
Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting Deployment Guide

Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting

Published: January 2012

Abstract: The Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting features include integration with Microsoft Exchange Server, Microsoft Outlook, and other communication technologies. Lync Server Multitenant Hosting Pack enables customers to manage geographically dispersed offices and mobile users in a way that reduces travel expenses, while maintaining highly collaborative team environments. This document describes the Lync Server Multitenant Hosting Pack, and includes information about how to deploy and configure it.

This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2011 Microsoft Corporation. All rights reserved.

Contents

1 Overview of the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting
1.1 Understanding the Lync Server Multitenant Hosting Pack
1.2 How to get the Lync Server Multitenant Hosting Pack Software
1.3 What’s Available in the Lync Server Multitenant Hosting Pack
1.3.1 Comparing the Lync Server Multitenant Hosting Pack with Microsoft Lync Online
1.4 Known Issues
2 Determining Your Infrastructure Requirements
2.1 Hardware Requirements
2.1.1 Hardware Requirements for Servers Running Lync Server 2010
2.1.2 Hardware Requirements for Back End Servers and Other Database Servers
2.2 Exchange Server 2010
2.3 Network Infrastructure Requirements
2.4 Domain Name System (DNS) Requirements
2.5 Active Directory Domain Services Requirements
2.6 Load Balancing Requirements
2.7 Port and Protocol Requirements
2.8 Certificate Requirements
3 Understanding the Lync Server Multitenant Hosting Pack
3.1 About Lync Server Multitenant Hosting Pack User Types
3.2 Lync Server Multitenant Hosting Pack Server Roles
3.3 Lync Server 2010 Control Panel
3.4 Exchange Server 2010 SP2 Roles
4 Planning for the Lync Server Multitenant Hosting Pack
4.1 Architectures
4.1.1 Architecture 1 – Support for 50,000 Tenant Users
4.1.2 Architecture 2 – Support for 5,000 Tenant Users
4.2 Flexible Systems Scaling
4.3 Role-specific Load Balancing and Fault Tolerance
4.4 Mailbox Server Storage Design
5 Deploying the Lync Server Multitenant Hosting Pack
5.1 Deploying Architecture 2
5.2 Change the Name and Domain of the Server Running Lync Server
5.3 Installation Media
5.4 Install the Lync Server Multitenant Hosting Pack
6 Define the Topology
6.1 Create a Front End Pool
6.2 Configure Front End Servers
6.3 Add Server Roles
6.4 Deploy Edge Servers
6.5 Define the Edge Topology
6.6 Build the Edge and Directory Topology
6.7 Deploy the Director
6.8 Monitoring
7 Post-Installation Configuration
7.1 Install Additional Components
7.2 Modify Lync Server Management Shell
7.3 Update Active Directory for Hosted Management Services
7.3.1 Move Root Tenant OU
7.4 Global Client Policies for Address Book Web Query
7.5 Lync Server Dial Plans
7.6 Proxy Configuration
8 Provisioning Tenant Organizations
8.1 Create and Secure the Organizational Units
8.2 Set TenantId and ObjectId
8.3 Add UPN Suffix to Tenant OU
8.4 Create Tenant SIP Domain
8.5 Configure Exchange Email
8.6 Configure Unified Messaging
8.6.1 Create Tenant Exchange Dial Plan and Exchange UM Mailbox Policy
8.6.2 Assign Tenant Dial Plan to All Available Exchange UM Servers
8.6.3 Update Exchange UM/Lync Server Integration Configuration
8.6.4 Create Lync Server Contacts for Exchange UM Subscriber Access
8.7 Configure Tenant Federation Settings
8.7.1 Getting Tenant Federation Settings
8.7.2 Adding Domains to the Tenant Allow List
8.7.3 Adding Domains to the Tenant Block List
8.7.4 Clearing the Tenant Block List
8.7.5 Clearing the Tenant Allow List
8.7.6 Resetting Tenant to Allow All Domains Except Those Listed on the Block List
8.7.7 Enabling a Tenant for Federation
8.8 Configure Federation Between Two Fully-Hosted Tenants
8.8.1 Configure Federation Between Lync Server On-Premises and Lync Server Multitenant Hosting Pack
8.9 Create Tenant DNS Records
8.10 Configure Tenant Meeting URL
8.11 Create Tenant Meeting Simple URLs
8.11.1 Import the Required Modules for Windows PowerShell
8.11.2 Configure the Simple URL to Use the Back-end Database
8.11.3 Create the Simple URLs for a Tenant Organization
8.11.4 Set the Simple URL DNS Name
8.11.5 Execute Enable-CsComputer on Front End and Director Servers
8.12 Update Certificates
9 Provisioning Tenant Users
9.1 Enable Tenant Users for Exchange UM
9.2 Set User TenantID and GroupingID
9.2.1 Known Issue
9.3 Configure the user Base Simple URL with the Tenant Organization’s Base URL
9.4 Enable Tenants for Lync Server
9.5 Set Address Book Policy for Tenant User
10 Overview of the Audio Conferencing Provider
10.1 Integrating with Audio Conferencing Provider
10.2 Provisioning with Audio Conferencing Provider
10.3 Integration Workflows with Audio Conferencing Provider
10.3.1 Create and Schedule a Web Conference
10.3.2 Activate a Conference
10.3.3 Join Conference by Using Conferencing Dial-out
10.3.4 Audio Bridging Sequence
10.3.5 Use Audio Controls from Lync Server
10.4 Known Issues
11 Code Samples
11.1 Prerequisites
11.2 Dependencies
11.3 Provision a Tenant Organization
11.3.1 Create and Secure Organizational Unit
11.3.2 Enable the Tenant Organization
11.3.3 Add an Additional SIP Domain to the Tenant Organization
11.3.4 Adding Domains to the Tenant Allow List for Federation
11.3.5 Adding Domains to the Tenant Block List for Federation
11.3.6 Removing Domains from the Tenant Allow List for Federation
11.3.7 Removing Domains from the Tenant Block List for Federation
11.3.8 Allowing all Domains for Tenant Federation
11.3.9 Enabling a Tenant for Federation
11.3.10 Enabling a Tenant for Public IM Connectivity
11.3.11 Enabling Federation between two Hosted Tenants
11.4 Provision Tenant Users

1. Overview of the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting

Microsoft® Lync™ Server 2010 Multitenant Pack for Partner Hosting is a unified communications (UC) solution for telecom and hosting providers. Unified communications is a way for telecom and hosting providers to expand their service offering to their current customers.

The Lync Server Multitenant Hosting Pack features include integration with Microsoft Exchange Server, Microsoft Outlook®, and other communication technologies. Lync Server Multitenant Hosting Pack enables customers to manage geographically dispersed offices and mobile users in a way that reduces travel expenses, while maintaining highly collaborative team environments. This increased integration of communication channels translates to improved organizational flexibility that is often difficult to find in larger enterprise organizations.

1.1 Understanding the Lync Server Multitenant Hosting Pack

This section describes how the Lync Server Multitenant Hosting Pack integrates with the core system infrastructure. To better understand the overall system it helps to define unified communications, Lync Server, and the Lync Server Multitenant Hosting Pack.

Unified communications (UC) is a system that integrates platforms for communications including email, voice mail, telephony, instant messaging (IM), and voice and video conferencing. UC solutions are installed on the client’s core systems, adding a UC layer to the overall infrastructure. This UC layer adds integration and interconnects the communications systems with the organization’s core system services.

Microsoft Lync Server 2010 is a family of servers functioning as UC servers that integrate with all the Microsoft line-of-business software. Lync Server adds these new communication possibilities within the organization. A Lync Server and Exchange Server layer provides system integration between Exchange and other communication systems such as IM, presence, voice and video calls, desktop sharing, file transfer, and ad hoc conferences.

Microsoft Lync Server Multitenant Hosting Pack is a special deployment configuration scoped for hosting or telecom services providers. The solution enables service providers to host multitenant Lync Server instances shared across multiple customer environments. In addition, the Lync Server Multitenant Hosting Pack solution includes an add-on layer that allows our partners to build communication packages that use the Lync Server Multitenant Hosting Pack to integrate with the core layer.

1.2 How to get the Lync Server Multitenant Hosting Pack Software

A license is required to use the software. To download and install the Lync Server Multitenant Hosting Pack software, you need to log in to the Microsoft Volume Licensing Service Center at .

1.3 What’s Available in the Lync Server Multitenant Hosting Pack

The features that integrate with other components and applications include the following:

• Presence   A collection of attributes that provides an indication of a person's status, activity, location, willingness to communicate, and contact information.

• Instant messaging (IM)   A form of real-time text-based communication.

• Data and desktop sharing   A feature that allows users to share files, use a whiteboard, and display their desktop to a meeting or to conversation participants.

• Conferencing   Two-way video and audio transmissions between users in multiple locations.

• Unified Messaging   An application that consolidates a user's voice mail, fax, and email into one mailbox, so that the user only needs to check a single location for messages, regardless of type. The email server is the platform for all types of messages, making it unnecessary to maintain separate voice mail and email infrastructures.

• Private branch exchange (PBX) replacement   UC integration with Voice over Internet Protocol (VoIP) systems can replace traditional phone exchange systems.

Lync Server Multitenant Hosting Pack partner feature sets include:

• Appliances   Hand and head set I/O devices.

• Conferencing server gateway video   Real-time IP video, voice, and data services.

• Mobility solution   Allows mobile phones the same access to services as a standard desktop handset.

• Audio conferencing provider   Integration with hosted conferencing systems.

• Short Message Service (SMS)   Text messaging systems used by phones and mobile communication systems.

1.3.1 Comparing the Lync Server Multitenant Hosting Pack with Microsoft Lync Online

The features available in the Lync Server Multitenant Hosting Pack are similar to those available in Lync Online. The following table lists the features that are available for each.

Feature Comparison: Lync Server Multitenant Hosting Pack versus Lync Online

|Lync Server feature |Lync Multitenant Hosting Pack |Lync Online |
|Presence | | |
|Contacts list |Yes |Yes |
|Address Book Service Web Query service |Yes |Yes |
|Distribution List Expansion protocol (DLX) |Yes |Yes |
|Instant Messaging (IM) | | |
|Point-to-point IM |Yes |Yes |
|Multiparty/Group IM |Yes |Yes |
|Group Chat |No |No |
|Client Support | | |
|Lync desktop client |Yes |Yes |
|Mac Messenger |Yes |Yes |
|Attendee (meeting only) |Yes |Yes |
|Lync Mobile on iPhone, iPad, Windows Phone 7, Android |Yes |Yes |
|Conferencing and Sharing | | |
|Point-to-point audio/video |Yes |Yes |
|Video conferencing over IP |Yes |Yes |
|Audio conferencing over IP only |Yes |Yes |
|Meeting recording |Yes |Yes |
|Ad-hoc audio dial-out conferencing |Yes, via SIP Trunk |Yes, via SIP Trunk |
|“Meet now” audio dial-out conferencing |Yes, via ACP |Yes, via ACP |
|Scheduled audio dial-out conferencing |Yes, via ACP |Yes, via ACP |
|Sharing | | |
|Point-to-point/multiparty data conference (white boarding) |Yes |Yes |
|Point-to-point/multiparty file share |Yes |Yes |
|Point-to-point/multiparty desktop and application sharing |Yes |Yes |
|Point-to-point/multiparty Microsoft PowerPoint® slide sharing |Yes |Yes |
|Polling |Yes |Yes |
|Integration | | |
|Microsoft Outlook integration for IM, presence, calendar (with users on the same hosting partner) |Yes |Yes |
|Microsoft SharePoint® integration for IM, presence (with users on the same hosting partner) |Yes |Yes |
|PIC and Federation | | |
|Intertenant federation |Yes |Yes |
|Federation with Extensible Messaging and Presence Protocol (XMPP) |No |No |
|Public IM connectivity and presence (Windows Live®, AOL®, Yahoo!®) |No |Yes |
|Public IM connectivity audio/video (Windows Live) |No |Yes |
|Basic calling features | | |
|Public switched telephone network (PSTN) calling via Lync, incoming and outgoing |Yes |Yes |
|Call controls (hold, transfer, forward, simultaneous ring) |Yes |Yes |
|Voice policies |Yes |Yes |
|Advanced calling features | | |
|Team call |No |No |
|Response groups |No |No |
|Delegation |No |No |
|Private line (secondary Direct Inward Dialing (DID)) |No |No |
|Call park |No |No |
|Outgoing DID manipulation |No |No |
|Voice features | | |
|Private dial plans |No |No |
|Hosted Exchange Unified Messaging (UM) for voice mail |Yes |Yes |

1.4 Known Issues

By design, public IM connectivity is not supported in this release.

2. Determining Your Infrastructure Requirements

All servers running Lync Server 2010 must meet certain minimum system requirements. System requirements for Lync Server 2010 include the server hardware, the operating system to be installed on each server, and related software requirements, such as Windows® updates and other software that must be installed on the servers.

2.1 Hardware Requirements

Lync Server 2010 server roles and computers running Lync Server administrative tools require 64-bit hardware.

The specific hardware used for a Lync Server 2010 deployment can vary depending on size and usage requirements. This section describes the recommended hardware. Although these are recommendations, not requirements, using hardware that does not meet these recommendations can result in a significant impact on performance and other problems.

2.1.1 Hardware Requirements for Servers Running Lync Server 2010

The following table describes the recommended hardware for all servers where you plan to install Lync Server 2010, except for the Director server role. These recommendations are based on a user pool of 80,000 users with eight Front End Servers and one Back End Server.

Hardware Recommendations for Servers Running Lync Server 2010

|Hardware component |Recommended |
|CPU |One of the following: 64-bit dual processor, quad-core, 2.0 GHz or higher; 64-bit 4-way processor, dual-core, 2.0 GHz or higher. Intel Itanium processors are not supported for Lync Server 2010 server roles. |
|Memory |16 GB |
|Disk |Local storage with at least 72 GB free disk space on a 10,000 RPM disk drive |
|Network |1 network adapter required (2 recommended), each 1 Gbps or higher |

Servers running the Director role have lower hardware requirements. These recommendations are based on a maximum of 39,000 external users per Front End pool (which follows the user model of 80,000 users per Front End pool, with 30% of users connecting externally and 1.5 multiple points of presence (MPOP)).

2.1.2 Hardware Requirements for Back End Servers and Other Database Servers

The requirements for the Back End Server and other database servers are similar to those of servers running Lync Server 2010, except that Back End Servers require additional memory. The following table describes the recommended hardware for a Back End Server or other database servers, based on an 80,000 user pool with eight Front End Servers and one Back End Server containing all databases required for your Lync Server deployment.

Hardware Recommendations for Back End Servers and Other Database Servers

|Hardware component |Recommended |
|CPU |One of the following: 64-bit dual processor, quad-core, 2.0 GHz or higher; 64-bit 4-way processor, dual-core, 2.0 GHz or higher. Intel Itanium processors are not supported for Lync Server 2010 server roles. |
|Memory |32 GB recommended for Back End Server (with or without collocated Archiving and Monitoring databases), 16 GB recommended for Archiving and Monitoring database (not collocated with the Back End Server). |
|Disk |Local storage with at least 72 GB free disk space on a 10,000 RPM disk drive |
|Network |1 network adapter required (2 recommended), each 1 Gbps or higher |

2.2 Exchange Server 2010

Lync Server Multitenant Hosting Pack uses Exchange Server as an integration point for the user. By using Exchange UM, Lync Server Multitenant Hosting Pack can store messages from multiple communication technologies, including presence, IM, workload, conferencing, and VoIP servers and services.

For more information about hosted Exchange, see the “Exchange Server 2010 Hosting and Multi-Tenancy Solutions and Guidance” at .

Deploy the following Microsoft Exchange Server 2010 roles according to the Exchange Server guidance. For details, see “Deploying Exchange 2010” in the TechNet Library at :

• Client Access Server

• Hub Transport Server

• Mailbox Server (public folders are optional)

• Edge Transport Server (optional)

• Unified Messaging

Apply Exchange Service Pack 2 to all Exchange servers. You can download Microsoft Exchange Server 2010 Service Pack 2 (SP2) at .

2.3 Network Infrastructure Requirements

The requirements for your network infrastructure will vary greatly depending on your deployment, the number of tenant users you need to support, and the features used by those tenants. For general information about network infrastructure requirements for Lync Server 2010, see “Network Infrastructure Requirements” at .

Specific requirements for deploying the Lync Server Multitenant Hosting Pack, or requirements that differ from those for Lync Server 2010 Enterprise Edition, are noted in the sections for the associated deployment task.

2.4 Domain Name System (DNS) Requirements

To support client automatic configuration for all hosted domains, you must work with your hosted customers to ensure that the required DNS records are created for each hosted domain. You must add the appropriate subject alternative names to certificates used by Director and Edge Servers for each of these domains. To facilitate initial testing, this documentation assumes that hosting providers will follow the standard guidance to configure a single supported SIP domain during initial deployment. That SIP domain is both publicly registered and used as the Active Directory® Domain Services domain for all servers running Lync Server 2010. It will be used for initial testing. The “Provisioning Tenant Organizations” section later in this document covers adding DNS records, updating certificates, and other related steps.

2.5 Active Directory Domain Services Requirements

Deploy a pair of redundant Active Directory servers according to Exchange Server 2010 guidance. For details, see “Planning Active Directory” in the TechNet Library at .

The Lync Server Multitenant Hosting Pack supports a single-forest Active Directory environment with User or Resource forests. For details about Active Directory and Lync Server 2010, see “Active Directory Domain Services Requirements, Support, and Topologies” in the TechNet Library at .

2.6 Load Balancing Requirements

We recommend that you use hardware load balancing for all supported roles. For details about hardware load balancing in Lync Server, see “Load Balancing Requirements” in the TechNet Library at , and “Components Required for External User Access” in the TechNet Library at .

2.7 Port and Protocol Requirements

For details about port and protocol requirements for communications between Lync Server roles, see “Ports and Protocols for Internal Servers” in the TechNet Library at . Specific port and protocol requirements that differ from Lync Server 2010 Enterprise Edition are called out in the associated section of this document.

2.8 Certificate Requirements

For Lync Server 2010 certificate requirements, see “Certificates for Lync Server 2010” in the TechNet Library at .

For Exchange Server 2010 certificate requirements, see “Certificates” in the TechNet Library at , and “Understanding Certificate Requirements” in the TechNet Library at .

Additional or specific certificate requirements that differ from the requirements for Lync Server 2010 and Exchange Server 2010 are called out in the associated sections of this document.

3. Understanding the Lync Server Multitenant Hosting Pack

The Lync Server Multitenant Hosting Pack solution is an infrastructure layer that enables connection between various technology solutions. Dependencies for the solution include Microsoft Exchange Server, Exchange UM, and Active Directory. Additionally, the Lync Server Multitenant Hosting Pack can communicate with VoIP devices.

The logical infrastructure for Lync Server Multitenant Hosting Pack includes zones for edge systems, proxy systems, data center systems, and VoIP. The server roles are focused within the edge system roles, proxy roles for Exchange, data center roles for Active Directory, Lync Server Multitenant Hosting Pack, and Exchange.

3.1 About Lync Server Multitenant Hosting Pack User Types

It is important to understand the different types of users to understand why server roles used in a Lync Server Multitenant Hosting Pack deployment differ from those used in an enterprise deployment of Lync Server 2010.

In a typical enterprise deployment of Lync Server 2010, there are the following types of users:

• Internal users   These users access Lync Server services from inside the corporate network.

• External users   These users have Lync Server user accounts and access Lync Server from outside the corporate network.

• Federated users   These users have accounts with federated partners and access Lync Server from outside the corporate network.

In a Lync Server Multitenant Hosting Pack deployment, there are the following types of users:

• External users   Also known as tenant users in this guide, these users have Lync Server user accounts associated with a specific tenant, and access Lync Server from outside the host’s network.

• Federated users   These users have accounts with federated partners and access Lync Server from outside the host’s network.

3.2 Lync Server Multitenant Hosting Pack Server Roles

In a hosted deployment, Edge Servers act only as the first point of contact for requests coming from federated partners. This differs from a typical Lync Server 2010 Enterprise Edition deployment, where the Edge Servers handle all incoming requests from outside the corporate network.

In a Lync Server Multitenant Hosting Pack deployment, incoming requests from tenant users go straight to Directors, bypassing Edge Servers. The Directors authenticate tenant users’ requests and redirect them to the appropriate Front End pool.

Important   Front End pools are external-facing, and are therefore visible to the public Internet. Additional IP addresses and certificates are required. This is different from a Lync Server 2010 enterprise deployment.

In cases where Lync Server deployments span multiple data centers, Directors must be the first point of contact to refer clients to the data centers hosting the Front End pool on which that user is homed. A pool of Directors with identical configurations provides fault tolerance for Lync Server Multitenant Hosting Pack deployments.

For the reference architectures included in this guide, all other server roles are the same as the roles for Lync Server 2010. For details, see “Server Roles” in the TechNet Library at .

3.3 Lync Server 2010 Control Panel

Some enhancements included in the Lync Server Multitenant Hosting Pack are not compatible with the Lync Server Control Panel. For example, enabled users are not displayed in the User section of the Lync Server Control Panel.

You should use the Lync Server Control Panel only in read-only mode. You should make all changes to the topology, server configuration, or user configuration by using cmdlets in the Lync Server Management Shell. For details, see “Lync Server Management Shell” in the TechNet Library at .

Important   There are no restrictions on the use of the Topology Builder tool. You can use Topology Builder as you would normally with a Lync Server 2010 Enterprise Edition deployment.

3.4 Exchange Server 2010 SP2 Roles

The following Microsoft Exchange Server 2010 Service Pack 2 (SP2) roles are required to support a voice-enabled messaging system:

• Client Access Servers   Support components such as Microsoft Exchange ActiveSync, Microsoft Outlook Web App, and Outlook Anywhere.

• Hub Transport Servers   Perform the internal message transfers.

• Mailbox Servers   Maintain mailbox store databases.

• Unified Messaging Servers   Accept calls from the Lync Server infrastructure and present Auto Attendants, and record and play back voice mail messages.

4. Planning for the Lync Server Multitenant Hosting Pack

This section provides information to assist you in planning and preparing for deploying the Lync Server Multitenant Hosting Pack.

4.1 Architectures

The architectures described in this section illustrate the basic architectures necessary to support the specified number of tenant users. They are not meant to describe an actual deployment, but rather to serve as a starting point for planning one. They provide a high-level understanding of the architecture and scalability of the product, and how it integrates with a similarly scaled hosted Exchange Server 2010 environment. Exchange Server is included to support the common customer requirement of including a voice mail system with their telephony solution. The architectures are designed to support tenant user workloads as follows:

• Architecture 1   50K Users—Heavy business users with approximately 75% concurrency and PSTN access

• Architecture 2   5K Users—Heavy business users with approximately 75% concurrency and PSTN access

You should use the architectures provided as a starting point in the planning process. Keep in mind that you’ll need to modify these architectures to meet the needs of your organization’s expected usage profiles, service level agreements, and cost control requirements.

The following table lists the naming conventions that we use in the configuration diagrams and procedures for these architectures.

Server Role Naming Conventions

|Server |Server role |Naming convention |
|Active Directory |Domain Controller |AD01, AD02, etc. |
|Exchange Server |Client Access server |EXCAS01, EXCAS02, etc. |
| |Hub Transport server |EXHUB01, EXHUB02, etc. |
| |Mailbox |EXMBX01, EXMBX02, etc. |
| |Unified Messaging |EXUM01, EXUM02, etc. |
|Lync Server |A/V Conferencing Server |AV0101, AV0102, etc. Note: the first pair of digits identifies the pool. |
| |Back End Server |BESQL01, BESQL02, etc. |
| |Director |DIR0101, DIR0102, etc. Note: the first pair of digits identifies the pool. |
| |Edge Server |EDGE01, EDGE02, etc. |
| |Front End Server |FE0101, FE0102, etc. Note: the first pair of digits identifies the pool and allows for up to 99 pools. |
| |Mediation Server |MED0101, MED0102, etc. Note: the first pair of digits identifies the pool and allows for up to 99 pools. |
| |Monitoring and Archiving Servers |MONARCH01, MONARCH02, etc. |
| |Monitoring and Archiving back-end database |MONARCHSQL01, MONARCHSQL02, etc. |

Scaling estimates are based on testing done by Microsoft using Lync Server 2010 Enterprise Edition. For details, see the following:

• “Server Virtualization in Microsoft Lync Server 2010” in the TechNet Library at .

• “Capacity Planning Using the User Models” in the TechNet Library at .

• “Estimating Voice Usage and Traffic” in the TechNet Library at .

4.1.1 Architecture 1 – Support for 50,000 Tenant Users

Architecture 1 is designed to support up to 50,000 tenant users that have PSTN access and A/V/PSTN, and that primarily use MAPI (that is, Outlook Anywhere) at approximately 75% concurrency. Server allocation provides basic redundancy for each server role with the exception of Monitoring and Archiving, which do not support fault tolerance. It also provides additional servers and RAM for the Mailbox role to ensure that performance meets expected levels during periods of peak activity.

Other assumptions about this architecture include the following:

• Concurrency of use for the Exchange UM service will be -AllowedDomains $a

This enables federation for users in each tenant SIP domain.

8.8.1 Configure Federation Between Lync Server On-Premises and Lync Server Multitenant Hosting Pack

The steps for configuring federation between an on-premises Lync Server deployment and a Lync Server Multitenant Hosting Pack deployment are the same as configuring federation with Lync Online. For details, see “Configuring Federation Support for a Lync Online 2010 Customer” in the TechNet Library at .

8.9 Create Tenant DNS Records

Several tenant-specific DNS records are required for tenant users to be able to use hosted Lync Server easily. Lync Server clients comply with SIP RFCs, which state that TLS connections must require that the server’s domain name match the SIP domain name of the client user. The client looks for a service (SRV) record with a matching domain name, which in turn must point to a server or servers with matching domain names.

The following table shows which records need to be created for each SIP domain to be used by a given tenant.

Tenant-specific DNS Records

|Type |FQDN |Target IP address/FQDN |Port |Maps to/comments |
|SRV |_sip._tls. |access. |5061 |Used for automatic configuration of Lync Server clients and meeting attendant |
|SRV |_sipfederationtls._tls. | | |Server deployments |
|A |access. |IP address of Edge Server |NA |Create one for each Director |
|A |meet. |Published IP address of A/V Conferencing Server |NA |Facilitates use of simple URLs for tenant meetings |
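As an added check that is not part of the guide, the following Python validates a tenant SIP domain against the records in the table above and the TLS name-matching rule quoted from the SIP RFCs: the SRV record must exist on port 5061, point at a host inside the tenant's own SIP domain, and that host must have an A record and a matching subject alternative name on the Director/Edge certificate. The zone snapshot, certificate SAN list, and the tenant and hoster names are constructed for the example; treating meet.<domain> as needing a SAN is an assumption based on the HTTPS meeting URL used later in this guide.

```python
"""Added check: validate a tenant SIP domain's DNS records and certificate SANs.

The zone and certificate data are constructed in-memory snapshots, so this runs
offline; in a real deployment they would come from DNS queries and from the
certificates installed on the Directors and Edge Servers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    target: str  # FQDN the SRV record points at
    port: int


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def _in_domain(host: str, domain: str) -> bool:
    """True when host is the domain itself or a name beneath it."""
    host, domain = _norm(host), _norm(domain)
    return host == domain or host.endswith("." + domain)


def check_tenant_dns(sip_domain: str, zone: dict, cert_sans: set) -> list:
    """Return findings for one tenant SIP domain; an empty list means it is published correctly.

    zone: {"SRV": {name: SrvRecord}, "A": {name: ip}} (constructed snapshot).
    cert_sans: subject alternative names on the Director/Edge certificate.
    """
    d = _norm(sip_domain)
    srv = {_norm(k): v for k, v in zone.get("SRV", {}).items()}
    a_names = {_norm(k) for k in zone.get("A", {})}
    sans = {_norm(s) for s in cert_sans}
    findings = []

    # 1. Client auto-configuration: _sip._tls.<domain> on 5061, pointing into the tenant domain.
    name = f"_sip._tls.{d}"
    rec = srv.get(name)
    if rec is None:
        findings.append(f"missing SRV {name}")
    else:
        if rec.port != 5061:
            findings.append(f"{name} uses port {rec.port}, expected 5061")
        # The SIP RFC rule the guide cites: the TLS server name must match the client's SIP domain.
        if not _in_domain(rec.target, d):
            findings.append(f"{name} target {rec.target} is outside SIP domain {d}; "
                            "TLS name matching will fail for clients")
        if _norm(rec.target) not in a_names:
            findings.append(f"SRV target {rec.target} has no A record")
        if _norm(rec.target) not in sans:
            findings.append(f"certificate lacks SAN for {rec.target}")

    # 2. Federation SRV record must exist and also stay inside the tenant domain.
    name = f"_sipfederationtls._tls.{d}"
    rec = srv.get(name)
    if rec is None:
        findings.append(f"missing SRV {name}")
    elif not _in_domain(rec.target, d):
        findings.append(f"{name} target {rec.target} is outside SIP domain {d}")

    # 3. Host records from the table; meet.<domain> is served over HTTPS, so it needs a SAN too
    #    (assumption: the guide's simple URL pattern is https://...).
    for host in (f"access.{d}", f"meet.{d}"):
        if host not in a_names:
            findings.append(f"missing A record {host}")
    if f"meet.{d}" not in sans:
        findings.append(f"certificate lacks SAN for meet.{d}")
    return findings


# Constructed sample: tenant "contoso.example" hosted by "hoster.example".
GOOD_ZONE = {
    "SRV": {
        "_sip._tls.contoso.example": SrvRecord("access.contoso.example", 5061),
        "_sipfederationtls._tls.contoso.example": SrvRecord("access.contoso.example", 5061),
    },
    "A": {"access.contoso.example": "203.0.113.10", "meet.contoso.example": "203.0.113.20"},
}
# Same tenant, but the SRV record was pointed at the hoster's own Edge name and meet.* was forgotten.
BAD_ZONE = {
    "SRV": {
        "_sip._tls.contoso.example": SrvRecord("sip.hoster.example", 5061),
        "_sipfederationtls._tls.contoso.example": SrvRecord("access.contoso.example", 5061),
    },
    "A": {"access.contoso.example": "203.0.113.10"},
}
CERT_SANS = {"sip.hoster.example", "access.contoso.example", "meet.contoso.example"}

if __name__ == "__main__":
    for label, zone in (("good", GOOD_ZONE), ("bad", BAD_ZONE)):
        print(label, check_tenant_dns("contoso.example", zone, CERT_SANS) or "OK")
```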

8.10 Configure Tenant Meeting URL

Lync Server must be told which URLs to use to be able to automatically include tenant-specific meeting URLs in meeting invitations. Run the following cmdlets on the Director in the Lync Server Management Shell to configure these URLs:

# Store simple URL configuration in the back-end database (service environment)
Set-CsSimpleUrlConfiguration -UseBackEndDatabase $true
$urlEntry = New-CsSimpleUrlEntry -Url .
$simpleUrl = New-CsSimpleUrl -Component "meet" -Domain "" -SimpleUrl $urlEntry -ActiveUrl "https://"
# Add the tenant-scoped meeting URL to the global configuration
Set-CsSimpleUrlConfiguration -Identity Global -TenantId [TenantId] -SimpleUrl @{Add=$simpleUrl}

After running the Set-CsSimpleUrlConfiguration cmdlet, you might need to rerun the Enable-CsComputer cmdlet for the changes to take effect.

The TenantSipDomain should be the tenant domain name, such as .

Note   Keep in mind that you must import the Lync Online Windows PowerShell module for these commands to work. Although these commands are available in the Lync Server Management Shell Windows PowerShell module, the Lync Online Windows PowerShell module contains additional parameters that are used here.

11. Create Tenant Meeting Simple URLs

Use the Topology Builder to edit the meeting URL for the tenant SIP domain so that it conforms to the pattern .[Hoster Domain]/[Tenant SIP Domain].

After adjusting the meeting URL, publish the topology and execute the following Windows PowerShell cmdlet on each Front End and Director server:

Enable-CsComputer

1. Import the Required Modules for Windows PowerShell

To import the modules necessary to create Tenant Meeting URLs, execute the following cmdlets at an elevated Windows PowerShell prompt:

Import-Module ActiveDirectory

Import-Module Lync

Import-Module LyncOnline

To verify that the modules loaded successfully, execute the following cmdlet:

Get-Module

2. Configure the Simple URL to Use the Back-end Database

Execute the following cmdlet to configure the Simple URL to use the back-end database. This configures your deployment as a service environment.

Set-CsSimpleUrlConfiguration -UseBackEndDatabase $true

To verify that the settings were applied, run the following cmdlet:

Get-CsSimpleUrlConfiguration -Identity "Global"

3. Create the Simple URLs for a Tenant Organization

To create the Simple URLs for a tenant organization, run the following cmdlets:

$SIPDomain = ""

$BaseURL = ""

$URL = "" + $SIPDomain

$urlEntry = New-CsSimpleUrlEntry -Url $URL

$simpleUrl = New-CsSimpleUrl -Component "meet" -Domain $SIPDomain -SimpleUrl $urlEntry -ActiveUrl $URL

$CompanyName = "Litware Inc."

$PathRoot = "OU=OCS Tenants,DC=Hoster,DC=com"

$TargetOU = "OU=" + $CompanyName + "," + $PathRoot

$TenantOU = Get-ADOrganizationalUnit -Identity $TargetOU -Properties msRTCSIP-TenantId -Server "DC01."

$TenOrgID = New-Object -TypeName System.Guid -ArgumentList $TenantOU.ObjectGUID

Set-CsSimpleUrlConfiguration -Tenant $TenOrgID -SimpleUrl @{Add=$simpleUrl} -ErrorAction Stop

To confirm that the tenant organization's meeting URL was created successfully, run the following cmdlet:

Get-CsTenant | ft -AutoSize -Property Name, TenantId

Use the TenantId value returned in the following cmdlet:

(Get-CsSimpleUrlConfiguration -Tenant "TenantID GUID").simpleurl | ft -AutoSize

4. Set the Simple URL DNS Name

To set the DNS name for the Simple URL, run the following cmdlets:

$BaseURL = ""

Set-CsProvisionServiceConfiguration -SimpleUrlDnsName $BaseURL

To verify that the DNS name was set, run the following cmdlet:

(Get-CsProvisionServiceConfiguration).SimpleUrlDNSName

5. Execute Enable-CsComputer on Front End and Director Servers

Run the Enable-CsComputer cmdlet on all Front End and Director servers in your topology:

Enable-CsComputer

12. Update Certificates

The FQDNs listed in the tenant-specific DNS Records table must be added as subject alternative names to the certificates used by those servers because the certificates used within the Lync Server infrastructure must match those used in the request.
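The following script is an added check, not part of the original guide: it resolves a tenant's SIP SRV record, connects to the Edge Server it points at, and reports which of the FQDNs from the tenant-specific DNS records table are missing from the presented certificate's subject alternative names. It assumes Resolve-DnsName (DnsClient module, Windows Server 2012 or later) for the SRV lookup and falls back to access.[tenant domain]:5061 when it is unavailable; the tenant domain at the bottom is a constructed sample.

```powershell
# Added example (not from the original guide): verify the tenant-facing names from the
# "Tenant-specific DNS Records" table are covered by the Edge Server's certificate SANs.
# Assumptions: Resolve-DnsName is available (Windows Server 2012+); otherwise the access
# FQDN and port 5061 from the table are used directly. No certificate trust is evaluated
# here; the connection exists only so the presented certificate can be inspected.

function Get-TlsServerCertificate {
    param([string]$HostName, [int]$Port)
    # Accept whatever is presented: the point is to inspect it, not to trust it.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject alternative name extension (OID 2.5.29.17); Format() renders one "DNS Name=..." per entry.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    # Fall back to the subject CN so a certificate without a SAN extension still yields a name.
    if ($Certificate.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    return $names | Select-Object -Unique
}

function Test-TenantEdgeCertificate {
    param([Parameter(Mandatory = $true)][string]$TenantSipDomain)
    # Names the DNS records table says clients will use for this tenant.
    $expected = @("access.$TenantSipDomain", "meet.$TenantSipDomain")
    $target = "access.$TenantSipDomain"
    $port = 5061

    if (Get-Command Resolve-DnsName -ErrorAction SilentlyContinue) {
        $srv = Resolve-DnsName -Name "_sip._tls.$TenantSipDomain" -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
        if ($srv) {
            # The SIP TLS rule quoted above requires the SRV target name itself to match the certificate.
            $target = $srv.NameTarget
            $port = $srv.Port
            $expected += $srv.NameTarget
        }
    }

    $cert = Get-TlsServerCertificate -HostName $target -Port $port
    $present = Get-CertificateDnsNames -Certificate $cert
    $missing = @($expected | Where-Object { $present -notcontains $_ })

    New-Object PSObject -Property @{
        Tenant      = $TenantSipDomain
        Target      = "$target`:$port"
        Thumbprint  = $cert.Thumbprint
        NotAfter    = $cert.NotAfter
        MissingSans = $missing
        Passed      = ($missing.Count -eq 0)
    }
}

# Constructed sample tenant domain; replace with a real tenant SIP domain.
Test-TenantEdgeCertificate -TenantSipDomain 'tenant.example.com' | Format-List
```

Run it once per tenant SIP domain after reissuing the Edge certificate; a non-empty MissingSans list means clients for that tenant will fail the TLS name match described above.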

9. Provisioning Tenant Users

After you have created the tenant organization, you can provision tenant users and enable them for Exchange UM and Lync Server services.

1. Enable Tenant Users for Exchange UM

After you have created a user and you’ve enabled the user for Exchange Server within the tenant OU, you can enable the user for Exchange UM by running the following Exchange Management Shell commands:

Set-Mailbox -Identity john@ -AddressBookPolicy $null

Enable-UMMailbox -Identity john@ -UMMailboxPolicy -Extensions -SIPResourceIdentifier "" -PIN

The first line removes any existing address book policy for the user john@.

The next line enables Exchange UM for that user. Keep in mind that this command will run successfully only if the Exchange Unified Messaging Service is running.

To run the Enable-UMMailbox cmdlet you can use any of the values listed above for the Identity of the user. The value you specify for the UMMailboxPolicy parameter must be the Name of an existing Exchange UM mailbox policy. To find existing UM mailbox policies, run the following cmdlet:

Get-UMMailboxPolicy

To create a new Exchange UM mailbox policy (and the associated Exchange UM dial plan), follow the instructions previously in the Create Tenant Exchange Dial Plan and Exchange UM Mailbox Policy section.

The value you specify for the Extensions parameter of the Enable-UMMailbox cmdlet must match the values allowed in the specified Exchange UM dial plan. For example, if the UM dial plan requires that extensions consist of five digits, the value specified for the Extensions parameter in the call to Enable-UMMailbox can be any 5-digit number, such as 12345.

If you’re enabling the user with a SIP URI or E.164 dial plan, the call to Enable-UMMailbox requires a value for the parameter SIPResourceIdentifier. The SIPResourceIdentifier is a user principal name, similar to id1@. This value should have a suffix matching the tenant SIP domain of the Lync Server contact object. For details, see the previous “Create Tenant SIP Domain” section in this document.

This example also includes the personal identification number (PIN) parameter, where you specify the PIN the user can use to access the mailbox. If you do not specify a PIN, a value is generated automatically and sent to the user.

2. Set User TenantID and GroupingID

Each tenant user account must have two Active Directory attributes assigned to it so that Lync Server knows that it is a member of a tenant organization. Assigning the TenantID and GroupingID provides privacy for the tenant address book.

Note   You cannot migrate a Lync Server 2010 Enterprise Edition deployment to a Lync Server 2010 Hosting Pack deployment. If you use GroupingID, you must perform tenant provisioning again.

The following example script reads the GUID of the tenant OU and populates the msRTCSip-TenantId and msRTCSip-GroupingId with the value of the GUID. You can run these commands from the Active Directory Module for Windows PowerShell.

$OU = "OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com"

$OUObject = Get-ADOrganizationalUnit -Identity $OU

$GUID = $OUObject.objectguid

Get-ADOrganizationalUnit -identity $OU -properties name,msRTCSIP-TenantId |Set-ADOrganizationalUnit -replace @{'msRTCSIP-TenantId'=$GUID}

Get-ADOrganizationalUnit -identity $OU -properties name,msRTCSIP-ObjectId |Set-ADOrganizationalUnit -replace @{'msRTCSIP-ObjectId'=$GUID}

Get-ADUser -LDAPFilter "(objectClass=user)" -searchbase $OU -properties msRTCSIP-GroupingID,msRTCSIP-PrimaryUserAddress,comment |Set-ADUser -replace @{'msRTCSIP-GroupingID'=$GUID}

Get-ADUser -LDAPFilter "(objectClass=user)" -searchbase $OU -properties msRTCSIP-GroupingID,msRTCSip-TenantID,msRTCSIP-PrimaryUserAddress,comment |Set-ADUser -replace @{'msRTCSip-TenantID'=$GUID}

1. Known Issue

In some environments, it may be important to set the user's msRTCSIP-GroupingID or msRTCSIP-TenantID before the user is enabled for Lync Server. Depending on the specifics of your deployment (for example, if Office Communications Server or Lync Server Enterprise Edition has been previously deployed in the environment, or if you have locked-down Active Directory with access control lists (ACLs)), Lync Server may only be able to act on these settings at the time the account is enabled for Lync Server. If the value is changed later, the user may not be able to see other users' presence status, or find other users via address book search.

You may also see errors such as the following in the Lync event log on Front End Servers:

Log Name: Lync Server
Source: LS User Replicator
Date: 10/25/2011 2:19:51 PM
Event ID: 30039
Task Category: (1009)
Level: Warning
Keywords: Classic
User: N/A
Computer: [Server FQDN]
Description:
A Tenant ID attribute value was changed, deleted, or added for an existing user in the database. Resolve the conflict by restoring the original value or deleting the user from AD.
The DN of the user whose Tenant ID value User Replicator tried to replicate is:
[User Distinguished Name]
This update came from domain:
[Windows Domain]
Cause: Typically caused by manual modification of msRTCSIP-TenantId attribute value instead of using management tools
Resolution:
Restore the original value of msRTCSIP-TenantId attribute or delete the user from AD. You may use Dbanalyze to diagnose the problem.


If you need to set a user's msRTCSIP-GroupingId or msRTCSIP-TenantId after the user has been enabled for Lync Server, you need to first disable the user’s account in Lync Server, change the values, and then enable the user for Lync Server again.

3. Configure the user Base Simple URL with the Tenant Organization’s Base URL

As part of the tenant user account creation process the msRTCSIP-BaseSimpleURL attribute needs to be populated with the tenant organization’s base URL. To do so, run the following commands from the Active Directory module for Windows PowerShell window:

$CompanyName = "Litware Inc."

$SIPDomain = ""   # tenant SIP domain created in the Create Tenant SIP Domain section

$BaseURL = ""

$PathRoot = "OU=OCS Tenants,DC=litwareinc,DC=com"

$TargetOU = "OU=" + $CompanyName + "," + $PathRoot

$OUObject = Get-ADOrganizationalUnit -Identity $TargetOU

$BaseURL = "" + $SIPDomain

Get-ADUser -LDAPFilter "(objectClass=user)" -SearchBase $TargetOU -Properties msRTCSIP-BaseSimpleUrl -Server "DC01." | Set-ADUser -Replace @{'msRTCSIP-BaseSimpleUrl'=$BaseURL}

Important   The value for the BaseURL property must use the https:// prefix.
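The following audit script is an added example, not part of the original guide, covering the attributes that sections 2 and 3 above populate: it compares every user's msRTCSIP-TenantId and msRTCSIP-GroupingID against the tenant OU's objectGUID, checks the OU's own msRTCSIP-TenantId and msRTCSIP-ObjectId, confirms msRTCSIP-BaseSimpleUrl carries the https:// prefix, and confirms each SIP address uses one of the OU's msRTCSIP-Domains. It assumes the Active Directory module is available; the OU path at the bottom is a constructed sample under the guide's OCS Tenants root.

```powershell
# Added example (not from the original guide): find tenant users whose scoping attributes
# disagree with their OU before they are enabled for Lync Server, or before a later change
# produces the LS User Replicator event 30039 shown above.
# Assumption: the Active Directory module is installed and the caller can read msRTCSIP-* attributes.
Import-Module ActiveDirectory

function ConvertTo-TenantGuid {
    # msRTCSIP-* identifiers may be returned as a Guid, a 16-byte octet string or a string;
    # normalise them so they can be compared with the OU's objectGUID.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [guid]) { return $Value }
    if ($Value -is [byte[]] -and $Value.Length -eq 16) {
        return New-Object System.Guid -ArgumentList (,[byte[]]$Value)
    }
    try { return [guid]"$Value" } catch { return $null }
}

function Test-TenantUserScoping {
    param(
        [Parameter(Mandatory = $true)][string]$TenantOU,   # distinguished name of one tenant OU
        [string]$Server                                     # optional domain controller to query
    )
    $adArgs = @{}
    if ($Server) { $adArgs['Server'] = $Server }

    # Section 2 copies the OU's objectGUID into msRTCSIP-TenantId/msRTCSIP-ObjectId on the OU
    # and into msRTCSIP-TenantId/msRTCSIP-GroupingID on every user beneath it.
    $ou = Get-ADOrganizationalUnit -Identity $TenantOU @adArgs `
              -Properties objectGUID, 'msRTCSIP-TenantId', 'msRTCSIP-ObjectId', 'msRTCSIP-Domains'
    $expected = [guid]$ou.objectGUID
    $tenantDomains = @()
    foreach ($d in $ou.'msRTCSIP-Domains') { $tenantDomains += [string]$d }

    $findings = New-Object System.Collections.ArrayList
    foreach ($attr in 'msRTCSIP-TenantId', 'msRTCSIP-ObjectId') {
        if ((ConvertTo-TenantGuid $ou.$attr) -ne $expected) {
            [void]$findings.Add((New-Object PSObject -Property @{
                Object = $ou.DistinguishedName; Check = $attr
                Detail = "expected $expected, found '$($ou.$attr)'" }))
        }
    }

    $users = Get-ADUser -LDAPFilter '(objectClass=user)' -SearchBase $TenantOU @adArgs `
                 -Properties 'msRTCSIP-TenantId', 'msRTCSIP-GroupingID', 'msRTCSIP-BaseSimpleUrl', 'msRTCSIP-PrimaryUserAddress'
    foreach ($u in $users) {
        foreach ($attr in 'msRTCSIP-TenantId', 'msRTCSIP-GroupingID') {
            if ((ConvertTo-TenantGuid $u.$attr) -ne $expected) {
                [void]$findings.Add((New-Object PSObject -Property @{
                    Object = $u.DistinguishedName; Check = $attr
                    Detail = "expected $expected, found '$($u.$attr)'" }))
            }
        }
        # Section 3: the base Simple URL must carry the https:// prefix.
        $base = $u.'msRTCSIP-BaseSimpleUrl'
        if (-not $base -or $base -notmatch '^https://') {
            [void]$findings.Add((New-Object PSObject -Property @{
                Object = $u.DistinguishedName; Check = 'msRTCSIP-BaseSimpleUrl'
                Detail = "missing or not https: '$base'" }))
        }
        # A SIP address outside the OU's msRTCSIP-Domains belongs to a different tenant.
        $sip = $u.'msRTCSIP-PrimaryUserAddress'
        if ($sip) {
            $sipDomain = ($sip -replace '^sip:', '').Split('@')[-1]
            if ($tenantDomains -notcontains $sipDomain) {
                [void]$findings.Add((New-Object PSObject -Property @{
                    Object = $u.DistinguishedName; Check = 'msRTCSIP-PrimaryUserAddress'
                    Detail = "domain '$sipDomain' is not in the tenant OU's msRTCSIP-Domains" }))
            }
        }
    }
    return @($findings)
}

# Constructed sample OU path; replace with the tenant OU you are provisioning.
Test-TenantUserScoping -TenantOU 'OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com' | Format-Table -AutoSize
```

An empty result means the OU and its users are consistent; any finding on msRTCSIP-TenantId or msRTCSIP-GroupingID for an already-enabled user should be corrected with the disable, change, re-enable sequence described in the Known Issue above.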

4. Enable Tenants for Lync Server

You should use the Lync Server Management Shell to enable tenant users on the Lync Server because the Lync Server Control Panel is read-only in the Lync Server 2010 Hosting Pack. The exact commands you use depend on your choice of service features and the provisioning automation that you employ.

Note   You need to apply these changes only once per user, and you can run the command on any Lync Server in your deployment.

The following example set of commands enables a user located within the tenant OU, who is already enabled for Exchange UM, on Lync Server:

Enable-CsUser -Identity -RegistrarPool -SipAddressType UserPrincipalName

After the user is enabled on Lync Server, the user must be granted access to a Lync Server dial plan. In this example, a single Lync Server dial plan is used for all users. Using a single Lync Server dial plan for all tenant users is recommended because the maximum number of dial plans supported by Lync Server could constrain the total number of tenants if each one were given their own dial plan. To create a new dial plan, see the Lync Server Dial Plans section. The following command demonstrates how to assign the dial plan TenantDP to the user:

Grant-CsDialPlan -Identity kenmyer@ -PolicyName TenantDP

After the user is enabled for Lync Server and has access to a dial plan, the user can be enabled for Enterprise Voice by running the following command:

Set-CsUser kenmyer@ -EnterpriseVoiceEnabled $true -LineURI tel:+12065551234

The line URI is the telephone number through which the user can be reached via the PSTN. That number must have been properly provisioned with your SIP trunk provider.

After you complete this step, the user should be able to log on and use Enterprise Voice and Exchange UM features.

5. Set Address Book Policy for Tenant User

These policies are applied as the last step. In order to assign an address book policy to a tenant user, open an Exchange Management Shell and run the following command:

Set-Mailbox -Identity john@ -AddressBookPolicy TenantAB

10. Overview of the Audio Conferencing Provider

The audio conferencing provider provides PSTN integration to Lync Server conferencing and collaboration. PSTN integration expands modality options for participating in Lync Server conferences.

By using an audio conferencing provider, providers can enable the following scenarios:

• A user can dial in to a Lync Server conference from a phone.

• A user can dial out from a Lync Server conference to a Lync Server user who was not part of the original conference invitee list, or call out to someone who will attend by phone only.

• Users can mute or unmute themselves and others on Lync Server VoIP and PSTN.

• The conference can be locked.

• Participants can be removed.

1. Integrating with Audio Conferencing Provider

There are two ways to integrate with audio conferencing provider:

• Use an external audio conferencing provider that is qualified for Microsoft Office 365.

• Use internal conferencing integration.

The Lync Server Multitenant Hosting Pack includes an audio conference provider, which serves as the signaling and control gateway between Lync Server and audio conferencing provider environments. This component initiates the audio bridging, and connects through an access point to the audio conferencing provider module within the conferencing architecture of the audio conferencing provider.

The audio conferencing provider module abstracts the Centralized Conference Control Protocol (C3P) for native Lync Server integration with audio conferencing provider environment. It handles the control channel between Lync Server and the audio conferencing provider including managing basic signaling, such as roster updates and adding users via conferencing dial-out.

[pic]

Integrating with Audio Conferencing Provider

Hosts can use the audio conferencing provider SDK to develop internal applications for conference initiation, session management, and conference control.

2. Provisioning with Audio Conferencing Provider

Audio conferencing provider attributes are provisioned into Active Directory through a Windows PowerShell cmdlet. These attributes are then replicated to the presence server from which the scheduling client pulls this data for scheduling a conference.

You can provision users in either of the following two ways:

• By using a Lync Server Management Shell cmdlet to provision users one at a time using audio conferencing provider attributes

• By developing a script to enable a bulk upload of attributes for provisioning a large number of tenant users all at the same time

The audio conferencing provider attributes needed to provision users are as follows:

• ID

• First Name

• Last Name

• Tollnumber

• TollFreeNumber

• Name

• Web

• Domain

• Port

3. Integration Workflows with Audio Conferencing Provider

This section provides an overview of the integration workflows when using audio conferencing provider to integrate with Lync Server Multitenant Hosting Pack.

1. Create and Schedule a Web Conference

Scheduling a web conference with Lync Server and audio conferencing provider follows the same basic process as scheduling a VoIP-only Lync Server conference. The main difference is the communication that occurs between the audio conferencing provider conferencing server and the audio conferencing provider module:

1. Online Meeting Add-in for Lync 2010 gets audio conferencing provider information from the presence database.

2. Organizer creates a Lync Server meeting or web conference.

3. Organizer selects meeting participants.

4. The Lync Server scheduling client (that is, Online Meeting Add-in for Lync 2010) issues addConference to the Focus Factory along with audio conferencing provider-specific dial-in information.

Note   To understand the role of the Focus Factory in the Lync Server 2010 conferencing topology, see Conference Features in the TechNet Library at .

5. The Focus Factory creates the conference and returns the conference info to the scheduling client.

6. The Lync Server client sends meeting invitations to participants.

2. Activate a Conference

During conference activation, the audio conferencing provider conferencing server receives a request containing dial-in phone numbers, participant pass code, and audio conferencing provider domain. The following subsequent steps then occur:

1. The audio conferencing provider conferencing server sends an INVITE (for third-party call control) and SUBSCRIBE (for conference state changes) to the audio conferencing provider module.

2. The audio conferencing provider module responds with the bridge URI to be used for the audio bridging initiation when users join from both modalities (that is, VoIP and PSTN).

3. The audio conferencing provider conferencing server retains the bridge URI to initiate bridging once users join via both PSTN and VoIP.

[pic]

Conference activation traffic flow

3. Join Conference by Using Conferencing Dial-out

When a user wants to join the conference by having Lync Server dial-out to him or her using the Lync feature to call the conference attendee back (that is, conferencing dial-out), the following steps occur:

1. The Lync Server client sends a request to add a user to the Focus.

2. The Focus sends an adduser command to the audio conferencing provider conferencing server.

3. The audio conferencing provider conferencing server forwards an INFO command to the audio conferencing provider module within the INVITE dialog.

4. The audio conferencing provider module sends a call-out command to the audio conferencing provider environment.

5. The audio conferencing provider module sends a NOTIFY in the SUBSCRIBE dialog back to the audio conferencing provider conferencing server indicating that the user is connected.

6. The audio conferencing provider conferencing server sends userconnected to the Focus.

7. The Focus sends a roster update notification to clients.

[pic]

Traffic flow for joining a conference

4. Audio Bridging Sequence

The audio conferencing provider conferencing server polls the Focus at regular intervals for state changes (for example, when a PSTN user joins the conference). When the audio conferencing provider conferencing server recognizes that there are users on both bridges, it does a VoIP dial-out to initiate the bridging. This process flow describes how audio is bridged between the Lync Server, A/V Conferencing Server and audio conferencing provider:

1. The Focus sends an INFO command (adduser) to the audio conferencing provider conferencing server (if dial-in, the audio conferencing provider module sends the adduser request to the audio conferencing provider conferencing server).

2. The audio conferencing provider conferencing server sends an adduser dial-out request to the A/V Conferencing Server with the bridge URI received at conference activation.

3. The A/V Conferencing Server establishes an RTP stream with the audio conferencing provider Session Border Controller (SBC) via the Mediation Server.

4. An audio stream is established between the SBC and the PSTN bridge.

5. The audio stream is bridged between the A/V Conferencing Server and the PSTN bridge.

[pic]

Audio bridging sequence

5. Use Audio Controls from Lync Server

At conference activation, the audio conferencing provider conferencing server establishes an INVITE dialog with the audio conferencing provider module to facilitate third-party conference control during a bridged conference. This process flow describes how commands are passed and acted on from a Lync Server client through the audio conferencing provider components and back during a conference:

1. The Lync Server client sends a CCCP INFO command to the Focus.

2. The Focus sends a command to the audio conferencing provider conferencing server.

3. The audio conferencing provider conferencing server sends an INFO command to the audio conferencing provider module using the established INVITE dialog.

4. The audio conferencing provider module sends the command to the PSTN middleware and bridge to act on it (for example, mute user or lock conference).

5. The audio conferencing provider module sends a NOTIFY to the audio conferencing provider conferencing server via the SUBSCRIBE dialog, indicating the new state of the participant.

6. The audio conferencing provider conferencing server sends a command back to the Focus to indicate the new state of the participant.

7. The Focus sends a roster update to the Lync Server clients.

[pic]

Audio conferencing provider communication flow

4. Known Issues

The following known issues exist at the time this guide was published:

• PSTN Attendee count announcements   This is a standard message played to attendees who join a PSTN audio bridge (for example, “You are the fourth person in the conference” or “There are five others in the conference”). At this time, there is no way for Lync Server to present the audio conferencing provider module with the current number of participants, so this may be misleading.

• Mute all   Currently PSTN users cannot use dual-tone multifrequency (DTMF) codes to “mute all,” including VoIP users—only the PSTN audio attendees will be muted.

• Locked conference with no PSTN users on audio conferencing provider bridge   There is a valid scenario where all participants join via Lync audio (that is, VoIP) and choose to lock the conference so that no additional users may join by either modality. The audio conferencing provider module will receive the conference lock command from the audio conferencing provider conferencing server and must initiate a locked conference state on a bridge where no participants joined via the PSTN; therefore, no conference exists.

• Blocked calls from participants   PSTN participants that block their phone number (for example, by using *67) will show up in the client as a random phone number generated from the audio conferencing provider. The software development kit (SDK) doesn’t currently support non-integers as values. As a result, values like “Guest,” “No Phone Available,” and so on are not currently supported. Note that if the audio conferencing provider receives a blocked call via a toll-free number, the number will be presented with a flag for “Blocked,” and so on. The audio conferencing provider must act on the flag and send a randomly generated number to denote the participant in Lync.

11. Code Samples

This section introduces how a service provider or an independent software vendor (ISV) can automate provisioning using .NET Framework and the Lync Server Multitenant Hosting Pack management shell. The selected examples are tasks that most hosting providers with a Lync Server Multitenant Hosting Pack deployment will need to do on a routine basis. You can use the code samples in this section as a starting point for customizing or creating control panels involved in managing the provisioning process.

Before using these samples, you should be familiar with the cmdlets that are installed with Lync Server Multitenant Hosting Pack, which provide a wide range of provisioning and management capabilities.

1. Prerequisites

Before you use any of the samples in this section, verify that these prerequisites are available in your environment:

• Lync Server Multitenant Hosting Pack

• Visual Studio 2010

• .NET Framework 3.5.1 or higher

• Windows Server 2008 R2 or higher

2. Dependencies

All code samples require the following using directives:

    using System;
    using System.Collections;
    using System.Collections.ObjectModel;
    // powershell namespaces
    using System.Management.Automation.Runspaces;
    using System.Management.Automation;
    using System.Text;
    using System.Data.SqlClient;

3. Provision a Tenant Organization

The samples in this section demonstrate the use of the Active Directory module for Windows PowerShell to set properties on a tenant OU. This module is installed automatically with Windows Server 2008 when you install the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server roles. For details about the Active Directory module for Windows PowerShell, see “Active Directory Administration with Windows PowerShell” in the TechNet Library at .

These samples also use the Lync Server cmdlets.

1. Create and Secure Organizational Unit

The Lync Server Multitenant Hosting Pack requires that tenant OUs be created under the “root organizational unit” called “\OCS Tenants”. Many service providers will want to represent reseller organizations as subordinate OUs (sub-OUs), each with sub-OUs representing tenants. You should use AD permissions or other suitable mechanisms to ensure that management tools have adequate access to the tenant OU, and that other tenants do not have inappropriate access. As no specific set of permissions is mandated by the Lync Server Multitenant Hosting Pack, it is beyond the scope of this document to provide samples for creating and securing a tenant organization.

2. Enable the Tenant Organization

To enable a tenant, you must do the following:

• Create at least one SIP Domain for the tenant.

• Add the SIP Domain to the upnSuffixes property of the OU.

• Add the SIP Domain to the msRTCSIP-Domains property of the OU.

• Set the msRTCSIP-TenantId and msRTCSIP-ObjectId to a unique identifier which will be used to identify the tenant in the Lync Server Multitenant Hosting Pack operating environment and to associate users with that tenant.

The following sample demonstrates the automation of these steps by invoking Windows PowerShell commands via C# code.

    // sip domain and tenant DN
    string sipDomain = "";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Active Directory Windows PowerShell module and the Lync Server 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[]
    {
        "ActiveDirectory",
        "Lync",
        "LyncOnline"
    });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a SIP Domain in the Lync system.
            Command sipCommand = new Command("New-CsSipDomain");
            sipCommand.Parameters.Add(new CommandParameter("Identity", sipDomain));
            pipeline.Commands.Add(sipCommand);
            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a hashtable to contain the property settings for the OU
            // these will add the SIP domain to the upnSuffixes and msRTCSIP-Domains properties
            Hashtable properties = new Hashtable();
            properties.Add("upnSuffixes", sipDomain);
            properties.Add("msRTCSIP-Domains", sipDomain);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command to set the domain properties
            // the add parameter of the set command is used to append the
            // SIP domain value.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("add", properties));
            pipeline.Commands.Add(setCommand);
            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create the guid that will be used for the msRTCSIP-TenantId and msRTCSIP-ObjectId
            Guid id = Guid.NewGuid();
            Hashtable properties = new Hashtable();
            properties.Add("msRTCSIP-TenantId", id);
            properties.Add("msRTCSIP-ObjectId", id);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command to set the id properties
            // using the replace parameter of the set command.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("replace", properties));
            pipeline.Commands.Add(setCommand);
            pipeline.Invoke();
        }
    }

3. Add an Additional SIP Domain to the Tenant Organization

Many organizations have more than a single domain that needs to be added to a Lync Server Multitenant Hosting Pack operating environment. This can be done using a subset of the code sample shown in the “Enable the Tenant Organization” section. The following example code demonstrates how to add another SIP domain to a tenant.

    // sip domain and tenant DN
    string sipDomain = "";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Active Directory Windows PowerShell module and the Lync Server 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[]
    {
        "ActiveDirectory",
        "Lync",
        "LyncOnline"
    });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a SIP Domain in the Lync system.
            Command sipCommand = new Command("New-CsSipDomain");
            sipCommand.Parameters.Add(new CommandParameter("Identity", sipDomain));
            pipeline.Commands.Add(sipCommand);
            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a hashtable to contain the property settings for the OU
            Hashtable properties = new Hashtable();
            properties.Add("upnSuffixes", sipDomain);
            properties.Add("msRTCSIP-Domains", sipDomain);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command and pass the hashtable to the
            // add parameter so the new domain is appended to the existing values.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("add", properties));
            pipeline.Commands.Add(setCommand);
            pipeline.Invoke();
        }
    }

4. Adding Domains to the Tenant Allow List for Federation

Tenants may want to allow their users to communicate with users of a domain outside their organization. The following example demonstrates how to add a domain to the tenant’s list of allowed domains.

    // allowed domain and tenant DN
    string allowedDomain = "";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[]
    {
        "Lync",
        "LyncOnline"
    });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);

        // build a script for adding the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
        builder.AppendLine("$allowList = $config.AllowedDomains");
        // test to see if AllowedDomains property is equal to Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains
        builder.AppendLine("if($allowList.GetType() -eq $all.GetType())");
        builder.AppendLine("{");
        builder.AppendLine("\t$newList = New-CSEdgeAllowList -AllowedDomain $domain");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $newList");
        builder.AppendLine("}");
        builder.AppendLine("else");
        builder.AppendLine("{");
        builder.AppendLine("\t$allowList.AllowedDomain.Add($domain)");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $allowList");
        builder.AppendLine("}");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

5. Adding Domains to the Tenant Block List for Federation

Tenants may want to block their users from communicating with users of certain domains outside their organization. The following example demonstrates how to add a domain to the tenant’s list of blocked domains.

// blocked domain and tenant DN
string blockedDomain = ""; // the domain the tenant's users may not communicate with
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // set variables for the distinguished name and domain
    runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
    runspace.SessionStateProxy.SetVariable("domainName", blockedDomain);

    // build a script for adding the domain to the block list
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
    builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
    builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
    // BlockedDomains is a plain collection of domain patterns, so it can be appended to directly
    builder.AppendLine("$config.BlockedDomains.Add($domain)");
    builder.AppendLine("Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $config.BlockedDomains");
    string script = builder.ToString();

    // use a RunspaceInvoke instance to invoke the script
    using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
    {
        invoker.Invoke(script);
    }
}

6. Removing Domains from the Tenant Allow List for Federation

If you need to remove a previously added allowed domain from a specific tenant, you can remove it with the same technique you used to add it.

// allowed domain and tenant DN
string allowedDomain = ""; // the domain to remove from the tenant's allow list
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // set variables for the distinguished name and domain
    runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
    runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);

    // build a script for removing the domain
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
    builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
    // look the domain up by name; if AllowedDomains is the AllowAllKnownDomains marker object
    // there is no AllowedDomain collection and $domain stays $null
    builder.AppendLine("$domain = $config.AllowedDomains.AllowedDomain | ?{$_.Domain -eq $domainName}");
    builder.AppendLine("if($domain -ne $null)");
    builder.AppendLine("{");
    builder.AppendLine("\t$config.AllowedDomains.AllowedDomain.Remove($domain)");
    builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $config.AllowedDomains");
    builder.AppendLine("}");
    string script = builder.ToString();

    // use a RunspaceInvoke instance to invoke the script
    using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
    {
        invoker.Invoke(script);
    }
}

7. Removing Domains from the Tenant Block List for Federation

If you need to remove a previously added blocked domain from a specific tenant, you can remove it with the same technique you used to add it.

// blocked domain and tenant DN
string blockedDomain = ""; // the domain to remove from the tenant's block list
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // set variables for the distinguished name and domain
    runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
    runspace.SessionStateProxy.SetVariable("domainName", blockedDomain);

    // build a script for removing the domain
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
    builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
    // look the domain up by name; nothing happens if it is not on the block list
    builder.AppendLine("$domain = $config.BlockedDomains | ?{$_.Domain -eq $domainName}");
    builder.AppendLine("if($domain -ne $null)");
    builder.AppendLine("{");
    builder.AppendLine("\t$config.BlockedDomains.Remove($domain)");
    builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $config.BlockedDomains");
    builder.AppendLine("}");
    string script = builder.ToString();

    // use a RunspaceInvoke instance to invoke the script
    using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
    {
        invoker.Invoke(script);
    }
}

8. Allowing all Domains for Tenant Federation

The following code sample shows how to allow a tenant to federate with all domains except for those that appear in the tenant’s list of blocked domains.

// tenant DN
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // set a variable for the distinguished name
    runspace.SessionStateProxy.SetVariable("dn", distinguishedName);

    // build a script setting allowed domains to all known domains;
    // this replaces any explicit allow list, the block list still applies
    StringBuilder builder = new StringBuilder();
    builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
    builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
    builder.AppendLine("Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $all");
    string script = builder.ToString();

    // use a RunspaceInvoke instance to invoke the script
    using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
    {
        invoker.Invoke(script);
    }
}
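The allow-list and block-list operations of sections 4 through 8 all run the same few cmdlets inside a C# runspace. Operators who work in the Lync Server Management Shell directly may prefer the logic as one function. The following is an added example and not code from this guide; it uses only the cmdlets the guide uses and assumes the Lync and LyncOnline modules are loaded in the shell. The function name, its parameter names and the sample domain in the usage line are this example's own. Unlike the guide's snippets it skips the write when the domain is already in the requested state, and it supports -WhatIf so the change can be previewed before a tenant's federation boundary is altered.

```powershell
# Added example: a single helper for the tenant federation allow/block lists.
# Assumes the Lync and LyncOnline modules are loaded; the function and parameter
# names are this example's own, the cmdlets are the ones the guide uses.
function Set-TenantFederationDomain {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)] [string] $TenantDn,
        [Parameter(Mandatory = $true)] [string] $Domain,
        [Parameter(Mandatory = $true)] [ValidateSet('Allow', 'Block')] [string] $List,
        [Parameter(Mandatory = $true)] [ValidateSet('Add', 'Remove')] [string] $Action
    )

    $tenant  = Get-CsTenant -Identity $TenantDn
    $config  = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
    $pattern = New-CsEdgeDomainPattern -Domain $Domain

    if ($List -eq 'Block') {
        # BlockedDomains is a plain collection of domain patterns
        $blocked  = $config.BlockedDomains
        $existing = $blocked | Where-Object { $_.Domain -eq $Domain } | Select-Object -First 1
        if ($Action -eq 'Add' -and -not $existing) {
            $blocked.Add($pattern)
        } elseif ($Action -eq 'Remove' -and $existing) {
            [void]$blocked.Remove($existing)
        } else {
            Write-Verbose "$Domain is already in the requested state on the block list"
            return
        }
        if ($PSCmdlet.ShouldProcess($TenantDn, "$Action $Domain (block list)")) {
            Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $blocked
        }
        return
    }

    # AllowedDomains is either an AllowAllKnownDomains marker object or an AllowList whose
    # AllowedDomain collection holds the patterns, so the two cases are handled separately
    $allowAllType = (New-CsEdgeAllowAllKnownDomains).GetType()
    if ($config.AllowedDomains.GetType() -eq $allowAllType) {
        if ($Action -eq 'Remove') {
            Write-Verbose "Tenant allows all known domains; there is no explicit entry to remove"
            return
        }
        # first explicit entry: this replaces "all known domains" with a closed list
        $newList = New-CsEdgeAllowList -AllowedDomain $pattern
    } else {
        $newList  = $config.AllowedDomains
        $existing = $newList.AllowedDomain | Where-Object { $_.Domain -eq $Domain } | Select-Object -First 1
        if ($Action -eq 'Add' -and -not $existing) {
            $newList.AllowedDomain.Add($pattern)
        } elseif ($Action -eq 'Remove' -and $existing) {
            [void]$newList.AllowedDomain.Remove($existing)
        } else {
            Write-Verbose "$Domain is already in the requested state on the allow list"
            return
        }
    }
    if ($PSCmdlet.ShouldProcess($TenantDn, "$Action $Domain (allow list)")) {
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $newList
    }
}

# usage with constructed sample values; -WhatIf shows the change without applying it
$dn = 'ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com'
Set-TenantFederationDomain -TenantDn $dn -Domain 'partner.example' -List Allow -Action Add -WhatIf
```

The same function covers section 11: call it once per tenant with the other tenant's domain and -List Allow -Action Add. Note the asymmetry the guide's own scripts rely on: adding the first explicit entry to a tenant that currently allows all known domains narrows that tenant to a closed list, so the first call for such a tenant changes its posture more than the domain name suggests.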

9. Enabling a Tenant for Federation

To enable a tenant for federation, you must set the AllowFederatedUsers property of the CsTenantFederationConfiguration instance to True.

// tenant DN
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // get the tenant id
    Guid tenantId = Guid.Empty;
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Get-CsTenant");
        cmd.Parameters.Add(new CommandParameter("Identity", distinguishedName));
        pipeline.Commands.Add(cmd);
        Collection<PSObject> result = pipeline.Invoke();

        // there should be only one since we specified a unique identity; guard the index in case
        // a missing tenant was reported as a non-terminating error instead of an exception
        if (result.Count == 0)
        {
            throw new InvalidOperationException("Tenant not found: " + distinguishedName);
        }
        PSObject tenant = result[0];

        // get the tenant id
        tenantId = (Guid)tenant.Properties["TenantId"].Value;
    }

    // set the property
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command setCmd = new Command("Set-CsTenantFederationConfiguration");
        setCmd.Parameters.Add(new CommandParameter("Tenant", tenantId));
        setCmd.Parameters.Add(new CommandParameter("AllowFederatedUsers", true));
        pipeline.Commands.Add(setCmd);
        pipeline.Invoke();
    }
}

10. Enabling a Tenant for Public IM Connectivity

To enable a tenant for public IM, you must set the AllowPublicUsers property of the CsTenantFederationConfiguration instance to True.

// tenant DN
string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

// create an initial session state with the Lync 2010 modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // get the tenant id
    Guid tenantId = Guid.Empty;
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Get-CsTenant");
        cmd.Parameters.Add(new CommandParameter("Identity", distinguishedName));
        pipeline.Commands.Add(cmd);
        Collection<PSObject> result = pipeline.Invoke();

        // there should be only one since we specified a unique identity; guard the index in case
        // a missing tenant was reported as a non-terminating error instead of an exception
        if (result.Count == 0)
        {
            throw new InvalidOperationException("Tenant not found: " + distinguishedName);
        }
        PSObject tenant = result[0];

        // get the tenant id
        tenantId = (Guid)tenant.Properties["TenantId"].Value;
    }

    // set the property
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command setCmd = new Command("Set-CsTenantFederationConfiguration");
        setCmd.Parameters.Add(new CommandParameter("Tenant", tenantId));
        setCmd.Parameters.Add(new CommandParameter("AllowPublicUsers", true));
        pipeline.Commands.Add(setCmd);
        pipeline.Invoke();
    }
}
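AllowFederatedUsers and AllowPublicUsers are the two switches that open a tenant to users outside the platform, and sections 4 through 8 decide how far that opening reaches. A hosting operator will want to see the combined state for every tenant in one place. The following is an added example and not code from this guide; it is read-only, uses the cmdlets the guide uses, and assumes the Lync and LyncOnline modules are loaded. The function name and the output property names are this example's own, and it assumes that Get-CsTenant called without -Identity returns every tenant on the platform (pass -TenantDn to avoid relying on that).

```powershell
# Added example: read-only report of each tenant's federation posture.
# Assumes the Lync and LyncOnline modules are loaded and that Get-CsTenant with no
# -Identity returns every tenant (assumption); the function name is this example's own.
function Get-TenantFederationReport {
    param([string[]] $TenantDn)

    $allowAllType = (New-CsEdgeAllowAllKnownDomains).GetType()
    $tenants = if ($TenantDn) { $TenantDn | ForEach-Object { Get-CsTenant -Identity $_ } } else { Get-CsTenant }

    foreach ($tenant in $tenants) {
        $cfg = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId

        # AllowedDomains is the AllowAllKnownDomains marker object or an explicit AllowList
        $allowAll = ($cfg.AllowedDomains.GetType() -eq $allowAllType)
        $allowed  = if ($allowAll) { '*' } else { ($cfg.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain }) -join ',' }
        $blocked  = ($cfg.BlockedDomains | ForEach-Object { $_.Domain }) -join ','

        New-Object PSObject -Property @{
            TenantId            = $tenant.TenantId
            AllowFederatedUsers = $cfg.AllowFederatedUsers
            AllowPublicUsers    = $cfg.AllowPublicUsers
            AllowedDomains      = $allowed
            BlockedDomains      = $blocked
            # federation on, every known domain allowed and nothing blocked: the widest posture
            OpenToAllKnown      = ($cfg.AllowFederatedUsers -and $allowAll -and -not $blocked)
        }
    }
}

# list only tenants that are open to the outside, widest posture flagged in the last column
Get-TenantFederationReport | Where-Object { $_.AllowFederatedUsers -or $_.AllowPublicUsers } |
    Format-Table TenantId, AllowFederatedUsers, AllowPublicUsers, AllowedDomains, BlockedDomains, OpenToAllKnown -AutoSize
```

Running the report before and after a change to a tenant's configuration gives a simple diff of what the change did, which is easier to review than the C# scripts' side effects on their own.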

11. Enabling Federation between two Hosted Tenants

You can also configure federation between two tenant organizations on the same hosted platform. To do so, add each tenant to the other tenant’s Allow list.

static void Main(string[] args)
{
    string tenantA = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
    string domainA = ""; // SIP domain of tenant A
    string tenantB = "ou=AdventureWorks,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
    string domainB = ""; // SIP domain of tenant B

    // add each tenant's domain to the other tenant's allow list
    LyncSample sample = new LyncSample();
    sample.AddAllowedDomain(tenantA, domainB);
    sample.AddAllowedDomain(tenantB, domainA);
}

The following example shows the AddAllowedDomain function called in the sample above.

public void AddAllowedDomain(string distinguishedName, string allowedDomain)
{
    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);

        // build a script for adding the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
        builder.AppendLine("$allowList = $config.AllowedDomains");
        // AllowedDomains is either an AllowAllKnownDomains marker object
        // (Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains)
        // or an AllowList; only the latter has an AllowedDomain collection to add to
        builder.AppendLine("if($allowList.GetType() -eq $all.GetType())");
        builder.AppendLine("{");
        builder.AppendLine("\t$newList = New-CsEdgeAllowList -AllowedDomain $domain");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $newList");
        builder.AppendLine("}");
        builder.AppendLine("else");
        builder.AppendLine("{");
        builder.AppendLine("\t$allowList.AllowedDomain.Add($domain)");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $allowList");
        builder.AppendLine("}");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }
}

4. Provision Tenant Users

The following code example demonstrates how to enable a user for Lync Server 2010 including the following tasks:

• Enabling the user for Lync Server 2010

• Granting a dial plan to the user

• Setting the tenant and group IDs

• Setting the simple URL for meetings

// Hashtable requires System.Collections in addition to the namespaces listed in section 4
string tenantOU = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
string userPrincipalName = "testuser@"; // UPN of the user to enable
string poolFQDN = "lyncpool01.";        // FQDN of the registrar pool
string dialPlanName = "";               // name of the dial plan to grant

// create an initial session state with the AD and Lync modules loaded
InitialSessionState session = InitialSessionState.CreateDefault();
session.ImportPSModule(new string[] { "ActiveDirectory", "Lync", "LyncOnline" });

// create a runspace using the session state
using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
{
    // open the runspace
    runspace.Open();

    // get the tenant id
    Guid tenantId = Guid.Empty;
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Get-CsTenant");
        cmd.Parameters.Add(new CommandParameter("Identity", tenantOU));
        pipeline.Commands.Add(cmd);
        Collection<PSObject> result = pipeline.Invoke();

        // there should be only one since we specified a unique identity; guard the index in case
        // a missing tenant was reported as a non-terminating error instead of an exception
        if (result.Count == 0)
        {
            throw new InvalidOperationException("Tenant not found: " + tenantOU);
        }
        PSObject tenant = result[0];

        // get the tenant id
        tenantId = (Guid)tenant.Properties["TenantId"].Value;
    }

    // get the tenant OU simple URL
    string simpleUrl = string.Empty;
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Get-CsSimpleUrlConfiguration");
        cmd.Parameters.Add("Tenant", tenantId);
        pipeline.Commands.Add(cmd);
        Collection<PSObject> result = pipeline.Invoke();

        // there should be only one since we specified a unique tenant
        PSObject urlConfig = result[0];

        // get the simple url
        simpleUrl = (string)urlConfig.Properties["ActiveUrl"].Value;
    }

    // enable the user
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Enable-CsUser");
        cmd.Parameters.Add("Identity", userPrincipalName);
        cmd.Parameters.Add("RegistrarPool", poolFQDN);
        cmd.Parameters.Add("SipAddressType", "UserPrincipalName");
        pipeline.Commands.Add(cmd);
        pipeline.Invoke();
    }

    // grant the dial plan
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Command cmd = new Command("Grant-CsDialPlan");
        cmd.Parameters.Add("Identity", userPrincipalName);
        cmd.Parameters.Add("PolicyName", dialPlanName);
        pipeline.Commands.Add(cmd);
        pipeline.Invoke();
    }

    // set the grouping and tenant ids
    using (Pipeline pipeline = runspace.CreatePipeline())
    {
        Hashtable properties = new Hashtable();
        properties.Add("msRTCSIP-GroupingID", tenantId);
        properties.Add("msRTCSIP-TenantId", tenantId);
        properties.Add("msRTCSIP-BaseSimpleUrl", simpleUrl);

        // Get-ADUser -Identity takes a DN, GUID, SID or SAM account name, not a UPN,
        // so look the user up with -Filter and pipe the result into Set-ADUser
        Command getCmd = new Command("Get-ADUser");
        getCmd.Parameters.Add("Filter", "UserPrincipalName -eq '" + userPrincipalName + "'");
        pipeline.Commands.Add(getCmd);

        // Set-ADUser must be added to the same pipeline so it receives the user object
        Command setCmd = new Command("Set-ADUser");
        setCmd.Parameters.Add("Replace", properties);
        pipeline.Commands.Add(setCmd);
        pipeline.Invoke();
    }
}
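The msRTCSIP-TenantId and msRTCSIP-GroupingID attributes written in the last step are what tie a user to a tenant; a user whose attributes point at the wrong tenant, or whose enablement succeeded while the attribute write failed, ends up in the wrong tenant context. The following is an added example and not code from this guide: a check that reads back what the provisioning steps above should have produced and reports each mismatch by name. It assumes the ActiveDirectory, Lync and LyncOnline modules are loaded. The function name, the check names and the handling of the attribute encoding are this example's own; the msRTCSIP-* GUID attributes are converted from either string or byte form before comparison because the stored form is not stated in the guide.

```powershell
# Added example: verify that a provisioned user carries the right tenant markers.
# Assumes the ActiveDirectory, Lync and LyncOnline modules are loaded; the function name
# and the handling of the msRTCSIP-* attribute encoding are this example's own.
function Test-TenantUserProvisioning {
    param(
        [Parameter(Mandatory = $true)] [string] $TenantDn,
        [Parameter(Mandatory = $true)] [string] $UserPrincipalName,
        [Parameter(Mandatory = $true)] [string] $PoolFqdn
    )

    # the msRTCSIP-* GUID attributes may come back as a string or as raw bytes depending on
    # the schema definition; normalise both to System.Guid before comparing (assumption)
    function ConvertTo-GuidValue($value) {
        if ($null -eq $value) { return $null }
        if ($value -is [byte[]]) { return New-Object System.Guid -ArgumentList (,[byte[]]$value) }
        return [guid]$value
    }

    $tenant      = Get-CsTenant -Identity $TenantDn
    $expectedUrl = (Get-CsSimpleUrlConfiguration -Tenant $tenant.TenantId).ActiveUrl
    $attrs       = 'msRTCSIP-TenantId', 'msRTCSIP-GroupingID', 'msRTCSIP-BaseSimpleUrl'
    $adUser      = Get-ADUser -Filter "UserPrincipalName -eq '$UserPrincipalName'" -Properties $attrs
    $csUser      = Get-CsUser -Identity $UserPrincipalName

    # each check is named so the report says exactly which provisioning step did not land
    $results = @{
        AdUserFound     = ($null -ne $adUser)
        LyncEnabled     = ($null -ne $csUser -and [bool]$csUser.Enabled)
        OnExpectedPool  = ($null -ne $csUser -and "$($csUser.RegistrarPool)" -eq $PoolFqdn)
        TenantIdMatches = ($null -ne $adUser -and (ConvertTo-GuidValue $adUser.'msRTCSIP-TenantId') -eq $tenant.TenantId)
        GroupingMatches = ($null -ne $adUser -and (ConvertTo-GuidValue $adUser.'msRTCSIP-GroupingID') -eq $tenant.TenantId)
        SimpleUrlSet    = ($null -ne $adUser -and $adUser.'msRTCSIP-BaseSimpleUrl' -eq $expectedUrl)
    }
    $failed = @($results.Keys | Where-Object { -not $results[$_] })

    New-Object PSObject -Property @{
        User   = $UserPrincipalName
        Passed = ($failed.Count -eq 0)
        Failed = ($failed -join ',')
    }
}

# usage with the guide's tenant DN and constructed user and pool values
$dn = 'ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com'
Test-TenantUserProvisioning -TenantDn $dn -UserPrincipalName 'testuser@tenant.example' -PoolFqdn 'lyncpool01.hoster.example'
```

Running this immediately after the C# provisioning code turns a silent partial failure (for instance the Enable-CsUser step succeeding while the Set-ADUser step did not) into a named finding, and the same function can be run in bulk over a tenant's users to detect drift later.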
