About Me

My photo
This is a blog for John Weber. One of my joys in life is helping others get ahead in life. Content here will be focused on that from this date forward. John was a Skype for Business MVP (2015-2018) - before that, a Lync Server MVP (2010-2014). I used to write a variety of articles (https://tsoorad.blogspot.com) on technical issues with a smattering of other interests. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. The opinions expressed on this blog are mine and mine alone.

2015/07/23

Lync 2013 Edge Server Replication Failing

Background reading: http://tsoorad.blogspot.com/2015/07/windows-pki-sha-1-to-sha-2.html

Environment Outline:

Mixed Lync 2013 (Edge) with SfB user pools.  CMS on SfB SE. Operating systems:  All user pools are 2012R2, Edge servers are 2012 (no R2).  Windows updates are current.  PKI is public for Edge external land FE external; PKI is AD DS for FE internal and Edge internal.  Customer changed  AD certificate authority from sha-1 to sha-2.  New root cert pushed to all servers via active directory routines; edge server new trusted root manually imported.

The Issue:

Lync Edge server fails to pick up on the concept that the domain root cert had changed even after we manually imported the new root cert (sha-2) into the certificate store. The certs on both the CMS master and the Edge server all chained up properly, but the cmsreplication was failing. All the certificates assigned to all services in the Lync/SfB environment checked good, were all current, and all showed that they chained properly to either the internal PKI root or the Digicert root.  Basic connection testing using <telnet fqdn 4443> were successful both directions.

The Fix:

We had to reboot the Edge server to get it to recognize the trusted root cert chain.

Logic path:

The CMS master was presenting the edge server with changes, but the Edge server did not like the new cert on the CMS master. The Edge server had a copy of the new Root Cert, but would not accept the TLS from the CMS master until the Edge restarted. Restarting services on the Edge server did not resolve the issue; a reboot was needed.

Conclusion:

If you change the domain Root cert, Lync and SfB may or may not like the root certificate change AT THE OPERATING SYSTEM LEVEL, until a reboot, or even longer. <Sigh>

YMMV

No comments:

test 02 Feb

this is a test it’s only a test this should be a picture