SfB Server 2015: Pool Pairing with CMS and AlwaysON

We already publish guides to Deploying SQL Server AlwaysOn Availability Group for Skype for Business Server 2015 and also SfB Server: Moving Central Management to a pool with SQL Server AlwaysOn BackEnd.

However, we were asked to create another guide when we want to pair two SfB Enterprise Pools where the Primary Pool is hosting the Central Management Store (CMS).

Please note that in this scenario we use the SQL Server Defaults Paths.

Step 1 – Create CMS database in secondary pool back end

First, we need to take note of which SQL Server node is Primary in the SfB Backup Pool. In the following example, SQL01BCK is the active node:

Now in a Skype for Business PowerShell execute the following cmdlet:

Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn SQL01BCK.recore.lab -SqlInstanceName SFBBEBCK -UseDefaultSqlPaths

Note: We need to specify the FQDN of the SQL Server active node and not the AlwaysOn SQL Listener.

The databases are created but not part of the AlwaysOn Availability Group:

Step 2 – Add the CMS databases to the AlwaysOn Availabilty Group

Open a PowerShell on the active SQL Server in the Backup Pool Back End, and set the Recovery to Full and Perform a Full Backup:


Backup-SqlDatabase -ServerInstance SQL01BCK\SFBBEBCK -Database xds
Backup-SqlDatabase -ServerInstance SQL01BCK\SFBBEBCK -Database lis

Since in this scenario we use the SQL Server Defaults Paths, we don’t need to copy the folder structures using RoboCopy.

Now in SQL Management Studio, right click in the existent AlwaysOn Availability Group and Add Database:

In the Wizard, select both CMS databases:

Like when we configured AlwaysOn we need to specify a temporary shared folder:

Make sure all check in the validation are successful:

And finally the CMS databases will be added to the AlwaysOn Availability Group:

Step 3 – Add the necessary permissions to the secondary SQL Server node

In the previous guides related to AlwaysOn it was suggested to change the topology builder, however, we can simplify this without republishing the topology.

In the SQL Management Studio failover the AlwaysOn Availability Group:

Select the New Primary Replica:

After connecting to replica, the failover should be successful:

Back in the Skype for Business PowerShell and we execute the following cmdlet:

Install-CsDatabase -Update -CentralManagementDatabase -SqlServerFqdn SQL02BCK.recore.lab -SqlInstanceName SFBBEBCK -UseDefaultSqlPaths

Step 4 – Configure Pool Pairing

In the Topology Builder, edit the Primary Pool and associate the Backup Pool:

Now we publish the topology but unchecked the CMS creation since we already manually created it:

Here is the to-do list:

Update Skype for Business Server with the changes defined in the topology by running local Setup on each server in the following list.
Important: Server changes made in Topology Builder must replicate to the servers in your topology. Please confirm that replication has been successful before proceeding setup.
Server FQDN: sfbfe01.recore.lab, Pool FQDN: sfbpool.recore.lab
Server FQDN: sfbfe02.recore.lab, Pool FQDN: sfbpool.recore.lab
Server FQDN: sfbfe03.recore.lab, Pool FQDN: sfbpool.recore.lab
Server FQDN: sfbfe01bck.recore.lab, Pool FQDN: sfbpoolbck.recore.lab
Server FQDN: sfbfe02bck.recore.lab, Pool FQDN: sfbpoolbck.recore.lab
Server FQDN: sfbfe03bck.recore.lab, Pool FQDN: sfbpoolbck.recore.lab

The databases listed are not part of an AlwaysOn Availability Group. You can use the New Availability Group Wizard in the SQL Server Management Studio to create an Availability Group. You should make sure that the databases are installed before running the ‘New Availability Group Wizard’.
SQL Server instance: sqlpoolbck.recore.lab\sfbbebck, Stores: CentralMgmt

Run the Invoke-CsBackupServiceSync cmdlet to ensure conferencing data is replicated.
Invoke-CsBackupServiceSync -PoolFqdn sfbpool.recore.lab
Invoke-CsBackupServiceSync -PoolFqdn sfbpoolbck.recore.lab

On all SfB Front End servers that are part of both pools we need to run SfB Deployment Wizard Step 2:

After Step 2, the Backup Service will be installed on the Front End Servers that belong to the Primary Pool:

And in the Front End Servers that are part of Backup Pool will have Backup, FTA and Master Replica Services:

Start the stopped services, invoke the backup sync and verify that it was successful:

Invoke-CsBackupServiceSync -PoolFqdn sfbpool.recore.lab
Invoke-CsBackupServiceSync -PoolFqdn sfbpoolbck.recore.lab

Get-CsBackupServiceStatus -PoolFqdn sfbpool.recore.lab | fl
Get-CsBackupServiceStatus -PoolFqdn sfbpoolbck.recore.lab | fl

SfB Server: Moving Central Management to a pool with SQL Server AlwaysOn BackEnd

In a previous post, we described how to configure AlwaysOn Availability Groups for Skype for Business Server 2015:

Deploying SQL Server AlwaysOn Availability Group for Skype for Business Server 2015

That same post covers a green field deployment, but in this one we are going to work on a scenario where the xds and lis aren’t initially added to the AlwaysOn Availability Group.

Step 1  Install the Database on one of the SQL nodes

First, we need to check the active node in the AlwaysOn Availability Group, as we should use the SQL node FQDN instead of the SQL pool FQDN. If we try to use the SQL pool FQDN, we get this error:

“Install-CsDatabase : An error occurred while creating or updating the database for feature CentralMgmtStore. (…)”

As we can see, the Install-CsDatabase cmdlet is trying to use the \\sqlpool.borderlands.lab\C$. However, since this is the listener FQDN, it doesn’t connect to the SQL node file share and the cmdlet fails.

To check the active node we can use the SQL Server Management Studio. Connect to one of the SQL nodes and then expand AlwaysOn High Availability > Availability Groups > Group Name > Availability Replicas:

In this case, the SQL01 is the primary. Now we go back to the Skype for Business Server PowerShell and we can install the Central Management Database:

Install-CsDatabase -CentralManagementDatabase -SqlServerFqdn sql01.borderlands.lab -SqlInstanceName S4B_BE

Step 2  Add the CMS databases to the AlwaysOn Availability Group

Before adding the database to the AlwaysOn Availability Group, we need to change the database recovery to full and also perform a full backup. This can be achieved by running the following PowerShell cmdlets on the SQL01 PowerShell:

Invoke-Sqlcmd -Query “ALTER DATABASE [xds] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BE”
Invoke-Sqlcmd -Query “ALTER DATABASE [lis] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BE”

Backup-SqlDatabase -ServerInstance SQL01\S4B_BE -Database xds
Backup-SqlDatabase -ServerInstance SQL01\S4B_BE -Database lis

We should also copy the directory structure to the second SQL node:

robocopy C:\CsData \\SQL02\C$\CsData /e /xf *

Now everything is ready to add xds and lis to the existing AlwaysOn Availability Group. To do this we need to right click on the Availability Group and select Add Database…:

In the first step, we click Next:

We select the two databases (xds and lis):

We will need a temp file share for the initial sync:

Then we need to connect to the other SQL node:

If successful connected, the Connected As should change to the user that we use:

And then the Wizard will perform a validation check:

In the Summary, we click Finish:

Now the Wizard will execute the tasks to add the databases to the Availability Group:

After the Wizard finishes, the databases are shown as part of the Availability Group:

Step 3  Move the Central Management Store

This will be the normal procedure to move the CMS. Before moving, it’s recommended to perform a backup:



Next, in one of the Skype for Business Server pool Front End run:


If the move is successful, we need to run Deployment Wizard > Step 2 on the remaining pool front ends and then start the newly added services: Master Replicator Agent and File Transfer Agent.

Finally, we should also run Deployment Wizard > Step 2 on the servers that previously had the Central Management role.


Lync/SfB: How to configure Internal Web Services Override FQDN

A common question while planning/deploying Lync Server and Skype for Business Server is:

When do we need to configure Internal Web Services Override FQDN?

The answer to this is quite simple — we only need it if we have to split SIP traffic from HTTP/HTTPS.

We know that this answer will raise more questions, so first we should start with a little story. The Internal Web Services Override FQDN settings was introduced in Lync Server 2010. This was also the first version to support DNS Load Balancing in an Enterprise Pool.

If we just use Lync/SfB Clients, they are aware of DNS Load Balancing. But what about a web browser? A web browser will try only the first IP Address returned by the DNS and, if this server is down, we will get a “This page can’t be displayed”. Supposing we configure Round Robin in the DNS Server, we will eventually have a different IP Address as the first result.

The Internal Web Services Override FQDN setting only makes sense in an Enterprise Pool. In addition, we can configure it in Topology Builder > Pool Properties:


However, in a Standard Pool this option is disabled:


In order to configure the Internal Web Services Override FQDN in a Enterprise Pool we need to follow a few steps. As some of them can cause service disruption, we should plan these changes accordantly:

Step 1 – Enable override

In the Topology Builder, we select the Enterprise Pool that we want to change and enable:


Note: This FQDN must be unique, we cannot use an existing pool FQDN or web services external FQDN.

We publish the new Topology and wait for all servers to receive the new change:


Next Steps


Get-CsManagementStoreReplicationStatus |ft


Step 2 – Configure the Front End Servers

On each Front End that belongs to the pool we configured, we need to re-run Deployment Wizard Step 2:


Request and assign certificates so as to include the new FQDN in the  SAN certificate of Front End:


After restarting the Services, the Front Ends will be ready.

Step 3 – Configure Load Balancer

For this we need to follow the vendor guidelines. A complete list of supported Load Balancers is available here:

Load balancer partner qualification requirements for Lync Server

Skype for Business Server – Load Balancers

Note: A common misconfiguration is to use port 443 to check if the server is able to handle requests, even though we should always use port 5061 to know if the server is working. Each Front End will only listen on port 5061 if the Front End Service is up and running.

Step 4 – Change the DNS Records

The final step is to make sure that the clients will use the newly configured Load Balancer. In order to achieve this, we need to create/modify the DNS Records as the examples in the following table:

FQDN Type IP/Destination
lyncwebint.gears.lab A Load Balancer IP Address assigned to the virtual service
lyncdiscoverinternal.gears.lab CNAME lyncwebint.gears.lab
meet.gears.lab CNAME lyncwebint.gears.lab
dialin.gears.lab CNAME lyncwebint.gears.lab
lyncadmin.gears.lab CNAME lyncwebint.gears.lab


We now have the HTTP/HTTPS configured to use the Load Balancer and the pool using DNS Load Balancing.

As a final note, we want to point out that in a full “balanced” pool the IP Address will be the Load Balancer. In this way, we don’t need to have a FQDN for SIP and another for HTTP/HTTPS.

Request/Renewing Skype for Business Server 2015 Certificates

Here are the steps to request or renew certificates in Skype for Business Server 2015.

Most of the steps are similar to Lync Server 2010/2013, so to start let’s go to the well-known Deployment Wizard Step 3 and click Run or Run Again (depending on if you are requesting for the first time or renewing the certificates).


Now, in Certificate Wizard, we select the proper certificate and then click Request:


The Certificate Request wizard will open and we can notice that this user interface changed from Lync Server 2010/2013. Now we have all the basic information to request a certificate consolidated in a single window:


Note: In the Edge Server, the certificate request is the same as in Lync Server 2010/2013, therefore we don’t have the new consolidated view.

We can use the Advanced mode (also known as old Lync Server 2013 mode), in case we need to specify one of the following settings:

  • Create an Offline Request


  • Specify another CA


  • Specify different CA credentials


  • Use a different Certificate Template


  • Change key bit length and/or Mark the certificate private key as exportable


  • Add additional SAN names


After that, we will return to the initial Certificate Request screen. Don’t forget to select the SIP Domains served by this server:


In the next screen, check if all the details are correct:


If the certificate request is successful, we get Task status: Completed:


Continuing with our request, select the Assign this certificate to Skype for Business Server certificate usages option:


Note: Before requesting a new certificate, we need to make sure that the Root CA certificate is installed in the Trusted Root Certification Authorities under the Local Computer Certificate Store:


The Certificate Assignment wizard will be launched, and we can view the details or continue:


Before assigning the certificate, we need to verify the details:


Task status: Completed confirms that the certificate was correctly assigned:


We have just assigned the new certificate, so all we need now is to restart the services on the Front End. In case we have a Front End Enterprise Pool, keep in mind that we need to check if there are enough Front End servers running before restarting the services. In order to do this, simply use the Get-CsUpdatePoolReadiness.

Finally, if there are enough Front End servers to keep the pool running, we can proceed and restart the services:


Deploying SQL Server AlwaysOn Availability Group for Skype for Business Server 2015

In Lync Server 2013, there were requests regarding an alternative to SQL Mirroring for SQL Server High Availability. This was related to the fact that SQL Mirroring was marked as a feature to be removed in future SQL Server versions:

This feature will be removed in a future version of Microsoft SQL Server. Avoid using this feature in new development work, and plan to modify applications that currently use this feature. Use AlwaysOn Availability Groups instead.
in SQL Server 2014 – Database Mirroring (SQL Server) – https://msdn.microsoft.com/en-us/library/ms189852.aspx

In Lync Server 2013, it was common to have SQL Server High Availability using SQL Mirroring. The reason for this was that Topology Builder did all the hard work for us. Another supported scenario was to use SQL failover clustering, but in this case we need to manually deploy it:

Database software support in Lync Server 2013

The good news is Skype for Business Server 2015 comes with AlwaysOn Availability Groups:

Note: AlwaysOn Availability Groups requires SQL Server 2012/2014 Enterprise Edition.

For other supported scenarios, check the following:

Back End Server high availability in Skype for Business Server

To deploy AlwaysOn Availability Groups for Skype for Business Server 2015, we need to follow specific steps. In this tutorial, we consider a lab environment with one Front End server and two SQL Server 2014 Enterprise Edition servers, which is a new environment without any previous Lync Server/OCS deployments.

Let’s start by installing and configuring the clustering service on both SQL Servers (SQL01 and SQL02). We can add new features by using the following PowerShell cmdlet:

Add-WindowsFeature Net-Framework-Core, Failover-Clustering, RSAT-Clustering-Mgmt,RSAT-Clustering-PowerShell -Source d:\sources\sxs
Note: The reason to use the source switch is that Windows Server 2012 R2 doesn’t install the source files. So, if your server doesn’t have internet access, you need to specify the path. In this case, the DVD is D:

Now that we have both servers with the necessary Windows Features, we can create the cluster. Before creating the cluster, we should test the configuration:

Test-Cluster -Node sql01,sql02

In a lab environment, these warnings can be ignored, but in a production environment we need to check them before continue.
The Test-Cluster cmdlet will generate a Failover Cluster Validation Report:

After the test, we can create the cluster. For that, we can also use a PowerShell cmdlet. Since we don’t have DHCP in our lab subnet, we need a valid IP Address in the SQL Servers subnet:

New-Cluster -Name sqlcluster -Node sql01,sql02 -NoStorage -StaticAddress

The New-Cluster will generate a Create Cluster report:

Before installing SQL Server we also need to configure the Cluster Quorum, we can use a File Share Witness:

Set-ClusterQuorum -Cluster sqlcluster -NodeAndFileShareMajority “\\dc01.gears.lab\SQLClusterWitness”

Note: For additional information please go to Configure and Manage the Quorum in a Windows Server 2012 Failover Cluster

Now that we have the cluster with basic configuration, we can proceed and install SQL Server 2014 on both servers:

In Instance Features select at least Database Engine Services:

We can use Default instance for both servers:

Or change it to a different name. If you change it to a Named Instance, make sure both servers use the same instance name:

In Service Accounts, change the Account Name to a custom service account and use it on both SQL Servers:

After completing the installation, we need to enable AlwaysOn Availability Groups. On each server, we need to open SQL Server Configuration Manager, then right click on SQL Server Service and open Properties:

Select the AlwaysOn High Availability tab and tick Enable AlwaysOn Availability Groups:

For the changes to be applied, we need to restart SQL Server Service:


Select SQL Server Service, then click on the Restart service icon:

An additional step is to create a DNS A record for sqlpool.halo.lab. This is our Availability Group Listener FQDN:

In the Skype for Business Server 2015 Topology Builder, we add a new SQL Server Store with the following configuration:

Notice that we use the SQL01 server FQDN. This is normal and we will change it later on.

Now we publish the topology:

In SQL Server Management Studio, we can check that the Skype for Business Server 2015 related databases were successfully created in SQL01:

To create a new Availability Group, right click AlwaysOn High Availability and open New Availability Group Wizard…:

Fill the Availability Group name:

The wizard will check for prerequisites and will let us know that, before we proceed, the database recovery needs to be changed to full and also perform a full backup:

To make things easier, we can use the following PowerShell SQL cmdlets:

Back End databases:

Invoke-Sqlcmd -Query “ALTER DATABASE [cpsdyn] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [rgsconfig] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [rgsdyn] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [rtcab] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [rtcshared] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [rtcxds] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”

Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database cpsdyn
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database rgsconfig
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database rgsdyn
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database rtcab
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database rtcshared
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database rtcxds

CMS Databases:

Invoke-Sqlcmd -Query “ALTER DATABASE [xds] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [lis] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”

Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database xds
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database lis

Monitoring Databases:

Invoke-Sqlcmd -Query “ALTER DATABASE [LcsCDR] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”
Invoke-Sqlcmd -Query “ALTER DATABASE [QoEMetrics] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”

Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database LcsCDR
Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database QoEMetrics

Archiving Database:

Invoke-Sqlcmd -Query “ALTER DATABASE [LcsLog] SET RECOVERY FULL WITH NO_WAIT;” -ServerInstance “SQL01\S4B_BackEnd”

Backup-SqlDatabase -ServerInstance SQL01\S4B_BackEnd -Database LcsLog

Another requirement is that we copy the directory structure to the second SQL server:

robocopy C:\CsData \\SQL02\C$\CsData /e /xf *

Go back to the wizard, click Refresh and select the databases:

On the next step, click Add Replica…:

Change the server name and connect to the second SQL Server:

Select both SQL Instances in the Replicas tab:

We also need to create a listener, thus select the Listener tab and then select Create an availability group listener:

Note: As mentioned before, we don’t have DHCP on this Lab subnet, so we use a static address (different from the cluster).

Click Next and specify a temporary file share:

The wizard will run additional availability group validation checks:

And if everything goes okay, we get the following messages:

In AlwaysOn High Availability, we can check if the selected databases were included in the group:

Almost done. If we compare Security Logins for both servers, we can notice that some logins are missing from SQL02:

To add all the necessary permissions, we need to change the Primary Replica to the second SQL Server, right click on Availability Group and select Failover:

In the wizard, click Next:

We need to connect to the server:

If Failover is successful, we get this:

We can see that the Primary Replica is now the second SQL Server:

Time to go back to Topology Builder, select SQL Server Store and Edit Properties… :

Change the SQL Server FQDN to the second SQL Server:

Publish the topology.

In the Skype for Business Server 2015 server, open the PowerShell and run:

Install-CsDatabase -Update -ConfiguredDatabases -SqlServerFqdn sqlpool.halo.lab -Verbose

After completion, the necessary logins are also added to the second SQL server:

Finally, let’s change SQL Server Store in Topology Builder to the final value:

After publishing the topology, we now have Skype for Business Server 2015 with an AlwaysOn Availability Group configured.

Additional resource:

Chris Lehr experienced a few errors during the deployment and published the notes on his blog:

Chris and Robin’s Technology blog – SQL 2014 AlwaysOn Deployment for Skype for Business Server 2015 http://blog.chrislehr.com/2015/06/sql-2014-alwayson-deployment-for-skype.html

Deploying Kemp Technologies Free LoadMaster as Load Balancer and Reverse Proxy

Update 2017/06/07 – Updated the screenshots with the new Kemp LoadMaster UI.

In a recent Lync deployment, we were installing a new Kemp Technologies LoadMaster and a new license type was shown:

This is great news since we can use it for test/lab environments without having the previous 30 days limitation. Also, in the End User Licence Agreement terms, the 18-i) states that we can deploy it in a production environment if we don’t get direct revenue from it:

18. ONLY APPLICABLE TO FREE LOADMASTER – The Free LoadMaster is a derivative of the LoadMaster product line with unique end user requirements.

i) The Free LoadMaster may be deployed in a production environment exclusively under the condition that no direct revenue is derived from its use.

ii) The Free LoadMaster will only continue to operate when able to Call Home to an internet-located KEMP server to provide non-personally identifiable data about the appliance configuration including usage statistics, enabled features and general configuration. KEMP expressly disclaims any liability for non-performance in the event that Call Home communication is disrupted. For more information on Call Home visit http://www.kemptechnologies.com/callhome

Although it’s free, there’s no such thing as a free lunch, and in this case to get a full core feature LoadMaster we must agree and enable the CallHome feature.

The CallHome requires internet access and it will send statistics and config information back to Kemp Technologies. In spite of that, it won’t send any personal or network traffic information.

Here is a summarized list of the limitations that we consider relevant:

  1. No Commercial use – It makes sense; if we want to use it for commercial purposes it’s only fair to buy a license;
  2. CallHome – A really “small price” for the features we get in return;
  3. 20Mbps throughput – It’s a good limit; if we need more we can upgrade it, for instance, to a Virtual LoadMaster VLM-200. This one allows up to 200 Mbps throughput;
  4. No in-place Upgrade – We can export the configuration and import it in an updated version;
  5. No High Availability – Lync deployments without any HA requirements; this would be more than enough.

For a complete list, please check the following links:

Free LoadMaster – About

Free LoadMaster – Key Load Balancer Features and Frequently Asked Questions

It’s also good to know that LoadMaster is qualified for Lync Server 2013:

October 13th, 2014 – KEMP LoadMaster Is Now Fully Validated for Microsoft Lync 2013

Infrastructure qualified for Microsoft Lync – Load Balancers

So let’s configure LoadMaster.

Step 1 – Download and Install

To download it, we need to create a Kemp ID (or use an existing one).

Download the Free LoadMaster

Then select the hypervisor, read the End User Licence Agreement terms and check the box if we agree with the terms:

After downloading, import the Virtual Machine. Alternatively, we can configure a new one (2x Virtual processors and 2GB RAM) and attach the VHD:


Note: The first network adapter will be the eth0 for LoadMaster. If we use a dual homed, this will be the interface with the default gateway.

Step 2 – LoadMaster Basic Configuration

When the LoadMaster boots, we will get the following screen:


The default login is:

Username: bal
Password: 1fourall

We need to configure eth0 IP address – in our Lab it’s


Then, the default gateway configuration:


Finally, the DNS server. Please use a valid DNS, since the CallHome feature will require DNS:


Now we can use the web interface to continue with the deployment. Simply click Yes:


Step 3 – Free LoadMaster Activation

Open the web browser and access (replace this with the IP address that was configured on LoadMaster eth0 network interface).

In the first page, we will need to sign in with the KEMP ID:

Now we select Free LoadMaster:

We also need to allow the Call Home:

And after a successful activation:

Now we need to change the password:


The next steps are also described in the Deployment Guides provided by Kemp Technologies:

Microsoft Lync 2010 – Deployment Guide

Microsoft Lync 2013 – Deployment Guide

Microsoft Skype For Business – Deployment Guide

Step 4 – Configuring the remaining settings

Internal Network eth1

To configure eth1, we need to access System Configuration > Interfaces > eth1:


In our Lab, the IP address is After that, click Set Address:

Now we need to connect to the internal IP and then go to System Configuration > Miscellaneous Options > Network Options:

There are some differences in the deployment guide, but the following settings are valid for most of the environments:

Subnet Originating Requests is really important when using dual homed configuration and the subnets aren’t routable between each other.
Additionally, we could enable Enable Non-Local Real Servers option. This will allow to add Real Servers that don’t belong to any of the subnets present in the LoadMaster network interfaces.

We also need to change the L7 Configuration (System Configuration > Miscellaneous Options > L7 Configuration):

Step 5 – Adding Lync 2013 Template

Kemp Technology also provides a complete set of templates. In this particular case, we are going to use the Lync/SfB Server Template because it will simplify the deployment. We can download the template here:

LoadMaster Load Balancer Documentation

To import a template, select Virtual Services > Manage Templates:

Then, select the downloaded file from Kemp Technologies website and use the Add New Template button:

In this example, even though 12 templates were loaded for Reverse Proxy and HTTP/HTTPS Load Balancer, we will need only Lync/SfB Reverse Proxy and Lync/SfB Internal DNS:

Step 6 – Adding the Virtual Services

To add a Virtual Service, go to Virtual Services > Add New:

For the Reverse Proxy, we will use the external IP address and select the Lync/SfB Reverse Proxy template:

And for the internal load balancing, and this time Lync/SfB Internal DNS template:

After adding both Lync/SfB Templates, we will have 4 Virtual Services:

The first two services are related to the Reverse Proxy and the other two to the internal Load Balancing.

Step 7 – Configuring Virtual Services

#1 Reverse Proxy HTTP

Modify the first Virtual Service and then expand the Real Servers:

The port 5061 is used for checking if the Real Servers are running, because if the Lync/SfB Front End Service is down, it doesn’t make sense to forward any request to it.

Click Add New… and then add the Front End servers, changing the port to 8080:

After adding all servers, they will be listed in the Virtual Service settings:

#2 Reverse Proxy HTTPS

Select the second Virtual Service, add new Real Servers and don’t forget to change the port to 4443:

#3 Internal LB HTTP

In the third Virtual Service make sure that 8080 is configured as additional port:

Now, as before, add the Real Servers but with the port 80, used for the internal load balancing:

#4 Internal LB HTTPS

In this Virtual Service, the certificate will be on the Real Servers and not on the LoadMaster:

Please make sure that an additional port (4443) is configured:

Add the Real Servers and use the port 443:

Step 8 – Adding Certificates

In order to manage certificates, we need to access Certificates & Security > SSL Certificates:

Then click Import Certificate:

Select the proper certificate, type the password and friendly name (without spaces or special characters):

After adding the certificate, select the Virtual Service and assign it with the >:

To submit, use the Save Changes and the certificate will be assigned:

Also, we need to make sure to install all Intermediate CA certificates – otherwise we will get this message:ge:


To install an Intermediate CA certificate, go to Certificates > Intermediate Certs:

Select the Intermediate CA certificate file and a friendly name:

All certificates will be listed:

Now the certificate chain will be displayed correctly:


Final notes

After all these steps, we should get this in the Virtual Service:

Using LoadMaster – or other Load Balancer as Reverse Proxy – is a good TMG/ARR alternative, especially because we need less resources to achieve the same. The LoadMaster disk, for instance, is configured to 16GB max.

In this case, we use the same LoadMaster for Reverse Proxy and the internal load balancing. However, since Kemp Technologies doesn’t limit the number of Free LoadMaster that we can activate, we can use 2 LoadMaster and split the roles.

Adding new SIP Domain to OCS 2007 R2

Here is a step by step tutorial how to add a new SIP Domain to OCS and then migrate all users to the new domain.
One thing that we don’t need to worry about is the Users Contact Lists,  since OCS stores contacts as Unique ID, rather as SIP Address. This allow us to change user SIP Address without messing up users Contact Lists.
Here are the steps necessary to add a new domain and “move” users:

Step 1 – Adding the New SIP Domain to our Organization

The first thing to do is add a new domain – this is achieved by using OCS 2007 R2 Management Console.
Right click on Forest, Properties -> Global Properties:


In the General tab, select Add… and write the new domain, then click OK.


Now we can notice that the new domain is shown there. If we want we can select the new domain as default. The ticked check box represents the default SIP Domain.


If we have a Edge Server, and want the new domain to be able to communicate using it, then we must configure it first. If not, you can skip the following steps and go to Renewing Certificates:


In Properties, select the Internal tab and add the new sip domain with the Add Domain… option:


After adding the domain and applying, refresh and go to Internal Interface Settings and check if the new sip domain is being shown there:


Step 2 – Renewing Certificates with Certificate Wizard

Front End Server

We need to renew certificates on all Front End Servers to additionally include FQDN sip.<new SIP Domain>.
In the OCS 2007 R2 Management console explore the tree and select one Front End server:


Then launch the Certificate Wizard — we can find this option on the right pane:


Or right click on the Front End and choose Certificates:


Select Create a new Certificate, then Send the request immediately to an online certification authority.
On the Name and Security Settings screen, change the Bit length to 2048 and then click Next. Make sure that the new SIP is included in Subject Alternate Name.


If all the requests were successful, we can assign the certificate immediately. Remember that the certificate will only be used by OCS server after restarting the services.


The OCS Certificate Wizard will not change the certificate associated with the OCS Web Services. To change this open IIS Management console  and then select Default Web Site -> Properties -> Directory Security:

Note: The following print screens were taken in IIS 6,0.


Select Server Certificate… to replace the certificate.


We don’t need to restart IIS for the new certificate to be assigned.

Edge Server

In the Edge Server we only need to update the Access Edge Public Interface certificate. First, open the Edge Computer Management (Administrative Tools -> Computer Management), then right click on Office Communications Server 2007 R2 and select Certificates:


In the wizard, change Bit Length to 2048 and confirm that the Subject Alternate Name includes the new sip domain.


Usually this will be an offline request, so save to a file, issue in the proper CA, import it on the OCS Edge and then assign it to the Access Edge Server Public Interface. You can use the Certificate Wizard All the previous steps. If we use the same certificate on all Public Interfaces, then assign the new certificate to all of them.

After assigning the certificate, restart OCS Edge Services.

Step 3 – Creating DNS Records

To ensure that users can log in with automatic discover, we add the following records:

DNS FQDN Type Port IP/Destination
Internal sip.<new SIP Domain> A N/A OCS Pool IP
(Enterprise Edition)
OCS Front End IP
(Standard Edition)
Internal _sipinternaltls._tcp.<new SIP Domain> SRV 5061  sip.<new SIP Domain>
External* sip.<new SIP Domain> A N/A OCS Access Edge Interface Public IP
External* _sip._tls.<new SIP Domain> SRV 443 sip.<new SIP Domain>
External** _sipfederationtls._tcp.<new SIP Domain> SRV 5061 sip.<new SIP Domain>

*Only needed if we want to enable external access to the new domain.
**Only needed if we want to enable federation access to the new domain.

Step 4 – Changing Users SIP Address

We can change users SIP Address with the following cmdlet in any Front End with PowerShell installed:

get-wmiobject -class msft_sipesusersetting |  where {$_.UserDN -like “*<OU>” -and $_.Enabled -eq $true}  | Foreach-object { $_.PrimaryURI = $_.PrimaryURI.Replace(“<Old SIP Domain>“, “<New SIP Domain>“); $_.put() | out-null }

Replace <Old SIP Domain>, <New SIP Domain> with the right values, and <OU> if you want to specify a OU. It’s highly recommended to test in a small group of users before changing all users.
To change all users that are enabled to OCS, run this:

get-wmiobject -class msft_sipesusersetting |  where {$_.Enabled -eq $true}  | Foreach-object { $_.PrimaryURI = $_.PrimaryURI.Replace(“<Old SIP Domain>“, “<New SIP Domain>“); $_.put() | out-null }

Step 5 – Changing primary SMTP Email Address (Optional)

If we need to ensure that Outlook and Communicator integration isn’t affected, we need to change all users’ primary SMTP Email Address to be the same as the new sip address.

Step 6 – Rebuild the Address Book

After all the changes performed in the previous steps, we need to rebuild the Address Book. To do this in OCS, we need to execute ABServer, which is located in “C:Program FilesMicrosoft Office Communications Server 2007 R2ServerCore”, with the following parameters:

ABServer.exe -RegenUR
ABServer.exe -SyncNow

Step 7 – Refresh Sign-in Address (Optional)

This step will prevent users from having to manually change Sign-in Address on Communicator (MOC).

After changing the user SIP Address, we can force Communicator Client to update Sign-in Address, by creating a Logon Script with the following command:

reg delete HKCUSoftwareMicrosoftSharedUcclient /f

Final notes

Changing SIP domains isn’t an easy decision, so think first if you really need to change the domain.

If we change it, we will make an impact on partner federation and PIC federation. As previously stated, the corporate user Contact List will not be affected by this change. Nonetheless, our federated partners will need to manually add the contacts to their contacts list, since they are stored in their contact list with sip address.

Partners with closed federation will need to configure their Edges Servers to allow the new domain.

Regarding PIC federation, we need to submit a new request by adding the new sip domain to our existing PIC Provisioning: