Active Directory Sites and Services

Lync 2010 Authentication Issue

Posted by robd on September 04, 2013
Lync 2010 / 2 Comments

So a while back we had quite a setup issue with Lync 2010 where two users at a remote site couldn’t connect to Lync 2010. The setup:

Two Domains:

Domain one ( ) contains the Lync and Exchange servers, plus the (disabled) user accounts behind the linked mailboxes,

Domain two ( ) contains the users who connect to Outlook and Lync via linked mailboxes (we use the SID Mapping Tool to map the SID of the disabled user account).

External: connects via an edge server which works great.

The two users who can’t connect are getting the error:

 "cannot sign in because the server is temporarily unavailable"

So to troubleshoot I installed Snooper on the Lync 2010 server, a tool for debugging connection issues. The results were:

LogType: diagnostic
Severity: error
Text: The authentication authority is unavailable. Check connectivity to the KDC (Kerberos) or Domain Controller (NTLM).
SIP-Start-Line: REGISTER SIP/2.0


LogType: security
Text: Failed to validate user credentials
Result-Code: 0x80090311
SIP-Start-Line: REGISTER SIP/2.0

Well that’s odd, as everyone else can authenticate without issue, so I replicated the users and tried to connect from the same site and ran into exactly the same issue. Very odd.

Running NSLOOKUP produced:

Default Server:

> set type=srv


Non-authoritative answer:  SRV service location:
          priority       = 0
          weight         = 0
          port           = 5061
          svr hostname   =


Well that looks fine. So at this point I was stuck.

So after some thought I decided to track the logon process via our firewalls, i.e. what does the client do when it tries to connect. Note: you could do this with Wireshark or similar.

What was interesting here was that the client in the users’ domain was connecting to the Lync server in the other domain without issue, but when the Lync 2010 server tried to authenticate the user against the users’ domain it was referencing a domain controller hundreds of miles away that clearly had some issues with DNS and site connections, hence the authentication problems.

Great, I thought, I’ll sort out the authentication and we should be good to go!!

Well, not quite. When a server tries to authenticate against another domain, Windows finds the closest domain controller using DNS SRV resource records; if those records are missing or incorrectly configured, the domain controller that answers the authentication could potentially be any domain controller in that domain. So how do we fix this?

Well firstly, make sure DNS is up to scratch. In my case I made full use of Active Directory conditional forwarders, i.e. set up a conditional forwarder that says: if you receive any requests for then forward them to this IP, and vice versa.

Secondly, and this is important too, rename the sites in Active Directory Sites and Services in both domains so that they match. This allows the site-specific DNS lookups to succeed across domains and hence authentication to take place on the correct domain controller.
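The reason matching site names matters: the client learns its own site name from a DC in its own domain, then asks DNS for the site-specific records (_ldap._tcp.<site>._sites.dc._msdcs.<domain>) in the other domain. If no site of that name exists over there, the lookup falls back to the generic records and any DC in the domain can answer. The following PowerShell is an added example, not from the original post, that checks both halves of the fix described above; it assumes Windows Server 2012 / PowerShell 3 with the DnsServer and ActiveDirectory modules, and the domain, site and IP values are placeholders to replace with your own.

```powershell
# Added example (not from the original post): verify the DC locator records and the
# conditional forwarder that the Lync server depends on. Placeholder values below.
$TrustedDomain = 'domain-two.example'        # placeholder: the users' domain
$SiteName      = 'RemoteSite'                # placeholder: AD site name, must match in both domains
$ForwarderIPs  = '192.0.2.10', '192.0.2.11'  # placeholder: DNS servers in the other domain

# 1. Which DC does this server pick for the other domain right now, and is it site-local?
#    /force bypasses the cached result so you see a fresh locator decision.
nltest /dsgetdc:$TrustedDomain /force

# 2. Site-specific SRV records. If these fail while the generic record (last line)
#    resolves, the site name does not exist in the other domain and any DC may answer.
Resolve-DnsName -Name "_ldap._tcp.$SiteName._sites.dc._msdcs.$TrustedDomain"     -Type SRV
Resolve-DnsName -Name "_kerberos._tcp.$SiteName._sites.dc._msdcs.$TrustedDomain" -Type SRV
Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$TrustedDomain"                       -Type SRV

# 3. Conditional forwarder for the other domain on this domain's DNS servers
#    (repeat the equivalent on the other side, pointing back at these servers).
Add-DnsServerConditionalForwarderZone -Name $TrustedDomain -MasterServers $ForwarderIPs -ReplicationScope 'Forest'

# 4. Compare the site names on both sides; the remote site must appear in both lists.
Get-ADReplicationSite -Filter *                         | Select-Object Name
Get-ADReplicationSite -Filter * -Server $TrustedDomain  | Select-Object Name
```

Run step 1 again after the forwarder and site changes (and after a reboot or `nltest /dsgetdc` with `/force`) and confirm the returned DC is in the expected site rather than one hundreds of miles away.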

Lastly I rebooted Lync and the servers, and everything worked as it should!!

Here’s the article I gathered most of my information from; it’s brilliant:


Service Pack 3 for Exchange 2010

So I only recently got around to installing SP3 for Exchange 2010 (I’ve been on holiday for a few weeks and what not) and thought I’d share my experience!

Now, you may or may not know that this service pack updates the Active Directory schema, which basically means that when you install this update you must be a Schema Admin or Enterprise Admin to run the installation!!

Now if, like me, your Exchange server sits in a completely separate domain from your root Active Directory servers, you’ll need to do a little planning.

For example, I have a domain, let’s call it , and a sub domain called , which is where my root Active Directory domain controllers are installed. That means that’s where the schema settings for Exchange are stored; these settings then filter down to the sub domains, which in my case is where my Exchange servers are installed, i.e.

All this means in regards to this update is that I’ll need to run Setup.com /PrepareAD (as an Enterprise Admin, from the domain that holds the schema) before I run the update from the actual Exchange servers.


So from the above you can see that it all went very smoothly, luckily for me (I won’t write about how I tried to run the SP2 update two or three times, which produced so many errors)! From here I waited 20 mins for the schema update to replicate down, although you can force replication via Active Directory Sites and Services.


Next came the update for the servers, but please note: install the update on the roles in this order:

Client Access servers,

Hub Transport (My HT and CAS roles are on the same server),

Edge Transport servers,

Mailbox servers,

Unified Messaging servers (I don’t have any, does anyone?),


Before I start talking about the install I should mention that you should only install the update on cluster nodes or DAG servers that aren’t active, i.e. you need to fail an active server over to a passive server, run the update, then fail back. Here’s a very quick how-to:


CAS/Hub Transport –

– Stop the active node in the cluster via Network Load Balancing Manager by right-clicking the node, clicking Control Host, then Stop (or Drainstop if you’re worried users are still connected),

– In Network Load Balancing Manager right-click the same node, choose Properties and set the Default state to Stopped; this stops the node automatically rejoining the cluster once it reboots,

– Finally run the update, reboot the server and set the Default state back to Started.

– Do the above to the next node.
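The same NLB drain, patch and rejoin sequence can be scripted, which is handy when you have several CAS/HT nodes to get through. This is an added example, not from the original post; it assumes the NetworkLoadBalancingClusters module (Windows Server 2008 R2 or later) run on a cluster member, and SERVERCAS01 is a placeholder host name.

```powershell
# Added example (not from the original post): NLB node drain/stop before patching,
# and rejoin afterwards. Assumes the NetworkLoadBalancingClusters module is available.
Import-Module NetworkLoadBalancingClusters
$Node = 'SERVERCAS01'   # placeholder: the CAS/Hub Transport node about to be patched

# Drainstop: stop taking new connections but let existing sessions finish, then wait
# until the node reports Stopped before touching it.
Stop-NlbClusterNode -HostName $Node -Drain
do {
    Start-Sleep -Seconds 5
    $state = (Get-NlbClusterNode -HostName $Node).State
} until ($state -eq 'Stopped')

# Default (initial) host state Stopped, so the node does not rejoin the cluster by
# itself when it comes back from the post-update reboot.
Set-NlbClusterNode -HostName $Node -InitialHostState Stopped

# ... run the Exchange SP3 update on $Node and reboot it here ...

# After the reboot: restore the default state and bring the node back into the cluster.
Set-NlbClusterNode -HostName $Node -InitialHostState Started
Start-NlbClusterNode -HostName $Node
Get-NlbClusterNode -HostName $Node | Format-List Name, State
```

Check the final State is Converged before moving on to the next node, otherwise you can end up with both nodes out of the cluster at once.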


Mailbox Server with a DAG –

– Find the active database, plus where the PAM role is, and make a note:

get-databaseavailabilitygroup -identity DAG1 -status | fl name,primaryActiveManager

– Check the cluster group (shows which node owns the core cluster group):

cluster group

– The above is just an initial check to ensure that the environment is ready for a manual failover. The next set of instructions will fail the DB over to the passive server, prevent DB automounts, and reconfigure the cluster.

– Run the DAG maintenance script (run from C:\Program Files\Microsoft\Exchange Server\V14\Scripts):

.\StartDagServerMaintenance.ps1 -serverName SERVERMB01 -overrideMinimumTwoCopies

(Please note overrideMinimumTwoCopies; this is needed because I only have two servers in my DAG.)

– This fails the active DB over to MB02; a quick check of the Management Console will show this is correct.

– Rerunning the PAM-holder and cluster-owner commands will show the second server as the master,

– You can now conduct your tasks on this server with no Exchange downtime,

– Once your tasks are complete, it’s time to fail the services back,

– From the Exchange Management Shell, run (from C:\Program Files\Microsoft\Exchange Server\V14\Scripts):

.\StopDagServerMaintenance.ps1 -servername SERVERMB01

– There is no output from this script; it simply allows us to make changes again. Fail the databases back:

.\RedistributeActiveDatabases.ps1 -DagName DAG1 -BalanceDbsByActivationPreference

– Move the core cluster group back (the group is named "Cluster Group"):

cluster group "Cluster Group" /move

– Finally run both the PAM and cluster query commands to ensure both roles are back with the active server,
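Before actually running the SP3 installer on the drained DAG member, it is worth confirming in one go that the maintenance script did everything the steps above rely on: nothing is still mounted on the server, the PAM has moved, and auto-activation is blocked. The function below is an added example, not from the original post or the Exchange scripts; it runs in the Exchange 2010 Management Shell (PowerShell 2 syntax), and DAG1 / SERVERMB01 are the placeholder names used in the post.

```powershell
# Added example (not from the original post): readiness check for a DAG member after
# StartDagServerMaintenance.ps1 and before patching it. Placeholder names: DAG1, SERVERMB01.
function Test-DagMemberReadyForMaintenance {
    param(
        [Parameter(Mandatory=$true)][string]$DagName,
        [Parameter(Mandatory=$true)][string]$ServerName
    )
    $problems = @()

    # 1. No database copy may still be mounted (i.e. active) on the server to be patched.
    $copies  = Get-MailboxDatabaseCopyStatus -Server $ServerName
    $mounted = $copies | Where-Object { $_.Status -eq 'Mounted' }
    if ($mounted) {
        $problems += "Still active on ${ServerName}: " + (($mounted | ForEach-Object { $_.Name }) -join ', ')
    }

    # 2. The Primary Active Manager must have moved to the other member.
    $pam = (Get-DatabaseAvailabilityGroup -Identity $DagName -Status).PrimaryActiveManager
    if ("$pam" -ieq $ServerName) { $problems += "PAM is still held by $ServerName" }

    # 3. The maintenance script blocks auto-activation; without that a copy could be
    #    re-activated on the server halfway through the update.
    $policy = (Get-MailboxServer -Identity $ServerName).DatabaseCopyAutoActivationPolicy
    if ("$policy" -ne 'Blocked') { $problems += "DatabaseCopyAutoActivationPolicy is $policy, expected Blocked" }

    # 4. Remaining (passive) copies on the server should be Healthy, otherwise the other
    #    member has nothing good to fail back to later.
    $unhealthy = $copies | Where-Object { $_.Status -ne 'Healthy' -and $_.Status -ne 'Mounted' }
    if ($unhealthy) {
        $problems += "Unhealthy copies: " + (($unhealthy | ForEach-Object { "$($_.Name)=$($_.Status)" }) -join ', ')
    }

    New-Object PSObject -Property @{
        Server   = $ServerName
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage: run after StartDagServerMaintenance.ps1, before launching the SP3 setup.
$check = Test-DagMemberReadyForMaintenance -DagName 'DAG1' -ServerName 'SERVERMB01'
$check | Format-List Server, Ready, Problems
```

If Ready comes back False, fix the listed problems (or rerun the maintenance script) rather than proceeding; as the post notes below, once a server holding a database is updated that database can no longer be failed over to a server that is still on the old build.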


So run the install:




(screenshot: Exchange SP3 setup start screen)


The installer checks that you’ve updated the schema and that your servers are ready; click Upgrade and the install will start. Be warned it can take a while to install; mine took about 30 mins, which seemed to be mostly the language pack:



Fortunately for me the install went smoothly on all my servers, but just be careful to only run the update on servers that are not active. Also note that once you update a server with a database on it, you can’t fail that database over to a non-updated server.

Finally, make sure you install Exchange 2010 SP3 Rollup 3, as this fixes a heap of issues with Exchange 2010 SP3.
