Synchronizing Network Time Protocol in a Windows Environment

Audience

Active Directory Administrators

Summary

Time synchronization between Windows based systems is important because time stamps are used in many forms of authentication, encryption and security methods.  If the clocks of two computers are too far apart, they simply may not be able to communicate with each other and may experience several kinds of esoteric failures.

By default, in a Windows environment, domain-joined machines will synchronize their time with their domain controller.  All domain controllers will get their time from the domain controller (DC) that is the PDC emulator.  All time in your environment flows out from this one server.  It is important to have this service synchronized with an accurate time source.

Common Choices

  • Windows Time Service
    • time.windows.com
  • NTP.org pool service
    • 0.pool.ntp.org
    • 1.pool.ntp.org
    • 2.pool.ntp.org

PDC Emulator

Because of the flow of time synchronization in the domain, it is important to note that modifications to the time source should ONLY be done on the PDC emulator.  This PowerShell command will help determine it:

Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain | Select-Object -Property PDCEmulator


Current Time

You can determine the current synchronization target of the computer by running (on the PDC Emulator):

w32tm /query /source

This is sometimes “Free Running Clock” or “CMOS Clock”, which indicates it is not synchronized to anything.


Polling Interval

You can determine the polling interval of a computer with:

w32tm /query /status

Domain controllers and member servers do not typically have the same interval: member servers poll less often, frequently at least an hour apart.  So, you may wish to change the time of a “Free Running” PDC incrementally, over the course of a few days, before synchronizing it to an official time source.

Plan Your Synchronization to Public NTP

You can determine how far off the clock currently is from the preferred target with:

w32tm /stripchart /computer:time.windows.com /samples:5 /dataonly

If the difference is large, immediately changing the time to synchronize may not work correctly, or may induce failures within the domain as computers fail to talk to one another.


Synchronize with Public NTP

To synchronize it, use:

w32tm /config /manualpeerlist:time.windows.com /syncfromflags:manual /reliable:yes /update

Or, depending on your preferred source:

w32tm /config /manualpeerlist:0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1 /syncfromflags:manual /reliable:yes /update
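The steps above, combined into one script as an added example (not part of the original article): it refuses to run anywhere but the PDC emulator, measures the offset with w32tm /stripchart, and only applies the /config change when the clock is close enough to step safely. It assumes the ActiveDirectory module is installed; the 60 second threshold and the probe server are assumptions you can change.

```powershell
# Added example (not from the original article): gate the w32tm /config step on the
# measured offset. Assumes the ActiveDirectory module is present and that this runs
# on the PDC emulator; the peer list is the article's pool.ntp.org set.
param(
    [string]$PeerList       = "0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,0x1",
    [string]$ProbeServer    = "0.pool.ntp.org",
    [double]$MaxSkewSeconds = 60    # assumption: above this, step the clock gradually first
)

# 1. Time source changes belong on the PDC emulator only; refuse to run anywhere else.
$pdc = (Get-ADForest | Select-Object -ExpandProperty RootDomain | Get-ADDomain).PDCEmulator
$me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
if ($pdc -ne $me) { throw "Run this on the PDC emulator ($pdc), not on $me." }

# 2. Record what the server currently follows ("Free-running System Clock" = nothing).
$currentSource = (w32tm /query /source | Out-String).Trim()
Write-Host "Current source: $currentSource"

# 3. Measure the offset. /dataonly prints one "HH:mm:ss, +00.0123456s" line per sample;
#    failed samples read "HH:mm:ss, error: 0x..." and are skipped by the regex.
$samples = @(w32tm /stripchart /computer:$ProbeServer /samples:5 /dataonly |
    ForEach-Object { if ($_ -match ',\s*([+-]?\d+\.\d+)s\s*$') { [double]$Matches[1] } })
if ($samples.Count -eq 0) { throw "No samples from $ProbeServer; check UDP/123 egress." }
$sorted = @($samples | Sort-Object)
$offset = $sorted[[int][math]::Floor($sorted.Count / 2)]   # median resists one bad sample
Write-Host ("Median offset vs {0}: {1:+0.000;-0.000}s" -f $ProbeServer, $offset)

# 4. A large jump can break Kerberos across the domain; stop and let the admin step it.
if ([math]::Abs($offset) -gt $MaxSkewSeconds) {
    Write-Warning "Offset exceeds $MaxSkewSeconds s. Adjust the clock incrementally first."
    return
}

# 5. Small offset: repoint the PDC, mark it reliable, and force a resync.
w32tm /config /manualpeerlist:$PeerList /syncfromflags:manual /reliable:yes /update
w32tm /resync
w32tm /query /status
```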


Skype for Business: Useful PowerShell Commands for Standard Edition Failover

Audience

System Administrators

Summary

This is by no means meant to be a Disaster Recovery Plan. This document is a listing of useful commands that can be used to help educate and build your organization’s Disaster Recovery Plan. This may not provide all the necessary insight to resolve every disaster situation. Before you run any commands, you should research them to understand what they do and how to use them properly.


Backing Up Skype Components

It is important to keep up-to-date backups of Skype’s major configuration components. Store these backups in a safe place so they are available in the event of an incident. This is a very basic set of commands to help back up some of the components of Skype for Business. There are some very good, very well thought out scripts available in the Tech Community that will do far more than what is listed below.

Visit the link below for one of the better backup scripts I have seen:

Lasse Wedø

https://gallery.technet.microsoft.com/office/Backup-Skype-for-Business-8194d0b6

Configuration Data

Export the CsConfiguration

Export-CsConfiguration -FileName c:\Folder\backup\10.25.16\CsConfiguration-backup.zip

Import the CsConfiguration

Import-CsConfiguration -FileName c:\Folder\backup\10.25.16\CsConfiguration-backup.zip


Export User Data for Users Homed in the Indicated Pool

Export-CsUserData -PoolFQDN "atl-cs-001.domain.com" -FileName "C:\Logs\ExportedUserData.zip"

Location Information Database

Note that this information is not replicated to the backup pool. In the event of failover to the backup pool you will need to import this LIS database into the new pool.

Export Location Information Database

Export-CsLisConfiguration -FileName "c:\Folder\backup\10.25.16\CsLis-backup.bak"


Import Location Information Database

Import-CsLisConfiguration -FileName "c:\Folder\backup\10.25.16\CsLis-backup.bak"


Response Group Configuration

Export Response Group Data

Export-CsRgsConfiguration -Source "ApplicationServer:skypepoolname.domain.com" -FileName "c:\Folder\backup\10.25.16\CsRgs-backup.zip"

Import Response Group Data

Import-CsRgsConfiguration -FileName "c:\Folder\backup\10.25.16\CsRgs-backup.zip" -Destination "ApplicationServer:skypepoolname.domain.com"


Pool Failover

Invoke the migration of users from the primary pool to the backup pool:

Invoke-CsPoolFailover -PoolFqdn <primary pool fqdn> -Verbose

*Add “-DisasterMode” if the primary pool is unreachable, or its services are down.

Once the primary pool is healthy again, move the users back:

Invoke-CsPoolFailBack -PoolFqdn <Primary Pool Fqdn> -Verbose

Central Management Failover

Determine the current CMS host:

Get-CsService -CentralManagement

Run this command against the pool that you want to fail over, first with the -WhatIf parameter, to verify the result before actually running it:

Invoke-CsManagementServerFailover -Whatif


Verify the CMS Backup Pool Target

Get-CsPoolBackupRelationship -PoolFQDN <CMS.Pool.FQDN>


Verify the Status of CMS Replication

Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus

If the ActiveMasterFQDN and ActiveFileTransferAgentFQDN are on the failed pool, proceed with CMS failover.

Determine if SQL Mirroring is in Use

Get-CsDatabaseMirrorState -DatabaseType Centralmgmt -PoolFqdn <Backup.Pool.Fqdn>


If Mirroring is Not in Use or the Primary is the Principal

Invoke-CsManagementServerFailover -BackupSQLServerFqdn <Backup.Pool.Primary.SQL.FQDN> -BackupSQLInstanceName <Backup.Pool.Primary.SQL.Instance.Name>

If Mirroring is in Use and the Mirror is Primary

Invoke-CSManagementServerFailover -MirrorSQLServerFqdn <Backup.Pool.Mirror.SQL.FQDN> -MirrorSQLInstanceName <Backup.Pool.Mirror.SQL.Instance.Name>


Verify CMS Failover is Complete

Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus


Verify CMS replication to all non-failed servers

Get-CsManagementStoreReplicationStatus
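The CMS failover decision described above (is the master on the failed pool, is mirroring in use, which Invoke-CsManagementServerFailover form applies), written out as an added example that is not part of the original post. Pool and SQL names are placeholders passed in as parameters; the default “rtc” instance name and the use of Get-CsComputer to list the failed pool’s servers are assumptions.

```powershell
# Added example (not from the original post): automate the CMS failover decision from the
# article. Pool and SQL names are placeholders you pass in; rehearse with -WhatIf first.
# Assumes the Skype for Business module is loaded and the default "rtc" instance name.
param(
    [Parameter(Mandatory)][string]$FailedPoolFqdn,
    [Parameter(Mandatory)][string]$BackupPoolFqdn,
    [Parameter(Mandatory)][string]$BackupPrimarySqlFqdn,
    [string]$BackupPrimarySqlInstance = "rtc",
    [string]$BackupMirrorSqlFqdn,
    [string]$BackupMirrorSqlInstance = "rtc",
    [switch]$WhatIf
)

# 1. Is the CMS master actually on the failed pool? Compare against that pool's servers.
$status      = Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus
$poolServers = @(Get-CsComputer -Pool $FailedPoolFqdn | ForEach-Object { $_.Fqdn })
$masterOnFailed = $poolServers -contains $status.ActiveMasterFqdn
$ftaOnFailed    = $poolServers -contains $status.ActiveFileTransferAgentFqdn
if (-not ($masterOnFailed -or $ftaOnFailed)) {
    Write-Host "CMS master is $($status.ActiveMasterFqdn), not on $FailedPoolFqdn. Nothing to do."
    return
}

# 2. Pick the failover form: mirror parameters only if the backup pool's CMS database is
#    mirrored AND the mirror currently holds the Principal role; otherwise the primary SQL.
$mirror = Get-CsDatabaseMirrorState -DatabaseType CentralMgmt -PoolFqdn $BackupPoolFqdn `
          -ErrorAction SilentlyContinue
$mirrorIsPrincipal = [bool]($mirror | Where-Object { $_.StateOnMirror -eq 'Principal' })
if ($mirrorIsPrincipal) {
    if (-not $BackupMirrorSqlFqdn) { throw "Mirror is Principal but -BackupMirrorSqlFqdn was not given." }
    $failoverParams = @{ MirrorSQLServerFqdn = $BackupMirrorSqlFqdn; MirrorSQLInstanceName = $BackupMirrorSqlInstance }
} else {
    $failoverParams = @{ BackupSQLServerFqdn = $BackupPrimarySqlFqdn; BackupSQLInstanceName = $BackupPrimarySqlInstance }
}
Write-Host "Invoking CMS failover with: $($failoverParams.Keys -join ', ')"
Invoke-CsManagementServerFailover @failoverParams -WhatIf:$WhatIf

# 3. Confirm the new master, then list any surviving replica that is not yet up to date.
if (-not $WhatIf) {
    Get-CsManagementStoreReplicationStatus -CentralManagementStoreStatus |
        Select-Object ActiveMasterFqdn, ActiveFileTransferAgentFqdn
    Get-CsManagementStoreReplicationStatus |
        Where-Object { -not $_.UpToDate } |
        Select-Object ReplicaFqdn, LastStatusReport
}
```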


Polycom: Voice VLAN Discovery via DHCP

Audience

Systems Engineers, Polycom Endpoint Administrators

Summary

This document is intended to assist in the configuration of the Voice VLAN for Polycom Endpoints when Cisco Discovery Protocol (CDP) and Link Layer Discovery Protocol (LLDP) are not available.

By default, the UC Software based endpoints (VVX, Trio 8800) use LLDP, or CDP in order to discover the configured Voice VLAN. When those protocols are not an option you can configure the endpoints to discover the Voice VLAN through the use of DHCP Scope Options.


Default Polycom Endpoint Startup Sequence

  1. The phone establishes network connectivity. Wired phones establish a 10M/100M/1000M network link with an Ethernet switch device and do not function until this link is established. If the phone cannot establish a link to the LAN, an error message ‘Network link is Down’
  2. (Optional) Apply appropriate security and Quality of Service (QoS) settings.
  3. Assign the phone to a VLAN and/or 802.1X authentication.
  4. Establish DHCP negotiation with the network and obtain an IP address, network addressing options, network gateway address, and time server.
  5. Provisioning server discovery. This is commonly done using DHCP as part of the previous step. As of UC Software 4.0, the phone contacts the provisioning server after the phone is operational in order to speed up boot time. You can disable the provisioning server discovery process as a way of reducing load on a provisioning server, for example, after a power failure.

Preparation Steps

Additions to the Device Settings Configuration

By default, the UC Software endpoints are set to use CDP and LLDP for VLAN discovery. You can set VLAN discovery to use DHCP instead with the following parameters in your Device Settings configuration.

Enable VLAN discovery using DHCP options:

device.dhcp.dhcpVlanDiscUseOpt.set="1"

Set the discovery method to “Fixed”:

device.dhcp.dhcpVlanDiscUseOpt="Fixed"

Optional: if you want to specify a scope option code different from the default of 129, enable the hard set of the option code:

device.dhcp.dhcpVlanDiscOpt.set="1"

and specify the option code:

device.dhcp.dhcpVlanDiscOpt="128"

Create DHCP Scope Option 161 on your Data VLAN

In order to set the endpoint to look to DHCP for Voice VLAN assignment you will need to make changes to the device configuration. You can make these changes manually through the Web UI, or in bulk through FTP provisioning. To do the latter you will need to make the FTP provisioning server reachable from your Data VLAN by adding DHCP Scope Option 161 to the data scope.

Once this is completed, the endpoint will be given an IP address on the Data VLAN along with Option 161, which allows the phone to find the provisioning server. The endpoint will request its configuration (which now contains the parameters setting DHCP discovery to “Fixed”) and reboot. When it comes back online it will look to DHCP for VLAN assignment.

DHCP Scope Option for VLAN Assignment Configuration

You will need to create a DHCP Scope Option in order to identify the Voice VLAN.

  • At the server level, right-click “Predefined Options and Values”
  • Select “Add”
    • Name
    • Data Type = “String”
    • Code = 129
      • *You can change this if needed, but 129 is the default configured on the endpoint
    • Value = “VLAN-A=N;”
  • Where “N” is the decimal VLAN number
  • **Note this value is case sensitive and must be followed by a semicolon

(Screenshot: Polycom VLAN DHCP 1-1)

  • Next, under your Scope, right-click “Scope Options”
  • Scroll down, find your newly created Scope Option 129 and select its check box
  • Select OK
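The same two scope options (161 for the provisioning server on the Data VLAN, 129 for the VLAN-A string), created with the DhcpServer PowerShell module instead of the console, as an added example that is not part of the original article. The scope ID, VLAN number and provisioning URL are placeholders; the “VLAN-A=N;” format and option codes come from the article, and the value is validated the way the note above demands (case sensitive, trailing semicolon).

```powershell
# Added example (not from the original article): define and publish the two Polycom DHCP
# options with the DhcpServer module. Scope ID, VLAN number and provisioning URL are
# placeholders; option codes 129/161 and the "VLAN-A=N;" format come from the article.
param(
    [string]$DataScopeId  = "10.10.20.0",                       # placeholder: data VLAN scope
    [int]   $VoiceVlanId  = 100,                                # placeholder: voice VLAN number
    [string]$ProvisionUrl = "ftp://provisioning.example.internal",  # placeholder URL
    [int]   $VlanOptionId = 129,   # endpoint default (device.dhcp.dhcpVlanDiscOpt)
    [int]   $ProvOptionId = 161
)
Import-Module DhcpServer

# The endpoint parses the value case-sensitively and expects the trailing semicolon,
# so build it from the number and reject anything that does not match exactly.
$vlanValue = "VLAN-A=$VoiceVlanId;"
if ($vlanValue -cnotmatch '^VLAN-A=\d{1,4};$') { throw "Bad VLAN option value: $vlanValue" }

# Anything placed in option 161 (including credentials embedded in an FTP URL) is handed
# to every client on the scope, so keep the provisioning account read-only and dedicated.
if ($ProvisionUrl -match '://[^/@]+:[^/@]+@') { Write-Warning "Option 161 URL embeds credentials." }

# Define the two string options once at the server level (idempotent on re-run).
foreach ($def in @(
    @{ OptionId = $VlanOptionId; Name = "Polycom Voice VLAN" },
    @{ OptionId = $ProvOptionId; Name = "Polycom Provisioning Server" })) {
    if (-not (Get-DhcpServerv4OptionDefinition -OptionId $def.OptionId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4OptionDefinition -OptionId $def.OptionId -Name $def.Name -Type String
    }
}

# Publish both values on the DATA scope: the phone boots there first, uses 161 to fetch
# its config (which sets dhcpVlanDiscUseOpt=Fixed), reboots, then reads 129 for the VLAN.
Set-DhcpServerv4OptionValue -ScopeId $DataScopeId -OptionId $VlanOptionId -Value $vlanValue
Set-DhcpServerv4OptionValue -ScopeId $DataScopeId -OptionId $ProvOptionId -Value $ProvisionUrl

# Show exactly what a client on that scope will be offered.
Get-DhcpServerv4OptionValue -ScopeId $DataScopeId |
    Where-Object { $_.OptionId -in @($VlanOptionId, $ProvOptionId) } |
    Format-Table OptionId, Name, Value -AutoSize
```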


Congratulations!

Skype for Business: Replacing the Public Certificate on your IIS ARR Reverse Proxy

This article outlines the steps for replacing the public certificate that is used by the IIS ARR reverse proxy. These steps are focused on Skype for Business; however, the process is generic to IIS ARR.

Summary

This document is intended to help update the public certificate that IIS binds to for the use of the reverse proxy functionality using SSL. Skype uses this for External Web Services, Office Web Apps, and the Simple URLs such as lyncdiscover, dialin, and meet.

Before You Begin: Baseline Testing

If your current certificate is still valid, test the Web URLs first in order to provide baseline assurance that your Simple URLs are functioning prior to making changes.

https://meet.domain.com

https://dialin.domain.com

If you have the Skype/Lync Mobile Client make sure that you can sign in on your internal network, as well as external to your network.

Installing the New Public Certificate

You can install this in two ways:

  • Import via the Certificates Console
    • Give it a Friendly name that is different than the current Certificate
    • Please note that sometimes IIS won’t recognize the binding of the certificate when using this method.
    • See the “Binding the Imported Certificate to SSL” below
  • Import via the IIS Management Console (Preferred)
    • Open IIS Manager
    • Select the top-level server node
    • Open “Server Certificates”
    • Select “Import” from the right-hand pane


Binding the Imported Certificate to SSL

In the IIS Management Console:

  • Select “Default Web Site”
  • On the right-hand pane select “Bindings”
  • Double Click/Open “HTTPS”
  • In the “SSL certificate” pull-down, select the new public certificate by its friendly name
  • Hit “OK”
  • Close the “Site Bindings” Page

Reset IIS Service

  • Open PowerShell as Administrator
  • Run the command:
    iisreset

**This is service impacting

Testing to Verify Functionality Using the New Certificate

If you have the Skype/Lync Mobile Client make sure that you can sign in on your internal network, and also when external to your network.
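A scripted version of the verification step, added here as an example that is not part of the original article: it confirms the :443 binding in IIS now points at the new certificate, warns if that certificate is close to expiry, and then opens a TLS connection to each Simple URL to read back the thumbprint actually presented. The thumbprint and host names are placeholders; the validation callback accepts any chain purely so the presented certificate can be inspected, it is not a trust decision.

```powershell
# Added example (not from the original article): after the binding change and iisreset,
# confirm IIS is bound to the new certificate and that each Simple URL actually serves it.
# $NewThumbprint and the host names are placeholders.
param(
    [Parameter(Mandatory)][string]$NewThumbprint,
    [string[]]$SimpleUrlHosts = @("meet.domain.com", "dialin.domain.com", "lyncdiscover.domain.com")
)
Import-Module WebAdministration

# 0. The certificate must be in the machine store, and should not be about to expire.
$new = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
if (-not $new) { throw "Thumbprint $NewThumbprint is not in LocalMachine\My; import it first." }
$daysLeft = [int]($new.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 30) { Write-Warning "New certificate expires in $daysLeft days." }

# 1. What IIS has bound on :443 (this is what the "SSL certificate" pull-down writes).
foreach ($b in (Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq 443 })) {
    $state = if ($b.Thumbprint -eq $NewThumbprint) { "OK" } else { "STALE" }
    Write-Host ("Binding {0}:{1} -> {2} {3}" -f $b.IPAddress, $b.Port, $b.Thumbprint, $state)
}

# 2. What a client actually receives from each Simple URL. The callback returns $true only
#    so RemoteCertificate can be read; it does not validate the chain.
function Get-PresentedThumbprint([string]$HostName) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, 443)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)   # SNI carries the host name, so each URL is tested
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint
    } finally { $tcp.Close() }
}
foreach ($h in $SimpleUrlHosts) {
    try {
        $tp = Get-PresentedThumbprint $h
        $verdict = if ($tp -eq $NewThumbprint) { "the new certificate" } else { "an OLD/other certificate ($tp)" }
        Write-Host "$h serves $verdict"
    } catch { Write-Warning "$h : $($_.Exception.Message)" }
}
```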

Polycom: Factory Reset VVX Endpoints Without the Administrator Password

This step-by-step guide is helpful if you have a VVX endpoint and cannot access the Factory Reset function because you do not have the Administrator Password, and it is no longer set to the default password.

Summary

In some scenarios you might find yourself needing to perform a factory reset on a Polycom VVX (Example: VVX series, Trio Series) endpoint. By default you are required to present the administrator password in order to access the “Factory Reset” functionality. The following steps will guide you through performing the factory reset function without using the administrator password.

Before you begin

Identify the MAC Address of the device. This can be located easily on the back of the device in most cases. Otherwise you can discover the settings by going to:

Menu > Status > Platform > Phone

Alternatively you can use the “Multi-Key Combination” method for displaying information by pressing and holding the following key combination on the endpoint dialpad until the information is displayed on screen:

1 + 4 + 7

Steps for Factory Reset

Step 1

Restart the phone by removing the power.

Alternatively you can use the “Multi-Key Combination” method for rebooting the endpoint by pressing and holding the following key combination on the endpoint dial pad until the information is displayed on screen:

1 + 0 + 3

Step 2

While the device is rebooting you should see the following screen.

When you do, select “Cancel” to interrupt.

(Screenshot: VVXadmin1)

The next screen shows the following options:

(Screenshot: VVXadmin2)

Step 3

Use the “Multi-Key Combination” to enter the Factory Reset screen. Refer to the following table to find the key sequence for the model of device you wish to reset.

Table 1-1

Device                                    MKC
SoundPoint IP 321, 331, 335, 450          1 3 5 7
SoundStation IP 5000, Duo                 1 3 5 7
SoundPoint IP 550, 560, 650               4 6 8 *
VVX 1500                                  4 6 8 *
VVX 300, 310, 400, 410, 500, 600          1 3 5

Step 4

Instead of the Administrative password, you can use the MAC address of the device in order to factory reset the device, and in turn reset the Admin password to “456” again.

You will need to toggle between the three categories of character inputs in order to accomplish this. Be sure that all of your letters are input as UPPERCASE LETTERS.

When inputting letters in the Upper Case mode you will need to push the button in quick succession in order to select the nested letter. For instance, you will need to push the number “2” dial pad button THREE times quickly in order to input the letter “C”

1->Aa = Numeric

A->a1 = Upper Case Letters (all of your letters must be upper case)

a->1A = Lower Case Letters (you will not use these for the MAC address)

(Screenshot: VVXadmin3)

Congratulations!

You will know you have succeeded when the screen shows the following.

(Screenshot: VVXadmin4)

*Screenshots were taken from a Polycom VVX 410

**Table 1-1 was pulled from the Polycom VVX Administrators Guide found at http://www.Polycom.com