• Troubleshooting Lync 2013 PowerPoint sharing issue: “There was a problem verifying the certificate from the server. Please contact your support team.”

    So you recently deployed Lync Server 2013 and managed to deploy an Office Web Apps Server 2013 (also known as WAC) farm, which is what makes PowerPoint sharing work. The users are happy because they can now share PowerPoint decks with animations and videos in Lync 2013.

    The next day, one user reported that he was unable to share or view a PowerPoint presentation and got the following error message:

    "There was a problem verifying the certificate from the server. Please contact your support team."

    This user was on a non-domain-joined (workgroup) machine, and he had clearly already imported the internal Root CA certificate, since he could sign in to Lync Server 2013 and start a conference.

    A suggestion from a Beta Support engineer was to disable "Check for server certificate revocation" in Internet Explorer (Internet Options, Advanced tab), and that did make the problem go away. Note that this setting is global: it switches off revocation checking for every HTTPS site the browser visits, not just for the WAC server.

    Whilst that workaround is deemed acceptable in this scenario, since it affects a single user, it is not acceptable in an environment with many non-domain-joined (workgroup) machines.

    Upon further investigation, validating the WAC server certificate from the non-domain-joined (workgroup) machine with CERTUTIL -URLFETCH -VERIFY WAC.cer (the -urlfetch switch makes certutil actually retrieve the CRL and the issuer certificate from the URLs embedded in the certificate, rather than relying on the local cache) revealed the cause.

    The verification output shows that the certificate carries only LDAP targets in its AIA and CDP extensions, and the check fails because a non-domain-joined (workgroup) machine cannot reach those LDAP targets: they point into Active Directory, which requires domain connectivity and credentials that a workgroup machine does not have.
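    The following PowerShell script is an added example, not part of the original post. It reproduces the revocation check a non-domain-joined client performs on the WAC certificate using the .NET X509Chain class with online revocation checking (the same behaviour as Internet Explorer with "Check for server certificate revocation" ticked), then lists the CDP and AIA targets the certificate carries and probes any HTTP target, so an "LDAP only" certificate is obvious from the output. It assumes the WAC server certificate has been exported (without its private key) to .\WAC.cer in the current directory.

```powershell
# Added example, not from the original post. Reproduces the revocation check a
# non-domain-joined client performs on the WAC certificate, then lists the CDP/AIA
# targets the certificate carries so an "LDAP only" certificate is obvious.
# Assumes the WAC server certificate has been exported (without key) to .\WAC.cer.
function Get-RevocationTarget {
    param([Parameter(Mandatory=$true)]
          [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)

    $kinds = @{ '2.5.29.31' = 'CDP'; '1.3.6.1.5.5.7.1.1' = 'AIA' }
    foreach ($ext in $Certificate.Extensions) {
        $kind = $kinds[$ext.Oid.Value]
        if (-not $kind) { continue }
        # On Windows, Format() decodes both extensions to text with one "URL=<target>" line per entry
        foreach ($m in [regex]::Matches($ext.Format($true), '(?m)URL=(\S.*?)\s*$')) {
            $url = $m.Groups[1].Value
            New-Object PSObject -Property @{
                Extension = $kind
                Url       = $url
                Scheme    = ([uri]$url).Scheme
            }
        }
    }
}

function Test-WorkgroupRevocationPath {
    param([Parameter(Mandatory=$true)][string]$Path)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path

    # Same policy Internet Explorer applies with "Check for server certificate revocation" ticked:
    # build the chain and fetch revocation data from the URLs embedded in the certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.UrlRetrievalTimeout = [TimeSpan]::FromSeconds(15)
    $valid  = $chain.Build($cert)
    $status = @($chain.ChainStatus | ForEach-Object { $_.Status })

    $targets     = @(Get-RevocationTarget -Certificate $cert)
    $httpTargets = @($targets | Where-Object { $_.Scheme -eq 'http' })

    foreach ($t in $targets) { Write-Host ('{0,-4} {1}' -f $t.Extension, $t.Url) }
    if ($httpTargets.Count -eq 0) {
        Write-Warning 'LDAP targets only: a workgroup machine cannot fetch the CRL or the issuer certificate'
    }
    foreach ($t in $httpTargets) {
        # An HTTP target only helps if it answers; a missing CertEnroll virtual directory fails the same way
        $req = [System.Net.WebRequest]::Create($t.Url)
        $req.Method  = 'HEAD'
        $req.Timeout = 10000
        try   { $req.GetResponse().Close(); Write-Host "reachable:   $($t.Url)" }
        catch { Write-Warning "unreachable: $($t.Url) ($($_.Exception.Message))" }
    }

    New-Object PSObject -Property @{
        Subject     = $cert.Subject
        ChainValid  = $valid
        ChainStatus = ($status -join ', ')
        HasHttp     = ($httpTargets.Count -gt 0)
    }
}

Test-WorkgroupRevocationPath -Path .\WAC.cer
```

    On the broken certificate, ChainValid is False and ChainStatus contains RevocationStatusUnknown and OfflineRevocation, which is the condition Internet Explorer reports as the certificate verification error above; HasHttp is False because only ldap:/// targets are present. Run it again against the re-issued certificate later in this post and both should turn True.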

    Digging deeper into this problem, it was found that the Root CA used within the organisation is an Enterprise Root CA (AD-integrated), and that its AIA and CDP extensions were still at the defaults: only the LDAP target is enabled. An HTTP target is defined for each extension, but none of its options are ticked, so it is never written into issued certificates.

    To give non-domain-joined (workgroup) machines an alternative target for a proper CRL check, the HTTP target must be enabled for both the AIA and CDP extensions. This is done in the Extensions tab of the CA properties: select the http:// entry and tick "Include in the CDP extension of issued certificates" (and "Include in CRLs. Clients use this to find Delta CRL locations." if delta CRLs are published) for the CDP extension, and "Include in the AIA extension of issued certificates" for the AIA extension. Note that the default HTTP target points to the CertEnroll virtual directory that is created when the "Certification Authority Web Enrollment" role service is installed, so that role service (or an equivalent IIS virtual directory serving the CertEnroll folder) must be in place for the HTTP target to work.

    After making the changes on the Active Directory Certificate Services (ADCS) side, restart the CA service when prompted and publish a new CRL by executing CERTUTIL -CRL on the ADCS server. Certificates issued earlier do not pick up the new extensions, so the WAC server certificate must then be re-issued (request a new certificate for the WAC server).
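    The following PowerShell script is an added example, not from the original post, showing the same CA-side change done from the command line instead of the Extensions tab: it enables the default HTTP CDP and AIA entries, restarts the CA service, republishes the CRL and then fetches the base CRL over HTTP to confirm the target really answers. It assumes it is run on the CA as a CA administrator, that the ADCSAdministration module is available (Windows Server 2012 or later), and that the HTTP entries still use the Windows default URL templates shown in the two variables.

```powershell
# Added example, not from the original post. Enables the default HTTP CDP and AIA
# targets on the Enterprise CA, restarts the CA service and republishes the CRL, then
# confirms the HTTP target actually serves the CRL. Run on the CA as a CA administrator;
# the ADCSAdministration cmdlets need Windows Server 2012 or later. The two URL
# templates are the Windows defaults (%1 = CA DNS name, %3 = CA name, %4 = renewal
# index, %8 = CRL name suffix, %9 = delta CRL suffix).
Import-Module ADCSAdministration

$httpCdp = 'http://%1/CertEnroll/%3%8%9.crl'
$httpAia = 'http://%1/CertEnroll/%1_%3%4.crt'

function Enable-HttpRevocationTargets {
    param([string]$CdpUri = $httpCdp, [string]$AiaUri = $httpAia)

    # The default HTTP entries exist with no flags set, which is exactly the "defined but
    # not enabled" state described above. The cmdlets cannot change flags on an existing
    # entry, so drop it and add it back with the flags that put it into issued certificates.
    if (Get-CACrlDistributionPoint | Where-Object { $_.Uri -eq $CdpUri }) {
        Remove-CACrlDistributionPoint -Uri $CdpUri -Force
    }
    Add-CACrlDistributionPoint -Uri $CdpUri -AddToCertificateCdp -AddToFreshestCrl -Force

    if (Get-CAAuthorityInformationAccess | Where-Object { $_.Uri -eq $AiaUri }) {
        Remove-CAAuthorityInformationAccess -Uri $AiaUri -Force
    }
    Add-CAAuthorityInformationAccess -Uri $AiaUri -AddToCertificateAia -Force

    # Extension changes take effect only after a service restart; then publish a fresh CRL
    Restart-Service CertSvc
    certutil -crl | Out-Null

    Get-CACrlDistributionPoint | Where-Object { $_.Uri -like 'http://*' } |
        Format-Table Uri, AddToCertificateCdp, AddToFreshestCrl -AutoSize
}

function Test-HttpCrlPublished {
    # Resolve the %1 and %3 tokens for this CA and fetch the base CRL the way a client would
    $caName = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration').Active
    $fqdn   = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    $url    = "http://$fqdn/CertEnroll/" + [uri]::EscapeDataString("$caName.crl")

    $req = [System.Net.WebRequest]::Create($url)
    $req.Method = 'HEAD'
    try {
        $resp = $req.GetResponse()
        Write-Host "CRL published at $url ($($resp.StatusCode))"
        $resp.Close()
        $true
    } catch {
        # Usually means the CertEnroll virtual directory is missing: the Web Enrollment role
        # service (or a manually created IIS virtual directory) has to be present
        Write-Warning "CRL not reachable at $url : $($_.Exception.Message)"
        $false
    }
}

Enable-HttpRevocationTargets
Test-HttpCrlPublished
```

    Keep the LDAP entries in place: domain-joined clients continue to use them, and the HTTP entry is simply an additional target listed after them in newly issued certificates. If Test-HttpCrlPublished returns False, fix IIS before re-issuing the WAC certificate; an unreachable HTTP target fails the client check exactly like the LDAP-only case.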

    Validate the new WAC certificate from the non-domain-joined (workgroup) machine with the same CERTUTIL -URLFETCH -VERIFY command; the CDP and AIA sections should now list the HTTP targets alongside the LDAP ones, and the revocation check should complete successfully.

    Once verified, install the new certificate on the WAC server and reconfigure WAC to use it, and PowerPoint sharing will work without requiring any change to the Internet Explorer security setting.

  • Preinstalling SQL Express 2012 SP1 for Lync Server 2013

    Continuing from the previous blog post (http://blogs.technet.com/b/lyncativity/archive/2012/06/14/preinstalling-sql-express-2008-r2-for-lync-server-2010-rtclocal-instance.aspx), the same method can also be applied to Lync Server 2013.

    The Lync Server 2013 RTM installation package ships with SQL Express 2012 RTM, so preinstalling SQL Express 2012 SP1 is a handy way to avoid having to patch SQL Express after the Lync Server 2013 installation.

    The difference with Lync Server 2013, however, is that the Front End server now hosts two SQL Express 2012 instances, RTCLOCAL and LYNCLOCAL.

    The RTCLOCAL instance contains the rtc, rtcdyn and xds databases, whilst the LYNCLOCAL instance contains the lyss database.

    The SQL Express 2012 SP1 x64 version can be downloaded from:

    http://download.microsoft.com/download/5/2/9/529FEF7B-2EFB-439E-A2D1-A1533227CD69/SQLEXPR_x64_ENU.exe

    And the following one-liner can be used to preinstall the SQL Express 2012 SP1 RTCLOCAL instance:

    SQLEXPR_x64_ENU.EXE /QUIET /IACCEPTSQLSERVERLICENSETERMS /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE="Automatic"

    The following one-liner can be used to preinstall the SQL Express 2012 SP1 LYNCLOCAL instance:

    SQLEXPR_x64_ENU.EXE /QUIET /IACCEPTSQLSERVERLICENSETERMS /HIDECONSOLE /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=LYNCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE="Automatic"

    NOTE: If you choose to install SQL Express 2012 SP1 using the GUI instead, be aware that the TCP/IP protocol is not enabled by default, and that will cause the Lync database installation to fail. This is easily corrected by enabling TCP/IP on both the RTCLOCAL and LYNCLOCAL instances in SQL Server Configuration Manager (SQL Server Network Configuration, Protocols for the instance) and restarting the instances.

  • Preinstalling SQL Express 2008 R2 for Lync Server 2010 RTCLOCAL instance

    With the Central Management Store and topology concepts introduced in Lync Server 2010, every Lync Server 2010 server runs a Local Configuration Store hosted by a SQL Express 2008 named instance called RTCLOCAL. The topology database is called XDS.

    On servers running as Front End servers, the SQL Express 2008 RTCLOCAL instance is more than just the Local Configuration Store, as it also hosts the local registrar databases (RTC and RTCDYN).

    In a large pool, the local registrar databases can grow beyond the 4 GB database size limit imposed by SQL Express 2008. SQL Express 2008 R2 raises that limit to 10 GB, so upgrading the RTCLOCAL instance to SQL Express 2008 R2 is recommended to avoid potential operational issues as the databases grow.

    Whilst it is possible to upgrade the RTCLOCAL instance after finishing the Install Local Configuration Store deployment step, it is also possible to preinstall SQL Express 2008 R2 as a shortcut, avoiding a separate, time-consuming upgrade.

    So, before starting the deployment process, SQL Express 2008 R2 can be preinstalled; Bootstrapper.exe will recognise the preinstalled RTCLOCAL instance and skip the installation of SQL Express 2008.

    The latest SQL Express 2008 R2 x64 version can be downloaded from: http://download.microsoft.com/download/D/1/8/D1869DEC-2638-4854-81B7-0F37455F35EA/SQLEXPR_x64_ENU.exe

    And the following one-liner can be used to preinstall the SQL Express 2008 R2 RTCLOCAL instance:

    SQLEXPR_x64_ENU.EXE /IACCEPTSQLSERVERLICENSETERMS /ACTION=Install /FEATURES=SQLEngine,Tools /INSTANCENAME=RTCLOCAL /TCPENABLED=1 /SQLSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSYSADMINACCOUNTS="Builtin\Administrators" /BROWSERSVCSTARTUPTYPE="Automatic" /AGTSVCACCOUNT="NT AUTHORITY\NetworkService" /SQLSVCSTARTUPTYPE="Automatic" /INDICATEPROGRESS /Q

    Note: for a Lync Server 2010 Standard Edition installation, the main back-end database instance (RTC) is also hosted by SQL Express 2008, and it can be preinstalled with SQL Express 2008 R2 as well by changing the instance name in the one-liner above to /INSTANCENAME=RTC.
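    The following PowerShell script is an added example and is not from either of the two SQL Express posts. It wraps the unattended setup switches used by the one-liners in this post and in the Lync Server 2013 post above into one function, installs a list of instances, and then verifies the things the Lync deployment step depends on: the instance is registered, its service exists and starts automatically, TCP/IP is enabled (the pitfall the 2013 post warns about), and the build number is the expected service pack level. The only thing that changes between the two posts is the instance list. It assumes SQLEXPR_x64_ENU.exe (either version) is in the current directory and that the script runs elevated.

```powershell
# Added example, not from the original posts. Preinstalls one or more SQL Express
# instances with the same switches as the one-liners above, then verifies what the Lync
# database installation depends on: service present, TCP/IP enabled, build number.
# Assumes SQLEXPR_x64_ENU.exe is in the current directory and the session is elevated.
$Installer = Join-Path $PWD 'SQLEXPR_x64_ENU.exe'
$Instances = 'RTCLOCAL', 'LYNCLOCAL'   # Lync 2010: just 'RTCLOCAL' (plus 'RTC' on Standard Edition)

function Install-LyncSqlExpressInstance {
    param([Parameter(Mandatory=$true)][string]$Installer,
          [Parameter(Mandatory=$true)][string]$InstanceName)

    $arguments = @(
        '/Q', '/IACCEPTSQLSERVERLICENSETERMS', '/ACTION=Install',
        '/FEATURES=SQLEngine,Tools',
        "/INSTANCENAME=$InstanceName",
        '/TCPENABLED=1',                                # Lync setup fails without this
        '/SQLSVCACCOUNT="NT AUTHORITY\NetworkService"',
        '/SQLSYSADMINACCOUNTS="Builtin\Administrators"',
        '/BROWSERSVCSTARTUPTYPE=Automatic',
        '/AGTSVCACCOUNT="NT AUTHORITY\NetworkService"',
        '/SQLSVCSTARTUPTYPE=Automatic'
    )
    $proc = Start-Process -FilePath $Installer -ArgumentList $arguments -Wait -PassThru
    # 0 = success, 3010 = success but a reboot is required; anything else is a failure
    if (-not (0, 3010 -contains $proc.ExitCode)) {
        throw "SQL Express setup for $InstanceName failed with exit code $($proc.ExitCode)"
    }
    $proc.ExitCode
}

function Test-LyncSqlExpressInstance {
    param([Parameter(Mandatory=$true)][string]$InstanceName)

    $root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # Instance name -> instance ID, e.g. RTCLOCAL -> MSSQL11.RTCLOCAL (2012) or MSSQL10_50.RTCLOCAL (2008 R2)
    $instanceId = (Get-ItemProperty "$root\Instance Names\SQL").$InstanceName
    if (-not $instanceId) { throw "Instance $InstanceName is not registered on this server" }

    $tcp     = Get-ItemProperty "$root\$instanceId\MSSQLServer\SuperSocketNetLib\Tcp"
    $version = Get-ItemProperty "$root\$instanceId\MSSQLServer\CurrentVersion"
    $service = Get-Service "MSSQL`$$InstanceName"
    $wmi     = Get-WmiObject Win32_Service -Filter "Name='MSSQL`$$InstanceName'"

    New-Object PSObject -Property @{
        Instance     = $InstanceName
        InstanceId   = $instanceId
        Version      = $version.CurrentVersion    # 11.0.3000.0 = SQL Express 2012 SP1
        TcpEnabled   = ($tcp.Enabled -eq 1)       # False after a default GUI install
        ServiceState = $service.Status
        StartMode    = $wmi.StartMode
    }
}

foreach ($name in $Instances) {
    Install-LyncSqlExpressInstance -Installer $Installer -InstanceName $name | Out-Null
}
$Instances | ForEach-Object { Test-LyncSqlExpressInstance -InstanceName $_ } |
    Format-Table Instance, InstanceId, Version, TcpEnabled, ServiceState, StartMode -AutoSize
```

    If TcpEnabled comes back False for any instance (typically after a GUI install), enable TCP/IP for that instance in SQL Server Configuration Manager and restart the instance before running the Lync deployment step. Note that the one-liners grant BUILTIN\Administrators the sysadmin role on each instance; that is what Lync's Bootstrapper expects, but it does mean every local administrator on the server has full control of the local Lync databases.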

    Although the increased maximum database size only benefits Front End servers, when deploying new Lync Server 2010 servers today, regardless of the server role, standardising the RTCLOCAL instance on SQL Express 2008 R2 ensures that all Lync servers run the latest supported SQL Express version.

    - Agus Rachman, Senior Consultant, Microsoft Services (with special thanks to Ales Moskon, Senior Consultant, Microsoft Services for the collaboration as SQL SME).