How to prepare for your RAP as a Service for Lync/Skype for Business Server

The Tools machine is used to connect to each of the servers in your environment and retrieve

configuration and health information from them. The Tools machine retrieves information from

the environment communicating over Remote Procedure Call (RPC), Server Message Block

(SMB), and Distributed Component Object Model (DCOM). Once data is collected, the Tools

machine is used to upload the data to the Microsoft Premier Services portal for automated

analysis, followed up by manual analysis by one of our expert engineers. This upload requires

internet HTTPS connectivity to specific sites. Alternatively, you can also export the collected data

from the Tools machine and use a different machine to submit it. You need to ensure the ma-

chine used to upload the data also has the Rap as a Service client tool installed and has internet

connection.

At a high level, your steps to success are:

1. Install prerequisites on your Tools machine and configure your environment

2. Collect data from your environment

3. Submit the data to Microsoft Premier Services for assessment

A checklist of prerequisite actions follows. Each item links to any additional software required

for the Tools machine, and detailed steps included later in this document.

Checklist

Please ensure the following items have been completed before accessing the RAP as a Service

Portal for the first time and starting your engagement.

1. General Use

A Microsoft Account is required to activate and sign in to the RAP as a Service portal.

If you don’t have one already, you can create one at http://login.live.com

• To learn more about Microsoft Accounts, see: http://windows.microsoft.com/en-

US/windows-live/sign-in-what-is-microsoft-account

Ensure access to https://services.premier.microsoft.com

Ensure the Internet browser on the data collection machine has JavaScript enabled.

Last modified:

February, 2018

RAP as a Service for Lync/Skype for Business Server

Prerequisites

Download the latest prerequisites from:

http://www.microsoft.com/en-us/download/details.aspx?id=34698

Internet connectivity is

needed to:

Access the RAP as a

Service portal

Activate your

account

Download the

toolset

Submit data

Data submission to

Microsoft online servers

and displaying your

results on the online

portal uses encryption

to help protect your

data. Your data is

analyzed using our

RAP expert system.

Follow the steps listed at How to enable scripting in your browser. Internet Explorer 9,

Internet Explorer 10 and Internet Explorer 11 are the supported and recommended

browsers for this offering. Most other modern HTML5 based browsers will also work.

The site https://ppas.uservoice.com provides access to the Support Forum and Knowledge Base Articles for RAP as a Ser-

vice. If there are data collection issues during the discovery phase we recommend you to raise a support ticket via the con-

tact support button on top right side of the page.

2. Activation

Ensure access to http://corp.sts.microsoft.com

Ensure access to http://live.com

3. Data Collection

The next pages provide details on prerequisites for Data Collection:

Tools machine hardware and Operating System

Software installed including Lync/Skype for Business prerequisites

Account Rights on collection workstation, domains and SQL databases

Network and Remote Access

Lync/Skype for Business Server Health Monitoring / Synthetic Transactions

The Appendix Data Collection Methods details the methods used to collect data.

4. Submission

Internet connectivity is required to submit the collected data to Microsoft.

Ensure access to *.accesscontrol.windows.net

this URL is used to authenticate the data submission before accepting it.

The rest of this document contains detailed information on the steps discussed above.

Once you have completed these prerequisites, you are ready to use the RAP as a Service Portal to begin your assessment.

1. Hardware and Software

a. Tools machine hardware and Operating System:

Important: Do not run the toolset on any of your Lync/Skype for Business servers, you should use a dedicated collection

workstation.

Server-class or high-end workstation machine running Windows 7, Windows 8, Windows 8.1, or Windows Server

2008, Windows Server 2012 or their R2 versions and Windows Server 2016

Note: Windows Server 2003 and Windows 10 workstation are not supported as Tools machine. In addition to this

Windows Server 2016 is only supported with the Skype for Business Admin tools.

Important: To successfully gather Performance data, please ensure the data collection machine’s OS matches, or is a

higher version of the highest versioned OS target machine used within the environment. Typically, this means that Win-

dows 8 or Windows Server 2012 (R2) is OK to use.

Minimum: 8GB RAM, single 2Ghz processor (dual-core/quad-core recommended for faster processing), 5 GB of free

disk space plus up to 7 GB for every 100,000 objects in the assessed environment during data collection

64-bit operating system

At least a 1024x768 screen resolution (higher preferred)

Joined to one of the domains of the forest to be assessed

b. Software:

.NET Framework 3.5 installed and Microsoft® .NET Framework 4.0 installed.

To validate proper installation, navigate to this Windows Registry path:

Machine Requirements and Account Rights

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\NET Framework Setup\NDP. The major version number of each .NET Framework releases installed can be found at this Registry path. Click the major version number key and there is a string value called “Version” on the right-pane that reports the full version number of that .NET framework.

Windows PowerShell 3.0 or higher

You can validate the version installed opening a Windows PowerShell console and

running $PSVersionTable. You should see ‘3.0’ or higher listed for PSVersion,

WSManStackVersion and PSCompatibleVersions:

Remark: to collect data from a hybrid environment the Azure AD Powershell V2

module is required which requires at least Powershell 5.0

Install the relevant Lync Server Administrative Tools/

Skype for Business Server Administrative Tools and latest server updates

Note: Install the Lync Server 2010 Administrative Tools if you only have Lync

Server 2010 deployed. After installing the Administrative tools proceed with

the latest server update on the collection workstation to update the Lync

Administrative tools.

If you have installed both Lync Server 2013 and Skype for Business Server

2015 install only the Skype for Business Server 2015 tools and update the

Skype for Business Administrative tools.

Internet connectivity is

needed for the delivery

of your engagement

Ensure access to the following URLs:

For General Use:

https://services.premier.microsoft.com.

For the Token Activation and Authentication: http://corp.sts.microsoft.com.

http://live.com

For Data Collection:

http://go.microsoft.com

For Data Submission

https://services.premier.microsoft.com https://*.windows.net

https://ajax.aspnetcdn.com

Review the article below for complete

information regarding these URLs

https://ppas.uservoice.com/knowledgebase/articles/120616-what-do-i-need-to-open-in-my-firewall-proxy-to-use

Important: After the installation of the tools on the data collector node please reboot the data collec-

tor.

Depending on the operating system installed on the collection workstation, install the required version of Remote

Server Administrative Tools (RSAT):

• Remote Server Administration Tools for Windows 8.1

• Remote Server Administration Tools for Windows 8

• Remote Server Administration Tools for Windows 7 with Service Pack 1 (SP1)

Under Windows Features, make sure to install the ‘AD DS and AD LDS Tools’, one of the Role Administration Tools.

In case of a hybrid configuration make sure the Skype for Business Online PowerShell module is installed. (Please read

the Topic “Skype for Business Online” for more details)

c. Account Rights & Permissions:

A domain account needs to be setup to run the Rap as a Service for Lync/Skype for Business Server tools. This account needs to have the following permissions:

Domain Admin on every domain of the forest, or, Local Administrator access for all Lync/Skype for Business Servers (including Survivable Branch Appliances or Servers, also known as SBA/SBS)

Membership of Lync/Skype for Business Server related Active Directory groups:

• RTCComponentUniversalServices

• RTCSBAUniversalServices

• RTCUniversalSBATechnicians

• RTCUniversalServerAdmins

• RTCUniversalUserAdmins

• CSAdministrator

Tip: You can validate group membership by running the command: whoami /groups

Important: Do not use the Run As feature to start Rap as a Service client. Some collectors might fail. The account starting

the client must logon to the domain directly on the local machine.

A Windows Account to logon to the Premier Proactive Assessment Services portal (https://services.premier.microsoft.com). This is the RAP as a Service portal where you will activate your access token, down-load the toolset and fill out the operational survey, and the URL that hosts the web service that coordinates the data submission.

If you don’t have one, you can create one at http://signup.live.com

Please contact your TAM if the token in your Welcome Email has expired or can no longer be activated. Tokens expire after 10 days. Your TAM can provide new activation tokens for additional people.

The user account being used needs to be capable of running specific queries to SQL databases that support the Lync/Skype for Business Server environment being assessed. Here are the requirements for SQL:

Local administrator on all SQL servers that support Lync/Skype for Business Server (for clusters, on all nodes where the instance can be present)

For each Lync/Skype for Business Server related instance, minimum set of permissions need to be at least

• Connect SQL

• View Any Database

• View Server State

To verify, use Microsoft SQL Server Management Studio to connect to the instance. Under the instance properties, se-lect the page ‘Permissions’. Then, on the ‘logins and roles’ list select the one that represents your account, and check the effective permissions.

In case of SQL always on please verify with SQL Management Studio you are able to review the SQL Always on configu-ration. If you can’t open the configuration please make sure you have been assigned the correct permissions.

For each Lync/Skype for Business Server related database, specifially RTC/XDS database on Enterprise Edition pools, and LcsCDR and QoEMetrics databases that support Lync/Skype for Business Server Monitoring server role, minimum set of permissions need to be at least

• Connect

• Execute

• Select

To verify, use Microsoft SQL Server Management Studio to connect to the database. Under the database properties, select the page ‘Permissions’. Then, on the ‘logins and roles’ list select the one that represents your account, and check the effective permissions.

Important: Hidden SQL instances have not been tested and therefore are not supported.

Tip: If you find issues connecting to SQL instances or databases from the collection workstation, consider that there are many ways to connect, and you should try open TCP port 1433 (default instance), UDP 1434 (for browser service), and dy-namic TCP ports.

If your environment is part of a hybrid deployment you need to have an account in the .onmicrosoft.com directory. This account needs to have the following permissions:

Skype for Business Online administrator in the tenant

2. Network and Remote Access

Ensure that the browser on the tools machine or the machine from where you activate, download and submit data has JavaScript enabled. Follow the steps on How to enable scripting in your browser.

Internet Explorer is the supported browser for a better experience with the portal. Ensure Internet Explorer Enhanced Security Configuration (ESC) is not blocking java on sites. A workaround would be to temporary disable Internet Explorer Enhanced Security Configuration when accessing the https://services.premier.microsoft.com portal.

It ‘s important that during the collection any proxy configuration is temporarily disabled. To (temporary) disable the

proxy in Internet Explorer use the following instructions here.

In case of a hybrid configuration it is important that the data collector can connect to the online tenant.

Remote PowerShell is used to obtain data locally on the Lync/Skype for Business Servers (including SBAs and SBSs). On

these servers, run the following command to enable Remote PowerShell:

winrm quickconfig

To validate WinRM configuration on each of the servers validate the TCP ports configured for WinRM, by running the follow-

ing command on a PowerShell console:

Get-ChildItem WSMan:\localhost\Client\DefaultPorts

The result should be similar to:

Type Name SourceOfValue Value

---- ---- ------------- -----

System.String HTTP 5985

System.String HTTPS 5986

You can now use the telnet tool (or similar) to test connectivity to port assigned to HTTP (TCP 5985, by default).

Note: More information on the Installation and Configuration for Windows Remote Management can be found here

Due to the fact that the Rap as a Server tool collects data using multiple methods. It might be required to make changes to

the Windows firewall configuration. This can either be done by:

• create a firewall rule which allows all traffic from the data collector (recommended)

• create a GPO and assigning it to all Lync/Skype for Business Server related servers

• create separate rules on each server manually

Allow any traffic from the data collector to the Lync/Skype for Business related servers: :

Configure unrestricted network access to every Lync/Skype for Business Server (including SBAs/SBSs) in the Forest from the Collection Workstation

• The Lync/Skype for Business collector workstation requires connectivity to the remote Lync/Skype for Business

Servers to perform many tasks. Some existing firewall policies may interfere with data collection. Consider imple-

menting a temporary rule to allow unrestricted communication from the collector workstation.

• To implement , open Windows PowerShell and run the following:

netsh advfirewall firewall add rule name=“Allow all traffic from Collector

Workstation” dir=in action=allow enable=yes profile=any localip=any

remoteip=<IP Address of collection machine>

Group policy:

Configure a Group Policy Object to allow remote Event Log Management on Windows Firewall

• Create a new GPO and within the GPO open Computer Configuration\Policies\Windows Settings\Security

Settings\Windows Firewall with Advanced Security\ Windows Firewall with Advanced Security, and then

right-click Inbound Rules and click New Rule.

• In the New Inbound Rule Wizard “Rule Type” page, select Predefined, and in the rule list click Remote Event

Log Management, and then click Next.

• On the Predefined Rules page select the Remote Event Log Management (RPC) rule check box, and then click Next.

• On the Action page select Allow the connection and then click Finish.

• In the New Inbound Rule Wizard “Rule Type” page, select Predefined, and in the rule list click Remote Event

Log Management, and then click Next.

• On the Predefined Rules page select the Performance Log an Alerts rule check box, and then click Next.

• On the Action page select Allow the connection and then click Finish.

• In the New Inbound Rule Wizard “Rule Type” page, select Program, and in the this program path specify the loca-

tion of SQLserver.exe or click the browse button and locate SQLserver.exe, and then click Next.

• On the Action page select the Allow the connection rule check box, and then click Finish.

NOTE: Allow for this GPO to replicate and apply to all Lync/Skype for Business Server hosts before starting data collec-

tion. Keep in mind that the SQL server firewall rule might also need to be assigned to the SQL backend servers if no

connection is allowed from the data collector directly to SQL.

Separate Firewall rules :

Allow remote connection to the event log:

Configure the Server Firewall to ensure all Lync/Skype for Business Server hosts running Windows Server 2008/R2 and higher have “Remote Event Log Management” enabled.

• RAP as a Service Client might be unable to collect event log information from a Windows Server 2008/R2 or higher server if Remote Event Log Management has not been allowed. When Remote Management is enabled, the corre-sponding firewall rules that allow Remote Event Log Management are also enabled.

• To test if the tool will be able to collect event log data from a Windows Server 2008 R2 server you can try to connect to the Windows Server 2008/R2 server using eventvwr.msc. If you are able to connect, collecting event log data

is possible. If the remote connection is unsuccessful you may need to enable the Windows built-in firewall to allow Remote Event Log Management.

Allow remote connection to Performance and Alerts:

Configure the Server Firewall to ensure all Lync/Skype for Business Server hosts running Windows Server 2008/R2 and higher have “Performance and Alerts Management” enabled.

• RAP as a Service Client might be unable to collect performance data from a Windows Server 2008/R2 or higher server if Performance Logs and Alerts has not been allowed.

• To test if the tool will be able to collect event log data from a Windows Server 2008 R2 or higher server you can try to connect to the Windows Server 2008/R2 server using Performance Monitor. If you are able to connect,

collecting Performance data is possible. If the remote connection is unsuccessful you may need to enable the Windows built-in firewall to allow Performance Logs and Alerts.

Allow remote connection to SQL

Configure the Server Firewall to ensure all Lync/Skype for Business Server hosts running Windows Server 2008/R2 and higher have remote access enabled to the SQL instances:

• RAP as a Service Client might be unable to collect data from a Windows Server 2008/R2 or higher server if a remote connection to the SQL instances has not been allowed. This includes both the instances located on the Lync/Skype for Business Servers and the SQL backend to store the Lync/Skype for Business related databases.

3. Lync Server Health Monitoring / Synthetic Transactions

Configure Lync Server CsHealthMonitoringConfiguration

Synthetic transactions are Windows PowerShell cmdlets that verify that key end user scenarios—such as the ability to sign in to the system, or the ability to exchange instant messages—are working as expected. To perform these tests, user accounts are required but do not need to represent actual people, but they must be valid Active Directory Domain Services (AD DS) accounts; in addition, these accounts must be enabled for Lync Server, they must have valid SIP ad-dresses, and they should be enabled for Enterprise Voice (to use the Test-CsPstnPeerToPeerCall synthetic

transaction).

Validate if Lync Health Monitoring has already been configured for all Registrar Pools (including SBAs/SBSs), by opening the Lync/Skype for Business Management Shell, and running the following command:

Get-CsHealthMonitoringConfiguration –identity <poolname>

For any pool that has not been configured yet, use the next steps to enable a New-CsHealthMonitoringConfiguration for that pool, or alternatively leverage the script detailed

in the Create and Configure Users for Synthetic Transactions post on the NextHop Microsoft Blog.

• Configure a New-CsHealthMonitoringConfiguration for each Registrar Pool in the Lync environment:

• Create two User Accounts per Registrar Pool in Active Directory and enable them for Lync/Skype for Busi-ness (also make sure they are Enterprise Voice enabled). These accounts can be disabled in Active Directory once created:

<Poolname>Test1 Details:

SamAccount PoolnameTest1

SIP URI PoolnameTest1@contoso.com

<Poolname>Test2 Details:

SamAccount PoolnameTest2

SIP URI PoolnameTest2@contoso.com

• Open the Lync/Skype for Business Management Shell, and run the following command:

New-CsHealthMonitoringConfiguration –Identity <poolname> -FirstTestUserSipUri

“sip:PoolnameTest1@contoso.com” –FirstTestSamAccountName

“<CONTOSO\PoolnameTest1>” –SecondTestUserSipUri

“sip:PoolnameTest2@contoso.com>” –SecondTestSamAccountName

“<CONTOSO\PoolnameTest2>”

Note: Repeat these steps for every Registrar Pool (including SBAs or SBSs) in the Lync environment

• In order to use Synthetic transactions correctly your health users should be able to invite anonymous users in their conferencing policies and you should enable them for Enterprise Voice if it is deployed in your environment.

• If mobility is deployed in the environment make sure a mobility policy is assigned to the health users which allows

the usage of the mobility options.

4. Skype for Business Online

a. Software

Make sure both the Azure AD V2 Powershell module and the Skype for Business Online Powershell module is installed on your

machine.

The Azure AD V2 Powershell module requires a minimum version of Powershell 5 and in addition to this requires the Microsoft

sign-in assistant to be installed.

Software can be downloaded by using the links below:

Powershell V5: https://www.powershellgallery.com/packages/AzureAD/2.0.0.131

Microsoft Sign In assistant: https://www.microsoft.com/en-us/Download/details.aspx?id=28177

Azure AD V2 Powershell module: https://www.powershellgallery.com/packages/AzureAD/2.0.0.131

To validate if the Azure AD V2 Powershell module is installed verify if the Connect-AzureAD cmdlet is available, this can be done

by opening the Powershell console and run the following cmdlet Get-Command Connect-AzureAD. If the cmdlet will be found an

output similar like below will be displayed:

To validate the Skype for Business Online module is installed ensure that the New-CsOnlineSession cmdlet is available by run-

ning the following cmdlet Get-Command New-CsOnlineSession which should give you an output similar like the one displayed

below:

If one of the modules has just been installed the module restart the data collector machine and restart the data collection.

b. Permissions

To collect data from Skype for Business Online the account being used to collect the data from Skype for Business Online needs

to be assigned the Global Administrator role in the Office 365 portal.

5. Running the client

This chapter describes at a high level how to run the tool.

Open the tool by right clicking the Rap as a Service client and select the option Run as Administrator.

Make sure the correct assessment is selected:

Click Start to start the assessment.

In the next screen specify the tenant domain, this only needs to be specified if you also want to collect data from your Skype for Business Online tenant. Once specified click Check to start the discovery process.

During the discovery phase you will be prompted to specify the credentials to be used to collect data from Skype for Business Online. Specify the user name in the following format: username@domain.com. If the you entered incorrect credentials 3 times no data will be collected from the Skype for Business Online tenant.

Once the discovery has finished confirm that the Success rate is 100%. If not review the errors by selecting the View Errors option. If all errors are fixed rerun the discovery part by selecting the Retry option, continue until the success rate is 100%.

If the success rate is 100% click Collect to start the data collection:

Wait until the data collection has completed.

Confirm a green bar is displayed once the data collection has completed:

Click Submit to continue uploading the data to the portal

Specify a your email address and press the I Agree button:

Wait until data has been submitted:

Select the Schedule button if you want to run the assessment on a scheduled base. If not select the Close button.

Logon to the Rap as a Service Portal and continue filling in the operational assessment.

Frequently asked questions

1. I see some failures on the discovery of my Lync/Skype for Business environment. Should I proceed?

Under normal circumstances, you may see errors on several domain controllers and SQL instances or databases. This may be ex-

pected as you may not have connectivity or permissions on those objects. For the SQL instances and databases, as long as they

don’t represent objects that support Lync/Skype for Business databases, you can safely ignore these errors and carry on with the

collection of data.

2. Can I complete the Rap as a Service if I have not completed all the prerequisites?

The Rap as a Service will not complete successfully until all the prerequisites have been met. The process can continue and upload

data, however the data will be incomplete and results may be misleading.

3. If some prerequisites have failed, can I fix them and complete the Rap as a Service at a later time?

Yes. If it takes time to complete the prerequisites, the Rap as a Service collection can be completed at a later time. It is important

not to complete the data collection and upload the data for analysis until it is complete.

4. I have received a screen showing lots of failures (such as below), do I have to fix all of these problems before continuing?

In a number of cases, specific collectors which are dependant upon prerequisites will show as failed along with the prerequisites.

This will make the toolset appear to have more problems—for example a number of collectors are dependent upon the ‘Remoting’

functionality of PowerShell. If this is not enabled, in addition to the prerequisite collector (Prerequisite - Cannot connect to Lync/

Skype for Business PowerShell) failing, all dependant collectors will show as failed.

It is important to check the list of failed collectors for any which start with “Prerequisite” in the name, these should be corrected

first, then the tool re-run to highlight any further failures.

5. The collection process is failing on a specific site/pool/server—this is only a test server and I don’t want it analysed. What

should I do?

Although it may only be test infrastructure,

Lync/Skype for Business uses a single topology

model, so you will get best results by analysing

all infrastructure—policies or configuration may

applied from the test infrastructure to objects

and without full disclosure may be difficult to

trace the root cause of problems.

Appendix: Data Collection Methods

RAP as a Service for Skype for Business Server uses multiple data collection methods to collect information. This section describes

the methods used to collect data from a Lync/Skype for Business Server environment. No VB scripts are used to collect data. Data

collection uses workflows and collectors. The collectors are:

1. Registry Collectors

2. LDAP Collectors

3. Event Log Collector

4. Lync Management Shell

5. WMI

1. Registry Collectors

Registry keys and values are read from the Lync/Skype for Business Servers. They include items such as:

Version information from HKLM\SOFTWARE\Microsoft\Real-Time Communications.

This allows to determine the version of each Lync/Skype for Business component installed on Lync/Skype for Business

Servers.

2. LDAP Collectors

LDAP queries are used to collect data for the Forest and Domain(s), Partitions and other components from

Active Directory itself. For a complete list of ports required by AD, see: http://support.microsoft.com/kb/179442.

3. Event Log Collector

Collects event logs from Lync/Skype for Business Servers. We collect the last 7 days of Warnings and Errors from the Lync/Skype

for Business Server log.

4. Lync/Skype for Business Management Shell

With the Lync/Skype for Business module for Windows PowerShell, we collect Lync/Skype for Business Server configurations.

5. Windows Management Instrumentation (WMI)

WMI is used to collect various information such as:

WIN32_Volume

Collects information on Volume Settings for each DC in the forest. The information is used for instance to determine the

system volume and drive letter which allows the client to collect information on files located on the system drive.

Win32_Process

Collect information on the processes running on each DC in the forest. The information provides insight in processes that

consume a large amount of threads, memory or have a large page file usage.

Win32_LogicalDisk

Used to collect information on the logical disks. We use the information to determine the amount of free space on the disk

where the database or log files are located.