simply clear them as you will not be able to load any of the settings for the pool):
You attempt to use the Exchange Admin Center (EAC) to activate a mailbox database in a DAG cluster but notice that one of the nodes fails with the error:
Mailbox G to L An Active Manager operation failed. Error: The database action failed. Error: An error occurred while trying to validate the specified database copy for possible activation. Error:
exchdr01: Server 'exchdr01.contoso.com' is not up according to the Windows Failover Cluster service. [Database: Mailbox G to L, Server: exchprod01.contoso.com]
You log onto the server exhibiting this problem and notice that the services console indicates the Cluster Service is Disabled and not started.
This error threw me off for a while, as the node had been added to the cluster a few days earlier and the process did not throw any errors. It was not until I decided to make modifications to the DAG configuration that I received the following error message, which made me realize the node wasn’t added to the DAG properly:
[PS] C:\>Set-DatabaseAvailabilityGroup -Identity DAG15 -DatacenterActivationMode DagOnly
The following servers have been added to the database availability group but not to the cluster: drexch01. This is usually the result of an error during membership change. Removing and re-adding the servers can correct the issue.
    + CategoryInfo          : InvalidArgument: (:) [Set-DatabaseAvailabilityGroup], DagTaskServersInAdNotInCluster
    + FullyQualifiedErrorId : [Server=exchprod01,RequestId=f9520afa-3fce-4cd2-9e22-648339c8eca5,TimeStamp=3/17/2019 8:05:23 PM] [FailureCategory=Cmdlet-DagTaskServersInAdNotInCluster] 86538C81,Microsoft.Exchange.Management.SystemConfigurationTasks.SetDatabaseAvailabilityGroup
    + PSComputerName        : exchprod01.contoso.com
Simply removing the mailbox database copies on the problematic node, removing the node from the DAG and re-adding it corrected both the cluster service problem and the database activation failure.
I received a call from a client a few weeks ago to look at an issue he had with all the computers in the domain where the security tab for Internet Explorer 11 displayed a lock key icon for Internet, Local intranet, Trusted sites, and Restricted sites zones.
He indicated that he had recently implemented a GPO policy to adjust the settings for each site and had since reverted it, but noticed the settings still persisted. Reviewing the icons showed that each zone was completely locked, preventing the user from clicking on the Sites or Custom level icon:
After going through all the policies in the domain and being unable to locate any reference to the configuration causing this, I navigated to the registry key that contains the settings for each zone and noticed that the keys appeared to be missing values:
It is a bit labour intensive to create all of these keys manually so I would suggest creating a .reg file to import into the user’s profile when they log in.
I recently had to assist a client with configuring a GPO to add sites in Internet Explorer 11’s trusted zones and disabling "Require server verification (https:) for all sites in this zone" so I thought I’d write this blog post to outline the registry keys required for the settings.
Note that this post will only demonstrate configuring the registry for HKEY_CURRENT_USER; it is also possible to apply the changes to HKEY_LOCAL_MACHINE.
Enabling or Disabling "Require server verification (https:) for all sites in this zone"
The registry key that controls the Require server verification (https:) for all sites in this zone setting is the REG_DWORD value named Flags, located under the following registry path plus the # representing the zone (we’ll use zone 2, which represents Trusted Sites):
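The following is an added example (not the post’s own .reg file) that reads and toggles the Flags bit for the Trusted Sites zone under HKEY_CURRENT_USER and adds a domain to that zone. It assumes the standard per-user Internet Settings paths; the bit value 0x4 for the https requirement, the zone number 2 and the sample domain contoso.com are the assumptions made here.

```powershell
# Added example, not from the original post. Per-user zone settings live under these
# paths; zone 2 is Trusted sites. In Flags, bit 0x4 is "Require server verification
# (https:) for all sites in this zone" (default Trusted sites Flags 0x47 with it on, 0x43 off).
$ZonesPath       = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsPath     = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$RequireHttpsBit = 0x4

function Get-ZoneRequireHttps {
    param([int]$Zone = 2)
    $flags = (Get-ItemProperty -Path "$ZonesPath\$Zone" -Name Flags).Flags
    [pscustomobject]@{
        Zone         = $Zone
        Flags        = ('0x{0:X}' -f $flags)
        RequireHttps = [bool]($flags -band $RequireHttpsBit)
    }
}

function Set-ZoneRequireHttps {
    param([int]$Zone = 2, [Parameter(Mandatory)][bool]$Enabled)
    $key   = "$ZonesPath\$Zone"
    $flags = (Get-ItemProperty -Path $key -Name Flags).Flags
    # Only touch the one bit so the other zone behaviours (add sites, custom level) are preserved.
    $new = if ($Enabled) { $flags -bor $RequireHttpsBit } else { $flags -band (-bnot $RequireHttpsBit) }
    Set-ItemProperty -Path $key -Name Flags -Value $new -Type DWord
    Get-ZoneRequireHttps -Zone $Zone
}

function Add-TrustedSite {
    # A DWORD named after the scheme ('https', 'http' or '*') with value 2 maps the domain to Trusted sites.
    param([Parameter(Mandatory)][string]$Domain, [string]$Scheme = 'https')
    $key = Join-Path $DomainsPath $Domain
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $Scheme -Value 2 -PropertyType DWord -Force | Out-Null
    Get-ItemProperty -Path $key
}

# Usage (run as the user whose profile is being configured):
Get-ZoneRequireHttps -Zone 2
Set-ZoneRequireHttps -Zone 2 -Enabled $false
Add-TrustedSite -Domain 'contoso.com' -Scheme 'https'   # assumed sample domain
```

When the same setting is delivered by Group Policy, the values under HKCU\Software\Policies take precedence and are reapplied at the next policy refresh, so a manual change here will not survive in a policy-managed zone.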
Persistent Chat rooms are no longer accessible but all other functionality appears to be functioning.
Reviewing the Lync Server event logs on the front-end server reveals the following error logged:
Log Name: Lync Server
Source: LS Protocol Stack
Event ID: 14428
Level: Error
User: N/A
TLS outgoing connection failures.
Over the past 359 minutes, Skype for Business Server has experienced TLS outgoing connection failures 15 time(s). The error code of the last failure is 0x800B0101(CERT_E_EXPIRED) while trying to connect to the server "contbmlyncpc.contoso.com" at address [10.34.30.79:5041], and the display name in the peer certificate is "contbmlyncpc.contoso.com". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.SendPreamble(IConnection connection, ArraySegment`1 preamble, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.DuplexConnectionPoolHelper.AcceptPooledConnection(IConnection connection, TimeoutHelper& timeoutHelper)
at System.ServiceModel.Channels.ConnectionPoolHelper.EstablishConnection(TimeSpan timeout)
at System.ServiceModel.Channels.ClientFramingDuplexSessionChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.OnOpen(TimeSpan timeout)
at System.ServiceModel.Channels.CommunicationObject.Open(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOpenOnce.System.ServiceModel.Channels.ServiceChannel.ICallOnce.Call(ServiceChannel channel, TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannel.CallOnceManager.CallOnce(TimeSpan timeout, CallOnceManager cascade)
at System.ServiceModel.Channels.ServiceChannel.EnsureOpened(TimeSpan timeout)
at System.ServiceModel.Channels.ServiceChannelProxy.InvokeService(IMethodCallMessage methodCall, ProxyOperationRuntime operation)
at System.ServiceModel.Channels.ServiceChannelProxy.Invoke(IMessage message)
Exception rethrown at [0]:
at System.Runtime.Remoting.Proxies.RealProxy.HandleReturnMessage(IMessage reqMsg, IMessage retMsg)
at System.Runtime.Remoting.Proxies.RealProxy.PrivateInvoke(MessageData& msgData, Int32 type)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.IPublisher.IsAlive()
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerWrapper.ExecuteWithRetry(Action action)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.CreatePeerWrapper(Int32 peerId, Uri peerServiceUri)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.GetPeerWrapper(Int32 peerId, PeerWrapper& peerWrapper)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.SubscribeToPeerImpl(Int32 peerId)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.WCFService.SubcribeToPeers()
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerTransport.Connect(IWCFService service)
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.PeerTransport.PeerServerManager.Connect(IPeerFinder peerFinder, ReceiveConduitMessageCallback callback)
at Microsoft.Rtc.Internal.Chat.Server.Channel.Server.ChannelServer.OnStart()
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.ServerBase.Start()
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.MgcServiceBase.startServer()
at Microsoft.Rtc.Internal.Chat.Server.ServerCommon.MgcServiceBase.createAndStartServer().
One of the common reasons the Persistent Chat server exhibits this behavior is that there is a second Persistent Chat server in the environment whose service certificate has also expired. The environment in this example had a second Persistent Chat server for disaster recovery purposes, so reissuing a valid certificate on that server and restarting the services corrected the issue:
You attempt to use the SEFAUtil.exe executable in the Lync Server Resource Kit Tools to configure call forwarding on a Lync Server 2013 server but it immediately fails with:
SEFAUtil.exe has stopped working
Description:
Stopped working
Problem signature:
Problem Event Name: CLR20r3
Problem Signature 01: sefautil.exe
Problem Signature 02: 4.0.0.0
Problem Signature 03: 4cc149b9
Problem Signature 04: SEFAUtil
Problem Signature 05: 4.0.0.0
Problem Signature 06: 4cc149b9
Problem Signature 07: 1
Problem Signature 08: 7
Problem Signature 09: System.IO.FileNotFoundException
OS Version: 6.3.9600.2.0.0.272.7
Locale ID: 2057
Read our privacy statement online:
http://go.microsoft.com/fwlink/?linkid=280262
If the online privacy statement is not available, please read our privacy statement offline:
You document the Trusted Application and Trusted Application Pool, remove and recreate it but the error still persists.
Solution
One of the things I noticed for this environment was that the ResKit was installed in the Microsoft Lync Server 2010\ResKit directory so I initially reran the ResKit install (https://www.microsoft.com/en-us/download/details.aspx?id=36821) to see if it would upgrade it but the window I was presented with was to either repair or remove. I ended up choosing repair but this did not correct the issue. After not having any luck with other troubleshooting steps, I went ahead and uninstalled the 2010 tools and reinstalled into the Microsoft Lync Server 2013\ResKit and this corrected the issue. It appears the ResKit installer does not identify whether the existing install was for 2010 or 2013.
I’ve recently had the opportunity to deploy Skype for Business Server 2019 on Windows Server 2019 in a Skype for Business Server 2015 environment and decided to capture the process so I can write this blog post demonstrating what the deployment process looks like.
Before I proceed, the deployment guide I will be using can be found here:
I could not find any documentation identifying which CU a legacy SfB 2015 environment needs to be on in order for coexistence to work properly, as the following is the only section I found in the document:
As there is already a Skype for Business Server 2015 deployment in the environment, I would not need to run the Prepare first Standard Edition server step. I’ve also noticed that the Prepare Active Directory step already had a Complete check mark beside it, most likely because there haven’t been any schema or forest changes from SfB 2015.
Launch the Topology Builder from the start menu and download the existing topology:
Begin by defining a file store for the new Skype for Business Server 2019 environment by navigating to Shared Components> File stores, then right click and select New File Store…:
With the file store defined, proceed to create the new Standard Edition front-end server by navigating to Skype for Business Server 2019> Standard Edition Front End Servers, then right click and select New Front End Pool…:
Review the warnings to ensure that they are not deployment impacting.
For those who are interested, the required security permissions for the file store that was defined earlier are automatically configured after publishing the topology:
Note that the OAuthTokenIssuer already had a certificate issued because there is an existing SfB 2015 deployment in the environment.
Depending on the way you’ll be publishing the Web services external service, you may want to assign a certificate issued by a public Certificate Authority but for the purpose of this demonstration, we’ll create a certificate for all 3 services from an internal Microsoft Enterprise CA:
You’ve just completed deploying a new Skype for Business Server 2019 server into an environment but noticed that the Skype for Business Server Front-End service remains stuck at the Starting status and never completes to Running or stops:
Reviewing the Lync Server logs shows the following entries:
Log Name: Lync Server
Source: LS User Services
Event ID: 32174
Level: Warning
Server startup is being delayed because fabric pool manager has not finished initial placement of users.
Currently waiting for routing group: {63BB8586-A9D8-5AF2-83FF-B5CE680594C0}.
Number of groups potentially not yet placed: 1.
Total number of groups: 1.
Cause: This is normal during cold-start of a Pool and during server startup.
If you continue to see this message many times, it indicates that insufficient number of Front-Ends are available in the Pool.
Resolution:
During a cold-start of a large Pool it can take up to an hour for the placement process to finish as it needs to populate all the Front-End databases with data from the Backup Store. If the Pool is running and the Front-End is just started, this is normal for some time. If this repeats for a long time, ensure that all the Front-Ends configured for this Pool are up and running. If multiple Front-Ends have been recently decommissioned, run Reset-CsPoolRegistrarState -ResetType QuorumLossRecovery to enable the Pool to recover from Quorum Loss and make progress.
Scrolling upwards from the warning displays the following error:
Log Name: Lync Server
Source: LS MCU Infrastructure
Event ID: 61029
Level: Error
In the past 30.0093507983333 minutes the process RtcHost(6756) received 1 invalid certificates. The last one was from server: contsfbstd01.contoso.com, IP Address: 10.198.40.152:60873, with subject: CN=contsfbstd01.contoso.com, OU=IT, O=contoso Re, L=Hamilton, S=Hamilton, C=BM, issued by: CN=contoso-CA, DC=contoso, DC=com. Validation error code was: 800B0109.
Resolution:
Please check the remote server and ensure that the certificate is valid. Also ensure that the full certificate chain of the Issuer is present in the local machine. If the remote certificate and chain appear to be valid and error code is 0x800B0109 (CERT_E_UNTRUSTEDROOT), check that the ROOT certificate store on the local machine does not contain any intermediate certificates (certificates with different values in 'Issued To' and 'Issued By' fields do not belong to the ROOT store and cause client certificate validation errors in HTTP.SYS)
The reason the front-end service is unable to start is that there is a certificate stored in the Trusted Root Certification Authorities store that isn’t actually a root certificate. To check this, load the local computer’s certificate store (certlm.msc) and review the certificates in Trusted Root Certification Authorities, ensuring that the Issued To matches the Issued By word for word.
The following is a screenshot of the offending certificate I found in the Trusted Root Certification Authority where the Issued To is arersa01.domain.com while the Issued By is RSA root CA for arersa01.domain.com:
Note that having improperly placed certificates in certificate stores is known to cause service start and replication issues. The following are a few of my older posts on Skype for Business / Lync Server environments:
I’ve recently been tasked with creating a script that would remotely uninstall Adobe Flash on all desktops on the network and, after not having any luck with PowerShell, I reverted to the wmic (Windows Management Instrumentation Command-line) command I have used in the past. While this isn’t the best way to guarantee the removal of the application in any environment, it can be used in situations where you need a method that requires very little time.
The first step in the process is to obtain a list of computer names that you would like to remotely uninstall the application from and put it into a txt file with each name on a separate line. If you intend to run it against all the computers in Active Directory, you can use the following PowerShell cmdlet to export the list in CSV format:
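The following is an added example (not the author’s script) that builds the computer list with Get-ADComputer and then drives wmic from PowerShell against each host, the same wmic product … call uninstall technique the post uses for the Ericom components later on. The product name prefix “Adobe Flash Player”, the file name computers.txt and the OS filter are assumptions.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory RSAT module
# on the machine running it and admin rights on the target computers.
function Export-DomainComputerList {
    param([string]$Path = (Join-Path $PWD 'computers.txt'))   # assumed file name
    Import-Module ActiveDirectory
    Get-ADComputer -Filter 'OperatingSystem -like "Windows 10*"' -Properties OperatingSystem |
        Select-Object -ExpandProperty Name |
        Set-Content -Path $Path       # one name per line, as the post describes
    $Path
}

function Uninstall-ProductRemotely {
    param(
        [Parameter(Mandatory)][string]$ComputerListPath,
        [string]$ProductNamePrefix = 'Adobe Flash Player'    # assumed MSI product name prefix
    )
    $results = foreach ($computer in (Get-Content -Path $ComputerListPath | Where-Object { $_.Trim() })) {
        # Skip hosts that are off or unreachable instead of waiting on a WMI timeout.
        if (-not (Test-Connection -ComputerName $computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Computer = $computer; Result = 'unreachable' }
            continue
        }
        # WQL filter handed to wmic's "where" clause; % is the WQL wildcard.
        $filter = "name like '$ProductNamePrefix%'"
        $output = & wmic.exe /node:"$computer" /interactive:off product where $filter call uninstall 2>&1
        [pscustomobject]@{ Computer = $computer; Result = ($output -join ' ').Trim() }
    }
    $results
}

# Usage:
# $list = Export-DomainComputerList
# Uninstall-ProductRemotely -ComputerListPath $list | Format-Table -AutoSize
```

The wmic product alias queries Win32_Product, which makes Windows Installer validate every MSI package on the target, so each host can take minutes and only MSI-installed versions of the product are found.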
2019-03-14 07:29:46, Error [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
One of the first items to check is that the rearm limit has not been reached by executing slmgr.vbs /dlv to review the Remaining Windows rearm count (the desktop I was working on has not reached 0):
You attempt to configure a new VMware SRM protection group but receive the following error:
ERROR
Operation Failed Task completed with error CompositeException Unable to protect VM '<virtualMachineName>' due to unresolved devices Unable to protect VM '<virtualMachineName>’ due to unresolved devices Unable to protect VM '<virtualMachineName>' due to unresolved devices
There will be times when the administrator has configured the mappings but the configuration is not correct, and the best way to identify exactly what is preventing the protection group from being configured is to navigate to the Virtual Machines tab and review the Protection Status output, which explicitly displays the problem. In the case of this example, the network mappings were configured but various port groups and the cluster mapping for these VMs were not configured:
I was recently asked by a client to troubleshoot an issue with their Lync Server 2013 environment where users connecting remotely via the Edge server are unable to establish voice calls. A user would be able to successfully authenticate as well as see the call come in but when they pick up with their handset, they would not hear any audio and the call would disconnect within 10 seconds. Using the Skype for Business client would show the call in the Connecting call… status then disconnect:
#2 – The DNS record of the Edge server’s internal interface was not correct
The Edge server for this environment was recently moved and the internal interface’s IP address was changed; since the server is not joined to the domain, the internal DNS A record that servers such as the front-end server use to reach the Edge server was not updated.
#3 – Port 5062 was not opened between the Edge server and FE / SBA servers
The internal interface of the Edge server was in a secured network and TCP port 5062 used for authentication of A/V users was not opened. The following TechNet article provides more detail about the purpose of this port:
Note that besides discovering that audio does not work, the Remote Connectivity Analyzer tool that Microsoft provides can help with identifying such an issue: https://testconnectivity.microsoft.com
The following is the output from a test ran against the environment:
Testing remote connectivity for user tluk@domain.com to the Microsoft Lync server. Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons. Tell me more about this issue and how to resolve it
Additional Details Couldn't sign in. Error: User failed to get response from MRAS server. SIP service request to MRAS server failed. Error Message: A 504 (Server time-out) response was received from the network and the operation failed. See the exception details for more information.. Error Type: PublishSubscribeException. Fault Code: . Response Code: 504. Response Text: Server time-out. Diagnostic Header: ErrorCode=1038,Source=UKSBA03.contoso.COM,Reason=Failed to connect to a peer server,fqdn=ukles03.contoso.com:5062,peer-type=InternalServer,winsock-code=10060,ip-address=192.168.34.10,winsock-info=The peer did not respond to the connection attempt Microsoft.Rtc.Signaling.DiagnosticHeader
" was run: "Microsoft.PowerShell.Commands.ProcessCommandException: Cannot stop process "fms (1428)" because of the following error: Access is denied ---> System.ComponentModel.Win32Exception: Access is denied
at System.Diagnostics.ProcessManager.OpenProcess(Int32 processId, Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.GetProcessHandle(Int32 access, Boolean throwIfExited)
at System.Diagnostics.Process.get_HasExited()
at Microsoft.PowerShell.Commands.StopProcessCommand.ProcessRecord()
This error is typically caused by the account used to run the install not having the Debug programs user right. To verify this, launch the Local Computer Policy with GPEDIT.msc and navigate to Computer Configuration> Windows Settings> Security Settings> Local Policies> User Rights Assignment> Debug programs:
The environment where this error was thrown had a group policy that defined the accounts with the Debug programs right and therefore overrode the default local Administrators group, which any administrative account would have been a part of:
A workaround I typically use is to create a sub OU under the OU the Exchange server computer object is currently in, block group policy inheritance on it, and temporarily move the Exchange server being patched into that OU so it reverts to the default settings, as shown in the screenshot below:
Another alternative is to add the user into a group or directly into the GPO that defines the permissions for Debug programs but I prefer the previous workaround as the latter potentially affects many other computer objects.
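Before moving the computer object, it helps to see exactly which accounts currently hold the Debug programs right and whether the installing account is among them. The following is an added example (not from the original post) that exports the effective user rights with secedit and resolves the SeDebugPrivilege holders; it assumes the secedit export format SeDebugPrivilege = *SID,account.

```powershell
# Added example, not from the original post. Run in an elevated session on the
# Exchange server; secedit shows the effective (GPO-applied) user rights.
function Get-DebugProgramsHolders {
    $cfg = Join-Path $env:TEMP 'user-rights.inf'
    & secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content -Path $cfg | Where-Object { $_ -like 'SeDebugPrivilege*' }
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }      # right granted to nobody
    # Line format: SeDebugPrivilege = *S-1-5-32-544,CONTOSO\SomeGroup
    $entries = (($line -split '=', 2)[1]).Trim() -split ','
    foreach ($entry in $entries) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.TrimStart('*'))
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { $sid.Value }
        } else { $entry }
    }
}

function Test-CurrentUserHasDebugPrograms {
    # True when the current user, or one of its groups, is listed for SeDebugPrivilege.
    $holders  = @(Get-DebugProgramsHolders)
    $me       = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $myGroups = $me.Groups | ForEach-Object {
        try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $_.Value }
    }
    ($me.Name -in $holders) -or (@($myGroups | Where-Object { $_ -in $holders }).Count -gt 0)
}

# Usage:
Get-DebugProgramsHolders
Test-CurrentUserHasDebugPrograms
```

If BUILTIN\Administrators is missing from the output, the policy described above has replaced the default assignment and the installer will fail as shown.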
You may also notice that the installer may not work properly even after the changes, where you’ll see the following Check for Updates page:
You’re attempting to patch an Exchange Server 2016 CU8 environment to the latest CU12 and one of the prerequisites is to install .NET Framework 4.7.1 so you proceed to download the offline installer executable, run the install but notice that it remains stuck at:
You’ll notice that even attempting to hit the Cancel button to cancel the install would present the rollback status indefinitely. What I ended up doing was restarting the server to stop the installer, and the solution to upgrading .NET Framework 4.6 to the required 4.7.1 is to download the MSU packages at the following URL:
You’re attempting to patch an Exchange Server 2016 CU8 environment to the latest CU12 and one of the prerequisites is to install .NET Framework 4.7.1 so you proceed to download the offline installer executable but notice that it never completes.
I was recently involved in an Exchange 2013 to 2019 migration where the client had a KEMP load balancer providing load balancing services for the Exchange services. The KEMP configuration was handled by another engineer and all the internal and Test Remote Connectivity tests appeared to be in good working order after the configuration but then users started noticing certificate warnings on their smartphones:
iPhones:
Connection Warning
Your mail server certificate is invalid.
Would you like to log in anyways?
Androids:
Certificate not secure
The certificate isn’t from a trusted authority.
If you continue with this certificate, your emails and account may be at risk.
I was reluctant to reach out to the engineer who configured the KEMP load balancer since it was a weekend, and I had a hunch that perhaps the intermediate certificate wasn’t installed, so I logged on to the load balancer to check the configuration. The KEMP interface is much simpler than the Citrix NetScalers I’m used to and I immediately located the menu for Intermediate Certificates, confirming that the intermediate issuing certificate was not installed:
This has been a common issue in the previous SfB and Lync environments where a user’s user object has Inheritance disabled. If this is the case, enabling it will correct the issue.
You’ve just completed deploying a new Skype for Business 2019 Edge but notice that when you review the replication status with the cmdlet Get-CsManagementStoreReplicationStatus, the UpToDate field never changes to True. Executing the cmdlet Invoke-CsManagementStoreReplication to initiate replication doesn’t change this either.
Reviewing the System logs on the Edge server reveals several Schannel errors:
Log Name: System
Source: Schannel
Event ID: 36882
Level: Error
User: NETWORK SERVICE
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.
The following errors are also found in the Lync Server logs:
Log Name: Lync Server
Source: LS Protocol Stack
Event ID: 14366
Level: Error
User: N/A
Multiple invalid incoming certificates.
In the past 1 minutes the server received 1 invalid incoming certificates. The last one was from host 10.198.40.152.
Cause: This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.
Resolution:
No action needed unless the number of failures is large. Contact the administrator of the host sending the invalid certificate and resolve this problem.
Log Name: Lync Server
Source: LS Protocol Stack
Event ID: 14366
Level: Error
User: N/A
TLS outgoing connection failures.
Over the past 1 minutes, Skype for Business Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0x800B0109(CERT_E_UNTRUSTEDROOT) while trying to connect to the server "contsfbstd01.contoso.com" at address [10.198.40.152:5061], and the display name in the peer certificate is "contsfbstd01.contoso.com". Cause: Most often a problem with the peer certificate or perhaps the host name (DNS) record used to reach the peer server. Target principal name is incorrect means that the peer certificate does not contain the name that the local server used to connect. Certificate root not trusted error means that the peer certificate was issued by a remote CA that is not trusted by the local machine. Resolution: Check that the address and port matches the FQDN used to connect, and that the peer certificate contains this FQDN somewhere in its subject or SAN fields. If the FQDN refers to a DNS load balanced pool then check that all addresses returned by DNS refer to a server in the same pool. For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the local machine.
Web Conferencing Server connection failed to establish.
Over the past 1 minutes Skype for Business Server has experienced incoming TLS connection failures 1 time(s). The error code of the last failure is 0x80090325(SEC_E_UNTRUSTED_ROOT) and the last connection was from the host "".
Cause: This can occur if this box is not properly configured for TLS communications with remote Web Conferencing Server.
Resolution:
Check your topology configuration to ensure that both this host and remote Web Conferencing Server can validate each other TLS certificates and are otherwise trusted for communications.
This error is typically associated with the Edge server not trusting the certificate presented by the Front-End server: the internal services use a certificate generated by an internal Microsoft Certificate Authority and, since the Edge server is not joined to the domain, it does not trust the issuing authority by default. To correct the problem, simply export the CA certificate that issued the front-end server’s certificate and import it into the Trusted Root Certification Authorities store on the Edge server:
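The following is an added example (not from either post) serving both this Edge trust problem and the Front-End startup problem above: it audits the Trusted Root store for certificates whose Issued To does not match Issued By, moves such a certificate to the Intermediate store, and imports an exported issuer certificate into the store it actually belongs in. It assumes the PKI module cmdlets Export-Certificate and Import-Certificate (Windows Server 2012 and later) and a sample file name contoso-CA.cer.

```powershell
# Added example, not from the original posts. Run elevated; all functions work on
# the local computer store, so run it on the server that logs the error.
function Get-MisplacedRootCertificate {
    # A genuine root is self-issued: Subject (Issued To) equals Issuer (Issued By).
    param([string]$StorePath = 'Cert:\LocalMachine\Root')
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.Subject -ne $_.Issuer } |
        Select-Object Subject, Issuer, Thumbprint, NotAfter
}

function Repair-MisplacedRootCertificate {
    # Moves one non-root certificate out of Root into the Intermediate (CA) store.
    param([Parameter(Mandatory)][string]$Thumbprint)
    $cert = Get-Item -Path "Cert:\LocalMachine\Root\$Thumbprint"
    if ($cert.Subject -eq $cert.Issuer) { throw "$Thumbprint is self-issued; it belongs in Root." }
    $tmp = Join-Path $env:TEMP "$Thumbprint.cer"
    Export-Certificate -Cert $cert -FilePath $tmp -Force | Out-Null
    Import-Certificate -FilePath $tmp -CertStoreLocation 'Cert:\LocalMachine\CA' | Out-Null
    Remove-Item -Path $cert.PSPath
    Remove-Item -Path $tmp
}

function Import-IssuerCertificate {
    # Imports an exported issuer certificate (.cer) into the right store:
    # self-issued root CA -> Root; subordinate/issuing CA -> CA (intermediate).
    param([Parameter(Mandatory)][string]$CerPath)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CerPath)
    $store = if ($cert.Subject -eq $cert.Issuer) { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
    Import-Certificate -FilePath $CerPath -CertStoreLocation $store | Out-Null
    [pscustomobject]@{ Subject = $cert.Subject; Store = $store; Thumbprint = $cert.Thumbprint }
}

# Usage on the Edge (or any Skype for Business / Lync) server:
Get-MisplacedRootCertificate | Format-Table -AutoSize
# Import-IssuerCertificate -CerPath 'C:\temp\contoso-CA.cer'   # assumed file name
```

An enterprise CA that issues directly, as contoso-CA does in the events above, is self-issued and lands in Root; a two-tier PKI needs the root in Root and the issuing CA in Intermediate, which is exactly the split the startup error at event 61029 is complaining about.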
As some of you may know, the Office Online Server is the updated replacement for Office Web Apps Server to enable PowerPoint presentation sharing and I’ve recently had the opportunity to deploy Skype for Business Server 2019 and thought I’d write a quick post demonstrating the deployment process.
The following is the guide I used for the deployment:
One of the common questions I’ve been asked in the past about the Office Web Apps server was where you actually download it, because it was once publicly available but Microsoft changed that and now requires it to be obtained from portals such as the Microsoft Volume Licensing Service Center, under the Office Professional Plus product, where most people would probably never look.
With the Office Online Server installation package downloaded, begin with installing the server roles and features with the following PowerShell cmdlet:
Proceed by importing the certificate that will be used for the Office Online Server and make a note of the friendly name as you will need to reference that later:
Create Office Online Server (Office Web Apps) Farm
The command for creating the Office Online Server farm is the same as the one previously used for Office Web Apps. Execute the following cmdlet while customizing the appropriate parameters:
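The following is an added example (not the post’s own command line) wrapping the farm creation in a check that the certificate friendly name resolves to exactly one certificate, then confirming the WOPI discovery endpoint that Skype for Business reads. The friendly name oos and the FQDN oos.contoso.com from the event log later in the post are assumptions.

```powershell
# Added example, not from the original post. Assumes the OfficeWebApps module is
# installed and the server certificate sits in Cert:\LocalMachine\My with a friendly name.
function New-OosFarm {
    param(
        [string]$Fqdn = 'oos.contoso.com',          # assumed farm FQDN
        [string]$CertificateFriendlyName = 'oos'    # assumed friendly name noted at import time
    )
    $certs = @(Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.FriendlyName -eq $CertificateFriendlyName })
    if ($certs.Count -ne 1) {
        throw "Expected exactly one certificate with friendly name '$CertificateFriendlyName', found $($certs.Count)."
    }
    if ($certs[0].NotAfter -lt (Get-Date)) { throw "Certificate '$CertificateFriendlyName' has expired." }
    # Editing stays off unless the farm is licensed for it.
    New-OfficeWebAppsFarm -InternalUrl "https://$Fqdn" -ExternalUrl "https://$Fqdn" `
        -CertificateName $CertificateFriendlyName -EditingEnabled:$false
}

function Test-OosDiscovery {
    # Skype for Business discovers the farm through /hosting/discovery over a trusted TLS connection.
    param([string]$Fqdn = 'oos.contoso.com')
    $response = Invoke-WebRequest -Uri "https://$Fqdn/hosting/discovery" -UseBasicParsing
    [xml]$xml = $response.Content
    $xml.'wopi-discovery'.'net-zone' | Select-Object name
}

# Usage:
# New-OosFarm
# Test-OosDiscovery
```

If Test-OosDiscovery fails with a TLS trust error, the Skype for Business server will fail the same way and event 41032 below will never appear.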
Creating and Assigning Office Web Apps Server in Skype for Business Server 2019
Launch the Skype for Business Server 2019 Topology Builder, navigate to Shared Components> Office Web Apps Server, then right click and select New Office Web Apps Server…:
You should see the following event logged on the Skype for Business server’s Lync Server logs after a few minutes:
Log Name: Lync Server
Source: LS Data MCU
Event ID: 41032
Level: Information
Web Conferencing Server Office Web Apps Server (WAC) discovery has succeeded
Office Web Apps Server internal presenter page: _https://oos.contoso.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server internal attendee page: _https://oos.contoso.com/m/ParticipantFrame.aspx?a=0&e=true&
Office Web Apps Server external presenter page: _https://oos.contoso.com/m/Presenter.aspx?a=0&e=true&
Office Web Apps Server external attendee page: _https://oos.contoso.com/m/ParticipantFrame.aspx?a=0&e=true&
I was recently involved with building a base image for a Dell Wyse 7020 Windows 10 IoT device that was non-domain joined and used a customized VMware Horizon View shell without access to the desktop for users to log into their virtual desktops. The build is not quite complete in the way I want it to be due to the time constraint I had to work with but the steps outlined in this blog post should provide a good set of steps as a start.
Base Operating System Image
Windows 10 IoT Maintenance Release
Download the latest Dell provided Windows 10 IoT Enterprise Maintenance Release at the following URL:
Remove the pre-installed Ericom Connect Client software with the following command:
wmic product where name="Ericom Connect Client" call uninstall
Ericom PowerTerm InterConnect for Thin Clients
Remove the pre-installed Ericom PowerTerm InterConnect for Thin Clients software with the following command:
wmic product where name="Ericom PowerTerm InterConnect for Thin Clients" call uninstall
Lync VDI Plugin
VMware Horizon View now utilizes a gen 2 Skype for Business Server integration that is built directly into the Horizon View Client, so there is no need to have the Lync VDI plug-in installed on the thin client. Remove the plug-in by creating the following XML file:
Enable the Windows firewall on the Windows 10 IoT operating system.
Disable Display Last User Name
Disable remembering credentials for Windows, which also prevents the Horizon View client from remembering the previous login, via the following registry key:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
"dontdisplaylastusername"=dword:00000001
Note that this is added to the local user account’s HKCU. The HKLM configuration never worked during my testing.
Force Num Lock On
Create the following registry key file (.reg) and import the configuration to force Num Lock on for all profiles.
Windows Registry Editor Version 5.00
[HKEY_USERS\.DEFAULT\Control Panel\Keyboard]
"InitialKeyboardIndicators"="2"
"KeyboardDelay"="1"
"KeyboardSpeed"="31"
Configure Power Plan
The preparation of the image for capture does not retain the Power Plan settings, but it is still good to configure them in case future versions of the script do.
Set Power Plan to High Performance
Execute the following command to configure the power plan as High performance:
Fill in the appropriate settings and select the Enable local account credential changes under the Configure local account credentials heading to configure the password for the admin and user account.
Configure or reconfigure the following customizations, which do not get retained after customization.
Configure Computer Name
Configure a unique name for the Windows 10 IoT operating system.
Set Power Plan to High Performance
Execute the following command to configure the power plan as High performance:
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
Turn off Display
Execute the following command to configure the high performance power plan to turn off the display after 15 minutes:
powercfg -x -monitor-timeout-ac 15
Computer Sleep Mode
Execute the following command to configure the high performance power plan to never put the computer to sleep:
powercfg -x -standby-timeout-ac 0
Prevent User from launching Internet Explorer
Configure the following AppLocker rules in the local computer policy to prevent the user from launching Internet Explorer. Note that it may be possible to bundle this into the prebuild, but I was not able to test whether it is retained after the image prep process.
Launch GPEdit.msc and navigate to Computer Configuration > Windows Settings > Security Settings > Application Control Policies > AppLocker > Executable Rules > Create New Rule…:
Force the Application Identity service to start automatically by editing the following registry key (if this service isn’t started, AppLocker will not enforce any rules):
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppIDSvc]
"Start"=dword:00000002
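The post-preparation steps above, as an added PowerShell example that is not part of the original post: it re-applies the settings image preparation drops and builds the AppLocker policy as a file instead of through GPEdit. The scratch path and the Horizon View client install path are assumptions.

```powershell
# Added example, not from the original post: re-apply the thin client settings that
# image preparation does not keep, then verify them. Run elevated on the device.
$ErrorActionPreference = 'Stop'
$policyPath = "$env:TEMP\kiosk-applocker.xml"   # assumed scratch location

# Hide the last signed-in user name (same value as the .reg file above).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' `
    -Name dontdisplaylastusername -Value 1 -Type DWord
# High performance plan, display off after 15 minutes, never sleep on AC power.
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
powercfg -x -monitor-timeout-ac 15
powercfg -x -standby-timeout-ac 0

# AppLocker: once an Exe collection is enforced, every executable without an Allow
# rule is blocked, so the Deny for Internet Explorer must ship with the default Allow
# rules or the Horizon View client itself stops launching. S-1-1-0 is Everyone,
# S-1-5-32-544 is Administrators; rule Ids are generated here.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$(New-Guid)" Name="Deny Internet Explorer" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\Internet Explorer\iexplore.exe" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Program Files" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Windows" Description="" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$(New-Guid)" Name="Allow Administrators" Description="" UserOrGroupSid="S-1-5-32-544" Action="Allow">
      <Conditions><FilePathCondition Path="*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# Dry run against the XML before enforcing: iexplore.exe must come back Denied and
# the Horizon client (install path assumed) Allowed. Files not present are skipped.
$targets = @("$env:ProgramFiles\Internet Explorer\iexplore.exe",
    "${env:ProgramFiles(x86)}\VMware\VMware Horizon View Client\vmware-view.exe") | Where-Object { Test-Path $_ }
$results = Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone -Path $targets
$results | ForEach-Object { '{0,-16} {1}' -f $_.PolicyDecision, $_.FilePath }
if (($results | Where-Object FilePath -like '*iexplore.exe').PolicyDecision -ne 'Denied') {
    throw 'Internet Explorer is not denied by the policy; not applying it.'
}
Set-AppLockerPolicy -XmlPolicy $policyPath

# AppLocker enforces only while Application Identity runs. As in the .reg file above,
# set its Start value directly; the new start type is picked up at the next boot.
Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\AppIDSvc -Name Start -Value 2
try { Start-Service -Name AppIDSvc } catch { Write-Warning 'AppIDSvc will start after a reboot.' }
```

The default Allow rules still permit everything under the Windows directory, which is the area the closing section flags for further lockdown.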
The following items should be highlighted because the build can be improved on them, but they were left out due to the amount of time available for the initial build.
Host name generation
The Host Name calculation feature is supposed to generate a new name for the Windows 10 IoT OS, but it does not:
It should be possible to place the power scheme commands in the scripts that are executed at the end of the preparation, but this requires time to identify and test.
Preparation Finalization
The initial build of the image does not complete automatically because the final steps require the Windows shell, while the user account is customized to be shell-less, so the administrator needs to manually log into the thin client as the admin account for the finalization to complete.
AppLocker Configuration
The AppLocker configuration can be included in the base image, but due to time constraints it was not added.
Further Security Lockdown
AppLocker can be further configured to block other applications that may still be launchable from within the shell, but this will require additional time.