Hi, so I had an implementation for Lync 2013 consisting of an FE and an Edge server. Of course the front-end went smooth and was ready in no time, but I had an annoying problem on the Edge after I installed it that kept me busy for 2 days, until I found out what was going on…

The replication was not working between my FE and the Edge server, and when I type:

Get-CsManagementStoreReplicationStatus

I see false on the Edge server, even if I run Invoke-CsManagementStoreReplication many times, I still don’t get anything on the Edge…

Because internal certificates are internal only, I used a local CA to issue the certificates on the FE, and on the private side of the Edge as well. My CA was an intermediate one under a root CA on the same domain, so the certificate chain had 2 certificates in it (one for the intermediate, and above it the root)… and because Windows Server 2012 does not like certificates in the wrong place, that might cause a lot of problems later…

My FE worked with no problem, and the certificate was installed and recognized correctly… however, the Edge was a different story…

The certificate itself was showing that it was OK and trusted, but it seems that the Edge was still unable to validate it… of course there was no indication that this was the error, so I needed to dig around for a while…

I finally figured out the problem and fixed it, so first here is a summary of the issue:

  • Problem 1: Because my CA chain contained 2 certificates, the root certificate should be in Trusted Root Certification Authorities, and the intermediate one should be in Intermediate Certification Authorities… however, that was not the case (and Windows Server 2012 did not like that).
  • Problem 2: The root CA list was being truncated on the Edge server, thus not allowing it to validate the certificates installed on it! (schannel.dll was doing that!)

My solution was:

  • I put each CA certificate in its correct container, and made sure no container has the wrong certificate in it:
    • The root CA certificate should be located in Trusted Root Certification Authorities ONLY, and must be removed from any other container.
    • The intermediate CA certificate should be located in Intermediate Certification Authorities AND Trusted People ONLY, and must be removed from any other container.
  • I then created 2 registry values in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL as follows (to prevent schannel.dll from interfering with the certificate validation on the Edge server):

Value 1:
Name: SendTrustedIssuerList
Type: DWord
Value: 0

Value 2:
Name: ClientAuthTrustMode
Type: DWord
Value: 2
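The two steps above (putting each CA certificate only in its allowed stores, then creating the two SCHANNEL values) can be checked and applied from an elevated PowerShell session on the Edge server. The script below is an added example and is not from the original post or from Microsoft; the two thumbprints are placeholders you must replace with the SHA-1 thumbprints of your own root and intermediate CA certificates, and it runs in report-only mode until you set `$Apply` to `$true`. After it reports the registry values as set, reboot the Edge and run Invoke-CsManagementStoreReplication as the post describes.

```powershell
# Added example (not from the original post): audit where a two-level CA chain sits in the
# LocalMachine certificate stores on a Lync Edge server and apply the two SCHANNEL values.
# ASSUMPTION: the thumbprints below are placeholders; take the real ones from
#   Get-ChildItem Cert:\LocalMachine\Root, Cert:\LocalMachine\CA
$RootThumbprint         = 'REPLACE-WITH-ROOT-CA-THUMBPRINT'          # placeholder
$IntermediateThumbprint = 'REPLACE-WITH-INTERMEDIATE-CA-THUMBPRINT'  # placeholder
$Apply = $false   # $false = report only; $true = remove misplaced copies and set registry values

# Allowed LocalMachine store names per CA certificate, as described in the post:
#   Root -> Trusted Root Certification Authorities only
#   CA   -> Intermediate Certification Authorities, plus TrustedPeople
$Allowed = @{
    $RootThumbprint         = @('Root')
    $IntermediateThumbprint = @('CA', 'TrustedPeople')
}

# Stores worth inspecting; a CA certificate found in a store outside its allowed list is misplaced.
$Stores = @('Root', 'CA', 'TrustedPeople', 'My', 'AuthRoot', 'TrustedPublisher')

foreach ($tp in $Allowed.Keys) {
    foreach ($store in $Stores) {
        $storePath = "Cert:\LocalMachine\$store"
        $certPath  = Join-Path $storePath $tp
        if (-not (Test-Path $certPath)) { continue }
        if ($Allowed[$tp] -contains $store) {
            Write-Host "OK        $tp present in $store"
        } else {
            Write-Warning "MISPLACED $tp found in $store"
            if ($Apply) {
                Remove-Item -Path $certPath
                Write-Host "REMOVED   $tp from $store"
            }
        }
    }
    # Every allowed store should actually contain the certificate.
    foreach ($store in $Allowed[$tp]) {
        if (-not (Test-Path (Join-Path "Cert:\LocalMachine\$store" $tp))) {
            Write-Warning "MISSING   $tp not present in $store (import it there)"
        }
    }
}

# Registry values from the post: stop SCHANNEL sending the (truncated) trusted-issuer list
# and use client-auth trust mode 2.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$Values = @{
    SendTrustedIssuerList = 0
    ClientAuthTrustMode   = 2
}
foreach ($name in $Values.Keys) {
    $current = (Get-ItemProperty -Path $SchannelKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Values[$name]) {
        Write-Host "OK        $name = $current"
        continue
    }
    Write-Warning "REGISTRY  $name is '$current', expected $($Values[$name])"
    if ($Apply) {
        New-ItemProperty -Path $SchannelKey -Name $name -PropertyType DWord `
            -Value $Values[$name] -Force | Out-Null
        Write-Host "SET       $name = $($Values[$name]) (reboot required)"
    }
}

# Finally, build the chain for the intermediate CA certificate from the CA store so you can
# see whether it now resolves to the root (revocation is skipped; this checks placement only).
$inter = Get-ChildItem -Path "Cert:\LocalMachine\CA\$IntermediateThumbprint" -ErrorAction SilentlyContinue
if ($inter) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if ($chain.Build($inter)) {
        $subjects = $chain.ChainElements | ForEach-Object { $_.Certificate.Subject }
        Write-Host ("CHAIN OK  " + ($subjects -join ' -> '))
    } else {
        $reasons = $chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }
        Write-Warning ("CHAIN FAILED: " + ($reasons -join '; '))
    }
}
```

Run it once with `$Apply = $false` to see which store still holds a stray copy of the root or intermediate certificate; the CHAIN line at the end tells you whether the Edge can walk from the intermediate to the root at all before you touch the registry.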

After rebooting the Edge server, I ran Invoke-CsManagementStoreReplication, and all worked like a charm.

Hope this helps solve your issue!


I found the solution to my problem through the following reference: http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/
