
Figure 9-7

Flat File Logging Tool

The Flat File Logging utility is useful if you need more verbose logging details about each of your LCS servers. Server logs are extremely useful when debugging an LCS server: they show client connections from start to finish and include all of the SIP methods used during the session. Because these logs capture every SIP exchange for a session, treat them as sensitive and restrict access to them. The Flat File Logging utility also enables you to customize the server log file by updating WMI (Windows Management Instrumentation) settings on an LCS server.


LCS Diagnostics Tool

The LCS Diagnostics tool (LCSDiag.exe) is probably the best utility in the resource kit. I use this tool on a regular basis to test the configuration of an LCS infrastructure and to simulate client connectivity before adding any users to the environment. It is also useful when debugging an LCS deployment for common problems such as users not being able to log in. Figure 9-6 shows the Live Communications Diagnostics Console.

Figure 9-6

Certificate Request Tool

If you still do not understand how to request and configure certificates for LCS servers after reading this book, do not fear! The LCS Resource Kit includes a nifty utility called the Certificate Request tool. It eases the pain of requesting a certificate for an LCS server by naming the certificate correctly and embedding the properties the certificate needs for its use. Figure 9-7 shows a snapshot of the Certificate Request tool.

LCS Ping Utility

The LCS Ping utility is useful for checking the connectivity of an LCS server. With simple commands, you can confirm that the LCS server you have deployed can be reached over the network.


Figure 9-5

Live Communications Server 2005 Support Resources

The LCS 2005 SP1 Resource Kit can be downloaded from the Microsoft Office Live Communications Server website at microsoft.com/lcs.

Live Communications Server Resource Kit

The resource kit contains valuable tools for testing and verifying the validity of your LCS deployment in a lab, test, or production environment. The following utilities are a few of the many available in the kit.


Only closing the conversation window sends the SIP BYE method, so even if User 1 and User 2 have had their conversation windows open since the day before, the messages are still lumped under the original CALLER ID record; you will, however, see the difference in the time stamps. In addition, note that by design the client re-signs in every eight hours. This does not initiate a SIP BYE method either.

- What if my client hibernates during this period?

In this case, hibernation equals a SIP BYE method and the conversation ends. Any new messages are stored under a new CALLER ID record.

- What happens if User 1 is set to be archived and User 2 is set not to be archived, for reasons such as international privacy laws?

In the current version of the LCS IM Archiving Service, if User 1 is messaging with User 2, the message is not archived even though User 1 is set to be archived. A proposed change in the next version of LCS would change that behavior so that User 1's side of the conversation is logged.

- What reports can I use to show archived IM messages?

LCS itself does not provide a way to search or report on archived instant messages in the IM Archiving database. To remedy this, my team at Connected Innovation, www.connectedinnovation.com, has developed a solution called LCSpy. This tool enables you to query the IM Archiving database by keyword, date, or sign-in name, and it can export to Adobe PDF, Microsoft Word, and Microsoft Excel document formats. Figure 9-3 shows the IM Archiving query page.

Figure 9-3


Error Message: The certificate you selected is issued for a subject that differs from the fully qualified domain name (FQDN) of this pool. If you continue, clients and other servers may not be able to connect to this server. Do you wish to proceed with this certificate?

This error message occurs when you apply a certificate to an LCS server connection entry and its name does not match the name of the pool. Try these fixes:

- Some organizations have a pool name that consists of the full domain or subdomain of a network but have DNS host A records that are flat. For example, if an LCS pool's actual FQDN is Pool1.SubDomain.Company.com but the DNS host A record and SRV records point to Pool1.Company.com, then the certificate name should be Pool1.Company.com to match the record, which does not match the FQDN of the pool. In this case, ignore the error message by clicking the Yes button.

- If the previous scenario does not apply and the name on your certificate is wrong, click the No button, request a new certificate as described in the steps in Chapter 4, and then re-apply the certificate to the connection entry.

IM Archiving FAQs

Many new LCS customers have questions about how the LCS IM Archiving Service works, both technical and scenario-based. This section answers some of the most frequently asked questions.

- Which LCS pool server kicks off the archiving process during a one-to-one conversation?

LCS uses Session Initiation Protocol (SIP) as its communication protocol. Two SIP methods are of particular importance to the LCS IM Archiving Service: INVITE and BYE. If User 1 starts their client (Communicator or Windows Messenger) and begins a conversation with User 2, User 1 initiates the SIP INVITE method. If both users are set to be archived, the INVITE method creates the entry in the LCS IM Archiving database, keyed by CALLER ID. All subsequent messages during this session are grouped under this CALLER ID and TIME STAMP record. User 2's pool server (again, if the user is set to be archived) will also archive User 2's messages, but will not insert a duplicate of User 1's messages: it notices the existing CALLER ID entry and posts its messages under that record. This is a major difference from IM Logic's solution, in which duplicates are stored and then eventually removed. The LCS IM Archiving Service's approach lets you follow the conversation in the IM Archiving database in order.

- What if the initiating user (User 1 in the previous scenario) closes their conversation window while User 2 still has theirs open, and then User 1 comes back online?

When a user closes their conversation window (and only the conversation window), the client sends a SIP BYE method. The BYE method closes the CALLER ID record, so even if User 2 still has the window with all of the previous messages open, and User 1 signs back in and starts messaging again, this is considered a new conversation.

- What if User 1 and User 2 both have their clients open for days?
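The grouping rules this FAQ describes (INVITE opens a CALLER ID record only when both parties are archived; messages from either pool attach to that record without the second pool duplicating the first pool's insert; closing the conversation window or hibernating sends or equals a BYE and closes the record; the eight-hourly re-sign-in does not) can be modelled as a small state machine. The following is an added example written for this page, not code from the book or from the IM Archiving Service itself; the event names, fields, user names and the constructed event stream are all invented for the model.

```powershell
# Added example (not the IM Archiving Service's code): model how the FAQ says
# messages are grouped into CALLER ID records. Event shape is invented:
#   Method (INVITE | MESSAGE | BYE | HIBERNATE | RESIGNIN), From, To, Time, Id, Body
function Find-OpenCaller {
    # Returns the CALLER ID of the open record that this event's parties belong to.
    param([hashtable]$Open, $Event)
    if ($Open.ContainsKey($Event.From)) { return $Event.From }
    if ($Event.To -and $Open.ContainsKey($Event.To)) { return $Event.To }
    return $null
}

function Group-ArchivedMessages {
    param([object[]]$Events, [hashtable]$ArchiveEnabled)

    $records = @()   # every CALLER ID record created, open or closed
    $open    = @{}   # caller -> the record currently open for that caller
    $seen    = @{}   # message ids already inserted (the second pool's copy is not inserted twice)

    foreach ($e in $Events) {
        switch ($e.Method) {
            'INVITE' {
                # Current behaviour: both sides must be archived, otherwise nothing is logged.
                if ($ArchiveEnabled[$e.From] -and $ArchiveEnabled[$e.To]) {
                    $rec = [pscustomobject]@{ CallerId = $e.From; Started = $e.Time; Messages = @(); Closed = $false }
                    $records += $rec
                    $open[$e.From] = $rec
                }
            }
            'MESSAGE' {
                $caller = Find-OpenCaller -Open $open -Event $e
                if ($caller -and -not $seen.ContainsKey($e.Id)) {
                    $seen[$e.Id] = $true
                    $open[$caller].Messages += "$($e.Time) $($e.From): $($e.Body)"
                }
            }
            { $_ -in 'BYE', 'HIBERNATE' } {
                # Closing the window sends BYE; the service treats hibernation the same way.
                $caller = Find-OpenCaller -Open $open -Event $e
                if ($caller) { $open[$caller].Closed = $true; $open.Remove($caller) }
            }
            'RESIGNIN' { }   # periodic re-sign-in sends no BYE, so the record stays open
        }
    }
    return $records
}

# Constructed event stream: user1 invites user2, both message, user2's pool relays
# user1's first message again with the same Id, user1 re-signs in, user2 messages
# hours later, user1 closes the window, then starts a fresh conversation.
$events = @(
    @{ Method='INVITE';   From='user1'; To='user2'; Time='09:00' }
    @{ Method='MESSAGE';  From='user1'; To='user2'; Time='09:01'; Id='m1'; Body='hi' }
    @{ Method='MESSAGE';  From='user1'; To='user2'; Time='09:01'; Id='m1'; Body='hi' }   # second pool's copy
    @{ Method='MESSAGE';  From='user2'; To='user1'; Time='09:02'; Id='m2'; Body='hello' }
    @{ Method='RESIGNIN'; From='user1'; To=$null;   Time='17:00' }
    @{ Method='MESSAGE';  From='user2'; To='user1'; Time='17:05'; Id='m3'; Body='still here' }
    @{ Method='BYE';      From='user1'; To='user2'; Time='17:10' }
    @{ Method='INVITE';   From='user1'; To='user2'; Time='18:00' }
    @{ Method='MESSAGE';  From='user1'; To='user2'; Time='18:01'; Id='m4'; Body='back' }
) | ForEach-Object { [pscustomobject]$_ }

$records = Group-ArchivedMessages -Events $events -ArchiveEnabled @{ user1 = $true; user2 = $true }
$records | ForEach-Object {
    "{0} started {1} closed={2}: {3}" -f $_.CallerId, $_.Started, $_.Closed, ($_.Messages -join ' | ')
}
```

With this stream the model returns two records for user1: the first holds m1 (once), m2 and m3, because neither the re-sign-in nor the long gap closed it, and the second holds only m4. Setting `user2 = $false` in the `ArchiveEnabled` table produces no records at all, which is the current-version behaviour the FAQ describes for a mixed archived/unarchived pair.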


LCS Certificate Troubleshooting

This section will help you troubleshoot LCS certificate problems.

Error Message: There was a problem verifying the certificate from the server.

This error message is usually shown when there is a conflict with a certificate on a specific LCS server. To resolve this problem, ensure that the following settings are correctly configured:

- Friendly Name/Common Name of the Certificate:

  - If you are deploying an LCS Standard Edition server, make sure that the name of the certificate applied to the TLS connection in the LCS properties of the server matches the FQDN (fully qualified domain name) of the server. For example, if the server name is Server1.Domain.Company.com, the certificate name should be the same. If the name does not match, the connection will not work.

  - If you are deploying an LCS Enterprise Edition server and it is the only server in the pool, the name of the certificate applied to the TLS connection in the LCS properties of the server must match the FQDN of the server. For example, if the server name is Server1.Domain.Company.com, the certificate name should be the same. If the name does not match, the connection will not work. It is best practice, however, to use the FQDN of the pool in preparation for the addition of other pool servers to the environment. For example, if the pool name is Pool1.Domain.Company.com, the certificate name should be the same. If the name does not match, the connection will not work.

  - If you are deploying an LCS Enterprise Edition pool, make sure that the name of the certificate applied to the TLS connection in the LCS properties of each pool server matches the FQDN of the pool. For example, if the pool name is Pool1.Domain.Company.com, the certificate name should be the same. If the name does not match, the connection will not work.

- EKU (Enhanced Key Usage): An LCS server or pool server certificate must carry the Server Authentication EKU. A certificate with both Server Authentication and Client Authentication EKUs is also acceptable, but Client Authentication is not required. If the certificate's EKU is neither Server Authentication nor Server and Client Authentication, the certificate is unusable.

- Validity Period: Ensure that your certificate has not expired. If it has, follow the steps in Chapter 4 to request and configure a new certificate for your LCS server or pool server.

- Certificate Chain: Another reason a client cannot connect is that the client machine does not trust the root certification authority that issued the server's certificate. If the client machine and the LCS server or pool server do not share the same trusted CA chain, the certificates are treated as invalid and the connection will not work.
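The four checks above (name, EKU, validity period, chain), together with the subject/FQDN mismatch warning discussed earlier in this chapter, can be run against the certificate bound to a server's TLS connection entry before clients ever try to connect. The following PowerShell is an added example for this page, not a tool from the book or the LCS Resource Kit; it assumes the certificate is in the local machine Personal store, that you know its thumbprint, and that the expected name you pass is the one clients actually resolve (the pool FQDN, the server FQDN, or the flat DNS A/SRV name when that differs from the pool FQDN). The thumbprint value shown is a placeholder.

```powershell
# Added example (not from the book): check an LCS server/pool certificate against
# the name, EKU, validity and chain conditions from this section.
function Test-LcsCertificate {
    param(
        [Parameter(Mandatory)][string]$ExpectedName,   # e.g. Pool1.Company.com (the name clients resolve)
        [Parameter(Mandatory)][string]$Thumbprint      # thumbprint of the certificate on the TLS connection entry
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $problems = @()

    # 1. Name: the Subject CN or a Subject Alternative Name DNS entry must equal the expected name.
    $cnName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $names  = @($cnName) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if (-not ($names -contains $ExpectedName)) {
        $problems += "Name mismatch: certificate names [$($names -join ', ')], expected $ExpectedName"
    }

    # 2. EKU: Server Authentication (1.3.6.1.5.5.7.3.1) is required; Client Authentication may also be present.
    $eku  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $oids = @()
    if ($eku) { $oids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($oids -notcontains '1.3.6.1.5.5.7.3.1') {
        $problems += "EKU lacks Server Authentication (found: $($oids -join ', '))"
    }

    # 3. Validity period: not yet valid is as fatal as expired.
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems += "Not valid now: valid from $($cert.NotBefore) to $($cert.NotAfter)"
    }

    # 4. Chain: must build to a root this machine trusts; revocation is checked online where reachable.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        $problems += "Chain does not build: $status"
    }

    [pscustomobject]@{
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        Usable   = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (placeholder thumbprint): for a pool whose FQDN is Pool1.SubDomain.Company.com but whose
# A and SRV records are flat, the name to expect is the DNS name, Pool1.Company.com.
Test-LcsCertificate -ExpectedName 'Pool1.Company.com' -Thumbprint 'THUMBPRINT_OF_THE_BOUND_CERT'
```

Run it on the LCS server itself so the chain is evaluated against the server's own trusted root store; a chain that builds on the server but not on a client still fails the client's connection, so repeat the chain step on a representative client, which is the case the Certificate Chain bullet above warns about.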


Using LcsCmd.exe with CreateLcsOuPermissions

In a locked-down environment, one of the options for creating the necessary rights at the organizational unit level is to use LcsCmd.exe with the CreateLcsOuPermissions switch. The following paragraphs demonstrate how to do that. If you are unsure whether the permissions are set correctly, you can use the CheckLcsOuPermissions switch to check them.

Following is the syntax for the CreateLcsOuPermissions switch:

LcsCmd.exe /domain[:{FQDN}] /action:CreateLcsOuPermissions /ou:{distinguishedname} /objectType:{User | InetOrgPerson | Computer | Contact} [/refdomain:{FQDN}]

The following parameters are used with the CreateLcsOuPermissions action:

/ou:{distinguishedname} (required)
    The container for which permissions should be created. This is the container on which inheritance is disabled or the Authenticated Users permission has been removed (the so-called locked-down container).

/objectType:{User | InetOrgPerson | Computer | Contact} (required)
    The type of objects stored in the container and for which you want to create permissions.

/refdomain:{FQDN} (optional)
    By default this action grants permissions on the container to the Live Communications Server groups of the domain in which the container is located. If you specify /refdomain:, the permissions are instead granted to the specified domain's Live Communications Server groups.

Example:

LcsCmd.exe /domain /action:CreateLcsOuPermissions /ou:OU=Dept1Users,OU=UsersOU /objectType:user

The following guidelines describe some prerequisites and notes:

- You have to be logged on to the computer with Domain Admins credentials for the domain that holds the organizational unit containers that will receive permissions.

- Verify that the task was successful by running the CheckLcsOuPermissions command-line switch.

- Alternatively, verify that the task was successful by checking the HTML log files created by LcsCmd.exe; the final result has to be Success.

This part of Chapter 9 should have helped you find the right tools and ways to implement Microsoft Live Communications Server in a locked-down environment. You should have all the information you need to set permissions correctly and continue with your installation.


Enabling LCS When AD Permissions Inheritance Is Blocked

Companies often lock down their environment to control who can do what at the forest and/or domain level. Lockdown means that, for security reasons, an administrator does not rely on the settings and options that Microsoft specified during the forest and domain preparation steps. The administrator deletes a set of entries and stops the OU structure from propagating its settings from the top down. Active Directory permission inheritance can also be blocked when you use tools that set Active Directory permissions, such as NetIQ's Directory and Resource Administrator or bv-Control for Microsoft Active Directory. Both tools hold their information in a central database and apply it to Active Directory from the top down, so there is no need for permissions to be inherited automatically within Active Directory. The following sections cover deployment issues you may face and how to overcome them.

Authenticated Users ACE Removed

The Authenticated Users ACE is removed from a domain's default containers, such as System, Users, Computers, or Domain Controllers. Microsoft Office Live Communications Server 2005 Prep Domain adds direct ACEs on the relevant default containers of that domain so that Live Communications Server 2005 does not rely on these Authenticated Users ACEs. Note, however, that removing the Authenticated Users Read ACEs on the forest root domain's main containers blocks the deployment of Live Communications Server 2005 in a child domain. This scenario cannot be addressed by LCS in its default configuration. The workaround is to add Read ACEs on these root domain containers for the Domain Admins of the child domains that will be activating Live Communications Server.

Custom Organizational Unit

Custom organizational unit (OU) containers are created to hold user and computer objects with permission inheritance disabled. Live Communications Server provides an optional CreateLcsOuPermissions procedure, available from the LcsCmd.exe command-line deployment tool. This procedure enables an administrator to add the remaining Live Communications Server ACEs to objects in specified OU containers on which inheritance is blocked. To do this successfully, you must specify the type of objects in the OU container (computer, user, or InetOrgPerson) so that the procedure adds only the ACEs relevant to that object type. There is also a Contact object type for supporting the central forest topology scenario. You have to run CreateLcsOuPermissions on every OU with users enabled for Live Communications Server 2005, and on every OU with computers hosting Live Communications Server 2005. This is required for the successful deployment, operation, and administration of Live Communications Server 2005. Figure 9-1 shows the Security tab of the Properties dialog for the Computers container, which indicates the default permission set on it. To access the Security tab in Active Directory Users and Computers, select Advanced Features from the View menu.
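Finding the containers that need CreateLcsOuPermissions is the part an administrator has to do by hand: any OU whose ACL inheritance is blocked, or whose Authenticated Users ACE has been removed, will not pick up the permissions that Prep Domain relies on. The following PowerShell is an added example for this page, not code from the book or from LcsCmd.exe; it enumerates such OUs and then applies and verifies the permissions with the LcsCmd.exe CreateLcsOuPermissions and CheckLcsOuPermissions switches documented in the previous section. It assumes the ActiveDirectory PowerShell module is installed, that LcsCmd.exe is on the PATH, and that LcsCmd.exe sets a non-zero exit code on failure (the book only says to check the HTML log for Success, so keep doing that as well). The OU distinguished names and the domain name are placeholders.

```powershell
# Added example (not from the book): locate locked-down OUs, then grant and verify
# the LCS ACEs on them with LcsCmd.exe. Assumptions: ActiveDirectory module present,
# LcsCmd.exe on PATH, non-zero exit code from LcsCmd.exe on failure (unverified).
Import-Module ActiveDirectory

function Get-LockedDownOu {
    # OUs that will not inherit the permissions Prep Domain sets higher in the tree.
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        $acl = Get-Acl -Path ("AD:\" + $_.DistinguishedName)
        $authUsersAllow = @($acl.Access | Where-Object {
            $_.IdentityReference.Value -eq 'NT AUTHORITY\Authenticated Users' -and
            $_.AccessControlType -eq 'Allow'
        })
        if ($acl.AreAccessRulesProtected -or $authUsersAllow.Count -eq 0) {
            [pscustomobject]@{
                DistinguishedName     = $_.DistinguishedName
                InheritanceBlocked    = [bool]$acl.AreAccessRulesProtected
                AuthenticatedUsersAce = ($authUsersAllow.Count -gt 0)
            }
        }
    }
}

function Set-LcsOuPermission {
    param(
        [Parameter(Mandatory)][string]$Domain,      # FQDN of the domain holding the OU
        [Parameter(Mandatory)][string]$Ou,          # distinguished name of the locked-down OU
        [Parameter(Mandatory)]
        [ValidateSet('User','InetOrgPerson','Computer','Contact')][string]$ObjectType,
        [string]$RefDomain                          # optional: grant to another domain's LCS groups
    )
    $common = @("/domain:$Domain", "/ou:$Ou", "/objectType:$ObjectType")
    if ($RefDomain) { $common += "/refdomain:$RefDomain" }

    & LcsCmd.exe @common /action:CreateLcsOuPermissions
    if ($LASTEXITCODE -ne 0) { throw "CreateLcsOuPermissions failed for $Ou (see the LcsCmd.exe HTML log)" }

    # Verify, as the book recommends, with the CheckLcsOuPermissions switch.
    & LcsCmd.exe @common /action:CheckLcsOuPermissions
    return ($LASTEXITCODE -eq 0)
}

# The object type must be chosen per OU; OUs not classified here are reported, not guessed at.
# Placeholder DNs: a user OU and the OU holding the LCS servers, as the book requires both.
$ouTypes = @{
    'OU=Dept1Users,OU=UsersOU,DC=company,DC=com' = 'User'
    'OU=LcsServers,DC=company,DC=com'            = 'Computer'
}
foreach ($locked in Get-LockedDownOu) {
    $type = $ouTypes[$locked.DistinguishedName]
    if (-not $type) {
        "UNCLASSIFIED {0}: inheritance blocked={1}, Authenticated Users ACE={2}" -f `
            $locked.DistinguishedName, $locked.InheritanceBlocked, $locked.AuthenticatedUsersAce
        continue
    }
    $verified = Set-LcsOuPermission -Domain 'company.com' -Ou $locked.DistinguishedName -ObjectType $type
    "{0}: objectType={1}, LCS ACEs verified={2}" -f $locked.DistinguishedName, $type, $verified
}
```

Run this as a member of Domain Admins for the domain that holds the OUs, as the prerequisites require. The unclassified list is the useful output on the first pass: it tells you which locked-down containers exist that you have not yet decided an object type for, and an LCS-enabled user or an LCS server sitting in one of them is exactly the case that fails later with permission errors.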
