Lync Edge Server Replication failed FALSE with red cross

-
LYNC REPLICATION NOT WORKING

In a Lync Deployment, where we have installed Lync Edge Server, we see the Replication is not healthy. You will notice a red cross or in the Management Shell the Replication is not UpToDate: False.

If actually have telnet to the Edge Servers Port 4443, you realize that the port is open and working.
As well you can test access the service itself:
https://<edgeserver.fqdn>/replicationwebservice

Via this access, you also be able to validate the assigned internal Certificate and the Certificate Chain. If you encounter an error with trusted root certificate, you will end up adding it other Trusted Root Authorities.

Afterwards, you will still encounter the red cross, or false up-to-date status.

This is normal!
The Replication itself is working fine, but your Connectivity to the Edge is limited.
This mean we cannot query the service due to the SECURE CHANNEL limitation.

Solution:
Open REGEDIT
navigate to:

HKey_Local_Machine\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

add the new DWORD:
ClientAuthTrustMode Value=2

Now reboot the edge server. After it has restarted, you might need forcing the CMS to replicate:
Invoke-CsManagementStoreReplication

Problem is now solved...!

-----------------------

Documentation:

Validation:





Set new Registry Key on Edge Server:

Do not forget the reboot.

Verification:



---------------------------------------

NOTE:
I was asked a few time, what acually is happened if the SQL Server shows a Red Corss.
This is failed topolgy configuration and should be validated.
I post a correct few.
 

 

You should also validated your Get-CsManagementStoreReplicationStatus. There should be not SQL Server shown.



Comments

  1. LynciverseJanuary 10, 2014 at 1:39 PM

    Thanks Thomas. I didn't even know I had this issue until I checked today after applying the January 2014 CU.

    ReplyDelete
  2. Anil Kumar NudurupatiJanuary 13, 2014 at 2:34 PM

    Hi Thomas, I have checked my topology and found for the SQL server it shows red cross. How to resolve this issue

    ReplyDelete
    Replies
    1. Thomas PoettJanuary 13, 2014 at 5:03 PM

      Hi Anil,

      this should not eb happend, SQL must show N/A.
      Since it has NO Lync services installed.
      Can you double check this.
      Cheers
      Thomas

      Delete
  3. Neeranjan ShettarJanuary 14, 2014 at 1:36 PM

    Hello Thomas,

    Cross Checked, SQL showing with RedCross. do you have any resolution for the same.

    Regards,
    Neeranjan !!

    ReplyDelete
    Replies
    1. Thomas PoettJanuary 14, 2014 at 4:42 PM

      Hi Neeranjan,

      i have updated the article regarding the SQL Servers. This is a Enterprise Configuration with SQL Mirroring.
      As seen, there are no red cross.
      This is normal, due to, Lync need some Lync Componets to be installed and on any SQL Server this cannot be happend, even would not be supported.
      Therefor, if a red cross is shown, the lync topology is in an incorrect state.
      You need to validate the installation and have to move back to an supported topology.

      Delete
  4. UnknownJanuary 16, 2014 at 10:41 PM

    Thanks so much! This did the trick for me.

    ReplyDelete
  5. UnknownMarch 23, 2014 at 5:11 PM

    Thank you

    ReplyDelete
  6. Fady NaguibApril 14, 2014 at 9:38 AM

    Many thanks for your Great solution. It solved my issue after Jan 2014 CU

    ReplyDelete
  7. Kai StenbergSeptember 26, 2014 at 3:13 PM

    Solved my problem, thanks for shareing

    ReplyDelete
  8. AnonymousJanuary 18, 2015 at 6:07 PM

    This saved my job - Thank you so much

    ReplyDelete
  9. ArifMarch 2, 2015 at 7:42 AM

    I have faced the same issue with my second edge server in the pool. Issue resolved after modifying the registry as per your article. Thank much Thomas..

    ReplyDelete
  10. Thomas PoettMarch 2, 2015 at 10:02 AM

    To all my fellow friends, thank you for all your comments, they much appreciated.

    ReplyDelete
  11. UnknownApril 22, 2015 at 7:04 PM

    Any idea why this would have suddenly occurred? We discovered the issue when setting up a hybrid Lync environment and presence would not work between on-prem and online. Why would we need to add a registry key to the edge servers that didn't exist before when replication worked fine?

    ReplyDelete
    Replies
    1. Thomas PoettApril 23, 2015 at 8:13 AM

      Hi Chris,
      you asked a good question.
      In your case it was different. As I wrote the replication was still working and a secure channel was need just querying the status.
      In your case, it seem something else was fix, if the presence between the cloud and on-prem isn't working. there are other things you needed to fix, possible as you did.
      Hope this helps

      Delete
  12. UnknownSeptember 24, 2015 at 6:27 PM

    Hi Thomas, I'm having this problem with Skype for Business, and I applied this regedit workaround but I'm still having the "X" on the Control Panel for the EDGE replication.

    I don't know if there is anything else I can do on Skype for Business 2015.

    PD: My servers are Windows 2012 R2 completely updated.

    Cheers,
    Saul

    ReplyDelete
    Replies
    1. Thomas PoettOctober 12, 2015 at 9:55 AM

      Hi Soul, in Skype for Business it is the same solution. It is part of the OS, not of Skype or Lync. Therefor it should have solved you problem.
      Please check if the firewall inside (LAN) is setup correctly if you still experience a red X. If you have set the regkey, it might be the problem on the firewall.

      Delete
  13. UnknownMarch 2, 2016 at 2:48 PM

    Thanks for posting this! It fixed my issue.

    Doing a trace of replication in OCSLogger, I was getting '403 forbidden' errors after the cert was verified. Your reg hack worked like a charm.

    ReplyDelete
  14. UnknownNovember 7, 2016 at 2:02 PM

    Hi I'm new to lync, I have a replication issue. I think I have a cert issue but all the certs seem fine. anything I can try to get it working again. Please help

    ReplyDelete
  15. UnknownNovember 7, 2016 at 2:04 PM

    Hi Im new to lync, from where do I generate the cert to get the replication working again.
    Please advice

    ReplyDelete
    Replies
    1. Thomas PoettNovember 9, 2016 at 10:39 AM

      Hi Ruaan
      you two cerficates on the Edge.
      Internal, this you request on you internal CA.
      External, this you request on an public CA, e.g. DigiCert or GoDaddy. (any other CA is possible too)
      Us the Certificate Wizard on the Edge an save the request in a file. Than you proceed as usual.

      Delete

Post a Comment

Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

-
Image
How to hide and un-hide users from Global Address List (GAL) in Exchange Online if they are AD Connect synchronized Hiding User from GAL isn't possible if those are synchronized form On-Premises Active Directory. The local AD is the leading system for all important attributes, like SMTP, UPN and hiding from GAL. Especially during a cross-tenant migration, you do not want to see not migrated user in the GAL. Those User aren't actively working until their cut-over day. Since the Exchange Online attribute  msExchHideFromAddressList s is an AD on-premises parameter, we have two possible ways hiding user in BME from GAL.   Modify the AD Connect for your teant with a custom rule, by using a extensionAttribute to set the HidefromGAL. In this rule, for users which have an entry in the extensionAttribute, hiding / un-hiding will be controlled by AD Connect This is the best option for Cross-Tenant Migration, if you run 2 or more AD Connect system We direct modif...
Read more

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

-
Image
Lync Edge Server FQDN and IP PORTS (Version 1.2, Update 26.11.2014) As we all know, we can configure Lync Edge Server in several way. 1) Single Edge Server with a SINGLE IP ADDRESS 2) Single Edge Server with MULTIPLE IP ADDRESSES (3x IPs) 3) Multiple Edge Server in a Pool, with MULTIPLE IP ADDRESSES (Zx 3 IPs) Regardless what we are going to configure, there are common / well-known TCP Port necessary making Lync work, which are: Access: Port: 443 and 5061 Conferencing: Port: 443 and (444) AV: Port: 443 (I have not listed other ports, e.g. STUN or the dynamic port range. This is not required for the topic discussed here) External FQDN with single IP address: What can we see here? If we are going to choose a single IP address, we would have TCP Port overlapping. Therefore the only way avoiding this is assigning other ports. Additionally we will also see and are reminded that Lync highly depends on DNS. If we have single IP, we must have use single, uniqu...
Read more

MFA with Guest Access and different tenants settings

-
Image
There is an update regarding MFA Multi Factor Authentication. If you are guest with a different Tenant, the MFA Settings are now reflecting the settings of all tenants in a different way. Each MFA setting is reflected and you can setup your MFA device as per tenant and the admin settings allow. Login to your Profile in Office 365/ Azure AD: https://account.activedirectory.windowsazure.com/r/#/profile or https://myapps.microsoft.com Go to your PROFILE: Sign in to https://myapps.microsoft.com Select your account name in the top right, then select profile. Select Additional security verification. If might be happen, your admin hast configured MFA, so you wouldn't see this menu. Simply switch the tenant to the guest tenant where you need to configure MFA. Once you go back to your profile and you will find the MFA device and other settings a usual:
Read more