I’ve found a number of articles that discuss setting up Lync Room System (LRS) with Exchange and Lync On-Premise and with Exchange Online but none that dealt with a Hybrid Exchange deployment. Below are the steps I used to get LRS configured with Skype for Business Online and Exchange Online with a Hybrid deployment. For more information on Lync Room System, check on the following link…
Create Room Mailbox in Office 365
- Connect to Exchange Online via PowerShell
- To create the Room Mailbox, run “New-Mailbox -room -name “Skype Room Test” -RoomMailboxPassword (ConvertTo-SecureString ‘Password’ -AsPlainText -Force) -EnableRoomMailboxAccount $true”
- To configure the required calendar processing, run “Set-CalendarProcessing “Skype Room Test” -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -DeleteSubject $false”
- Log into the Office 365 Portal. Click on Active Users and find the Skype Room Test.
- Change the accounts Email Address / UPN to be “firstname.lastname@example.org” (where domain.com is your primary UPN suffix).
- Assign both a license for Both Exchange and Skype for Business to the account
Create Remote Mailbox On-Premise
- Log into the Exchange Admin Center on-premise
- Click on Recipients –> Mailboxes
- Click on the drop down next to the + sign and select “Office 365 mailbox”
- Enter the appropriate account information
- Open the new account in AD Users and Computers and verify that the UPN and the primary Mail value match what you set in Office 365
- Force or wait for a directory synchronization to run
- Verify that the account in the Office 365 Portal shows as “Synced” versus “Cloud”
Enable Lync Room Account
- Connect to Skype for Business via PowerShell
- Determine an existing accounts Registrar Pool by running “Get-CSOnlineUser email@example.com | FL Name,RegistrarPool”
- To enable LRS, run “Enable-CsMeetingRoom –Identity firstname.lastname@example.org -SipAddressType EmailAddress –RegistrarPool pool.infra.lync.com” where “pool.infra.lync.com” is the RegistrarPool value determined in Step 2
The following steps should be performed when the SSL certificate on your ADFS Server is close to expiring…
- Make sure you know the username and password for the main domain.onmicrosoft.com Administrator account.
- Install the new certificate on the ADFS Server. If you have a primary and secondary ADFS Server, make sure to install the certificate on both servers.
- Launch the standard “blue” PowerShell on the ADFS Server as an Administrator.
- Run “Get-ChildItem -path cert:\LocalMachine\My” to determine the Certificate Thumbprint. Make a note of the thumbprint value.
- Run “Set-AdfsSslCertificate -Thumbprint Thumbprint” where Thumbprint is the value from Step 2.
- Run “Update-AdfsCertificate –Urgent”.
- Run “Connect-MsolService” and enter your Office 365 credentials from Step 1 in the Preliminary Steps section.
- Run “Update-MsolFederatedDomain -DomainName “domain.com”” where domain.com is the appropriate domain name. Note you may need to add the “-SupportMultipleDomain” if you have multiple federated domains.
- Restart the “Active Directory Federation Service” service.
- Attempt to login with an ADFS account and verify the certificate warning is gone.
A new version of the Azure Active Directory Module for PowerShell was released in mid September 2014. You can find the link to it here…
That’s great except if you are trying to install it on Windows Server 2008 R2. If you read the link it looks like all you need is the version of .NET and PowerShell that comes with Windows 2008 R2 (3.51 and 2.0 respectively).
When you install the updated version of the AAD Module for PowerShell on a vanilla machine and launch it though you are greeted with this message…
That doesn’t look good! I could never find any official support article but I found a couple of hints that it needed PowerShell 3.0. So I installed Windows Management Framework 3.0 on my system and tested again and it worked. You can download it here…
Note, if you are installing this on a production server, make sure you aren’t running any of the unsupported products listed under the System Requirements section.
Hope this helps!
The following steps should be performed when the SSL certificate on your ADFS Server is close to expiring. You will start to receive a warning in the Office 365 Portal about 30 days prior to expiration…
- Make sure you know the username and password for the main domain.onmicrosoft.com Administrator account
- Install the new certificate on the ADFS Server
- Make a note of its thumbprint value
- Bind the new certificate to the Default Web Site in IIS
- Launch the “Microsoft Online Services Module for Windows PowerShell” PowerShell
- Run “Add-PSSnapin Microsoft.Adfs.Powershell”
- Run “Set-ADFSCertificate -CertificateType Service-Communications -Thumbprint ThumbPrint” where ThumbPrint is the value from Step 3 in the Preliminary Steps section
- Run “Update-AdfsCertificate –Urgent”
- Run “Connect-MsolService” and enter your Office 365 credentials from Step 1 in the Preliminary Steps section
- Run “Update-MsolFederatedDomain -DomainName “domain.com”” where domain.com is the appropriate domain name. Note you may need to add the “-SupportMultipleDomain” depending on how things were initially setup
- Restart the AD FS 2.0 Windows Service
- Run “IISRESET” to restart IIS and its services
- Attempt to login with an ADFS account and verify the certificate warning is gone
If you receive the error “Not Authorized: HTTP Error 401. The requested resource requires user authentication” when trying to connect to your ADFS Server from inside the network here’s what you need to do to reset permissions in IIS…
- Launch the IIS Management Console and browse to Default Website
- Disable all Authentication options for the Default Web Site as well as the ADFS and LS Virtual Directories
- Enable Windows Authentication on the Default Web Site. Set Extended Protection to “Accept”
- Enable Anonymous Authentication on the ADFS Virtual Directory
- Enable Windows Authentication on the LS Virtual Directory. Set Extended Protection to “Accept”
- Run an IISRESET
To setup your browser to automatically authenticate you while connected to the internal network do the following…
- Open Internet Options in IE and click on the Security tab
- Click Local Intranet
- Click Custom
- Under the User Authentication section enable “Automatic logon with current user name and password”
- Click on the Advanced tab
- Under the Security section enable “Enable Integrated Windows Authentication”
More information on this can be found at the following Office 365 Forum post…