Skype for Business Trusted Root Certificate Authorities strike again


Issue

This issue was flagged as a Contact Center that's unable to receive calls. Shortly after, it was noted that users were unable to join or create meetings using the "Meet Now" option within the SFB client and that the RGS service was failing to start.

Environment is Skype for Business 2015, Standard Edition.

Troubleshooting

All services were running with the exception of the Response group service. A quick dive into the event logs on the Front End Pool showed a number of errors as follows:-


Event ID 31147 LS Response Group Service – Cannot update active Match Making Server because SQL Server does not respond. Standard error for issues with connectivity to SQL.

That explains why the Response Group Service won't start. What else we got here?

Event ID 32178 LS User Service – Failed to Sync Data for Routing Group from backup store.

Cause indicates an issue with connectivity to the back-end database. Another SQL connectivity issue by the looks of it. Digging further, I also found a few other MCU errors like:


Event ID 61037 LS MCU Infrastructure – The Audio-Video Conferencing Server failed to send health notifications to the MCU factory.

And also:

Event ID 61043 LS MCU Infrastructure – The IM Conferencing Server failed to send health notifications to the MCU factory.

Almost missed this sneaky Information message (should be Error right..?).


Event ID 61029 LS MCU Infrastructure – stating that the certificate applied to the front end pool was somehow invalid.

OK so here is what I have learnt so far:

  • Response Group Service has an issue connecting to the SQL back-end (even though the back-end is local in Standard Edition)
  • MCU can't connect to the back-end either and it's complaining about an invalid certificate

Resolution

My money is on certificates even though technically speaking the event log entry referring to this was informational. A quick look at the certificates proves that they all look fine and no expiring certs hanging around.

Double checked the trusted root CA and that too looks fine.

However..

When checking the Trusted Root Certificates Authorities store I spotted something that wasn’t right. Usually the certificates in this store have identical Issued To and Issued By entries.

Anything that deviates from that, as far as I have experienced, generally prevented the RTCSRV service from starting. Not the case this time around.

Could this be the reason why I saw the Invalid Certificate warning before? Asked the on-site engineer what the deal was with these certs. Turns out they had been added by an engineer for some firewall trusts he was mucking around with.

Removed these dodgy certs, gave the RGS Service another start and boom, running! A round of tests to confirm and we are cooking with gas.

Folks! Seriously, there is no need to drop certs from the SAME CA as your server on the local store. They are from the same CA..

Lesson for today, if you don’t know what you are doing with certificates be warned. You could accidentally take out a Contact Center.
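
The check described above (certificates in the Trusted Root Certification Authorities store should have identical Issued To and Issued By values) can be scripted. This is an added PowerShell example, not part of the original post; the backup folder path is a hypothetical placeholder, and the script only reports and backs up, it removes nothing.

```powershell
# Added example: audit the machine Trusted Root store for certificates that are
# NOT self-signed (Subject differs from Issuer). Run elevated on the Front End.
$rootStore = 'Cert:\LocalMachine\Root'
$backupDir = 'C:\Temp\RootStoreAudit'   # hypothetical folder for .cer backups

# A genuine root CA certificate is issued to itself, so Subject equals Issuer.
$misplaced = @(Get-ChildItem -Path $rootStore |
    Where-Object { $_.Subject -ne $_.Issuer })

if ($misplaced.Count -eq 0) {
    Write-Output "Every certificate in $rootStore is self-signed."
    return
}

Write-Warning "$($misplaced.Count) non-self-signed certificate(s) found in $rootStore"

# Show enough detail to identify who issued each one and when it expires.
$misplaced |
    Select-Object Subject, Issuer, Thumbprint, NotBefore, NotAfter |
    Format-List

# Keep a copy of each certificate before anyone cleans up the store,
# so the change can be reviewed or reversed later.
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
foreach ($cert in $misplaced) {
    $file = Join-Path $backupDir "$($cert.Thumbprint).cer"
    Export-Certificate -Cert $cert -FilePath $file -Type CERT | Out-Null
    Write-Output "Backed up $($cert.Thumbprint) to $file"
}
```

Running this on every Front End after any certificate change gives an early warning before the services are next restarted.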


Guide to Vendor Classes and DHCP Policies


I often need to add a Vendor Class (Option 066) to define vendor specific settings to be sent to the endpoints in question. Typically this used to be rather a pain and often a little confusing, especially since you don’t set this up every day.

Finally with the release of Windows 2016, DHCP has matured to the extent that you are able to define policies dependent on other criteria. In this case I will explain how you can send specific option settings based on a vendor class.

My scenario includes two IP Phone variants, Yealink and V-Tech.

First I will define the Vendor Classes. Then I will create a policy. The policy will look for Vendor Class matches; if a match is found then specific options will be sent to the IP phone.

From the DHCP Server, right click IPv4 (of course you can do IPv6 if that's what you are running). Select Define Vendor Classes.

Click Add

Give your new Vendor Class a Display Name. In this example I am adding Yealink IP Phones. It is important to note that the ASCII value needs to be the Vendor Class as specified by the device vendor; in the case of Yealink IP Phones it's simply yealink (lower case).

You will now see Yealink appear as a new vendor class (I have also added a vendor class for V-Tech, which is another IP Phone brand I will be using).

Next, we will define a Policy that simply matches the vendor classes we want as a condition, then applies specific class options to the matched vendor classes.

For the Scope in question, right click on Policies and select New Policy

Give your Policy a Name and Description if needed, then click Next.

Since I plan to have 2 vendor classes as conditions, I will set this as an OR condition (so it matches Yealink OR V-Tech) by selecting the OR radio button, then click Add.

Select the criteria as Vendor Class, Operator as Equals and choose the required vendor class. Click Add and Ok.

You should now see the selected Vendor class listed.

We now add the second vendor class to our criteria, same as we just did before. This time I am selecting V-Tech (my other IP Phone variant).

We should now see both selected Vendor classes. Click Next to proceed.

I won't be handing out any specific IP addressing for my IP Phones recognized by the vendor classes, so I select the No radio button followed by Next.

The DHCP Scope option I'd like to associate with my Vendor Classes is Option 066 – Boot Server Host Name, which is a Standard Option. Specify the String Value and click Next.

NOTE: The String Value is the TFTP Boot Server and will depend on the location and platform you are working with.

Complete the Policy by clicking Finish.

If you now navigate to the DHCP Options for the Scope you have just created the Policy for, you should see the Option with the associated policy Name.

You should now be good to go.
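
The same procedure can be done with the DhcpServer PowerShell module. This is an added example, not part of the original guide; the scope ID, policy name, TFTP host name and the V-Tech vendor class string are hypothetical placeholders (only `yealink` comes from the guide).

```powershell
# Added example: vendor classes + scope policy + Option 066, scripted.
# Run on the DHCP server (DhcpServer module). Placeholder values are marked.
$scopeId    = '192.168.10.0'        # hypothetical scope ID
$policyName = 'IP Phones'           # hypothetical policy name
$bootServer = 'tftp.example.com'    # hypothetical Option 066 string value

$vendorClasses = @(
    @{ Name = 'Yealink IP Phones'; Data = 'yealink' },              # from the guide
    @{ Name = 'V-Tech IP Phones';  Data = '<vtech-vendor-class>' }  # placeholder
)

# 1. Define the vendor classes (skip any that already exist).
foreach ($vc in $vendorClasses) {
    $existing = Get-DhcpServerv4Class -Type Vendor |
        Where-Object { $_.Name -eq $vc.Name }
    if (-not $existing) {
        Add-DhcpServerv4Class -Name $vc.Name -Type Vendor -Data $vc.Data `
            -Description 'IP phone vendor class'
    }
}

# 2. Create the scope policy: match either vendor class (OR condition).
#    The condition array is a comparator followed by vendor class names.
$names     = $vendorClasses | ForEach-Object { $_.Name }
$condition = @('EQ') + $names
Add-DhcpServerv4Policy -Name $policyName -ScopeId $scopeId -Condition OR `
    -VendorClass $condition -Description 'Options for IP phones'

# 3. Attach Option 066 (Boot Server Host Name) to the policy only,
#    so other clients in the scope do not receive it.
Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $policyName `
    -OptionId 66 -Value $bootServer

# 4. Verify what the policy will hand out.
Get-DhcpServerv4Policy      -ScopeId $scopeId -Name $policyName
Get-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $policyName
```

Because Option 066 tells phones where to fetch their provisioning, the final two commands are worth keeping in change records so the boot server value can be reviewed later.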

My (ongoing) journey to achieving a Work/Life Balance


It wasn't that long ago that a fellow employee asked why my calendar had Monday through Friday blocked out from 4pm with an entry titled WLB.

It was a desperate attempt to train others to give me back the many late days I assumed they were taking from me. As time went by I came to realize that the real culprit stealthily making me late for dinner on a regular basis, was in fact, no one else but yours truly.

Truth be told, it was my inability to manage my own time that got me into this unsustainable predicament. A predicament that has slowly squeezed the life out of me, robbing me of sleep as I tossed and turned at night, processing the day's activities. Once asleep, the smallest interruption awakens my mind and a new day's activities start queuing in my overactive mind. Ever processing, even when I am trying not to.

Am I a workaholic? I don't believe so, I don't choose to work, I simply understand that there are things that need doing. Sometimes it's possible to plan time to get things done but often there aren't enough hours in the day, that's when I have struggled. Is this an excuse? Perhaps.

One thing for sure though, I am no 9-5 employee.

Root Cause Analysis

They say recognizing you have a problem is the first step to recovery.


For me, balancing my work responsibilities with my personal life, family, hobbies etc. hasn’t come easy. I have this inability to switch off, especially when the workload piles up or if there are unfinished tasks or a nagging issue I have been scratching my head over.

In my mind it's like trying to get some rest when the house is on fire.

If, like me, your “spare time” is spent doing something very similar to your day job, the lines between work and life become blurred.

Like an addiction, I had to admit that my loved ones were getting the short end. I was not happy, my health was slipping and I had developed sleeping problems. Something needed to change.

Rebooting Priorities

Who was I kidding, my self-imposed expectations were not shared by others. Back to basics, I had to find a way to identify what meant the most to me, simply asking myself what would hurt the most, losing my employment, losing my family, losing myself..

Something Needed to Change

The answer was obvious. I gave my employer the best of me and yet it was a part of my life easiest to replace. What I am most afraid of losing was my loved ones. They need to get the best of me. Time to reset priorities.

Taking Control

I still have high expectations of myself but have learnt to push back, to set realistic expectations. I have negotiated flexible time with my employer by stating my intent to be more balanced.

Wednesday mornings are blocked out as "time off", I can go to school events, help with charity work, do things that are important to the balance of my existence. And when I can't take time out on Wednesday morning, I may clip off the end of Friday or another day. It's not as consistent as I would like but slowly, this is becoming my new normal.

A Delicate Balance

Some folks have found it simple to box up time slots and have a clear division between work and life. Not so in my case. Often doing work that can't be done in business hours, often across time zones, deadlines of all sorts, it's almost impossible to time box in my case.

Instead it's a very delicate balance, one I am often re-adjusting. It's a never ending work in progress. When I start sliding down that slippery slope, it's time to reboot and prioritize. I won't give up trying, I can't afford to, there is too much at stake.

Reset Priorities

I haven't removed my WLB calendar entry that recurs every week day at 4PM, from time to time I do need to grab the time slot but it's an exception and no more the norm.

I have also added a new entry blocking out every Wednesday morning. I have focus time locked in my calendar and have started gardening. I really needed something away from my keyboard. I realized that my keyboard is my kryptonite.

In time, I hope to train myself how to truly balance my Work and Life. In the meantime, returning to this article will serve as my reminder.

Never give up!