
Archive for October, 2010

Lync 2010 Client Policies

General Information

Rejoice Lync Administrators!  Gone are the days of out-of-band provisioning (Group Policy); Lync 2010 instead utilizes in-band provisioning (connecting to the server and getting custom settings).  This is great news, as many companies have machines that are not domain-joined and/or are outside of the network.  Deploying Group Policies is not viable for non-domain-joined machines, and is possible for mobile workers if you are using Direct Access.  But with Lync 2010, you won’t have to worry about either, because Group Policies for Lync 2010 Client Settings have now been moved to in-band provisioning.  Lync 2010 uses the Lync Management Shell (LMS) to manage these in-band settings, utilizing commands with the following noun: CSClientPolicy*.  Commands with this noun include:

  • New-CSClientPolicy
  • Get-CSClientPolicy
  • Set-CSClientPolicy
  • Grant-CSClientPolicy
  • Remove-CSClientPolicy
  • New-CSClientPolicyEntry

The main commands we will look at are the first four.

The biggest thing to note about Client Policies is that they can be configured at three different levels.  These levels include:

  • User Level
  • Site Level
  • Global Level

By default, user policies are set at the Global Level.  Unfortunately, Get-CSClientPolicy -Identity User does not show anything other than the user-set policies.  So let’s say I want to see what I am assigned.  I can run the following command:

Get-CSUser "Shudnow, Elan"

VoicePolicy                       : ChicagoVoicePolicy
ConferencingPolicy                :
PresencePolicy                    :
DialPlan                          :
LocationPolicy                    :
ClientPolicy                      : ChicagoClientPolicy
ClientVersionPolicy               :
ArchivingPolicy                   :
PinPolicy                         : ChicagoPinPolicy
ExternalAccessPolicy              :
HostedVoiceMail                   :
HostedVoicemailPolicy             :

If one of the properties above is $null, that doesn’t mean you are not abiding by some policy.  The above will only display User Level Policies; Site Level and Global Policies are not displayed.  This is because User Level Policies are readily available in Active Directory whereas the Site Level Policies and Global Policies are not.  More information on this, as well as a script that provides more verbose information showing which policies apply, including Site Level or Global Level Policies, is available here.

But by default, we can see that no policies exist other than the Global Policy by running the following command:

Get-CsClientPolicy | FL Identity
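
Added example (not from the original post, and not the script linked above): a function for the Lync Management Shell that resolves which client policy actually applies to a user by checking the User Level, then the Site Level, then the Global Level. The function name Get-EffectiveClientPolicy and its -SiteName parameter are hypothetical; the site is supplied by the administrator rather than looked up, and the user and site names are the sample values used in this article.

```powershell
# Added example: resolve the client policy that is really in effect for a user.
# Assumes it is run inside the Lync Management Shell.
function Get-EffectiveClientPolicy {
    param(
        [Parameter(Mandatory = $true)][string]$User,      # e.g. "Shudnow, Elan"
        [Parameter(Mandatory = $true)][string]$SiteName   # e.g. "Chicago" (supplied by the admin)
    )

    $csUser = Get-CsUser -Identity $User -ErrorAction Stop
    $policy = $null
    $scope  = $null

    # 1. User Level: the only scope that Get-CsUser reports.
    if ($csUser.ClientPolicy) {
        $policy = Get-CsClientPolicy -Identity "$($csUser.ClientPolicy)"
        $scope  = 'User'
    }

    # 2. Site Level: only consulted when no User Level policy is granted.
    if (-not $policy) {
        $policy = Get-CsClientPolicy -Identity "site:$SiteName" -ErrorAction SilentlyContinue
        if ($policy) { $scope = 'Site' }
    }

    # 3. Global Level: always exists, so it is the final fallback.
    if (-not $policy) {
        $policy = Get-CsClientPolicy -Identity global
        $scope  = 'Global'
    }

    New-Object PSObject -Property @{
        User         = $User
        Scope        = $scope
        Policy       = $policy.Identity
        DisplayPhoto = $policy.DisplayPhoto
    }
}

Get-EffectiveClientPolicy -User "Shudnow, Elan" -SiteName "Chicago" |
    Format-List User, Scope, Policy, DisplayPhoto
```

An empty ClientPolicy on Get-CSUser then shows up as Scope Site or Global instead of looking like no policy applies.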

There are some fundamental things you should know about when managing policies on users:

  • When we want to create policies, we use the New-CSClientPolicy command.
  • When we want to modify policies, we use the Set-CSClientPolicy command.
  • When using the Set-CSClientPolicy with no -Identity (as -Identity is actually Optional), the Global Policy is modified.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a Site Policy, we prefix the Identity with site:.  For Example: Set-CSClientPolicy -Identity site:Chicago.
  • When using the Set-CSClientPolicy with the -Identity specified, if we want to modify or create a User Policy, we do not prefix the Identity. For Example: Set-CSClientPolicy -Identity ChicagoClientPolicy.
  • When setting a client policy on a user, we use the Grant-CSClientPolicy.  For Example: Grant-CsClientPolicy -Identity "Elan Shudnow" -PolicyName SalesPolicy


Let’s take a look at an example.  Let’s remove the ability for my account to be able to display photos.  As you can see in the following screenshot, I currently have the ability to display photos:

We need to first create the ChicagoClientPolicy.  We do this by running the following command:

New-CSClientPolicy -Identity ChicagoClientPolicy

Now let’s re-run the command we saw in the first screenshot in this article to verify we see both a Global Policy as well as our new ChicagoClientPolicy.

Get-CsClientPolicy | FL Identity

I will run the following two commands to remove the ability to Display Photos for our new ChicagoClientPolicy and then verify the DisplayPhoto parameter is set to NoPhoto:

Set-CSClientPolicy -Identity ChicagoClientPolicy -DisplayPhoto NoPhoto
Get-CSClientPolicy -Identity ChicagoClientPolicy | Format-List DisplayPhoto

Now we’ll have to assign the ChicagoClientPolicy to my user account and then verify it was assigned.  We do this by running the following commands:

Grant-CSClientPolicy -Identity "Shudnow, Elan" -PolicyName ChicagoClientPolicy
Get-CSUser -Identity "Shudnow, Elan" | FL ClientPolicy

After signing out and signing back in, voila, pictures are no longer there.  Success!

But, let’s say we wanted to reverse this.  You may think to yourself, can I just set the setting to Null/Remove Policy or do I have to set the property to the opposite value to reset the registry setting?  Well, let’s have a look.  I’m going to try to just remove the policy from my account and verify that and then see if that takes care of it.  I’ll do this by running the following command:

Grant-CSClientPolicy -Identity "Shudnow, Elan" -PolicyName $Null
Get-CSUser -Identity "Shudnow, Elan" | FL ClientPolicy

After signing out and signing back in, voila, pictures are back.  Success again!


Lync Server 2010 RC and Snooper.exe

Lync Server 2010 RC currently has no Resource Kit. Until it does, follow these instructions to grant Snooper.exe the ability to automatically analyze your Lync Logger traces. Keep in mind, this blog article will not be needed anymore once the Lync Resource Kit Tools are released.

For those of you working in a lab environment, you may need to do some more thorough troubleshooting besides looking at Event Logs. The tools that provide the ability to do further troubleshooting are located in the Resource Kit Tools. As stated above, Lync 2010 RC does not have Resource Kit Tools yet. I’m sure most of you would then think of installing the OCS 2007 R2 Resource Kit. But, there’s a problem. If you go to install the OCS 2007 R2 Resource Kit, you get the following error:

Thankfully, there is a way to get Snooper installed so that we may do some deeper analysis of Lync Server 2010 RC.  The first thing we will need to do, is take the OCS 2007 R2 Resource Kit Tools, and extract the tools using msiexec.  To do this, I will put the OCSResKit.msi in the C:\ volume at the root level.

We now want to build our msiexec command to extract this MSI file.  The command utilized will be structured as such:

msiexec /a MsiPath /qb TARGETDIR=FullPathToExtractDirectory

Because our cmd.exe is in the same location as the MSI file we will be extracting and we want our folder to also be located on C:\, we will use the following command:

msiexec /a OCSResKit.msi /qb TARGETDIR=C:\OCSResKit

After running the command, we will see the MSI extraction process, which looks as if the OCS Resource Kit is installing.

Let’s navigate to the location of our Snooper.exe.  This is located in “C:\OCSResKit\BuiltIn\Microsoft Office Communications Server 2007 R2\ResKit\Tracing”

Copy the Snooper.exe executable and navigate to and paste the file in the following directory “C:\Program Files\Common Files\Microsoft Lync Server 2010\Tracing”

Now when you are doing tracing with the Lync Server 2010 Logging Tool and click Analyze, it will have the ability to automatically launch Snooper.exe, just like with OCS after you had installed the OCS 2007 R2 Resource Kit in OCS 2007 R2.
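
Added example (not part of the original post): because this procedure drops an executable into a Program Files directory by hand, the script below checks the Authenticode signature of the extracted Snooper.exe before copying it, and re-checks the copy afterwards. The paths are the ones used above; the function name Test-SignedBy is hypothetical, and the expected publisher string is an assumption about how the binary is signed.

```powershell
# Added example: verify Snooper.exe before placing it in the Lync tracing folder.
$source = 'C:\OCSResKit\BuiltIn\Microsoft Office Communications Server 2007 R2\ResKit\Tracing\Snooper.exe'
$target = 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Tracing'
# Assumption: publisher string expected in the signing certificate subject.
$expectedPublisher = 'O=Microsoft Corporation'

function Test-SignedBy {
    param([string]$Path, [string]$Publisher)

    if (-not (Test-Path -LiteralPath $Path)) {
        Write-Warning "Not found: $Path"
        return $false
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # 'Valid' means the file hash matches the signature and the chain is trusted.
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$Path signature status: $($sig.Status)"
        return $false
    }
    if ($sig.SignerCertificate.Subject -notlike "*$Publisher*") {
        Write-Warning "$Path signed by unexpected subject: $($sig.SignerCertificate.Subject)"
        return $false
    }
    return $true
}

if (Test-SignedBy -Path $source -Publisher $expectedPublisher) {
    Copy-Item -LiteralPath $source -Destination $target
    $copied = Join-Path $target 'Snooper.exe'
    # Re-check the file that will actually be launched by the Logging Tool.
    if (-not (Test-SignedBy -Path $copied -Publisher $expectedPublisher)) {
        Remove-Item -LiteralPath $copied
        Write-Error 'Copied Snooper.exe failed verification and was removed.'
    }
} else {
    Write-Error 'Snooper.exe was not copied.'
}
```

Run it from an elevated shell, since the destination is under Program Files.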


Lync 2010 Collocated Mediation Server vs. Dedicated Mediation Server

To Collocate or not to Collocate – That is the Question


One of the new capabilities in Microsoft Lync 2010 is the ability to collocate your Mediation Server onto the Front End Server(s).  There are a few situations to be cognizant of in regards to collocation of the Mediation Server.

1.  Amount of Media Bypass calls vs. non-Media Bypass calls.  For information on what Media Bypass is, refer to my article on Media Bypass here.

2.  Dedicated Audio/Video Server(s) or Collocated Audio/Video Servers.

3.  Utilizing Direct SIP vs. SIP Trunking vs. Voice Gateway.

Amount of Media Bypass calls vs. non-Media Bypass calls

As stated in the General Information section, please refer to my article on Media Bypass here. In environments with at least one branch site, these branch sites may or may not be utilizing Media Bypass.  If not utilizing Media Bypass, the clients in a site where Media Bypass is not enabled will be utilizing the Mediation Server(s) at the main site for both Signaling as well as Media.  The Mediation Server will receive RTAudio media from these clients, transcode it to G.711 and send it to the gateway.  This takes processing power to do.  In an environment where there are a lot of heavy voice users, this media transcoding will take a toll on the Front End Pool and possibly overload it, causing a possible degradation of voice quality.

Dedicated Audio/Video Server(s) or Collocated Audio/Video Servers

This one is fairly simple.  The existing guidance, which may change at RTM, is if you have over 10,000 users, deploy a dedicated Audio/Video Conferencing Pool.  The Lync Server 2010 Planning Tool will assist in determining the amount of dedicated Audio/Video Conferencing Pool Servers you require.  If both the A/V and Mediation Server are on the Front End Server(s), you should ensure that there is at least 30% CPU available for just the processing of calls.  If 30% is unavailable, the Mediation Server(s) should be split into a separate Mediation Server Pool.

Utilizing Direct SIP vs. SIP Trunking vs. Voice Gateway

All Front End Server(s) in a Pool are created equally. The Topology Document’s view of a Voice Peer is applied consistently across all servers in a Pool. If the Mediation Servers are collocated, each Front End/Mediation Server will need to talk to the Mediation Server’s Peers in the same fashion. Internet Telephony Service Provider’s (ITSP) SIP Trunk Peers and IP-PBX Direct SIP  Peers have certain recommendations in regards to collocation while IP Gateways have separate recommendations.  Let’s take a look at these recommendations and why these recommendations exist.

SIP Trunks and Direct SIP

If you are utilizing SIP Trunks or using Direct SIP, you will need a trunk going to each Mediation Server.  The Peer will provide load balancing mechanisms to ensure that all traffic to a Mediation Server is load balanced.

When taking SIP Trunks with an ITSP, some ITSPs will charge on a per trunk basis. So for each Mediation Server used and connecting to a Session Border Controller (SBC) when utilizing a SIP Trunk, you will most likely be spending more money. If you have 10 Front End Servers with a SIP Trunk going to each, the costs can be high.  Instead, it would make more sense to have dedicated Mediation Servers where only possibly 3 are required: now you are only paying for 3 trunks, you have dedicated processing for Mediation Traffic and you reduce hardware utilization on your Front End Server(s).  The same issue occurs with Direct SIP to an on-site PBX.  You don’t have the cost issue, but you may have the requirement to do application layer load balancing, which is another reason why you want a SIP Trunk defined from each Mediation Server to each SBC/Direct SIP PBX.

IP Gateways

This is all different when utilizing Certified IP Gateways.  Certified IP Gateways should support DNS Load Balancing to the Mediation Pool.  The Certified IP Gateways can also receive traffic from any Mediation Server.  Keep in mind, if not using DNS Load Balancing, you’ll still have to set up a SIP Trunk to each Mediation Server.

Standard Edition Front End Server with Collocated Mediation Server

This all becomes a moot point if you only have one Front End Server anyways, since you don’t have to worry about any type of load balancing or extra costs associated with more than one SIP Trunk to an ITSP.