Windows 2008 R2 Server Windows update unknown error

I’m putting this out there for anyone else. For the last 3 months I had a Windows 2008 R2 server that would not apply Windows updates. “An unknown error has occurred” is all I would get.

This was fixed today. The cause turned out to be a file system filter driver attached to the local system disk. I had never heard of this before today.

The command FLTMC lists the file system minifilters loaded on the server. This listing is from a working server; I don’t know if yours will match exactly.

C:\Users\administrator.server>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

Now when my server was in an error condition, this listing had an additional entry with the highest ‘Altitude’ value.

C:\Users\administrator.server>fltmc

Filter Name                     Num Instances    Altitude    Frame
------------------------------  -------------  ------------  -----
CpsFsJnl                                0       429999.999999    0
VirtFile                                0       429999.280700    0
msnfsflt                                0       364000         0
luafv                                   1       135000         0

This filter was the cause of my issue. This was a remnant of a Symantec CPS (continuous protection server) installation that was supposedly uninstalled years ago. It apparently left this filter installed and active on the server. It must have been dormant there for years until a windows update or something caused the error condition.

The filter driver is a system file called cpsfsjnl.sys, and a quick search found it buried in the Program Files directory. I deleted the file (after making a backup, just in case). I also exported and then deleted the following registry entries:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CpsFsJnl]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\CpsFsJnl\Enum]

I rebooted the server, checked FLTMC to be sure the CpsFsJnl was no longer listed, and then ran the Windows updates.

So, bottom line, in my case, Symantec CPS left a Virtual Disk Filter on the server that caused the error condition. Removing it fixed Windows updates.
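The check I would script for this, as an added example that is not part of the original post: parse the output of fltmc, compare it with a list of filters you expect, and for anything extra show which driver file backs it, whether the file still exists and whether it is signed. The baseline names are an assumption copied from the working server listing above; adjust them for your own environment.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell.
# $Baseline is an assumption taken from the known-good fltmc listing above.
$Baseline = @('VirtFile', 'msnfsflt', 'luafv')

function Get-LoadedFilter {
    # Parse the text table printed by "fltmc filters": name, instance count,
    # altitude, frame. The header line and the dashed line do not match the regex.
    fltmc filters 2>$null |
        Where-Object { $_ -match '^\S+\s+\d+\s+[\d.]+\s+\S+\s*$' } |
        ForEach-Object {
            $parts = $_ -split '\s+'
            [pscustomobject]@{
                Name      = $parts[0]
                Instances = [int]$parts[1]
                Altitude  = [double]$parts[2]
                Frame     = $parts[3]          # may read <Legacy> for legacy filters
            }
        }
}

function Get-FilterOrigin {
    param([string]$Name)
    # Minifilters are kernel drivers registered under the Services key; ImagePath
    # names the .sys file. A filter with no service key is worth a closer look.
    $svcKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name"
    $svc = Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Name = $Name; ImagePath = '(no service key)'; Exists = $false; Signed = 'n/a'; Start = $null }
    }
    # ImagePath is usually relative to the Windows directory, or prefixed with \SystemRoot\ or \??\
    $path = ([string]$svc.ImagePath) -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', ''
    if ($path -and -not [System.IO.Path]::IsPathRooted($path)) { $path = Join-Path $env:SystemRoot $path }
    $exists = [bool]($path -and (Test-Path -LiteralPath $path))
    $signed = if ($exists) { (Get-AuthenticodeSignature -FilePath $path).Status } else { 'n/a' }
    [pscustomobject]@{ Name = $Name; ImagePath = $path; Exists = $exists; Signed = $signed; Start = $svc.Start }
}

$filters = Get-LoadedFilter | Sort-Object Altitude -Descending
$extra = $filters | Where-Object { $Baseline -notcontains $_.Name }
if (-not $extra) { 'No filters outside the baseline.'; return }

'Filters not in the baseline (highest altitude first):'
$extra | ForEach-Object { Get-FilterOrigin -Name $_.Name } | Format-Table -AutoSize
```

A leftover like CpsFsJnl shows up here as a non-baseline filter whose ImagePath points outside system32\drivers, which is what you want to see before deleting anything.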

Exchange 2007 Outlook Web Access Error The Password does not meet the minimum security requirements

In Microsoft Exchange OWA (Outlook Web Access) a user will attempt to change the account password and encounter the error “The password supplied does not meet the minimum security requirements”. This error happens even though password complexity is disabled in Group Policy.

OWA error message

The cause of the error is the minimum password age in one or more of the applied GPOs on the OWA host.

Change the Policy for Minimum password age to 0. Then either run GPUPDATE /FORCE or just reboot the host.

GPO for Min Password Age

Installing SCEP using Microsoft NDES

SCEP (Simple Certificate Enrollment Protocol) is a standard solution for admins wishing to deploy certificates to devices with little interaction and no manual uploading/downloading of cert files between systems. NDES (Network Device Enrollment Service) is Microsoft’s implementation of SCEP. NDES and SCEP are essentially 2 labels for the same service. This is really just my braindump from working with SCEP over the last few months.

A lot of this page is derived from the Microsoft whitepaper Microsoft SCEP Implementation.

To begin, you will need a few things.
1) A working MS Domain with healthy AD.

2) A Microsoft Certificate Authority.
You can setup either a Standalone or Enterprise CA. Since most of my work was with MS, this example is for an Enterprise CA.

3) A 2008 or 2012 Enterprise or Datacenter Server.
This is for the install of NDES. NDES will not install on a Standard edition server. Also, NDES cannot be installed on the same server that holds a Certificate Authority.

With those ready to go, here’s how to get NDES installed.

Setup NDES Accounts in AD
NDES needs 2 accounts on the Domain. You need an Admin account for installation and interaction with the GUI. You need a service account to run the service and request/enroll certificates.

1) Create NDES_Admin. Assign it to the Enterprise Admins group in the domain (this membership can be removed after installation). Assign it to the local Administrators group on the NDES host.
2) Create NDES_ServiceAccount. Assign it to the IIS_IUSRS group on the NDES host.

Duplicate the Certificate Templates
In the Certificate Authority(CA) we need to create the Certificate templates that will be used by NDES.

  • Open the Certificate Authority MMC
  • On the left, expand the CA. Right click on the Templates Folder and select Manage. This will open the Template Mgmt folder.
  • Locate the Exchange Enrollment Agent (Offline Request), right click and Duplicate the template.
  • When prompted, select the server level. I used 2008 Enterprise on a 2008 host and 2012 on a 2012 host. Both worked fine, I don’t know the differences between the 2.
  • In the Template Dialogue, Make the name NDES Exchange Enrollment Agent (Offline Request)
  • In the Template Security Tab, Assign Permissions for the NDES_Admin Account and grant it Read and Enroll rights.
  • Click OK to save and exit this Template.
  • We need to do the same thing for the CEP Encryption template (Duplicate it, name it NDES CEP Encryption, and assign NDES_Admin the Read and Enroll rights).
  • Last, we need to do the same thing for the IPSEC (Offline Request), name it NDES IPSEC (Offline Request), assign NDES_Admin AND NDES_ServiceAccount the Read and Enroll Rights.
  • Close the Templates MMC

Publish The Certificates
Back at the CA, we need to publish the new Templates we just created into the CA for use.

  • Right click the Templates folder in the CA.
  • Pick New then Certificate Template to Issue.
  • Select the 3 NDES… certificates we just created and click OK to publish.

Once done, the 3 NDES certs should appear in the list of usable certificate templates in the CA windows.

Assign Permissions on the CA
Next we need to add Read and Request permissions for the NDES_ServiceAccount on the CA.

  • From the left side panel in the Certificate Authority MMC, right click the CA name and select Properties.
  • Click on the Security tab.
  • Add NDES_ServiceAccount and assign it Read and Request Certificates rights.
  • Hit OK and close it.

Install NDES
Now that we are done with the CA and certificate work, we can move on to the installation of NDES on the NDES host.

  • Log in to the NDES box using the NDES_Admin account created earlier.
  • Open Server Manager from the Start menu.
  • In the left pane of Server Manager, right-click Roles and select Add Roles from the menu.
  • Click Next on the Before You Begin screen in the Add Roles Wizard.
  • Select Active Directory Certificate Services on the Select Server Roles screen and click Next.
  • Click Next on the Introduction screen.
  • On the Select Role Services screen, clear Certification Authority and select Network Device Enrollment Service. As I mentioned previously, NDES can’t be installed on the same machine as a CA.
  • In the Add Roles Wizard dialog box, click Add Required Role Services to install the necessary IIS and Remote Server Administration Tool components.
  • On the Specify User Account screen click Select User. In the Windows Security dialog box, enter the username and password for the NDES_ServiceAccount and click Next.
  • Click Browse in the Specify CA for Network Device Enrollment Service dialog box.
  • In the Select Certification Authority dialog box, select the issuing CA, click OK and Next to continue.
  • On the Specify Registration Authority Information screen, modify the Country/Region field as necessary and click Next.
  • On the Configure Cryptography for Registration Authority screen, accept the default settings, which you can see in Figure 3, and click Next.
  • Click Next on the Web Server (IIS) introduction screen.
  • Accept the defaults on the Select Role Services screen by clicking Next.
  • Click Install on the Confirm Installation Selections screen.
  • Click Close on the Installation Results screen.

Modify the NDES Registry
Before we can request a password from NDES to start the certificate request process, we need to set some registry keys on the NDES server to point to our NDES IPsec (Offline Request) certificate, then restart IIS.

  • Open regedit from the Search programs and files box on the Start menu.
  • In the left pane of Registry Editor, navigate to the following registry key: HKLM\Software\Microsoft\Cryptography\MSCEP.
  • You’ll find three REG_SZ values: EncryptionTemplate, GeneralPurposeTemplate and SignatureTemplate. Set all three values to NDESIPSECIntermediateOffline (the template name, not the display name), then close Registry Editor.
  • Type cmd into the Search programs and files box on the Start menu and press Ctrl+Shift+Enter to start the command prompt with administrative privileges.
  • Type the following two commands to restart IIS:

net stop w3svc
net start w3svc

  • Close the command prompt.
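The same registry step done from PowerShell, with a read-back check and a SCEP GetCACert request to confirm NDES is answering afterwards. This is an added example, not from the original post or the Microsoft whitepaper; the template name and the default local NDES URL are assumptions for your environment.

```powershell
# Added example, not from the original post. Run elevated on the NDES host (PowerShell 3 or later).
# $TemplateName must be the template *name* (no spaces), not the display name shown in the
# template MMC. The value below is the one used on this page; verify it against your CA.
$TemplateName = 'NDESIPSECIntermediateOffline'
$KeyPath = 'HKLM:\Software\Microsoft\Cryptography\MSCEP'
$Values  = 'EncryptionTemplate', 'GeneralPurposeTemplate', 'SignatureTemplate'

if ($TemplateName -match '\s') { throw 'Use the template name (no spaces), not the display name.' }

foreach ($v in $Values) {
    Set-ItemProperty -Path $KeyPath -Name $v -Value $TemplateName -Type String
}

# Read the three values back and fail loudly if any of them did not stick.
$props = Get-ItemProperty -Path $KeyPath
foreach ($v in $Values) {
    if ($props.$v -ne $TemplateName) { throw "$v is '$($props.$v)', expected '$TemplateName'" }
}

# Equivalent of "net stop w3svc" / "net start w3svc".
Restart-Service -Name w3svc -Force

# SCEP GetCACert: NDES returns the CA/RA certificate chain as PKCS#7 with
# content type application/x-x509-ca-ra-cert. Assumes the default NDES path on localhost.
$uri  = 'http://localhost/certsrv/mscep/mscep.dll?operation=GetCACert&message=ca'
$resp = Invoke-WebRequest -Uri $uri -UseBasicParsing
"HTTP $($resp.StatusCode); Content-Type: $($resp.Headers['Content-Type']); $($resp.RawContentLength) bytes"
```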

Replace Outlook Mail, Contacts, and Calendar with Thunderbird

My company uses MS Exchange 2013 for mail, contacts, calendars, and tasks. However, we have a lot of users on Linux desktops that can’t run Outlook. For others, the new Outlook 2013 is a horrible monstrosity of flat icons on an all-white background that burns your eyes after a few hours in front of the monitor. So I was after a complete replacement for Outlook to access email, contacts, and calendar on Exchange. Well, email is easy. Calendar, not so much. Contacts seem to be deliberately complicated. But here is a working solution using Thunderbird with some available plugins. These examples were taken from a machine running Mint 17 64-bit, but the same steps should work on Windows.


Install Thunderbird

Thunderbird is the Mozilla mail client. It comes installed on many Linux distros. If you need to install it for any reason you can find it in the repos or directly from the Thunderbird website: https://www.mozilla.org/en-US/thunderbird/


Configure Thunderbird for Exchange Mail

  1. Add a new mail account (Edit > Account Settings > Account Actions button > Add Mail Account).
  2. If you get prompted to create a new email address at some 3rd party service, select “Skip this and use my existing email”.
  3. Enter your name to be displayed, email address, and password.
  4. Thunderbird will most likely fail to autodetect the settings for Exchange. An expanded window will appear prompting for your Exchange settings. These can be provided by the email admin. You need the IMAP settings and SMTP settings, and note that the username usually takes the form DOMAIN\Username.
  5. Hit Done when complete.


Install Lightning for Thunderbird

Lightning is a Thunderbird add-on that provides the calendar and task list services. Installation is done from Thunderbird.

  1. Click Tools > Add-ons (or use the menu button on the right and pick Add-ons. BTW, to get the menu bar back, right click to the right of the tabs and select Menu Bar).
  2. In the search box, enter ‘lightning’.
  3. Select the Lightning add-on, install it and restart.


Install Exchange connector

The real trick here is getting the calendar, contacts, and tasks to sync with Exchange.   The only plug-in that I’ve found that does this is located at http://www.1st-setup.nl/wordpress/?page_id=551

  1. Access that link and download the latest version of the plugin.
  2. Save the xpi file on your machine.
  3. From Thunderbird, open the add-on manager (Tools > Add-ons).
  4. Click the gear button next to the search box and select “Install Add-on From File”.
  5. Select the xpi file you just downloaded.
  6. Restart Thunderbird.


Configure Calendar

  1. Click the Calendar button to open the calendar tab.
  2. Right click on the blank space under Calendar and select “New Calendar”.
  3. Select “On the Network” and click Next.
  4. Select “Microsoft Exchange 2007/2010/2013” and click Next.
  5. Give the calendar a name like “Exchange Calendar” and pick the email address associated with the Exchange account (this should match the one you just set up for IMAP above). Hit Next when done.
  6. Click Autodiscover (any good admin has this set up). Fill in the username and the domain. Leave the Folder ID field empty. Click “Perform Autodiscovery” when ready.
  7. You will probably get a prompt to enter your email account password. Enter the password and continue.
  8. You will probably get the option to pick an EWS server. You’ll probably only have 1 in the list; otherwise, ask your admin. Continue when ready.
  9. You will get a final window showing the calendar root. Make edits as needed, but most can just accept the default and hit Next.
  10. In the list of calendars, you should now see an entry for your calendar on Exchange.


Configure Contacts

  1. In Thunderbird’s inbox tab, select Address Book.
  2. In the Address Book window, select “Add Exchange Contact Folder”.
  3. Enter a descriptive name.
  4. Check “Add Global Address List to search results”.
  5. Check “Use Exchange’s Autodiscovery function”.
  6. Enter your email, username and domain in the correct fields and perform the autodiscovery when ready.
  7. Once again, enter the password if prompted and pick the correct EWS server if prompted.
  8. Make edits to the contact root folder as needed. Most can leave it at the default. If your company uses a Public Folder for contacts, you can change the root to Public Folders and browse to the correct folder.

That’s it. You can add as many calendars and address books as you need. I did this and now have a very good solution to replace Outlook on any desktop.

Exchange 2010 List ActiveSync Devices removed from Quarantine and other States

Exchange 2010 has a feature in ActiveSync where the admin can set up Device Access Rules to control which devices may connect via ActiveSync. Rules can be set up so that only certain devices can connect and all other devices are quarantined until an admin acts on them.

This works well for companies that only issue certain devices (i.e. BlackBerries) and want to block all Android/iPhone devices from using ActiveSync. However, there are always exceptions, especially when the CEO wants to use his iPhone. So the admin can explicitly allow the CEO’s iPhone to connect. However, the GUI does not report which devices are allowed, which were allowed by policy, and which were given individual exemptions.

Here’s how I discovered how to get that info using Exchange PowerShell.

This command will list all active ActiveSync devices that have been issued an individual exemption:

Get-ActiveSyncDevice -filter {DeviceAccessStateReason -eq 'Individual'}

The DeviceAccessStateReason attribute gives the reason for the device’s access state. Its possible values are:

  • Global   Caused by the global access setting
  • DeviceRule   Caused by a device access rule
  • Individual   Caused by an individual exemption
  • Policy   Caused by Exchange ActiveSync security policies
  • Upgrade   Caused by the upgrade of the user’s mailbox. This is a temporary state that is designed to give the device a chance to upgrade prior to being controlled by the rules and access settings.

The same Cmdlet can be used to filter on any of the attributes of the Active Sync Item:

Attribute                Description
FriendlyName             The name the user gave their mobile device
DeviceId                 A unique identifier used by Exchange ActiveSync to identify each device’s partnership
DeviceImei               The International Mobile Equipment Identity (IMEI) number of the mobile device
DeviceMobileOperator     The mobile operator to which the mobile device was last connected
DeviceOS                 The name and version number of the operating system running on the mobile device
DeviceOSLanguage         The language used by the operating system
DeviceTelephoneNumber    The last four digits of the phone number
DeviceType               The device family. To control access for all device models in a family, create a device access rule for that family (see Create a New Device Access Rule).
DeviceUserAgent          The device’s network protocol name, which characterizes the client to the server
DeviceModel              The device model. To control access for a specific model, create a device access rule for that model only (see Create a New Device Access Rule).
FirstSyncTime            The date and time the device first requested to connect with Exchange ActiveSync. This gives an idea of how old the device partnership is. For the latest connection details, view the mobile device information from the user’s mailbox or user settings, or use the Get-ActiveSyncDeviceStatistics cmdlet.
UserDisplayName          The name of the person using the device
DeviceAccessState        The access state of the device: Allowed, Blocked, Quarantined, or DeviceDiscovery. The last value indicates the device is temporarily quarantined while Exchange ActiveSync identifies it.
DeviceAccessStateReason  The reason for the device’s access state: Global, DeviceRule, Individual, Policy or Upgrade, as listed above
DeviceAccessControlRule  The name of the rule affecting the device’s current access state, if any
DeviceActiveSyncVersion  The version of the Exchange ActiveSync protocol used by the device

For a Summary of the Active Sync Devices, try the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceType

To view a count of devices of each device model, run the following command:

Get-ActiveSyncDevice | Group-Object -property DeviceModel

All these values are stored in AD and could also be queried via an LDAP search or a well-formed dsquery|dsget command.
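An audit script built on the cmdlets above, as an added example that is not part of the original post: it summarises devices by state and reason, then lists each individual exemption with its last successful sync so that exemptions nobody uses any more stand out, and finally shows what is still sitting in quarantine. It runs from the Exchange Management Shell; the 30-day staleness threshold is an assumption.

```powershell
# Added example, not from the original post. Run in the Exchange 2010 Management Shell.
$StaleDays = 30   # assumption: exemptions with no successful sync in this many days are flagged

# 1. How many partnerships are in each access state, and why
$devices = Get-ActiveSyncDevice -ResultSize Unlimited
$devices |
    Group-Object DeviceAccessState, DeviceAccessStateReason |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize

# 2. Individual exemptions: which user, which device, and when it last synced.
#    Get-ActiveSyncDeviceStatistics carries LastSuccessSync; Get-ActiveSyncDevice does not.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$devices |
    Where-Object { $_.DeviceAccessStateReason -eq 'Individual' } |
    ForEach-Object {
        $stats = Get-ActiveSyncDeviceStatistics -Identity $_.Identity -ErrorAction SilentlyContinue
        $lastSync = if ($stats) { $stats.LastSuccessSync } else { $null }
        $stale = if ($lastSync) { $lastSync -lt $cutoff } else { $true }   # never synced counts as stale
        [pscustomobject]@{
            User        = $_.UserDisplayName
            DeviceType  = $_.DeviceType
            DeviceModel = $_.DeviceModel
            DeviceId    = $_.DeviceId
            AccessState = $_.DeviceAccessState
            LastSync    = $lastSync
            Stale       = $stale
        }
    } |
    Sort-Object LastSync |
    Format-Table -AutoSize

# 3. Devices still waiting in quarantine for an admin decision
$devices |
    Where-Object { $_.DeviceAccessState -eq 'Quarantined' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, DeviceUserAgent, FirstSyncTime |
    Format-Table -AutoSize
```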

AD attribute for MSAccessState

Check for 32 bit vs 64 bit Microsoft OS in Windows Batch File

This is a usable example showing how to check for a 32 bit OS vs a 64 bit OS in MS windows within a batch file.

This is very useful when deploying certain applications through MS Group Policy.

Example from a .bat file:

@echo off
REM Query the first CPU's description. The "0" subkey holds the values;
REM querying the parent CentralProcessor key alone only lists subkey names.
Set RegQry=HKLM\Hardware\Description\System\CentralProcessor\0
REG.exe Query %RegQry% > checkOS.txt
REM On a 32-bit OS the Identifier value starts with "x86", even on 64-bit hardware.
Find /i "x86" < checkOS.txt > StringCheck.txt
If %ERRORLEVEL% == 0 (
   CALL --32bit install goes here--
) ELSE (
   CALL --64bit install goes here--
)

The code simply dumps the registry key to a file and then searches it for ‘x86’, which indicates a 32-bit installation.
The batch file will leave checkOS.txt (and StringCheck.txt) in place on the end user machine.

Contents of the checkOS.txt file would look something like this:

HKEY_LOCAL_MACHINE\Hardware\Description\System\CentralProcessor\0
    Component Information    REG_BINARY    00000000000000000000000000000000
    Identifier    REG_SZ    Intel64 Family 6 Model 37 Stepping 2
    Configuration Data    REG_FULL_RESOURCE_DESCRIPTOR    FFFFFFFFFFFFFFFF0000000000000000
    ProcessorNameString    REG_SZ    Intel(R) Core(TM) i7 CPU       M 620  @ 2.67GHz
    VendorIdentifier    REG_SZ    GenuineIntel
    FeatureSet    REG_DWORD    0x21193ffe
    ~MHz    REG_DWORD    0xa64
    Update Signature    REG_BINARY    000000000D000000
    Update Status    REG_DWORD    0x7
    Previous Update Signature    REG_BINARY    000000000D000000
    Platform ID    REG_DWORD    0x10

Loading MS Certificate Server CRL to F5 BIGIP 11.3

I was asked to manually load a Certificate Revocation List (CRL) from an MS Server 2008 R2 Certificate Server to an F5 BIGIP appliance for use when authenticating client certificates.

Having a CRL loaded as a local file into the BIGIP is probably the easiest way to get it to check a CRL since you are avoiding the use of MS Enterprise/Datacenter Servers with OCSP. I also had various issues that the F5 tech support could not explain with CRLDP and MS cert services. So the CRL is an easy fix for a lab environment. I also could not find the proper method to do this in the online knowledge-base for F5’s product either.

For starters, you need to get a copy of the CRL from your MS Certificate Server.

Download CRL

1) Browse to http://SERVERNAME/CertSrv and sign in if needed.
2) Click on Download a CA certificate, certificate chain, or CRL.
3) Select DER format and click on Download Latest Base CRL
4) Save the file to your machine.

Load the CRL to the BIGIP
1) Open up your BIGIP admin GUI.
2) Navigate to System -> File Management -> SSL Certificate List -> Import.
3) From the Import Type pulldown, select ‘Certificate Revocation List’.
4) Enter the name you want to use when referencing this file in BIGIP. Select Create New or Overwrite as needed.
5) Use the Browse button to select the CRL file called ‘certcrl.crl’.
6) Click Import to finish the process.
Import CRL to F5 BIGIP

Now that the CRL is imported, it can be used in any SSL Client Profile in the Certificate Revocation List (CRL) Dropdown.

This CRL is static. Any newly revoked certs on the MS Server will, of course, not be seen by the F5 until the CRL file is updated.
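Because the imported copy goes stale, a small check on the CA side is worth scheduling. The following is an added example, not from the original post: it downloads the current base CRL from the CA web enrollment site, decodes it with certutil, and reports the NextUpdate time and the number of revoked certificates, so you know when the copy on the BIG-IP needs to be replaced. Assumptions: the certsrv download URL, and the ‘ThisUpdate:’ / ‘NextUpdate:’ / ‘CRL Entries:’ lines in certutil’s dump output.

```powershell
# Added example, not from the original post. Run on any domain-joined Windows host
# that can reach the CA's web enrollment pages (PowerShell 3 or later).
param(
    [string]$CaHost  = 'SERVERNAME',                 # placeholder, as on the page
    [string]$OutFile = "$env:TEMP\certcrl.crl"
)

# The "Download latest base CRL" link on the certsrv page serves this file (assumption).
$url = "http://$CaHost/certsrv/certcrl.crl"
Invoke-WebRequest -Uri $url -OutFile $OutFile -UseDefaultCredentials -UseBasicParsing

# certutil decodes the DER-encoded CRL to text; pull the validity window out of it.
$dump = certutil -dump $OutFile
if ($LASTEXITCODE -ne 0) { throw "certutil could not decode $OutFile" }

function Get-DumpDate([string[]]$Lines, [string]$Label) {
    $line = ($Lines | Select-String "$Label\s*:" | Select-Object -First 1).Line
    if (-not $line) { throw "No '$Label' line found in certutil output" }
    [datetime]::Parse(($line -replace ".*$Label\s*:\s*", '').Trim())
}

$thisUpdate = Get-DumpDate $dump 'ThisUpdate'
$nextUpdate = Get-DumpDate $dump 'NextUpdate'
$entryLine  = $dump | Select-String '^\s*CRL Entries:\s*(\d+)' | Select-Object -First 1
$revoked    = if ($entryLine) { [int]$entryLine.Matches[0].Groups[1].Value } else { 0 }

[pscustomobject]@{
    File       = $OutFile
    ThisUpdate = $thisUpdate
    NextUpdate = $nextUpdate
    HoursLeft  = [math]::Round(($nextUpdate - (Get-Date)).TotalHours, 1)
    Revoked    = $revoked
    Expired    = ($nextUpdate -lt (Get-Date))
}
```

When Expired is true, or HoursLeft is smaller than your import cadence, re-run the BIGIP import with Overwrite; the F5 will keep using the old list until you do.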

MS Windows 2008 r2 Server and OCSP Online Certificate Status Protocol

I’ve been using a F5 BIG IP in a test lab as a VPN concentrator using client certs as part of the Authentication of the client. We have a windows 2008 r2 domain controller on the inside LAN running MS Certificate Services. The 2008r2 host is running as the Certificate Authority (CA) and is used to issue the client certs that are used in the Auth process.

The key here is that the BIG IP must have access to the Certificate Revocation List (CRL) from that 2008 R2 CA. So I started looking into Online Certificate Status Protocol (OCSP) and with a little research was able to find the bits needed to get the 2008 R2 server to operate as an OCSP Responder, so that the BIG IP could query it for revoked client certs and prevent those certs from being used by clients to establish a VPN session.

The steps here are to:
1) Setup the MS Certificate Services with an OCSP Certificate Template.
2) Allow the CA to support OCSP responder services.
3) Setup an OCSP Responder
4) Create a Revocation Configuration

So, I started with a working 2008 r2 host.

Setup the MS Certificate Services with an OCSP Certificate Template.
1) Open the Certificate Templates snap-in.
2) Right-click the OCSP Response Signing template, and then click Properties.
3) Click the Security tab. Under Group or user name, click Add.
4) Click Object Types, select the Computers check box, and then click OK.
5) Type the name of or browse to select the computer hosting the Online Responder or OCSP responder services, and click OK.
6) In the Group or user names dialog box, click the computer name, and in the Permissions dialog box, select the Read and Enroll check boxes. Then click OK.

Allow the CA to support OCSP responder services.
Note that the Online Responder must be running 2008 R2 Enterprise or 2008 R2 Datacenter

1) Open the Certification Authority snap-in.
2) In the console tree, click the name of the CA.
3) On the Action menu, click Properties.
4) Click the Extensions tab.
5) In the Select extension list, click Authority Information Access (AIA), and then click Add.
6) Specify the locations from which users can obtain certificate revocation data, such as http://computername/ocsp.
7) Select the Include in the online certificate status protocol (OCSP) extension check box.
8) In the console tree of the Certification Authority snap-in, right-click Certificate Templates, and then click New Certificate Templates to Issue.
9) In Enable Certificate Templates, select the OCSP Response Signing template and any other certificate templates that you configured previously, and then click OK.
10) Double-click Certificate Templates, and verify that the modified certificate templates appear in the list.

Setup an OCSP Responder
An OCSP responder is basically a 2008 R2 Enterprise or Datacenter server running the Online Responder role service of Active Directory Certificate Services. It is installed the same way NDES was above: in Server Manager, add the Active Directory Certificate Services role (or Add Role Services if the role is already present) and select Online Responder. The responder host must be the computer that was granted Read and Enroll on the OCSP Response Signing template in the first step.

And Finally, Create a Revocation Configuration
Microsoft has this information available here.


If you plan on using this Online Responder to answer requests from non-MS sources, you may need to set a few additional options for NONCE support and ‘allow all valid requests’.

1) Open Server Manager.
2) Navigate to Roles -> Active Directory Certificate Services -> Online Responder.
3) Highlight Revocation Configuration.
4) Right click on the revocation entry in the center column and select ‘Edit Properties’.
5) In the Properties window, click the Signing tab.
6) Here you can enable NONCE support if needed.
7) ‘Use any valid OCSP signing certificate’ will allow non-MS hosts to use this responder for lookups.

MS OCSP Options to allow all valid OCSP requests and to enable NONCE support

Lync 2013 Error “Failed while updating destination pool” migrating a user from Lync 2010 to Lync 2013

So, let’s say you’ve built up a Lync 2013 installation in parallel to your existing Lync 2010. It’s time to migrate users from the Lync 2010 registrar pool to the Lync 2013 pool.

Lync 2013 Migrate User

Select User – Action – Move Selected Users to pool


But when you do this, you get the following error “Failed while updating destination pool”

Lync 2013 Error

Lync Error Failed while updating destination pool


The issue seems to be caused by a problem with the inheritable permissions on the user account. To fix it, use ADSIEdit. Find the user account that you are trying to move, pull up its Properties, click the Security tab, then Advanced. Check the box that says Include inheritable permissions from this object’s parent.

ADSIEdit Include permissions

Check Include inheritable permissions

Save the changes to the user. Return to Lync and migrate the user.
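To find every account in this condition before a bulk migration, and to apply the same fix without ADSIEdit, here is an added example that is not part of the original post. It also reports adminCount, because accounts that are or were members of protected groups (Domain Admins and the like) get inheritance removed again by the AdminSDHolder/SDProp process about once an hour, so for those the checkbox will not stay set until the account leaves the protected groups. The search base defaults to the current domain (assumption).

```powershell
# Added example, not from the original post. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ProtectedAclUser {
    # Lists users whose security descriptor has inheritance blocked
    # (what the "Include inheritable permissions" checkbox being clear means).
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)   # assumption: current domain
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount, memberOf |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName,
                      @{ n = 'AdminCount'; e = { $_.adminCount } },
                      @{ n = 'GroupCount'; e = { @($_.memberOf).Count } },
                      DistinguishedName
}

function Enable-AclInheritance {
    # Re-enables inheritance on one account, the same change ADSIEdit makes.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $user = Get-ADUser -Identity $SamAccountName -Properties adminCount
    if ($user.adminCount -eq 1) {
        Write-Warning "$SamAccountName has adminCount=1; SDProp will block inheritance again unless the account is removed from protected groups and adminCount is cleared."
    }
    $path = "AD:\$($user.DistinguishedName)"
    $acl  = Get-Acl -Path $path
    # $false = stop protecting (inherit from parent); $true = keep the existing explicit ACEs
    $acl.SetAccessRuleProtection($false, $true)
    Set-Acl -Path $path -AclObject $acl
}

Get-ProtectedAclUser | Format-Table -AutoSize
# Enable-AclInheritance -SamAccountName 'jdoe'   # 'jdoe' is a placeholder account name
```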

How to Install Lync 2013

Today I was given an Evaluation of Lync 2013 and asked to install it in a Lab setting to have a look at it.

So to get started, I spun up a Virtual 2008 R2 SP1 server, got it patched, assigned a static IP, and joined it to the lab domain. I spun up a 2nd 2008 R2 server and assigned it to the DMZ with a static 1 to 1 NAT to an external IP (this will become the Lync Edge Server).

I’m using the Technet Evaluation DVD for office 2013. Lync 2013 is found on the CD in the LyncServerStandard Folder, or you can grab the Eval right from the MS website. However you get it, place it somewhere your server can get to it. Mine went right onto the desktop.

Some Prereqs for this install.

    • Install the .Net 4.5 Framework. You need to Download this from MS website here
    • Powershell V3.0. You need to download this from the MS website here
    • Windows Identity Foundation. You need to download this from the MS website here
    • You need Patch from KB 2646886. You need to download this from the MS website here
    • IIS 7 Server role must be enabled
    • Install MS Visual c++ 2012 x64 Runtime. This will be done by the setup if you don’t already have it.
    • For 1st installs, you need AD administrative tools (to extend the Schema). It’s installed from Server Manager -> Features -> Add Feature -> Remote Server Administration Tools
    • You will need a shared folder on a host to use during the Front End Pool setup, i.e. \\server\share should be available.
    • Several features are needed as well; these can be installed from PowerShell using the following command:

Add-WindowsFeature RSAT-ADDS, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Desktop-Experience, Telnet-Client


Now the Installer begins:
Pick your Location and hit install
Lync 2013 Installer

Agree to the EULA
Lync 2013 EULA

Lync 2013 requires AD schema extensions, so the AD must be prepped first. Click on Prepare Active Directory to start.
Lync 2013 Installation

This will run the Deployment Wizard. There are several steps you must take to prepare the domain for the Lync 2013 install. If you have used Lync 2010, this should look very familiar.
Lync 2013 Deployment Wizard

Once the Wizard is complete, you will find a new AD group called CSAdministrator. Members of this group get administrative access to the Lync Server.

Hit BACK when complete.

On the right hand side, you will see install items for additional components.

If this is the 1st server, then click on the Prepare First Standard Edition Server
Lync 2013 Prepare Single Server

Click Next through the info screen and wait for it to complete.

Lync 2013 Prepare Single Server - 1
Lync 2013 Prepare Single Server - 2

Set up Lync Server Components

Next you will want to install the Admin Tools. These include the Topology Builder, which you need to use before installing the server system components. The tools install without any additional input.
Lync 2013 Install Admin Tools

Launch the Topology Builder that was installed with the admin tools.
Lync 2013 Topology Builder Menu

When you launch, the Topology builder will ask if you want to Import, Load, or Create a New Topology. Make the appropriate selection based on your situation. If this is your 1st Lync server, you will, of course, want to pick a New Topology.
Lync 2013 Topology Builder start

For this basic setup, we will use the single server as the Front-End Server, A/V Conference, and mediation pool servers. In a production environment, you could install these roles onto different servers or into pools as needed.

  • Right click on Standard Edition Front End Server -> New Front End Pool.
  • Click Next past the Welcome screen.
  • Enter the FQDN of the server you will use for the install. For first-timers, it will probably be the same server you are on now.
  • Select the features for this install. IM and presence are included by default, but you can select additional features as needed. With Enterprise Voice, you can integrate Lync with other 3rd party VoIP providers like Cisco CUCM, but I’ll cover those integrations in a future post.
  • For this lab install and most small installs you can Collocate the Mediation Server on the Front End Server.
  • Select Enable an Edge Pool. Later on we will use a 2nd host in the DMZ to enable external IM and features.
  • For this Standard Install, local SQL is used, so hit Next.
  • Define the file Store. Here you enter the shared folder info that we created earlier in the pre-reqs.
  • Web Services – Internal and External URLs should be defined here. You can leave this as the default if you are unsure.
  • If you have an Office Web Apps Server, you can associate it with Lync here, otherwise, clear the checkbox.
  • Front End Edge Pool. The Edge Servers sit in the DMZ and accept traffic from the public internet. Here we are pausing the front end server config and will define the edge server config. Click NEW and then follow the steps below to set up the edge host. We will continue with the Front End pool when the Edge is completed.

We need to sidetrack here and create the Edge Server Pool. This server will sit in the DMZ and listen for traffic from the public internet.

  • Right click on Edge Pool -> Select New Edge Pool
  • Define the FQDN. Something like sipedge.company.com or lyncedge.company.com would be a good choice. Select whether it’s single or multiple. For this setup, we use single.
  • Select 1st option to use a single FQDN and IP so that 1 edge pool server will handle all traffic.
  • IP Options – leave these at ipv4. If the edge pool is behind a NAT, check that box. You will need to provide the Public IP info for that NAT later.
  • External FQDN – Here you will specify the FQDNs for the services. sip.company.com or lync.company.com are good choices. Later on, we will tie all the FQDNs together with DNS.
  • Internal IP – Enter the internal IP of the edge server.
  • External IP – Enter the external NAT IP of the edge Server.
  • External AV IP – Enter the external NAT IP of the edge Server again. We are using a single server/IP for all services.
  • Select the Next Hop – This will be the Front end Pool Server that we are creating.
  • Done

… Continuing with the Front End Pool

  • Select the Edge Server we just created
  • Done.

Last thing you will want to do is take the topology you just defined and Publish it to the domain.
Right Click on Lync Server -> Publish Topology

Now that the topology is created we can begin the server installations.

Next step is to Install the Lync Server. Select that option back at the Deployment window:
Lync 2013 Deploy Lync

You should see another Deployment Wizard for the Server Installation.

Lync 2013 Server Deployment

Install Local Config Store
Select the option to retrieve the information you need from the Central Management Store. Most should be able to leave this at the default for this setup. Hit Next and let it complete.
Lync 2013 Server install Step 1

Setup Lync Server Components
This step pulls in the topology from the Topology Builder and installs the needed components on this host based on how you built the topology. Just hit Next and the server components will be installed. This might take a while. Hit Finish when complete.
Lync 2013 Server Components Complete

Request, Install, Assign Certificates
Lync requires a certificate for the server and the web services. Highlight and select the certs you want to request and hit the Request button. This will send the certificate request to an online certificate authority, or create a request file you can send via email or submit through a web form for an offline request.
Once you receive the certificate, or if you already have one, click the Import button and browse to the location of the PFX or CER file.
After the cert is imported, use the Assign button to assign a cert to each use, Default and OAuthTokenIssuer. Select the cert from the list, inspect it, then assign it.
Lync 2013 Assigning certs

Start Services
Finally, start the services to launch the Lync Server.
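As an added post-deployment check (not part of the original walkthrough), the script below, run from the Lync Server Management Shell on the Front End host, verifies that each certificate use the wizard assigns is present and not near expiry, and that every Lync Windows service on the host is running. The output property names `Use` and `Status` and the 30-day expiry threshold are assumptions.

```powershell
# Added verification script, not part of the original post.
# Run in the Lync Server Management Shell after "Start Services".
# Assumes Get-CsCertificate exposes a 'Use' property and Get-CsWindowsService a 'Status' property.

$warnDays = 30   # assumption: warn when a certificate expires within 30 days

# 1. Certificates: each use the wizard assigns must be present and not about to expire.
$requiredUses = @('Default', 'WebServicesInternal', 'WebServicesExternal', 'OAuthTokenIssuer')
$assigned = Get-CsCertificate

foreach ($use in $requiredUses) {
    $cert = $assigned | Where-Object { $_.Use -eq $use } | Select-Object -First 1
    if (-not $cert) {
        Write-Warning "No certificate assigned for use '$use'"
        continue
    }
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -le $warnDays) {
        Write-Warning ("{0}: {1} expires in {2} days (thumbprint {3})" -f `
            $use, $cert.Subject, $daysLeft, $cert.Thumbprint)
    } else {
        Write-Output ("{0}: OK, {1} days left, issued by {2}" -f $use, $daysLeft, $cert.Issuer)
    }
}

# 2. Services: anything installed by the deployment wizard that is not running is reported.
$stopped = Get-CsWindowsService | Where-Object { $_.Status -ne 'Running' }
if ($stopped) {
    $stopped | ForEach-Object { Write-Warning ("Service {0} is {1}" -f $_.Name, $_.Status) }
} else {
    Write-Output "All Lync services on this host are running."
}
```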

This should complete the Front End Pool Server.
You will need to run the same deployment wizard on the Edge Server as well before you are finished. Copy the setup folders to the edge server or have it access the setups somehow. Have the Edge host run through the same deployment wizard that we just ran through for the Front End host.