Quick Thoughts: Operating Between G Suite and Office 365

(I’ve decided to change things up a little bit and add some tech opinions every now and then, especially since I’ve changed jobs and I am now working for a medium-large school district. I’m titling these, “Quick Thoughts” that I’m going to write during my lunch breaks. Perhaps first of many…)

As a systems engineer for a school district, one of the tasks I have is to assist in the configuration and maintenance of our end-users working with whatever tools are offered by Microsoft and Google. At our school district, we are primarily a G Suite shop, with students and staff working within the G Suite apps, but what about the tools that Microsoft offers with Office 365 such as OneNote, Microsoft Classroom, and others? How do we, as the administrators of such tools, give these users the ability to work with whatever tools they want?

It seems a bit difficult at times because each platform, G Suite and Office 365, appears to really rely on its email services to leverage alerts and messaging, so if you miss a conversation in Skype for Business, you’ll only receive the email within your Exchange email, but you won’t receive it on the Gmail side. I’m not entirely sure this is a two-way street on the Google side, as I seem to have no problems logging into services like Meetup.com with my G Suite account, but receive my emails from the account on my Office 365 account.

It seems like Google is playing fair with their services, but Microsoft certainly doesn’t seem that way. So do we move email services to Office 365, and will this provide our users a better experience?

I’m not sure, and of course I don’t make those decisions, but I do think about it.

Maybe the more accurate question is “How cleanly can users operate in both worlds?” Sadly, while Google appears to behave better than Microsoft, this behavior actually hurts them a little bit for organizations like ours that want to use both services, as it forces us to consider using Exchange services for email to make the overall user experience better.

Microsoft seems to be the bad actor in this situation because their services don’t behave well with email systems other than Exchange. Even on-premise Exchange takes a bit of work to get working with Office 365 services.

Microsoft really wants all the business and tries to push organizations that way, but Google plays better with others, and Google’s platform seems to be more easily adopted by teachers than Microsoft’s (especially evident by how much marketing Microsoft has to do for education).

Of course, I’m assuming Google does play nice, but I haven’t tested every Google product, but Google has shown signs of not playing nice too, like dropping XMPP support for Hangouts, but that’s another conversation, and I’ve got to head back to work.

AudioCodes Mediant 1000 One-Way Outbound Audio on SIP Trunk

Had a strange issue recently when I was setting up a SIP trunk between two Mediant 1000s (M1K for shorthand). The SIP trunk was causing one-way audio issues in which I could receive media/RTP from the other side, but from the new M1K, I wasn’t sending any RTP packets whatsoever. It was the most odd thing because this SIP trunk didn’t have anything special about it since it was within a secure layer 2 network (no auth, no TLS).

I had to engage AudioCodes about the issue because I was completely puzzled. This isn’t complicated (relatively speaking); point the SIP trunk to the next hop, and assuming the network configuration is correct, there shouldn’t be an issue. When you did a Wireshark capture, it showed SIP traffic, but no RTP whatsoever:

[Image: audiocodesm1k_nortpout]

After going through the initial process of getting the usual responses from AudioCodes to adjust IP profile, adjust this, adjust other things that I’ve already done or are non-consequential to the issue I’m having, they finally set up a remote support session.

Within minutes, the tech identified the issue.

The network card that you purchase from AudioCodes comes with four ethernet ports, and those are configured in two pairs for redundancy, which in my case was GE_7_1 and GE_7_2 as one pair, GE_7_3 and GE_7_4 as another pair. In my situation I reconfigured port 7_1 and 7_2 to be independent ports operating in what AudioCodes calls ‘Single’ mode.

Here’s the problem: in version 6.8 of the M1K software, you can configure the ports to operate this way in the GUI, but the software doesn’t actually support this function.

Why would the software allow you to configure it one way, but not support it in the back end? No idea. I’ll chalk it up to the same reason why you can use the ‘Search’ button on the top left, find settings that you actually don’t have support for and can’t find by just clicking around, configure those settings, and those settings won’t actually work.

[Image: audiocodessearchbutton]

Anyways, here’s the solution: you can either stick with 6.8 and just move the ethernet group to use GE_7_3 (or any other odd-numbered interface on a network card), or upgrade to 7.0 that actually supports this configuration.

My configuration ended up looking something like this:

[Image: audiocodesethernetgroups]

Hope that helps someone out there.

Exchange 2016 Updates: Don’t forget to activate the components!

I’ve done a number of Exchange and Skype for Business server deployments over the last year, and recently I moved to Exchange 2016 versus 2013 just to get the deployments up and running on the latest. However, after performing my upgrade to Exchange 2016 (per these instructions), my EWS connections between Skype for Business and Exchange were not working correctly. Of course, Exchange isn’t fully running for anyone, I’m still testing things out, so not a big deal, but still. What the hell is going on?

In S4B, when I run Test-CSExStorageConnectivity, I’m getting “Test-CsExStorageConnectivity : ExCreateItem exchange operation failed, code=50043”.

[Image: testcsexstorageconnectivityerror]

The standard response, and search result in Google, for a 50043 error is to check and make sure that your “ExchangeAutodiscoverUrl” property after running Get-CSOAuthConfiguration is configured for the Exchange server’s autodiscover metadata json URL (“https://<exchangeAutodiscover>/autodiscover/metadata/json/1”). But what happens if you’ve already checked that? The URL is correct and you’re good to go, so what changed?

Wait, didn’t I say I upgraded to the latest Exchange 2016 CU (CU3)? Did I completely follow the instructions?

Hmm..let’s check the Exchange server components (something new, AFAIK, to Exchange 2016):

Well. Guess I didn’t follow the instructions at the end that state you have to run the following:

[Image: followtheinstructions]

I’m going to start tagging moments like this as ‘ya dummy’ moments.

Now, let’s check the component status:

[Image: get-servercomponentsactive]

And then running Test-CsExStorageConnectivity works, and all is well.

So I guess one thing to look at if you’re getting a 50043 error and you have the Metadata URL correct is to verify that EWS is running on your Exchange box.
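One way to run that check after a cumulative update, as an added example that is not the command from the original post's screenshot. It lists server components that are not Active, shows which requester is holding each one down, and previews the reactivation. The function name `Get-StuckComponent` and the list of components treated as normally inactive are assumptions of this example.

```powershell
# Added example; run in the Exchange Management Shell on the Exchange 2016 server.
# Get-StuckComponent and $expectedInactive are names chosen for this example.
function Get-StuckComponent {
    param([string]$Server = $env:COMPUTERNAME)

    # Assumption: these two components are normally Inactive on an
    # on-premises server, so they are not reported.
    $expectedInactive = 'ForwardSyncDaemon', 'ProvisioningRps'

    Get-ServerComponentState -Identity $Server |
        Where-Object { $_.State -ne 'Active' -and $expectedInactive -notcontains $_.Component } |
        ForEach-Object {
            $component = $_.Component
            # LocalStates lists every requester (Maintenance, Functional, ...)
            # that has set a state on this component. A single non-Active
            # entry is enough to keep the component down.
            $detail = Get-ServerComponentState -Identity $Server -Component $component
            $detail.LocalStates |
                Where-Object { $_.State -ne 'Active' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Server    = $Server
                        Component = $component
                        Requester = $_.Requester
                        State     = $_.State
                        Timestamp = $_.Timestamp
                    }
                }
        }
}

# Anything listed here (EwsProxy, for instance) explains a failing EWS test.
$stuck = @(Get-StuckComponent)
$stuck | Format-Table -AutoSize

# A hold is only released by the requester that set it, so reuse that
# requester. -WhatIf previews the change; remove it to apply.
foreach ($entry in $stuck) {
    Set-ServerComponentState -Identity $entry.Server -Component $entry.Component `
        -State Active -Requester $entry.Requester -WhatIf
}
```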

Audiocodes IP Phone Manager Custom Placeholders

Audiocodes, Audiocodes…oh, Audiocodes. I continually battle with your poorly written documentation for your excellent products. It’s either you write your documentation poorly, I’m just a terrible reader of technical documentation, or maybe it’s somewhere in the middle. Usually I blame myself, but I really think it’s you this time.


A great example of this is AudioCodes IP Phone Manager Express, a centralized management server for AudioCodes VoIP phones that is free for the first 500 phones purchased. The program sits on top of IIS, installs and utilizes SQL Express, and leverages option 160 (custom option) from DHCP for directing phones for registration. These guys have an excellent write-up on how to install it (just don’t have two option 160s like I did, for some stupid reason).

So you get it installed, phones are registering with it, the wind is against your back, and now you want to customize options. If you follow the administrative manual that comes bundled with the download (or just download it here), you might think you’re limited to just the placeholder values that come with it. Page 21 in the manual demonstrates how to enter the values for the placeholders, but it doesn’t show you where. The manual for the IP Phone Manager (non-express, download it here), has more information to explain what’s going on, but even it lacks some clear, explicit directions for creating those placeholder values.

This is my biggest complaint about AudioCodes documentation: instructions and documentation aren’t always clear and straightforward, written from the perspective of someone installing this stuff.

So how do you create those placeholders? Turns out it’s relatively simple, and makes sense once you connect the dots.

To create placeholders, you create the variable values in the configuration templates. Go to Phones Configuration > Templates > select the phone template you want to adjust:

[Image: IPP Template]

In the above example, I’m creating a multicast group for paging. Also, I kept the naming scheme consistent, but you don’t need to include “ITCS_” for the variable, as long as it matches later. (09/22/16) Correction: you do need to keep the naming scheme the same, at least from what I can tell in setting region placeholders. When you enter the placeholder name, IPP appends the name with “%ITCS_<yourPlaceHolder>%”.

Then, you can create your ‘Regions’ for customizing configurations, and then add your customized values to each region like this:

[Image: IPP Region Values]

Next, change the region of the phone(s), if you haven’t done this already:

[Image: IPP Phone Options]

Finally, update the phone configurations. Go to Users > Manage Multiple Devices, add the devices you want to update, select the action “Generate IP Phones Configuration Files” or “Update Configuration File”, then click “Generate IP Phones Configuration Files”:

[Image: IPP Update Config]

Generating will restart the phone, updating will not. I prefer generating, but you may not want to avoid the phone restart.

That’s it.

AudioCodes has a great system here, and it’s pretty cool that it comes free. The only hiccup I’ve encountered with the program so far is that I have some phones that I can’t issue commands to for some reason. There are some users that I can’t put in regions or update configurations, and when I try, IPP tells me that the user is not approved, but when I try to approve the user, it says the user is already approved. It’s very strange, and thankfully I don’t worry about it much because the users are in the default region, but I could see this being an issue for sure. I haven’t reached out to AudioCodes yet for support, but I’ll update something here when I do.

Happy phone managing!

Skype for Business/Lync Server and Exchange UM: Errors with Event IDs 1079 & 1136

During a recent Skype for Business-Exchange 2013 deployment, I tried running all calls to a DID, then to an Exchange 2013 UM Auto Attendant. After some hiccups I had it working, but painfully, dialing by extension and transfers did not work from the Auto Attendant. After doing some investigating, the Skype server wasn’t giving me any errors, and my syslog from the Audiocodes gateway was indicating calls were transferring.

However, the Exchange server gave me two errors regarding unified messaging: 1079 and 1136.

1079:

[Image: exUMError1079]

1136:

[Image: exUMError1136]

I tried lots of solutions, tested my environment numerous times, but nothing was working. If you look these errors up when doing a Skype for Business server deployment, you’ll often see Microsoft KB 3069206 come up, titled “Exchange UM Auto Attendant cannot transfer calls to a phone or extension number in Skype for Business Server 2015”. Looks great and promising…

…but I’ve already updated the server to the latest CU.

With more Google-fu, I found my solution: I needed to change my certificate for the Exchange server.

According to this TechNet thread, the certificate assigned to the UM services on the Exchange server needs to have its subject name be the same as the Exchange UM server’s name. I had used the same UCC-SAN cert for UM services that I set up for the Skype for Business Edge server, and added all the subject alternative names needed.

The fix: perform a new certificate request from the internal CA, apply the certificate to the UM services, then restart the UM services on the Exchange server.

After that, call transfers worked!

Hope this helps someone.
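A way to check for this mismatch before and after replacing the certificate, as an added example that is not part of the original post. It lists every certificate bound to the UM services and compares the subject CN with the server name. The function name `Test-UMCertificateSubject` is hypothetical, and treating the server's FQDN as the name the subject must match is an assumption of this example.

```powershell
# Added example; run in the Exchange Management Shell.
# Test-UMCertificateSubject is a name chosen for this example.
function Test-UMCertificateSubject {
    param([string]$Server = $env:COMPUTERNAME)

    # Assumption: the "server's name" the subject has to match is the FQDN.
    $fqdn = (Get-ExchangeServer -Identity $Server).Fqdn

    Get-ExchangeCertificate -Server $Server |
        # Services is a flag list such as "IIS, SMTP, UM, UMCallRouter";
        # matching 'UM' covers both UM and UMCallRouter bindings.
        Where-Object { "$($_.Services)" -match 'UM' } |
        ForEach-Object {
            # Pull the CN out of a subject like "CN=host.example.local, O=..."
            $cn = if ($_.Subject -match 'CN=([^,]+)') { $Matches[1].Trim() } else { '' }
            [pscustomobject]@{
                Thumbprint   = $_.Thumbprint
                SubjectCN    = $cn
                ServerFqdn   = $fqdn
                SubjectMatch = ($cn -ieq $fqdn)   # case-insensitive compare
                NotAfter     = $_.NotAfter
                Services     = "$($_.Services)"
            }
        }
}

# SubjectMatch = False on a UM-bound certificate is the condition described
# above: a shared UCC/SAN certificate whose subject is some other host name.
Test-UMCertificateSubject | Format-List
```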

 

Skype for Business: “Prerequisite installation failed: MSSpeech_TTS_pt-BR_Heloisa”

While doing a Skype for Business deployment, I encountered this strange error that was preventing the S4B server components from installing: “Prerequisite installation failed: MSSpeech_TTS_pt-BR_Heloisa”.

The log file showed the following:

[Image: languageErrors]

After doing some Googling, the consensus was to find the MSI file and replace it.

The file was located here: C:\ProgramData\Microsoft\Skype for Business Server\Deployment\cache\6.0.9319.0\setup\speech\pt-BR\

However, the question was where to get the speech files. I tried getting them from the ISO, but it appeared the files on the ISO were corrupted, so I had to get the files here:

Microsoft Speech Platform – Server Runtime Languages (Version 10.1)

I ended up downloading what I needed, but subsequent MSI files were also having problems, so I ended up just replacing MSIs in the directories “pt-BR” through “zh-TW” just to be safe.

The installation then continued successfully as expected.

Hope this helps someone.

Update (06/07/16): Had this problem again (forgot to replace ISO), and I found out that if you keep the S4B ISO mounted or DVD in the system, then S4B will re-download the bad packages from the ISO/DVD. Dismount or eject the media, then copy the MSI files.

Update 2 (09/20/16): You can also just re-download the ISO. Problem solved. 😀

Virtualbox VLANs in Ubuntu

Wanted to add a quick note about VLANs, VirtualBox, and Ubuntu.

Virtualbox does VLANs a little differently on Ubuntu than other hypervisors. In order to get VLANs working for a Virtualbox VM, you have to create a subinterface that is for a specific VLAN (of course, assuming your NIC supports 802.1q tagging). To create a subinterface in Ubuntu, follow the instructions here:

https://wiki.ubuntu.com/vlan

Then in Virtualbox, you set the network interface to ‘bridged mode’, then select the subinterface. Assuming your new subinterface is permanent, the VM will use that subinterface and be within that VLAN.

I’m not entirely sure how to accomplish this for Virtualbox on Windows. It would seem like you would need a separate physical interface, especially for Windows 10 and probably others.

Unrelated note: Virtualbox on Windows 10 is horrible, and so is the native Hyper-V, but that’s for another post, maybe.

Edit (20180705): A few years later, and I can honestly say VirtualBox on Windows 10 is stable now, and has been for awhile. Felt the need to update this. :-p

Setting Up a Separate WSUS to Work with SCCM Environment

Sometimes I feel thick-headed.

This is especially true, sometimes, with SCCM — but c’mon, it’s SCCM, so it comes with the territory.

The issue I was having was that I didn’t quite understand what the role a separate WSUS server would play in an SCCM environment. I thought it would be configured something like this:

[Image: sccmWsus1]

I didn’t quite understand how the WSUS server worked with the SCCM environment. I knew SCCM managed WSUS, but it didn’t make sense to me how. Why wouldn’t I just configure WSUS and SCCM on the same box if I had to have the WSUS role already on the same system? This setup would cause the WSUS role on the SCCM primary site to be managed, but it tried to get updates from a WSUS that wasn’t doing anything, and I would have to manage updates from it, PLUS manage the updates in SCCM for deployment.

This seemed ridiculous to me, and super-redundant. Well, that’s because it is ridiculous and super-redundant.

In reality, it should be something like this:

[Image: sccmWsus2]

Basically:

  • WSUS console is installed on SCCM Primary Site
  • WSUS server has the WSUS role installed, but nothing else
  • No group policy configured for the WSUS server to point to an internal box
  • In SCCM, configure the WSUS server as a ‘Site System’ with the Software Update Point role configured.
  • Your software updates for WSUS then get their updates from Microsoft, unless you have another WSUS upstream server.
  • Then all updates come from the WSUS server.

I kind of feel like a bonehead for this, but hey, I get it now!

More info on the process here (although my setup is a little different):
Installing a remote Software Update Point in SCCM 2012 R2

How to Find the Microsoft Store GPO in Server 2012 and 2012 R2

Edit (02/15/16): I learned recently that a better approach is to just copy the Administrative Templates from group policy on a workstation and copy it into your AD administrative templates. Not as ridiculous, but still annoying.

This is probably one of the most ridiculous things I’ve encountered.

If you’re a system administrator, you sure as hell don’t want to deal with the Microsoft Store for your image deployments. It’s a superfluous piece of software that’s imposed on us, and Microsoft doesn’t give any tools during the deployment to get rid of it.

They make it even more difficult in a very asinine way to get the GPO you need to manage the Store.

In order to get the Store GPO, you have to install the ‘Desktop Experience’ feature.

Why Microsoft decided to do this is beyond me. Why do I have to install a piece of bloat on my servers in order to get the GPO to manage the Microsoft Store?

Then you can go to Computer Configuration > Administrative Templates > Windows Components > Store.

Creating New Powershell Virtual Directories in Exchange 2013

I encountered the most bizarre issue: after removing my Powershell Virtual Directory, I could not for the life of me recreate the VD. I continually received the following error:

New-PSSession : [subdomain.mail.domain.com] Connecting to remote server mail.domain.com failed with the following
error message : The WinRM client sent a request to an HTTP server and got a response saying the requested HTTP URL was not available. This is usually returned by a HTTP server that does not support the WS-Management protocol. For more information, see the about_Remote_Troubleshooting Help topic.

Nothing online was helping, until I read something randomly about adding the Exchange Snap-In in a regular Powershell window. So I typed the following in Powershell:

Bingo. Directory created.

Weird.