Lync address book not working after using absconfig.exe

Warning: the absconfig.exe shipped with the RTM version of Lync Server 2010 is out of date. That build of absconfig.exe was actually designed for OCS, not Lync. Running this version of the tool will corrupt your RTC.dbo.abattribute database table and break your Lync clients. The updated version of the tool can be found here: http://support.microsoft.com/kb/2621857

If you already ran the tool, keep reading this article, as I will provide instructions to fix the corrupt database.

First, how do you know if your RTC.dbo.abattribute database table is corrupt?

1. Log on to your Lync SQL server and open SQL Server Management Studio.
2. Expand the RTC database, right-click dbo.abattribute and choose “return top 1000 rows”.
[Screenshots: dbo.abattribute_OCS and dbo.abattribute_Lync]

If your Lync RTC dbo.abattribute table looks like the OCS one, you need to keep reading. The steps below will rebuild the dbo.abattribute table.


1. On the server that holds the RTC database, install Microsoft SQL Server 2008 Management Studio and connect to the RTC database.

2. Click “New Query”, paste the following SQL into the query window and click the Execute button (the small green “play” icon).

-- Rebuild the Lync 2010 address book attribute table in the RTC database
use rtc
-- Remove the attribute rows left behind by the OCS version of absconfig.exe
exec dbo.RtcDeleteAbAttributes
-- Re-add the Lync 2010 attribute set (id, AD attribute name, flags)
exec dbo.RtcAddAbAttribute 1, N'givenName', 0x01400000
exec dbo.RtcAddAbAttribute 2, N'sn', 0x02400000
exec dbo.RtcAddAbAttribute 3, N'displayName', 0x03420000
exec dbo.RtcAddAbAttribute 4, N'title', 0x04000000
exec dbo.RtcAddAbAttribute 5, N'mailNickname', 0x05400000
exec dbo.RtcAddAbAttribute 6, N'company', 0x06000000
exec dbo.RtcAddAbAttribute 7, N'physicalDeliveryOfficeName', 0x07000000
exec dbo.RtcAddAbAttribute 8, N'msRTCSIP-PrimaryUserAddress', 0x08520C00
exec dbo.RtcAddAbAttribute 9, N'telephoneNumber', 0x09622800
exec dbo.RtcAddAbAttribute 10, N'homePhone', 0x0A302800
exec dbo.RtcAddAbAttribute 11, N'mobile', 0x0B622800
exec dbo.RtcAddAbAttribute 12, N'otherTelephone', 0x0C302000
exec dbo.RtcAddAbAttribute 13, N'ipPhone', 0x0D302000
exec dbo.RtcAddAbAttribute 14, N'mail', 0x0E500000
exec dbo.RtcAddAbAttribute 15, N'groupType', 0x0F010800
exec dbo.RtcAddAbAttribute 16, N'Department', 0x10000000
exec dbo.RtcAddAbAttribute 17, N'Description', 0x11000100
exec dbo.RtcAddAbAttribute 18, N'manager', 0x12040001
exec dbo.RtcAddAbAttribute 19, N'proxyAddresses', 0x00500105
exec dbo.RtcAddAbAttribute 20, N'msExchHideFromAddressLists', 0xFF000003

3. From the Lync Management Shell run the following command: Update-CsUserDatabase

4. Open the server's Event Viewer and wait until you see Lync events 30024, 30027 and 30028 before proceeding with the next step.

5. From the Lync Management Shell run the following command: Update-CsAddressBook and wait around ten minutes before proceeding with the next step.

6. Open a Lync 2010 client and wait for the address book to download; this should now have resolved all address book issues.


Franky’s Web — the go-to place for Microsoft Exchange and Active Directory updates

A little about Frank Zoechling's Microsoft Exchange and Active Directory blog:

I work as a system administrator at a mid-sized company. My professional career has had some other stations, but what matters is the here and now!

My professional duties include administration of the network, support for customers and colleagues and, if a little time is left, the implementation of various projects for clients.

Anyone who believes that authorization and access structures in networks are complicated enough has not yet seen their equivalents in my private life. There is the overall structure, the family, which consists of the domains wife and children. The permissions on both domains are sometimes opaque. Sometimes one is Enterprise Admin, sometimes you can count yourself lucky to have guest privileges (and even that account is disabled now and then). But only in passing: the overall structure is very close to my heart!

Back to this page: as I stumble on interesting problems from time to time, I decided to create this blog. This site should therefore offer mainly practical content, so I put less emphasis on explaining the technical background than on describing the approach. I imagine the whole thing like this:

Problem -> problem solved -> article on the problem and solution :)

Maybe I can spare one or the other the search on the net by presenting solutions or approaches here. If time permits, there is sometimes a HOWTO. But it all depends on how I feel :-)

Removing old Exchange meetings for departed users

As is the nature of business, employees come and go. This turnover rate is often higher in large metropolitan areas such as New York. Once a user leaves the company, the IT team performs the usual termination process. This article discusses what happens to Exchange/Outlook meetings that were owned by a user when she leaves the company. When a meeting organizer leaves the company, her Exchange mailbox is either archived or deleted. This means her meetings are never canceled. As a result, company resources such as conference rooms stay tied up with these stale recurring meetings. It is almost impossible to ask end users to cancel these meetings. There are ways to handle this:

Manually cancel meetings
An inefficient but simple method is to log in to the departed user's mailbox and manually cancel all recurring meetings. This ensures that conference room resources are no longer tied up by the user.

Use Z-Term to cancel user meetings
You can use Z-Term to cancel meetings on behalf of the user with a single click. The tool simply goes through the user's mailbox and cancels all future meetings. There are two options when using this tool: you can cancel meetings on behalf of the user as noted above, or go through the conference room mailboxes and remove the user’s bookings.

[Screenshot: CancelMeetings]

Provision AD, Exchange and Lync Users from Excel spreadsheet

At one time or another, as IT administrators, our organization will have to go through a merger and acquisition process. Mergers and acquisitions usually require organizations to integrate two systems. From the IT administrator's perspective this means creating user accounts from an Excel spreadsheet provided by HR, especially if the two organizations are running heterogeneous systems. Creating user accounts from an Excel file is a fairly simple process. I will talk you through how this can be done in mere minutes. The first step is to generate an Excel file with employee names; the second step is to create a script to process the Excel file.

The most important part of the process is taking the Excel spreadsheet from the HR department with the list of users and generating a unique username for each of them. This list contains employee information such as Firstname, Lastname, Employee number, etc. We need to add an additional column named “username” to the spreadsheet; this will be the unique SamAccountName of each new user. Since the SamAccountName needs to be unique, we need a way to detect duplicates against your current Active Directory environment. The best way to accomplish this is to export the current Active Directory user information, paste it into a new Excel worksheet and run a VLOOKUP against it.

Let's dive into this in more detail. To create the username column, use an Excel function to combine the firstname and lastname columns. In the screenshot below I am using the first-initial + lastname format, so the LEFT( Excel function is used.

[Screenshot: excel1]
Export the list of sAMAccountNames from your current Active Directory environment and paste it into the “CurrentADexport” worksheet. It should look something like the screenshot below.

[Screenshot: excel2]
The next step is to perform a VLOOKUP against the “CurrentADexport” worksheet to detect duplicate sAMAccountNames. Create a new column “DuplicateLookup” and configure the VLOOKUP function as seen in the screenshot below. Make sure you use the “$” dollar signs in the formula so the lookup range stays fixed; this compares each value in the username column against all data in the “CurrentADexport” worksheet. Once the duplicate names are resolved, move on to the next step.

[Screenshot: excel3]
Now save the “NewUserListFromHR” worksheet in a format our script can understand (CSV).

[Screenshot: excel4]


# Script to process the Excel spreadsheet (saved as CSV)
# and create user accounts in Active Directory, Exchange and Lync

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module Lync

$data = Import-Csv -Path .\UsersExport.csv
foreach ($user in $data)
{
    #region Create AD account
    # No password is supplied here, so New-ADUser creates the account disabled
    New-ADUser -Name "$($user.firstname) $($user.lastname)" -SamAccountName $user.username -GivenName $user.firstname -Surname $user.lastname
    #endregion

    #region ExchangeCHECK
    # Wait until the Exchange server can see the new AD user (directory replication)
    $exchangeusercheck = $false
    do {
        $ADExchangecheck = Get-User $user.username -ErrorAction SilentlyContinue
        if ($ADExchangecheck -ne $null) { $exchangeusercheck = $true }
        else {
            Write-Host "Sleep for 20 secs"
            Start-Sleep -Seconds 20
        }
    } while ($exchangeusercheck -eq $false)
    #endregion ExchangeCheck

    Enable-Mailbox $user.username
    Start-Sleep -Seconds 10

    #region LyncStuff
    # Lync derives the SIP address from the mailbox e-mail address, so give it time to appear
    Start-Sleep -Seconds 90
    Enable-CsUser $user.username -RegistrarPool "lyncFE01.zohno.com" -SipAddressType EmailAddress -SipDomain zohno.com
    #endregion LyncStuff
}

Lync User Creation Script

One of the main responsibilities of a Lync administrator is to create Lync accounts for new users. This can be very time consuming and tedious. This article describes how you can streamline this task with the PowerShell script below; in fact, it covers Active Directory, Lync and Exchange. In most organizations most Lync users get the same settings, and this can be scripted. The PowerShell script below starts by asking for basic user information: Firstname, Lastname, DisplayName, SamAccountName and password. It creates the AD account from this information. A duplicate username check runs before proceeding; this ensures the username entered is allowed and prevents errors later. If the user already exists in Active Directory, the script exits to avoid errors. Once the script has ensured there are no duplicates, it creates the new Active Directory user. Line #32 in the script is where this occurs, and it can be modified to fit your needs. For example, you may want to place the user in a different OU or set other attributes such as…

company
Department
departmentNumber
Description
Desktop-Profile
Division
E-mail-Addresses
Employee-ID
Employee-Number
Employee-Type
Home-Directory
Home-Drive
photo
Physical-Delivery-Office-Name
Physical-Location-Object
Picture

The next part of the script, from line 38, ensures that the Exchange server can see the Active Directory user before the mailbox is created. This is very important because the script will error and halt if we attempt to create a mailbox before Active Directory replication has occurred. The block of code from line 38 to line 50 checks that the Exchange server can see the Active Directory user before proceeding. If it doesn't see the user, it simply sleeps for 20 seconds and checks again. Line 51 runs the Enable-Mailbox command that creates the mailbox. A lot of customization can be done here; see below for a list of switches you can use…

Equipment
Room
Shared
AddressBookPolicy
Archive
DomainController
ManagedFolderMailboxPolicy
PrimarySmtpAddress

Line 57 in the script finally creates the Lync user account. This simply runs the PowerShell command and specifies the registrar pool. A lot of customization can be done here too, such as…

RegistrarPool
SipAddress
SipAddressType

Line 59 assigns Lync policies to the Lync user. Here is the list of policies you can choose from.
Set-CsArchivingPolicy
Set-CsBandwidthPolicyServiceConfiguration
Set-CsClientPolicy
Set-CsClientVersionPolicy
Set-CsClientVersionPolicyRule
Set-CsConferencingPolicy
Set-CsExternalAccessPolicy
Set-CsHostedVoicemailPolicy
Set-CsLocationPolicy
Set-CsNetworkBandwidthPolicyProfile
Set-CsNetworkInterSitePolicy
Set-CsPinPolicy
Set-CsPresencePolicy
Set-CsVoicePolicy
Set-ExecutionPolicy

#Script Starts here
# The Get-QADUser / New-QADUser cmdlets come from the Quest ActiveRoles snap-in
Add-PSSnapin Quest.ActiveRoles.ADManagement
Write-Host "Enter user's Firstname"
$first = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's Lastname"
$last = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's DisplayName"
$displayname = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's username"
$username = Read-Host
Write-Host "-----------------------------"
Write-Host "Enter user's password"
# Note: the password is typed and echoed in clear text here
$password = Read-Host
Write-Host "-----------------------------"
$username = $username.Replace(" ","")
Write-Host "---See Below for User Info---"
#region Create_individual_AD
$cnname = $first + " " + $last
$upnname = $username + "@zohno.com"
#username check: exit if the SamAccountName is already taken
$namecheck = Get-QADUser $username
if ($namecheck -ne $null) {
    Write-Host "Duplicate username exist" -ForegroundColor red
    Exit
}
New-QADUser -Name $cnname -FirstName $first -LastName $last -SamAccountName $username -ParentContainer "zohno.com/Users" -UserPassword $password -UserPrincipalName $upnname -DisplayName $displayname
Start-Sleep -Seconds 10
#endregion # Create_Individual_AD
# Give AD replication time before Exchange looks for the account
Start-Sleep -Seconds 60
#Add Exchange
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
#region ExchangeCHECK
$exchangeusercheck = $false
do {
    $ADExchangecheck = Get-User $username -ErrorAction SilentlyContinue
    if ($ADExchangecheck -ne $null) { $exchangeusercheck = $true }
    else {
        Write-Host "Sleep for 20 secs"
        Start-Sleep -Seconds 20
    }
} while ($exchangeusercheck -eq $false)
#endregion #ExchangeCheck
Enable-Mailbox $username
Start-Sleep -Seconds 60
#Add Lync
Import-Module Lync
#region LyncStuff
# Lync derives the SIP address from the mailbox e-mail address, so wait for it
Start-Sleep -Seconds 120
Enable-CsUser $username -RegistrarPool "lyncFE01.zohno.com" -SipAddressType EmailAddress -SipDomain zohno.com
Start-Sleep -Seconds 60
Grant-CsConferencingPolicy $username -PolicyName "ConfPolicy"
Grant-CsExternalAccessPolicy $username -PolicyName "ExternalAccessPolicy"
#endregion # LyncStuff
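The same AD, Exchange and Lync provisioning flow, as an added example that is not the post's own script: it replaces the fixed sleeps with a bounded poll, reads the password as a SecureString, and uses the ActiveDirectory module for the duplicate check. The OU path, the timeout and the policy names are assumptions; the pool and SIP domain are the post's placeholder values.

```powershell
# Added example, not the post's script: AD -> Exchange -> Lync provisioning with a
# bounded wait for replication instead of fixed sleeps. Placeholders are marked.

Import-Module ActiveDirectory
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
Import-Module Lync

$sipDomain      = 'zohno.com'                  # from the post; replace with yours
$registrarPool  = 'lyncFE01.zohno.com'         # from the post; replace with yours
$parentOU       = 'CN=Users,DC=zohno,DC=com'   # assumed container; replace with yours
$replicationMax = [TimeSpan]::FromMinutes(10)  # assumed upper bound on each wait

# Poll $Check every 20 seconds until it returns an object or the timeout expires;
# failing loudly is better than a script that sleeps forever on a replication problem.
function Wait-ForObject {
    param([scriptblock]$Check, [TimeSpan]$Timeout, [string]$What)
    $deadline = (Get-Date).Add($Timeout)
    do {
        $obj = & $Check
        if ($obj) { return $obj }
        Write-Host "$What not visible yet, sleeping 20 secs"
        Start-Sleep -Seconds 20
    } while ((Get-Date) -lt $deadline)
    throw "Timed out after $Timeout waiting for $What"
}

$first    = Read-Host "Enter user's Firstname"
$last     = Read-Host "Enter user's Lastname"
$username = (Read-Host "Enter user's username").Replace(' ', '')
# -AsSecureString keeps the password out of the console echo and any transcript
$password = Read-Host "Enter user's password" -AsSecureString

# Duplicate check: the sAMAccountName must be unique in the domain
if (Get-ADUser -LDAPFilter "(sAMAccountName=$username)") {
    Write-Host "Duplicate username exists: $username" -ForegroundColor Red
    exit 1
}

New-ADUser -Name "$first $last" -GivenName $first -Surname $last `
    -SamAccountName $username -UserPrincipalName "$username@$sipDomain" `
    -DisplayName "$first $last" -Path $parentOU `
    -AccountPassword $password -Enabled $true -ChangePasswordAtLogon $true

# Exchange must see the replicated AD object before the mailbox can be enabled
Wait-ForObject -What "AD user $username in Exchange" -Timeout $replicationMax `
    -Check { Get-User -Identity $username -ErrorAction SilentlyContinue } | Out-Null
Enable-Mailbox -Identity $username

# Lync derives the SIP address from the mailbox's SMTP address, so wait for the mailbox
Wait-ForObject -What "mailbox $username" -Timeout $replicationMax `
    -Check { Get-Mailbox -Identity $username -ErrorAction SilentlyContinue } | Out-Null
Enable-CsUser -Identity $username -RegistrarPool $registrarPool `
    -SipAddressType EmailAddress -SipDomain $sipDomain

# Policy names are the post's placeholders; replace with your own policies
Wait-ForObject -What "Lync user $username" -Timeout $replicationMax `
    -Check { Get-CsUser -Identity $username -ErrorAction SilentlyContinue } | Out-Null
Grant-CsConferencingPolicy -Identity $username -PolicyName 'ConfPolicy'
Grant-CsExternalAccessPolicy -Identity $username -PolicyName 'ExternalAccessPolicy'
```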

How to Restore Active Directory User Objects on Windows Server 2012

The Windows Server 2012 Active Directory Recycle Bin allows administrators to restore Active Directory user objects natively. Previously this could only be done with 3rd-party products. Note that the Windows Server 2012 Recycle Bin only allows restores of objects in the domain partitions; this means configuration objects such as Exchange servers cannot be restored. Luckily, AD user objects can be restored. Another downside of this Recycle Bin is that it restores single objects only, not the objects beneath them: for example, if you restore an organizational unit, it will not restore the Active Directory users under that organizational unit. Before we enable the Windows Server 2012 Active Directory Recycle Bin, the forest must be at the “Windows Server 2008 R2” functional level.

How to configure Active Directory Recycle Bin in Windows Server 2012 (step by step)

1. Open the Active Directory Administrative Center from Server Manager and click “Enable Recycle Bin” in the right pane. (Note that you can also run the Enable-ADOptionalFeature command from the command line.)
[Screenshots: ConfigureActiveDirectoryRecycleBin, ConfigureActiveDirectoryRecycleBinii]
2. Once replication is completed, you will see the “Deleted Objects” container.
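The command-line route mentioned in step 1, carried through to an actual restore, as an added example (not from the post): it checks the forest functional level precondition, enables the feature only if it is not already enabled, then finds and restores one deleted user. The forest name and the user name are placeholders.

```powershell
# Added example: enable the AD Recycle Bin and restore a deleted user.
# $forest and $deleted are placeholders, not values from the post.

Import-Module ActiveDirectory

$forest  = 'testdomain.com'   # placeholder forest root domain
$deleted = 'jdoe'             # placeholder sAMAccountName of the deleted user

# Precondition from the post: the forest must be at least Windows Server 2008 R2 level
$forestMode = (Get-ADForest -Identity $forest).ForestMode
if ($forestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest mode $forestMode is too low; raise it to Windows2008R2Forest first"
}

# Enabling the feature cannot be undone, so check whether it is already on before acting
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest -Confirm:$false
}

# Objects deleted after the feature was enabled keep their attributes (including
# sAMAccountName) in the Deleted Objects container, so they can be located directly
$obj = Get-ADObject -Filter { isDeleted -eq $true -and sAMAccountName -eq $deleted } `
                    -IncludeDeletedObjects -Properties lastKnownParent, sAMAccountName
if (-not $obj) { throw "No deleted user '$deleted' found in the Deleted Objects container" }

# Restore only this object: as the post notes, restoring a parent does not bring back
# its children, so each child object would need its own Restore-ADObject
Restore-ADObject -Identity $obj.ObjectGUID
Get-ADUser -Identity $deleted | Select-Object Name, Enabled, DistinguishedName
```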

[Screenshot: ConfigureActiveDirectoryRecycleBin2]


Bulk Import Active Directory Users

Follow the simple steps below for bulk Active Directory user creation.

  1. Create a CSV file (using Excel) with the columns below
    SamAccountName,FirstName,Initials,Lastname,DisplayName,OfficeName,Description,Mail,StreetAddress,L,PostalCode,CO,UPN,Company,Department,Title,Phone,Password
    [Screenshot: excel]
  2. Log on to a Windows Server 2008 R2 domain controller with the Active Directory PowerShell module installed. Launch PowerShell and run the script below.

    #################### SCRIPT STARTS HERE ###########################
    #Input CSV (saved from Excel) must have the columns below
    #SamAccountName,FirstName,Initials,Lastname,DisplayName,OfficeName,Description,Mail,StreetAddress,L,PostalCode,CO,UPN,Company,Department,Title,Phone,Password
    ########### START CONFIG ##########################
    $NewUsersOU = ".\OU=NewUsers,DC=testdomain,DC=com".Substring(2)
    $CSVpath = ".\ad_users_list.csv"
    $log = ".\log.log"
    ########### END CONFIG ############################

    Import-Module ActiveDirectory

    $i = 0
    Import-CSV $CSVpath | ForEach-Object {
        $SamAccountName = $_.SamAccountName

        # Skip accounts that already exist (Get-ADUser -LDAPFilter returns nothing when there is no match)
        $exists = $null
        Try   { $exists = Get-ADUser -LDAPFilter "(sAMAccountName=$SamAccountName)" }
        Catch { }
        If (!$exists)
        {
            $i++
            # The CSV carries the initial password in clear text; New-ADUser needs it as a SecureString
            $securePwd = ConvertTo-SecureString -AsPlainText $_.Password -Force
            # -Path creates the user directly in the target OU, so no Move-ADObject is needed.
            # Add an ID column to the CSV and -EmployeeID $_.ID if you want employee IDs populated.
            New-ADUser $SamAccountName -GivenName $_.FirstName -Initials $_.Initials -Surname $_.Lastname -DisplayName $_.DisplayName -Office $_.OfficeName -Description $_.Description -EmailAddress $_.Mail -StreetAddress $_.StreetAddress -City $_.L -PostalCode $_.PostalCode -Country $_.CO -UserPrincipalName $_.UPN -Company $_.Company -Department $_.Department -Title $_.Title -OfficePhone $_.Phone -AccountPassword $securePwd -Path $NewUsersOU
        }
        Else
        {
            "User exist in AD: " + $SamAccountName | Out-File $log -append
        }
    }
    "Created $i new users" | Out-File $log -append

    ###################### SCRIPT ENDS HERE ###########################

Exchange 2013 Message Transport Pipeline

Here are the three services that make up the transport pipeline in Exchange 2013.

Mailbox Transport service: the Mailbox server role runs this service, which is made up of two components, Transport Submission and Transport Delivery. The Hub Transport service uses the RPC protocol to deliver messages to mailboxes through the Transport Delivery component. Transport Submission is responsible for the other direction: messages from mailboxes to the Hub Transport service via SMTP.
Hub Transport service: since Exchange 2013 does not include a Hub role, this service runs on the Mailbox server. It is the broker between the Mailbox Transport service and the FrontEnd Transport service.
FrontEnd Transport service: as the name implies, this service handles all transport from clients, so it runs on the CAS server. All SMTP transactions are proxied through the CAS server to the FrontEnd Transport service, which hands them to the Hub Transport service.

[Diagram: Exchange 2013 Transport Pipeline]

Exchange 2013 DLP Feature and Transport pipeline

DLP is a big topic in the messaging security arena, and a lot of vendors such as Symantec have solutions that help prevent data loss. Now Exchange 2013 includes a lot of basic DLP functionality and no longer requires 3rd-party products. Exchange 2013 leverages the existing transport engine to apply DLP policies. In a nutshell, DLP policies are preconfigured transport rules made up of actions and conditions that use regular expressions. This feature allows admins to monitor the mailbox transport pipeline for known data leakage patterns such as SSN formats or credit card numbers. Transport agents in Exchange 2013 also allow 3rd-party vendors to write software for Exchange that accesses messages in transit. You can use one of the existing templates from the Exchange Administration Center: go to Protection => Data Loss Prevention.

The PowerShell commands below can also be used to manage transport agents.

Install-TransportAgent

Uninstall-TransportAgent

Enable-TransportAgent

Disable-TransportAgent

Get-TransportAgent

Set-TransportAgent
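How the pieces above fit together in the shell, as an added example (not from the post): a DLP policy created from a built-in template in Audit mode, a transport rule whose condition is the built-in credit card classification, and a listing of the agents that touch messages in transit. The policy and rule names, the report recipient and the snap-in load line are assumptions; the classification and template names are the ones Exchange 2013 ships with.

```powershell
# Added example: Exchange 2013 DLP policy + transport rule + agent inventory.
# Run in the Exchange Management Shell; the snap-in line is only needed elsewhere.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction SilentlyContinue

# Start in Audit mode: matches are logged but nothing is blocked, so false positives
# against SSN-like or card-like numbers surface before the policy is enforced.
$template = Get-DlpPolicyTemplate | Where-Object { $_.Name -eq 'U.S. Financial Data' }
New-DlpPolicy -Name 'Financial Data Audit' -Template $template.Name -Mode Audit

# A DLP policy is transport rules under the hood. This standalone rule uses the
# built-in "Credit Card Number" classification (pattern plus checksum) as its
# condition and rejects matching mail leaving the organization with an incident report.
New-TransportRule -Name 'Block outbound credit card numbers' `
    -SentToScope NotInOrganization `
    -MessageContainsDataClassifications @{ Name = 'Credit Card Number'; MinCount = 1 } `
    -RejectMessageReasonText 'Message blocked: it appears to contain credit card numbers' `
    -GenerateIncidentReport 'dlp-reports@example.com' `
    -IncidentReportContent Sender, Recipients, Subject, RuleDetection

# Inventory the agents (including any 3rd-party ones) that can read messages in transit;
# review this list when auditing what touches mail between submission and delivery.
Get-TransportAgent | Sort-Object Priority | Format-Table Identity, Enabled, Priority
```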


Exchange 2013 Roles Overview

Exchange 2013 now offers only two roles, compared to four roles in Exchange 2010. This is designed to simplify deployment and utilize CPUs to the fullest. The Client Access Server (CAS) role and the Mailbox server role are the two roles in Exchange 2013. The Client Access Server acts as a front-end server for all clients and refers connections to Mailbox servers. As in Exchange 2010, Microsoft still offers the concept of CAS arrays for high availability. The Mailbox server role also supports DAGs as it did in Exchange 2010. Microsoft removed the Edge Transport role from Exchange 2013, but it allows coexistence with Exchange 2010 Edge Transport servers. This lets customers upgrade to Exchange 2013 while leaving Exchange 2010 Edge servers in place.

Now that the CAS server is not running the RPC service and acts as a “director”, it can take a lot more load. The CAS server simply authenticates clients and passes the connections to the Mailbox server; all data processing happens on the Mailbox server. There are two major functions of the CAS role, the Client Access service and the FrontEnd Transport service. Here are the responsibilities of each.

Client Access Service
- Authentication and security
- Process end-client requests
- Direct client requests to the proper server
- Responsible for routing

FrontEnd Transport Service
- Distribute SMTP and end-client loads
- Figure out the best route to deliver messages
- Responsible for Edge message routing

As mentioned earlier, Exchange 2013 still allows DAGs and clustering. Minor improvements have been made to the Exchange 2013 DAG by allowing automatic DAG network configuration. A lot of work has been done on the database engine, including an overhaul of the store engine in managed code to reduce IO load. Unlike previous versions of Exchange, the database now runs under its own process. Here are the responsibilities of a Mailbox server.

Mailbox Service
- Moving clients when a database fails over
- Responsible for processing MRM and retention policies
- High availability service via DAG
- SmartSearch feature of Exchange 2013
- Process email address policies
- Public folders and their replication
- Mailbox databases and their scheduled jobs

[Diagram: Exchange2013Roles]


Exchange 2013 New Features

Exchange 2013 was released a few weeks ago, along with Lync 2013 and SharePoint 2013. Microsoft has redesigned Exchange 2013 to fit growing trends and to help total cost of ownership. Exchange 2013 is now a lot more social than previous versions and allows users to merge contact information from social media sources. Microsoft's Smart Search feature sorts Exchange search results based on communication patterns. OWA (Outlook Web App) now has a Metro feel to it and allows better integration with other systems such as Lync; Outlook Web App is now a gateway hub for Office apps. This integration goes further by allowing e-Discovery searches across Microsoft platforms such as Lync and SharePoint.

Exchange Server 2013 is designed to scale, utilize hardware and allow redundancy at the cost of CPU. Now that processors are cheaper than ever, Exchange 2013 has been reduced to two roles: CAS and Mailbox server. The services typically found in Exchange Server 2010 (the CAS, Hub, Mailbox and UM roles) are now all part of the Mailbox server. The CAS server in Exchange 2013 is more of a proxy and provides load balancing, redirection and authentication services. No data exists on the CAS server, but it still handles all the front-end services such as SMTP, IMAP, POP and HTTP. In Exchange 2013 CAS is more of a redirector, and all the processing happens at the Mailbox role. This means you no longer need a CAS server in every site. This new design allows for flexibility and the ability to scale quickly. Remember the days when you always had to upgrade the CAS server first, before anything else? That's no more: the Exchange 2013 design allows upgrades in any order. All communication between Exchange and Outlook happens over HTTPS, which allows CAS to run without the RPC Client Access service. The good news is that the Mailbox server role DAG design is unchanged from Exchange 2010.

When it came to managing Exchange 2010, we used two tools: the Exchange Management Console and the Exchange Control Panel. These have been rolled into one tool in Exchange 2013, the Exchange Administration Center, aka EAC. The EAC also allows admins to search the mailbox audit log and administrator audit logs.

Overview of major architecture changes:

– Only two roles in Exchange 2013: CAS and Mailbox
– No need for a CAS server in every site
– All Outlook connectivity uses RPC over HTTPS
– Only Outlook 2007 and higher are supported
– Exchange Management Console and Exchange Control Panel are replaced by the Exchange Administration Center
– Exchange 2013 public folders are now part of the DAG, and replication is handled by the DAG

Here is a good diagram from Microsoft on how the CAS and Mailbox roles interact.

[Diagram: Exchange 2013]
