Skype for Business Server 2015 Deployment – Part 1
Similar to past articles, this series of basic deployment articles captures a specific environment which will also be used as the foundation for many Skype for Business (SfB) Server 2015 specific deployment articles. Starting with a single Standard Edition Skype for Business Server in a fresh Active Directory forest, future articles will build on this deployment with additional component installation like Edge Services, Exchange Server integration, etc.
Throughout this series of articles the same basic instructional flow is used as for previous releases. Although it may not have been obvious, the usage of bulleted items is intentionally specific. Steps starting with a bullet are mandatory to reach the same level of installation completion as the article intends to provide at the end. Normal paragraphs without bullets may include optional steps intended to provide a deeper understanding of a previous action, or cover the installation of optional tools or components used to aid in knowledge transfer of the topic at hand. This format aids in skimming through the article for repeated installations.
For these articles specific to Skype for Business Server 2015 a new lab environment has been created which is slightly different to environments used in the Lync Server articles. An important change from the past is that a single, flat internal Active Directory and SMTP/SIP domain namespace is now being utilized. This decision was made based on two factors: that a single namespace is easier to deal with when performing fresh lab installations and also that this reflects more common best practices today. Because many corporate networks still utilize disparate namespaces the difference between them may be specifically called out in these articles when prudent for educational reasons.
As was also done in the previous Lync Server 2013 deployment articles a valid Top Level Domain (TLD) name was selected for the single namespaces to allow for the use of public certificates where desired, as described in this previous article. A joint Active Directory and primary SIP/SMTP namespace of jdskype.net is used throughout this new series of articles.
- Physical Host: VMware ESXi 6.0 server running on an HP ProLiant DL380 with 96GB of RAM and 12 physical CPU cores.
- Domain Controller: A single Windows Server 2012 R2 x64 guest promoted to a domain controller for the new Active Directory forest root domain of jdskype.net.
- Skype for Business Front End Server: A second virtual guest running Windows Server 2012 R2 x64 Standard Edition and joined to the jdskype.net domain.
- The default domain administrator account used to perform all steps is a member of the Domain Admins, Enterprise Admins, and Schema Admins domain security groups.
- The Forest and Domain functional levels were set to Windows Server 2012 R2.
- A Windows Enterprise Certificate Authority was deployed on the domain controller to provide SSL certificates for internal services. The CA configuration was updated to provide access to the Certificate Revocation List via HTTP, as explained in this article. The Root CA certificate was created with a hash algorithm of SHA256 and a 2048 bit key length.
- While optional, an Exchange Server 2013 deployment was also previously completed in this environment which will be utilized in future integration articles for features like Unified Messaging or Outlook Web Access integration.
This article will begin with the installation of a single Standard Edition Skype for Business Front End Server. For the purposes of test or educational lab environments it is more efficient to use this option than to deploy Enterprise Edition servers, which require at least one additional backend SQL Server. For details specific to deploying Enterprise Edition pools, the Skype for Business Server installation documentation should be used, as it covers an Enterprise Edition deployment as the primary example.
The first article in this series will address the following preparation steps:
- Creating a File Share
- Configuring DNS Records
- Installing the Server Prerequisites
- Installing the Administration Tools
- Preparing Active Directory
- Preparing the Central Management Store
Before performing any of these steps though the following actions were already completed in the environment:
- Windows Server 2012 R2 installed with a static IP address on a new server.
- Renamed the server and joined it to the Active Directory domain (e.g. fe.jdskype.net).
- Signed into the server using the default domain administrator account (e.g. JDSKYPE\administrator).
Create File Share
As this will be a Standard Edition server, it is supported to collocate the required file share on the same server, unlike an Enterprise Edition server which must use a separate server to host this.
- Create a new folder (e.g. SFBShare) anywhere on the server. The following path was used in this lab deployment:
- Verify that the local Administrators group is already granted Full Control at the NTFS file permission level and then enable sharing for this folder. Provide a name for the new share (e.g. SFBShare) and then assign Full Control share permissions to the local Administrators group. The permissions on this share will be more granularly defined when the Topology is published in a later step, so this step is just to ensure that the later installation process will have sufficient rights to this directory to perform the required changes.
- Verify that the newly created directory is now available as a shared directory.
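The same three steps can be scripted, as in this added example (not part of the original article), which also flags any share permission granted to someone other than the local Administrators group. The script and its `-SharePath` and `-ShareName` parameters are illustrative; the folder path has no default and must be supplied.

```powershell
# Added example (not from the original article). Run elevated on the Front End server.
# -SharePath has no default on purpose: supply the folder path used in your deployment.
param(
    [Parameter(Mandatory)] [string] $SharePath,
    [string] $ShareName = 'SFBShare'
)

$admins = 'BUILTIN\Administrators'   # local Administrators group (name on an English OS)
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl

# Create the folder if it does not exist yet.
if (-not (Test-Path -LiteralPath $SharePath)) {
    New-Item -Path $SharePath -ItemType Directory | Out-Null
}

# Confirm NTFS Full Control for local Administrators before sharing.
$ntfsOk = (Get-Acl -LiteralPath $SharePath).Access | Where-Object {
    $_.IdentityReference.Value -eq $admins -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights.HasFlag($full)
}
if (-not $ntfsOk) { throw "$admins lacks NTFS Full Control on $SharePath" }

# Share the folder, granting share-level Full Control to that group.
if (-not (Get-SmbShare -Name $ShareName -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $ShareName -Path $SharePath -FullAccess $admins | Out-Null
}

# Show the share permissions and flag any grantee other than local Administrators.
$access = Get-SmbShareAccess -Name $ShareName
$access | Format-Table AccountName, AccessControlType, AccessRight -AutoSize | Out-Host
$access | Where-Object { $_.AccountName -ne $admins } | ForEach-Object {
    Write-Warning "Unexpected share permission: $($_.AccountName) = $($_.AccessRight)"
}

# Confirm the new share is reachable by its UNC path.
$unc = "\\$env:COMPUTERNAME\$ShareName"
if (Test-Path -LiteralPath $unc) {
    "Share available at $unc"
} else {
    throw "Share $unc is not reachable"
}
```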
Configure DNS Records
The next step is to manually create a few DNS records to support various client lookup requests.
The following table lists the various Fully Qualified Domain Names (FQDN) which must be manually created for a Standard Edition server deployment. Many guides will instruct that these records are all created as a standard Host (A) record but most of these records are also supported as an Alias (CNAME) record. Utilizing Alias records when supported is generally a better practice in DNS than managing multiple Host records, but either approach is acceptable.
| FQDN | Record Type | Resolves To | Description |
|---|---|---|---|
| meet.jdskype.net | CNAME | fe.jdskype.net | Meeting Simple URL |
| dialin.jdskype.net | CNAME | fe.jdskype.net | Dial-In Simple URL |
| lyncdiscoverinternal.jdskype.net | CNAME | fe.jdskype.net | Internal SfB Client Auto Discovery |
| sip.jdskype.net | A | 192.168.0.102 | Legacy Client Discovery |
| _sipinternaltls._tcp.jdskype.net | SRV | sip.jdskype.net | Legacy Client Discovery |
Note that with a Standard Edition server the server’s hostname is the same as the Front End Pool name which will already be defined in DNS as all domain member servers will dynamically create and manage their own DNS record. The only records which need to be created manually in this step are for client auto-discovery and the various web URLs.
Also be aware that to fully support older Lync clients, especially Lync Phone Edition devices, it is still a best practice to define a ‘sip.<sipdomain>’ DNS record as well as the associated Service Location Record (SRV) in the environment.
- In the appropriate DNS Forward Lookup Zone create a new Alias (CNAME) record for the ‘meet’ FQDN, selecting the desired SfB Front End server’s FQDN as the target host.
- Repeat the previous step for the ‘dialin’ and ‘admin’ FQDNs.
- Create a new Alias (CNAME) record for the ‘lyncdiscoverinternal’ record, selecting the same FQDN as the target host.
- Create a new Host (A) record for the legacy ‘sip’ hostname, entering the desired SfB Front End server’s IP address as the target host.
Verify the new records were successfully created and test them with the ping or nslookup command from a server or workstation in the environment.
- Create a new Service Location (SRV) record from the Other New Records menu option in the Microsoft DNS Manager, entering the following details.
Port Number: 5061
Verify that the new SRV record has been successfully created and is resolvable using the following command in either Windows Command Prompt or Windows PowerShell.
nslookup -q=srv _sipinternaltls._tcp.jdskype.net
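As an alternative to DNS Manager, this added example (not part of the original article) creates the records above with the DnsServer PowerShell module and then checks that each one resolves to the expected target. The SRV priority and weight of 0 are assumed values, since the article only gives the port; the `Test-Record` helper is illustrative.

```powershell
# Added example (not from the original article). Run elevated on the DNS server
# (the domain controller in this lab), where the DnsServer module is available.
$Zone    = 'jdskype.net'
$FeFqdn  = 'fe.jdskype.net'
$SipIp   = '192.168.0.102'
$Aliases = 'meet', 'dialin', 'admin', 'lyncdiscoverinternal'
$Srv     = '_sipinternaltls._tcp'

# Illustrative helper: true when a record of that name and type is already in the zone.
function Test-Record($Name, $Type) {
    [bool](Get-DnsServerResourceRecord -ZoneName $Zone -Name $Name -RRType $Type -ErrorAction SilentlyContinue)
}

# Alias (CNAME) records pointing at the Front End server.
foreach ($name in $Aliases) {
    if (-not (Test-Record $name 'CName')) {
        Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $name -HostNameAlias $FeFqdn
    }
}
# Host (A) record for the legacy 'sip' hostname.
if (-not (Test-Record 'sip' 'A')) {
    Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'sip' -IPv4Address $SipIp
}
# SRV record. Port 5061 is from the article; priority and weight 0 are assumed values.
if (-not (Test-Record $Srv 'Srv')) {
    Add-DnsServerResourceRecord -Srv -ZoneName $Zone -Name $Srv `
        -DomainName "sip.$Zone" -Port 5061 -Priority 0 -Weight 0
}

# Verify: collect every record that does not resolve to the intended target.
$problems = @()
foreach ($name in $Aliases) {
    $c = Resolve-DnsName -Name "$name.$Zone" -Type CNAME -DnsOnly -ErrorAction SilentlyContinue |
         Where-Object Type -eq 'CNAME'
    if ($c.NameHost -ne $FeFqdn) { $problems += "$name.$Zone resolves to '$($c.NameHost)'" }
}
$a = Resolve-DnsName -Name "sip.$Zone" -Type A -DnsOnly -ErrorAction SilentlyContinue
if ($a.IPAddress -notcontains $SipIp) { $problems += "sip.$Zone resolves to '$($a.IPAddress)'" }

$s = Resolve-DnsName -Name "$Srv.$Zone" -Type SRV -DnsOnly -ErrorAction SilentlyContinue |
     Where-Object Type -eq 'SRV'
if ($s.NameTarget -ne "sip.$Zone" -or $s.Port -ne 5061) {
    $problems += "$Srv.$Zone resolves to '$($s.NameTarget):$($s.Port)'"
}

if ($problems) { $problems | ForEach-Object { Write-Warning $_ } }
else { 'All records resolve as expected.' }
```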
Install Server Prerequisites
Prior to running any Skype for Business Server installation tasks a number of Windows Server components need to be installed.
- If the server does not have Internet connectivity then mount the Windows Server 2012 installation media on the server to an available drive letter as some of the components to be installed will need to be read from the installation media as provided by the Source parameter in the following cmdlet (e.g. D:\sources\sxs).
- Launch Windows PowerShell by selecting ‘Run As Administrator’ and enter the following cmdlet to quickly install the .NET Framework package, the Remote Server Administrative Tools, and all additional prerequisites followed immediately by a required server reboot.
Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS -Source D:\sources\sxs -Restart
- After the server finishes rebooting disconnect the Windows Server media and mount the Skype for Business Server 2015 installation media.
These newly installed Windows Server components may have one or more applicable pending Windows Updates.
- Run Windows Update on the server, install any pending recommended updates, and reboot the server if requested.
- Open Windows Update again and perform another check to verify there are no additional pending recommended updates.
Additionally there is at least one critical hotfix which if not detected by the deployment wizard will block the installation of the SfB server components. While the required hotfix has already been included as part of the December 2014 Update Rollup for Windows Server 2012 R2 the SfB deployment wizard will still fail to locate the prerequisite and fail. It is recommended to install both the update rollup and the individual prerequisite hotfix.
- Return to Windows Update on the server to install the Optional Update for Windows Server 2012 R2 (KB3013769). Sort the list by file size and this large rollup package should be listed near the top of the Server 2012 R2 updates. If this update does not appear in Windows Update it can be downloaded and installed directly from the Microsoft Download Center.
- Also download and install the available hotfix for KB2982006 and then reboot the server.
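Before starting the deployment wizard, the prerequisites from this section can be checked in one pass, as in this added example (not part of the original article). It uses the feature list from the cmdlet above and the two KB numbers named in the text; the reboot-pending registry checks are an addition beyond what the article describes.

```powershell
# Added example (not from the original article). Run elevated on the Front End server.
$features = @(
    'NET-Framework-Core', 'RSAT-ADDS', 'Windows-Identity-Foundation', 'Web-Server',
    'Web-Static-Content', 'Web-Default-Doc', 'Web-Http-Errors', 'Web-Dir-Browsing',
    'Web-Asp-Net', 'Web-Net-Ext', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
    'Web-Http-Logging', 'Web-Log-Libraries', 'Web-Request-Monitor', 'Web-Http-Tracing',
    'Web-Basic-Auth', 'Web-Windows-Auth', 'Web-Client-Auth', 'Web-Filtering',
    'Web-Stat-Compression', 'Web-Dyn-Compression', 'NET-WCF-HTTP-Activation45',
    'Web-Asp-Net45', 'Web-Mgmt-Tools', 'Web-Scripting-Tools', 'Web-Mgmt-Compat',
    'Server-Media-Foundation', 'BITS'
)
$hotfixes = 'KB3013769', 'KB2982006'

# Features from the list that are not reported as installed (or not found at all).
$installed       = (Get-WindowsFeature -Name $features | Where-Object Installed).Name
$missingFeatures = $features | Where-Object { $installed -notcontains $_ }

# Updates from the article that Get-HotFix does not list on this server.
$installedKbs = (Get-HotFix).HotFixID
$missingKbs   = $hotfixes | Where-Object { $installedKbs -notcontains $_ }

# A reboot still pending from feature or update installation (added check).
$rebootKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
)
$rebootPending = [bool]($rebootKeys | Where-Object { Test-Path $_ })

[pscustomobject]@{
    MissingFeatures = $missingFeatures -join ', '
    MissingHotfixes = $missingKbs -join ', '
    RebootPending   = $rebootPending
} | Format-List
```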
Install Admin Tools
In order to configure the Topology in a later step the Topology Builder application needs to be installed, which is part of the SfB administration tools package.
- Open the mounted DVD drive and the deployment wizard should autoplay and (if required) begin the installation of the Visual C++ 2013 Runtime package.
- Confirm the default Installation Location or change the path to a different directory if desired.
C:\Program Files\Skype for Business Server 2015
The Core Components package will automatically be installed.
- When the Deployment Wizard loads the main page select the Install Administrative Tools option on the right-hand side to launch the Install Administrative Tools wizard. Advance through the wizard and when both the prerequisite component check and the tools installation are successful the task status will be reported as Completed.
To see the list of newly installed applications search for ‘skype’ on the server.
Prepare Active Directory
As this is the first Skype for Business Server 2015 installation in the Active Directory forest, the AD Schema, Forest, and Domain will need to be extended to include the various configuration objects utilized by Skype for Business Server 2015.
- Return to the main menu of the deployment wizard and select Prepare Active Directory and then click Run on Step 1: Prepare Schema.
To confirm some of the changes applied by this step open adsiedit.msc and connect to the Schema container to verify that the various ‘ms-RTC-SIP…’ schema attributes have been created.
If deploying in an environment with a single domain controller there is no need to run the replication verification processes.
- Select Run on Step 3: Prepare Current Forest and select the Local Domain as the Universal Group Location if desired. If SfB is being installed into a multiple domain forest and the universal groups need to be stored in a domain other than the domain that the current server is a member of then enter the desired domain FQDN.
Run dsa.msc to open Active Directory Users and Computers and then browse to the default Users container. Look for a number of groups starting with ‘CS’ and ‘RTC’ in their names. These groups were created during the Forest preparation step in the chosen domain.
- Advance to Step 5: Prepare Current Domain to complete the Active Directory preparation steps.
Prepare Central Management Service
The final preparation step is to install SQL on the first Front End server in the forest so that the topology configuration can be published to it.
This process will install the SQL Native Client and SQL Server Express components as well as configure Windows Firewall exceptions for remote SQL connectivity. Most importantly it also deploys a SQL Server Express named instance, simply called RTC. This instance will be the default location for the Central Management Store which is where Lync will store the majority of the global (forest-wide) configuration data. The RTC Service container shown above in the AD Configuration partition is still used to store some data, but mainly for coexistence with previous releases.
- Return to the main menu of the deployment wizard and select Prepare First Standard Edition server. It is normal for this process to take a few minutes to complete as the SQL Server Express components are installed.
A quick glance at the Programs and Features control panel shows all of the components which were installed on the server once this process is completed.
- Before moving further the domain Administrator account used throughout this process should be added as a member to the domain security groups CsAdministrator and RTCUniversalServerAdmins.
- This user account should then log off and back on to the Windows Server where Skype for Business Server is being installed to update the associated security token.
Once logged back on use the following whoami commands in the Windows Command Prompt to verify the new group membership.
whoami /groups /fo list | findstr /i CsAdmin
whoami /groups /fo list | findstr /i RTC
This concludes the preparation of the environment and the next article in this series will address defining a new topology and installing the SfB Front End server components.