Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting Deployment Guide

Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting

Published: January 2012

Abstract: The Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting features include integration with Microsoft Exchange Server, Microsoft Outlook, and other communication technologies. Lync Server Multitenant Hosting Pack enables customers to manage geographically dispersed offices and mobile users in a way that reduces travel expenses, while maintaining highly collaborative team environments. This document describes the Lync Server Multitenant Hosting Pack, and includes information about how to deploy and configure it.


This document is provided “as-is”. Information and views expressed in this document, including URL and other Internet Web site references, may change without notice.

Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred.

This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal, reference purposes.

Copyright © 2011 Microsoft Corporation. All rights reserved.

Contents

1 Overview of the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting
  1.1 Understanding the Lync Server Multitenant Hosting Pack
  1.2 How to get the Lync Server Multitenant Hosting Pack Software
  1.3 What’s Available in the Lync Server Multitenant Hosting Pack
    1.3.1 Comparing the Lync Server Multitenant Hosting Pack with Microsoft Lync Online
  1.4 Known Issues
2 Determining Your Infrastructure Requirements
  2.1 Hardware Requirements
    2.1.1 Hardware Requirements for Servers Running Lync Server 2010
    2.1.2 Hardware Requirements for Back End Servers and Other Database Servers
  2.2 Exchange Server 2010
  2.3 Network Infrastructure Requirements
  2.4 Domain Name System (DNS) Requirements
  2.5 Active Directory Domain Services Requirements
  2.6 Load Balancing Requirements
  2.7 Port and Protocol Requirements
  2.8 Certificate Requirements
3 Understanding the Lync Server Multitenant Hosting Pack
  3.1 About Lync Server Multitenant Hosting Pack User Types
  3.2 Lync Server Multitenant Hosting Pack Server Roles
  3.3 Lync Server 2010 Control Panel
  3.4 Exchange Server 2010 SP2 Roles
4 Planning for the Lync Server Multitenant Hosting Pack
  4.1 Architectures
    4.1.1 Architecture 1 – Support for 50,000 Tenant Users
    4.1.2 Architecture 2 – Support for 5,000 Tenant Users
  4.2 Flexible Systems Scaling
  4.3 Role-specific Load Balancing and Fault Tolerance
  4.4 Mailbox Server Storage Design
5 Deploying the Lync Server Multitenant Hosting Pack
  5.1 Deploying Architecture 2
  5.2 Change the Name and Domain of the Server Running Lync Server
  5.3 Installation Media
  5.4 Install the Lync Server Multitenant Hosting Pack
6 Define the Topology
  6.1 Create a Front End Pool
  6.2 Configure Front End Servers
  6.3 Add Server Roles
  6.4 Deploy Edge Servers
  6.5 Define the Edge Topology
  6.6 Build the Edge and Directory Topology
  6.7 Deploy the Director
  6.8 Monitoring
7 Post-Installation Configuration
  7.1 Install Additional Components
  7.2 Modify Lync Server Management Shell
  7.3 Update Active Directory for Hosted Management Services
    7.3.1 Move Root Tenant OU
  7.4 Global Client Policies for Address Book Web Query
  7.5 Lync Server Dial Plans
  7.6 Proxy Configuration
8 Provisioning Tenant Organizations
  8.1 Create and Secure the Organizational Units
  8.2 Set TenantId and ObjectId
  8.3 Add UPN Suffix to Tenant OU
  8.4 Create Tenant SIP Domain
  8.5 Configure Exchange Email
  8.6 Configure Unified Messaging
    8.6.1 Create Tenant Exchange Dial Plan and Exchange UM Mailbox Policy
    8.6.2 Assign Tenant Dial Plan to All Available Exchange UM Servers
    8.6.3 Update Exchange UM/Lync Server Integration Configuration
    8.6.4 Create Lync Server Contacts for Exchange UM Subscriber Access
  8.7 Configure Tenant Federation Settings
    8.7.1 Getting Tenant Federation Settings
    8.7.2 Adding Domains to the Tenant Allow List
    8.7.3 Adding Domains to the Tenant Block List
    8.7.4 Clearing the Tenant Block List
    8.7.5 Clearing the Tenant Allow List
    8.7.6 Resetting Tenant to Allow All Domains Except Those Listed on the Block List
    8.7.7 Enabling a Tenant for Federation
  8.8 Configure Federation Between Two Fully-Hosted Tenants
    8.8.1 Configure Federation Between Lync Server On-Premises and Lync Server Multitenant Hosting Pack
  8.9 Create Tenant DNS Records
  8.10 Configure Tenant Meeting URL
  8.11 Create Tenant Meeting Simple URLs
    8.11.1 Import the Required Modules for Windows PowerShell
    8.11.2 Configure the Simple URL to Use the Back-end Database
    8.11.3 Create the Simple URLs for a Tenant Organization
    8.11.4 Set the Simple URL DNS Name
    8.11.5 Execute Enable-CsComputer on Front End and Director Servers
  8.12 Update Certificates
9 Provisioning Tenant Users
  9.1 Enable Tenant Users for Exchange UM
  9.2 Set User TenantID and GroupingID
    9.2.1 Known Issue
  9.3 Configure the user Base Simple URL with the Tenant Organization’s Base URL
  9.4 Enable Tenants for Lync Server
  9.5 Set Address Book Policy for Tenant User
10 Overview of the Audio Conferencing Provider
  10.1 Integrating with Audio Conferencing Provider
  10.2 Provisioning with Audio Conferencing Provider
  10.3 Integration Workflows with Audio Conferencing Provider
    10.3.1 Create and Schedule a Web Conference
    10.3.2 Activate a Conference
    10.3.3 Join Conference by Using Conferencing Dial-out
    10.3.4 Audio Bridging Sequence
    10.3.5 Use Audio Controls from Lync Server
  10.4 Known Issues
11 Code Samples
  11.1 Prerequisites
  11.2 Dependencies
  11.3 Provision a Tenant Organization
    11.3.1 Create and Secure Organizational Unit
    11.3.2 Enable the Tenant Organization
    11.3.3 Add an Additional SIP Domain to the Tenant Organization
    11.3.4 Adding Domains to the Tenant Allow List for Federation
    11.3.5 Adding Domains to the Tenant Block List for Federation
    11.3.6 Removing Domains from the Tenant Allow List for Federation
    11.3.7 Removing Domains from the Tenant Block List for Federation
    11.3.8 Allowing all Domains for Tenant Federation
    11.3.9 Enabling a Tenant for Federation
    11.3.10 Enabling a Tenant for Public IM Connectivity
    11.3.11 Enabling Federation between two Hosted Tenants
  11.4 Provision Tenant Users

1 Overview of the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting

Microsoft® Lync™ Server 2010 Multitenant Pack for Partner Hosting is a unified communications (UC) solution for telecom and hosting providers. Unified communications is a way for telecom and hosting providers to expand their service offering to their current customers. The Lync Server Multitenant Hosting Pack features include integration with Microsoft Exchange Server, Microsoft Outlook®, and other communication technologies. Lync Server Multitenant Hosting Pack enables customers to manage geographically dispersed offices and mobile users in a way that reduces travel expenses, while maintaining highly collaborative team environments. This increased integration of communication channels translates to improved organizational flexibility that is often difficult to find in larger enterprise organizations.

1.1 Understanding the Lync Server Multitenant Hosting Pack

This section describes how the Lync Server Multitenant Hosting Pack integrates with the core system infrastructure. To better understand the overall system it helps to define unified communications, Lync Server, and the Lync Server Multitenant Hosting Pack.

Unified communications (UC) is a system that integrates platforms for communications including email, voice mail, telephony, instant messaging (IM), and voice and video conferencing. UC solutions are installed on the client’s core systems, adding a UC layer to the overall infrastructure. This UC layer adds integration and interconnects the communications systems with the organization’s core system services.

Microsoft Lync Server 2010 is a family of servers functioning as UC servers that integrate with all the Microsoft line-of-business software. Lync Server adds these new communication possibilities within the organization. A Lync Server and Exchange Server layer provide system integration between Exchange and other communication systems like IM, presence, voice and video calls, desktop sharing, file transfer, and ad hoc conferences.

Microsoft Lync Server Multitenant Hosting Pack is a special deployment configuration scoped for hosting or telecom services providers. The solution enables service providers to host multitenant Lync Server instances shared across multiple customer environments. In addition, the Lync Server Multitenant Hosting Pack solution includes an add-on layer that allows our partners to build communication packages that use the Lync Server Multitenant Hosting Pack to integrate with the core layer.

1.2 How to get the Lync Server Multitenant Hosting Pack Software

A license is required to use the software. To download and install the Lync Server Multitenant Hosting Pack software, you need to log in to the Microsoft Volume Licensing Service Center at http://go.microsoft.com/fwlink/?LinkId=238381.

1.3 What’s Available in the Lync Server Multitenant Hosting Pack

The features that integrate with other components and applications include the following:

Presence: A collection of attributes that provides an indication of a person's status, activity, location, willingness to communicate, and contact information.

Instant messaging (IM): A form of real-time text-based communication.

Data and desktop sharing: A feature that allows users to share files, use whiteboard, and display their desktop to a meeting or to conversation participants.

Conferencing: Two-way video and audio transmissions between users in multiple locations.

Unified Messaging: An application that consolidates a user's voice mail, fax, and email into one mailbox, so that the user only needs to check a single location for messages, regardless of type. The email server is the platform for all types of messages, making it unnecessary to maintain separate voice mail and email infrastructures.

Private branch exchange (PBX) replacement: UC integration with Voice over Internet Protocol (VoIP) systems can replace traditional phone exchange systems.

Lync Server Multitenant Hosting Pack partner feature sets include:

Appliances: Hand and head set I/O devices.

Conferencing server gateway video: Real-time IP video, voice, and data services.

Mobility solution: Allows mobile phones the same access to services as a standard desktop handset.

Audio conferencing provider: Integration with hosted conferencing systems.

Short Message Service (SMS): Text messaging systems used by phones and mobile communication systems.

1.3.1 Comparing the Lync Server Multitenant Hosting Pack with Microsoft Lync Online

The features available in the Lync Server Multitenant Hosting Pack are similar to those available in Lync Online. The following table lists the features that are available for each.

Feature Comparison: Lync Server Multitenant Hosting Pack versus Lync Online

| Lync Server feature | Lync Multitenant Hosting Pack | Lync Online |
| --- | --- | --- |
| Presence | | |
| Contacts list | Yes | Yes |
| Address Book Service Web Query service | Yes | Yes |
| Distribution List Expansion protocol (DLX) | Yes | Yes |
| Instant Messaging (IM) | | |
| Point-to-point IM | Yes | Yes |
| Multiparty/Group IM | Yes | Yes |
| Group Chat | No | No |
| Client Support | | |
| Lync desktop client | Yes | Yes |
| Mac Messenger | Yes | Yes |
| Attendee (meeting only) | Yes | Yes |
| Lync Mobile on: iPhone, iPad, Windows Phone 7, Android | Yes | Yes |
| Conferencing and Sharing | | |
| Point-to-point audio/video | Yes | Yes |
| Video conferencing over IP | Yes | Yes |
| Audio conferencing over IP only | Yes | Yes |
| Meeting recording | Yes | Yes |
| Ad-hoc audio dial-out conferencing | Yes (via SIP Trunk) | Yes (via SIP Trunk) |
| “Meet now” audio dial-out conferencing | Yes (via ACP) | Yes (via ACP) |
| Scheduled audio dial-out conferencing | Yes (via ACP) | Yes (via ACP) |
| Sharing | | |
| Point-to-point/multiparty data conference (white boarding) | Yes | Yes |
| Point-to-point/multiparty file share | Yes | Yes |
| Point-to-point/multiparty desktop and application sharing | Yes | Yes |
| Point-to-point/multiparty Microsoft PowerPoint® slide sharing | Yes | Yes |
| Polling | Yes | Yes |
| Integration | | |
| Microsoft Outlook integration for IM, presence, calendar (with users on the same hosting partner) | Yes | Yes |
| Microsoft SharePoint® integration for IM, presence (with users on the same hosting partner) | Yes | Yes |
| PIC and Federation | | |
| Intertenant federation | Yes | Yes |
| Federation with Extensible Messaging and Presence Protocol (XMPP) | No | No |
| Public IM connectivity and presence (Windows Live®, AOL®, Yahoo!®) | No | Yes |
| Public IM connectivity audio/video (Windows Live) | No | Yes |
| Basic calling features | | |
| Public switched telephone network (PSTN) calling via Lync incoming and outgoing | Yes | Yes |
| Call controls: hold, transfer, forward, simultaneous ring | Yes | Yes |
| Voice policies | Yes | Yes |
| Advanced calling features | | |
| Team call | No | No |
| Response groups | No | No |
| Delegation | No | No |
| Private line (secondary Direct Inward Dialing (DID)) | No | No |
| Call park | No | No |
| Outgoing DID manipulation | No | No |
| Voice features | | |
| Private dial plans | No | No |
| Hosted Exchange Unified Messaging (UM) for voice mail | Yes | Yes |

1.4 Known Issues

By design, public IM connectivity is not supported in this release.

2 Determining Your Infrastructure Requirements

All servers running Lync Server 2010 must meet certain minimum system requirements. System requirements for Lync Server 2010 include the server hardware, the operating system to be installed on each server, and related software requirements, such as Windows® updates and other software that must be installed on the servers.

2.1 Hardware Requirements

Lync Server 2010 server roles and computers running Lync Server administrative tools require 64-bit hardware.

The specific hardware used for a Lync Server 2010 deployment can vary depending on size and usage requirements. This section describes the recommended hardware. Although these are recommendations, not requirements, using hardware that does not meet these recommendations can result in a significant impact on performance and other problems.

2.1.1 Hardware Requirements for Servers Running Lync Server 2010

The following table describes the recommended hardware for all servers where you plan to install Lync Server 2010, except for the Director server role. These recommendations are based on a user pool of 80,000 users with eight Front End Servers and one Back End Server.

Hardware Recommendations for Servers Running Lync Server 2010

| Hardware component | Recommended |
| --- | --- |
| CPU | One of the following: 64-bit dual processor, quad-core, 2.0 GHz or higher; 64-bit 4-way processor, dual-core, 2.0 GHz or higher. Intel Itanium processors are not supported for Lync Server 2010 server roles. |
| Memory | 16 GB |
| Disk | Local storage with at least 72 GB free disk space on a 10,000 RPM disk drive |
| Network | 1 network adapter required (2 recommended), each 1 Gbps or higher |

Servers running the Director role have lesser hardware requirements. These recommendations are based on a maximum of 39,000 external users per Front End pool (which follows the user model of 80,000 users per Front End pool, with 30% of users connecting externally and 1.5 multiple points of presence (MPOP)).

2.1.2 Hardware Requirements for Back End Servers and Other Database Servers

The requirements for the Back End Server and other database servers are similar to those of servers running Lync Server 2010, except that Back End Servers require additional memory. The following table describes the recommended hardware for a Back End Server or other database servers, based on an 80,000 user pool with eight Front End Servers and one Back End Server containing all databases required for your Lync Server deployment.

Hardware Recommendations for Back End Servers and Other Database Servers

| Hardware component | Recommended |
| --- | --- |
| CPU | One of the following: 64-bit dual processor, quad-core, 2.0 GHz or higher; 64-bit 4-way processor, dual-core, 2.0 GHz or higher. Intel Itanium processors are not supported for Lync Server 2010 server roles. |
| Memory | 32 GB recommended for Back End Server (with or without collocated Archiving and Monitoring databases), 16 GB recommended for Archiving and Monitoring database (not collocated with the Back End Server). |
| Disk | Local storage with at least 72 GB free disk space on a 10,000 RPM disk drive |
| Network | 1 network adapter required (2 recommended), each 1 Gbps or higher |

2.2 Exchange Server 2010

Lync Server Multitenant Hosting Pack uses Exchange Server as an integration point for the user. By using Exchange UM, Lync Server Multitenant Hosting Pack can store multiple communication technology messages including: presence, IM, workload, conferencing, and VoIP servers and services. For more information about hosted Exchange, see the “Exchange Server 2010 Hosting and Multi-Tenancy Solutions and Guidance” at http://go.microsoft.com/fwlink/?LinkId=234782.

Deploy the following Microsoft Exchange Server 2010 roles according to the Exchange Server guidance. For details, see “Deploying Exchange 2010” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230798:

Client Access Server
Hub Transport Server
Mailbox Server (public folders are optional)
Edge Transport Server (optional)
Unified Messaging

Apply Exchange Service Pack 2 to all Exchange servers. You can download Microsoft Exchange Server 2010 Service Pack 2 (SP2) at http://go.microsoft.com/fwlink/?LinkId=236894.

2.3 Network Infrastructure Requirements

The requirements for your network infrastructure will vary greatly depending on your deployment, the number of tenant users you need to support, and the features used by those tenants. For general information about network infrastructure requirements for Lync Server 2010, see “Network Infrastructure Requirements” at http://go.microsoft.com/fwlink/?linkid=204603.

Specific requirements for deploying the Lync Server Multitenant Hosting Pack, or requirements that differ from those for Lync Server 2010 Enterprise Edition, are noted in the sections for the associated deployment task.

2.4 Domain Name System (DNS) Requirements

To support client automatic configuration for all hosted domains, you must work with your hosted customers to ensure that the required DNS records are created for each hosted domain. You must add the appropriate subject alternative names to certificates used by Director and Edge Servers for each of these domains.

To facilitate initial testing, this documentation assumes that hosting providers will follow the standard guidance to configure a single supported SIP domain during initial deployment. That SIP domain is both publicly registered and used as the Active Directory® Domain Services domain for all servers running Lync Server 2010. It will be used for initial testing. The “Provisioning Tenant Organizations” section later in this document covers adding DNS records, updating certificates, and other related steps.
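
One way to check the certificate requirement above before a tenant goes live, as an added example that is not part of the original guide or of the Lync Server tooling. The function names, the sample domains, and the `sip` host label are assumptions; substitute the names your deployment actually requires. The SAN parsing assumes Windows with English-language extension formatting.

```powershell
# Added example (not from the deployment guide): report hosted SIP domains
# that a Director or Edge certificate does not yet cover with a SAN entry.

function Get-SanDnsName {
    # Returns the DNS names listed in a certificate's subjectAltName extension.
    param(
        [Parameter(Mandatory = $true)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )
    # 2.5.29.17 is the OID of the subjectAltName extension.
    $ext = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($null -eq $ext) { return }
    # Format($true) prints one entry per line, for example "DNS Name=sip.contoso.com".
    # Assumption: English-language Windows; other locales label the entry differently.
    foreach ($line in ($ext.Format($true) -split "`r?`n")) {
        if ($line -match '^\s*DNS Name=(.+?)\s*$') {
            $Matches[1].ToLowerInvariant()
        }
    }
}

function Find-UncoveredSipDomain {
    # Emits one object per required name that is missing from the SAN list.
    param(
        [Parameter(Mandatory = $true)][string[]]$SipDomain,
        [Parameter(Mandatory = $true)][string[]]$SanDnsName,
        # Assumption: each hosted domain needs "<label>.<domain>" on the certificate.
        [string[]]$HostLabel = @('sip')
    )
    foreach ($domain in $SipDomain) {
        foreach ($label in $HostLabel) {
            $required = "$label.$domain".ToLowerInvariant()
            # -contains compares case-insensitively. Wildcard SAN entries are
            # deliberately not treated as covering a name, so the check is conservative.
            if ($SanDnsName -notcontains $required) {
                [pscustomobject]@{ SipDomain = $domain; MissingName = $required }
            }
        }
    }
}

# Constructed sample data: three hosted domains and the SAN list of a
# certificate that was last reissued before the third tenant was added.
$hostedDomains = 'contoso.com', 'fabrikam.com', 'tailspintoys.com'
$sanNames      = 'sip.contoso.com', 'sip.fabrikam.com', 'edge.hoster.example'

Find-UncoveredSipDomain -SipDomain $hostedDomains -SanDnsName $sanNames

# Against an installed certificate (thumbprint is a placeholder):
# $cert = Get-Item 'Cert:\LocalMachine\My\<thumbprint>'
# Find-UncoveredSipDomain -SipDomain $hostedDomains -SanDnsName (Get-SanDnsName -Certificate $cert)
```

With the constructed sample, the only row reported is `tailspintoys.com` with the missing name `sip.tailspintoys.com`, which is the case where a tenant was provisioned but the certificate was not reissued.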

2.5 Active Directory Domain Services Requirements

Deploy a pair of redundant Active Directory servers according to Exchange Server 2010 guidance. For details, see “Planning Active Directory” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230823.

The Lync Server Multitenant Hosting Pack supports a single forest Active Directory environment with User or Resource forests. For details about Active Directory and Lync Server 2010, see “Active Directory Domain Services Requirements, Support, and Topologies” in the TechNet Library at http://technet.microsoft.com/en-us/library/gg398760.aspx.

2.6 Load Balancing Requirements

We recommend that you use hardware load balancing for all supported roles. For details about hardware load balancing in Lync Server, see “Load Balancing Requirements” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235820, and “Components Required for External User Access” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235821.

2.7 Port and Protocol Requirements

For details about port and protocol requirements for Lync Server communications, see “Ports and Protocols for Internal Servers” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235822. Port and protocol requirements that differ from Lync Server 2010 Enterprise are called out in the associated section of this document.

2.8 Certificate Requirements

For Lync Server 2010 certificate requirements, see “Certificates for Lync Server 2010” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235823.

For Exchange Server 2010 certificate requirements, see “Certificates” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235824, and “Understanding Certificate Requirements” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235825.

Additional or specific certificate requirements that differ from the requirements for Lync Server 2010 and Exchange Server 2010 are called out in the associated sections of this document.

3 Understanding the Lync Server Multitenant Hosting Pack

The Lync Server Multitenant Hosting Pack solution is an infrastructure layer that enables connection between various technology solutions. Dependencies for the solution include Microsoft Exchange Server, Exchange UM and Active Directory. Additionally, the Lync Server Multitenant Hosting Pack can communicate with VoIP devices.

The logical infrastructure for Lync Server Multitenant Hosting Pack includes zones for edge systems, proxy systems, data center systems, and VoIP. The server roles are focused within the edge system roles, proxy roles for Exchange, data center roles for Active Directory, Lync Server Multitenant Hosting Pack, and Exchange.

3.1 About Lync Server Multitenant Hosting Pack User Types

Understanding the different types of users explains why the server roles used in a Lync Server Multitenant Hosting Pack deployment differ from those used in an enterprise deployment of Lync Server 2010.

In a typical enterprise deployment of Lync Server 2010, there are the following types of users:

Internal users   These users access Lync Server services from inside the corporate network.
External users   These users have Lync Server user accounts and access Lync Server from outside the corporate network.
Federated users   These users have accounts with federated partners and access Lync Server from outside the corporate network.


In a Lync Server Multitenant Hosting Pack deployment, there are the following types of users:

External users   Also known as tenant users in this guide, these users have Lync Server user accounts associated with a specific tenant, and access Lync Server from outside the host’s network.
Federated users   These users have accounts with federated partners and access Lync Server from outside the host’s network.

3.2 Lync Server Multitenant Hosting Pack Server Roles

In a hosted deployment, Edge Servers act as the first point of contact only for requests coming from federated partners. This differs from a typical Lync Server 2010 Enterprise Edition deployment where the Edge Servers handle all incoming requests from outside the corporate network.

In a Lync Server Multitenant Hosting Pack deployment, incoming requests from tenant users go straight to Directors, bypassing Edge Servers. The Directors authenticate tenant users’ requests and redirect them to the appropriate Front End pool.

Important   Front End pools are external-facing, and are therefore visible to the public Internet. Additional IP addresses and certificates are required. This is different from a Lync Server 2010 enterprise deployment.

In cases where Lync Server deployments span multiple data centers, Directors must be the first point of contact to refer clients to the data centers hosting the Front End pool on which that user is homed. A pool of Directors with identical configurations provides fault tolerance for Lync Server Multitenant Hosting Pack deployments.

For the reference architectures included in this guide, all other server roles are the same as the roles for Lync Server 2010. For details, see “Server Roles” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230824.

3.3 Lync Server 2010 Control Panel

Some enhancements included in the Lync Server Multitenant Hosting Pack are not compatible with the Lync Server Control Panel. For example, enabled users are not displayed in the User section of the Lync Server Control Panel.

You should use the Lync Server Control Panel only in read-only mode. You should make all changes to the topology, server configuration, or user configuration by using cmdlets in the Lync Server Management Shell. For details, see “Lync Server Management Shell” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=213040.

Important   There are no restrictions on the use of the Topology Builder tool. You can use Topology Builder as you would normally with a Lync Server 2010 Enterprise Edition deployment.

3.4 Exchange Server 2010 SP2 Roles

The following Microsoft Exchange Server 2010 Service Pack 2 (SP2) roles are required to support a voice-enabled messaging system:

Client Access Servers   Support components such as Microsoft Exchange ActiveSync, Microsoft Outlook Web App, and Outlook Anywhere.
Hub Transport Servers   Perform the internal message transfers.
Mailbox Servers   Maintain mailbox store databases.
Unified Messaging Servers   Accept calls from the Lync Server infrastructure and present Auto Attendants, and record and play back voice mail messages.


4 Planning for the Lync Server Multitenant Hosting Pack

This section provides information to assist you in planning and preparing for deploying the Lync Server Multitenant Hosting Pack.

4.1 Architectures

The architectures described in this section illustrate the basic architectures necessary to support the specified number of tenant users. They are not meant to describe an actual deployment, but rather to serve as a starting point for planning a deployment. They provide a high-level understanding of the architecture and scalability of the product, and how it integrates with a similarly-scaled hosted Exchange Server 2010 environment. Exchange Server is included to support the common customer requirement of including a voice mail system with their telephony solution. The architectures are designed to support tenant user workloads as follows:

Architecture 1   50K Users—Heavy business users with approximately 75% concurrency and PSTN access

Architecture 2   5K Users—Heavy business users with approximately 75% concurrency and PSTN access

You should use the architectures provided as a starting point in the planning process. Keep in mind that you’ll need to modify these architectures to meet the needs of your organization’s expected usage profiles, service level agreements, and cost control requirements.

The following table lists the naming conventions that we use in the configuration diagrams and procedures for these architectures.

Server Role Naming Conventions

Server | Server role | Naming convention
Active Directory | Domain Controller | AD01, AD02, etc.
Exchange Server | Client Access server | EXCAS01, EXCAS02, etc.
Exchange Server | Hub Transport server | EXHUB01, EXHUB02, etc.
Exchange Server | Mailbox | EXMBX01, EXMBX02, etc.
Exchange Server | Unified Messaging | EXUM01, EXUM02, etc.
Lync Server | A/V Conferencing Server | AV0101, AV0102, etc. Note   The first pair of digits identifies the pool.
Lync Server | Back End Server | BESQL01, BESQL02, etc.
Lync Server | Director | DIR0101, DIR0102, etc. Note   The first pair of digits identifies the pool.
Lync Server | Edge Server | EDGE01, EDGE02, etc.
Lync Server | Front End Server | FE0101, FE0102, etc. Note   The first pair of digits identifies the pool and allows for up to 99 pools.
Lync Server | Mediation Server | MED0101, MED0102, etc. Note   The first pair of digits identifies the pool and allows for up to 99 pools.
Lync Server | Monitoring and Archiving Servers | MONARCH01, MONARCH02, etc.
Lync Server | Monitoring and Archiving back-end database | MONARCHSQL01, MONARCHSQL02, etc.

Scaling estimates are based on testing done by Microsoft using Lync Server 2010 Enterprise Edition. For details, see the following:

“Server Virtualization in Microsoft Lync Server 2010” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=211394.

“Capacity Planning Using the User Models” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230825.

“Estimating Voice Usage and Traffic” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230826.

4.1.1 Architecture 1 – Support for 50,000 Tenant Users

Architecture 1 is designed to support up to 50,000 tenant users that have PSTN access and A/V/PSTN, and that primarily use MAPI (that is, Outlook Anywhere) at approximately 75% concurrency. Server allocation provides basic redundancy for each server role with the exception of Monitoring and Archiving, which do not support fault-tolerance. It also provides additional servers and RAM for the Mailbox role to ensure performance meets expected levels during periods of peak activity.

Other assumptions about this architecture include the following:

Concurrency of use for the Exchange UM service will be <0.5%.
On average, only one in ten users is expected to be in a call at any given time. For details about estimating voice usage and traffic, see “Estimating Voice Usage and Traffic” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230826.
Depending on the percentage of calls using media bypass (including PC-to-PC calls), you may need fewer or additional Mediation Servers in your environment.

The following figure illustrates the topology for Architecture 1, and includes key mail server roles placed within recommended networks or zones.


Architecture 1 topology

The following table provides details about the number and types of servers in Architecture 1, as well as the processor, memory, and operating system requirements for each.

Servers in Architecture 1

Server role | # of servers | Operating system | CPU cores | RAM
Edge Server | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Front End pool 1 | 8 | Windows Server 2008 R2 Standard | 4 | 16 GB
Director | 6 | Windows Server 2008 R2 Standard | 4 | 16 GB
A/V Conferencing Server | 6 | Windows Server 2008 R2 Standard | 4 | 16 GB
Mediation Server | 8 | Windows Server 2008 R2 Standard | 4 | 16 GB
Monitoring/Archiving Server | 1 | Windows Server 2008 R2 Standard | 4 | 16 GB
Back End Server | 2 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Monitoring/Archiving database | 2 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Exchange Server, Hub Transport server, Client Access server + offline address book (OAB) | 8 | Windows Server 2008 R2 Standard | 4 | 16 GB
Exchange Server UM | 7 | Windows Server 2008 R2 Standard | 4 | 16 GB
Exchange Server, Mailbox server | 10 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Active Directory domain controllers | 3 | Windows Server 2008 R2 Standard | 4 | 16 GB

Note   All operating systems listed in the previous table are 64-bit editions.

4.1.2 Architecture 2 – Support for 5,000 Tenant Users

Architecture 2 is designed for service providers who need a system to support up to 5,000 tenant users that have PSTN access and A/V/PSTN, and that primarily use MAPI (that is, Outlook Anywhere) at approximately 75% concurrency. Server allocation provides basic redundancy for each server role with the exception of Monitoring and Archiving (which do not support fault-tolerance), and provides additional servers and RAM in the Exchange Server Mailbox server role to ensure performance during peak activity.

Other assumptions used in creating this design include the following:

Concurrency of use for the Exchange UM service will be <0.5%.
On average, only one in ten users is expected to be in a call at any given time. For details about estimating voice usage and traffic, see “Estimating Voice Usage and Traffic” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230826.
Depending on the percentage of calls using media bypass (including PC-to-PC calls), more or fewer Mediation Servers may be required.

The following figure illustrates the Architecture 2 topology, focusing on key collaboration server roles placed within recommended networks or zones.


Architecture 2 topology

The image does not display the following details:

None of the elements in the Edge zone are configured with external addresses configured for network address translation (NAT).
Some servers in the Proxy zone that need to communicate through the internet do not have addresses configured for NAT.
Some servers in the Data Center zone can have multiple network interfaces (NICs). Each server can have connections to multiple zones.
One adaptor for each Director and Front End Server is actually in the Edge zone.

The following table provides details about the number and types of servers in this reference architecture, as well as the processor, memory, and operating system requirements for each.

Architecture 2 Servers

Server role | # of servers | Operating system | CPU cores | RAM
Edge Server | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Front End pool 1 | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Director | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
A/V Conferencing Server | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Mediation Server | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Monitoring/Archiving Server | 1 | Windows Server 2008 R2 Standard | 4 | 16 GB
Back End Server | 2 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Monitoring/Archiving database | 2 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Exchange Server, Hub Transport server, Client Access server (CAS) + offline address book (OAB) | 4 | Windows Server 2008 R2 Standard | 4 | 16 GB
Exchange UM | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB
Exchange Server, Mailbox servers | 2 | Windows Server 2008 R2 Enterprise | 4 | 32 GB
Active Directory domain controllers | 2 | Windows Server 2008 R2 Standard | 4 | 16 GB

Note   All operating systems listed in the previous table are 64-bit editions.


4.2 Flexible Systems Scaling

It is possible to configure multiple Lync Server Multitenant Hosting Pack server roles on a single physical or virtual server, but it is not recommended for any roles other than Monitoring and Archiving server roles. For best performance and scalability, you should use one role per server. For example, as demand for web conferencing services increases, you can increase the number of A/V Conferencing Servers without affecting other areas in the collaboration environment.

4.3 Role-specific Load Balancing and Fault Tolerance

Different server roles support different techniques and architectures for load balancing and fault tolerance. Most Lync Server roles are designed to use DNS load balancing, a new feature in Lync Server 2010 implemented at the application level in both clients and servers. When used in a Lync Server Multitenant Hosting Pack deployment, the requesting application retrieves a list of the IP addresses of all available Front End Servers in a given pool and tries to connect with one after another until a connection succeeds. In contrast, most SIP trunk providers need to be told in advance the IP addresses of all Mediation Servers and will distribute incoming calls to those servers in a round-robin fashion. To learn more about DNS load balancing for Lync Server 2010, see the following:

“DNS Load Balancing” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230827
“DNS Load Balancing in Lync Server 2010” NextHop blog article at http://go.microsoft.com/fwlink/?LinkId=230828

The following table lists the load balancing technology per server role that service providers can use as a guideline for deployment in a production environment to implement high availability and fault tolerance.

Load Balancing Per Server Role

Server role | Load balancing technology
Director | Hardware load balancers
Edge Server | Hardware load balancers
Front End Server | Hardware load balancers
External Web Services | Integrated reverse proxy and load balancer or hardware load balancers. Note   We recommend that you publish these services from the Director pool and not the Front End Server. The web services URL for both the Director pool and Front End pool must be published via the Reverse Proxy and resolve to their respective pools.
Mediation Server outbound to PSTN | Hardware load balancers
Mediation Server inbound from PSTN | SIP Trunk Configuration
Exchange Server, Mailbox server | Exchange DAGs
Exchange Server, Hub Transport server | Automatic load balancing through the Microsoft Exchange Mail Submission service; hardware load balancers for incoming mail connectivity
Exchange Server, Client Access server | Hardware load balancers
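The DNS load balancing behavior described in section 4.3 (resolve the pool name, then try each address until one accepts) hides a dead pool member from users, so operators need a probe that tests every published address. The following is an added example, not part of the original guide or of Lync Server: the pool name, the addresses, and port 5061 (SIP over TLS) are constructed assumptions.

```python
"""Added example: client-side DNS load balancing versus static round-robin."""
import socket
from typing import Callable, Dict, List, Optional, Tuple

Resolver = Callable[[str], List[str]]
Connector = Callable[[str, int, float], bool]


def resolve_pool(fqdn: str) -> List[str]:
    """Return every IPv4 address DNS publishes for the pool FQDN, in answer order."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_STREAM)
    addresses: List[str] = []
    for *_, sockaddr in infos:
        if sockaddr[0] not in addresses:
            addresses.append(sockaddr[0])
    return addresses


def tcp_connect(ip: str, port: int, timeout: float) -> bool:
    """True if a TCP connection to ip:port is accepted within the timeout."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def connect_with_failover(
    fqdn: str,
    port: int,
    resolver: Resolver = resolve_pool,
    connector: Connector = tcp_connect,
    timeout: float = 3.0,
) -> Tuple[Optional[str], List[str]]:
    """Try each pool address in turn, as a DNS-load-balanced client does.

    Returns (address that accepted, addresses that failed before it).
    The first element is None when no pool member accepted.
    """
    failed: List[str] = []
    for ip in resolver(fqdn):
        if connector(ip, port, timeout):
            return ip, failed
        failed.append(ip)
    return None, failed


def audit_pool(
    fqdn: str,
    port: int,
    resolver: Resolver = resolve_pool,
    connector: Connector = tcp_connect,
    timeout: float = 3.0,
) -> Dict[str, bool]:
    """Probe every published address instead of stopping at the first success."""
    return {ip: connector(ip, port, timeout) for ip in resolver(fqdn)}


def round_robin(servers: List[str], calls: int) -> List[str]:
    """Static distribution over a pre-configured list, as a SIP trunk provider does."""
    return [servers[i % len(servers)] for i in range(calls)]


# Constructed sample data so the example runs offline (TEST-NET addresses).
SAMPLE_POOL = {"pool01.hoster.example": ["192.0.2.11", "192.0.2.12", "192.0.2.13"]}
SAMPLE_UP = {"192.0.2.12", "192.0.2.13"}  # 192.0.2.11 is treated as down
SIP_TLS_PORT = 5061  # assumption: SIP over TLS listener


def sample_resolver(fqdn: str) -> List[str]:
    return list(SAMPLE_POOL[fqdn])


def sample_connector(ip: str, port: int, timeout: float) -> bool:
    return ip in SAMPLE_UP


if __name__ == "__main__":
    name = "pool01.hoster.example"
    print(connect_with_failover(name, SIP_TLS_PORT, sample_resolver, sample_connector))
    print(audit_pool(name, SIP_TLS_PORT, sample_resolver, sample_connector))
    print(round_robin(["192.0.2.21", "192.0.2.22"], 5))
```

Calling the functions without the sample resolver and connector uses real DNS and TCP, which turns `audit_pool` into a monitoring check for a pool's published addresses.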

4.4 Mailbox Server Storage Design

You must consider the following components when planning the Mailbox server storage design:

mailbox size (quotas)
storage technology
resiliency levels
backup and restore capabilities

Each component must be considered to achieve the optimal storage design for Exchange Server 2010. To make this process easier, Microsoft has released the Exchange 2010 Mailbox Server Role Requirements Calculator, which is available on the Exchange Team Blog at http://go.microsoft.com/fwlink/?LinkId=230829. In addition, we recommend that Service Providers study “Mailbox Server Storage Design” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230830.

5 Deploying the Lync Server Multitenant Hosting Pack

The deployment of Lync Server Multitenant Hosting Pack is very similar to the deployment of Lync Server 2010, Enterprise Edition. This document provides guidance only on which steps to complete, skip, or modify to deploy the Lync Server Multitenant Hosting Pack successfully.

This section details where service providers must perform tasks other than the standard Lync Server 2010 tasks defined in “Deploying Lync Server 2010 Enterprise Edition” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=205563. Unless otherwise directed, follow all the steps in that guide. Any steps to be added, skipped, or modified are noted as appropriate in the remainder of this guide, and include a link to the applicable procedure.

5.1 Deploying Architecture 2

This section provides instructions on how to deploy Lync Server Multitenant Hosting Pack using Architecture 2 as an example. This sample deployment is designed to support approximately 5,000 tenant users. It includes guidance on how to integrate Lync Server with an existing Active Directory and Exchange Server 2010 infrastructure, but does not provide instructions on the initial deployment of that infrastructure. Note that the existing infrastructure must not include any previous deployments of Lync Server 2010. It also includes a summary of the process for creating private tenant organizations within Active Directory, and options for providing private tenant Exchange address books. Instructions about how to configure Exchange UM features to provide voice mail and other features for Lync Server users are also included.

This documentation provides a staged approach to deploying a consolidated Lync Server Multitenant Hosting Pack lab, starting with the minimum configuration required to get you up and running. The initial Hosting Pack topology deployment described in this section includes the following environment and components:

A single forest, single domain Active Directory structure
Two domain controllers with DNS and an Enterprise Root certification authority (CA)
A Director pool consisting of two Directors
An Edge pool consisting of two Edge Servers
An Enterprise Edition Front End pool consisting of two Front End Servers
A Mediation Server pool consisting of two Mediation Servers
An enterprise AV/Conferencing pool consisting of two A/V Conferencing Servers
A single server with both the Monitoring Server and Archiving Server role installed
A clustered SQL Server-based Back End Server that also contains the Central Management store
A clustered SQL Server-based Monitoring and Archiving back-end server database
A clustered file server hosting the Lync Server file store

A Lync Server Multitenant Hosting Pack deployment is different from a Lync Server 2010 Enterprise Edition deployment in the following ways:

A different set of installation media is used. Hosting Pack installation media has been optimized for hosts and is the only media supported for hosted, multitenant deployments.

No provision is made for “internal” users. All users are expected to connect over the Internet.

Procedures are provided to permit per-tenant Exchange Server dial plans without requiring per-tenant Lync Server dial plans.

Directors are used to provide for geographic redundancy and load distribution. By making Directors the first point of contact, clients can be redirected to the most appropriate data center.

Other than the few procedural modifications required to accommodate the preceding, deployment procedures are based on the following standard deployment process for Lync Server 2010 Enterprise Edition:

Lync Server 2010: “Deployment” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=206142 lists the standard procedures for deploying Lync Server 2010.

Exchange Server 2010: “Deploying Exchange 2010” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230798 provides detailed steps on configuring SMTP domains, mailboxes, UM IP gateways, UM dial plans and UM mailbox policies.

5.2 Change the Name and Domain of the Server Running Lync Server

It can be difficult to change server names after you deploy the Lync Server Multitenant Hosting Pack. You should make sure the server names for the following roles are the names you want to use before you start your deployment:

Edge Server
Front End
Director
AV Conferencing Server
Mediation Server

To change the computer name and domain of a server

1. To open Server Manager, click Start, click Administrative Tools, click Server Manager.
2. In Server Manager, click Change System Properties.
3. In the System Properties, click Change.
4. In Computer Name/Domain Changes, click More.
5. On the DNS Suffix and NetBIOS Computer Name dialog box, do the following:
   a. In the Primary DNS suffix of this computer field, enter the name of the external domain to be used by Lync Server (for example, <externaldomain>.com).
   b. Clear the Change primary DNS suffix when domain membership changes check box.
6. Click OK on each dialog box until you close the System Properties dialog box.
7. Verify that both the public domain name and the private Active Directory name are in the DNS suffix search order for the IP address.
8. Restart the server to apply the changes.

5.3 Installation Media

You can install the Lync Server Multitenant Hosting Pack by running Setup.exe included with the installation media.

After the Setup Wizard starts, the installation proceeds as described in the standard Lync Server 2010 Enterprise Edition Deployment documentation in the TechNet Library, with any exceptions to those steps noted in this document.

5.4 Install the Lync Server Multitenant Hosting Pack

Use the Lync Server Multitenant Hosting Pack installation media for this procedure. To start the installation, open Setup.exe in the \amd64 folder.

The installation media also includes a tool for applying patches to the Lync Server software, \amd64\LyncServerUpdateInstaller.exe.

Important   You must run the Lync Server Update tool on each server in your deployment after you complete the Setup or Remove Lync Server Components page in the Lync Server Deployment Wizard.

After you run the Lync Server update tool, use the Lync Server Deployment Wizard to complete the installation.

You must also run the Lync Server Update tool after installing the CSServices.msi file.

To begin your deployment, follow the procedures in the topics listed in the following table. Include each of the child topics within the sections listed.

Checklist for Installing the Lync Server Multitenant Hosting Pack

Completed | Topic
[ ] | Deploying Lync Server 2010 Enterprise Edition (http://go.microsoft.com/fwlink/?linkid=205563)
[ ] | Preparing the Infrastructure and Systems (http://go.microsoft.com/fwlink/?LinkId=235827)
[ ] | Set Up Hardware and the System Infrastructure (http://go.microsoft.com/fwlink/?LinkId=235828)
[ ] | System Requirements for Enterprise Edition Servers (http://go.microsoft.com/fwlink/?LinkId=235829)
[ ] | Install Operating Systems and Prerequisite Software on Servers (http://go.microsoft.com/fwlink/?LinkId=235830)
[ ] | Request Certificates in Advance (Optional) (http://go.microsoft.com/fwlink/?LinkId=235831)
[ ] | Configure IIS (http://go.microsoft.com/fwlink/?LinkId=235832)
[ ] | Configure SQL Server for Lync Server 2010 (http://go.microsoft.com/fwlink/?LinkId=235833)
[ ] | Configure DNS Records for a Front End Pool (http://go.microsoft.com/fwlink/?LinkId=207218)
[ ] | Defining the Topology in Topology Builder (http://go.microsoft.com/fwlink/?LinkId=235834)
[ ] | Topology Builder Installation Requirements (http://go.microsoft.com/fwlink/?LinkId=235835)
[ ] | Install Lync Server Administrative Tools (http://go.microsoft.com/fwlink/?LinkId=230832)

6 Define the Topology

When you perform the procedures for defining the topology, there are changes to two of the procedures that you need to be aware of for a Lync Server Multitenant Hosting Pack deployment.

Note   The Lync Server 2010, Planning Tool is not supported for the Lync Server Multitenant Hosting Pack.

These changes apply to the procedures in “Defining and Configuring the Topology” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230835:

When performing the steps in “Define and Configure a Topology in Topology Builder” at http://go.microsoft.com/fwlink/?LinkId=230837, you will be prompted to provide a location and file name for saving the topology. Choose New Topology and follow the instructions.

You do not need to specify additional supported domains at this time. Adding tenant SIP domains is covered later in the “Create Tenant SIP Domain” and in the “Provisioning Tenant Organizations” sections in this document.

The Topology Builder does not allow you to configure a topology in which the Edge Servers are bypassed. Because of this, you must make some configuration changes to your topology to enable communications between Lync Server 2010 servers. You should perform the steps described in the following sections of this document after you deploy Lync Server 2010 and the Lync Server 2010 Multitenant Hosting Pack:

Proxy Configuration   Describes how to set Front End Servers to capture needed information about NAT traversal. (In enterprise deployments, this information is captured by the Edge Servers.)

Create Tenant DNS Records   Lists the service records that you need to create and includes notes about port usage.

6.1 Create a Front End Pool

When performing the steps in “Define and Configure a Front End Pool” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230838, create a new Enterprise Edition Front End pool. Continue to follow the steps provided, applying the modifications described in the following list:

1. When defining the computers in this pool, use the fully qualified domain names (FQDNs) of the computers that will be in the Front End pool. These servers are FE0101 and FE0102 in the architecture, where the first two digits represent the pool number (in this case there is just one), and the second two digits represent the server within the pool (in this case “01” and “02”).

2. On the Select features page, select all features.

3. On the Select collocated server roles page, leave all options unselected. You will deploy stand-alone A/V Conferencing and Mediation Servers in later steps.

4. On the Associate server roles with this Front End pool page, leave all options unselected. You will update the topology when these server roles are deployed in later steps.


5. On the Define the SQL store page, define a new SQL database, specifying the FQDN and (optionally) named instance you created earlier according to Configure SQL Server for Lync Server 2010.

6. Complete all remaining steps in “Define and Configure a Front End Pool” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230838.

7. After you define and configure your topology, proceed with all steps listed in “Finalizing and Implementing the Topology Design” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230839.

6.2 Configure Front End Servers

You can complete most of the procedures involved in “Setting Up Front End Servers and Front End Pools” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=205559 without modification. There are two exceptions:

The “Bootstrap local machine” process assumes that a great number of language packs are installed and will raise errors for any not installed. It is safe to ignore these errors for any languages that you don’t intend to use.

Front End Servers should have public IP addresses that are not configured to use NAT in addition to their private ones. This is because the Lync Server Multitenant Hosting Pack topology does not use Edge Servers to proxy SIP communication between the Internet and the Front End Servers.

6.3 Add Server Roles

Except where noted in this section, you can follow the standard procedures for “Adding Server Roles” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230842. You need to deploy the following additional server roles:

Directors   Instructions for service providers are provided in the “Deploy Edge Servers” section later in this document.

Stand-Alone A/V Conferencing Server

Edge Servers   Instructions for service providers are provided in the “Deploy Edge Servers” section later in this document.

Enterprise Voice (Mediation Servers)

Dial-in Conferencing   For an overview, see the “Overview of the Audio Conferencing Provider” later in this document.

Monitoring

Archiving

Response Group

Note   Do not add the Call Park application because it is not supported in the Lync Server Multitenant Hosting Pack.

6.4 Deploy Edge Servers

Both the Lync Server Multitenant Hosting Pack and Lync Online differ from Lync Server enterprise deployments in their use of Directors to refer clients to the appropriate data center. Also, Directors are domain-joined in the Lync Server Multitenant Hosting Pack instead of being deployed in the perimeter network. This guidance does not include a multi-data center configuration, but configuring Directors as described in this section makes them available for appropriate referrals if additional data centers are added later.

To provide for referrals between data centers by Directors, the Lync Server Multitenant Hosting Pack employs the following configurations that differ from Lync Server 2010 Enterprise Edition deployments:

Directors are accessible via unproxied public IP addresses. This allows Directors to be the first point of contact, and to direct clients to the correct pool in the correct data center.

Directors are configured to direct clients to the public IP addresses of Front End Server pools instead of the private IP addresses of Front End Servers. This, in turn, requires making the internal FQDN of the Front End pool resolve to its external IP addresses.

The guidance in this section and in the “Provisioning Tenant Organizations and Tenants” section later in this document describes how to implement these configurations. Follow the standard guidance in “Deploying Edge Servers” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=205567 unless otherwise directed below:

When you follow the steps in “Configure DNS Records for Edge Support” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230843, you must configure the DNS records for the initial test SIP domain. Configure the SRV record to point to the Director pool, not the Edge Server pool. In addition, create one external DNS record for the FQDN of the Front End pool for each external IP address of the Front End Servers. This causes client automatic configuration requests to go to the Director pool, which then refers the requests to the Front End pool.

When you perform the steps in “Configure the DNS Suffix for Edge Servers” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230844, set the DNS suffix to the name of the external domain used by the Lync Server deployment.

6.5 Define the Edge Topology

To be consistent with instructions provided in “Defining Your Edge Topology” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230845, this document assumes that you’re using DNS load balancing. If you choose to use hardware load balancing for the Edge Server pool, you need to develop your own procedures for doing so.

Also, this deployment guide assumes that the external Edge interfaces are not configured to use NAT. If you choose to use NAT for this purpose, you will need to develop your own procedures for doing so.

Complete the steps to “Define the Topology for a DNS Load Balanced Edge Pool” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230846.

6.6 Build the Edge and Directory Topology

For an overview of the tasks involved in this process, see “Building an Edge and Director Topology” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230847. Configuring the Director for use with Lync Server Multitenant Hosting Pack will require two deviations from the typical Lync Server 2010, Enterprise Edition deployment:

As with other roles, begin by running Setup.exe.

The Directors require public IP addresses that do not use NAT.

The following sections describe these configurations in the context of the standard guidance.

If you choose to use hardware load balancing, you will need to develop your own procedures. Otherwise, follow the steps provided in the following:

“Define the Director” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230848.

“Defining Your Edge Topology” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230845.

An issue can arise if you follow the steps to “Define the Topology for a DNS Load Balanced Edge Pool” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230846 in a Lync Server Multitenant Hosting Pack deployment. If the Director pool is specified as described in Step 18 Define the next hop, an endless loop is created because the Director is the client’s first point of contact. Instead, select the Front End pool in this step.

6.7 Deploy the Director

Because the Director pool serves as the first point of contact for Lync Server clients, each Lync Server must have interfaces with public IP addresses that do not use NAT. In this respect, they are similar to Edge Servers. As such, you should follow the guidance “To configure interfaces with DNS servers in the perimeter network” found under “Set Up Network Interfaces for Edge Servers” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230849.

Setting up the Director and Edge Servers for use with the Lync Server Multitenant Hosting Pack does not require any other special guidance.

6.8 Monitoring

For details about Monitoring, see “Deploying Monitoring” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=207085.

7 Post-Installation Configuration

You must complete the tasks in this section after you complete the installation.

7.1 Install Additional Components

You need to install a few more components on all Front End Servers, Edge Servers, Mediation Servers, Monitoring Server, and Archiving Servers before you can complete the post-installation configuration process. Run the following Windows Installer scripts from an elevated command prompt on every instance of these servers before proceeding:

\SQLSysClrTypes.msi
\ShareManagementObjects.msi
\Setup\CSServices.msi

After you install the Hosted Management Services, you must update them by running the Lync Server Update tool, LyncServerUpdateInstaller.exe, on each server on which you installed them.

7.2 Modify Lync Server Management Shell

The Lync Server Multitenant Hosting Pack includes an additional Windows PowerShell® module that provides cmdlets used in the management of tenants and other aspects of the hosted solution. You can automatically provide access to these cmdlets by modifying the target of the shortcut for the Lync Server Management Shell as follows:

C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe -noexit -command "cd $env:UserProfile; Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2010\Modules\Lync\Lync.psd1'; Import-Module LyncOnline"

Alternatively, you can run the following command each time you open the Lync Server Management Shell:

Import-Module LyncOnline

7.3 Update Active Directory for Hosted Management Services

The Lync Server 2010 Hosting Pack includes tools to update the Active Directory schema and create a root organizational unit for Lync resellers and tenants. To use them, open the Lync Server Management Shell with elevated permissions (open as administrator) and run the following commands:

Install-CsAdServiceSchema
Enable-CsAdForest
Enable-CsAdDomain
(Get-CsTopology -AsXml).ToString() > C:\Topology.xml
Publish-CsTopology -FileName "C:\Topology.xml"
Enable-CsTopology
Enable-CsServiceTopology

The first command extends the Active Directory schema to include information required by the Lync Server 2010 Hosting Pack. The second command prepares the Active Directory forests for operation of the Lync Server 2010 Hosting Pack. The third command prepares the Active Directory domain for the Lync Server 2010 Hosting Pack. The remaining commands re-publish and enable the topology.

Part of the Active Directory domain preparation is the creation of the root tenant OU, “\OCS Tenants”. Tenants can be created either directly in this directory, or in one or more levels of nested reseller OUs.

7.3.1 Move Root Tenant OU

If you are installing the Lync Server Multitenant Hosting Pack in an Active Directory environment that already has an organizational unit for tenants, or if you want to change the root tenant OU for any other reason, you can do so with the following procedure.

This procedure describes how to use ldp.exe to change the otherWellKnownObjects attribute to point to the root tenant OU.

To change the root OU for a tenant

1. Run ldp.exe.

2. In the Connection menu, click Connect.

3. In the Connection menu, click Bind.

4. In the View menu, click Tree and select the configuration partition from the drop-down menu, then click OK.

Note   The configuration partition option is the one that begins with “CN=Configuration”.

5. Right-click on the root node, select Modify, and then do the following:

c. In the Edit Entry box, enter “otherWellKnownObjects” for Attribute and “B:32:DE8197E3283B2C439A62F871E529F7DD:<DN of root tenant OU here>” for Values.

d. In the Operation box, select the Replace radio button and click Enter.

e. Then click Run.

6. On the Connection menu, click Exit to close ldp.exe.
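Because step 5 replaces an attribute on the root of the configuration partition, it is worth checking the value string before clicking Run. The following is an added example, not part of the original guide: it parses the DN-Binary form used above (B:<hex character count>:<hex value>:<DN>) and reports common mistakes. The function name Test-RootTenantOuValue and the sample OU name “Hosted Tenants” are assumptions made for illustration.

```powershell
# Added example, not from the deployment guide. Test-RootTenantOuValue is a
# hypothetical helper name and the sample values below are constructed.

# GUID portion of the value shown in step 5 of the procedure above.
$RootTenantOuGuidHex = 'DE8197E3283B2C439A62F871E529F7DD'

function Test-RootTenantOuValue {
    param([string]$Value)

    $problems = @()

    # DN-Binary layout: B:<hex character count>:<hex>:<distinguished name>.
    # Limit the split to four parts so colons inside the DN are left alone.
    $parts = $Value -split ':', 4
    if ($parts.Count -ne 4) {
        $problems += 'Expected four fields: B:<count>:<hex>:<DN>.'
    }
    else {
        $prefix, $countText, $hex, $dn = $parts

        if ($prefix -cne 'B') {
            $problems += "Prefix must be 'B', found '$prefix'."
        }

        # The count is the number of hex characters, not the number of bytes.
        $count = 0
        if (-not [int]::TryParse($countText, [ref]$count)) {
            $problems += "Character count '$countText' is not a number."
        }
        elseif ($count -ne $hex.Length) {
            $problems += "Count says $count but the hex field has $($hex.Length) characters."
        }

        if ($hex -notmatch '^([0-9A-Fa-f]{2})+$') {
            $problems += 'Hex field must be whole bytes of hexadecimal digits.'
        }
        elseif ($hex -ne $RootTenantOuGuidHex) {
            # -ne compares strings case-insensitively.
            $problems += 'Hex field is not the root tenant OU GUID from the procedure.'
        }

        # Heuristic checks only: catch an unreplaced placeholder or a value
        # that is clearly not an OU/CN path under a domain.
        if ($dn -match '[<>]') {
            $problems += 'DN still contains the <...> placeholder.'
        }
        elseif ($dn -notmatch '^(OU|CN)=.+,DC=[^,]+$') {
            $problems += "DN '$dn' does not look like an OU path ending in DC= components."
        }
    }

    New-Object PSObject -Property @{
        Value    = $Value
        IsValid  = ($problems.Count -eq 0)
        Problems = ($problems -join ' ')
    }
}

# Constructed sample values: one well-formed, three with typical mistakes.
$samples = @(
    'B:32:DE8197E3283B2C439A62F871E529F7DD:OU=Hosted Tenants,DC=litwareinc,DC=com',
    'B:32:DE8197E3283B2C439A62F871E529F7DD:<DN of root tenant OU here>',
    'B:16:DE8197E3283B2C439A62F871E529F7DD:OU=Hosted Tenants,DC=litwareinc,DC=com',
    'B:32:DE8197E3283B2C439A62F871E529F7D:OU=Hosted Tenants,DC=litwareinc,DC=com'
)

$samples | ForEach-Object { Test-RootTenantOuValue $_ } |
    Format-List IsValid, Problems, Value
```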

7.4 Global Client Policies for Address Book Web Query

The Lync Server 2010 Hosting Pack is designed to allow clients to use only the Address Book Web Query service, and not the Address Book Service that can be used in Lync Server 2010 Enterprise Edition. The following cmdlet demonstrates how to configure the Address Book server for all users by setting the global client policy to allow only the Address Book Web Query service:

Set-CsClientPolicy -Identity global -AddressBookAvailability WebSearchOnly

This command sets the AddressBookAvailability parameter to WebSearchOnly. Keep in mind that if client policies are set at the site or user level, these policies must also have the AddressBookAvailability parameter set to WebSearchOnly. For example, if there is a client policy for users on the Redmond site, you must set the AddressBookAvailability property of that policy:

Set-CsClientPolicy -Identity site:Redmond -AddressBookAvailability WebSearchOnly

7.5 Lync Server Dial Plans

Dial plans in Lync Server are distinct from dial plans in Exchange UM. Dial plans, which were called location profiles in Microsoft Office Communications Server 2007, do not route calls to Exchange by matching the name of the Lync Server dial plan to the name of the Exchange dial plan. Instead, calls are routed in part by matching the Lync Server user’s SIP address with their SIP unified messaging extension. As a result, Lync Server administrators can create one or more Lync Server dial plans based on geography, tolling or other considerations and employ them without regard to the tenant to which a user belongs.

To create a new Lync Server dial plan, run a command similar to the following from the Lync Server Management Shell:

New-CsDialPlan -Identity Site:Seattle -SimpleName SeattleDialPlan

When you create a dial plan, a default normalization rule is associated with that dial plan. You should modify that normalization rule to apply to the dial plan. Here is an example of modifying a normalization rule for the SeattleDialPlan we just created:

New-CsVoiceNormalizationRule -Identity 'Site:Seattle/SeattlePrefix' -Pattern '^9(\d*){1,5}$' -Translation '+1206$1'

The preceding dial plan was created at the user scope, which means it must be assigned directly to the user or users to whom it will apply. To assign a dial plan to a user, use the Grant-CsDialPlan cmdlet:

Grant-CsDialPlan -Identity [email protected] -PolicyName "SeattleDialPlan"

7.6 Proxy Configuration

The Lync Server platform must be configured to treat all clients as external to ensure that their private and public IP addresses are provided to Exchange UM when calls are transferred from the Front End Server to the Exchange UM server. By default, clients trying to connect through Edge Servers are treated as external and those connecting through Front End Servers are treated as internal. To ensure that all clients are treated as external, run the following command:

Set-CsProxyConfiguration -Identity global -TreatAllClientsAsRemote $True

Setting the TreatAllClientsAsRemote parameter to True will cause the proxy server to treat all connections as external connections.

8 Provisioning Tenant Organizations

After you deploy the Lync Server 2010 Hosting Pack, including the Director, Edge Server, Front End Server, Back End Server, Mediation Server, and A/V Conferencing Server roles, you can provision tenant organizations. Before you can provision individual users, you must create tenant organizations in Active Directory, Lync Server, and Exchange Server by following the steps in this section.

8.1 Create and Secure the Organizational Units

The Lync Server 2010 Hosting Pack requires that tenant OUs be created under the root organizational unit called “\OCS Tenants”. Many hosters will want to represent reseller organizations as subordinate OUs (sub-OUs), each with sub-OUs representing tenants. You should use Active Directory permissions or other suitable mechanisms to ensure that management tools have adequate access to the tenant OU, and that other tenants do not have inappropriate access.

8.2 Set TenantId and ObjectId

Lync Server 2010 Hosting Pack uses the Active Directory attributes msRTCSIP-TenantId and msRTCSIP-ObjectId to associate tenant OUs with individual users, so you must copy the tenant OUs to those attributes. You can use Windows PowerShell commands from the Active Directory module to create this association. To use the Active Directory cmdlets you must either import the Active Directory module into your Windows PowerShell or Lync Server Management Shell window, or you must run the commands from the Active Directory Module for Windows PowerShell window. The Active Directory module is installed by default on your domain controller. To import the Active Directory module, run the following command at the Windows PowerShell prompt:

Import-Module ActiveDirectory

Alternatively, to open the Active Directory Module for Windows PowerShell window, on the Start menu, click Administrative Tools, and then click Active Directory Module for Windows PowerShell.

The following commands will copy the tenant OU, based on the globally-unique identifier (GUID) of the OU, into the msRTCSIP-TenantId and msRTCSIP-ObjectId attributes.

$OU = "OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com"

$OUObject = Get-ADOrganizationalUnit -Identity $OU

$GUID = $OUObject.ObjectGUID

The first line in the preceding commands sets a variable to the full LDAP path of the OU we want to set. The second line calls the Get-ADOrganizationalUnit cmdlet to retrieve that OU, storing it in the variable $OUObject. The third line retrieves the GUID, stored in the ObjectGUID property, of the OU and stores it in another variable ($GUID). Next we need to set the msRTCSIP-TenantId and msRTCSIP-ObjectId properties.

$OUObject | Set-ADOrganizationalUnit -Replace @{'msRTCSIP-TenantId'=$GUID}

$OUObject | Set-ADOrganizationalUnit -Replace @{'msRTCSIP-ObjectId'=$GUID}

In these two lines we pipe the OU object that is stored in our $OUObject variable to the Set-ADOrganizationalUnit cmdlet. Set-ADOrganizationalUnit has a number of parameters that allow you to directly set Active Directory properties, such as Server, City, and PostalCode. For the less-commonly used properties, such as msRTCSIP-TenantId, we use the Replace parameter, passing it the name of the property we want to set and the value we want to set it to. Using the Replace parameter will replace any value or values currently stored in that property with the value you specify.

Finally, we retrieve all the users in the specified OU and set the msRTCSIP-GroupingID and msRTCSIP-TenantId properties to the GUID of the OU:

Get-ADUser -LDAPFilter "(ObjectClass=user)" -SearchBase $OU -Properties msRTCSIP-GroupingID,msRTCSIP-PrimaryUserAddress,comment | Set-ADUser -Replace @{'msRTCSIP-GroupingID'=$GUID}

Get-ADUser -LDAPFilter "(ObjectClass=user)" -SearchBase $OU -Properties msRTCSIP-GroupingID,msRTCSip-TenantID,msRTCSIP-PrimaryUserAddress,comment | Set-ADUser -Replace @{'msRTCSip-TenantID'=$GUID}

The first thing we do in each of these commands is to retrieve all the users in the OU. We do that by calling the Get-ADUser cmdlet and passing values for the LDAPFilter and SearchBase parameters. The LDAPFilter value specifies that we want to retrieve all users who actually are users, meaning their ObjectClass property has a value of user. The SearchBase property is set to the distinguished name of the OU (which we stored previously in the $OU variable). Notice that we also supply values for the Properties parameter. This isn’t necessary, but it will speed up your query by limiting the amount of data about each user that is returned. This is especially useful if you’re running these commands over a remote session.

After we’ve retrieved all the users in the specified OU, we pipe that information to the Set-ADUser cmdlet, which will modify the settings for each of those users. We again use the Replace parameter, this time replacing the value in the msRTCSIP-GroupingId property with the GUID of the OU. Finally, we do the exact same thing, but this time replacing the value of the msRTCSIP-TenantId property with the GUID.
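Tenant separation depends on every user in a tenant OU carrying that OU's GUID, so it is useful to audit the result after stamping. The following is an added example, not code from the guide: ConvertTo-TenantGuid and Find-TenantIdMismatch are hypothetical helper names, the sample objects are constructed, and it assumes the attributes read back as 16-byte values (a Guid or a GUID string is also accepted).

```powershell
# Added example, not from the deployment guide. Helper names are hypothetical
# and the sample directory objects are constructed so the script runs offline.

function ConvertTo-TenantGuid {
    param($Value)
    # Assumption: the attribute may come back as a Guid, a 16-byte array
    # or a string, depending on how it was written and read.
    if ($null -eq $Value) { return $null }
    if ($Value -is [Guid]) { return $Value }
    if ($Value -is [byte[]]) {
        if ($Value.Length -ne 16) { return $null }
        return New-Object Guid (,$Value)
    }
    try { return New-Object Guid ([string]$Value) } catch { return $null }
}

function Find-TenantIdMismatch {
    param(
        [Guid]$TenantGuid,
        [object[]]$DirectoryObject,
        [string[]]$Attribute = @('msRTCSIP-TenantId', 'msRTCSIP-GroupingID')
    )
    foreach ($obj in $DirectoryObject) {
        foreach ($name in $Attribute) {
            $actual = ConvertTo-TenantGuid ($obj.$name)
            if ($null -eq $actual) { $state = 'Missing' }
            elseif ($actual -ne $TenantGuid) { $state = 'Mismatch' }
            else { continue }   # attribute matches the OU GUID

            New-Object PSObject -Property @{
                Name      = $obj.Name
                Attribute = $name
                State     = $state
                Found     = $actual
            }
        }
    }
}

# Constructed sample data. The tenant GUID is the example GUID used elsewhere
# in this guide; the second GUID stands in for a different tenant.
$tenant = [Guid]'595b58ab-3137-406a-a32b-32e23fc8b56b'
$other  = [Guid]'11111111-2222-3333-4444-555555555555'

$sampleUsers = @(
    (New-Object PSObject -Property @{
        Name = 'user1'
        'msRTCSIP-TenantId'   = $tenant.ToByteArray()
        'msRTCSIP-GroupingID' = $tenant.ToByteArray() }),
    (New-Object PSObject -Property @{
        Name = 'user2'                       # stamped with another tenant's ID
        'msRTCSIP-TenantId'   = $other.ToByteArray()
        'msRTCSIP-GroupingID' = $tenant.ToByteArray() }),
    (New-Object PSObject -Property @{
        Name = 'user3'                       # GroupingID never set
        'msRTCSIP-TenantId'   = $tenant.ToByteArray()
        'msRTCSIP-GroupingID' = $null })
)

Find-TenantIdMismatch -TenantGuid $tenant -DirectoryObject $sampleUsers |
    Format-Table -AutoSize Name, Attribute, State, Found

# Against a live directory, feed it the same queries used in this section:
#   $ouObject = Get-ADOrganizationalUnit -Identity $OU
#   $users = Get-ADUser -LDAPFilter "(ObjectClass=user)" -SearchBase $OU `
#                -Properties msRTCSIP-GroupingID,msRTCSIP-TenantID
#   Find-TenantIdMismatch -TenantGuid $ouObject.ObjectGUID -DirectoryObject $users
```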

8.3 Add UPN Suffix to Tenant OU

To enable users in the tenant OU to have user principal names (UPNs) that match their email and SIP addresses, the domain must be added as a permitted UPN suffix to the tenant OU. Use ADSIEdit or another tool to add the domain to the OU’s uPNSuffixes property.

8.4 Create Tenant SIP Domain

To provide customized behaviors for a tenant-specific SIP domain (referred to in this document as tenant SIP domain), Lync Server needs to be aware of the domain.

To create the tenant SIP domain and associate it with the tenant OU, first run the following command in the Lync Server Management Shell:

New-CsSipDomain -Identity fabrikam.com

Next, use ADSIEdit or other tool to add the domain to the msRTCSIP-Domains attribute of the tenant OU. Afterwards, you should see the domain listed when querying the properties of the tenant:

Get-CsTenant | Format-Table -AutoSize Id,Domains

Id                                                      Domains
--                                                      -------
OU=fabrikam.com,OU=OCS Tenants,DC=partner-hosted,DC=com {fabrikam.com}
OU=fabrikam.net,OU=OCS Tenants,DC=partner-hosted,DC=com {fabrikam.net}

8.5 Configure Exchange Email

Use tools and procedures of your choice to configure the tenant OU with email, including one or more SMTP domains and private address lists.

8.6 Configure Unified Messaging

To configure Exchange UM, you need to perform steps on servers running Exchange and Lync Server.

8.6.1 Create Tenant Exchange Dial Plan and Exchange UM Mailbox Policy

To enable users for Exchange UM, they must be assigned a dial plan and Exchange UM mailbox policy. In order for each tenant organization to have its own dial-by-name directory and other forms of privacy, each tenant must be assigned to a different dial plan. A tenant dial plan and associated Exchange UM mailbox policy can be created using the following Exchange 2010 Management Shell command:

New-UMDialplan -Name "<TenantDialPlanName>" -UriType SipName -NumberofDigitsInExtension <TenantExtensionDigits> -VoIPSecurity Secured -CountryorRegionCode 1 -GenerateUMMailboxPolicy $true -AccessTelephoneNumbers <TenantAccessTelephoneNumber>

This example uses variables as placeholders that you should replace with real values when provisioning a tenant:

TenantDialPlanName   A unique name for the dial plan. It is advantageous for troubleshooting purposes to have the TenantDialPlanName reflect the name of the tenant and reseller.

TenantExtensionDigits   The number of digits to be used in Exchange UM extensions. Note that to simplify management, full 10-digit phone numbers were used when developing this documentation.

TenantAccessTelephoneNumber   This is the E.164 telephone number or numbers that users will call to retrieve their voicemail and otherwise interact with Outlook Voice Access.

Here’s an example of what this command might look like:

New-UMDialplan -Name "FabrikamDP" -UriType SipName -NumberofDigitsInExtension 10 -VoIPSecurity Secured -CountryorRegionCode 1 -GenerateUMMailboxPolicy $true -AccessTelephoneNumbers "+12065551234"

The UriType parameter specifies the URI type that will be sent and received with SIP messages. Possible values are SipName, E164, and TelExtn. The VoIPSecurity parameter can have a value of Secured, SIPSecured, or Unsecured. GenerateUMMailboxPolicy is True by default, which indicates that we want to create an Exchange UM mailbox policy when the dial plan is created.

8.6.2 Assign Tenant Dial Plan to All Available Exchange UM Servers

After creating the Exchange UM dial plan you must associate it with an Exchange UM server. To do this, use a command such as the following from the Exchange Management Console:

Set-UmServer -Identity UMServer1 -DialPlans Fabrikam1

8.6.3 Update Exchange UM/Lync Server Integration Configuration

Microsoft provides the script exchucutil.ps1, located in the scripts subfolder of the Exchange installation folder on Exchange UM servers, to automate the following tasks:

Create an Exchange UM IP gateway representing each Front End pool. This allows calls to be routed between the Exchange and Lync Server platforms.

Create an Exchange UM hunt group for each dial plan. This links the configuration of each dial plan to the Exchange UM IP gateway by creating hunt groups including each of the TenantAccessTelephoneNumbers.

Grant Lync Server permission to read Exchange UM Active Directory objects.

During testing, this script was run repeatedly without damaging existing dial plans or other Exchange UM configurations. For additional safety and efficiency, hosts may want to develop modified versions of exchucutil.ps1 that perform only the functions specific to a new tenant.

8.6.4 Create Lync Server Contacts for Exchange UM Subscriber Access

For Lync Server to route calls to and from Exchange Server, it needs to configure contact objects representing Exchange UM objects. To configure these contacts, use the Exchange UM Integration Utility.

1. On a Front End Server, open a command prompt as an administrator: click Start, click Accessories, right-click Command Prompt, and then click Run as Administrator.

2. Type the following command and then press Enter:

cd %CommonProgramFiles%\Microsoft Lync Server 2010\Support

3. To run the Exchange UM Integration Utility, type the following command and then press Enter:

OcsUmUtil.exe

4. Click Load Data. You should see all of the Exchange Server dial plans listed in the left column, “SIP Dial Plans,” but with no contacts listed for the most-recently added dial plan.

5. Click Add, and then fill in the required information as follows:

o Dial Plan   This should be auto-populated with the correct information.

o Organizational Unit   For the purpose of developing this documentation, all Lync Server contacts related to Exchange UM were stored in a root-level OU named “Lync UM Contacts.”

o Name   The name of the dial plan should appear automatically.

o SIP Address   This should take the form of sip:<PhoneContext of the dial plan, as reported by the Exchange Management Shell cmdlet get-umdialplan>@<TenantSipDomain> (for example, sip:[email protected]).

o Server or pool   Select your Front End pool, not your Director pool.

o Phone Number   This should be one of the E.164 phone numbers contained in the AccessTelephoneNumbers property, as reported by the Exchange Management Shell cmdlet Get-UMDialPlan.

o Contact Type   Subscriber Access.

6. Click OK. After you have created the contact, you will still see a red exclamation point and the following error message:

A location profile has not been created that matches this dial plan. Until a location profile is created, the UM play-on-phone and call transfer features may not work (ignore this error for Exchange 14 SP1 and above).

As the error message states, you can safely ignore it. Avoid creating a Lync Server dial plan that matches the Exchange Server dial plan.

7. To be able to associate UM-related contacts with a tenant organization, Lync Server 2010 Hosting Pack uses the Active Directory attribute msRTCSIP-TenantId to associate tenant OUs, users, and contacts. You can create this association by running the following commands as an administrator at an Active Directory Module for Windows PowerShell command prompt, which will copy the tenant OU’s globally-unique identifier (GUID) into the msRTCSIP-TenantId and msRTCSIP-GroupingId attributes of the contact:

$OU = "OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com"

$Contact = "CN=tenant1,OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com"

$OUObject = Get-ADOrganizationalUnit -Identity $OU

$GUID = $OUObject.ObjectGUID

Get-ADObject -Identity $Contact -Properties msRTCSIP-GroupingID,msRTCSIP-TenantID |Set-ADObject -Replace @{'msRTCSIP-GroupingID'=$GUID}

Get-ADObject -Identity $Contact -Properties msRTCSIP-GroupingID,msRTCSIP-TenantID |Set-ADObject -Replace @{'msRTCSip-TenantID'=$GUID}

Get-ADObject -Identity $Contact -Properties msRTCSIP-GroupingID,msRTCSIP-TenantID |Format-Table -AutoSize name,msRTCSIP-GroupingID,msRTCSIP-TenantID

These commands begin by setting some variables that will be used to retrieve and set information. The first variable we set is $OU, which contains the distinguished name of the OU you want to work with. The second variable, $Contact, contains the distinguished name of the contact you want to associate with the OU. Next, call the Get-ADOrganizationalUnit command, passing it the distinguished name of the OU to retrieve the OU object, and then store that object in the $OUObject variable. Finally, you retrieve the GUID for that OU object from the ObjectGUID property and store it in the $GUID variable.

Now you are ready to set the contact attributes in the same way that you set the attributes on the users as described previously in the Set TenantId and ObjectId section.

8.7 Configure Tenant Federation Settings

Important   When you configure tenant federation settings, you should follow the steps either in this section, or the steps in section

Tenants may want to allow their users to communicate with some, all or no other tenants; or with outside organizations. The following are examples of how you can use Lync Server Management Shell commands to achieve the settings you want for a tenant.

8.7.1 Getting Tenant Federation Settings

To retrieve the settings for a particular tenant, use the following command:

Get-CsTenantFederationConfiguration -Tenant [TenantID]

Note that unlike most Lync Server Get-* cmdlets, you cannot call Get-CsTenantFederationConfiguration with no parameters to return all configurations; you must specify a Tenant ID. Tenant IDs are in the form of a GUID. For example, your command to retrieve a tenant federation configuration will look something like this:

Get-CsTenantFederationConfiguration -Tenant 595b58ab-3137-406a-a32b-32e23fc8b56b

Another way to retrieve a tenant federation configuration would be to first retrieve the tenant ID, save the ID to a variable, then pass that variable to the Get-CsTenantFederationConfiguration cmdlet, as shown in the following commands:

$t = Get-CsTenant | Where-Object {$_.DisplayName -eq "Tenant1"}

Get-CsTenantFederationConfiguration -Tenant $t.TenantId

The first command calls Get-CsTenant to retrieve all tenants, and then it pipes that list of tenants to the Where-Object cmdlet. Where-Object looks for the tenant with a DisplayName that is equal to (-eq) Tenant1. That tenant is saved to the variable $t. Now when we call Get-CsTenantFederationConfiguration we can pass the TenantId property of the tenant we just retrieved. By using these commands we were able to retrieve a tenant federation configuration without having to type in a GUID.

8.7.2 Adding Domains to the Tenant Allow List

To allow a tenant to communicate with other domains, you must add those domains to the Allow list. To add domains to the Allow list for a tenant, run the following commands:

$d1 = New-CsEdgeDomainPattern -Domain "fabrikam.com"

$d2 = New-CsEdgeDomainPattern -Domain "contoso.com"

$a = New-CsEdgeAllowList -AllowedDomain @{replace=$d1,$d2}

Set-CsTenantFederationConfiguration -Tenant [TenantID] -AllowedDomains $a

The first two commands call the New-CsEdgeDomainPattern cmdlet. This cmdlet creates the domain object that will be added to the Allow list. Notice that we assigned the results of these commands to variables ($d1 and $d2). If you don’t assign the new object to a variable, that object will be created only in memory and will not be saved.

Next, we call New-CsEdgeAllowList with the AllowedDomain parameter. We add the two domains we just created to the Allow list and save the list object to the variable $a. Like New-CsEdgeDomainPattern, the object is created only in memory so we must save it to a variable. Finally, we call Set-CsTenantFederationConfiguration, specifying the ID (that is, the GUID) of the tenant we want to modify as the value for the Tenant parameter, and the list we just created as the value for the AllowedDomains parameter.

8.7.3 Adding Domains to the Tenant Block List

To prevent a tenant from communicating with another domain, you must add that domain to the tenant’s Block list. The commands for adding a domain to the Block list are similar to adding the domain to the Allow list as described in the previous section. The only difference is that instead of creating a list object with the domains, we simply add the domains directly to the tenant federation configuration by using the BlockedDomains parameter, passing it the domains we want to block.

$bd1 = New-CsEdgeDomainPattern -Domain "cohowinery.com"
$bd2 = New-CsEdgeDomainPattern -Domain "tailspintoys.com"
Set-CsTenantFederationConfiguration -Tenant [TenantID] -BlockedDomains @{Replace=$bd1,$bd2}

8.7.4 Clearing the Tenant Block List

To remove all domains from a tenant’s Block list, run the following command:

Set-CsTenantFederationConfiguration -Tenant [TenantID] -BlockedDomains $null

To remove a single domain from a tenant’s Block list, run commands similar to the following:

$bd2 = New-CsEdgeDomainPattern -Domain "tailspintoys.com"
Set-CsTenantFederationConfiguration -Tenant [TenantID] -BlockedDomains @{Remove=$bd2}

In this example, we called the New-CsEdgeDomainPattern cmdlet to create a reference to the tailspintoys.com domain, one of the domains we added to our Block list in the previous section. This time when we call Set-CsTenantFederationConfiguration, we use the Remove command in the BlockedDomains parameter value rather than Replace. This will remove the domain tailspintoys.com from the Block list, but leave all other domains in the list.

8.7.5 Clearing the Tenant Allow List

To remove all domains from a tenant’s Allow list, run the following commands:

$a = New-CsEdgeAllowList
Set-CsTenantFederationConfiguration -Tenant [TenantID] -AllowedDomains $a

The first command creates an empty Allow list. The second command then assigns that list to the tenant federation configuration. To remove only one domain from the list, you’ll need to recreate the list without the specific domain you want to remove.

8.7.6 Resetting Tenant to Allow All Domains Except Those Listed on the Block List

To ensure the tenant is allowed to communicate with all domains in the deployment except those in the tenant’s Block list, run the following commands:

$all = New-CsEdgeAllowAllKnownDomains
Set-CsTenantFederationConfiguration -Tenant [TenantID] -AllowedDomains $all

8.7.7 Enabling a Tenant for Federation

To enable a tenant for federation, run the Set-CsTenantFederationConfiguration cmdlet on that tenant and set the AllowFederatedUsers parameter to True, as shown in the following command:

Set-CsTenantFederationConfiguration -Tenant [TenantID] -AllowFederatedUsers $true


8.8 Configure Federation Between Two Fully-Hosted Tenants

You can also configure federation between two fully-hosted tenant organizations. To do so, add each tenant to the other tenant’s Allow list, as described previously in section 8.7.2. For example, if you want to enable federation between mydomain.com and yourdomain.com (shown as t1.com and t2.com in the commands below), use the following steps.

Add "t2.com" as an ALLOWED partner on "t1.com":

$d1 = New-CSEdgeDomainPattern -Domain "t2.com"

$a = New-CSEdgeAllowList -AllowedDomain @{replace=$d1}

Set-CSTenantFederationConfiguration -Tenant <t1.com's GUID> -AllowedDomains $a

Do the converse at "t2.com". Add "t1.com" as an ALLOWED partner on "t2.com":

$d1 = New-CSEdgeDomainPattern -Domain "t1.com"

$a = New-CSEdgeAllowList -AllowedDomain @{replace=$d1}

Set-CSTenantFederationConfiguration -Tenant <t2.com's GUID> -AllowedDomains $a

This enables federation for users in each tenant SIP domain.

8.8.1 Configure Federation Between Lync Server On-Premises and Lync Server Multitenant Hosting Pack

The steps for configuring federation between an on-premises Lync Server deployment and a Lync Server Multitenant Hosting Pack deployment are the same as configuring federation with Lync Online. For details, see “Configuring Federation Support for a Lync Online 2010 Customer” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235837.

8.9 Create Tenant DNS Records

Several tenant-specific DNS records are required for tenant users to be able to use hosted Lync Server easily. Lync Server clients comply with SIP RFCs, which state that TLS connections must require that the server’s domain name match the SIP domain name of the client user. The client looks for a service (SRV) record with a matching domain name, which in turn must point to a server or servers with matching domain names.

The following table shows which records need to be created for each SIP domain to be used by a given tenant.

Tenant-specific DNS Records

Type | FQDN | Target IP address/FQDN | Port | Maps to/comments
SRV | _sip._tls.<TenantSIPDomain> | access.<TenantSIPdomain> | 5061 | Used for automatic configuration of Lync Server clients and meeting attendant
SRV | _sipfederationtls._tls.<TenantSIPDomain> | access.<TenantSIPdomain> | 5061 | Used for federation with other Lync Server deployments
A | access.<TenantSIPdomain> | IP address of Edge Server | NA | Create one for each Director
A | meet.<TenantSIPdomain> | Published IP address of A/V Conferencing Server | NA | Facilitates use of simple URLs for tenant meetings

8.10 Configure Tenant Meeting URL

Lync Server must be told which URLs to use to be able to automatically include tenant-specific meeting URLs in meeting invitations. Run the following cmdlets on the Director in the Lync Server Management Shell to configure these URLs:

Set-CsSimpleUrlConfiguration -UseBackEndDatabase $true
$urlEntry = New-CsSimpleUrlEntry -Url "https://meet.<TenantSipDomain>"
$simpleUrl = New-CsSimpleUrl -Component "meet" -Domain "<TenantSipDomain>" -SimpleUrl $urlEntry -ActiveUrl "https://meet.<TenantSipDomain>"
Set-CsSimpleUrlConfiguration -Identity Global -TenantId [TenantId] -SimpleUrl @{Add=$simpleUrl}

After running the Set-CsSimpleUrlConfiguration cmdlet, you might need to rerun the Enable-CsComputer cmdlet for the changes to take effect. The TenantSipDomain should be the tenant domain name, such as litwareinc.com.

Note   Keep in mind that you must import the Lync Online Windows PowerShell module for these commands to work. Although these commands are available in the Lync Server Management Shell Windows PowerShell module, the Lync Online Windows PowerShell module contains additional parameters that are used here.

8.11 Create Tenant Meeting Simple URLs

Use the Topology Builder to edit the meeting URL for the tenant SIP domain so that it conforms to the pattern https://meet.[Hoster Domain]/[Tenant SIP Domain]. After adjusting the meeting URL, publish the topology and execute the following Windows PowerShell cmdlet on each Front End and Director server:

Enable-CsComputer

8.11.1 Import the Required Modules for Windows PowerShell

To import the modules necessary to create Tenant Meeting URLs, execute the following cmdlets at an elevated Windows PowerShell prompt:

Import-Module ActiveDirectory
Import-Module Lync
Import-Module LyncOnline

To verify that the modules loaded successfully, execute the following cmdlet:

Get-Module

8.11.2 Configure the Simple URL to Use the Back-end Database

Execute the following cmdlet to configure the Simple URL to use the back-end database. This configures your deployment as a service environment.

Set-CsSimpleUrlConfiguration -UseBackEndDatabase $true

To verify that the settings were applied, run the following cmdlet:

Get-CsSimpleUrlConfiguration -Identity "Global"

8.11.3 Create the Simple URLs for a Tenant Organization

To create the Simple URLs for a tenant organization, run the following cmdlets:

# Build the tenant meeting URL: https://meet.[Hoster Domain]/[Tenant SIP Domain]
$SIPDomain = "fabrikam.com"
$BaseURL = "https://meet.litwareinc.com/"
$URL = "https://meet.litwareinc.com/" + $SIPDomain

# Create the simple URL object (held in memory until it is assigned below)
$urlEntry = New-CsSimpleUrlEntry -Url $URL
$simpleUrl = New-CsSimpleUrl -Component "meet" -Domain $SIPDomain -SimpleUrl $urlEntry -ActiveUrl $URL

# Locate the tenant OU and use its GUID as the tenant ID
$CompanyName = "Litware Inc."
$PathRoot = "OU=OCS Tenants,DC=Hoster,DC=com"
$TargetOU = "OU="+$CompanyName+","+$PathRoot
$TenantOU = Get-ADOrganizationalUnit -Identity $TargetOU -Properties msRTCSIP-TenantId -Server "DC01.litwareinc.com"
$TenORgID = New-Object -TypeName System.guid -ArgumentList $TenantOU.ObjectGUID

# Add the simple URL to the tenant's configuration; stop on the first error
Set-CsSimpleUrlConfiguration -Tenant $TenORgID -SimpleUrl @{Add=$simpleUrl} -ErrorAction Stop

To confirm that the Tenant Org meeting URL was successfully created, run the following cmdlet:

Get-CsTenant | ft -AutoSize -Property Name, TenantId

Use the value returned for the TenantId in the following cmdlet:

(Get-CsSimpleUrlConfiguration -Tenant "TenantID GUID").simpleurl | ft -AutoSize


8.11.4 Set the Simple URL DNS Name

To set the DNS name for the Simple URL, run the following cmdlets:

$BaseURL = "https://meet.litwareinc.com/"

set-CsProvisionServiceConfiguration -SimpleUrlDnsName $BaseURL

To verify that the DNS name was set, run the following cmdlet:

(Get-CsProvisionServiceConfiguration).SimpleUrlDNSName

8.11.5 Execute Enable-CsComputer on Front End and Director Servers

Run the Enable-CsComputer cmdlet on all Front End and Director servers in your topology:

Enable-CsComputer

8.12 Update Certificates

The FQDNs listed in the tenant-specific DNS Records table must be added as subject alternative names to the certificates used by those servers, because the certificates used within the Lync Server infrastructure must match the FQDNs used in the request.
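The DNS table in section 8.9 and the certificate requirement in section 8.12 can be checked together for one tenant SIP domain. The following is an added example, not part of the original guide: the function names are hypothetical, the observed records and certificate names are constructed sample data, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the guide. Function names are hypothetical and the
# sample records and certificate names at the bottom are constructed.

function ConvertTo-CanonicalName {
    # Lower-case a DNS name and drop the trailing root dot so names compare equal.
    param([string]$Name)
    if ([string]::IsNullOrEmpty($Name)) { return '' }
    $Name.Trim().TrimEnd('.').ToLowerInvariant()
}

function Get-ExpectedTenantRecord {
    # The four rows of the "Tenant-specific DNS Records" table for one SIP domain.
    param([Parameter(Mandatory = $true)][string]$SipDomain)
    $d = ConvertTo-CanonicalName $SipDomain
    [pscustomobject]@{ Type = 'SRV'; Name = "_sip._tls.$d"; Target = "access.$d"; Port = 5061 }
    [pscustomobject]@{ Type = 'SRV'; Name = "_sipfederationtls._tls.$d"; Target = "access.$d"; Port = 5061 }
    [pscustomobject]@{ Type = 'A'; Name = "access.$d"; Target = $null; Port = $null }
    [pscustomobject]@{ Type = 'A'; Name = "meet.$d"; Target = $null; Port = $null }
}

function Test-TenantName {
    # Returns one finding (string) per missing or mismatched record or SAN entry.
    param(
        [Parameter(Mandatory = $true)][string]$SipDomain,
        [Parameter(Mandatory = $true)][object[]]$ObservedRecord,
        [Parameter(Mandatory = $true)][string[]]$CertificateName
    )
    $expected = @(Get-ExpectedTenantRecord -SipDomain $SipDomain)
    $findings = @()

    foreach ($want in $expected) {
        $seen = @($ObservedRecord | Where-Object {
            $_.Type -eq $want.Type -and (ConvertTo-CanonicalName $_.Name) -eq $want.Name
        })
        if ($seen.Count -eq 0) {
            $findings += "DNS: $($want.Type) record $($want.Name) is missing"
            continue
        }
        if ($want.Type -ne 'SRV') { continue }
        foreach ($record in $seen) {
            # The SRV target must stay inside the tenant SIP domain, otherwise the
            # TLS name match described in section 8.9 fails on the client.
            $target = ConvertTo-CanonicalName $record.Target
            if ($target -ne $want.Target) {
                $findings += "DNS: $($want.Name) points to $target, expected $($want.Target)"
            }
            if ([int]$record.Port -ne $want.Port) {
                $findings += "DNS: $($want.Name) uses port $($record.Port), expected $($want.Port)"
            }
        }
    }

    # Section 8.12: every host name from the table must be a SAN on the certificate.
    $sans = @($CertificateName | ForEach-Object { ConvertTo-CanonicalName $_ })
    $fqdns = $expected |
        ForEach-Object { if ($_.Type -eq 'A') { $_.Name } else { $_.Target } } |
        Sort-Object -Unique
    foreach ($fqdn in $fqdns) {
        if ($sans -notcontains $fqdn) {
            $findings += "Certificate: subject alternative name $fqdn is missing"
        }
    }
    $findings
}

# Constructed sample input for the tenant fabrikam.com. In production the records
# would come from DNS lookups and the names from the server certificate's
# subject alternative name extension.
$observed = @(
    [pscustomobject]@{ Type = 'SRV'; Name = '_sip._tls.fabrikam.com'; Target = 'access.fabrikam.com.'; Port = 5061 }
    [pscustomobject]@{ Type = 'SRV'; Name = '_sipfederationtls._tls.fabrikam.com'; Target = 'access.litwareinc.com.'; Port = 5061 }
    [pscustomobject]@{ Type = 'A'; Name = 'access.fabrikam.com'; Target = '192.0.2.10'; Port = $null }
)
$sanNames = 'access.litwareinc.com', 'meet.litwareinc.com', 'access.fabrikam.com'

Test-TenantName -SipDomain 'fabrikam.com' -ObservedRecord $observed -CertificateName $sanNames
```

With this sample the function reports the federation SRV record that points outside the tenant domain, the missing meet A record, and the missing meet.fabrikam.com SAN entry.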

9 Provisioning Tenant Users

After you have created the tenant organization, you can provision tenant users and enable them for Exchange UM and Lync Server services.

9.1 Enable Tenant Users for Exchange UM

After you have created a user and you’ve enabled the user for Exchange Server within the tenant OU, you can enable the user for Exchange UM by running the following Exchange Management Shell commands:

Set-Mailbox -Identity [email protected] -AddressBookPolicy $null
Enable-UMMailbox -Identity [email protected] -UMMailboxPolicy <TenantUmMailboxPolicyName> -Extensions <extension> -SIPResourceIdentifier "<UserPrincipalName>" -PIN <user pin>

The first line removes any existing address book policy for the user [email protected]. The next line enables Exchange UM for that user. Keep in mind that this command will run successfully only if the Exchange Unified Messaging Service is running.

To run the Enable-UMMailbox cmdlet you can use any of the values listed above for the Identity of the user. The value you specify for the UMMailboxPolicy parameter must be the Name of an existing Exchange UM mailbox policy. To find existing UM mailbox policies, run the following cmdlet:

Get-UMMailboxPolicy

To create a new Exchange UM mailbox policy (and the associated Exchange UM dial plan), follow the instructions given previously in the Create Tenant Exchange Dial Plan and Exchange UM Mailbox Policy section.

The value you specify for the Extensions parameter of the Enable-UMMailbox cmdlet must match the values allowed in the specified Exchange UM dial plan. For example, if the UM dial plan requires that extensions consist of five digits, the value specified for the Extensions parameter in the call to Enable-UMMailbox can be any 5-digit number, such as 12345.


If you’re enabling the user with a SIP URI or E.164 dial plan, the call to Enable-UMMailbox requires a value for the parameter SIPResourceIdentifier. The SIPResourceIdentifier is a user principal name, similar to [email protected]. This value should have a suffix matching the tenant SIP domain of the Lync Server contact object. For details, see the previous “Create Tenant SIP Domain” section in this document.

This example also includes the personal identification number (PIN) parameter, where you specify the PIN the user can use to access the mailbox. If you do not specify a PIN, a value is generated automatically and sent to the user.

9.2 Set User TenantID and GroupingID

Each tenant user account must have two Active Directory attributes assigned to it so that Lync Server knows that it is a member of a tenant organization. Assigning the TenantID and GroupingID provides privacy for the tenant address book.

Note   You cannot migrate a Lync Server 2010 Enterprise Edition deployment to a Lync Server 2010 Hosting Pack deployment. If you use GroupingID, you must perform tenant provisioning again.

The following example script reads the GUID of the tenant OU and populates the msRTCSip-TenantId and msRTCSip-GroupingId with the value of the GUID. You can run these commands from the Active Directory Module for Windows PowerShell.

# Read the GUID of the tenant OU
$OU = "OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com"
$OUObject = Get-ADOrganizationalUnit -Identity $OU
$GUID = $OUObject.objectguid

# Stamp the OU itself with the tenant ID and object ID
Get-ADOrganizationalUnit -identity $OU -properties name,msRTCSIP-TenantId | Set-ADOrganizationalUnit -replace @{'msRTCSIP-TenantId'=$GUID}
Get-ADOrganizationalUnit -identity $OU -properties name,msRTCSIP-ObjectId | Set-ADOrganizationalUnit -replace @{'msRTCSIP-ObjectId'=$GUID}

# Stamp every user in the OU with the grouping ID and tenant ID
Get-ADUser -LDAPFilter "(objectClass=user)" -searchbase $OU -properties msRTCSIP-GroupingID,msRTCSIP-PrimaryUserAddress,comment | Set-ADUser -replace @{'msRTCSIP-GroupingID'=$GUID}
Get-ADUser -LDAPFilter "(objectClass=user)" -searchbase $OU -properties msRTCSIP-GroupingID,msRTCSip-TenantID,msRTCSIP-PrimaryUserAddress,comment | Set-ADUser -replace @{'msRTCSip-TenantID'=$GUID}
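Because address book privacy depends on every user in the tenant OU carrying the OU's GUID in both attributes, a read-only audit is useful before users are enabled for Lync Server. The following is an added example, not part of the original guide: the function names are hypothetical, the user objects are constructed stand-ins for Get-ADUser output, and it assumes the Active Directory module returns these attributes as 16-byte arrays.

```powershell
# Added example, not from the guide. Function names are hypothetical; the user
# objects at the bottom are constructed stand-ins for Get-ADUser output.

function ConvertTo-GuidOrNull {
    # Accepts a System.Guid, a 16-byte array or a GUID string.
    # Assumption: the AD module returns octet-string attributes as byte arrays.
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [guid]) { return $Value }
    if ($Value -is [byte[]]) {
        if ($Value.Length -ne 16) { return $null }
        return New-Object -TypeName System.Guid -ArgumentList (, $Value)
    }
    $parsed = [guid]::Empty
    if ([guid]::TryParse([string]$Value, [ref]$parsed)) { return $parsed }
    return $null
}

function Find-TenantIdMismatch {
    # Emits one object per user attribute that is unset, unreadable or
    # different from the GUID of the tenant OU. Makes no changes.
    param(
        [Parameter(Mandatory = $true)][guid]$TenantOuGuid,
        [Parameter(Mandatory = $true)][object[]]$User
    )
    foreach ($u in $User) {
        foreach ($attribute in 'msRTCSIP-TenantId', 'msRTCSIP-GroupingID') {
            $raw = $u.$attribute
            $actual = ConvertTo-GuidOrNull -Value $raw
            if ($null -eq $actual) {
                $status = 'NotSetOrInvalid'
            } elseif ($actual -ne $TenantOuGuid) {
                $status = 'Mismatch'
            } else {
                continue
            }
            [pscustomobject]@{
                User      = $u.DistinguishedName
                Attribute = $attribute
                Status    = $status
                Value     = $actual
            }
        }
    }
}

# Constructed sample data. The tenant GUID reuses the example value from section 8.7.1.
$tenantGuid = [guid]'595b58ab-3137-406a-a32b-32e23fc8b56b'
$otherGuid  = [guid]'11111111-2222-3333-4444-555555555555'   # constructed
$base = 'OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com'
$users = @(
    [pscustomobject]@{
        DistinguishedName     = "CN=Alice,$base"
        'msRTCSIP-TenantId'   = $tenantGuid.ToByteArray()
        'msRTCSIP-GroupingID' = $tenantGuid.ToByteArray()
    }
    [pscustomobject]@{
        DistinguishedName     = "CN=Bob,$base"
        'msRTCSIP-TenantId'   = $tenantGuid.ToByteArray()
        'msRTCSIP-GroupingID' = $null                      # never populated
    }
    [pscustomobject]@{
        DistinguishedName     = "CN=Carol,$base"
        'msRTCSIP-TenantId'   = $otherGuid.ToByteArray()   # belongs to another tenant
        'msRTCSIP-GroupingID' = $tenantGuid.ToByteArray()
    }
)

Find-TenantIdMismatch -TenantOuGuid $tenantGuid -User $users | Format-Table -AutoSize

# Live input, using the same query as the guide's script:
#   $ou    = Get-ADOrganizationalUnit -Identity $OU
#   $users = Get-ADUser -LDAPFilter "(objectClass=user)" -SearchBase $OU -Properties msRTCSIP-TenantId,msRTCSIP-GroupingID
#   Find-TenantIdMismatch -TenantOuGuid $ou.ObjectGUID -User $users
```

With the sample data, Alice produces no output, Bob is reported for an unset grouping ID, and Carol for a tenant ID that does not match the OU.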

9.2.1 Known Issue

In some environments, it may be important to set the user's msRTCSIP-GroupingID or msRTCSIP-TenantID before the user is enabled for Lync Server. Depending on the specifics of your deployment (for example, if Office Communications Server or Lync Server Enterprise Edition has been previously deployed in the environment, or if you have locked-down Active Directory with access control lists (ACLs)), Lync Server may only be able to act on these settings at the time the account is enabled for Lync Server. If the value is changed later, the user may not be able to see other users' presence status, or find other users via address book search. You may also see errors such as the following in the Lync event log on Front End Servers:

Log Name:      Lync Server
Source:        LS User Replicator
Date:          10/25/2011 2:19:51 PM
Event ID:      30039
Task Category: (1009)
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      [Server FQDN]
Description:
A Tenant ID attribute value was changed, deleted, or added for an existing user in the database. Resolve the conflict by restoring the original value or deleting the user from AD.

The DN of the user whose Tenant ID value User Replicator tried to replicate is:
[User Distinguished Name]

This update came from domain:
[Windows Domain]

Cause: Typically caused by manual modification of msRTCSIP-TenantId attribute value instead of using management tools

Resolution:
Restore the original value of msRTCSIP-TenantId attribute or delete the user from AD. You may use Dbanalyze to diagnose the problem.

Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LS User Replicator" />
    <EventID Qualifiers="33777">30039</EventID>
    <Level>3</Level>
    <Task>1009</Task>
    <Keywords>0x80000000000000</Keywords>
    <TimeCreated SystemTime="2011-10-25T21:19:51.000000000Z" />
    <EventRecordID>2414</EventRecordID>
    <Channel>Lync Server</Channel>
    <Computer>[Server FQDN]</Computer>
    <Security />
  </System>
  <EventData>
    <Data>[User Distinguished Name]</Data>
    <Data>[Windows Domain DNS Name]</Data>
  </EventData>
</Event>

If you need to set a user's msRTCSIP-GroupingId or msRTCSIP-TenantId after the user has been enabled for Lync Server, you need to first disable the user’s account in Lync Server, change the values, and then enable the user for Lync Server again.
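Event 30039 names each user whose tenant ID was changed after enablement, so summarizing these events per user shows which accounts need the disable, change and re-enable sequence. The following is an added example, not part of the original guide: the function names are hypothetical, the events are constructed from the layout of the event shown above, and it assumes Windows PowerShell 3.0 or later.

```powershell
# Added example, not from the guide. Function names are hypothetical and the
# events below are constructed from the layout of the event shown above.

function ConvertFrom-TenantIdChangeEvent {
    # Turns the XML of an LS User Replicator event 30039 into an object;
    # any other event is skipped.
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)][string]$EventXml)
    process {
        $root   = ([xml]$EventXml).DocumentElement
        $system = $root['System']
        if ($system['Provider'].GetAttribute('Name') -ne 'LS User Replicator') { return }
        if ([int]$system['EventID'].InnerText -ne 30039) { return }

        # EventData carries two values in order: the user DN, then the domain.
        $data = @($root['EventData'].ChildNodes |
            Where-Object { $_.NodeType -eq 'Element' } |
            ForEach-Object { $_.InnerText.Trim() })
        [pscustomobject]@{
            TimeCreated = $system['TimeCreated'].GetAttribute('SystemTime')
            Computer    = $system['Computer'].InnerText.Trim()
            UserDn      = $data[0]
            Domain      = $data[1]
        }
    }
}

function Get-TenantIdChangeSummary {
    # One row per affected user: how many events, and when the last one was logged.
    param([Parameter(Mandatory = $true)][string[]]$EventXml)
    $EventXml | ConvertFrom-TenantIdChangeEvent |
        Group-Object -Property UserDn |
        ForEach-Object {
            [pscustomobject]@{
                UserDn   = $_.Name
                Events   = $_.Count
                LastSeen = ($_.Group | Sort-Object TimeCreated | Select-Object -Last 1).TimeCreated
            }
        }
}

# Constructed sample events: {0} = event ID, {1} = time, {2} = user DN.
$template = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="LS User Replicator" />
    <EventID Qualifiers="33777">{0}</EventID>
    <TimeCreated SystemTime="{1}" />
    <Channel>Lync Server</Channel>
    <Computer>fe01.litwareinc.com</Computer>
  </System>
  <EventData>
    <Data>{2}</Data>
    <Data>litwareinc.com</Data>
  </EventData>
</Event>
'@
$bob   = 'CN=Bob,OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com'
$carol = 'CN=Carol,OU=fabrikam,OU=OCS Tenants,DC=litwareinc,DC=com'
$sampleEvents = @(
    ($template -f 30039, '2011-10-25T21:19:51.000000000Z', $bob)
    ($template -f 30039, '2011-10-26T08:02:10.000000000Z', $bob)
    ($template -f 30039, '2011-10-26T08:05:44.000000000Z', $carol)
    ($template -f 30001, '2011-10-26T09:00:00.000000000Z', $carol)   # unrelated constructed ID, skipped
)

Get-TenantIdChangeSummary -EventXml $sampleEvents

# Live input from a Front End Server (log name as shown in the event above):
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 30039 } |
#       ForEach-Object { $_.ToXml() }
#   Get-TenantIdChangeSummary -EventXml $xml
```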


9.3 Configure the User Base Simple URL with the Tenant Organization’s Base URL

As part of the tenant user account creation process the msRTCSIP-BaseSimpleURL attribute needs to be populated with the tenant organization’s base URL. To do so, run the following commands from the Active Directory module for Windows PowerShell window:

$CompanyName = "Litware Inc."
$SIPDomain = "fabrikam.com"    # tenant SIP domain, as set in section 8.11.3
$PathRoot = "OU=OCS Tenants,DC=litwareinc,DC=com"
$TargetOU = "OU="+$CompanyName+","+$PathRoot

# Fails here if the tenant OU does not exist
$OUObject = Get-ADOrganizationalunit -Identity $TargetOU

# Tenant base URL: hoster meeting URL followed by the tenant SIP domain
$BaseURL = "https://meet.litwareinc.com/"+$SIPDomain

# Write the base URL to every user in the tenant OU
Get-ADUser -LDAPFilter "(objectClass=user)" -SearchBase $TargetOU -Properties msRTCSIP-BaseSimpleUrl -Server "DC01.fabrikam.com" | Set-ADUser -Replace @{'msRTCSIP-BaseSimpleUrl'=$BaseURL}

Important   The value for the BaseURL property must use the https:// prefix.

9.4 Enable Tenants for Lync Server

You should use the Lync Server Management Shell to enable tenant users on the Lync Server because the Lync Server Control Panel is read-only in the Lync Server 2010 Hosting Pack. The exact commands you use depend on your choice of service features and the provisioning automation that you employ.

Note   You need to apply these changes only once per user, and you can run the command on any Lync Server in your deployment.

The following example set of commands enables a user on Lync Server who is located within the tenant OU and is already enabled for Exchange UM:

Enable-CsUser -Identity <UserPrincipalName> -RegistrarPool <FQDN of Front End Pool> -SipAddressType UserPrincipalName

After the user is enabled on Lync Server, the user must be granted access to a Lync Server dial plan. In this example, a single Lync Server dial plan is used for all users. Using a single Lync Server dial plan for all tenant users is recommended because the maximum number of dial plans supported by Lync Server could constrain the total number of tenants if each one were given their own dial plan. To create a new dial plan, see the Lync Server Dial Plans section. The following command demonstrates how to assign the dial plan TenantDP to the user:

Grant-CsDialPlan -Identity [email protected] -PolicyName TenantDP

After the user is enabled for Lync Server and has access to a dial plan, the user can be enabled for Enterprise Voice by running the following command:

Set-CsUser [email protected] -EnterpriseVoiceEnabled $true -LineURI tel:+12065551234

The line URI is the telephone number through which the user can be reached via the PSTN. That number must have been properly provisioned with your SIP trunk provider.

After you complete this step, the user should be able to log on and use Enterprise Voice and Exchange UM features.

9.5 Set Address Book Policy for Tenant User

These policies are applied as the last step. In order to assign an address book policy to a tenant user, open an Exchange Management Shell and run the following command:

Set-Mailbox -Identity [email protected] -AddressBookPolicy TenantAB

10 Overview of the Audio Conferencing Provider

The audio conferencing provider provides PSTN integration to Lync Server conferencing and collaboration. PSTN integration expands modality options for participating in Lync Server conferences.

By using an audio conferencing provider, providers can enable the following scenarios:

- A user can dial-in to a Lync Server conference from a phone.
- A user can dial-out from a Lync Server conference to a Lync Server user who was not part of the original conference invitee list or call-out to someone who will attend by phone only.
- Users can mute or unmute themselves and others on Lync Server VoIP and PSTN.
- The conference can be locked.
- Participants can be removed.

10.1 Integrating with Audio Conferencing Provider

There are two ways to integrate with an audio conferencing provider:

- Use an external audio conferencing provider that is qualified for Microsoft Office 365.
- Use internal conferencing integration.

The Lync Server Multitenant Hosting Pack includes an audio conference provider, which serves as the signaling and control gateway between Lync Server and audio conferencing provider environments. This component initiates the audio bridging, and connects through access point to the audio conferencing provider module within the conferencing architecture in audio conferencing provider.

The audio conferencing provider module abstracts the Centralized Conference Control Protocol (C3P) for native Lync Server integration with audio conferencing provider environment. It handles the control channel between Lync Server and the audio conferencing provider including managing basic signaling, such as roster updates and adding users via conferencing dial-out.

Integrating with Audio Conferencing Provider

Hosts can use the audio conferencing provider SDK to develop internal applications for conference initiation, session management, and conference control.


10.2 Provisioning with Audio Conferencing Provider

Audio conferencing provider attributes are provisioned into Active Directory through a Windows PowerShell cmdlet. These attributes are then replicated to the presence server from which the scheduling client pulls this data for scheduling a conference.

You can provision users in either of the following two ways:

- By using a Lync Server Management Shell cmdlet to provision users one at a time using audio conferencing provider attributes
- By developing a script to enable a bulk upload of attributes for provisioning a large number of tenant users all at the same time

The audio conferencing provider attributes needed to provision users are as follows: ID First Name Last Name Tollnumber TollFreeNumber Name Web Domain Port

10.3 Integration Workflows with Audio Conferencing Provider

This section provides an overview of the integration workflows when using audio conferencing provider to integrate with Lync Server Multitenant Hosting Pack.

10.3.1 Create and Schedule a Web Conference

Scheduling a web conference with Lync Server and audio conferencing provider follows the same basic process as scheduling a VoIP-only Lync Server conference. The main difference is the communication that occurs between the audio conferencing provider conferencing server and the audio conferencing provider module:

1. Online Meeting Add-in for Lync 2010 gets audio conferencing provider information from the presence database.
2. Organizer creates a Lync Server meeting or web conference.
3. Organizer selects meeting participants.
4. The Lync Server scheduling client (that is, Online Meeting Add-in for Lync 2010) issues addConference to the Focus Factory along with audio conferencing provider-specific dial-in information.

Note   To understand the role of the Focus Factory in the Lync Server 2010 conferencing topology, see Conference Features in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=230850.

5. The Focus Factory creates conference and returns conference info to scheduling client.
6. The Lync Server client sends meeting invitations to participants.

10.3.2 Activate a Conference

During conference activation, the audio conferencing provider conferencing server receives a request containing dial-in phone numbers, participant pass code, and audio conferencing provider domain. The following subsequent steps then occur:

1. The audio conferencing provider conferencing server sends an INVITE (for third-party call control) and SUBSCRIBE (for conference state changes) to the audio conferencing provider module.
2. The audio conferencing provider module responds with the bridge URI to be used for the audio bridging initiation when users join from both modalities (that is, VoIP, PSTN).
3. The audio conferencing provider conferencing server retains the bridge URI to initiate bridging once users join via both PSTN and VoIP.

Conference activation traffic flow

10.3.3 Join Conference by Using Conferencing Dial-out

When a user wants to join the conference by having Lync Server dial-out to him or her using the Lync feature to call the conference attendee back (that is, conferencing dial-out), the following steps occur:

1. The Lync Server client sends a request to add a user to the Focus.
2. The Focus sends adduser command to the audio conferencing provider conferencing server.
3. The audio conferencing provider conferencing server forwards INFO command to audio conferencing provider module via the INVITE dialog.
4. The audio conferencing provider module sends a call-out command to the audio conferencing provider environment.
5. The audio conferencing provider module sends NOTIFY in the SUBSCRIBE dialog back to audio conferencing provider conferencing server that the user is connected.
6. The audio conferencing provider conferencing server sends userconnected to the Focus.
7. The Focus sends roster update notification to clients.

Traffic flow for joining a conference

10.3.4 Audio Bridging Sequence

The audio conferencing provider conferencing server is polling the Focus at regular intervals for state changes (for example, when a PSTN user joins the conference). When the audio conferencing provider conferencing server recognizes that there are users on both bridges, it does a VoIP dial-out to initiate the bridging. This process flow describes how audio is bridged between the Lync Server, A/V Conferencing Server and audio conferencing provider:

1. The Focus sends INFO command (adduser) to the audio conferencing provider conferencing server (if dial-in, the audio conferencing provider module sends adduser request to the audio conferencing provider conferencing server).
2. The audio conferencing provider conferencing server sends adduser dial-out request to the A/V Conferencing Server with bridge URI received at conference activation.
3. A/V Conferencing Server establishes RTP stream with audio conferencing provider Session Border Controller (SBC) via the Mediation Server.
4. Audio stream established between the SBC and PSTN bridge.
5. Bridged audio stream between A/V Conferencing Server and PSTN bridge.

Audio bridging sequence

10.3.5 Use Audio Controls from Lync Server

At conference activation, the audio conferencing provider conferencing server established an INVITE dialog with the audio conferencing provider module to facilitate third-party conference control during a bridged conference. This process flow describes how commands are passed and acted on from a Lync Server client through the audio conferencing provider components and back during a conference:

1. The Lync Server client sends CCCP INFO command to the Focus.
2. The Focus sends a command to the audio conferencing provider conferencing server.
3. The audio conferencing provider conferencing server sends an INFO command to audio conferencing provider module using the established INVITE dialog.
4. The audio conferencing provider module sends command to PSTN middleware and bridge to act on command (for example, mute user or lock conference).
5. The audio conferencing provider module sends a NOTIFY to the audio conferencing provider conferencing server via the SUBSCRIBE dialog, indicating new state of participant.
6. The audio conferencing provider conferencing server sends a command back to the Focus, to indicate new state of participant.
7. The Focus sends a roster update to the Lync Server clients.


Audio conferencing provider communication flow

10.4 Known Issues

The following known issues exist at the time this guide was published:

PSTN Attendee count announcements   This is a standard message played to attendees who join a PSTN audio bridge (for example, “You are the fourth person in the conference” or “There are five others in the conference”). At this time, there is no way for Lync Server to present the audio conferencing provider module with the current number of participants, so this may be misleading.

Mute all   Currently, PSTN users cannot use dual-tone multifrequency (DTMF) codes to “mute all” participants, including VoIP users; only the PSTN audio attendees will be muted.

Locked conference with no PSTN users on audio conferencing provider bridge   There is a valid scenario where all participants join via Lync audio (that is, VoIP) and choose to lock the conference so that no additional users may join by either modality. The audio conferencing provider module will receive the conference lock command from the audio conferencing provider conferencing server and must initiate a locked conference state on a bridge where no participants joined via the PSTN; therefore, no conference exists.

Blocked calls from participants   PSTN participants that block their phone number (for example, by using *67) will show up in the client as a random phone number generated from the audio conferencing provider. The software development kit (SDK) doesn’t currently support non-integers as values. As a result, values like “Guest,” “No Phone Available,” and so on are not currently supported. Note that if the audio conferencing provider receives a blocked call via a toll-free number, the number will be presented with a flag for “Blocked,” and so on. The audio conferencing provider must act on the flag and send a randomly generated number to denote the participant in Lync.

11 Code Samples

This section introduces how a service provider or an independent software vendor (ISV) can automate provisioning using .NET Framework and the Lync Server Multitenant Hosting Pack management shell. The selected examples are tasks that most hosting providers with a Lync Server Multitenant Hosting Pack deployment will need to do on a routine basis. You can use the code samples in this section as a starting point for customizing or creating control panels involved in managing the provisioning process.

Before using these samples, you should be familiar with the cmdlets that are installed with Lync Server Multitenant Hosting Pack, which provide a wide range of provisioning and management capabilities.

11.1 Prerequisites

Before you use any of the samples in this section, verify that these prerequisites are available in your environment:

- Lync Server Multitenant Hosting Pack
- Visual Studio 2010
- .NET Framework 3.5.1 or higher
- Windows Server 2008 R2 or higher


11.2 Dependencies

All code samples require the following using directives:

    using System;
    using System.Collections;
    using System.Collections.ObjectModel;
    // powershell namespaces
    using System.Management.Automation.Runspaces;
    using System.Management.Automation;
    using System.Text;
    using System.Data.SqlClient;

11.3 Provision a Tenant Organization

The samples in this section demonstrate the use of the Active Directory module for Windows PowerShell to set properties on a tenant OU. This module is installed automatically with Windows Server 2008 when you install the Active Directory Domain Services (AD DS) or Active Directory Lightweight Directory Services (AD LDS) server roles. For details about the Active Directory module for Windows PowerShell, see “Active Directory Administration with Windows PowerShell” in the TechNet Library at http://go.microsoft.com/fwlink/?LinkId=235838.

These samples also use the Lync Server cmdlets.

11.3.1 Create and Secure Organizational Unit

The Lync Server Multitenant Hosting Pack requires that tenant OUs be created under the “root organizational unit” called “\OCS Tenants”. Many service providers will want to represent reseller organizations as subordinate OUs (sub-OUs), each with sub-OUs representing tenants. You should use AD permissions or other suitable mechanisms to ensure that management tools have adequate access to the tenant OU, and that other tenants do not have inappropriate access. As no specific set of permissions is mandated by the Lync Server Multitenant Hosting Pack, it is beyond the scope of this document to provide samples for creating and securing a tenant organization.

11.3.2 Enable the Tenant Organization

To enable a tenant, you must do the following:

- Create at least one SIP Domain for the tenant.
- Add the SIP Domain to the upnSuffixes property of the OU.
- Add the SIP Domain to the msRTCSIP-Domains property of the OU.
- Set the msRTCSIP-TenantId and msRTCSIP-ObjectId to a unique identifier which will be used to identify the tenant in the Lync Server Multitenant Hosting Pack operating environment and to associate users with that tenant.

The following sample demonstrates the automation of these steps by invoking Windows PowerShell commands via C# code.

    // sip domain and tenant DN
    string sipDomain = "AlpineSkiHouse.com";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Active Directory Windows PowerShell module loaded and the Lync Server 2010 modules
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "ActiveDirectory", "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a SIP Domain in the Lync system.
            Command sipCommand = new Command("New-CsSipDomain");
            sipCommand.Parameters.Add(new CommandParameter("Identity", sipDomain));
            pipeline.Commands.Add(sipCommand);
            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a hashtable to contain the property settings for the OU
            // these will add the SIP domain to the upnSuffixes and msRTCSIP-Domains properties
            Hashtable properties = new Hashtable();
            properties.Add("upnSuffixes", sipDomain);
            properties.Add("msRTCSIP-Domains", sipDomain);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command to set the domain properties
            // the add parameter of the set command is used to append the
            // SIP domain value.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("add", properties));
            pipeline.Commands.Add(setCommand);

            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create the guid that will be used for the msRTCSIP-TenantId and msRTCSIP-ObjectId
            Guid id = Guid.NewGuid();
            Hashtable properties = new Hashtable();
            properties.Add("msRTCSIP-TenantId", id);
            properties.Add("msRTCSIP-ObjectId", id);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command to set the id properties
            // using the replace parameter of the set command.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("replace", properties));
            pipeline.Commands.Add(setCommand);

            pipeline.Invoke();
        }
    }
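A control panel built on the sample above receives the tenant DN and SIP domain from its callers, and section 11.3.1 requires that tenant OUs sit under the "OCS Tenants" root and stay isolated from one another. The following is an added example, not part of the Hosting Pack samples: the TenantInputValidator class, its method names, and the idea of a trusted, operator-configured reseller OU are assumptions made for illustration. It rejects DNs outside the caller's OU subtree and malformed domain names before any cmdlet is invoked.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;

// Added example (hypothetical helper, not part of the Hosting Pack samples).
public static class TenantInputValidator
{
    // Root OU under which the Hosting Pack requires all tenant OUs to be created.
    private const string RootOuRdn = "ou=OCS Tenants";

    // One DNS label: 1-63 letters, digits or hyphens, no leading or trailing hyphen.
    // \A and \z are used instead of ^ and $ because $ also matches before a final newline.
    private static readonly Regex DnsLabel =
        new Regex(@"\A[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z");

    // Split a DN into RDNs, keeping backslash-escaped characters (such as "\,")
    // inside the RDN they belong to.
    public static List<string> SplitDn(string dn)
    {
        List<string> rdns = new List<string>();
        StringBuilder current = new StringBuilder();
        for (int i = 0; i < dn.Length; i++)
        {
            char c = dn[i];
            if (c == '\\' && i + 1 < dn.Length) current.Append(c).Append(dn[++i]);
            else if (c == ',') { rdns.Add(current.ToString()); current.Length = 0; }
            else current.Append(c);
        }
        rdns.Add(current.ToString());
        return rdns;
    }

    // True only if tenantDn is a strict descendant of parentDn, parentDn contains the
    // "OCS Tenants" root OU, and every level below parentDn is an OU. The comparison is
    // textual and case-insensitive, so unusual but equivalent spellings are rejected.
    public static bool IsTenantDnUnder(string tenantDn, string parentDn)
    {
        if (string.IsNullOrEmpty(tenantDn) || string.IsNullOrEmpty(parentDn)) return false;
        List<string> tenant = SplitDn(tenantDn);
        List<string> parent = SplitDn(parentDn);
        int extra = tenant.Count - parent.Count;
        if (extra < 1) return false;

        bool hasRoot = false;
        for (int i = 0; i < parent.Count; i++)
        {
            if (!string.Equals(tenant[extra + i], parent[i], StringComparison.OrdinalIgnoreCase)) return false;
            if (string.Equals(parent[i], RootOuRdn, StringComparison.OrdinalIgnoreCase)) hasRoot = true;
        }
        if (!hasRoot) return false;

        for (int i = 0; i < extra; i++)
        {
            if (tenant[i].Length <= 3) return false;
            if (!tenant[i].StartsWith("ou=", StringComparison.OrdinalIgnoreCase)) return false;
        }
        return true;
    }

    // True for a syntactically valid DNS name with at least two labels.
    public static bool IsValidDomain(string domain)
    {
        if (string.IsNullOrEmpty(domain) || domain.Length > 253) return false;
        string[] labels = domain.Split('.');
        if (labels.Length < 2) return false;
        foreach (string label in labels)
        {
            if (!DnsLabel.IsMatch(label)) return false;
        }
        return true;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input, reusing the fictitious names from the guide.
        // resellerOu stands for trusted configuration, not caller-supplied data.
        string resellerOu = "ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
        string[] dns = {
            "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com",
            "ou=Alpine\\, Inc,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com",
            "ou=AdventureWorks,ou=OtherReseller,ou=OCS Tenants,dc=fabrikam,dc=com",
            "ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com",
            "cn=Users,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com"
        };
        foreach (string dn in dns)
            Console.WriteLine("{0,-5} {1}", TenantInputValidator.IsTenantDnUnder(dn, resellerOu), dn);

        string[] domains = { "AlpineSkiHouse.com", "alpine..com", "-bad.example", "AlpineSkiHouse.com\n" };
        foreach (string d in domains)
            Console.WriteLine("{0,-5} [{1}]", TenantInputValidator.IsValidDomain(d), d.Trim());
    }
}
```

Only the first two DNs and the first domain pass; a provisioning front end would call these checks before opening the runspace and refuse the request otherwise.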

11.3.3 Add an Additional SIP Domain to the Tenant Organization

Many organizations have more than a single domain that needs to be added to a Lync Server Multitenant Hosting Pack operating environment. This can be done using a subset of the code sample shown in the “Enable the Tenant Organization” section. The following example code demonstrates how to add another SIP domain to a tenant.

    // sip domain and tenant DN
    string sipDomain = "AlpineSkiHouse.net";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Active Directory Windows PowerShell module loaded and the Lync Server 2010 modules
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "ActiveDirectory", "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a SIP Domain in the Lync system.
            Command sipCommand = new Command("New-CsSipDomain");
            sipCommand.Parameters.Add(new CommandParameter("Identity", sipDomain));
            pipeline.Commands.Add(sipCommand);
            pipeline.Invoke();
        }

        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            // create a hashtable to contain the property settings for the OU
            Hashtable properties = new Hashtable();
            properties.Add("upnSuffixes", sipDomain);
            properties.Add("msRTCSIP-Domains", sipDomain);

            // add a command to retrieve the OU using the supplied distinguished name
            Command getCommand = new Command("Get-ADOrganizationalUnit");
            getCommand.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(getCommand);

            // pipe the OU to a set command to set the domain properties
            // the add parameter of the set command is used to append the
            // SIP domain value.
            Command setCommand = new Command("Set-ADOrganizationalUnit");
            setCommand.Parameters.Add(new CommandParameter("add", properties));
            pipeline.Commands.Add(setCommand);

            pipeline.Invoke();
        }
    }

11.3.4 Adding Domains to the Tenant Allow List for Federation

Tenants may want to allow their users to communicate with users of a domain outside their organization. The following example demonstrates how to add a domain to the tenant’s list of allowed domains.

    // allowed domain and tenant DN
    string allowedDomain = "AdventureWorks.com";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);
        // build a script for adding the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
        builder.AppendLine("$allowList = $config.AllowedDomains");
        // test to see if AllowedDomains property is equal to Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains
        builder.AppendLine("if($allowList.GetType() -eq $all.GetType())");
        builder.AppendLine("{");
        builder.AppendLine("\t$newList = New-CSEdgeAllowList -AllowedDomain $domain");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $newList");
        builder.AppendLine("}");
        builder.AppendLine("else");
        builder.AppendLine("{");
        builder.AppendLine("\t$allowList.AllowedDomain.Add($domain)");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $allowList");
        builder.AppendLine("}");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

11.3.5 Adding Domains to the Tenant Block List for Federation

Tenants may want to block their users from communicating with users of certain domains outside their organization. The following example demonstrates how to add a domain to the tenant’s list of blocked domains.

    // blocked domain and tenant DN
    string blockedDomain = "BadDomain.com";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", blockedDomain);
        // build a script for adding the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$config.BlockedDomains.Add($domain)");
        builder.AppendLine("Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $config.BlockedDomains");

        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

11.3.6 Removing Domains from the Tenant Allow List for Federation

If you need to remove a previously added Allowed domain from a specific tenant, you can use a technique similar to the one you used to add it.

    // allowed domain and tenant DN
    string allowedDomain = "AdventureWorks.com";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);
        // build a script for removing the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$domain = $config.AllowedDomains.AllowedDomain | ?{$_.Domain -eq $domainName}");
        builder.AppendLine("if($domain -ne $null)");
        builder.AppendLine("{");
        builder.AppendLine("\t$config.AllowedDomains.AllowedDomain.Remove($domain)");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $config.AllowedDomains");
        builder.AppendLine("}");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

11.3.7 Removing Domains from the Tenant Block List for Federation

If you need to remove a previously added Blocked domain from a specific tenant, you can use a technique similar to the one you used to add it.

    // blocked domain and tenant DN
    string blockedDomain = "BadDomain.com";
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // set variables for the distinguished name and domain
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        runspace.SessionStateProxy.SetVariable("domainName", blockedDomain);
        // build a script for removing the domain
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
        builder.AppendLine("$domain = $config.BlockedDomains | ?{$_.Domain -eq $domainName}");
        builder.AppendLine("if($domain -ne $null)");
        builder.AppendLine("{");
        builder.AppendLine("\t$config.BlockedDomains.Remove($domain)");
        builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $config.BlockedDomains");
        builder.AppendLine("}");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

11.3.8 Allowing all Domains for Tenant Federation

The following code sample shows how to allow a tenant to federate with all domains except for those that appear in the tenant’s list of blocked domains.

    // tenant DN
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // set the variable for the distinguished name
        runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
        // build a script setting allowed domains to all
        StringBuilder builder = new StringBuilder();
        builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
        builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
        builder.AppendLine("Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $all");
        string script = builder.ToString();

        // use a RunspaceInvoke instance to invoke the script
        using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
        {
            invoker.Invoke(script);
        }
    }

11.3.9 Enabling a Tenant for Federation

To enable a tenant for federation, you must set the AllowFederatedUsers property of the CsTenantFederationConfiguration instance to True.

    // tenant DN
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // get the tenant id
        Guid tenantId = Guid.Empty;
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Get-CsTenant");
            cmd.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(cmd);
            Collection<PSObject> result = pipeline.Invoke();

            // there should be only one since we specified a unique identity
            // if the tenant did not exist the Invoke would have thrown
            // an exception
            PSObject tenant = result[0];

            // get the tenant id
            tenantId = (Guid)tenant.Properties["TenantId"].Value;
        }
        // set the property
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command setCmd = new Command("Set-CsTenantFederationConfiguration");
            setCmd.Parameters.Add(new CommandParameter("Tenant", tenantId));
            setCmd.Parameters.Add(new CommandParameter("AllowFederatedUsers", true));
            pipeline.Commands.Add(setCmd);
            pipeline.Invoke();
        }
    }

11.3.10 Enabling a Tenant for Public IM Connectivity

To enable a tenant for public IM, you must set the AllowPublicUsers property of the CsTenantFederationConfiguration instance to True.

    // tenant DN
    string distinguishedName = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";

    // create an initial session state with the Lync 2010 modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // get the tenant id
        Guid tenantId = Guid.Empty;
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Get-CsTenant");
            cmd.Parameters.Add(new CommandParameter("Identity", distinguishedName));
            pipeline.Commands.Add(cmd);
            Collection<PSObject> result = pipeline.Invoke();

            // there should be only one since we specified a unique identity
            // if the tenant did not exist the Invoke would have thrown
            // an exception
            PSObject tenant = result[0];

            // get the tenant id
            tenantId = (Guid)tenant.Properties["TenantId"].Value;
        }
        // set the property
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command setCmd = new Command("Set-CsTenantFederationConfiguration");
            setCmd.Parameters.Add(new CommandParameter("Tenant", tenantId));
            setCmd.Parameters.Add(new CommandParameter("AllowPublicUsers", true));
            pipeline.Commands.Add(setCmd);
            pipeline.Invoke();
        }
    }

11.3.11 Enabling Federation between two Hosted Tenants

You can also configure federation between two tenant organizations on the same hosted platform. To do so, add each tenant to the other tenant’s Allow list.

    static void Main(string[] args)
    {
        string tenantA = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
        string domainA = "AlpineSkiHouse.com";
        string tenantB = "ou=AdventureWorks,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
        string domainB = "AdventureWorks.com";
        // add domains to each tenant
        LyncSample sample = new LyncSample();
        sample.AddAllowedDomain(tenantA, domainB);
        sample.AddAllowedDomain(tenantB, domainA);
    }

The following example shows the AddAllowedDomain function called in the sample above.

    public void AddAllowedDomain(string distinguishedName, string allowedDomain)
    {
        // create an initial session state with the Lync 2010 modules loaded
        InitialSessionState session = InitialSessionState.CreateDefault();
        session.ImportPSModule(new string[] { "Lync", "LyncOnline" });

        // create a runspace using the session state.
        using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
        {
            // open the runspace
            runspace.Open();
            // set variables for the distinguished name and domain
            runspace.SessionStateProxy.SetVariable("dn", distinguishedName);
            runspace.SessionStateProxy.SetVariable("domainName", allowedDomain);
            // build a script for adding the domain
            StringBuilder builder = new StringBuilder();
            builder.AppendLine("$tenant = Get-CsTenant -Identity $dn");
            builder.AppendLine("$domain = New-CsEdgeDomainPattern -Domain $domainName");
            builder.AppendLine("$config = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId");
            builder.AppendLine("$all = New-CsEdgeAllowAllKnownDomains");
            builder.AppendLine("$allowList = $config.AllowedDomains");
            // test to see if AllowedDomains property is equal to Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains
            builder.AppendLine("if($allowList.GetType() -eq $all.GetType())");
            builder.AppendLine("{");
            builder.AppendLine("\t$newList = New-CSEdgeAllowList -AllowedDomain $domain");
            builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $newList");
            builder.AppendLine("}");
            builder.AppendLine("else");
            builder.AppendLine("{");
            builder.AppendLine("\t$allowList.AllowedDomain.Add($domain)");
            builder.AppendLine("\tSet-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $allowList");
            builder.AppendLine("}");

            string script = builder.ToString();

            // use a RunspaceInvoke instance to invoke the script
            using (RunspaceInvoke invoker = new RunspaceInvoke(runspace))
            {
                invoker.Invoke(script);
            }
        }
    }

11.4 Provision Tenant Users

The following code example demonstrates how to enable a user for Lync Server 2010, including the following tasks:

- Enabling the user for Lync Server 2010
- Granting a dial plan to the user
- Setting the tenant and group IDs
- Setting the simple URL for meetings

    string tenantOU = "ou=AlpineSkiHouse,ou=ConsolidatedMessenger,ou=OCS Tenants,dc=fabrikam,dc=com";
    string userPrincipalName = "[email protected]";
    string poolFQDN = "lyncpool01.fabrikam.com";
    // placeholder: the original sample uses dialPlanName without defining it; supply the tenant's dial plan
    string dialPlanName = "<dial-plan-name>";

    // create an initial session state with the AD and Lync modules loaded
    InitialSessionState session = InitialSessionState.CreateDefault();
    session.ImportPSModule(new string[] { "ActiveDirectory", "Lync", "LyncOnline" });

    // create a runspace using the session state.
    using (Runspace runspace = RunspaceFactory.CreateRunspace(session))
    {
        // open the runspace
        runspace.Open();
        // get the tenant id
        Guid tenantId = Guid.Empty;
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Get-CsTenant");
            cmd.Parameters.Add(new CommandParameter("Identity", tenantOU));
            pipeline.Commands.Add(cmd);
            Collection<PSObject> result = pipeline.Invoke();

            // there should be only one since we specified a unique identity
            // if the tenant did not exist the Invoke would have thrown
            // an exception
            PSObject tenant = result[0];

            // get the tenant id
            tenantId = (Guid)tenant.Properties["TenantId"].Value;
        }
        // get the tenant OU simple URL
        string simpleUrl = string.Empty;
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Get-CsSimpleUrlConfiguration");
            cmd.Parameters.Add("Tenant", tenantId);
            pipeline.Commands.Add(cmd);

            Collection<PSObject> result = pipeline.Invoke();

            // there should be only one since we specified a unique identity
            PSObject urlConfig = result[0];
            // get the simple url
            simpleUrl = (string)urlConfig.Properties["ActiveUrl"].Value;
        }
        // enable the user
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Enable-CsUser");
            cmd.Parameters.Add("Identity", userPrincipalName);
            cmd.Parameters.Add("RegistrarPool", poolFQDN);
            cmd.Parameters.Add("SipAddressType", "UserPrincipalName");
            pipeline.Commands.Add(cmd);

            pipeline.Invoke();
        }
        // grant the dial plan
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Command cmd = new Command("Grant-CsDialPlan");
            cmd.Parameters.Add("Identity", userPrincipalName);
            cmd.Parameters.Add("PolicyName", dialPlanName);
            pipeline.Commands.Add(cmd);

            pipeline.Invoke();
        }
        // set the grouping and tenant ids
        using (Pipeline pipeline = runspace.CreatePipeline())
        {
            Hashtable properties = new Hashtable();
            properties.Add("msRTCSIP-GroupingID", tenantId);
            properties.Add("msRTCSIP-TenantId", tenantId);
            properties.Add("msRTCSIP-BaseSimpleUrl", simpleUrl);
            Command getCmd = new Command("Get-AdUser");
            getCmd.Parameters.Add("Identity", userPrincipalName);

            pipeline.Commands.Add(getCmd);

            // pipe the user to the set command; without this Add the properties are never written
            Command setCmd = new Command("Set-AdUser");
            setCmd.Parameters.Add("Replace", properties);
            pipeline.Commands.Add(setCmd);

            pipeline.Invoke();
        }
    }
