Admin Roles for office 365

September 7, 2017

As Office 365 keeps growing, the number of roles will increase as Microsoft adds services.

So, to grant an Administrator only the role(s) required to manage the service he/she is responsible for, let’s summarize the Administration Roles we have on Office 365 as of today.

Role: Given Privileges

Global Administrator
  • Full permission
  • Grant Admin Roles to others

Billing Administrator
  • Purchasing
  • Manage Subscriptions
  • Manage Support Tickets
  • Monitor Service Health

Service Administrator *
  • Open Request Tickets with Microsoft
  • View Service Dashboard & Message Center

Password Administrator
  • Reset Password for others (if they don’t have privilege)
  • Manage Service Requests
  • Monitor Service Health

Exchange Administrator
  • Manage Mailboxes
  • Manage Anti-Spam policies

SharePoint Administrator
  • Manage SharePoint Online
  • Grant “Site Collection” & “Term Store” Administrators

Skype for Business Administrator
  • Configure Skype for Business
  • View all Activity Reports in the Office 365 Admin Center

Power BI Administrator
  • Access Office 365 Power BI Usage Metrics
  • Control the Organization’s usage of Power BI Features

Compliance Administrator
  • Manage Security & Compliance in the Organization
  • Has permission in: Office 365 Admin Center, Security & Compliance Center, Exchange Online Admin Center, Azure AD Admin Portal

User Management Administrator **
  • Reset Users’ Passwords
  • Monitor Service Health
  • Add/Delete some user accounts, Groups, and Service Requests

Delegated Administrator
  • User(s) from outside the Organization who perform administrative tasks on the Office 365 Tenant. We have to create an account for this user in the Tenant and use it to manage this tenant and other tenants if needed.
  • A Delegated Administrator can have:
    Full Administration -> equal to Global Administrator
    Limited Administration -> equal to Password Administrator

* Exchange, SharePoint and Skype for Business Admins should also be granted the “Service Administrator” role to be able to monitor the health of the service, changes and release information.

** Members of this role cannot delete a Global Admin, create other Admin Roles or reset the Passwords of Admins.
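As an added example (not part of the original post), the MSOnline script below lists who holds each admin role in the tenant, so you can verify that every administrator has only the role the table gives them. It assumes the MSOnline module is installed and Connect-MsolService has already been run; the threshold of 4 Global Administrators is an assumed value for the check, not a Microsoft recommendation.

```powershell
# Added example: audit Office 365 admin role membership for least privilege.
# Assumes: MSOnline module installed and Connect-MsolService already executed.
$MaxGlobalAdmins = 4   # assumed threshold, adjust to your organization's policy

# One row per (role, member) pair for every role that has at least one member.
$report = foreach ($role in Get-MsolRole) {
    foreach ($m in Get-MsolRoleMember -RoleObjectId $role.ObjectId) {
        [pscustomobject]@{
            Role        = $role.Name
            Member      = $m.EmailAddress
            DisplayName = $m.DisplayName
            MemberType  = $m.RoleMemberType
        }
    }
}

# Who holds what, grouped by role.
$report | Sort-Object Role, Member | Format-Table -AutoSize

# Global Administrator is exposed as "Company Administrator" in the MSOnline module.
$globalAdmins = @($report | Where-Object Role -eq "Company Administrator")
if ($globalAdmins.Count -gt $MaxGlobalAdmins) {
    Write-Warning ("{0} Global Administrators found; consider moving some of them to a scoped role from the table" -f $globalAdmins.Count)
}

# Anyone holding more than one admin role deserves a second look: a scoped role is
# usually enough, and stacking roles defeats the purpose of having them.
$report | Group-Object Member | Where-Object Count -gt 1 | ForEach-Object {
    Write-Warning ("{0} holds {1} admin roles: {2}" -f $_.Name, $_.Count, ($_.Group.Role -join ", "))
}
```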


Office 365 Tenant Dial Plan

As Microsoft already announced the General Availability of the Tenant Dial Plan in April 2017, let’s walk through together to understand the types and hierarchy of the new feature, and how to create and deal with it.

Firstly, let’s remember together what a Dial Plan and a Normalization Rule are.

Simply, if you use your traditional desk phone to dial a PSTN number, you used to dial a prefix, say 9, then dial the called number. You may see on the phone screen that some digits are gone, e.g. the 9, and others were added (maybe the country and area codes). Why? I didn’t dial that! But finally, you hear your colleague’s voice and the call is established successfully.

So, what happened is that the Engineering team in your company created a special formula that accepts your input and translates it to what you see on the screen.

This is what we call Normalization Rules and Dial Plans.

A Normalization Rule takes your input digits, transforms them into the view that appears on your screen and sends it to the PBX or the Gateway to reach your destination.

A Dial Plan is a set of normalization rules that translates phone numbers to a single standard (E.164) format for the purposes of phone authorization and call routing.

We are dealing with the same concept for on-premises and cloud solutions.

As we are focusing on the cloud part, let’s discuss it.

Tenant Dial Plans apply to Cloud PBX for online and hybrid users as well as dial-out for Cloud PSTN Conferencing.

Types of Tenant Dial Plans:

  • Service Country: this is the default dial plan assigned to each user according to his / her location when the object is created on Azure. So, if your account was created in the US, you are automatically granted the US Service Country Dial Plan created by Microsoft. This Dial Plan cannot be removed or changed.

  • Tenant Dial Plan: here we have 2 types:

1. Tenant Global Dial Plan: this is the Dial Plan applied to all users in the Tenant.

2. Tenant User Dial Plan: this is the customized Dial Plan you can create and grant to specific users.

Dial Plans

Service Country
  • Always exists
  • Applied to the user based on his location
  • Not to be changed

Tenant Global
  • Applies to all users in the tenant

Tenant User
  • Applies only to a specific user

Tenant Dial Plans Hierarchy:

Now we have sorted out 3 types of Dial Plans: Service Country, Global, and User. The question is which one of them will be applied to a user account?

If you remember from the Lync / Skype On-Premises solution, if we have Global, Site, Pool and User level Dial Plans, the one applied to the user is the User Dial Plan.

In the cloud it is different: the dial plans are merged together. All users will have the Service Country Dial Plan applied plus the Global or User tenant dial plan.

If you created a customized tenant Dial Plan and assigned it to a user, he/she will have the Service Country & Tenant User Dial Plans. If no user dial plan is created, the user will have the Service Country & Tenant Global Dial Plans.

Here is a screenshot to summarize how hierarchy applies:


Before you go and create your own Tenant User Dial Plan, please consider the below:

  • Do we really need a custom tenant Dial Plan? Is the existing one not enough?
  • Which type of tenant Dial Plan is required?
  • Identify only the valid number patterns required.
  • Keep the Dial Plan names consistent.

Creating Tenant Dial Plan

Let’s note some limitations before we start planning and creating Tenant Dial Plans:

  • Cmdlets only for now

Only PowerShell cmdlets are allowed for the time being. You cannot use the Skype for Business Online admin console to create dial plans.

  • Support for External Access Prefix (EAP)

Currently not available with Tenant Dial Plans, but will be enabled soon.

  • Not currently supported with certified IP phones

The current certification spec did not include support for tenant dial plans, as this feature did not exist until now. Soon it will be available.

  • Maximum number of Normalization Rules

As per Microsoft, you are allowed to add 25 Normalization Rules for each Dial Plan.

If you exceed this number, you should get the error message “Maximum Normalization Rules cannot exceed 25”.

During my testing, I successfully added 28 and got this error message while adding number 29. But let’s agree we will follow what is announced by Microsoft: 25 is the maximum.

  • Working with Online Voice Policies is not yet available
  • Working with Online Voice Routes is not available yet

Creating Tenant User Dial plan:

After you have connected to your tenant, and of course you have been granted Admin privileges on Skype for Business, you can use PowerShell to list the cmdlets that deal with Tenant Dial Plans:

C:\> Get-Command *tenantdialp*

To summarize the creation of the Tenant User Dial Plan, let’s follow the guide below:

Create a Tenant Dial Plan

  • Create the Normalization rules in memory as a variable.
  • Add the Normalization Rules to the tenant Dial Plan.
  • Then, grant the Dial Plan to a specific user.
  • Review the Normalization rules associated with the tenant Dial Plan.
  • Test the effective tenant dial plans assigned to a specific user.
  • Test the outcome of a specific user dialing a number.
  • Allow Hybrid users to consume tenant dial plans.

The table below shows the cmdlets required to create a Tenant User Dial Plan.

Task: Create a new dial plan and add normalization rules

New-CsTenantDialPlan -Identity RedmondDialPlan -Description "Dial Plan for Redmond" -SimpleName "Dial-Plan-for-Redmond"

$nr1 = New-CsVoiceNormalizationRule -Parent RedmondDialPlan -Description "7 digit local dialing" -Pattern '^(\d{7})$' -Translation '+1425$1' -Name NR1 -IsInternalExtension $false -InMemory

Set-CsTenantDialPlan -Identity RedmondDialPlan -NormalizationRules @{add=$nr1}

Task: Grant a dial plan to a specific user

Grant-CsTenantDialPlan -Identity garthf@contoso.com -PolicyName RedmondDialPlan

Task: View the normalization rules associated with a tenant dial plan

(Get-CsTenantDialPlan RedmondDialPlan).NormalizationRules

Task: Determine the effective dial plan for a specific user

Get-CsEffectiveTenantDialPlan -Identity garthf@contoso.com

Task: Test the outcome of a specific user dialing a number

Get-CsEffectiveTenantDialPlan -Identity garthf@contoso.com | Test-CsEffectiveTenantDialPlan -DialedNumber 5551234

Task: Allow hybrid users to consume the tenant dial plan

Set-CsTenantHybridConfiguration -UseOnPremDialPlan $false

Then, the user can use the granted dial plans to place / receive PSTN calls normally.

Note: the -NormalizationRules parameter accepts three operations that modify the list:

  • @{Add=...}: adding values
  • @{Remove=...}: removing values
  • @{Replace=...}: replacing values

If you want to check the Normalization Rules applied to a specific user, you can check the Skype for Business user log using Snooper and search for “LocationProfileDescription”.

You should see all the rules, Tenant User & Service Country, appear in the log.

Tenant Global Dial plan:

The Global tenant Dial Plan already exists and you can modify it. Let’s summarize the process in the table below:

Outcome: Add a Normalization Rule to the default tenant Global Dial Plan

$nr1 = New-CsVoiceNormalizationRule -Parent Global -Description "5 digit local dialing" -Pattern '^7(\d{4})$' -Translation '+17$1' -Name NR1 -IsInternalExtension $false -InMemory

Set-CsTenantDialPlan -Identity Global -NormalizationRules @{add=$nr1}

Outcome: View the normalization rules associated with the tenant Global dial plan

(Get-CsTenantDialPlan Global).NormalizationRules

Outcome: Determine the effective dial plan for a specific user

Get-CsEffectiveTenantDialPlan -Identity garthf@contoso.com

Outcome: Test the outcome of dialing a number

Get-CsEffectiveTenantDialPlan -Identity garthf@contoso.com | Test-CsEffectiveTenantDialPlan -DialedNumber 71234

Outcome: Allow hybrid users to consume the tenant dial plan

Set-CsTenantHybridConfiguration -UseOnPremDialPlan $false

And you can check the result by checking the client log, as we discussed for the Tenant User dial plan.
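As an added example that is not part of the original post, the script below simulates offline how the merged effective dial plan (Service Country plus Tenant User, or Service Country plus Tenant Global) evaluates a dialed number, using the RedmondDialPlan rule and the 5-digit Global rule from the tables above plus a constructed stand-in for the Microsoft-managed US Service Country plan. The evaluation order (tenant rules before service-country rules) is an assumption of this simulation; the authoritative answer always comes from Test-CsEffectiveTenantDialPlan against the tenant.

```powershell
# Added example: offline simulation of effective tenant dial plan evaluation.
# Each rule is the same Pattern / Translation pair you give New-CsVoiceNormalizationRule.
# Assumption: tenant rules are tried first, then the service-country rules.

function New-SimRule {
    param([string]$Name, [string]$Pattern, [string]$Translation)
    [pscustomobject]@{ Name = $Name; Pattern = $Pattern; Translation = $Translation }
}

# Tenant User rule from the RedmondDialPlan example above.
$tenantUserRules = @(
    New-SimRule -Name 'NR1' -Pattern '^(\d{7})$' -Translation '+1425$1'
)
# Tenant Global rule from the Global table above.
$tenantGlobalRules = @(
    New-SimRule -Name 'NR1' -Pattern '^7(\d{4})$' -Translation '+17$1'
)
# Constructed stand-in for the US Service Country plan (not Microsoft's real rules).
$serviceCountryRules = @(
    New-SimRule -Name 'US-10digit' -Pattern '^1?([2-9]\d{9})$' -Translation '+1$1'
    New-SimRule -Name 'US-Intl'    -Pattern '^011(\d+)$'        -Translation '+$1'
)

function Get-EffectiveRules {
    param([object[]]$UserRules, [object[]]$GlobalRules, [object[]]$ServiceRules)
    # The cloud merges plans: Service Country + (Tenant User if granted, otherwise Tenant Global).
    $tenant = if ($UserRules) { $UserRules } else { $GlobalRules }
    return @($tenant) + @($ServiceRules)
}

function Test-SimDialedNumber {
    param([string]$DialedNumber, [object[]]$Rules)
    # First matching rule wins; $1 in the translation is the regex capture group,
    # which is why the Translation strings are single-quoted.
    foreach ($r in $Rules) {
        if ($DialedNumber -match $r.Pattern) {
            return [pscustomobject]@{
                Dialed      = $DialedNumber
                MatchedRule = $r.Name
                Translated  = [regex]::Replace($DialedNumber, $r.Pattern, $r.Translation)
            }
        }
    }
    [pscustomobject]@{ Dialed = $DialedNumber; MatchedRule = $null; Translated = $null }
}

$userPlan   = Get-EffectiveRules -UserRules $tenantUserRules -GlobalRules $tenantGlobalRules -ServiceRules $serviceCountryRules
$globalPlan = Get-EffectiveRules -UserRules @() -GlobalRules $tenantGlobalRules -ServiceRules $serviceCountryRules

# 7-digit dialing only normalizes for a user who was granted RedmondDialPlan.
Test-SimDialedNumber -DialedNumber '5551234' -Rules $userPlan
Test-SimDialedNumber -DialedNumber '5551234' -Rules $globalPlan
# The 5-digit Global rule applies to everyone without a user plan.
Test-SimDialedNumber -DialedNumber '71234' -Rules $globalPlan
# A full 10-digit number falls through the tenant rule to the service-country rule.
Test-SimDialedNumber -DialedNumber '4255551234' -Rules $userPlan
```

Swap in the rules returned by (Get-CsTenantDialPlan Global).NormalizationRules to check a real plan's regexes for overlaps before adding rule number 25.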

If you need more details, here are some references I used:

Tenant Dial Plans in Skype for Business Online

Tenant Dial Plans training

Skype for Business Online Cmdlets reference

Hope this is helpful for all of you.

Skype for Business 2015 Databases

October 14, 2016

As we usually deal with the databases that hold our Skype for Business information, it is better to refresh your memory on the DB names and their functions from time to time.

So, I listed below the DBs and the function of each one:

Database Name: Database Function

cpsdyn: Maintains the dynamic information database for the Call Park application.
LcsCDR: Maintains the call detail recording data.
LcsLog: Maintains the data file for the retention of instant messaging and conferencing data on an Archiving Server.
lis: Stores the location information (network subnets, ports, switches, etc.) that is used by Lync Location services for the E9-1-1 feature.
QoEMetrics: Maintains the QoE data to provide the best experience to SfB users.
rgsconfig: Maintains the response group configuration service data file.
rgsdyn: Maintains the runtime data for the response group configuration service data file.
rtcab: Maintains the address book service information.
rtcshared: Hosts the conferencing directory.
rtcxds: Maintains the backup for user data.
xds: Main database of SfB Server and part of the Central Management Store, which maintains the topology information, policies, configuration, etc. and replicates a read-only copy to each SfB server.
mgc: Maintains user persistent chat data.
mgccomp: Maintains persistent chat compliance data.

Note: Persistent Chat DBs are NOT supported on SQL AlwaysOn as per Microsoft:

If you plan to use SQL AlwaysOn Availability Groups for HA DR, note that it is not supported for Persistent Chat Server databases

https://technet.microsoft.com/en-us/library/gg398500.aspx

Hope this is informative for you

Restoring Private Key from Windows Certificate

September 5, 2016

Normally, when you create a request, get the certificate and import it to your server, you should see that the certificate has a private key.

But if for any reason you deleted this certificate and re-imported it, you will be surprised that the private key is missing from this certificate. This may also be the situation if you renew the certificate without creating a new certificate request.

To solve this issue, you should re-associate the private key with your certificate. Follow the steps below and you will be on the safe side:

1- From the MMC, double-click the certificate that is missing the private key.

2- From the Details tab, select Thumbprint.

3- Copy the content of the Thumbprint.

4- Open CMD as Administrator and run the command below:

  certutil -repairstore my "thumbprint"

Where "thumbprint" is the content you copied in step 3, e.g.:

  certutil -repairstore my "e2 72 36 4c ec 19 57 3b f7 53 d1 59 f4 b2 20 f7 df a7 26 ef"

5- You should receive the message “CertUtil: -repairstore command completed successfully.” and the private key is assigned to your certificate.
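As an added example (not from the original post), the PowerShell below finds every certificate in the computer’s Personal store that has no private key, runs the same certutil -repairstore command on each, and verifies the result by re-reading the certificate. It assumes an elevated PowerShell session; $Repair is an assumed switch that keeps the first run read-only.

```powershell
# Added example: repair orphaned private keys for all certificates in LocalMachine\My.
# Assumes an elevated session. Set $Repair = $true to actually run certutil.
$Repair = $false

$orphaned = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { -not $_.HasPrivateKey }

if (-not $orphaned) {
    Write-Host "All certificates in LocalMachine\My already have a private key." -ForegroundColor Green
    return
}

foreach ($cert in $orphaned) {
    Write-Host ("Missing private key: {0} (expires {1}) thumbprint {2}" -f $cert.Subject, $cert.NotAfter, $cert.Thumbprint)
    if (-not $Repair) { continue }

    # Same command as step 4. Taking the thumbprint from the certificate object avoids the
    # hidden characters that a copy from the MMC Details tab sometimes carries along.
    $output = & certutil.exe -repairstore my $cert.Thumbprint 2>&1
    if ($LASTEXITCODE -ne 0) {
        Write-Warning ("certutil failed for {0}: {1}" -f $cert.Thumbprint, ($output -join ' '))
        continue
    }

    # Re-read the certificate: HasPrivateKey only becomes true if certutil actually found
    # the key in the key store. A missing (deleted) key cannot be repaired this way.
    $after = Get-Item -Path ("Cert:\LocalMachine\My\{0}" -f $cert.Thumbprint)
    if ($after.HasPrivateKey) {
        Write-Host ("Private key re-associated for {0}" -f $cert.Thumbprint) -ForegroundColor Green
    }
    else {
        Write-Warning ("certutil completed but {0} still has no private key; the key was probably deleted, so a new request is needed" -f $cert.Thumbprint)
    }
}
```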

Hope this is informative for you.

Lync Server 2013 Pool Readiness Troubleshooting

August 30, 2016

First of all I’d like to thank my colleague Ramy MESSIHA for guiding me to this solution. Without your research and advice, we might still have a Busy pool.

During our changes on the Lync 2013 platform, we may spend most of the change window waiting for the Lync pool to be ready to allow rebooting another Front-End server.

You may wait for 20, 30, 60 minutes and more with no luck. I’m not kidding if I say we may wait for days and it will not come.

So let us dive deep and discover what happens in the background and how to overcome this issue.

Behind the Scenes:

We usually check the pool readiness using the Get-CsPoolUpgradeReadinessState cmdlet.

Behind this cmdlet, Lync checks certain performance counters to decide if the Pool is Stable and Ready for upgrade or NOT.

If for any reason Lync is unable to read these counters, we may spend our life waiting for READY and it will not appear.

Troubleshooting:

When we restart any Front-End server, we should normally wait for 20 to 30 minutes, depending on the number of users on this pool, before getting READY on the pool readiness.

So if we wait for 1 hour or more and the status is still Busy, we can run the steps below to get the pool READY.

  1. Find the Performance Counter

As we said, the Get-CsPoolUpgradeReadinessState cmdlet reads performance counters. The counter is named “WRTCESPF” and it should be Enabled. To be sure, do the following:

  a- On the Front-End server run: C:\> LODCTR /Q > Counters.txt
  b- Open Counters.txt using Notepad and search for “WRTCESPF”
  c- Be sure it is Enabled

  2. Reload the Performance Counters

  a- On the Front-End server, go to “C:\Program Files\Microsoft Lync Server 2013\Server\Core”
  b- Run the command below:

     regsvr32.exe /i /n wrtcespf.dll

  c- This will reload and reset the permissions on the performance counter

  3. Set the Correct Permissions in the Registry

  a- On the Front-End server, open Registry Editor (Regedit) and go to

     HKLM\system\currentcontrolset\services\wrtcespf\performance\parameters

  b- Right-click “Parameters” and select “Permissions”
  c- Click Add and change the Location to the name of your FE server
  d- Enter “RTC Server Local Group”, click Check Names, then click OK
  e- On the Permissions for Parameters page click Advanced
  f- Select RTC Server Local Group and click Edit
  g- In the drop-down box next to Apply to: select This key only
  h- Select the checkbox to Allow Full Control
  i- Click OK

  4. Recycle the RTCSrv service or restart the FE server

  a- On the FE server, run the cmdlets below to stop and start the Front-End service

     Stop-CsWindowsService RtcSrv
     Start-CsWindowsService RtcSrv

  b- You should notice, after the service has restarted, that another registry key appears.

  5. Do the same steps on ALL Front-End servers in the Pool

  6. Checking

After completing all Front-End servers, check the readiness of the Pool using

     Get-CsPoolUpgradeReadinessState

And hopefully you will enjoy that the pool is READY.
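As an added example (not part of the original post), the read-only check below verifies on every Front-End server the two things steps 1 and 3 fix: that the WRTCESPF counter is not disabled, and that RTC Server Local Group holds Full Control on the Parameters key. It assumes PowerShell remoting to the Front-End servers; the server names are constructed samples, and the “Disable Performance Counters” value is the registry flag that LODCTR /Q reports on (0 or absent means enabled).

```powershell
# Added example: audit the WRTCESPF counter state and Parameters key ACL on each FE server.
# Changes nothing; it only tells you which servers still need steps 1-4.
$servers = @("fe01.contoso.local", "fe02.contoso.local")   # constructed sample names

$checks = {
    $perfKey  = "HKLM:\SYSTEM\CurrentControlSet\Services\wrtcespf\Performance"
    $paramKey = Join-Path $perfKey "Parameters"

    # lodctr /Q reports a counter as Disabled when this value is non-zero.
    $disabled = (Get-ItemProperty -Path $perfKey -Name "Disable Performance Counters" -ErrorAction SilentlyContinue)."Disable Performance Counters"

    # Step 3 grants RTC Server Local Group Full Control on the Parameters key.
    $rtcRule = $null
    $acl = Get-Acl -Path $paramKey -ErrorAction SilentlyContinue
    if ($acl) {
        $rtcRule = $acl.Access | Where-Object {
            $_.IdentityReference -like "*RTC Server Local Group" -and
            $_.RegistryRights -eq "FullControl" -and
            $_.AccessControlType -eq "Allow"
        }
    }

    [pscustomobject]@{
        Server              = $env:COMPUTERNAME
        CounterEnabled      = (-not $disabled)
        ParametersKeyExists = (Test-Path $paramKey)
        RtcGroupFullControl = [bool]$rtcRule
    }
}

$results = Invoke-Command -ComputerName $servers -ScriptBlock $checks
$results | Format-Table Server, CounterEnabled, ParametersKeyExists, RtcGroupFullControl -AutoSize

$needWork = @($results | Where-Object { -not ($_.CounterEnabled -and $_.ParametersKeyExists -and $_.RtcGroupFullControl) })
if ($needWork.Count -gt 0) {
    Write-Warning ("Apply steps 1-4 on: " + ($needWork.Server -join ", "))
}
else {
    Write-Host "All Front-End servers pass; check the pool with Get-CsPoolUpgradeReadinessState" -ForegroundColor Green
}
```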

Here is the complete reference:

https://blogs.technet.microsoft.com/nexthop/2016/03/18/get-cspoolupgradereadinessstate-showing-not-ready-or-busy/ 

Enable RSS on Lync Environment

Recently I was reading about the Windows features that enhance the Skype for Business / Lync environment, and one of Microsoft’s recommendations is to enable Receive Side Scaling (RSS).

Here is Microsoft recommendation:

Skype for Server 2015 capacity planning using the user models

To improve the media performance of the co-located A/V Conferencing and Mediation Server functionality on your Front End Servers, you should enable receive-side scaling (RSS) on the network adapters on your Front End Servers. RSS enables incoming packets to be handled in parallel by multiple processors on the server. For details, see Receive Side Scaling (RSS) in the Windows Server 2012 documentation. For details about how to enable RSS, you’ll need to refer to your network adapter documentation.

While planning to deploy it on the environment, I thought to apply it per site as a precaution, so that nothing would impact all sites at once if anything happened. So I developed a script to apply and test the status of RSS on the Domain Controllers, Front-End, Mediation, SQL and Office Web Apps servers of one site. You can use or customize the script below if you have the same situation.

###############################################################
# Script developed by Fady Naguib: enables Receive-Side Scaling (RSS) on the DC, FE, MED, WAC and SQL servers of one site
###############################################################

# Defining global variables
$Site = Read-Host "Enter Site Name"
$Site_Name = "Site:$Site"

# Enables RSS (without restarting the adapters) on every computer in $Computers and
# reports, per computer, whether all of its adapters now show Enabled = True.
function Enable-RssOnServers {
    param([string]$Role, [string[]]$Computers)
    Write-Host "Updating $Role Servers in $Site" -ForegroundColor Cyan
    if (-not $Computers) {
        Write-Host "No $Role servers found in $Site" -ForegroundColor Yellow
        return
    }
    foreach ($Computer in $Computers) {
        # -PassThru is needed here: without it Enable-NetAdapterRss returns nothing
        # and the status check below would always report a failure.
        $NIC_Status = Get-NetAdapterRss -CimSession $Computer | Enable-NetAdapterRss -NoRestart -PassThru
        Write-Host "Checking Status of $Role server $Computer" -ForegroundColor Yellow
        if ($NIC_Status -and ($NIC_Status.Enabled -notcontains $false)) {
            Write-Host "$Computer has been Updated" -ForegroundColor Green
        }
        else {
            Write-Host "Failed to Update $Computer" -ForegroundColor Red
            Get-NetAdapterRss -CimSession $Computer | Select-Object PSComputerName, Name, Enabled
        }
    }
}

# Expands the pools returned by Get-CsService into the FQDNs of their member computers
function Get-PoolComputers {
    param([object[]]$Pools)
    $Fqdns = @()
    foreach ($Pool in $Pools.PoolFqdn) {
        $Fqdns += (Get-CsComputer -Pool $Pool).Fqdn
    }
    return $Fqdns
}

# Updating Domain Controllers in the selected site
$DCs = (Get-ADDomainController -Filter {Site -eq "$Site"}).HostName
Enable-RssOnServers -Role "Domain Controller" -Computers $DCs

# Updating Front-End servers in the selected site
$FE_Computers = Get-PoolComputers -Pools (Get-CsService -Registrar | Where-Object {$_.SiteId -like "$Site_Name*"})
Enable-RssOnServers -Role "Front-End" -Computers $FE_Computers

# Updating Mediation servers in the selected site
$MED_Computers = Get-PoolComputers -Pools (Get-CsService -MediationServer | Where-Object {$_.SiteId -like "$Site_Name*"})
Enable-RssOnServers -Role "Mediation" -Computers $MED_Computers

# Updating SQL servers in the selected site (the PoolFqdn of a database service is the SQL server itself)
$DB_Computers = (Get-CsService -ApplicationDatabase | Where-Object {$_.SiteId -like "$Site_Name*"}).PoolFqdn | Select-Object -Unique
Enable-RssOnServers -Role "SQL" -Computers $DB_Computers

# Updating WAC (Office Web Apps) servers in the selected site
$WAC_Computers = Get-PoolComputers -Pools (Get-CsService -WacServer | Where-Object {$_.SiteId -like "$Site_Name*"})
Enable-RssOnServers -Role "WAC" -Computers $WAC_Computers

###############################################################

And here is a script to enable RSS on Edge servers. You should run the script on each Edge server, or, if you can use remote PowerShell, that is a nice idea.

########################################################
# Script developed by Fady Naguib: enables Receive-Side Scaling (RSS) on Lync Edge Servers. Run it on each server or use remote PowerShell.
########################################################

# Updating Edge Server
$Edge_Name = (Get-WmiObject -Class Win32_ComputerSystem).Name
# ".zo1jti.local" is the DNS suffix of the author's lab; replace it with the suffix of your Edge servers
$Edge_FQDN = $Edge_Name + ".zo1jti.local"
Write-Host "Updating $Edge_FQDN Server" -ForegroundColor Cyan
Get-NetAdapterRss -CimSession $Edge_FQDN | Enable-NetAdapterRss -NoRestart

# Checking Status of Edge Server
Write-Host "Checking Status of $Edge_FQDN server" -ForegroundColor Yellow
$ED_Status = Get-NetAdapterRss -CimSession $Edge_FQDN
if ($ED_Status -and ($ED_Status.Enabled -notcontains $false)) {
    Write-Host "$Edge_FQDN has been Updated" -ForegroundColor Green
}
else {
    Write-Host "Failed to Update $Edge_FQDN" -ForegroundColor Red
    Get-NetAdapterRss -CimSession $Edge_FQDN
}

###############################################################

Hope this is useful for you 🙂

Useful PowerShell Cmdlets for Administrators

To list all Domain Controllers in your environment:

Get-ADDomainController -Filter *

To list the Domain Controllers in a specific site:

Get-ADDomainController -Filter {Site -eq "AD_Site_Name"}

List the Lync / Skype for Business Front-End Servers in a site:

Get-CsService -Registrar | where {$_.siteId -like "Site_Name"}

Get the Lync pool a computer belongs to:

Run the cmdlets below on the computer whose Lync pool you want to find; you can also use them inside a script:

$Compinfo = Get-WmiObject -Class Win32_ComputerSystem
$server = $Compinfo.Name + "." + $Compinfo.Domain
$pool = (Get-CsComputer | Where-Object {$_.identity -eq $server}).pool
$pool

To get the SQL Server related to this pool:

$sysinfo = Get-WmiObject -Class Win32_ComputerSystem
$server = $sysinfo.Name + "." + $sysinfo.Domain
$FEpool = (Get-CsComputer | Where-Object {$_.identity -eq $server}).pool
$sql = ((Get-CsService -Identity UserServer:$FEpool).UserDatabase).split(":")[1]

List the host names of the Registrars in the Lync environment (the dot is escaped so that -replace only strips the literal domain suffix):

(Get-CsService -Registrar).PoolFQDN -replace "\.Domain_FQDN$",""

Get the number of Lync / Skype for Business enabled users:

(Get-CsUser -Filter {enabled -eq $true}).count

To get the number of enabled users per pool:

(Get-CsUser -Filter {enabled -eq $true -and RegistrarPool -eq "Pool_FQDN"}).count

To get the enabled Enterprise Voice users:

(Get-CsUser -Filter {enabled -eq $true -and EnterpriseVoiceEnabled -eq $true}).count

To get the Remote Call Control (RCC) enabled users:

(Get-CsUser -Filter {enabled -eq $true -and RemoteCallControlTelephonyEnabled -eq $true}).count

To get the server name and domain using PowerShell:

$Name = (Get-WmiObject -Class Win32_ComputerSystem).Name
$Dom = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$FQDN = $Name + "." + $Dom