In Part 7 we will see how to troubleshoot Skype for Business Hybrid. This Blog Post Series consists of 7 parts. So if you missed one check them out as follows.


This post is split into multiple parts:

Part 1 will cover the prerequisites like synchronize your onPrem users to Office 365 with Azure AD Connect.

Part 2 will cover migration from Exchange onPrem to Exchange Online and here especially Exchange Hybrid classic full.

Part 3 will cover moving user mailboxes from onPrem to Exchange Online.

Part 4 … will cover troubleshooting Exchange Hybrid

Part 5 will cover migration from Skype for Business onPrem users to Skype for Business Online and Teams.

Part 6 will cover Skype for Business Hybrid Connectivity and Teams Direct Routing

Part 7 will cover troubleshooting Skype for Business Hybrid


Federation with Office 365 is not configured error



The Hybrid Setup wizard tells me that Federation with Office 365 and Shared SIP address space is not configured.

Further, it kindly tells us that if we select Next, it will configure our Skype for Business Server and Office 365 tenant with these required settings, so click on Next.


Hmmm, the Federation with Office 365 was not configured by the wizard.

You will find hints on the web that the reason for this error is entries in the CSAllowedDomains or CSBlockedDomains list. In my case I didn’t configure any allowed or blocked domains and there were no entries in my environment, on-premise and online.

Under the following Federation requirements, they say that the Blocked domains and Allowed domains list in the on-premise deployment must exactly match with the online tenant.


Federation requirements
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity?toc=/SkypeForBusiness/toc.json&bc=/SkypeForBusiness/breadcrumb/toc.json#federation-requirements


So what’s the reason in my case?

After finishing the Hybrid configuration with PowerShell as described in Part 5 … , you will get the following entries for the Hosting Provider.

After running the Hybrid Setup wizard again, I get the same error: Federation with Office 365 was not configured by the wizard.

Further, after checking it again with the Skype for Business Server Management Shell and the Get-CSHostingProvider cmdlet, I get the following output.


The Hybrid Setup wizard is setting IsLocal to False and deletes the AutodiscoverUrl.

So finally I configured Skype for Business hybrid with the PowerShell Cmdlets described in Part 5 …


Running the Hybrid Setup wizard the next day worked fine, without the Federation with Office 365 is not configured error message.



Further, I discovered that the Hybrid Setup wizard in my version sets a different new AutodiscoverUrl and FQDN for the Hosting Provider than in the actual documentation from Microsoft under https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online

You will see below that also the Skype for Business Online admin center is running under this FQDN https://webdired4.online.lync.com/LSCP.


The reason for this different Autodiscover URL is tenant specific!

So for my tenant the Autodiscover URL is

https://webdired4.online.lync.com/Autodiscover/AutodiscoverService.svc/root

and the Hybrid Setup wizard can determine this specific URL at logon to the Office 365 tenant.

You will see later how to determine these tenant-specific URLs.



So no clue why the Hybrid Setup wizard now runs without issues. I suppose this was due to some Office 365 synchronisation delays.





Skype for Business Hybrid configuration will break Open Federation

In my production environment I have configured Open Federation, which allows communication with any external SIP domain, so-called SIP Federated Domains.

If you do not select this option, federated user access is enabled only for users in the domains that you include in the allowed domains list.

More about Open Federation at the end of this post.

But after configuring Skype for Business Hybrid, external contacts in my Skype for Business desktop client appear with Updating … and finally end up in Presence unknown status.

The external contacts, in contrast, can see my presence status; they will even be able to call me.

So what happened and broke my federation?

By the way, it doesn’t matter whether the user was moved to Skype for Business Online or is still homed on-premise: federation is broken.


The following parameter, set to True on-premise by the Hybrid wizard, is one of the reasons for the broken federation in my case, but not the only one, as we will see further down.

After changing it back to false, SIP federation starts working again. But this is no solution, as it will break the Hybrid configuration.

# Change it for testing back to false, can only be set in conjunction with HostsOCSusers parameter
Set-CsHostingProvider -Identity LyncOnline -EnabledSharedAddressSpace $false -HostsOCSUsers $false

EnabledSharedAddressSpace: True

The reason for broken federation was:

A missing DNS SRV record _sipfederationtls._tcp.<my sipdomain>, which the Edge Server requests when EnabledSharedAddressSpace is $True and Open Federation is configured.

My Edge Server is configured to query the DNS servers in the perimeter network.


Solution:

Adding the following DNS SRV record to the perimeter network DNS servers:
_sipfederationtls._tcp.braincourt.com 0 0 5061 sip.braincourt.com


The record is configured on the DNS servers in the perimeter network, which are the ones the Edge Server queries.


EnabledSharedAddressSpace: True means that Skype for Business users with the same SIP domain can be homed on-premise or in Office 365 (Skype for Business Online or Teams).


Why does the Edge Server request its own SRV record for SIP Federation when EnabledSharedAddressSpace is $True with Open Federation?

That’s because of the way we configured the Access Edge Configuration to federate with Office 365 described in the following link.

Set-CSAccessEdgeConfiguration -AllowOutsideUsers $True -AllowFederatedUsers $True -EnablePartnerDiscovery $True -UseDnsSrvRouting

If -EnablePartnerDiscovery is set to $True, we also need UseDnsSrvRouting; Skype for Business Server will then use DNS records to try to discover partner domains not listed in the AllowedDomains list. If the value is set to $False, Skype for Business Server will only federate with domains found on the AllowedDomains list. This parameter is required if you use DNS service routing.

If you configure the AllowedDomains list, in contrast, you enter the domain name (SIP domain) and the corresponding FQDN of the Access Edge in charge of this domain, so the Edge doesn’t need to use DNS records.

So as we configured -EnablePartnerDiscovery with $True, which is what is called Open Federation, and also configured -EnabledSharedAddressSpace with $True for Hybrid, the Edge Server will use DNS records not only to discover foreign partner domains but also for our Office 365 tenant federation domain, which should resolve to our on-premises Access Edge public IP.
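The following check is an added example, not part of the original post: it reads the two settings discussed above and then asks the perimeter DNS servers for the Edge Server's own _sipfederationtls SRV record. It assumes a host with the Skype for Business Server Management Shell that can reach those DNS servers; the function name and the DNS server address 192.0.2.53 are placeholders.

```powershell
# Added example. Test-SipFederationSrv is a hypothetical helper name.
function Test-SipFederationSrv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]] $SipDomain,   # your SIP domain(s)
        [Parameter(Mandatory)] [string[]] $DnsServer,   # perimeter DNS servers the Edge queries
        [string] $HostingProvider = 'LyncOnline'        # identity used in this post
    )

    # Open Federation plus shared SIP address space is the combination
    # that makes the Edge look up the SRV record of its own SIP domain.
    $edge     = Get-CsAccessEdgeConfiguration
    $provider = Get-CsHostingProvider -Identity $HostingProvider
    $needsSrv = $edge.EnablePartnerDiscovery -and $provider.EnabledSharedAddressSpace

    foreach ($domain in $SipDomain) {
        $name = "_sipfederationtls._tcp.$domain"
        foreach ($server in $DnsServer) {
            # Keep only SRV answers; additional A records or an SOA may also come back.
            $srv = Resolve-DnsName -Name $name -Type SRV -Server $server -DnsOnly `
                       -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'SRV' }

            [pscustomobject]@{
                Record       = $name
                DnsServer    = $server
                RoutingMode  = $edge.RoutingMethod
                RequiredNow  = $needsSrv
                Found        = [bool]$srv
                Target       = ($srv | ForEach-Object { '{0}:{1}' -f $_.NameTarget, $_.Port }) -join ', '
            }
        }
    }
}

# Placeholder DNS server address; replace with the servers configured on the Edge.
Test-SipFederationSrv -SipDomain 'braintesting.net' -DnsServer '192.0.2.53' |
    Format-Table -AutoSize
```

A row with RequiredNow = True and Found = False corresponds to the situation described in this post.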




To see what happens under the hood, I tried to reproduce this in my lab environment.

Enclosed you will see a trace from my lab environment SIP user account john.doe@braintesting.net who adds the SIP user account mra-testing02@braincourt.com from my production environment.

Therefore I removed the concerned DNS SRV record in the lab environment. In the production environment the record is meanwhile set and everything works fine. 🙂

# explicitly removed DNS SRV record in lab environment
_sipfederationtls._tcp.braintesting.net 0 0 5061 sip.braintesting.net

The following trace shows the startup from the Skype for Business client for john.doe@braintesting.net in the lab environment.

To say it up front: it doesn’t matter whether John Doe’s user account is on-premise or in Skype for Business Online (or Teams). With the missing on-premise SRV record for the Edge Server and EnabledSharedAddressSpace set to $true (mandatory for Hybrid), the external contact mra-testing02@braincourt.com is first stuck at Updating … and ends in Presence unknown as follows.

Here you can see the trace with trying to subscribe the external contact mra-testing02@braincourt.com. (John Doe homed in Skype for Business online)

ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="braintesting.net";dns-srv-result="NegativeResult";dns-source="InternalCache";source="sip.braintesting.net"

# targetname is the FQDN from the Online front end pool.
targetname="ne0ed402FES03.infra.lync.com"

ms-split-domain-info: ms-traffic-type=SplitFedIn;ms-remote-fqdn=sip.braintesting.net


As you can see, the Edge Server performs a lookup for this SRV record, but the lookup fails and the Edge Server doesn’t go any further to establish a connection with the federated domain or the external contact.
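To find this failure in a longer trace, the ms-diagnostics header can be parsed and turned into the name of the record to check. This is an added example, not part of the original post; the function name is hypothetical and the sample lines are the trace lines quoted above.

```powershell
# Added example. Get-SrvResolutionFailure is a hypothetical helper name.
function Get-SrvResolutionFailure {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [AllowEmptyString()] [string] $Line
    )
    process {
        # Only ms-diagnostics headers are of interest; the first field is the numeric code.
        if ($Line -notmatch '^\s*ms-diagnostics:\s*(?<code>\d+);(?<rest>.*)$') { return }
        $code, $rest = $Matches['code'], $Matches['rest']
        if ([int]$code -ne 1008) { return }   # 1008 is the code shown in the trace above

        # Collect key="value" pairs; also accept curly quotes from copied traces.
        $fields  = @{}
        $pattern = '(?<k>[\w-]+)=["\u201C\u201D](?<v>[^"\u201C\u201D]*)["\u201C\u201D]'
        foreach ($m in [regex]::Matches($rest, $pattern)) {
            $fields[$m.Groups['k'].Value] = $m.Groups['v'].Value
        }

        [pscustomobject]@{
            Code          = [int]$code
            Reason        = $fields['reason']
            Domain        = $fields['domain']
            DnsResult     = $fields['dns-srv-result']
            DnsSource     = $fields['dns-source']
            ReportedBy    = $fields['source']
            # SRV record the Edge could not resolve for this domain
            RecordToCheck = "_sipfederationtls._tcp.$($fields['domain'])"
        }
    }
}

# Sample input: the two header lines quoted in this post.
$sampleTrace = @'
ms-diagnostics: 1008;reason="Unable to resolve DNS SRV record";domain="braintesting.net";dns-srv-result="NegativeResult";dns-source="InternalCache";source="sip.braintesting.net"
ms-split-domain-info: ms-traffic-type=SplitFedIn;ms-remote-fqdn=sip.braintesting.net
'@ -split "`r?`n"

$sampleTrace | Get-SrvResolutionFailure | Format-List
```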

Here the same (but John Doe homed on-premise)

ms-split-domain-info appears only if the user is homed online!

# targetname is the FQDN from the on-premise front end pool.
targetname="sfb.braintesting.de"


Okay, now the same procedure after adding the missing DNS SRV record

_sipfederationtls._tcp.braintesting.net 0 0 5061 sip.braintesting.net

in the lab environment, on the DNS servers in the perimeter network that the Edge Server queries.


Et voilà!


Here the corresponding trace from the successful SUBSCRIBE.


Enable Open Federation in Skype for Business on-premise

To enable Open Federation you have to check Enable partner domain discovery in the on-premise Skype for Business Server Control Panel or using a PowerShell Cmdlet using the Management Shell.


https://docs.microsoft.com/en-us/skypeforbusiness/manage/federation-and-external-access/access-edge/enable-or-disable-federation-and-public-im-connectivity

Enable partner domain discovery   If you enable this option, Skype for Business Server uses Domain Name System (DNS) records to try to discover domains not listed in the allowed domains list, automatically evaluating incoming traffic from discovered federated partners and limiting or blocking that traffic based on trust level, amount of traffic, and administrator settings. If you do not select this option, federated user access is enabled only for users in the domains that you include on the allowed domains list. Whether or not you select this option, you can specify that individual domains to be blocked or allowed, including restricting access to specific servers running the Access Edge service in the federated domain. For details about controlling access by federated domains, see Configure support for allowed external domains.




In contrast to Open Federation, you can configure the Allowed Domains list as follows. The following, run in my lab environment (SIP Domain: braintesting.net), will add the production SIP Federated Domain.




Links

Plan hybrid connectivity between Skype for Business Server and Microsoft 365 or Office 365
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/plan-hybrid-connectivity

Set-CsAccessEdgeConfiguration
https://docs.microsoft.com/en-us/powershell/module/skype/set-csaccessedgeconfiguration

Enable or disable discovery of federation partners in Skype for Business Server
https://docs.microsoft.com/en-us/skypeforbusiness/manage/federation-and-external-access/access-edge/enable-or-disable-discovery-of-federation-partners

Configure your on-premises Edge service to federate with Microsoft 365 or Office 365
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online#configure-your-on-premises-edge-service-to-federate-with-microsoft-365-or-office-365

Configure Skype for Business hybrid
https://docs.microsoft.com/en-us/skypeforbusiness/hybrid/configure-federation-with-skype-for-business-online

DNS requirements for Skype for Business Server
https://docs.microsoft.com/en-us/skypeforbusiness/plan-your-deployment/network-requirements/dns