Sep 14

Migrate users and/or change SIP addresses

Possible situation

You might have started to deploy Lync or OCS 2007 R2 in a pilot/Proof of Concept environment. When you were deploying the clients and enabling users, you decided to have the SIP addresses identical to the logon names, also known as User Principal Names.

Reasons might be that it was easy because you are managing all the internal DNS zones and could use automatic configuration for the clients.

2nd to this, you started your environment using a Standard Edition, as it offers all the functionality and is easy to deploy.

Best Practices regarding SIP address and Email addresses

Now, the OCS 2007 R2 or Lync Pilot/Proof of concept environment has started to grow and was taken into production without you knowing it… You’ve now read that for best practices, you should be having the SIP addresses and E-mail addresses identical…

Challenges

  1. After experiencing the Lync functionalities, business asks you to build a high available environment.
  2. You do not have Split-Brain/Split Horizon DNS because you have a lot of SIP/Email domains that you would like to support, but no different DNS servers for internal and external zones that could provide different answers. In the screenshot below, sip.contoso.net is referring to IP nr. 1 and would be your Access Edge server. IP nr.2 would be your Front-end Pool or Director Pool when people are internal.;

  3. How are you going to change all the SIP addresses to match the E-mail address.
  4. You would like to change the SIP addresses, but you have two types of users (I know that you might have more…) :
    1. People that come into the office every day, using a domain joined machine;
    2. People that have a laptop and only connect from time to time using VPN;

Possible solutions

  1. When you’re building the High Available environment, you are requested to request certificates… Question comes up… Do I really need the SAN entries for all additional SIP domains I want to support? You need to if you are using Automatic client configuration. Otherwise, you don’t need to. You need to make sure your meet the certificates requirements that are documented here: http://technet.microsoft.com/en-us/library/gg398094.aspx
  2. If you don’t have split-brain, you need to make usage of Manual configuration. You can do this using Group Policy to bootstrap the Lync Client: http://technet.microsoft.com/en-us/library/gg425941.aspx. Make sure you only configure the Poolname, don’t limit the User functionalities here. You need to do that using in-band provisioning. Well documented here: http://technet.microsoft.com/en-us/library/gg398814.aspx. Downside if manual client configuration is that automatic failover only works on specific situations… Remark: If the client is manually configured to connect to a specific pool and his account has a different registrar (like a Survivable Branch Server or Survivable Branch Appliance) then the Pool, failover will be available.
  3. Changing the SIP addresses is pretty easy when you are capable of running the following Powershell command: get-csuser -DomainController $DomainController | Enable-csuser -Registrarpool <REGISTRARPOOLFQDN> -SipAddressType EmailAddress
  4. All the accounts are now modified… You find out that the clients are not automatically lookup the signin name for the Office Communicator or Lync.. How are you going to make sure that all users notice the SIP domain change on the client side…
    1. For the users that are always connected, you can use the script I’ve posted here: http://www.reijling.nl/wp-content/plugins/download-monitor/download.php?id=1 . You need to rename the .txt file to a .cmd file and it can be added in the GPO. In XP, you’ll be able to use this KB: http://support.microsoft.com/kb/314488 or with Windows 7 use: http://technet.microsoft.com/en-us/library/cc731892(WS.10).aspx
    2. When you want to reach all the VPN users and you don’t have Direct Access deployed, you can use this download: http://www.reijling.nl/wp-content/plugins/download-monitor/download.php?id=2 .

      It consists of two files:

      1. Cmd file that closes the client, removes the signin address, call Gpupdate.vbs, starts Communicator.
      2. VBscript that calls the gpupdate with the focus on the user part; writes down the username and computername in a logfile and a status file.

      Just modify the Gpupdate.vbs parameters for the output file. Send out the link to the users that the SIP address change is being announced and that the users should run the script when they are not able to sign in.

Hopefully this is helps you to migrate your environment. If you have any questions regarding this topic or scripts, feel free to contact me.

Permanent link to this article: http://www.reijling.nl/?p=733

3 comments

    • Koen on 18/07/2012 at 11:14

    Thanks Jeroen, this helped me a great deal. I have one addition though. The default SIP login is populated based on UPN as far as I can tell, so if your UPN is the old style .local and you need to set a domain.com SIP address it does not work. I’ve added the following reg add cmd:
    reg add HKCU\Software\Microsoft\Shared\UcClient /v ServerSipUri /t REG_SZ /d %username%@domain.com /f

    • Jeroen on 21/07/2012 at 06:03
      Author

    Thank you for the tip of the registry key! There is only one thing, the default SIP login is determined at creation of the user accounts. If you have a format that matches the %username%@domain.com, that is great!

    • Mahmoud on 29/01/2014 at 15:52

    That was a super cool! i liked the fact you tackled the client side issue for updating

    i’ll have to try that :) thanks

Leave a Reply

Your email address will not be published.