June 17, 2009
Clever post by Geoff Clark on a workaround for OCS when split-brain DNS isn’t an option: http://blogs.technet.com/gclark/archive/2009/05/02/ocs-dns-automatic-configuration-when-split-dns-is-not-an-option.aspx
This could be useful for other applications as well, but I would still push to get split-brain DNS configured if at all possible before falling back to this option as a last resort. While it’s attractive, consider the overhead of maintaining and documenting additional DNS zones. Probably not an issue for the admin doing this, but for someone else taking a look at your environment you’ll probably raise some “WTF?” eyebrows.
Doug Lawty expands on Geoff’s idea a bit and uses Dnscmd.exe to work around a GUI limitation to create the exact zone you need: http://blogs.technet.com/dougl/archive/2009/06/12/communicator-automatic-configuration-and-split-brain-dns.aspx
Tags: DNS, OCS
Posted in Collaboration | No Comments »
May 21, 2009
Last month Aaron Tiensivu cleared up a little mystery about how to set up the automatic updating feature in MOC 2007 R2. I finally got around to trying it myself and I noticed that he updated the post to include mention of a Resource Kit tool called CvcMsiUploader.exe which provides some automation for the manual process he described. I figured I’d try and show how that utility can be used as an alternative means of providing the automatic updates.
- First, I downloaded the latest Communicator.msp hotfix from May 19th which brings Communicator to version 6907.22. I placed this patch in the root of the C: temporarily.
- Open a command prompt and CD to %Program Files%\Microsoft Office Communications Server 2007 R2\ResKit.
- Run the following command to see the options and switches used with this utility:
CvcMsiUploader.exe /?
You’ll see the full syntax we need to upload a patch. I’m not up on my Microsoft licensing abbreviations, but I believe the build type you’ll more than likely specify is Fre. I think the Chk builds are for debugging purposes. I’m also not aware of an x64 Communicator yet, so you’ll be specifying x32 for your architecture. The language code has to be in LCID format, so if you’re using English specify 1033.
Now construct your command. Here’s a full example, using my Standard Edition. After completion you’ll get a simple line that says “Uploaded msi file successfully.”
CvcMsiUploader.exe /Mode:upload /Folder:OC /Arch:x32 /Build:Chk /Lang:1033 /SE:ocs-r2-fe.ptown.local C:\communicator.msp
- At this point open the OCS 2007 R2 management console.
- Right-click on your pool object and select Filtering Tools | Client Version Filter.
- Press the Add button to begin creating a new filter.
Use the following settings to force an upgrade for users running the RTM version of Communicator 2007 R2.
- User Agent Header: OC
- Major version number: 3
- Minor version number: 5
- Build number: 6907
- Qfe number: 0
- Select comparison operation to perform: =
- Select the action to apply to this version: Block and Upgrade
- Folder that contains the upgrade images: OC
- Press OK twice to save the filter.
- The filter might take up to 15 minutes to take effect. You can expedite this refresh by restarting the OCS services.
From a client perspective, the next time you login you’ll see the update begin to download.
Once the download completes the progress bar turns green and you’ll be prompted to install the update immediately or cancel the installation. If you don’t take any action, the update will install when the 2 minute countdown expires.
At that point Communicator will exit and you’ll see the MSP being applied with a Windows Installer dialog. No user interaction required.
When complete, Communicator will restart and sign in again. You can verify the update has been applied by checking the version number in the About dialog.
An important note here is that this process doesn’t run with system credentials on the user’s machine, so if they are not an administrator they won’t be able to complete the upgrade. The automatic updating feature is nice, but it’s really limited to organizations that grant local admin privileges to their users.
Tags: 2007, OCS, R2
Posted in Office Communications Server 2007 R2 | 2 Comments »
May 12, 2009
The Agent Communications Panel (ACP) is a link between OCS 2007 R2 and Dynamics CRM 4.0 that Microsoft released awhile back. I’ve seen plenty of posts and mentions of the product, but not much yet that shows how to install it and what it actually does.
First, some notes that I feel have been a little overlooked, or not made terribly clear in the documentation thus far.
- I’ve seen conflicting information around support for the add-in. A lot of posts indicate it’s fully supported by the OCS team, but according to this post, the ACP is not supported in any way from Microsoft. It really sounds like it’s more of a proof-of-concept application to show what you can do with the UC APIs and the ability to link to other platforms. Anyone know what the official story is? I’m hesitant to mention this to clients because of the ambiguous support policy.
- CRM natively has presence, IM, and click-to-call functionality as long as Communicator is running on the user’s PC. This is true of both the Outlook version and the web-based access to CRM. The ACP application differs by providing the Communicator functionality through the browser without actually using Communicator. However, there is no link or dependency on Communicator Web Access for the ACP.
- Because this is an XAML browser application (XBAP) it provides a lot more functionality than Communicator Web Access. Specifically, audio traffic can be played through the browser, so you have the Enterprise Voice features similar to a full Communicator experience.
To get started, download all the material found here: http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0d689f13-4953-40ea-995e-49469dae559e
I used an x86 Server 2003 CRM machine, but read the install guide for some notes regarding installation on Server 2008 and UAC.
The installation is very easy. On your CRM server, launch the AgentCommunicationsPanelServer<Architecture Type>.msi setup, accept the license agreement and press Next.
The install should be fairly quick. Press Finish once it completes.
Now, make sure you have a client machine with Internet Explorer 7 and the .NET 3.5 SP1 framework installed.
On your client, add your “https://<CRM Server Name>” site to the Intranet Zone in Internet Explorer to allow automatic logon.
Also, take the contents of MicrosoftCodeSigningPCA.zip and MicrosoftCorporation.zip files and install both certificates to the Trusted Root Certification Authorities and Trusted Publishers stores.
Now visit https://<CRM Server Name>/AgentCommunications/Microsoft.AgentCommunicationsPanel.xbap and you’ll see the application begin to download. It’s about 60 MB in size.
If you forgot to install the two certificates to both the Trusted Root Certification Authorities and Trusted Publishers store you’ll probably see this error: “Trust Not Granted. The application cannot be deployed because it is not trusted and possibly unsafe.”
If you followed everything correctly you’ll be presented with the ACP. Your presence and note can be set at the top of the screen. You can also now click on Set up A/V to configure your audio device for VoIP.
The screenshot below shows an incoming call from Roger Daltrey to an Enterprise Voice enabled user, Mick Jagger. You can see that Roger’s information was immediately pulled up in front of the agent when the call came in to provide easy access to the contact.
This second screenshot shows the ability for the agent to consult with another agent or contact while in a call.
I hope this was helpful to those wondering what the ACP actually looks like and what the installation process entails. There is obviously some great potential using the Response Group Service here to accommodate a small call center. Supported or not, it’s a great way to show off how you can build UC voice into applications.
Tags: 2007, 4, acp, crm, OCS, R2
Posted in Collaboration | 1 Comment »
May 11, 2009
The OCS Resource Kit team, aka DrRez, posted a link on Twitter this morning to a blog post detailing ServerManagerCmd.exe lines you could throw in a batch file to install the prereqs for OCS 2007 R2. That post reminded me of an .XML file I had created awhile back that I had forgotten to share which offers similar functionality.
My file differs a bit from the components John Weber suggested in that it’s a little more restrictive about what IIS components actually get installed. I take the basic IIS install and add only Windows Authentication and the IIS 6 management features. I’ve been using this file for a number of deployments and haven’t run into issues yet with a component being missing so I feel comfortable posting this. There are also two components you’ll see here that are not in John’s post. The first is MSMQ with directory service integration to make sure your QoE agent service doesn’t fail to start all the time. The second is the Telnet client, which I find useful for basic troubleshooting.
If you don’t want either of these, it’s easy enough to edit the .XML file and remove them. You can download the file below. Just right-click and save-as.
Keep in mind this is for a Front-End server only. A role like Communicator Web Access requires different components to be installed.
Rather than using a batch file just save this XML to your server and run the following command to install all your Front-End prerequisites.
Command
ServerManagerCmd.exe -ip OCS2007R2-FE.xml
XML File Download
OCS2007R2-FE.xml
XML File Contents
<!-- ServerManagerCmd Answer File compatible with Windows Server 2008 -->
<!-- Usage: ServerManagerCmd -ip OCS2007R2-FE.xml -->
<ServerManagerConfiguration Action="Install" xmlns="http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1">
<!-- Install IIS -->
<Role Id="Web-Server"/>
<RoleService Id="Web-Windows-Auth"/>
<RoleService Id="Web-Mgmt-Compat"/>
<!-- Install Message Queuing for Monitoring Server link -->
<Feature Id="MSMQ-Server"/>
<Feature Id="MSMQ-Directory"/>
<!-- Install AD DC Tools -->
<Feature Id="RSAT-ADDC"/>
<!-- Install Windows Process Activation Service -->
<Feature Id="WAS-Process-Model"/>
<Feature Id="WAS-Config-APIs"/>
<!-- Install Telnet client for troubleshooting -->
<Feature Id="Telnet-Client"/>
</ServerManagerConfiguration>
This is what your server will report as the installed roles and features after installation.
Roles
Features
I’m planning on posting these files for the other roles when I get a chance.
I apologize for the poor readability here – I’ve been working on cranking out a new blog design for quite some time and just haven’t gotten around to publishing it. It should improve on any kind of code viewing.
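The post notes that the optional components can be removed by editing the .XML file. As an added example (not part of the original post), this Python code lists what the answer file will install and writes a trimmed copy without chosen Ids, so the file can be reviewed before it is handed to ServerManagerCmd. The function names are illustrative, and the embedded file is the one shown above.

```python
import xml.etree.ElementTree as ET

# Namespace declared on the root element of the post's answer file.
NS = "http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"

# Answer file from the post, embedded so the example runs offline.
ANSWER_FILE = f"""<ServerManagerConfiguration Action="Install" xmlns="{NS}">
  <!-- Install IIS -->
  <Role Id="Web-Server"/>
  <RoleService Id="Web-Windows-Auth"/>
  <RoleService Id="Web-Mgmt-Compat"/>
  <!-- Install Message Queuing for Monitoring Server link -->
  <Feature Id="MSMQ-Server"/>
  <Feature Id="MSMQ-Directory"/>
  <!-- Install AD DC Tools -->
  <Feature Id="RSAT-ADDC"/>
  <!-- Install Windows Process Activation Service -->
  <Feature Id="WAS-Process-Model"/>
  <Feature Id="WAS-Config-APIs"/>
  <!-- Install Telnet client for troubleshooting -->
  <Feature Id="Telnet-Client"/>
</ServerManagerConfiguration>"""

# Element kinds used in the post's file.
KINDS = ("Role", "RoleService", "Feature")


def _parse(xml_text):
    """Parse the file and confirm the root element and namespace."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NS}}}ServerManagerConfiguration":
        raise ValueError("not a ServerManagerCmd answer file")
    return root


def list_components(xml_text):
    """Return (kind, Id) for each Role, RoleService and Feature, in file order."""
    found = []
    for el in _parse(xml_text):
        kind = el.tag.rpartition("}")[2]  # strip the "{namespace}" prefix
        if kind not in KINDS or not el.get("Id"):
            raise ValueError(f"unexpected element: {el.tag}")
        found.append((kind, el.get("Id")))
    return found


def strip_components(xml_text, unwanted_ids):
    """Return the answer file without the listed Ids (XML comments are dropped)."""
    ET.register_namespace("", NS)  # keep xmlns as the default namespace on output
    root = _parse(xml_text)
    for el in list(root):
        if el.get("Id") in unwanted_ids:
            root.remove(el)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for kind, ident in list_components(ANSWER_FILE):
        print(f"{kind:12} {ident}")
    # Drop the two optional additions the post mentions: MSMQ and Telnet.
    print(strip_components(ANSWER_FILE,
                           {"MSMQ-Server", "MSMQ-Directory", "Telnet-Client"}))
```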
Tags: 2007, OCS, R2
Posted in Office Communications Server 2007 R2 | 3 Comments »
April 20, 2009
I think this went largely unnoticed in many of the blogs I follow in the wake of the Exchange 2010 newsapolooza last week, but there was an update released for Communicator Phone Edition bringing the device version to 3.5.6907.9. The first thing I noticed was the fact that my phone number is now displayed at the top of the screen which is a nice touch. There is also a high-contrast option for those who have trouble seeing the screen.
Phone number display:
High-contrast enabled:
Issues and Fixes:
- This change is applicable if there is a call log entry created for a call from someone who is a contact in the signed-in user’s Outlook contact list, the GAL, or the OCS contact list. For that call log entry, an icon indicates which device (work, home, mobile, or Communicator call) was used to make the call. This enables the user to call the remote party back directly by using the call log entry "Call" function. The call log now stores the actual number that was used to make the call.
- Issue: This package enables accessibility support for vision impaired users. High Contrast color schemes can increase readability by using higher contrast color combinations on the screen. With this change, user can operate the telephone in high-contrast mode. We have now included the High Contrast setting. You can enable this setting from the Settings menu.
- This package enables accessibility support for hearing or speech impaired users. Before this release, the user could not connect a telephone typewriter device into the headset port on the back of the telephone and enable the setting so that they can communicate with a remote party that supports text telephony. A TTY setting on the Settings menu has been added to let the user connect a TTY device to the telephone.
- This package enables the display of the user’s own telephone number on the main screen. With this change, the work number for the user, as entered in the corporate directory, will always be displayed at the top of the display.
The official document and download can be found here: http://support.microsoft.com/?kbid=967820
Tags: 2007, Communicator, OCS, tanjay
Posted in Office Communications Server 2007, Office Communications Server 2007 R2 | No Comments »
March 30, 2009
An interesting page just showed up on the Microsoft download site – Microsoft Office Communications Server 2007 R2 Capacity Planning Tool. I haven’t had a chance to try it out yet, but it appears to be a toolkit for stress testing an OCS server and validating your hardware.
The Office Communications Server 2007 R2 Capacity Planning Toolkit provides a set of tools and documentation to simplify capacity planning for Office Communications Server 2007 R2. The Capacity Planning Toolkit can be used as a complement to the Microsoft Office Communications Server 2007 R2 Planning Guide.
This release of the Office Communications Server 2007 R2 Capacity Planning Toolkit contains tools and documentation to simplify your hardware planning, provide you with increased knowledge and best practices for performance tuning, and improve your ability to verify the performance of your intended Office Communications Server 2007 R2 deployments.
The Capacity Planning Toolkit is intended for use by IT professionals in a test environment prior to production deployment. These tools should never be used against a live production environment.
The tools in this Toolkit are designed to be used with Office Communications Server 2007 R2 only. If you are searching for tools that work with Live Communications Server 2005, please download the Live Communications Server 2005 Capacity Planning Toolkit from http://www.microsoft.com/downloads/details.aspx?familyid=107a5e83-ca59-4bcb-a3bc-27efd97a477d&displaylang=en
Tags: 2007, OCS, ocsstress, R2
Posted in Office Communications Server 2007 | 1 Comment »
March 12, 2009
Right after we finished decommissioning our entire OCS 2007 R1 setup we received a batch of Communicator Phone Edition (Tanjay) devices from Microsoft that had a pre-R1 version of the firmware loaded – 1.0.199 (1.23). Initially they wouldn’t even sign in to an R2 pool and when I changed the client version filter they were able to sign in, but then immediately generated a failure “Application DoMo.exe has performed an illegal operation and will be shut down”. The device would then exit DoMo.exe and dump you into the Windows CE desktop. Fun.
I found some references that the only way to get these suckers updated was to use an R1 pool and Update Server so I started building up a lab of R1 servers again and the joys (read: excruciating agony) of the update service. Even still, no matter what I did I couldn’t get these phones to even sign in to an R1 pool. They never downloaded the certificate from AD using an Integrated Enterprise CA, and never picked up the time correctly from the time server. All my DNS entries and DHCP options were configured correctly, so what the heck, right?
Thankfully, I ran across a post in the OCS forums where someone detailed this ridiculous process of setting the time and date and installing the certificate manually so the Tanjay could sign in. Amazingly, it works. I’m reposting it here with a few notes of my own so it’s easier to find for anyone else that is so lucky to receive a device with this firmware.
I used VMware Workstation with 3 VMs – a DC/CA/DNS/DHCP server, an OCS 2007 Standard Edition Front End, and a SharePoint Services 3.0 (not SP1) server. I bridged the NIC on all of the VMs to my wired NIC and then plugged my wired NIC into a switch with the Tanjays on it. Be careful that you don’t bridge your VM with a live network that already has DHCP on it if you go this route.
- Connect the Tanjay phone to a network with a DHCP server.
- Ensure that you can ping the IP address assigned to the Tanjay phone. You can check the address leased from the DHCP server. The Tanjay’s MAC address should begin with 0016e3f1xxxx
- When booted up for the first time, it would launch the Communicator 07 phone edition and it would attempt to sign in but the sign in would fail. Exit it by touching the relevant screen button.
- There are two things we need to do: install the Root CA cert and change the system time. If you can’t see the screen properly, you can adjust the desktop theme by going into the display properties. (Tap and hold on the desktop - properties).
- On the Win CE desktop, double tap on My Device. Go into the Control Panel and change the system time. WARNING: The time and date will reset to March 07 after every reboot. You will have to change the system time again if you need to power off the device.
- Export your CA’s root certificate to a .cer format file. Place it in a file share. Give the file share Everyone read permissions and Everyone read ability on the security settings.
- Next, on the Tanjay phone Control Panel, double tap "Owner" and go to the "Network ID" tab. Enter the username, password and domain to access the file share. The input panel tends to block the field you’re trying to type in, but you can drag the window slightly up or down to see what you’re entering.
- Go back to the root of the device and select the "Network" folder.
- Expose the address bar if it is not shown (View | Address bar)
- On the address bar, type the UNC name of the file share where the root CA cert is stored.
- After a while the share should open up. If it doesn’t, double check your UNC name and also the password entered in the previous step. (Blank password is not allowed by default)
- Highlight the .cer and choose File | Send To | My Documents.
- Go back to Control Panel and open the Certificates panel. Under "Trusted Authorities", click on Import. Choose From a File and just browse to the cer file in the My Documents folder. You should now see it listed in the trusted root list.
- To launch Office Communicator Phone Edition again go to the Windows directory and find a file/shortcut called DoMo.exe. Double tap on this to launch the OCPE software.
- Now you should be able to sign in to your R1 pool. Assuming your update server is properly working and you have the latest R1 ucupdates.cab files approved, wait and the phone should update in about 15 minutes.
- Ok, so now you’ve got a phone at version 1.0.522.101 (1.23) which will be able to sign in to R2.
- After you sign in to an R2 pool the phone should grab an interim update version 1.0.522.103 (1.23) and restart again.
- Sign in one more time and the phone will now pick up the latest Tanjay bits which puts your device at 3.5.6907.0 (1.23).
Rui Silva has an awesome post on the R2 update process if you’re having trouble at that point: http://blogs.technet.com/ucspotting/archive/2009/03/11/troubleshooting-ocs-2007-r2-device-update-service-for-communicator-phone-edition.aspx
Tags: 2007, ce, ocpe, OCS, R2, tanjay, Windows Mobile
Posted in Office Communications Server 2007, Office Communications Server 2007 R2 | No Comments »
March 10, 2009
A few weeks ago I had posted an issue we were seeing internally after deploying Communicator Web Access R2 where we saw a certificate error only when IE was the user’s browser, even when going through a reverse proxy. After a lot of searching, debugging and help requests I finally got an answer back from someone at Microsoft as to why this was happening.
The problem occurs because Internet Explorer only recognizes 1 level of a wildcard certificate. So, my initial logon and connection were completely valid to im.confusedamused.com using a wildcard certificate of *.confusedamused.com. The problem manifested itself whenever I would try and initiate a chat session with someone and the information bar would drop in complaining of a certificate mismatch. Doing some logging shows that the as.im.confusedamused.com and download.im.confusedamused.com URLs are contacted when you open a chat. Since IE won’t consider the *.confusedamused.com certificate valid for either of those URLs because they are technically 1 level deeper than my wildcard certificate is issued for, it generates a certificate warning.
I didn’t bother testing, but I imagine if you generated a SAN certificate with a subject name of *.confusedamused.com and a SAN of *.im.confusedamused.com IE would have allowed the connection with no warning. We ended up just going with a named SAN cert of the following:
Subject Name: im.confusedamused.com
Subject Alternative Names: im.confusedamused.com, as.im.confusedamused.com, download.im.confusedamused.com
For what it’s worth, Firefox and Safari seem to accept multiple levels of a wildcard certificate just fine, so the issue seems to be constrained to just IE. It would be great to say that CWA was just for other browsers anyway, but the desktop sharing feature makes a strong case to include support for IE in your deployment.
For the next wave of OCS I’d hope the product team does away with the domain prefixes and just keys off of suffixes instead, using something like im.confusedamused.com/as or im.confusedamused.com/download so this isn’t an issue. They did this for the /join and /dialin pieces, so I would think it’s possible. Oh well, maybe in 2010.
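As an added example (not code from the original post), the Python below applies the single-label wildcard rule described above to the three CWA hostnames and to the certificate layouts the post discusses. The function names are illustrative, and the result for the two-wildcard layout is what the rule predicts, not a tested IE result.

```python
# Added example: hostname matching under the single-label wildcard rule.
# Hostnames and certificate names are the ones quoted in the post.

def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(cert_name, hostname):
    """Return True if cert_name covers hostname.

    '*' is honoured only as the entire left-most label and stands for
    exactly one label, so it never spans a dot.
    """
    c, h = _labels(cert_name), _labels(hostname)
    if len(c) != len(h) or not all(h):
        return False
    if c[0] == "*":
        # Need at least two fixed labels after the star (no "*.com").
        return len(c) >= 3 and c[1:] == h[1:]
    return c == h


def uncovered(cert_names, hostnames):
    """Hostnames that no name in the certificate covers."""
    return [h for h in hostnames
            if not any(name_matches(n, h) for n in cert_names)]


# Hosts the post says a CWA R2 client contacts.
CWA_HOSTS = [
    "im.confusedamused.com",
    "as.im.confusedamused.com",
    "download.im.confusedamused.com",
]

# Certificate layouts discussed in the post.
CERTS = {
    "wildcard only": ["*.confusedamused.com"],
    "wildcard + *.im SAN (untested in the post)": [
        "*.confusedamused.com", "*.im.confusedamused.com"],
    "named SAN cert": [
        "im.confusedamused.com", "as.im.confusedamused.com",
        "download.im.confusedamused.com"],
}


def coverage_report():
    """Map each certificate layout to the CWA hosts it leaves uncovered."""
    return {label: uncovered(names, CWA_HOSTS)
            for label, names in CERTS.items()}


if __name__ == "__main__":
    for label, missing in coverage_report().items():
        print(f"{label}: {missing if missing else 'all hosts covered'}")
```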
Tags: 2007, cwa, OCS, R2, SAN, wildcard
Posted in Office Communications Server 2007 R2 | 2 Comments »
February 25, 2009
This one killed me today. Exchange 2007 SP1, with Rollup Update 6 on Server 2008. Everything working perfectly with one exception – the offline address book (OAB) never downloads from the file distribution point for Outlook 2007 clients. Works fine via public folders, but not web-based. No error, no timeout, no progress indicator, no login prompt, Outlook just looks like it’s endlessly trying to download the OAB. I double-checked all the URLs, flipped around SSL settings, but still couldn’t figure out why it wouldn’t download. I would have been happy to see an error so I had something to search on. There were actually 2 problems here that made the situation a real pain in the ass.
First – the same bug that affects Outlook Anywhere on Server 2008 apparently does a number on the OAB too. The solution is to turn off kernel-mode authentication in IIS. Run this command to fix that issue and you’re halfway there. I ran across some blog that mentioned Rollup Update 7 may include this change by default.
C:\Windows\system32\inetsrv\appcmd.exe set config /section:system.webServer/security/authentication/windowsAuthentication /useKernelMode:false
Second – I had enabled a redirect at the Default Web Site root to dump clients to the /owa folder gracefully using the Microsoft methodology at Technet. If you read the procedure you’ll notice setting the redirect at the root sets the same redirect on every single virtual directory. So, you need to go in to each virtual directory and undo the change you made for the root. This works fine, or appears to until your Outlook 2007 client tries to download the OAB and hangs forever.
I brightly plugged the URL to the OAB.XML file into IE and was greeted with a 500 – Internal Server Error message without an authentication prompt. That didn’t seem right. After some searching I realized the reason why Outlook hangs forever is that it tries to hit this URL, gets denied, uses some back-off logic, and tries again. I believe the back-off gets longer and longer each time it fails.
What happens is that when you disable that redirect for the OAB virtual directory IIS 7 generates a web.config file in the C:\Program Files\Microsoft\Exchange Server\ClientAccess\OAB folder. This seems logical, as it overrides the redirect at the root level, and is necessary. Unlike every other web.config that is generated in the other folders like Autodiscover and OWA, Authenticated Users do not have read access to the file. This is why Outlook and IE can’t even access the /OAB virtual directory.
The fix is pretty easy. Open the web.config in the OAB folder, and give Authenticated Users both the Read and Read & Execute permissions. Run an iisreset /noforce on the CAS server to bounce IIS. Just for good measure, on the client side I wiped out the Outlook profile, and the contents of the %USERPROFILE%\Local Settings\Application Data\Microsoft\Outlook folder. Once I recreated the profile the OAB downloaded just fine. All in a day’s fun…
Tags: 2007, 2008, Exchange, iis, kernel, oab, server
Posted in Exchange Server 2007 | 7 Comments »
February 11, 2009
This task has always been more of a pain than it ever should have been, regardless of application. After trying a few of the usual hacks like requiring SSL and using a custom error page or an HTTP to HTTPS module I found I still wasn’t having any luck. From what I can tell this is because there actually isn’t any kind of default web page in the CWA virtual directory so when you browse to the HTTP version of the site you actually get a 404 “Page not Found” error before anything else happens.
I ended up keying off that idea and changed the 404 error page to be a redirect to the HTTPS page. I’m still testing this out, but I haven’t run into any issues yet with this approach. To change your site the same way:
- Open IIS 7 Manager.
- Click on the CWA virtual web site you want to redirect.
- Double-click on Error Pages.
- Highlight 404 and press Edit in the right pane.
- Select Respond with a 302 redirect, enter https://My-CWA-URL and click OK.
- Run an iisreset /noforce for good measure.
I’m curious how this works for everyone and if you see any issues with this method.
Tags: 2007, 7, cwa, http, https, iis, OCS, R2
Posted in Office Communications Server 2007 R2 | 3 Comments »