• If you decide to go virtual, Lync only supports Hyper-V R2 or ESX 4.0 platforms. Windows Server 2008 Hyper-V is NOT supported as “A number of enhancements that are critical for running virtualized Lync Server media workloads were implemented with Windows Server 2008 R2 to address network packet loss.”
• If you choose virtual. All roles in virtual must run on Windows Server 2008 R2 as the guest/child OS, citing more network optimizations.
• In general, all roles can be virtualized, except for the 3^rd party Survivable Branch hardware appliance (obviously).
• You need to decide physical or virtual on a per pool basis. Inside the pool, the roles on separate servers (physical or virtual) need to be of similar resources (hardware), as “Balanced end-to end-performance is required.”
• The exceptions to this rule, is you can always choose the Front End to be virtual and the DB backend to be physical in any scenario.
• Virtualization high availability features (Windows clustering, VMotion, Live Migration, etc.) are not a substitute for Lync’s built-in redundancy features inside its architecture (multiple front-end’s, SQL redundancy, etc.).
• Even in a small virtualized pool, the following are not recommended: shared networking port for host and guests, shared disk spindles for host and guests or for multiple guests, network connectivity less than 1GB, and dynamic disks.
• Disabling IPv6 on the host and guests will improve performance (although it doesn’t specify which technique to use for disabling. Is unchecking the box in Network Connection Properties enough even though it doesn’t completely disable IPv6?).
• Notes are included for enabling VMQ on Intel network adapters and other driver/reg modifications to improve performance.

Maybe it’s just me, or maybe I’ve not read other Microsoft server virtualization recommendation white papers… but this one was particularly detailed and full of real-word guidance for sizing virtual and physical machines, including what perfmon counters to use for baselining. Bravo Lync team. If only all server apps came with this level of detail.

There’s been a similar feature since XP to share connections, but this required you to use two different NIC’s and only supported peer-to-peer network. This software fixes both issues.

Software: Virtual Router – Wifi Hot Spot for Windows 7 – 2008 R2

Info: Share Wireless Internet Connection In Windows 7 Without Ad Hoc

1. Install the .NET Framework 3.5.1 feature
2. Download the SQL SP1 service pack
3. Expand the service pack by using 7zip or the command SQLServer2008SP1-KB968369-x64-ENU.exe /x:C:\SP1
4. Install the SQL Setup Support files from the SP1 download C:\SP1\x64\setup\1033\sqlsupport.msi
5. Now run the SQL Setup.exe from DVD or network and point setup to where SP1 is Setup.exe /PCUSource=C:\SP1

Note the long term best method is “Procedure 2: create a merged drop” but the above is great for the 1 or 2 installs.

Problem: when you send a link from Communicator client to another, the link isn’t clickable, has a _ (underbar) in front of it, or both.  Results may be different on different computers. It’ll look like this

_http://www.google.com

Solution:  Two things are happening here that are not related.  The first is the OCS Server (and Edge Server) have the URL Filter enabled, which are adding the _ underbar to all links.  Also called “Intelligent IM Filter”.  You need to tone that filter down or disable all together to your liking.  If users are coming in through an Edge Server, they will follow the Filter settings of the Edge Server they are using, which seams to supersede the Front End Server (my guess is the most restrictive wins).  So be sure to set it on both servers separately.  Results were instant in new IM’s.

The other issue is the lack of a clickable hyperlink.  If you disable the URL Filters above, the underbar goes away but links are still not blue and underlined.  To fix this you need to apply a GPO or set a local registry setting to allow Communicator to make hyperlinks clickable:

HKEY_CURRENT_USER\Software\Policies\Microsoft\Communicator\
new DWORD EnableURL=1

After that exit and restart Communicator.

In both of these cases they are secure by default, which is great; but even years after this features release over several versions their use and configuration are still a mystery to most starting out.

please log in access was denied 0×85010002

In the ISA Monitoring you would see a denied connection on your ActiveSync rule with this status:

12239 The server requires authorization to fulfill the request. Access to the Web server is denied. Contact the server administrator.

I tested with Windows Mobile Emulator from outside the firewall and was able to reproduce the error within hours (just letting it sit there).

I first thought this was the HTTP session timeout that changed with a Exchange 2003  service pack when Direct Push came out back in 2005.  I remembered that setting and looked under the ISA Web Listener for ActiveSync on the Connections tab>Advanced>“connection timeout”.  The wizard had correctly set it to 1800 seconds (30 minutes). No dice.

I poked around the web listener settings some more and noticed the timeout settings for forms authentication were set (this same web listener was used for OWA).  ISA is supposed to be smart enough to not apply any of the forms auth settings to clients that don’t support it (falling back to basic auth as with ActiveSync).

Tom and the forums at isaserver.org confirmed my suspicion.  The forms auth timeout was indeed affecting ActiveSync.  To find it, look for the web listener of your ActiveSync rule, go to properties>Forms tab>Advanced> and make sure “apply session timeout to non-browser clients” is unchecked. 

Failed to configure the service NETLOGON as requested “the wait operation timed out.”

The root problem was that this domain controller had a DNS entry to another domain controller that no longer existed.  It was trying to contact it but couldn’t.  Removing that entry and running dcpromo.exe again solved it.

I discovered one more resaon beyond the obvious permissions problems.  If you put a graphic or something embded in a page, then publish that page but NOT the embeded object (i.e. it’s still draft or unapproved) you’ll get an auth prompt when the page loads.

On a busy (lots of stuff) page it can be tough to find what’s the issue.  The quickest way I’ve found to discover the problem (99% of time an image) is to cancel out of auth prompts, then look for broken stuff on the page.  An image you can right click the broken icon and find the location of it… then jump to that library and check the file.  My bet is it’s never been published.

• search is running but no results returned
• search errors in event log (can’t access content, etc.)
• you can access sites fine from other boxes but not from the local server
• only seems to happen for URL’s (http://sitename1, http://sitename2) that are different then the host name (http://servername).

Problem:

Windows Server 2003 SP2 and newer (Windows Server 2008) have a Anti Denial Of Service feature that prevents the server from accessing itself via different names (that’s the simple answer).

Fix (assuming you want to keep your custom URL’s):

• Set a registry value to turn off this security feature (I still don’t understand the specific type of attack that it’s preventing)
• Set a registry value to a list of all the cname’s your server goes by.

Further Info:

• example SharePoint people having the issue
• short explanation of fix
• long explanation of issue and risks

Rant:

In the KB Microsoft basically says “don’t turn it all off unless your lame”, so your left with “edit the registry every time you add a website”.  This is a cumbersome workaround for something that happens out of the box default.  Most SharePoint boxes will want more then one web site name and best practice says to NOT make production sites the server name. IMO SharePoint should be updating the reg key itself and keep in sync with the host headers created/managed by central admin. Or, the localhost loopback “new feature” should be looking at iis host headers and allowing them.

OK so this blog post explains it well but it has gotten worse since that post a month ago.  Here’s an update and shorter version of what’s going on:

There’s a optional monitoring feature of OCS that many small shops likely won’t install. That’s fine, cus it’s optional right?  Well turns out it’s now required (actually just part of it, the MSMQ service) for a hotfix to successfully install.  That hotfix is now on Microsoft Update and is likely already on your box, WSUS, SCCM, SMS, etc: (KB967831).  The patch is not smart enough to either:

1. Do pre-check’s and prevent install unless you have MSMQ
2. Roll back it’s changes to leave you in a running state
3. Or ignore the fact that you don’t have something optional installed in the first place and just keep patching

So it leaves you a nice broke server to repair in the morning.  Front-End and Edge Services service stopped, with cryptic misleading Event Log messages.  So multiple boxes are down.  Crazy thing is this happens in a “default install” scenario as if no one full tested the patch or something.  I would give a pass for a hotfix, but a MU patch… fail!

Quick fix: install MSMQ (even though you don’t need it unless you setup RtcQmaAgent for OCS Monitoring) via this script (win2003 servers), then re-run the update either via MU or downloading and running it manually.

From the responsiveness of the interface, awesome boot and return-from-sleep times, to the overall look, the new “best taskbar eva”, to little things like knowing the difference between a “default audio device” (speakers) and your “default communications device” (headset or webcam/mic)…. it’s got a lot going for it.  I’m starting to get more comfortable with the “library” concepts (old habits of caring exactly where your file is located on disk die hard).  Though, I’m still not a huge IE8 fan compared to Firefox (and now my new fav: Chrome… yes I said it.  Just give it’s minimalism a week and you won’t miss the bloat of Firefox’s add-ins).

Just tried the “play to” option in Media Player to push music from my office to the living room PC, which is plugged into the house audio receiver. Couldn’t be easier.  Love the simple and effective management window.

Next is to decide how I will implement a HomeGroup, which removes the need for me to manage share permissions, user passwords, etc. on the various home computers.