Monday, December 17, 2018

SFB does not deliver a call due to a duplicate

We had a case where a duplicate prevented a call from being delivered to a Polycom VVX. As you can imagine, we spent some time taking logs to understand the issue, but it is simply not visible at that level. When we got traces from the SBA mediation server, it was clear that the call was rejected by SFB due to a duplicate.

ms-diagnostics: 4002;reason="Multiple users associated with the source phone number";

Checking in PowerShell revealed nothing; however, in the SQL resources table on the SBA we discovered records that were deleted but never left SQL.

Here is how to check this:    and

Thursday, August 30, 2018

Select Windows 2016 with GUI right from the beginning

Do not forget to select Windows 2016 with Desktop Experience, unless you want the Server Core flavour. You cannot convert from Core to GUI; you have to reinstall.

Monday, July 2, 2018

Sonus SBC 1000 SNMP traps and SNMP GET

To set up SNMP for Sonus, please use the following reference:

Note also that the community string should be lowercase; check firewall settings for UDP 162 and 161.

Use a MIB browser to work out the OID for the specific interface you want to monitor.

As example:

Monday, June 18, 2018

Web analytics SP2013 vs SP2010

Reminder: web site analytics in SP2010 is accessible via Central Administration, but in SP2013 it is at each site's administration level.

SQL alias for SharePoint Database

A few words about creating a SQL alias for SharePoint: imagine you want to move the SharePoint DB to another server. If you hardcode the server as an FQDN, you will need to manage the move at DNS level and point the name to the other server. But you can also use SQL aliases and define them locally, so that SharePoint reaches the SQL server by alias rather than by FQDN:

Thursday, June 14, 2018

Tuesday, May 29, 2018

Skype for Business Hybrid one way

We have a problem of one-way presence in a hybrid deployment. From on-prem, we cannot see online users in the same domain. Here is the SUBSCRIBE OK we get on the on-prem side:

TL_INFO(TF_PROTOCOL) [EDGE01\EDGE01]0E00.1480::05/25/2018-19:37:29.817.0000BB79 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(261)) [2044151173] Trace-Correlation-Id: 2044151173
Instance-Id: F3
Direction: incoming;source="external edge";destination="internal edge"
Message-Type: response
Start-Line: SIP/2.0 200 OK
From: "Test Skype1";tag=b8040a09ec;epid=ff13667dd7
To: ;tag=5C4D0080
Call-ID: f7f33e99902d45488e4b2c76924d00a5
Via: SIP/2.0/TLS;branch=z9hG4bK9FE0F169.F3E35464A2AA98C9;branched=FALSE;ms-internal-info="aaDSMbd_7l0a4U9R6npyIrDBxYlV2GUNocfizAJ2ScR15kVOPzyc4VHQAA";received=;ms-received-port=49186;ms-received-cid=B6C95E00
Via: SIP/2.0/TLS;branch=z9hG4bKB46E0708.870D177F11B578C8;branched=FALSE;ms-received-port=61901;ms-received-cid=300
Via: SIP/2.0/TLS;branch=z9hG4bK7D7D836D.E605002CA2AA98C9;branched=FALSE;ms-received-port=49176;ms-received-cid=4DBD00
Via: SIP/2.0/TLS;received=;ms-received-port=55348;ms-received-cid=1400
Record-Route: ;tag=6B374769C547A54AF3927B7A63EC325B
Content-Length: 470
Content-Type: multipart/related; type="application/rlmi+xml";start=resourceList; boundary=1550b37c575843dbb98e18be4e840f3d
ms-split-domain-info: ms-traffic-type=SplitIntra
ms-telemetry-id: D31CB29B-EEE7-56FB-A1C5-7F04353D74C3
Expires: 0
Require: eventlist
Event: presence
subscription-state: terminated;expires=0
ms-piggyback-cseq: 1
Supported: ms-piggyback-first-notify
--1550b37c575843dbb98e18be4e840f3d
Content-Transfer-Encoding: binary
Content-ID: resourceList
Content-Type: application/rlmi+xml
--1550b37c575843dbb98e18be4e840f3d--

Solution: refresh the directory schema in AADConnect.

Monday, May 28, 2018

How to check user attributes in Azure AD


Log in with a user who has access to Azure AD,

then type the URL:

Monday, May 7, 2018

Windows 7 WebDAV client requires SHA protocol

If you have a SharePoint site that provides Open with Explorer functionality, make sure you do not disable the SHA (hash) protocol on your server. Otherwise some Windows 7 clients will not be able to open shares in Explorer.

Thursday, April 12, 2018

Exchange and Skype for Business error 14563: Two servers cannot be configured at the same FQDN with different server version numbers.

Event ID 14563
Source LS Protocol Stack

Two servers cannot be configured at the same FQDN with different server version numbers.

Cannot configure a server at FQDN [] because another server is already configured there with a different server version number.
Cause: This is a configuration problem.
Review the server roles that are configured at this FQDN and ensure that they have identical version numbers.

Please review

It seems that you have a trustedapplicationpool defined in the topology and the UM server is also assigned to a dial plan. This pushes the server name to Skype twice.

Remove it from the topology or, if you have several servers, arrange it so that the name is populated without a conflict.

Wednesday, April 11, 2018

Microsoft-Windows-Windows Fabric/Admin warning 4097 in Skype for Business


If you have this error (actually a warning) on a Skype for Business Front End, you can most probably ignore it.


Check settings.xml in C:\ProgramData\Windows Fabric\\Fabric\Fabric.Config.1.0.0

There you can see

   <Parameter Name="IgnoreCrlOfflineError" Value="true" />
   <Parameter Name="CrlCheckingFlag" Value="3221225476" />

So the setting is to ignore the error. You can find the description of CrlCheckingFlag in
C:\Program Files\Skype for Business Server 2015\Server\Core\ClusterManifest.Xml.Template

CrlCheckingFlag setting follows the rest of the Lync Server components (sipstack, web) which
        set the following flags:
               CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL           =0x00000004 |  // do not go on the wire for cert retrieval
               CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY        =0x80000000 |  // do not go on the wire for cert revocation check

                                                              0xC0000004=3221225476 (unsigned int)

As you can see, CrlCheckingFlag equals 0xC0000004,

which means: check cache only, exclude root. That is, only the intermediate CRL is checked, and only if it is cached locally.

To check the local cache (of the current user), use the command

certutil -urlcache CRL

To cache a specific CRL, use the command

certutil -f -urlfetch -verify gvasfe1.cer
where the .cer is a file containing a certificate

Fabric runs as Network Service, so you can check that cache as well, but it would require some hacking:

Summary: as you can see, SFB Windows Fabric is set up to ignore the error and continue. The error may come from problems retrieving the CRL or from the CRL being absent from the local cache. In most cases you should also ignore this error. If you want to fix it (not recommended), replace %CRLCHECKINGFLAG% in ClusterManifest.Xml.Template with 0 and reboot.
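To read a CrlCheckingFlag value without doing the hex arithmetic by hand, the following added example (not part of the original post or of Skype for Business) decodes it into the CertGetCertificateChain flag names from wincrypt.h. The `<Settings>`/`<Section>` wrapper in the sample XML and the function name are constructed for illustration; only the two Parameter entries come from the post.

```powershell
# Added example: decode CrlCheckingFlag into CertGetCertificateChain flag names.
# Flag values are from wincrypt.h (subset relevant to revocation and caching).
$ChainFlags = [ordered]@{
    CERT_CHAIN_CACHE_END_CERT                      = '0x00000001'
    CERT_CHAIN_CACHE_ONLY_URL_RETRIEVAL            = '0x00000004'
    CERT_CHAIN_USE_LOCAL_MACHINE_STORE             = '0x00000008'
    CERT_CHAIN_REVOCATION_ACCUMULATIVE_TIMEOUT     = '0x08000000'
    CERT_CHAIN_REVOCATION_CHECK_END_CERT           = '0x10000000'
    CERT_CHAIN_REVOCATION_CHECK_CHAIN              = '0x20000000'
    CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT = '0x40000000'
    CERT_CHAIN_REVOCATION_CHECK_CACHE_ONLY         = '0x80000000'
}

function ConvertFrom-CrlCheckingFlag {
    param([Parameter(Mandatory)][string]$Value)    # decimal string, as stored in settings.xml
    $flag  = [long][uint32]::Parse($Value)          # long avoids Int32 sign issues on bit 31
    $known = 0L
    $names = foreach ($entry in $ChainFlags.GetEnumerator()) {
        $bit = [long][Convert]::ToUInt32($entry.Value, 16)
        if ($flag -band $bit) { $known = $known -bor $bit; $entry.Key }
    }
    [pscustomobject]@{
        Hex               = '0x{0:X8}' -f $flag
        Flags             = @($names)
        UnknownBits       = '0x{0:X8}' -f ($flag -band (-bnot $known))
        RevocationChecked = [bool]($flag -band 0x70000000)   # any REVOCATION_CHECK_* scope bit
    }
}

# Constructed sample shaped like the two parameters quoted in the post.
# On a Front End, load the real file instead: [xml](Get-Content -Raw <path to settings.xml>)
[xml]$settings = @'
<Settings>
  <Section Name="Security">
    <Parameter Name="IgnoreCrlOfflineError" Value="true" />
    <Parameter Name="CrlCheckingFlag" Value="3221225476" />
  </Section>
</Settings>
'@

# local-name() keeps the XPath working whether or not the real file declares a namespace.
$param = $settings.SelectSingleNode("//*[local-name()='Parameter'][@Name='CrlCheckingFlag']")
ConvertFrom-CrlCheckingFlag -Value $param.GetAttribute('Value') | Format-List
```

The "exclude root" part of the post's reading corresponds to the 0x40000000 bit, which 0xC0000004 contains in addition to the two flags listed in the template comment. Calling the function with `-Value 0` returns an empty flag list and `RevocationChecked = False`.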

Thursday, March 15, 2018

ExMon - a tool to measure Exchange 2016 usage

Wednesday, March 14, 2018

Windows 2008 R2 TLS Poodle vulnerability

Install KB2655992 and reboot the server

Exchange 2016 Preferred Architecture

Microsoft has designed a Preferred Architecture (PA) model which sounds more like sci-fi for real-world installations: companies want to use virtualisation, PA talks about physical servers; companies want SAN, PA wants DAS, etc.

Get more information here:

A few more sessions dedicated to PA:

And the epic one:    realworld non-PA implementations.

Friday, January 26, 2018

Integration with Exchange Online breaks Skype for Business federation


If you follow this article to set up your integration with Exchange Online (for voicemail)

you may kill your SFB federation. If this is the case, please note the following specificity of SFB:

When you set up Edge, you will be confronted with a choice of where to set your DNS. You can set it to external DNS, such as  or your internal DNS.

If you select external, you might need to define some hosts file entries, such as for the Front End pool, etc. Not ideal, right?

So you select internal DNS. However, once you run

New-CsHostingProvider -Identity UMonline -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFQDN "" -IsLocal $False -VerificationLevel UseSourceVerification

you cut off all federation. This is because, after this PowerShell command, the Edge will try to look up its own SRV record _sipfederationtls._tcp   and, because that record is usually not defined internally, the lookup will fail.

The solution is to check what is defined externally and create exactly the same in the internal split-DNS zone (an SRV record pointing to an A record for the external public IP of the Edge access (SIP) interface).
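One way to run that comparison, as an added example that is not part of the original post: query the federation SRV record against an external and an internal resolver and compare the answers. The function names are hypothetical, and example.com, sip.example.com and 203.0.113.10 are constructed placeholders.

```powershell
# Added example: compare the _sipfederationtls._tcp SRV answer seen through
# internal DNS with the one published externally.

# Live lookup against one resolver: SRV target and port plus the target's A records.
function Get-FederationSrv {
    param([Parameter(Mandatory)][string]$SipDomain,
          [Parameter(Mandatory)][string]$DnsServer)
    $q = @{ Server = $DnsServer; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    $srv = Resolve-DnsName -Name "_sipfederationtls._tcp.$SipDomain" -Type SRV @q |
        Where-Object { $_.Type -eq 'SRV' }      # drop SOA/additional records
    foreach ($r in $srv) {
        $ips = Resolve-DnsName -Name $r.NameTarget -Type A @q |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object IPAddress
        [pscustomobject]@{
            Target  = $r.NameTarget
            Port    = [int]$r.Port
            Address = @($ips | Sort-Object) -join ','
        }
    }
}

# Pure comparison, so it can be checked offline with constructed records.
function Compare-FederationSrv {
    param([object[]]$External, [object[]]$Internal)
    if (-not $External) { return 'NO-EXTERNAL: nothing published externally to compare against' }
    if (-not $Internal) { return 'MISSING: internal zone has no _sipfederationtls._tcp SRV' }
    $diff = Compare-Object $External $Internal -Property Target, Port, Address
    if ($diff) { return 'MISMATCH: internal SRV target, port or address differs from external' }
    'OK: internal SRV matches external'
}

# Constructed records: what the external zone publishes vs. an empty internal zone,
# then the internal zone after the matching SRV and A records were created.
$external = [pscustomobject]@{ Target = 'sip.example.com'; Port = 5061; Address = '203.0.113.10' }
Compare-FederationSrv -External $external -Internal @()
Compare-FederationSrv -External $external -Internal $external

# Live use from the Edge server (resolver addresses are yours to fill in):
# Compare-FederationSrv -External (Get-FederationSrv example.com <external resolver IP>) `
#                       -Internal (Get-FederationSrv example.com <internal DNS server IP>)
```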