Search This Blog

Thursday, April 12, 2018

Exchange and Skype for Business error 14563: Two servers cannot be configured at the same FQDN with different server version numbers.

Event ID 14563
Source LS Protocol Stack

Two servers cannot be configured at the same FQDN with different server version numbers.

Cannot configure a server at FQDN [exchange.doamin.com] because another server is already configured there with a different server version number.
Cause: This is a configuration problem.
Resolution:
Review the server roles that are configured at this FQDN and ensure that they have identical version numbers.


Please review https://blogs.technet.microsoft.com/jenstr/2012/11/13/when-to-have-a-lync-trusted-application-pool-for-exchange-owa-im-integration/


It seems that you have trustedapplicationpool defined in Topology and also UM server is assigned for a dial plan.  This will push twice server name to Skype.

Remove from topology or if you have several servers, do it in the way that it is popolated without a conflict.


Wednesday, April 11, 2018

Microsoft-Windows-Windows Fabric/Admin warning 4097 in Skype for Business

Hello,

if you have this error (actually warning) in Skype for Business FrontEnd, you most probably  can ignore it.

Investigation:

check settings.xml in C:\ProgramData\Windows Fabric\GVASFE1.domain.com\Fabric\Fabric.Config.1.0.0

you can see

   Parameter Name="IgnoreCrlOfflineError" Value="true" 
   Parameter Name="CrlCheckingFlag" Value="3221225476"


So the setting is set to ignore the error. The description of CrlCheckingFlag  you can find in
C:\Program Files\Skype for Business Server 2015\Server\Core\ClusterManifest.Xml.Template

CrlCheckingFlag setting follows the rest of the Lync Server components (sipstack, web) which
        set the following flags:
               CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL           =0x00000004 |  // do not go on the wire for cert retrieval
               CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY        =0x80000000 |  // do not go on the wire for cert revocation check
               CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT=0x40000000

                                                              0xC0000004=3221225476 (unsigned int)
     
     


as you see  CrlCheckingFlag equal 0xC0000004

means - check cache only - exclude root - we must be checking only intermediate CRL and if it is locally cached.

to check local cache (of current user) use command

certutil -urlcache CRL

to chache a specific CRL - use command

certutil -f -urlfetch -verify gvasfe1.cer
where cer is a file with a certificate
refer https://blogs.technet.microsoft.com/pki/2006/11/30/basic-crl-checking-with-certutil/ 

Fabric run as network service, so you can check that also, but it would require hacking: https://windoh.wordpress.com/2011/04/23/crl-caching-in-windows-and-a-little-bit-about-ocsp-caching-too/


Summary: as you can see SFB Windows fabric is set up to ignore the error and continue, the error may come from issues retrieving CRL or absence of CRL in local cache. In most cases you should also ignore this error.   If you want to fix it (not recommended), replace in ClusterManifest.Xml.Template %CRLCHECKINGFLAG% as 0 and reboot

Thursday, March 15, 2018

ExMon - a tool to measure Exchange 2016 usage

https://blogs.technet.microsoft.com/exchange/2016/02/16/exchange-2013-and-2016-exmon-tool-is-now-available/

Wednesday, March 14, 2018

Windows 2008 R2 TLS Poodle vulnerability

Install KB2655992 and reboot server

Exchange 2016 Prefered Architecture

Microsoft has designed a Prefered Architecture model (PA) which sounds more like Sci-fi for real world installation - companies want to use Virtualisation, PA talk about physical servers, companies want SAN, PA - DAS, etc.

Get more information here: http://video.ch9.ms/sessions/ignite/2015/decks/BRK3197_Smith.pptx

few more session dedicated to PA: https://blogs.technet.microsoft.com/nawar/2017/10/04/ignite-2017-exchange-sessions/

And the epic one: https://www.youtube.com/watch?v=i5rsxynRI4E    realworld non-PA implementations.