Similar to past articles, this series of basic deployment articles captures a specific environment that will also be used as the foundation for many Skype for Business (SfB) Server 2015 specific deployment articles. Starting with a single Standard Edition Skype for Business Server in a fresh Active Directory forest, future articles will build on this deployment with additional component installation like Edge Services, Exchange Server integration, etc.
Throughout this series of articles the same basic instructional flow is used as for previous releases. Although it may not have been obvious the usage of bulleted items is intentionally specific. Steps starting with a bullet are mandatory to reach the same level of installation completion as the article intends to provide at the end. Yet normal paragraphs without bullets may include optional steps intended to provide a deeper understanding of a previous action or cover the installation of optional tools or components used to aid in knowledge transfer of the topic at hand. This format aids in skimming through the article for repeated installations.
Environment
For these articles specific to Skype for Business Server 2015 a new lab environment has been created which is slightly different to environments used in the Lync Server articles. An important change from the past is that a single, flat internal Active Directory and SMTP/SIP domain namespace is now being utilized. This decision was made based on two factors: that a single namespace is easier to deal with when performing fresh lab installations and also that this reflects more common best practices today. Because many corporate networks still utilize disparate namespaces the difference between them may be specifically called out in these articles when prudent for educational reasons.
As was also done in the previous Lync Server 2013 deployment articles a valid Top Level Domain (TLD) name was selected for the single namespaces to allow for the use of public certificates where desired, as described in this previous article. A joint Active Directory and primary SIP/SMTP namespace of jdskype.net is used throughout this new series of articles.
- Physical Host: VMware ESXi 6.0 server running on an HP ProLiant DL380 with 96GB of RAM and 12 physical CPU cores.
- Domain Controller: A single Windows Server 2012 R2 x64 guest promoted to a domain controller for the new Active Directory forest root domain of jdskype.net.
- Skype for Business Front End Server: A second virtual guest running Windows Server 2012 R2 x64 Standard Edition and joined to the jdskype.net domain.
- The default domain administrator account used to perform all steps is a member of the Domain Admins, Enterprise Admins, and Schema Admins domain security groups.
- The Forest and Domain functional levels were set to Windows Server 2012 R2.
- A Windows Enterprise Certificate Authority was deployed on the domain controller to provide SSL certificates for internal services. The CA configuration was updated to provide access to the Certificate Revocation List via HTTP, as explained in this article. The Root CA certificate was created with a hash algorithm of SHA256 and a 2048 bit key length.
- While optional, an Exchange Server 2013 deployment was also previously completed in this environment which will be utilized in future integration articles for features like Unified Messaging or Outlook Web Access integration.
Deployment
This article will begin with the installation of a single Standard Edition Skype for Business Front End Server. For the purposes of test or educational lab environments it is more efficient to use this option than to deploy Enterprise Edition servers, which require at least one additional backend SQL Server. For details specific to deploying Enterprise Edition pools, use the Skype for Business Server installation documentation, as it covers an Enterprise Edition deployment as the primary example.
The first article in this series will address the following preparation steps:
- Creating a File Share
- Configuring DNS Records
- Installing the Server Prerequisites
- Installing the Administration Tools
- Preparing Active Directory
- Preparing the Central Management Store
Before performing any of these steps though the following actions were already completed in the environment:
- Windows Server 2012 R2 installed with a static IP address on a new server.
- Renamed the server and joined it to the Active Directory domain (e.g. fe.jdskype.net).
- Signed into the server using the default domain administrator account (e.g. JDSKYPE\administrator).
Create File Share
Because this will be a Standard Edition server, it is supported to collocate the required file share on the same server, unlike an Enterprise Edition server which must use a separate server to host it.
- Create a new folder (e.g. SFBShare) anywhere on the server. The following path was used in this lab deployment:
C:\SFBShare
- Verify that the local Administrators group is already granted Full Control at the NTFS file permission level and then enable sharing for this folder. Provide a name for the new share (e.g. SFBShare) and then assign Full Control share permissions to the local Administrators group. The permissions on this share will be more granularly defined when the Topology is published in a later step, so this step is just to ensure that the later installation process will have sufficient rights to this directory to perform the required changes.
- Verify that the newly created directory is now available as a shared directory.
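The same three steps can be scripted from an elevated PowerShell session on the Front End server. This is an added example, not part of the original article; it uses the lab's path and share name from above and resolves the local Administrators group by its well-known SID.

```powershell
# Added example: create and verify the SfB file share described in this section.
$path  = 'C:\SFBShare'   # folder path used in this lab
$share = 'SFBShare'      # share name used in this lab

# Resolve the local Administrators group by its well-known SID so the
# script also works on non-English Windows installations.
$adminSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$admins   = $adminSid.Translate([System.Security.Principal.NTAccount]).Value

New-Item -Path $path -ItemType Directory -Force | Out-Null

# NTFS level: confirm an Allow entry for Administrators that includes Full Control.
$full   = [System.Security.AccessControl.FileSystemRights]::FullControl
$ntfsOk = (Get-Acl -Path $path).Access | Where-Object {
    $_.IdentityReference.Value -eq $admins -and
    $_.AccessControlType -eq 'Allow' -and
    ($_.FileSystemRights -band $full) -eq $full
}
if (-not $ntfsOk) { throw "$admins does not have Full Control on $path" }

# Share level: create the share only if it is missing, granting Full Control
# to the local Administrators group as the step above describes.
if (-not (Get-SmbShare -Name $share -ErrorAction SilentlyContinue)) {
    New-SmbShare -Name $share -Path $path -FullAccess $admins | Out-Null
}

# Verification: list every principal with share-level access, then confirm
# that the UNC path resolves (returns True when the share is reachable).
Get-SmbShareAccess -Name $share |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize
Test-Path "\\$env:COMPUTERNAME\$share"
```

Reviewing the `Get-SmbShareAccess` output again after the Topology is published shows which entries the installation process added to the share.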
Configure DNS Records
The next step is to manually create a few DNS records to support various client lookup requests.
The following table lists the various Fully Qualified Domain Names (FQDN) which must be manually created for a Standard Edition server deployment. Many guides will instruct that these records are all created as a standard Host (A) record but most of these records are also supported as an Alias (CNAME) record. Utilizing Alias records when supported is generally a better practice in DNS than managing multiple Host records, but either approach is acceptable.
| FQDN | Record Type | Resolves To | Description |
| --- | --- | --- | --- |
| meet.jdskype.net | CNAME | fe.jdskype.net | Meeting Simple URL |
| dialin.jdskype.net | CNAME | fe.jdskype.net | Dial-In Simple URL |
| admin.jdskype.net | CNAME | fe.jdskype.net | Administration URL |
| lyncdiscoverinternal.jdskype.net | CNAME | fe.jdskype.net | Internal SfB Client Auto Discovery |
| sip.jdskype.net | A | 192.168.0.102 | Legacy Client Discovery |
| _sipinternaltls._tcp.jdskype.net | SRV | sip.jdskype.net | Legacy Client Discovery |
Note that with a Standard Edition server the server’s hostname is the same as the Front End Pool name which will already be defined in DNS as all domain member servers will dynamically create and manage their own DNS record. The only records which need to be created manually in this step are for client auto-discovery and the various web URLs.
Also be aware that to fully support older Lync clients, especially Lync Phone Edition devices, it is still a best practice to define a ‘sip.<sipdomain>’ DNS record as well as the associated Service Location Record (SRV) in the environment.
- In the appropriate DNS Forward Lookup Zone create a new Alias (CNAME) record for the ‘meet’ FQDN, selecting the desired SfB Front End server’s FQDN as the target host.
- Repeat the previous step for the ‘dialin’ and ‘admin’ FQDNs.
- Create a new Alias (CNAME) record for the ‘lyncdiscoverinternal’ record, selecting the same FQDN as the target host.
- Create a new Host (A) record for the legacy ‘sip’ hostname, entering the desired SfB Front End server’s IP address as the target host.
Verify that the new records were successfully created and test them with the ping or nslookup command from a server or workstation in the environment.
- Create a new Service Location (SRV) record from the Other New Records menu option in the Microsoft DNS Manager, entering the following details.
Service: _sipinternaltls
Protocol: _tcp
Port Number: 5061
Host: sip.jdskype.net
Verify that the new SRV record has been successfully created and is resolvable using the following command in either Windows Command Prompt or Windows PowerShell.
nslookup -q=srv _sipinternaltls._tcp.jdskype.net
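The records in the table above can also be created and checked with the DnsServer PowerShell module instead of DNS Manager. This is an added example, not part of the original article; it assumes it is run elevated on the DNS server itself (the domain controller in this lab), and the SRV priority and weight of 0 are assumptions because the article does not state them.

```powershell
# Added example: create the SfB DNS records from the table and verify them.
$zone    = 'jdskype.net'
$feFqdn  = "fe.$zone"          # Front End server / pool FQDN from the article
$feIp    = '192.168.0.102'     # Front End IP address from the table
$aliases = 'meet', 'dialin', 'admin', 'lyncdiscoverinternal'

# CNAME records for the simple URLs and internal autodiscover.
foreach ($alias in $aliases) {
    if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $alias -ErrorAction SilentlyContinue)) {
        Add-DnsServerResourceRecordCName -ZoneName $zone -Name $alias -HostNameAlias $feFqdn
    }
}

# Host (A) record for legacy client discovery.
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name 'sip' -RRType A -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name 'sip' -IPv4Address $feIp
}

# SRV record _sipinternaltls._tcp pointing at sip.<sipdomain> on TCP 5061.
# Priority and weight are required by the cmdlet; 0/0 is an assumption.
$srvName = '_sipinternaltls._tcp'
if (-not (Get-DnsServerResourceRecord -ZoneName $zone -Name $srvName -RRType Srv -ErrorAction SilentlyContinue)) {
    Add-DnsServerResourceRecord -ZoneName $zone -Srv -Name $srvName `
        -DomainName "sip.$zone" -Port 5061 -Priority 0 -Weight 0
}

# Verification from the resolver's point of view: every alias should point
# at the Front End FQDN, sip should return the Front End IP, and the SRV
# record should return sip.<sipdomain> with port 5061.
foreach ($alias in $aliases) {
    Resolve-DnsName -Name "$alias.$zone" -Type CNAME |
        Where-Object Type -eq 'CNAME' |
        Format-Table Name, Type, NameHost -AutoSize
}
Resolve-DnsName -Name "sip.$zone" -Type A |
    Format-Table Name, Type, IPAddress -AutoSize
Resolve-DnsName -Name "$srvName.$zone" -Type SRV |
    Where-Object Type -eq 'SRV' |
    Format-Table Name, NameTarget, Port, Priority, Weight -AutoSize
```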
Install Server Prerequisites
Prior to running any Skype for Business Server installation tasks a number of Windows Server components need to be installed.
- If the server does not have Internet connectivity then mount the Windows Server 2012 installation media on the server to an available drive letter as some of the components to be installed will need to be read from the installation media as provided by the Source parameter in the following cmdlet (e.g. D:\sources\sxs).
- Launch Windows PowerShell by selecting ‘Run As Administrator’ and enter the following cmdlet to quickly install the .NET Framework package, the Remote Server Administrative Tools, and all additional prerequisites followed immediately by a required server reboot.
Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS -Source D:\sources\sxs -Restart
- After the server finishes rebooting disconnect the Windows Server media and mount the Skype for Business Server 2015 installation media.
These newly installed Windows Server components may have one or more applicable pending Windows Updates.
- Run Windows Update on the server, install any pending recommended updates, and reboot the server if requested.
- Open Windows Update again and perform another check to verify there are no additional pending recommended updates.
Additionally there is at least one critical hotfix which if not detected by the deployment wizard will block the installation of the SfB server components. While the required hotfix has already been included as part of the December 2014 Update Rollup for Windows Server 2012 R2 the SfB deployment wizard will still fail to locate the prerequisite and fail. It is recommended to install both the update rollup and the individual prerequisite hotfix.
- Return to Windows Update on the server to install the Optional Update for Windows Server 2012 R2 (KB3013769). Sort the list by file size and this large rollup package should be listed near the top of the Server 2012 R2 updates. If this update does not appear in Windows Update it can be downloaded and installed directly from the Microsoft Download Center.
- Also download and install the available hotfix for KB2982006 and then reboot the server.
Install Admin Tools
In order to configure the Topology in a later step the Topology Builder application needs to be installed, which is part of the SfB administration tools package.
- Open the mounted DVD drive and the deployment wizard should autoplay and (if required) begin the installation of Visual C++ 2013 Runtime package.
- Confirm the default Installation Location or change the path to a different directory if desired.
C:\Program Files\Skype for Business Server 2015
The Core Components package will automatically be installed.
- When the Deployment Wizard loads the main page select the Install Administrative Tools option on the right-hand side to launch the Install Administrative Tools wizard. Advance through the wizard and when both the prerequisite component check and the tools installation are successful the task status will be reported as Completed.
To see the list of newly installed applications search for ‘skype’ on the server.
Prepare Active Directory
Because this is the first Skype for Business Server 2015 installation in the Active Directory forest, the AD Schema, Forest, and Domain will need to be extended to include the various configuration objects utilized by Skype for Business Server 2015.
- Return to the main menu of the deployment wizard and select Prepare Active Directory and then click Run on Step 1: Prepare Schema.
To confirm some of the changes applied by this step open adsiedit.msc and connect to the Schema container to verify that the various ‘ms-RTC-SIP…’ schema attributes have been created.
If deploying in an environment with a single domain controller there is no need to run the replication verification processes.
- Select Run on Step 3: Prepare Current Forest and select the Local Domain as the Universal Group Location if desired. If SfB is being installed into a multiple domain forest and the universal groups need to be stored in a domain other than the domain that the current server is a member of then enter the desired domain FQDN.
Run dsa.msc to open Active Directory Users and Computers and then browse to the default Users container. Look for a number of groups starting with ‘CS’ and ‘RTC’ in their names. These groups were created during the Forest preparation step in the chosen domain.
- Advance to Step 5: Prepare Current Domain to complete the Active Directory preparation steps.
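The adsiedit.msc and dsa.msc checks described above can be run as a single query. This is an added example, not part of the original article; it assumes the ActiveDirectory PowerShell module is available on the server and that the Local Domain was chosen as the Universal Group Location, so the groups are in the default Users container of the current domain.

```powershell
# Added example: verify the results of the Prepare Schema and Prepare Forest steps.
Import-Module ActiveDirectory
$rootDse = Get-ADRootDSE

# Step 1 (Prepare Schema): count the 'ms-RTC-SIP...' attribute definitions
# in the Schema container, the same objects browsed with adsiedit.msc.
$schemaAttrs = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(&(objectClass=attributeSchema)(cn=ms-RTC-SIP-*))'
if (-not $schemaAttrs) {
    Write-Warning 'No ms-RTC-SIP schema attributes found; schema preparation has not completed.'
} else {
    "Schema attributes named ms-RTC-SIP-*: $(@($schemaAttrs).Count)"
}

# Step 3 (Prepare Current Forest): list the CS* and RTC* groups created in
# the default Users container, with scope and creation time so that groups
# which predate this deployment stand out.
$usersDn = "CN=Users,$($rootDse.defaultNamingContext)"
$groups  = Get-ADGroup -SearchBase $usersDn -SearchScope OneLevel `
    -Filter "Name -like 'CS*' -or Name -like 'RTC*'" -Properties whenCreated
if (-not $groups) {
    Write-Warning "No CS*/RTC* groups found in $usersDn; forest preparation has not completed."
} else {
    $groups | Sort-Object Name |
        Format-Table Name, GroupScope, GroupCategory, whenCreated -AutoSize
}
```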
Prepare Central Management Service
The final preparation step is to install SQL on the first Front End server in the forest so that the topology configuration can be published to it.
This process will install the SQL Native Client and SQL Server Express components as well as configure Windows Firewall exceptions for remote SQL connectivity. Most importantly it also deploys a SQL Server Express named instance, simply called RTC. This instance will be the default location for the Central Management Store which is where Lync will store the majority of the global (forest-wide) configuration data. The RTC Service container shown above in the AD Configuration partition is still used to store some data, but mainly for coexistence with previous releases.
- Return to the main menu of the deployment wizard and select Prepare First Standard Edition server. It is normal for this process to take a few minutes to complete as the SQL Server Express components are installed.
A quick glance at the Programs and Features control panel shows all of the components which were installed on the server once this process is completed.
- Before moving further the domain Administrator account used throughout this process should be added as a member to the domain security groups CsAdministrator and RTCUniversalServerAdmins.
- This user account should then log off and back on to the Windows Server where Skype for Business Server is being installed to update the associated security token.
Once logged back on use the following whoami commands in the Windows Command Prompt to verify the new group membership.
whoami /groups /fo list | findstr /i CsAdmin
whoami /groups /fo list | findstr /i RTC
This concludes the preparation of the environment and the next article in this series will address defining a new topology and installing the SfB Front End server components.
We get core information from your article of Lync.
Thanks Jeff
Hi Jeff,
I am running through problem of sfb2015 inplace grade. I have successfully done front end sfb2015, but when trying the edge server it's giving the error of “Uninstalling local management server failed”.
Any help would be appreciated..
Tx
Anu
How to do skype for business sign polycom cx 700 on intranet and internet ?
I am running through problem of sfb2015 inplace grade. I have successfully done front end sfb2015, but when trying the edge server it's giving the error of “Installing local management services…Failed” with error: (Error encountered: Unrecognized command line parameter “/SkipDatabaseInstall”.)
Any help would be appreciated..
Thanx
sagir.
Hi guys, should we change meet. , dialin. , into something like skypemeet. , skypedialin. URL addresses?
Is it ok for external URLs?
Does anyone run IIS ARR used for EXC13 and LYNC13/Skype4Business at the same server?
regards,
Thiago
Hi, we deployed Lync 2010 as both physical and virtual as MS would not support some services as virtual. Can we completely virtual a Skype for Business 2015 environment or do MS support requirements mean we still need physical servers for 1100 users?
Physical servers are still recommended when dealing with lots of media but all server components are supported virtualized now. For that size deployment virtual servers should be fine, but obviously there are a lot of factors involved in what constitutes ‘fine’.
Jeff,
Is there a “manual” way to “Prepare First Standard Edition Server”? Our security has a requirement that no software be installed on the system drive unless it’s unavoidable. This was possible for Lync 2010 (batch file to run the commands), I was hoping it was also available for Skype for Business 2015. Yes, it’s not streamlined but it works and keeps them off my butt hehe.
Thank you for all the time you take preparing these blogs and answering these questions from everyone. I, at least, appreciate your efforts. My Lync 2010 install went MUCH smoother after I found your blog (smile)
Hi,
Is it possible to add additional standard front and edge server? Currently I have only one FE and one Edge server in my SBB environment.
You can add other SE servers and assign them with a primary/backup failover relationship. Edge servers can be expanded into an Edge Pool, which requires some reconfiguration/redeployment.
Hi Jeff
I need some help with SFB2015 implementation. I’ve completed setup and configured Sonus SBC1k as per SIP provider's instructions and started doing some test calls. Somewhere from within the Lync environment all external calls are preceded with additional 2 digits 64 of a calling DDI or Mobile. Unable to figure out where this is generated from; Sonus and SIP provider have indicated no issues found at their end. Your help will be much appreciated.
xx
Jonathan
Quick question for you, what part is install on what machine? I read though your guide however after the DNS records what server should the different steps being carried out?
The DNS records are created on your DNS server, which in a small lab is typically installed on the Windows Domain Controller.
Hi Jeff,
I have a question about SFBShare. I understand local administrator requires to have Full Access permission. But does everyone need to have READ permission?
Thank you.
Akiko
Yes, the minimum permissions outlined here and in Microsoft’s articles are accurate.
I am facing an issue with Skype for Business mobility service, any help please? Is there anybody still checking this blog?
Yes, but for community support I support heading over to https://techcommunity.microsoft.com
We have LYNC server 2013 currently using by users and would like to use Skype for Business Server 2016 in parallel.. Single Active Directory can host two different versions at the same time?
Yes, you can have several different versions deployed at one time in the same Active Directory Forest.
Jeff: I was wondering if you knew the time increment on the log files that are generated when you move a user from Lync to Skype (i.e. “timeTaken”, “TimeTakenForMoveUserPrep”. Thanks BK
Sorry I haven’t had to dive into that one before.
I have deployed a S4B 2015 pool. I have a Lync 2013 pool in place. Users moved to the S4B pool are unable to expand groups. I get Inner Exception:Could not establish trust relationship for the SSL/TLS secure channel with authority error when running Get-CSGroupExpansion. If I create a host file pointing the pool name to the local server it works. Any ideas where I need to look?
Thanks.
Please where can I download Skype for business 2015 server or purchase?
Hello,
Could any one answer on question, is it possible to connect Skype for businesses client from home computer (not in domain) to internal corporate Skype for Business server (with public IP)?
Any help would be appreciated.
Thanks.
In short, not really. The supported method is to deploy an Edge Server and use a Reverse Proxy to publish web services from the internal server. http://blog.schertz.name/tag/edge/
In theory I guess it might be possible but would be complicated. If you deploy Front-End servers on the public Internet then you’d have to use a non-standard lyncdiscover DNS configuration or utilize the manual configuration option in the client as the primary communications port would be TCP 5061 instead of TCP 443. That might be blocked or filtered though depending on several factors though.
Hi Jeff,
I have deployed SFB 2019 and published services via reverse proxy server. All services are accessible on the internet. Users can sign in by Skype client, but Mobility users (I tested Samsung, for example) receive this message:
“We can’t sign you in. Please Check your account info and any updates you made in Advanced options”
When I set Autodetect Server on manual, no message appears but no connection is made!
The user can even enter the meeting as a guest via the Internet
Thank you very much for your help
I look forward to receiving your guidance
Thank You So Much.