Sunday, February 27, 2011

MVP Global Summit 2011


Today, I'm leaving for the Microsoft MVP Global Summit 2011 at the Microsoft campus in Redmond, WA.

This is one of the benefits of being an MVP and is held every year about this time.  This will be my first time attending the Summit, and I'm really looking forward to it.  Last year I was on vacation in Hawaii during the Summit, so I don't think I made out too bad.  MVPs from around the world will be flying in to meet with fellow MVPs, Microsoft product teams, and Steve Balmer and other Microsoft executives.

Most (all?) of the sessions that occur during the three day Summit are NDA, so I won't be able to talk, write, or tweet much (any?) about the information shared with us at the Summit.  I do expect to hear a lot about Microsoft's cloud vision and direction.

Let me know if you're attending and maybe we can meet up for drinks.

Thursday, February 24, 2011

Script to Force Download of the Lync 2010 Address Book

I wrote a script (batch file, really) that users can run to force a download of the Lync address book. 

The Lync address book is generated automatically on the Lync server every 24 hours at 1:30AM, local server time.  You can use the Update-CsAddressBook cmdlet on the Lync server to force the server to update the address book.  You will need to wait 5 minutes for the server to run the update.  Look for Lync Server event 21056 from LS Address Book Server to confirm that the address book update has completed, as shown below:


The address book is then downloaded locally by the Lync client in a randomized schedule from 1 to 60 minutes after the the user signs in.  Lync Server MVP Jeff Schertz wrote about this process in great detail in his post, Updating the Lync 2010 Address Book.

My script sets a GALDownloadInitialDelay key in the registry to force the Lync client to download the address book immediately after signing in.  It then enumerates all the SIP_* folders in the C:\Users\username\AppData\Local\Microsoft\Communicator folder and deletes the GalContacts.db and GalContacts.db.idx files which make up the Lync address book.
@echo off
echo Clearing Lync Address Books...
reg add HKCU\Software\Policies\Microsoft\Communicator /v GALDownloadInitialDelay /t REG_DWORD /d 0 /f
If %errorlevel%==1 goto Error
if "%LOCALAPPDATA%"=="" Set LOCALAPPDATA=%USERPROFILE%\Local Settings\Application Data
dir "%LOCALAPPDATA%\Microsoft\Communicator\sip_*" /b > list.txt
FOR /F "tokens=1" %%i in (list.txt) do del "%LOCALAPPDATA%\Microsoft\Communicator\%%i\gal*.*"
echo.
echo Sign out of Lync and sign back in to download the current address book.
goto End
:Error
echo You must run this command from an elevated Command Prompt.
echo.
:End
Save the script above as ClearLyncAddressBook.bat and run it from an elevated Command Prompt.  Then sign out and back into Lync and the address book will download immediately.


Tuesday, February 22, 2011

New Server Virtualization in Microsoft Lync Server 2010 Whitepaper

Microsoft has released a new whitepaper on Server Virtualization in Microsoft Lync Server 2010.  This document outlines a series of best practice recommendations for running Lync Server 2010 in a virtualized environment.

The document replaces the first virtualization support whitepaper with new sizing guidelines, as shown above.  Virtualization of Lync Server 2010 reduces the number of supported users by roughly half, primarily due to the fact that Hyper-V supports a maximum of 4 cores (half the number of recommended cores in a physical enviroment).

Thursday, February 17, 2011

The Lync Server 2010, Best Practices Analyzer


In the tradition of the Exchange Best Practices Analyzer tool, Microsoft has released the Microsoft Office Communications Server 2007 (and Lync) Best Practices Analyzer.

You can use Microsoft Lync Server 2010, Best Practices Analyzer to identify and resolve problems with your Lync Server deployment. The Lync Server 2010, Best Practices Analyzer gathers configuration information from Lync Server 2010 components.

With the proper network access, the Best Practices Analyzer can examine servers running Active Directory Domain Services, Exchange Server Unified Messaging (UM), and Lync Server. You can use Best Practices Analyzer to do the following:
  • Proactively perform checks, verifying that the configuration is set according to recommended best practices.
  • Automatically detect required updates to Lync Server 2010.
  • Generate a list of issues, such as suboptimal configuration settings, unsupported options, missing updates, or practices that we do not recommend.
  • Help you troubleshoot and fix specific problems.

Best Practices Analyzer provides the following features:
  • Minimal installation prerequisites.
  • Online documentation about reported issues, including troubleshooting tips.
  • Configuration information that you can save for later review.
  • State-of-the-art system analysis.
Download the Lync Server 2010 Best Practices Analyzer.

Wednesday, February 16, 2011

Installing Lync 2010 Without Domain Admin Rights

I recently installed Lync Server 2010 at a customer where I did not have Domain Admin rights.  This presents a challenge, since setting up Lync Server requires various updates to Active Directory.  The online documentation isn't very clear on on this, so that's the purpose of this article.

Before you get started installing Lync, you will need to update the schema and prepare both the forest and the domains.  The schema updates require Schema Admin rights, and the forest and domain preps require Enterprise Admin rights or Domain Admin rights in each domain.

In order to hand over the Lync Server installation to a non-Domain Admin, you will need to do a few more things.  First, add the Lync setup administrator account to the CS Administrator and RTCUniversalServerAdmins groups in AD.  These groups were created in the domainprep steps performed earlier.

Next, you will need to grant setup permissions to allow the Lync setup administrator to update AD as needed by the Lync Server Topology Builder tool.  This is done using the Grant-CsSetupPermission cmdlet.
  1. Logon to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsSetupPermission -ComputerOU <DN of the OU where the Lync server exists>
For example:
Grant-CsSetupPermission -ComputerOU “OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local”
If this step is not run, it will fail to enable the topology in the Topology Builder and you will see the following error:
  • Error: An error occurred: “System.UnauthorizedAccessException” “Access is denied. (Exception from HRESULT: 0×80070005 (E_ACCESSDENIED))”
Finally, grant permissions to allow the Lync setup administrator to update objects in the Lync servers OU with necessary group memberships.  This is done using the Grant-CsOUPermission cmdlet.
  1. Logon to the server where Lync is going to be installed as a member of the Domain Admins group.
  2. Open the Lync Server Management Shell as an administrator and run the following cmdlet:
Grant-CsOUPermission -OU <DN of the OU where the Lync server exists> -ObjectType "user"
For example:
Grant-CsOUPermission -OU “OU=Lync Servers,OU=Servers,DC=US,DC=companyabc,DC=local” -ObjectType "user"
If this step is not run, you will see the following errors when publishing the Lync topology with Topology Builder:
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCHSUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCUniversalConfigReplicator".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
  • Error: An error occurred when add "lyncpool" to "RTCComponentUniversalServices".
You can now turn the setup over to the Lync setup administrator to complete the installation.

For a thorough explanation of what permissions the Enable-CsSetupPermission and Enable-CsOUPermission cmdlets grant, see the article Grant-CsSetupPermission and Grant-CsOuPermission by Jens Trier Rasmussen (Microsoft).

Wednesday, February 9, 2011

Windows Server 2008 R2 and Windows 7 SP1 Releases to Manufacturing Today


The Microsoft Windows Server Team announced today that Service Pack 1 for Windows Server 2008 R2 and Windows 7 was released to manufacturing (RTM) today.  Along with numerous bug fixes and security improvements, SP1 offers two significant new features: Dynamic Memory and RemoteFX.

Dynamic Memory pools all the memory available on a physical host and then dynamically distributes available memory, as it is needed, to virtual machines running on that host.  With Dynamic Memory Balancing, virtual machines will be able to receive new memory allocations, based on changes in workload, without a service interruption.  This is particularly useful in VDI implementations.

Fellow MVP Mark Wilson describes Dynamic Memory very well:

"Microsoft’s dynamic memory is not the same as VMware’s – it’s all about over-subscription vs. over commitment. Whereas VMware will overcommit memory and then de-duplicate to reclaim what it needs, Microsoft takes the approach of only providing each VM with enough memory to start up, monitoring performance and adding memory as required, and taking it back when applications are closed."
RemoteFX lets you virtualize the Graphical Processing Unit (GPU) on the server side and deliver rich media and 3D user experiences for VDI clients.

Service Pack 1 for Windows Server 2008 R2 and Windows 7 will be available to current customers of the Windows Volume Licensing program, as well as MSDN and TechNet subscribers on February 16, 2011.  On February 22, both will be available to all customers through Windows Update and will also come preinstalled on new servers ordered.

Lync 2010 Visio Stencils


Creating visual representations of your Microsoft Lync Server 2010 topology is a helpful way to communicate your Lync Server 2010 deployment. Using standard Microsoft Visio stencils helps those in your organization to better understand how you architect your Microsoft Lync 2010 by experiencing your deployment visually. Together, Lync Server and Lync 2010 can be powerfully represented by standard and expressive Visio artwork.
Download them here and save them in your My Shapes folder.

Thursday, February 3, 2011

Deploying the Lync 2010 Client to different architectures

The Lync Server 2010 client is a single unified communications client that replaces both the Office Communicator and Live Meeting clients.  This single client performs all the functions of the previous clients, including instant messaging (IM), web conferencing, white boarding, desktop sharing, and enterprise voice.

There are two versions of the Lync 2010 client, one for x86 and one for x64 operating systems.  The difference is the bootloader and the prerequisite software included in the client installer (Microsoft Visual C++ 2008 Redistributable - x86 or x64 and SilverLight).  Somewhat surprisingly, the Lync client itself is always 32-bit.  If you try to deploy the x86 version of the client on an x64 computer (or vice versa), you will get an error message.


This can be somewhat problematic if you are trying to automatically deploy the Lync client using Group Policy or some other automated scripting mechanism to mixed-architecture computers in your environment.

Note: The Outlook Online Meeting add-on will match the 32- or 64-bit version of Office 2007/2010 installed, regardless of the Lync client architecture installed.

The rest of this article discusses how to run the correct architecture Lync client using a single batch file.  This batch file can be called using a computer startup script or a user logon script in Group Policy, or any other automated process.

First, create a network share called Lync Clients for the Lync 2010 client installer packages, with subfolders called x86 and x64.  Then copy the x86 and x64 Lync client installers into the proper folder, as shown below.

Lync Client Share
This sample batch file will run the correct Lync client installer for the computer's given architecture. 
If Exist C:\Windows\LyncInstalled.txt Goto END
Set ARCHITECTURE=x86
If Exist "%SystemDrive%\Program Files (x86)" Set ARCHITECTURE=x64
"
\\server\Lync Clients\%ARCHITECTURE%\LyncSetupVolume.exe"
Echo Time > C:\Windows\LyncInstalled.txt
:END
As mentioned earlier, you can then deploy this script via Group Policy or your favorite deployment mechanism.  Note that the Lync installer must be run as a user with rights to install software.  For this reason, it may be easier to install as a computer startup script.

Adding users to local security groups using Group Policy

You may find that you need to add users to one or more local groups, such as Power Users or Administrators, on their computer.  While you can do this fairly easily on a case by case basis, it's a lot more difficult to do in a large distributed environment.  This can be accomplished much easier using the Restricted Groups GPO setting in Group Policy.

The Restricted Group setting allows you to configure membership in groups within Active Directory or in the local security accounts manager (SAM) of domain-joined computers. 

In this example, we will add all domain users to the local computers' Power Users group for all computers in the domain.
  • Open the Group Policy Management Console
  • Edit the Default Domain Policy
  • Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Restricted Groups
  • Right-click Restricted Groups and select Add Group...
  • The trick to adding a local group is to just type in the group name.  Do not browse to find the Power Users group, because this will resolve to the domain's Power Users group.  Type Power Users, as shown below, and click OK.

  • Another window will pop-up to let you configure the properties of the Power Users Restricted Group.  For Members of this group, click Add.
  • Click the Browse button and browse for the group in Active Directory that you want to add to the local Power Users group.  In this example, use Domain Users and click OK, as shown below.

  • Close the GPO Editor and the Group Policy Management Console
Wait a sufficient amount of time to allow the GPO to replicate throughout all the domain controllers in the domain, then restart the computers where the policy applies.  This is required because the GPO affects the Computer Policy which applies when the computer starts up.

When the policy is processed, the computer will attempt to resolve the Power Users name that you typed to a local group first, then a domain group if no local match is found.

You can do the same process above for any other OU to scope the GPO to a specific set of computers.  If you want to add users to the local Administrators group, simply type that name instead of Power Users.