
Tanjay (LG-Nortel IP8540 or Polycom CX700) phone and other end user questions

These questions came from a school district in California replacing their entire legacy voicemail and PBX system with 2,000+ seats of OCS 2007 R2 voice. They are in pilot phase right now.

 

LG-Nortel IP8540 or Polycom CX700 (Tanjay) questions:

image           image

 

Can you dial 911 with a locked Tanjay phone? – Yes, you can dial any number; you just can’t see contacts on the LCD.

 

Do you have to log in every morning with password and AD account? – No, your AD credentials and password are cached and you can use the biometric reader to log in. You will only have to enter a new password when it expires or is changed. You can also use the USB option and, new with R2, the phone will unlock when you log in to the R2 Communicator client.

 

Can you control the Tanjay phone with the R2 Communicator softphone features (RCC)? – Yes, but only via the USB connection. You can click to call from Communicator or Outlook, answer toast pops on the PC and have the Tanjay pick up the call, add more parties to the call via the Communicator client, etc. You can also log in to the Communicator client to unlock the phone (no PIN or biometric needed).

image

Check the check box above inside of the Communicator client to have remote call control of the Tanjay.

 

Here is a summary of pairing the Tanjay with Communicator/Conferencing with OCS R2:

image

 

What version of Tanjay should we have to work with R2?

There is an updated Tanjay R2 version required to work properly: VERSION:  3.5.6907 (1.23)

 

Any other Tanjay fixes I should know about?

You need to make sure you are deploying the latest OCS R2 Communicator client, VERSION 6907.34 (updated June 2009). This update has some Tanjay fixes in it. Grab it here.

 

 

Can I ring more than one phone at once, such as my whole department?

Yes, with the Team Ring feature, new in R2. You can ring up to 10 phones at the same time when your phone is called.

To enable:

Click ‘Phone’ icon in Communicator, then ‘Call Forwarding settings’. Select ‘Ring me and my team-call group’. Add in the numbers on your team you want to ring.

 

image

 

How do you set up calls for my administrative assistant?

The Call Delegation feature in R2 is for delegating your calls to administrative assistants, receptionists, etc. They will require the use of R2 Communicator Attendant to manage your calls, contacts, transfers, etc.

To enable Call Delegation:

Click Phone icon in Communicator, then Call Forwarding settings. Select ‘Ring me and my delegates’ drop down. Specify the delegates to ring.

image

 

Happy 4th of July everyone!

Posted by markga | 0 Comments

Windows Live/MSN/Hotmail PIC licensing no longer needed for federation

Big licensing news effective today: if you have OCS 2007 R2 Standard CALs, or OCS 2007/LCS CALs with Software Assurance, and want to federate with MSN/Hotmail/Live, no additional PIC license is required. Yahoo and AOL federation still require a PIC license per OCS user who requires it, however.

 

This is a nice win for Education customers who have OCS on premises and want to federate with their students hosted on Live@Edu and Outlook Live.

image

 

Here is the official product team announcement:

 

Effective July 1, 2009:

· The Live Communications Server Public IM Connectivity (LCS PIC) license will be renamed Office Communications Server Public IM Connectivity (OCS PIC) license.

· Customers with Office Communications Server 2007 R2 Standard CAL or Office Communications Server 2007/Live Communications Server 2005 SP1 Standard CAL with Software Assurance will no longer require an additional license to federate with Windows Live.  (A license will still be required for federation with AOL & Yahoo!.)

· With Windows Live federation, customers will be able to add Windows Live contacts to their Office Communicator contact list, view presence and send and receive instant messages.

How do I actually provision this new PIC change? (updated post with this info July 3rd)

See this newly released OCS R2 PIC provisioning guide here to begin the process.

 

From what I have read here are the steps:

1.    Contact your account manager to request provisioning as it varies depending on your licensing.

2.    Your account manager provides you with the URL of the Web site to be used to initiate the process (the new Windows Live PIC federation provisioning web site is slated to be active on July 20th).

3.    On the Web site, provide the information required for provisioning.

 

Here is more general PIC info here.

Posted by markga | 2 Comments

High level Exchange 2010 architecture

Here are some questions I had from a college in Ohio wanting to plan for Exchange Server 2010:

 

What does the Exchange 2010 architecture look like?

image

The 5 Exchange 2010 roles are the same but there are some major changes in the way things work:

Outlook 2007+ MAPI clients now connect through CAS rather than directly to the Mailbox server. CAS also provides directory access for any Outlook needs.

image

Plan on scaling out CAS arrays with NLB or HWLB based on the core ratio below.

 

Hub transport now has a shadow redundancy feature and new dumpster changes.

image

With shadow redundancy, a shadow copy of each message sent is retained on the hub until the hub receives an ack of successful delivery. In the example above, if Edge1 fails after the message has left the hub, the hub never receives the discard ack and, after 3 retries (15 min), the hub transport resends the shadow copy of the message to Edge2. It can also work with some downstream MTAs (Exchange, SMTP, etc.), where the hub transport waits a specified interval for an ack and then resubmits.

 

The hub also has a new dumpster feature: the hub communicates with the mailbox server about replication and availability status. This communication determines whether or not to purge older messages from the dumpster; they are retained until all logs have been replicated and communication has been re-established.

 

What are the beta HW recommendations for ballpark HW estimation? (note: this is with beta and subject to change) :

Client Access Server (CAS)

CAS to Mailbox ratio = 3 : 4 processor cores

8 cores recommended, 2GB RAM per core

Hub Transport server

Hub to Mailbox ratio : 1 : 7 (no A/V on Hub) or 1 : 5 (with A/V Hub) processor cores

4 cores recommended, 1GB RAM per core

 

Mailbox

4-8 cores, 4GB RAM base + 2-8MB per mailbox based on mail profile

UM

4 cores, 4-8GB RAM total

Edge guidance expected to be very similar to Exchange Server 2007

2 to 4 cores

Global catalog to Mailbox ratio 1 : 4 (32-bit GC) or 1 : 8 (64-bit GC) processor cores

 

What storage do I need?

Since the IOPS per user is proposed to be reduced by another estimated 70%, this opens up several new storage options in Exchange Server 2010, where you can use cheaper SATA direct-attached storage or even JBOD SATA with DAG. See our storage post here.

Posted by markga | 0 Comments

Geneva, Exchange Online

What a way to start a blog. Geneva. It sounds important and it is. Geneva is the code name for our next-generation identity services. At PDC we announced our new identity platform and that Microsoft IT (MSIT) is rolling it out corporate-wide. Geneva will support 59 identity applications in the cloud with 29 different business partners.

Geneva went into public beta last month. This is the platform we are moving our hosted services to. Today, connectivity to Exchange Online is accomplished with an SSO client that is available for Windows and Mac; it needs to be installed and configured on each client. The reason for this is that Exchange Online uses a separate identity system from our customers', so you need to authenticate to it via the SSO client. I believe this was a great start to introduce Exchange Online but one that will be short-lived. Geneva is next.

Geneva is made up of a Geneva Server, Geneva Cardspace client, and the Geneva Framework. Also part of the platform is the Microsoft Service Connector, the Microsoft Federation Gateway and the .NET Access Control Service which provide our infrastructure for our cloud services.

image

How does it work?

1. User clicks the link for the service.

2. User is taken to the Microsoft Services Connector for authentication.

3. The Connector validates the credentials with Active Directory.

4. The Microsoft Services Connector issues a login token and redirects to the Microsoft Federation Gateway.

5. The Gateway validates the token and transforms the claims.

6. The Federation Gateway issues a service token and redirects to the service.

7. The user accesses the service.

 

 

 

image

 

One of the great things about the use of Geneva is that we have an opportunity to look at Active Directory Federation as well as other identity systems because of our support of WS-* and SAML. Some great documentation on Geneva is posted here on MSDN: http://msdn.microsoft.com/en-us/library/cc287610.aspx

So I look forward to having federation for Exchange Online and other Microsoft cloud services. Stay tuned for more.

Posted by gkatz | 2 Comments

Download Free UC e-books from Microsoft Press

Microsoft Press 25th Anniversary "Free E-Book of the Month" Offers
This will be our last month to celebrate the 25th anniversary of Microsoft Press with a free e-book offer. This monthly offer can be found in the top right corner of this monthly newsletter. It expires on June 24, 2009, so download the e-books today:

image

Programming for Unified Communications with Microsoft Office Communications Server 2007 R2
By Rui Maximo, Kurt De Ding, Vishwa Ranjan, Chris Mayo, Oscar Newkerk, and the Microsoft Office Communications Server team

 

image
Microsoft Office Communications Server 2007 R2 Resource Kit
By Rui Maximo, Rick Kingslan, Rajesh Ramanathan, and Nirav Kamdar with the Microsoft Office Communications Server Team
Note: You will need to temporarily allow pop-ups in order to download the free e-book offer.

Troubleshooting Exchange 2007 Unified Messaging whitepaper

There is a nicely written whitepaper to help you troubleshoot and understand how Exchange 2007 Unified Messaging works. I pasted a few whitepaper highlights below:

 

Exchange UM architecture:

image

Shows a nice breakdown of the UM services and worker processes and what they do and how they talk.

 

UM Call flows:

image

Has a nice inbound call flow showing the call from either an IP PBX (direct SIP) or a legacy PBX (TDM), which requires a SIP gateway to translate TDM to SIP. The UM server then does a directory lookup and hands off to the hub server, which routes the voicemail/fax to the inbox.

 

Here are the basics of a simple Unified Messaging call flow:

  1. Caller A places a call to B.
  2. B doesn't answer the phone.
  3. Call gets forwarded to voice mail. In this example, it's forwarded to the VoIP gateway first.
  4. The VoIP gateway sends this call to the Unified Messaging server.
  5. At this point, caller A should hear the personal greeting of B.

 

Some nice UM troubleshooting basics for example:

 

When an incoming call to voice mail fails, the problem usually happens at one of the following stages of the call flow:

  • Call isn't routed from the PBX to the IP gateway, so the call doesn't reach the Unified Messaging server.
  • Call isn't accepted by the Unified Messaging server.
  • Voice mail isn't delivered to the user's mailbox.

Troubleshooting Play on Phone:

image

  • Play on Phone requests first go to the Client Access server. The Client Access server sends a SIP INVITE request to the Unified Messaging server, and Unified Messaging proxies the request to the IP gateway. The best way to troubleshoot these issues is to perform a network trace on the Unified Messaging server. Note the following:
    • Which Client Access server is servicing this request?
    • Does the Client Access server send a request to the Unified Messaging server?
    • Does the Unified Messaging server send a SIP INVITE request to the gateway?
    • Does the gateway accept the SIP INVITE request?

    Important:

    The Unified Messaging server and Client Access server use mutual TLS to establish the session. For mutual TLS negotiation, both the Unified Messaging server and the Client Access server must have a certificate that has the corresponding FQDN as the Subject Name or the Subject Alternate Name.

  • For calls from a directory, Unified Messaging sends a REFER request to the IP gateway. The IP gateway should be able to handle REFER requests. Network trace is the best resource to troubleshoot this issue.
  • Outbound calls are restricted by dialing rules. Enable diagnostics logging and review the application log to see if dialing rules are causing any issues.

 

Backing Up a Unified Messaging Server

A backup plan for any organization is critical for maintenance and successful recovery. With the introduction of a Unified Messaging server, you need to incorporate new strategies for backing up that server. This section discusses specific files and data that are relevant only to the Unified Messaging environment. In addition, some disaster recovery techniques are described.

To successfully recover a Unified Messaging server, certain files must be backed up. These files aren't Exchange database files, so they aren't automatically selected if you choose an Exchange-aware backup and use the Exchange option only. You need to do a file-level backup of these files. These files don't need to be backed up every day because they are mostly configuration related. The following files need to be backed up from a Unified Messaging server:

  • Custom prompt files
  • Configuration files
  • Grammar files

 

 

Useful UM PowerShell commands:

Test-UMConnectivity -ListenPort 5060

Get-UMActiveCalls -Server ServerName | export-csv c:\temp\activecalls.csv

 

UM Diagnostic event logging:

 

Logging level    Value
Expert           7
High             5
Medium           3
Low              1
Lowest           0

Set the following categories to a value of 7 to indicate Expert level logging:

  • UMWorkerProcess
  • UMCore
  • UMManagement
  • UMService
  • UMClientAccess
  • UMCallData

Start Registry Editor (regedit). Scroll to the following keys and then set the value of each key to 7:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\Diagnostics

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMWorkerProcess

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMCore

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMManagement

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMService

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMClientAccess

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchange Unified Messaging\UMCallData

Value: Lowest – 0x00000000 (0), Expert – 0x00000007 (7)
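As an added example (not from the whitepaper), the PowerShell below sets the six UM diagnostics categories listed above to Expert with the Exchange Management Shell cmdlets Set-EventLogLevel and Get-EventLogLevel instead of regedit, reads the Diagnostics registry key named above as a cross-check, and drops the categories back to Lowest once the trace is collected. The function names are mine; the assumption that each category is stored as a DWORD value under the Diagnostics key is noted in the code.

```powershell
# Added example, not part of the whitepaper. Assumes the Exchange
# Management Shell on the UM server.

$umCategories = 'UMWorkerProcess', 'UMCore', 'UMManagement',
                'UMService', 'UMClientAccess', 'UMCallData'

function Set-UMDiagnosticsLevel {
    param(
        [ValidateSet('Lowest', 'Low', 'Medium', 'High', 'Expert')]
        [string]$Level = 'Expert'
    )
    foreach ($category in $umCategories) {
        # Identity is "<process name>\<category>" on the local server
        Set-EventLogLevel -Identity "MSExchange Unified Messaging\$category" -Level $Level
    }
    # Read back what is in effect so the change is confirmed, not assumed
    Get-EventLogLevel |
        Where-Object { $_.Identity -like 'MSExchange Unified Messaging\*' } |
        Select-Object Identity, EventLevel
}

function Get-UMDiagnosticsRegistry {
    # Cross-check against the Diagnostics key named above. Assumption: each
    # category is a DWORD value under that key (Lowest = 0, Expert = 7).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\MSExchange Unified Messaging\Diagnostics'
    Get-ItemProperty -Path $key | Select-Object -Property $umCategories
}

Set-UMDiagnosticsLevel -Level Expert    # before reproducing the failing call
Get-UMDiagnosticsRegistry
# ... collect the network trace and application log, then:
Set-UMDiagnosticsLevel -Level Lowest    # Expert logging is noisy; do not leave it on
```

Expert level writes a large volume of events, so the reset at the end is part of the procedure, not an afterthought.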

How to analyze a UM sniff trace:

 

image

INVITE sip:2501@65.53.2.181;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 65.53.0.18;branch=z9hG4bKac791424417;alias
Max-Forwards: 70
From: <sip:2510@ACGWMP118.req150587.local>;tag=1c741078876
To: <sip:2501@65.53.0.18;user=phone>
Call-ID: 74107850232200073840@65.53.0.18
CSeq: 3 INVITE
Diversion: <tel:2501>;reason=no-answer
Contact: <sip:2510@65.53.0.18;transport=tcp>
Supported: em,100rel,timer,replaces,path,resource-priority
Allow:REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: Audiocodes-Sip-Gateway-MP-118 FXS_FXO/v.5.00A.035.003
Content-Type: application/sdp
Content-Length: 227

v=0
o=AudiocodesGW 741070197 741070070 IN IP4 65.53.0.18
s=Phone-Call
c=IN IP4 65.53.0.18
t=0 0
m=audio 6010 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv

 

 

Most of the Unified Messaging call answering issues can be resolved by analyzing the first SIP INVITE request from the IP gateway. The first SIP INVITE request gives you a good idea about the rest of the call flow. Consider the following:

  • Make sure the request Uniform Resource Identifier (URI) has the IP address of the Unified Messaging server and a valid SIP extension. Also note the transport mechanism.
  • The IP address of the To header must match the UM IP Gateway object, and the extension must match a pilot number in a UM hunt group.
  • The user's UM dial plan is determined by the UM dial plan linked to the UM hunt group determined in the previous step.
  • The From header is used for caller ID resolution.
  • The SDP header contains the media endpoint and supported media codec information.
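As an added example (not part of the whitepaper or this post), the PowerShell below parses the INVITE from the trace above into request line, headers and SDP, then runs the five checks just listed against it. The UM server IP, gateway IP and pilot number passed to Test-UMInvite are assumed environment values chosen to match the page's message; both function names are mine.

```powershell
function ConvertFrom-SipMessage {
    param([Parameter(Mandatory=$true)][string]$Text)
    # SIP puts one blank line between the headers and the SDP body
    $normalized = $Text.Trim() -replace "`r`n", "`n"
    $parts = $normalized -split "`n`n", 2
    $lines = $parts[0] -split "`n"
    $headers = @{}
    if ($lines.Count -gt 1) {
        foreach ($line in $lines[1..($lines.Count - 1)]) {
            if (-not $line.Trim()) { continue }
            $name, $value = $line -split ':\s*', 2   # "Allow:REGISTER" has no space
            $headers[$name] = $value
        }
    }
    # SDP lines are "x=value"; a= repeats, so it is kept as a list
    $sdp = @{ a = @() }
    if ($parts.Count -gt 1) {
        foreach ($line in ($parts[1] -split "`n")) {
            if ($line -match '^(?<k>[a-z])=(?<v>.*)$') {
                if ($matches.k -eq 'a') { $sdp['a'] += $matches.v } else { $sdp[$matches.k] = $matches.v }
            }
        }
    }
    New-Object PSObject -Property @{ RequestLine = $lines[0]; Headers = $headers; Sdp = $sdp }
}

function Test-UMInvite {
    param(
        [Parameter(Mandatory=$true)]$Invite,
        [Parameter(Mandatory=$true)][string]$UMServerIP,     # the UM server's IP
        [Parameter(Mandatory=$true)][string[]]$GatewayIPs,   # IPs of the UM IP Gateway objects
        [Parameter(Mandatory=$true)][string[]]$PilotNumbers  # pilot numbers of the UM hunt groups
    )
    $r = @{}
    # Request-URI: UM server IP plus a SIP extension; note the transport
    if ($Invite.RequestLine -match '^INVITE sip:(?<ext>[^@]+)@(?<host>[^;>\s]+)(;transport=(?<tr>\w+))?') {
        $r.RequestUriHostIsUMServer = ($matches.host -eq $UMServerIP)
        $r.RequestUriExtension = $matches.ext
        $r.Transport = if ($matches.tr) { $matches.tr } else { 'udp (default)' }
    } else { $r.RequestUriHostIsUMServer = $false }
    # To header: host must be a known UM IP Gateway, extension a hunt-group pilot number
    if ($Invite.Headers['To'] -match 'sip:(?<ext>[^@]+)@(?<host>[^;>]+)') {
        $r.ToHostIsKnownGateway = ($GatewayIPs -contains $matches.host)
        $r.ToExtIsPilotNumber = ($PilotNumbers -contains $matches.ext)
    }
    # From header: the user part is what caller ID resolution works from
    if ($Invite.Headers['From'] -match 'sip:(?<user>[^@]+)@') { $r.CallerId = $matches.user }
    # SDP: media endpoint (c=) and offered codecs (m= plus a=rtpmap)
    if ($Invite.Sdp['c'] -match 'IN IP4 (?<ip>\S+)') { $r.MediaIP = $matches.ip }
    if ($Invite.Sdp['m'] -match '^audio (?<port>\d+) RTP/AVP') {
        $r.MediaPort = [int]$matches.port
        $r.Codecs = @($Invite.Sdp['a'] | Where-Object { $_ -like 'rtpmap:*' } | ForEach-Object { ($_ -split ' ')[1] })
    }
    New-Object PSObject -Property $r
}

# The INVITE from the trace above, one header per line (taken from the page, not constructed)
$SampleInvite = @'
INVITE sip:2501@65.53.2.181;transport=tcp SIP/2.0
Via: SIP/2.0/TCP 65.53.0.18;branch=z9hG4bKac791424417;alias
Max-Forwards: 70
From: <sip:2510@ACGWMP118.req150587.local>;tag=1c741078876
To: <sip:2501@65.53.0.18;user=phone>
Call-ID: 74107850232200073840@65.53.0.18
CSeq: 3 INVITE
Diversion: <tel:2501>;reason=no-answer
Contact: <sip:2510@65.53.0.18;transport=tcp>
Supported: em,100rel,timer,replaces,path,resource-priority
Allow:REGISTER,OPTIONS,INVITE,ACK,CANCEL,BYE,NOTIFY,PRACK,REFER,INFO,SUBSCRIBE,UPDATE
User-Agent: Audiocodes-Sip-Gateway-MP-118 FXS_FXO/v.5.00A.035.003
Content-Type: application/sdp
Content-Length: 227

v=0
o=AudiocodesGW 741070197 741070070 IN IP4 65.53.0.18
s=Phone-Call
c=IN IP4 65.53.0.18
t=0 0
m=audio 6010 RTP/AVP 0 101
a=rtpmap:0 PCMU/8000
a=rtpmap:101 telephone-event/8000
a=fmtp:101 0-15
a=ptime:20
a=sendrecv
'@

# Assumed environment values: UM server 65.53.2.181, gateway 65.53.0.18, pilot number 2501
$invite = ConvertFrom-SipMessage -Text $SampleInvite
Test-UMInvite -Invite $invite -UMServerIP '65.53.2.181' -GatewayIPs '65.53.0.18' -PilotNumbers '2501'
```

A False in any of the three boolean checks points at the stage of the call flow that is misconfigured: the Request-URI at the gateway's target, the To header at the UM IP Gateway or hunt group objects. The Diversion header is what tells UM which subscriber's greeting to play, so it is worth reading alongside the From header when a caller reaches the wrong mailbox.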

 

 

For the full Exchange 2007 UM troubleshooting whitepaper download it here.

How to Evaluate OCS + Blackboard Client

Please contact Enabling Technologies Corporation for evaluations and pricing for the OCS for Blackboard client.

Enabling Technologies Corp.
12226 Long Green Pike | Glen Arm, MD 21057
info@enablingtechcorp.com

http://www.enablingtechcorp.com/dnn490/

 

Posted by bill hagen | 1 Comments

OCS + Blackboard Integration

OCS For Blackboard consists of the following:

·         Rich Web Client

The Web Client was built using Microsoft .NET and is a sophisticated client that allows users to access many of the OCS features and see relevant information from BB.

·         Powerlink Connector to the BlackBoard system
The BB system has an API that is used to access the core data such as Courses, Users, Teachers, and Institution. This data is used to populate the OCS for BB Web Client with relevant information based on the user's personal information.

In addition this connection to BB allows the OCS for BB to write data and statistics to enable reporting.

Courses and Admin tabs automatically populate with Teachers from BlackBoard:

 

Posted by bill hagen | 2 Comments

I need to support RIM’s COMO client in OCS 2007 R2

When we launched OCS 2007, RIM shipped a client for OCS 2007. This client requires that the customer have a BES server and a CWA server, and it uses UC AJAX. Since we launched OCS 2007 R2, RIM hasn’t released an update for the software yet. So how do I support BlackBerry users in OCS R2?

This has been posted elsewhere but wanted to get info to our education customers.

The Unified Communications (UC) AJAX SDK that is available for CWA R1 will not be re-released for CWA R2. Therefore customers with UC AJAX apps need to deploy a CWA R1 server.

Migrating from OCS 2007 to OCS 2007 R2:

---------------------------------------------------------

Customers who have CWA 2007 successfully deployed against an OCS 2007 server and who want to upgrade to OCS 2007 R2, but want to keep the CWA 2007 server to use with their UC AJAX applications, must install OCS 2007 R2 into the existing domain. For more information, refer to the OCS deployment guide. Make sure that you leave the existing CWA 2007 server in place. Users should automatically sign in through CWA 2007 to OCS 2007 R2 without any further configuration being required.

New customers who are installing OCS 2007 R2 for the first time:

--------------------------------------------------------------------------------------

Customers who want to set up CWA 2007 against OCS 2007 R2 starting from a clean environment should follow these steps:

1. Before you install OCS 2007 R2, prepare Active Directory by using OCS 2007 Setup.

2. Install CWA 2007 into the domain.

3. Install OCS 2007 R2. Note: for more information, refer to the OCS 2007 R2 Deployment Guide. Users should automatically sign in through CWA 2007 to OCS 2007 R2 without any further configuration.

Already have OCS 2007 R2 installed but want to now install CWA 2007:

-------------------------------------------------------------------------------------------------

New customers (did not have OCS 2007 deployment prior) who have already installed OCS 2007 R2 but now want to deploy CWA 2007 within the environment must follow these steps:

1. You need to perform a Forest Prep and a Domain Prep with the 2007 (R1) RTM Setup, not the command line.

2. You just need to add the OCS 2007 CWA (R1) to an existing R2 pool. No need to create a 2007 (R1) pool.

Done! Hopefully we will see updated guidance on RIM’s site soon. In the meantime enjoy. :)

Posted by gkatz | 4 Comments

UC R2 Adoption and Training Kit

The Goal of this UC kit is to distribute UC materials and support for 3 key end user groups: IT Professionals, Help Desk teams, and Trainers.

       Training & Adoption Materials for IT Pros, Helpdesk, and Trainers

       Scales Training and Adoption materials to all UC customers

Download the kit here: http://office.microsoft.com/en-us/communicationsserver/HA103624691033.aspx

Please provide feedback and ways to improve this kit to bhagen@microsoft.com

Content includes:

o    IT Pro - Planning Checklist, Benefit Statements, E-Mail Campaign Samples, Success Metrics Examples, and User Education Materials

o    Helpdesk - Planning Checklist, Frequently Asked Questions, and Troubleshooting Guides.

o    Trainer - Planning Checklist, Quick Reference Cards, Tips and Tricks Flash Cards, How-to's, Getting Started Tours, and Web-based Tutorials and Training

 

 

Posted by bill hagen | 1 Comments

What is new with Exchange Server 2010 ActiveSync and Outlook Mobile?

Some great new changes are coming with Exchange 2010 ActiveSync.

 

We have many more partners beyond Windows Mobile that have licensed the ActiveSync protocol for syncing email to your mobile device. Here are just a few:

image

What has changed for the Exchange 2010 architecture?

ActiveSync has the same connectivity flow as in Exchange 2007.

image

What are some new Exchange Server 2010 ActiveSync features?

Block/Allow/Quarantine list

You can set up a single list to block or allow mobile devices as needed. You can also quarantine devices, such as new untested devices.

Over the Air Update Mode

You can now push new Outlook Mobile updates/new versions to Windows Mobile 6.1 and above. This is really nice since you no longer have to wait for a new Windows Mobile OS version to obtain a new version of Outlook Mobile.

SMS Sync

SMS text messages can be sent through Exchange, and EAS is used to sync SMS messages with the user’s mobile device.

Benefits of SMS sync:

• User can use OWA, Outlook, and Outlook Mobile to respond

• SMS messages are backed up on the server

• Recipients can respond to messages

• User can switch “screens” while still seeing all their messages

IMAP/POP3 service discovery

You can now autodiscover/autoconfigure the IMAP/POP3 settings from your mobile device by just specifying your email address.

 

What are some new Outlook Mobile features?

Conversation view

image

Conversation view is invaluable. This really allows you to have a nicer mobile email experience when trying to skim through your onslaught of emails.

As you can see on the left, the new Outlook Mobile allows for threaded conversations (see the highlighted conversation with 18 messages condensed). The view on the right is the current Outlook Mobile experience, with the deluge of 18 additional emails in the inbox.

 

Reply state

You can now see which emails you have replied to or forwarded.

image

image

Conversation actions

You can now ignore threads, always move threads to folders, etc. from your mobile device. Ignore thread may become quite a popular feature. :)

image

image

Nickname cache

Very nice that your nicknames follow you now. Especially useful for external recipients you email often.

image

 

Voice Card

You no longer have to download the voicemail attachment like before (right). You just hit play and hear the VM. The other feature that I really like is the ability to see a transcription of the voice mail in the body of the message. Very useful in meetings, noisy airports, and other places where you can’t play the VM.

image

 

Get Free/Busy

I love this feature. It is awesome since you can now at a quick glance from your phone see the Free/busy info vs. breaking out the laptop, etc.

image

image

 

As you can see, there are some very useful features coming to Exchange Server 2010 ActiveSync and the new Outlook Mobile.

Exchange 2010 – Management Tools

The largest share of helpdesk calls incurred by an organization involves DL management, message tracking, changes to the personal address book, etc. The annual cost of helpdesk support staff for email for 7500 mailboxes is approx. $20/mailbox according to a survey from Ferris Research, June 2008.

Our goal with Exchange 2010 is to reduce these costs considerably by introducing new management tools, including the Exchange Control Panel, a new role-based authorization model (Role Based Access Control, RBAC), and Remote PowerShell.

EMC and Exchange PowerShell are still the major tools for managing Exchange 2010. The Exchange Management Console (EMC) is built on Remote PowerShell (Windows PowerShell V2). EMC honors all RBAC authorizations and assigns RBAC roles and scopes. EMC supports multi-forest and cross-premises management across our on-premise and Online offerings. EMC also supports bulk editing of recipients.

Exchange Control Panel (ECP) is a new browser-based management client for end users, admins, and specialists. It’s accessible from a URL, OWA, and Outlook 2010. It’s deployed as part of the CAS role and it’s also RBAC aware.

image

ECP is an AJAX-based application and shares some code with OWA but they are two separate applications. It also supports IE, Firefox, and Safari.

ECP honors RBAC permissions and will modify the interface for users to show only functions they have access to. For Example:

  • If the user doesn’t have the ability to do Message tracking it would remove it from ECP.
  • If a user can edit mailboxes but not create new mailboxes then that option is hidden.
  • If an end user has the rights to change information such as display name but not department, then Department is visible but read-only, like below.

image

RBAC. Access is based on what you do, not what you have access to. Within the school, roles are created for various job functions. The permissions to perform certain operations are assigned to specific roles. RBAC differs from ACLs in traditional discretionary access control in that it assigns permissions to specific operations rather than assigning access to low-level data objects.

 

image

The RBAC authorization model is centered on the concept of Role Assignment. A role assignment defines exactly who (a user or a group) can do what, and where (what objects) they can do it to.

• This is a far different model from the AD ACL model, which hinged around the Where.

• In the AD ACL model the focal point was the AD object: each object has an ACL, and the ACL describes both the What and the Who. While this has proven to be an extremely flexible and well-accepted model, it presents some challenges.

There is no central object that ties a user to the underlying permissions; permissions are defined as the aggregate of all the objects a user has access to.

RoleGroup and Role Assignment Policy will be RTM features, and are not currently available in the Beta release. RoleAssignment in the Beta is directly from a role to a user or USG.

Custom Management Roles

These roles can be added for specific delegation requirements.

  1. Create the management role
  2. Change the new role's management role entries (by removing role entries)
  3. Create a management scope (if required)
  4. Assign the new management role

Some examples:

New-ManagementRole -Name "eDiscovery-Sales" -Parent DiscoveryManagement

New-ManagementScope -Name "Sales Mailboxes" -DomainRestrictionFilter "(RecipientType -eq 'UserMailbox')" -DomainRoot "OU=Sales,DC=contoso,DC=Com"

New-ManagementRoleAssignment -Name "RA-Sales eDiscovery Administrators" -User "USG-Sales eDiscovery Admins" -Role "eDiscovery-Sales" -DomainScopeRestriction "Sales Mailboxes"

Permission reporting on role delegation.

image
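As an added example (not the page's own code), the PowerShell below carries the four steps above through end to end, including the role-entry trimming of step 2 that the beta examples skip, and ends with the permission report. It assumes the Exchange 2010 RTM parameter names (-RecipientRestrictionFilter, -RecipientRoot, -SecurityGroup, -CustomRecipientWriteScope), which replaced the beta -Domain* names used in the examples above; the role, scope, group and OU names are made up for the example.

```powershell
# Added example with assumed RTM cmdlet syntax; not the beta examples from the page.

# Step 1: a child of the built-in "Mailbox Search" role inherits its cmdlets
New-ManagementRole -Name 'eDiscovery-Sales' -Parent 'Mailbox Search'

# Step 2: least privilege. Keep the search/read cmdlets, drop the destructive ones
# so a delegate can run and review searches but not remove or stop someone else's.
Get-ManagementRoleEntry 'eDiscovery-Sales\*' |
    Where-Object { $_.Name -like 'Remove-*' -or $_.Name -like 'Stop-*' } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "eDiscovery-Sales\$($_.Name)" -Confirm:$false }

# Step 3: a scope that limits writes to user mailboxes under the Sales OU
New-ManagementScope -Name 'Sales Mailboxes' `
    -RecipientRestrictionFilter "RecipientType -eq 'UserMailbox'" `
    -RecipientRoot 'OU=Sales,DC=contoso,DC=com'

# Step 4: bind role and scope to a universal security group, not to individuals
New-ManagementRoleAssignment -Name 'RA-Sales eDiscovery Administrators' `
    -SecurityGroup 'USG-Sales eDiscovery Admins' `
    -Role 'eDiscovery-Sales' `
    -CustomRecipientWriteScope 'Sales Mailboxes'

# Report: who holds the role, where it applies, and which cmdlets it still grants
Get-ManagementRoleAssignment -Role 'eDiscovery-Sales' |
    Format-Table Name, RoleAssigneeName, RecipientWriteScope, CustomRecipientWriteScope -AutoSize
Get-ManagementRoleEntry 'eDiscovery-Sales\*' | Format-Table Name, Parameters -AutoSize
```

The two report queries at the end are the part worth scheduling: they answer "who can search which mailboxes" directly from the role assignments, which is the question an auditor asks and the one an ACL-based model cannot answer without walking every object.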

Remote PowerShell allows the admin to run commands and cmdlets against remote computers. Exchange 2010 uses Remote PowerShell for all server access, even the local server. This provides firewall-friendly management access.

image

Above shows the process of accessing Exchange through Remote Powershell. A great introduction to Remote Powershell can be reviewed on the Exchange Labs website. http://technet.microsoft.com/en-us/exchangelabshelp/cc546278.aspx 

$UserCredential = Get-Credential

$rs = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://<Exchange 2010 servername>/powershell `
    -Credential $UserCredential

Import-PSSession $rs

One of my colleagues, Jonny Chambers, has done a few blogs on how to navigate through Remote Powershell for some common operations within Outlook Live:

http://liveatedu.spaces.live.com/default.aspx?wa=wsignin1.0&sa=502925703

I am having problems getting Group Chat Administrator Console working

This was a question coming from an education customer in Minnesota deploying OCS R2 Group Chat Server:

 

Their Group Chat client was working but the Group Chat administrator console was not. It was getting this error:

“Cannot sign in because of a problem with the chat room service….” 

Server 2 received error while subscribing to peer 1, <1> <net.tcp://ocsgroupchat.campus.xxx.edu:8011/MGC/PeerService> <ChannelServer>. Details: Identity check failed for outgoing message. The expected DNS identity of the remote endpoint was 'ocsgroupchat.campus.xxx.edu' but the remote endpoint provided DNS claim 'ocscontent.xxx.edu'. If this is a legitimate remote endpoint, you can fix the problem by explicitly specifying DNS identity 'ocscontent.xxx.edu' as the Identity property of EndpointAddress when creating channel proxy.

 

Here are some support steps I found to check on your Group Chat Server installation that can relate to this error:

 

1. Verify the certificate assigned to the Group Chat server; it should have both Server Authentication and Client Authentication. If it has only server authentication, signing in to the admin console will fail with the error above.

2. The service accounts above must be members of the RTCUniversalServerAdmins group and of the Administrators group on the Group Chat server. Also add the user name (admin account) with which you are going to sign in to Group Chat.

3. Enable the admin account along with the above five service accounts for SIP communication on the OCS 2007 R2 server. Configure them for Federation, PIC, Remote User Access and Enhanced Presence.

4. In SQL Server Management Studio -> Security -> Logins, make sure all the above service accounts and the admin account are present. Then, in Login Properties -> General, the default database for each account should be "GCDB", and under User Mapping, check db_owner for all the service accounts.

5. In the GC admin sign-in console -> Edit Account Settings -> Automatic Configuration, uncheck "Use my Windows credentials to log in automatically". Then under Office Communications Server leave Host blank and select the encrypted radio button, and under Group Chat Server Settings leave the "Use default server address" box unchecked and set the server address to the OCS chat service account URI.

6. In C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys, re-add the Lookup Service account and the Channel Service account, give them full control of this folder, re-apply full control to all the files in it, and then restart the services.
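As an added example (not from the original post), the PowerShell below checks the two certificate properties that step 1 and the error above turn on: that the certificate carries both the Server Authentication and Client Authentication EKUs, and that its Subject CN or a SAN DNS entry matches the DNS identity the peer expects (the "expected DNS identity" named in the error). The function name and the host name in the usage line are mine; the real identity is whatever the error message on your server reports.

```powershell
# Added example; function name and host name are constructed for illustration.
function Test-GroupChatCertificate {
    param(
        [Parameter(Mandatory=$true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory=$true)][string]$ExpectedDnsIdentity
    )
    $serverAuth = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

    # Extended Key Usage extension (OID 2.5.29.37)
    $ekuExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Names the certificate claims: Subject CN plus DNS entries from the SAN (OID 2.5.29.17)
    $names = @()
    if ($Certificate.Subject -match 'CN=(?<cn>[^,]+)') { $names += $matches.cn }
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                    ForEach-Object { $_.Groups[1].Value })
    }

    New-Object PSObject -Property @{
        Thumbprint              = $Certificate.Thumbprint
        HasServerAuth           = ($ekus -contains $serverAuth)
        HasClientAuth           = ($ekus -contains $clientAuth)
        Names                   = $names
        MatchesExpectedIdentity = ($names -contains $ExpectedDnsIdentity)
        NotExpired              = ($Certificate.NotAfter -gt (Get-Date))
    }
}

# Usage: list the machine certificates that satisfy every check for the expected identity.
# The host name is a placeholder; use the one quoted in your own error message.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-GroupChatCertificate -Certificate $_ -ExpectedDnsIdentity 'ocsgroupchat.campus.contoso.edu' } |
    Where-Object { $_.HasServerAuth -and $_.HasClientAuth -and $_.MatchesExpectedIdentity -and $_.NotExpired }
```

If no certificate survives the final filter, run the pipeline without the Where-Object clause to see which property failed for each candidate; a mismatch between Names and the expected identity is exactly the "DNS claim" condition the error text describes.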

 

In their case, Step 6 resolved the Group Chat Admin Console error above.

 

For more on what is OCS R2 Group Chat Server read my other post here.

What is new with archiving and Exchange 2010?

Here is a summary of the new Exchange 2010 archiving/retention features:

image

What is Personal Archive?

image

• A secondary mailbox that is configured by the administrator

• Appears alongside a user’s primary mailbox in Outlook or Outlook Web Access

• PSTs can be dragged and dropped to the Personal Archive

• Mail in the primary mailbox can be moved automatically using Retention Policies

• Archive quota can be set separately from the primary mailbox

Can I have my personal archive on a secondary server?

For the best performance (search, retrieve, copy, etc.), it was determined that the personal archive is best kept on the same server as the primary mailbox.

 

What is the user experience in a personal archive?

image

Can I search both my local mailbox and personal archive at once?

Yes, you can either search all subfolders or use advanced search.

 

image image

What are retention policies?

Retention policies in Exchange 2010 let you expire email either per folder or at the item level.

image

image

Are there e-discovery tools available now?

Yes. With Role Based Access Control (RBAC) and this new tool you can perform a legal search across mailboxes when needed, and delegate that role to compliance officers, legal staff, etc.

 

image

Can I search archives and current mailboxes?

Yes, and you can also search across different content types.

image

image

Do I need a director with OCS R2?

I was asked this by a school district in Southern California that was rolling out OCS R2 and Enterprise Voice for all their faculty and staff.

The answer depends on your OCS R2 architecture and whether your access is from internal or external networks.  For most schools, a single pool would apply and therefore a director would be optional depending on your external access security requirements.

 

Here is some information gathered from our product team to think about when considering a director:

 

Director traffic flow with External user access:

  • Remote user initiates SIP registration with Access Edge. Access Edge validates some SIP headers, determines that the registration should be sent to its next internal hop -- the Director. 
  • The Director authenticates the registration and performs an AD lookup to find the user's home pool. (Authentication here must be via NTLM because the client cannot contact a domain controller to acquire a Kerberos ticket.)
  • The Director proxies the traffic to the user's home pool. (Redirecting an external user makes no sense since the external Communicator client cannot contact the pool directly.)
  • Traffic proxied to the pool from the director does not require additional authentication. (The client performed NTLM authentication at the director, each SIP message is now correctly signed, and the traffic to the pool is coming from a trusted server--the director--not the client.)

Director traffic flow with Internal user access:

  • Internal user initiates SIP registration with Director.
  • The Director authenticates the registration and performs an AD lookup to find the user's home pool. (Kerberos can be used here because the client is internal.)
  • The Director redirects the client to the user's home pool. (Redirecting, in this case, simply means that it sends a 301 SIP response to the registration request. The response contains the FQDN of the user's home pool.)
  • The user now follows the regular registration process with their home pool (discovered via the 301 response). This requires authenticating to the pool. (The second authentication is necessary because client-to-server communication uses challenge/response authentication; nothing from the original authentication exchange is carried in these requests, nor would it make sense to carry it.)

What are the benefits of directors?

Security:  In an environment with an access edge and no director, unauthenticated traffic will be sent to your production pool for authentication.  The director lets you isolate that unauthenticated traffic to a server that is less critical (Director). Some schools will find this very critical even in single pool deployments. Other schools more than likely won't care.

Performance: For remote users, the director will proxy all SIP traffic. Without directors and with multiple pools, you have to pick a pool that will proxy the traffic. This could potentially have a performance impact to the users homed on that pool.

 

When should I use a director server?

  • Environments with multiple pools and remote access: The director serves a critical role as the "next hop" inbound from the edge and proxies traffic from remote users to the appropriate pool. A director should always be used when the customer has multiple pools and remote users.

  • Environments with multiple pools and no remote access: The only supported solution that provides automatic configuration of Communicator involves configuring the internal DNS records to point the client to the director. Some customers will be uncomfortable requiring the use of a remote director to sign into a local pool and may prefer an unsupported solution that involves configuring DNS differently (or use manual or group policy-based configuration).

  • Environments with one pool and remote access: The benefit of preventing unauthenticated SIP traffic from reaching the user pool may be sufficient to justify a director.

  • Environments with one pool and no remote access: Even if the customer is not currently planning multiple pools, during migrations or for piloting different versions or configurations, it will be required to establish multiple pools. Start the design with no director but add it as part of the project that installs the second pool.

Other notes:

The director or the pool doesn't really know if the user is external or internal. All it knows is whether it is the first hop or not (based on VIA headers). The default behavior of every OCS front end (whether in a director pool or a user pool) is to redirect traffic to the correct home server if it is the first hop and proxy the traffic if it is not.
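As an added example, not from the original post, here is a toy model of the first-hop rule from the two traffic flows and the note above: a front end counts the Via headers on a REGISTER, answers 301 with the home pool FQDN when it is the first hop, and proxies otherwise. The users, pools, sample messages and the shortcut of treating a Proxy-Authorization header as a completed challenge/response exchange are constructed assumptions, not OCS behaviour in detail.

```powershell
# Added example, not from the original post: a toy model of the first-hop rule described above.
# A front end looks only at the Via headers of a REGISTER. One Via means the client sent it
# directly (first hop), so the server answers 301 with the home pool FQDN; more than one Via
# means an upstream hop (the Access Edge) forwarded it, so the server proxies it to the pool.
# The users, pools, messages and the "Proxy-Authorization present means the challenge/response
# exchange completed" shortcut are constructed simplifications, not OCS behaviour in detail.
$HomePools = @{ 'alice@contoso.example' = 'pool1.contoso.example'    # constructed
                'bob@contoso.example'   = 'pool2.contoso.example' }

function Get-SipHeader([string[]]$Lines, [string]$Name) {
    # All values of one header in order; SIP allows repeats and every hop adds a Via
    foreach ($l in $Lines) { if ($l -match "^${Name}\s*:\s*(.*)") { $matches[1].Trim() } }
}

function Invoke-FrontEndDecision([string]$Register) {
    $lines = $Register -split "`r?`n"
    $vias  = @(Get-SipHeader $lines 'Via')
    $to    = @(Get-SipHeader $lines 'To')
    if ($to.Count -eq 1 -and $to[0] -match 'sip:([^>;]+)') { $user = $matches[1] }
    else { throw 'REGISTER needs exactly one To header with a SIP URI' }
    # Authenticate before any lookup or forwarding: this is what keeps unauthenticated
    # traffic on the Director rather than on the user pool
    if (@(Get-SipHeader $lines 'Proxy-Authorization').Count -eq 0) {
        return @{ Action = 'challenge'; Pool = $null; Response = 'SIP/2.0 401 Unauthorized' }
    }
    $pool = $HomePools[$user]   # stands in for the AD lookup of the home pool
    if (-not $pool) { return @{ Action = 'reject'; Pool = $null; Response = 'SIP/2.0 404 Not Found' } }
    if ($vias.Count -eq 1) {    # first hop: the client can reach the pool itself
        return @{ Action = 'redirect'; Pool = $pool
                  Response = "SIP/2.0 301 Moved Permanently`r`nContact: <sip:$pool>" }
    }
    # Not the first hop: forward on the client's behalf; the pool trusts this server, so
    # no second authentication happens there
    return @{ Action = 'proxy'; Pool = $pool; Response = "REGISTER forwarded to $pool" }
}

# Constructed messages: an internal client (one Via) and a remote one relayed by the Access Edge (two Vias)
$Internal = @('REGISTER sip:contoso.example SIP/2.0', 'Via: SIP/2.0/TLS 10.0.0.25:5061;branch=z9hG4bK1',
              'To: <sip:alice@contoso.example>', 'Proxy-Authorization: Kerberos example-token') -join "`r`n"
$Remote   = @('REGISTER sip:contoso.example SIP/2.0', 'Via: SIP/2.0/TLS edge.contoso.example:5061;branch=z9hG4bK2',
              'Via: SIP/2.0/TLS 203.0.113.7:5061;branch=z9hG4bK3', 'To: <sip:bob@contoso.example>',
              'Proxy-Authorization: NTLM example-token') -join "`r`n"
foreach ($msg in @($Internal, $Remote)) {
    $d = Invoke-FrontEndDecision $msg
    "{0,-9} pool={1}  response={2}" -f $d.Action, $d.Pool, ($d.Response -replace "`r`n", ' | ')
}
```

The internal message comes back as a redirect to pool1 and the relayed one as a proxy to pool2; dropping the Proxy-Authorization line from either shows the request stopping at this server with a 401 instead of reaching a pool.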
