Continuing from a previous post this article moves into the installation and configuration of the Skype for Business Server components for a Standard Edition Front End server. As with the previous article any mandatory steps are identified by bulleted paragraphs while non-indented steps for validation and educational purposes are optional.
Deployment
The second article in this series will cover the following deployment steps:
-
Defining the Topology
-
Deploying the Server Components
-
Verifying the Installation
Before performing these steps in this article make sure to successfully complete all of the prerequisite actions covered in Part 1 of this series.
Define Topology
Before installing any additional server components the Skype for Business topology must be defined.
Create New Topology
- Launch the Skype for Business Server 2015 Topology Builder and then select New Topology.
- Save a new .tbxml file with any desired name (e.g. 06072015.tbxml).
- For the Primary SIP domain enter the desired domain namespace (e.g. jdskype.net).
Add any additional desired SIP domains at this point , but a single SIP domain is sufficient for most deployments as well as this series of articles.
- Select a Name for the first site to be created in the topology (e.g. Lab) and enter a Description if desired.
- Specify the locality information associated with the first site and then complete the wizard.
At this point the Define New Front End Pool wizard should be automatically launched.
- On the Define Front End Pool FQDN page select Standard Edition Server and then enter the Fully Qualified Domain Name (FQDN) of the Windows domain member server where the SFB prerequisites were installed (e.g. fe.jdskype.net).
- Select the features which should be installed and enabled on this Front End server. Later articles will cover the deployment of some of these additional features.
- Retain the default enabled setting of Collocate Mediation Server on the Select Collocated Server Roles page.
- On the Associate Server Roles with this Front End Pool page leave the option blank as an Edge Server does not yet exist. This setting will be addressed when an Edge Server is deployed in a later article.
- As this is a Standard Edition server then there will be no configurable options available on the Define the SQL Store page. Take note of the automatically defined SQL Server store which is comprised of the server’s FQDN (fe.jdskype.net) followed by the previously installed SQL Express instance name (RTC).
- On the Define a File Store page enter the name of the Windows file share created in the previous section (e.g. SFBShare).
-
On the Specify the Web Services URL page the External Base URL will automatically be set to the same FQDN as the internal Front End server (e.g. fe.jdskype.net). For the purposes of this article the default setting will be retained and in the future when external services are published this will be updated to reflect the external namespace.
-
The next page Select an Office Web Apps Server is used to either define a new OWAS pool FQDN or associate this server with an existing OWAS pool. The next article will cover deploying this server role so simply uncheck this option and then click Finish to complete the wizard. (Note that until this server is deployed that PowerPoint content sharing will be unavailable as this service is not handled by the Skype for Business Front End server role.)
Upon completion the Topology Builder window should refresh and the defined settings will be populated as shown.
- Back at the main Topology Builder window select Edit Properties on the Lync Server root-level object. Highlight the Simple URLs section and enter the desired Administrative Access URL (e.g. https://admin.jdskype.net). Technically his is an optional step as the administrative access URL is not required, but is a convenient way to access the Server Control Panel via a web browser internally.
- Move down to the Central Management Server section and select the new Front End server (e.g. fe.jdskype.net) as the location to install the CMS component on.
Publish Topology
The final process is to publish the changes made to the topology into the Central Management Server database which also updates information in the RTC services container in Active Directory and sets up the folder structure and permissions on the file share.
-
From the Action menu select Publish Topology. The local server FQDN for the Central Management Store location should already be populated in the drop-down menu due to the previous step. If all configuration steps were performed correctly then the wizard should complete without any errors or warnings.
Deploy Server
Unlike most other Microsoft server platform products were installation of the actual server components is one of the very first steps, the Communications Server family has historically been different. The server installation itself is quite hands-off and can be automated to a large degree. The fair amount of activity up until this point has been geared around providing the backend components to store the overall configuration of the environment, which is now available for use by the server installation steps.
Install Skype for Business Server Components
The next step is to install a second SQL Express named instance called RTCLOCAL on the local server which will contain a replica of the existing RTC named instance.
Only the first Standard Edition server in the organization would contain the authoritative RTC instance installed in the previous article, while all other Front End Servers (and even Edge Servers) would contain their own RTCLOCAL instance to replicate the Central Management Store data.
As the Administrative Tools have already been installed on the server then the Skype for Business Server Deployment Wizard can be found in the Start Menu on the local server. The installation media is no longer required as the installation files have been copied to the server.
- On the Windows Start Menu search for ‘Deploy’ to locate and launch the Skype for Business Server Deployment Wizard. From the main menu select Install or Update Skype for Business Server System.
- On Step 1: Install Local Configuration Store select Run and leave the default setting of Retrieve the configuration data directly from the Central Management Store and complete the wizard.
Reviewing the results in the execution window should confirm that the second SQL Express instance of RTCLOCAL was installed as well as the core SFB Server components.
Checking prerequisite SupportedOSNoDC…prerequisite satisfied.
Checking prerequisite DotNet35…prerequisite satisfied.
Checking prerequisite SupportedSqlRtcLocal…prerequisite satisfied.
Checking prerequisite WMIEnabled…prerequisite satisfied.
Checking prerequisite NoOtherVersionInstalled…prerequisite satisfied.
Checking prerequisite PowerShell…prerequisite satisfied.
Checking prerequisite SqlUpgradeInstanceRtcLocal…prerequisite satisfied.
Installing SQLEXPR_x64.exe(/Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install
/FEATURES=SQLEngine,Tools /INSTANCENAME=RTCLOCAL /TCPENABLED=1 /SQL…
Secondly the Local CMS replica was instantiated by importing the configuration from the existing CMS database an then replicating the database data itself.
Import-CSConfiguration -FileName "C:\Users\ADMINI~1.JDS\AppData\Local\Temp\2\CSConfigData-2015_06_08-13_19_39.zip" -Verbose -LocalStore
> Enable local replica service
Enable-CSReplica -Verbose -Confirm:$false -Report "C:\Users\administrator.JDSKYPE\AppData\Local\Temp\2\Enable-CSReplica-[2015_06_08][13_17_14].html"
Additionally the replication of any certificates stored in the CMS is performed. Although no certificates have been installed yet for this deployment had there been one then this action would have replicated any existing OAuthcertificates required for server to server MTLS communications.
> Replicate-CsCmsCertificates
Logging status to: C:\Users\administrator.JDSKYPE\AppData\Local\Temp\2\ReplicateCMSCertificates-[2015_06_08][13_17_14].html
To confirm the installation location of the RTCLOCAL database files on the server check the default SQL Server installation directory for the existence of the xds files.
%ProgramFiles%\Microsoft SQL Server\MSSQL12.RTCLOCAL\MSSQL\DATA
- On the Skype for Business Server Deployment Wizard advance to Step 2: Setup or Remove Skype for Business Server Components and click Run to start the Set Up Lync server Components wizard.
Once again the Bootstrapper application will execute and perform a prerequisite check before installing additional components. These include a third SQL instance called LyncLocal and additional Windows Speech components and foreign language packs.
Checking prerequisite KB2858668Installed…prerequisite satisfied.
Installing vcredist_11_x64.exe(/Q)…success
Installing WindowsFabric\v3\WindowsFabric.msi( REBOOT=ReallySuppress STARTUPTYPE=demand REMOVEDATA=yes IACCEPTEULA=yes TESTMODESKIPPREREQUISITECHECK=yes)…success
Installing MicrosoftIdentityExtensions.msi( REBOOT=ReallySuppress ALLUSERS=1)…success
Checking prerequisite SqlUpgradeInstanceLyncLocal…prerequisite satisfied.
Installing SQLEXPR_x64.exe(/Q /IACCEPTSQLSERVERLICENSETERMS /UPDATEENABLED=0 /HIDECONSOLE /ACTION=Install
/FEATURES=SQLEngine,Tools /INSTANCENAME=LYNCLOCAL /TCPENABLED=1 /SQL…
Immediately following will be the installation of the Lync server components which make up the different services and roles on the Front End server (e.g. AVMCU, Mediation Server).
Verify that the installation task status was reported as successfully completed.
Create Default Server Certificate
Returning to the server deployment process the next step is to request and assign server certificates so that the Lync services can be started.
If using an Enterprise Windows CA make sure that before any server certificates are requested that the guidance mentioned in the Environment section of the previous article is followed. In order to properly support PowerPoint file sharing to any Office Web App attendees which are on workstations which are not domain-joined then the default Windows Certificate Authority configuration must be modified.
- Using the guidance covered in either of these two articles launch the Certification Authority (certsrv.exe) application and under the CA’s properties configure the CRL Distribution Point (CDP) and Authority Information Access (AIA) extensions to include the HTTP paths in any certificates issued and signed by this CA.
At this point any new certificate requests will include this critical information in the issued certificate.
- Run Step 3: Request, Install or Assign Certificates and then expand the Default Certificate entry to verify that all roles are checked. Click Request to start the Certificate Request wizard.
-
Populate the desired information making sure to select the SIP domain to add the sip.<sipdomain> record to the certificate.
The Friendly Name can be set to anything and is not actually part of the certificate request, it can even be changed after the certificate is returned and imported. Note that although Lyncdiscover.<sipdomain> was not defined as an internal DNS record in the previous article the certificate wizard still includes this FQDN as a requirement for external support.
- Submit the request to the online certificate authority and when the task completes successfully select the View Certificate Details button to validate the certificate status and that a private key was correctly associated.
- Advance to the next wizard to perform the Certificate Assignment task. In the event that the role assignment is accidentally lost between the request and assignment wizards then the assignment task might fail with an error that a Type has not been provided. If that occurs simply cancel out of the wizard and return to the main wizard screen. On the Certificate Wizard main screen If the checkboxes to the left of the Server Default, Web Service Internal, and Web Service External roles are no longer selected then reselect them and click Assign.
- Verify that the proper certificate is highlighted (in the event that this server already has any other server certificates installed on it) and then complete the wizard, verifying that the task status is reported as Completed.
- Back at the Certificate Wizard main screen the new certificate should now be listed on each of the three Default Certificate roles.
Create OAuth Certificate
As this is the first SfB server deployed into the environment then a new OAuth certificate needs to be created as well. This is a one-time process as this certificate will be shared by any other SfB server which may be later installed.
- On the Certificate Wizard main screen select the OAuthTokenIssuer role and then click Request.
- Enter a descriptive Friendly Name and then submit the certificate request.
- Advance through the assignment wizard to finish the OAuth certificate configuration in the same fashion as performed for the server certificate.
Start Services
In previous releases the services could be started directly from the deployment wizard as part of Step 4: Start Services. With the addition of a new PowerShell cmdlet in SFB this task is now a manual one. While SfB Server now includes a new cmdlet called Start-CsPool this is only intended for use with multiple node Enterprise Edition pools. When dealing with a single server in a pool or a Standard Edition server as in this article then the previous guidance of using the CsWindowsService cmdlets still holds true.
- Launch the Skype for Business Server Management Shell and execute the following Start-CsWindowsService cmdlet.
Start-CsWindowsService
To validate the server status the Get-CsWindowsService cmdlet can be issued to list the individual SfB services.
Get-CsWindowsService
Verify Topology
Utilizing the Skype for Business Server 2015 Control Panel the basic functionality of the new deployment can begun to be tested.
Before opening the Skype for Business Server 2015 Control Panel, just as with previous Lync Server releases, it is helpful to configure the local server’s Internet Options to bypass the the prompt for credentials whenever the tool is launched.
- Open Internet Options, navigate to the Security tab, select Local Internet and click Sites, then click Advanced.
- Enter the local server’s FQDN as a URL (e.g. https://fe.jdskype.net) and then save the changes.
- If Silverlight is not already installed on the server than the Control Panel will report this fact.
- Use the provided link to immediately download and install Silverlight on the local server.
- Once the installation is complete the Home page of the control panel will be displayed. Select the Topology menu and verify that the new server is listed and the Status and Replication fields are healthy.
Summary
With the conclusion of this article a functional Skype for Business Server should now be deployed and is ready for further configuration. The next article in the series will cover enabling a test user account and then progress on with deploying additional server roles like the Office Web Apps Server.
Hey Jeff,
Great write up as usual! You link at the top of the page appears to be broken “Continuing from a previous post”.
Andrew
Thanks, link fixed.
Still the link is not working
I have not yet posted the third article in this series.
Is the third article posted? I clicked on the link and it’s not working.
Part 3 was posted back in August, I’ve fixed the link as well.
Since upgrading to S4B 2015, our Polycom HDX endpoints no longer have the ‘join now’ button, have you seen this issue?
Thanks!
Yes, this can be due to the wording in the invitation changing from “Join Online Meeting” to “Join Skype Meeting”. The HDX is unable to locate the Meeting URL because of that change. Given that the HDX platform is no longer under development I don’t know if it will be addressed or not in any future firmware updates.
[…] concludes the preparation of the environment and the next article in this series will address defining a new topology and installing the SfB Front End server […]
I’ve been looking for a discussion of DR scenarios where a Production Data Center goes “dark” and you have to cut over services to your Disaster Recovery / COOP Data Center. I’m thinking about a back hoe to fiber or natural disaster scenario that prevents us from the services normally hosted in our Production Data Center – Skype For Business for example.
Skype could and should be a primary communication tool during such an event but only if Skype services can be quickly brought back up from an alternate / DR Data Center.
To build that out we plan to deploy a FE Pool with an Edge Pool in our DR Data Center. The DR FE pool will be set up with Pool Pairing for our Production pool to make it easier and faster to move all users to DR if our Prod DC becomes unavailable.
What I haven’t found is clear documentation on how to “swing” external services from 1 Data Center and Edge Pool to another Data Center and Edge Pool.
I assume it will require some DNS swings so our Public DNS Resolution goes to our DR Data Center.
If you could do an article with workflows, architecture diagrams and how to implement something like this I’m sure it would be very widely appreciated.
Thanks for all the Lync and Skype content you’ve provided. It’s always helpful.
Mike
Hi Jeff,
Will you also be publishing steps to enable Skype for Business is a hybrid configuration with Office 365?
I hadn’t planned on doing that any time soon. I’m sure there are a few other blog sites out there which cover the Hybrid configuration in depth.
Hi Jeff..
Always you are the first one in publishing artclies with implementation steps for Lync server.. Great stuff!!
Thank you
Great article Jeff.
Will it be possible for you to share some limitations/constraints in Sfb Server 2015. I know its too early, since SfB was RTM in May 2015 only. My area of interest currently lies in upgrade of Lync 2010 SBAs to SfB Server 2015 ( I know there is a direct upgrade path without going to Lync 2013 first). I want to know what all needs to be taken care when attempting this upgrade, what all is broken for which there is no CU/patch etc. Mainly focused around Cisco ISR SBAs.
Jeff,
We are deploying Skype for business 2015 in a multi-tenant deployment. We can get a CX500 and 600 phone to work on the root domain, but unable on the hosting domains for clients. Any ideas, we are struggling.
Thanks
ALOT
Todd
Todd, Lync Phone Edition devices are only supported by Microsoft for On-Premises single-tenant and Office 365 environments. Other multi-tenant hosted environments are not supported, the VVX model of phones can address this limitation.
Hi Todd and Jeff,
I have been looking for some information on trying to accomplish a multi-tenant Skype for Business environment and am seeing that the add on pack has been discontinued for Lync 2013. Can you please let me know if there is any other means or option to accomplish a multi-tenant setup?
Solicit your kind assistance.
Thank you,
Joyjit Ghosh
No, not that I’m aware of.
I recently upgraded our Lync 2013 standard pool and edge server to Skype for business 2015.
We had a Polycom DMA and RMX configured as per their doc (Trusted application pool in topology).
Upgrading to Skype seem to have broken functionality – The Lync error suggests that it is not trying to hit the DMA by the Trusted app pool fqdn instead of the actual DMA fqdn specified – this all worked prior to upgrade. If I remove the multi-computer pool and instead create just a single computer pool and use the DMA’s fqdn that way – it works but of course, then the RMX fails (ICE/OCS reg failure)
I have been working with Polycom but not getting anywhere.
I will reach out to MS as well, but grimace that impending back and forth 🙂
Have you experienced issues with Multi-Computer trusted application pools using Skype for Business? Any light you could shine on this would be great.
Usage of a multi-computer pool is still best practice and is required as both the DMA and RMX need to be defined. I’ve not seen this yet, but make sure that you are using the latest firmware on each component for official SfB support (DMA 6.3, RMX 8.6).
Anyone had the issue when deployed SFB 2015 edge server with single external IP and NAT enabled I get an SSL Certification error from https://testconnectivity.microsoft.com “The Microsoft Connectivity Analyzer is attempting to obtain the SSL certificate from remote server skype.gendac.co.za on port 443.” I am using a wildcard Certificate and all services are running on my edge server. Any suggestions?
Wildcard certificates are not supported on the Edge Server, only for web services like Simple URLs and Lync Discover.
I am not able to install Web Components Server and Enterprise Web Application Server for Skype for Business Server 2015.
Setup shows status as completed.
Plz suggest.
quick question Jeff. I want to do a swing migration (not really comfortable doing an in place migration and I have the hardware), is the process the same as when performing the upgrade from 2010 to 2013? only this time, have a 2013 enterprise pool and a Skype enterprise pool co-existing?
Yes, the process is basically the same. Make sure to consult the TechNet documentation for the supported procedure.
Hi Jeff,
I wanted to say thank you for the documentation. I used your stuff when we deployed our Lync pilot internally and now for the Skype upgrade. I have deployed a new pool and plan to migrate users from the Lync pool to the Skype pool.
I just finished installation of Skype for Business, but now I cannot log into the Control Panel. It just accepts the credentials and then prompts again. I am a domain administrator, and in the proper RTC admin groups. After prompting 3 times I get a 401.1 error. I am trying to find something in the logs to point me in the right direction, but I haven’t found anything. Have you seen this before?
Thanks in advance!
Allen
Allen, are you using the same account that you deployed SfB with? It almost sounds more like a service issue than a permissions issue.
I have the similar issue, how did you fixed this issue ?
Hi Jeff,
big thanks for this guide. I’m curious about the tnext series!
Thanks again,
Chris
Hi jeff,
I have a sfb server and lync 2010 server running side by side. I also have one rmx2000 which has been integrated with lync server 2010. Currently I’m testing realconnect with sfb. Can I run all required sfb configuration script to the RMX without affecting Lync Server. I know RMX can only register to one SIP server at a time, but is there any impact configuring sfb to point to single rmx.
No that will be fine. Typically I remove the entire configuration in Lync and then reconfigure everything with the new SfB Front End pool as the Trusted Application’s next hop pool.
What is the process for using a third party vendor for the cert I have not had much luck. I have done self assigned and been able to manually install cert on client and it works.
Thanks
Howie
Upon importing the cert I get it does not match because of the .local which I am doing split DNS any suggestions? so the service wont run because of it not matching is there a way with powershell I can exclude or something??
I’m not sure what you are trying to do but if the FQDNs do not match exactly then the certificate will not be accepted.
Do you have any info on Application Web Proxy and ADFS for lync for outside access?
I have setup ADFS and Web app proxy on my DMZ network.
Just need to tie them together now
I recently performed an in place upgrade and even though the upgrade went smoothly without any errors I can longer communicate with any of our federated partners. Their status shows as presence unknown.
Federation was working fine before the upgrade.
Thanks
Something that is very important, you need to right click, ‘run as administrator’ for most of the functions. The one that is most important is the deploy step, otherwise the creation of the directory tree and it’s appropriate permissions for the shared folder will not work.
Also, the databases will not create is the server name doesn’t match when installing Standard version.
Other than that, a very comprehensive writeup.
Hi Jeff,
Awesome blog. Do you have any pointers for cross-forest migration of SFB where the namespace must remain the same?
Hi Jeff am from Guatemala and managed to successfully implement SFB through the tutorial you posted, but unfortunately I can not login in the client SFB, apparently tells me it’s a problem with certificates.
In my domain controller I installed the important role of CA however have doubts about how I configure this service, Could you help me?
Gustavo, you can just follow the basic CA deployment articles available on Microsoft TechNet. Make sure you create the root CA certificate using SHA1 or SHA2 and no more than 4Kb in key length.
Hi Jeff, I have tired to Skype for Business and I was able to follow your guide until I got to the web control panel.
I am at present unable to log into the panel, when I type in my link to the server the only thing I get is web.config and the skype.icon showing up for either the internal or external pages. What could be the possibly reason for the issue and where should I look on how to fix it?
Richard, does the Control Panel application work or does that have the same problem?
Hi Jeff
if i have internal domain like (local.com) and external domain like (public.net)
my ask when create SkypePool it will be SkypePool.local.com or SkypePool.public.net
thanks
The EE pool name can be in either namespace. I suggesting reading up more on this as there are varying practices and reasons for using either.
hi Jeff,
Nice tutorial.
Otherwise, I have an error on the step 2 (Setup or Remove Skype for Business Server Components) , and after verification I do not find the instance LYNCLOCAL.
how can amended this error.
thx
Can’t say why but it appears the SQL database installation failed if that instance is missing.
I have installed a skype for business enterprise FE Pool and Edge pool to use in a multitenant environment
my question is when you add an additional sip domain for a tenant it creates a meet.tennent.com entry in topology and when the tenant creates a skype meeting in outlook this is the embedded URL.
This creates an Issue that we would have to tell the customers to create a A record externally for meet.tennent.com and add that entry to our Certificate.
we currently only want tennents to have to create a CName for Lyncdiscover and SIP and the two SRV records.
Is there a way to use one Meet URL for every tenant or do it like Office 365 do and have meet.ourdoamin/tenantdomain
Thanks
Brilliant write-up. Thanks so much.
Nice work. I’m curious if you have a write up on doing a side by side migration from 2013 to SFB 2015. My goal is to get SFB 2015 up and running with test users before migrating my 2013 environment over. Any help would be great. Thanks.
I have not done any migration articles but there a several available from various other MVPs and experts in the field.
I have a question! We have Skype for business 2015 and we are having the hardest time with the mobile app. Since our upgrade users can only log in if they are on one front end server. That server happens to be the first server in the DNS host file for the skype pool. If we change the order the users on the other server will be able to get in (whatever is first in line) Any suggestions for this? We have been banging our heads for months.
I don’t follow what you mean by ‘DNS Hosts file’. Your server should typically be utilizing DNS Load Balancing for all traffic other than HTTP/HTTPS which requires a Hard Load Balancer. AS the mobile clients are HTTP/HTTPS clients only then they leverage the HLB to communicate with your pool. I suspect something in your deployment is not correct as DNS hosts files are not something you should be dealing with in this day and age.
Hi Jeff,
I am new to the SFB server install. I am trying to setup S4B 2019, getting the following error while publishing the topology. can you please comment on this particular error? what do I look for??
“Error Details:
Get-CsManagementStoreLocation did not return a valid connection”