Skype for Business: Cleanly Shutting Down Server (Invoke-CSComputerFailover and More)

It’s been over three years since I managed and deployed a Skype for Business/Lync system, and at my new job I was hired on to be a network engineer, but I noted that in a past life I received an MCSE in Skype for Business, so I could definitely be the backup for the primary SME (subject matter expert) in SfB. However, in a strange twist, the primary SME left — and you know what, there’s just not a lot of Skype for Business/Lync engineers out there, especially in a small labor market, so I stepped up to help the organization because I was the most qualified by a long shot.

So I’m back doing some Skype for Business again.

Captain America Here We Go Again

I actually have always liked voice routing, so it’s fun to be doing some of this stuff again (although SfB is a pretty intense, integrative technology, so it’s not all Pop-Tarts and unicorns).

However, I was trying to get reacquainted with some commands for cleanly shutting down a Skype For Business server, and I just didn’t find a lot of good information out there, so I thought I might write something up “real quick”. This is somewhat basic info for SfB enterprise deployments, but it might be helpful.

Enough of the pretext, let’s get to the first command…

Get-CSWindowsService

I’m starting with this command because it’s the most basic command you should already know, but it plays a role later in this post. Typically you’ll use the command to see how many connections are being used by a service, if a service is running, etc.

The command is straightforward: Get all or one of the SfB (or Communication Server, which is where the acronym CS comes from) Windows Services on the machine.

Stop-CSWindowsService

The command `Stop-CSWindowsService` is the most basic command you’ll use to stop all or one of the services on a SfB server. The command stops the SfB services in the proper order, including any dependent services.

Typically you’ll be using this command on a ‘Standard’ deployment SfB server, or any non-front end server in an ‘Enterprise’ deployment such as mediation/edge servers (more info: standard vs enterprise deployment). There are probably only rare situations in which you’ll stop just one service, so you’ll likely be stopping all of them.

If you’re doing this outside a maintenance window for some reason, I prefer to do the following: `Stop-CSWindowsService -Graceful`. The `-Graceful` is important here, because it puts the services into a paused state, preventing any new connections from happening and waiting on existing connections to disconnect. On mediation servers, whenever I’ve needed to stop a server in a mediation pool, this is my preferred method so that I wait for the calls to end. However, it won’t stop until the call is done, so you might be waiting a while.

Invoke-CSComputerFailover

For whatever reason, this command scared me at first, largely because of my ignorance of what it does. The official documentation on the command I don’t think does it justice, so here’s my attempt at it.

The command `Invoke-CSComputerFailover` will basically perform a `Stop-CSWindowsService -Graceful` operation, but it acts slightly differently. The differences:

  1. It’s used on front end servers in an enterprise deployment (or at least I’ve never seen it documented or used on other SfB server pools). The command causes the front end server to be in a ‘failover’ state, making it unavailable to the rest of the front end pool.
  2. The command migrates data, routing groups, and more to the other front end servers.
  3. The command has a wait time of 1 hour per service, after which if the connections haven’t disconnected, it will force a disconnect. This default can be changed with the `-WaitTime` parameter.
  4. This command will make the server unavailable in the front end pool. After a reboot, or if for some reason you run Start-CSWindowsService, the server won’t be available until you run Invoke-CSComputerFailBack.

After working with it and using it several times, it’s not as scary as I thought. Just run it on one machine at a time lest you have some Windows Fabric issue due to quorum loss (or something to that effect).

Invoke-CSComputerFailover Hanging or Taking Awhile

Sometimes when you’re failing over a front end server, you get stuck waiting for some services to stop like this:

Status screen waiting for Invoke-CSComputerFailover to Progress

If you look at `Get-CSWindowsService`, you might actually find something like this:

Get-CSWindowsService Seeing Services With Hanging Connections

If you note the red and blue arrows, the services are left open, likely from a conference that has ended already, but is being left open for whatever reason. To speed up Invoke-CSComputerFailover, just open a separate elevated terminal and stop the services like this:

Stopping the stalled services with Stop-CSWindowsService in separate window

After which, `Invoke-CSComputerFailover` will continue on as expected.

Invoke-CSComputerFailover progressing

I originally tried out the idea on my own, but the following blog entry also helped me and explains it from a different perspective.
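The failover, stalled-service check, and failback steps described above can be wrapped into a small maintenance helper. This is an added example, not code from the original post: the function names and host name are hypothetical, and the `Get-CsPoolUpgradeReadinessState` pre-check is an addition the post does not mention, used here to guard against the quorum problem noted earlier.

```powershell
# Added example, not from the original post. Run in an elevated Skype for
# Business Server Management Shell on a front end in the pool.
# Function names and the FQDN shown under "Usage" are hypothetical.

function Start-FrontEndDrain {
    param([Parameter(Mandatory)][string]$ComputerName,
          [TimeSpan]$WaitTime = '00:30:00')   # overrides the 1-hour default

    # One server at a time: refuse to start unless the pool reports Ready.
    # (Assumption: State is 'Ready' when it is safe to take a node down.)
    $state = (Get-CsPoolUpgradeReadinessState).State
    if ("$state" -ne 'Ready') {
        throw "Pool state is '$state'; not failing over $ComputerName."
    }
    # Drains connections, moves routing groups, then stops the services.
    Invoke-CsComputerFailOver -ComputerName $ComputerName -WaitTime $WaitTime
}

function Get-PendingCsService {
    # For a second elevated window while the failover appears stuck:
    # lists services that have not stopped yet, with their activity counters.
    param([Parameter(Mandatory)][string]$ComputerName)
    Get-CsWindowsService -ComputerName $ComputerName |
        Where-Object { "$($_.Status)" -ne 'Stopped' } |
        Select-Object Name, Status, ActivityLevel
}

function Complete-FrontEndMaintenance {
    # After patching or rebooting: rejoin the pool, then report any service
    # that did not come back up.
    param([Parameter(Mandatory)][string]$ComputerName)
    Invoke-CsComputerFailBack -ComputerName $ComputerName
    Get-CsWindowsService -ComputerName $ComputerName |
        Where-Object { "$($_.Status)" -ne 'Running' }
}

# Usage (constructed host name; service name is a placeholder):
#   Start-FrontEndDrain -ComputerName 'fe01.example.test'
#   Get-PendingCsService -ComputerName 'fe01.example.test'      # second window
#   Stop-CsWindowsService -ComputerName 'fe01.example.test' -Name '<stalled service>'
#   Complete-FrontEndMaintenance -ComputerName 'fe01.example.test'
```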

Microsoft Ignite 2017 Thoughts

A few weeks ago I had the pleasure of attending Microsoft Ignite 2017 in Orlando, Florida, one of the best and well-organized conferences I have ever attended. There were a ton of sessions to attend for people of all backgrounds in IT, so I couldn’t hit them all (thankfully they’re posting the sessions on YouTube).

It’s a juggling act at events like this to strike the balance between personal interest and getting information/training to add value to the organization that sends you, so I focused on Windows 10 Deployment, Azure IaaS, and whatever Powershell nuggets I could find. All three topics are too much for one post alone, so I wanted to dump some thoughts on one that stuck out the most: Windows 10 Deployment.

Creeping from the Old to the New: Windows 10 Deployment

Device deployment in the Microsoft world has been dominated by what they call “traditional IT”, which we in the SCCM/MDT world would just call imaging. The “traditional” method of deploying devices often involved a lot of preconfiguration before the device actually reached the end-users, often with BIOS updates/configs and the tried and true method of wipe and load.

Of course, at Microsoft Ignite, you’re going to get proselytized about the company’s newest technology, and the direction Microsoft is transitioning to is something they call “modern IT”. It’s best summarized in this slide from Michael Niehaus’ session on deploying Windows 10:

Traditional IT VS Modern IT

In practice, what this actually looks like is a bit of a gradient between on-premise and cloud-based services, but the direction Microsoft is taking is to move identity services to Azure Active Directory, device management to InTune, application deployment to the Windows Store, and update management to Windows Update for Business. The entire process is initiated on end-devices after a user logs into a device with their email and password over an Internet connection, removing the need for special provisioning. The entire process is summarized into what Microsoft calls “Windows AutoPilot”.

However, what I took from AutoPilot and all the deployment sessions was that while Microsoft would love for organizations to move their deployments online and sign-up for that recurring revenue, they know this is still a little ways off and doesn’t offer the feature parity of AD/SCCM. So instead, they’ve designed InTune and SCCM to really work in what they call “co-existence”, which comes from using the old and new methods together as a form of transition (to varying degrees): InTune-SCCM-AAD, or InTune-SCCM-AD, or (insert combo). The idea here is to not go full cloud, but transition to it to some degree.

One of the deployment MVPs who represented Microsoft explained it to me like this. Microsoft’s story about centralized Windows management has been largely one-sided for over 20 years: SCCM or nothing. There was no middle-ground between nothing and SCCM (although you could cobble-up some combination of AD, MDT, and scripts). InTune, AutoPilot, Windows Store — the combination of it all presents a middle-ground, a sort of gradient to centralized management. If you want a lot of control over your devices, continue using SCCM; if you want something simple, you have InTune now.

I think what Microsoft has done is make an interesting case for “modern” deployment, but until their on-premise AD component is deployed and fully-tested, I just don’t see a compelling case to even try InTune yet. The current deployment process, while not perfect, works pretty well, so this would have to be hardware that is proven to work well. Past experience makes me skeptical that hardware will work as well and consistently as SCCM OSD does (then again, I’m not working with users across the globe, so maybe there’s a better case to be made in that scenario).

Modern Windows 10 Deployment and Education

Bringing this closer to the industry I currently work in, Microsoft’s case for Windows 10 deployment and management for education is strong and better than ever before. Windows AutoPilot is indeed a great way to deploy devices (no matter which way you approach it), Azure AD and Office 365 are stellar products, OneNote is awesome (best education tool I’ve seen), Microsoft Teams looks amazing (especially with its takeover of Skype for Business and integration with Microsoft Classroom), and Microsoft’s licensing is making a big change. The classroom tools are indeed there, and management is as easy as G Suite (IMO).

However, I can’t help but ask: has the ship already sailed for a lot of K-12 organizations? I mean, Microsoft certainly has this great product for K-12, but a lot of organizations have already made massive investments in their device purchases, the technology choices they’re using in the classroom, and the email/cloud platform that they’re running applications with. These organizations already have inertia in the direction of these choices, so does Microsoft have enough to unbalance this forward motion?

Office 365 vs. G Suite

I personally don’t think so, at least for the G Suite organizations. These organizations chose G Suite (or Google Apps at the time) largely because they could purchase educational devices for cheap, thereby getting more devices into students’ hands, and Google’s services (which users organically learned to use over the years) were free. Around the same time, Office 365 licensing was confusing, and while there were some free options, the service parity for device management just wasn’t there compared to G Suite.

Fast forward to today, and the case for medium and large education institutions moving to Microsoft 365 is more compelling in the context of data security. The new A3 and A5 pricing structures from Microsoft bring with them EMS, thereby allowing greater data loss protection and services. Meanwhile, Google removes feature parity between its Education and Enterprise products, requiring organizations to acquire the Enterprise suite at $25/user per month for services such as DLP.

Education Desktop Bundling Licensing Changes

Maybe it’s the Microsoft Ignite kool-aid in my system, but Microsoft has a better case for its products than Google with its licensing combos, or maybe Microsoft is just better at marketing and promoting its platform than Google. In the education world, I hardly ever hear from Google themselves promoting their products; it’s always someone doing something randomly. Microsoft constantly makes contact with my org, but Google — not a peep.

Kid drinking Kool-Aid
Yes…give me more…

I’m going to go drink some MDT kool-aid now…

Quick Thoughts: Operating Between G Suite and Office 365

(I’ve decided to change things up a little bit and add some tech opinions every now and then, especially since I’ve changed jobs and I am now working for a medium-large school district. I’m titling these, “Quick Thoughts” that I’m going to write during my lunch breaks. Perhaps first of many…)

As a systems engineer for a school district, one of the tasks I have is to assist in the configuration and maintenance of our end-users working with whatever tools are offered by Microsoft and Google. At our school district, we are primarily a G Suite shop, with students and staff working within the G Suite apps, but what about the tools that Microsoft offers with Office 365 such as OneNote, Microsoft Classroom, and others? How do we, as the administrators of such tools, give these users the ability to work with whatever tools they want?

It seems a bit difficult at times because each platform, G Suite and Office 365, appears to really rely on its email services to leverage alerts and messaging, so if you miss a conversation in Skype for Business, you’ll only receive the email within your Exchange email, but you won’t receive it on the Gmail side. I’m not entirely sure this is a two-way street on the Google side, as I seem to have no problems logging into services like Meetup.com with my G Suite account, but receive my emails from the account on my Office 365 account.

It seems like Google is playing fair with their services, but Microsoft certainly doesn’t seem that way. So do we move email services to Office 365, and will this provide our users a better experience?

I’m not sure, and of course I don’t make those decisions, but I do think about it.

Maybe the more accurate question is “How cleanly can users operate in both worlds?” Sadly, while Google appears to behave better than Microsoft, this behavior actually hurts them a little bit for organizations like ours that want to use both services, as it forces us to consider using Exchange services for email to make the overall user experience better.

Microsoft seems to be the bad actor in this situation because their services don’t behave well with email systems other than Exchange. Even on-premise Exchange takes a bit of work to get working with Office 365 services.

Microsoft really wants all the business and tries to push organizations that way, but Google plays better with others, and Google’s platform seems to be more easily adopted by teachers than Microsoft’s (especially evident by how much marketing Microsoft has to do for education).

Of course, I’m assuming Google does play nice, but I haven’t tested every Google product, but Google has shown signs of not playing nice too, like dropping XMPP support for Hangouts, but that’s another conversation, and I’ve got to head back to work.

How to Find the Microsoft Store GPO in Server 2012 and 2012 R2

Edit (02/15/16): I learned recently that a better approach is to just copy the Administrative Templates from group policy on a workstation and copy it into your AD administrative templates. Not as ridiculous, but still annoying.

This is probably one of the most ridiculous things I’ve encountered.

If you’re a system administrator, you sure as hell don’t want to deal with the Microsoft Store for your image deployments. It’s a superfluous piece of software that’s imposed on us, and Microsoft doesn’t give any tools during the deployment to get rid of it.

They make it even more difficult in a very asinine way to get the GPO you need to manage the Store.

In order to get the Store GPO, you have to install the ‘Desktop Experience’ feature.

Why Microsoft decided to do this is beyond me. Why do I have to install a piece of bloat on my servers in order to get the GPO to manage the Microsoft Store?

Then you can go to Computer Configuration > Administrative Templates > Windows Components > Store.