There are many ways to provision Lync Server, each with varying degrees of capability and flexibility. It’s important to be familiar with all of them.
Everyone communicates differently, so when using a platform like Microsoft Lync Server 2010, users need different capabilities. Lync includes several workloads, such as instant messaging (IM), conferencing, mobility and enterprise voice. These provide a connected user experience through Lync client applications. With a product as complex as Lync Server 2010, it’s important to have a means by which to control the features and capabilities available to the user community through Lync client applications.
Lync Server 2010 gives you the versatility to use several means to configure Lync client applications—commonly referred to as provisioning mechanisms. It’s important to understand each of these provisioning mechanisms because they differ in their capabilities. Lync Server 2010 includes four provisioning mechanisms to manage Lync client applications:
Registry Keys You can use registry keys in both the HKey_Local_Machine (HKLM) and HKey_Current_User (HKCU) hives to manage Lync client applications. Registry keys give you more capabilities for managing Lync client applications than other provisioning mechanisms, but there’s limited flexibility because you must set registry keys on a per-computer basis.
Group Policy You can use Group Policy to set Lync client bootstrapping policies, which are settings configured before users sign in to Lync. Group Policy provides fewer capabilities for managing Lync applications than previous versions of Office Communications Server (OCS), mostly because the remaining capabilities have been moved to in-band provisioning. However, Group Policy does offer more flexibility than registry keys, because you can apply it to multiple computers and users.
DNS DNS is mostly applicable for retrieving the name of the connection server. Therefore, DNS is limited in both capability and flexibility as a provisioning mechanism for Lync client applications and actually serves a more specific purpose.
In-Band Provisioning In-band provisioning can send configuration information from Lync Server2010 to Lync client applications through the Session Initiation Protocol (SIP). In-band provisioning is not new to Lync Server 2010. It was around in previous versions of OCS. However, the capabilities for managing Lync client applications are significantly greater in Lync Server 2010. In-band provisioning is also flexible because you can apply in-band provisioning policies at various levels.
Microsoft Lync Server 2010 includes multiple provisioning mechanisms, some of which can include multiple instances. You can use any combination of these mechanisms to manage Lync client applications, so it’s important to understand the order of processing. Figure 1 outlines the order of processing used for Lync Server 2010 provisioning.
Figure 1 There’s a specific processing order for Lync Server 2010 provisioning.
|1||Registry Keys (HKLM)||The Lync client application reads the applicable registry keys from HKLM\Software\Microsoft\Communicator.|
|2||Registry Keys (HKCU)||The Lync client application reads the applicable registry key from HKCU\Software\Microsoft\Communicator.|
|3||Group Policy (Computer Settings)||The Lync client application reads the applicable registry keys from the HKLM\Software\Policies\Microsoft\Communicator, which is where settings defined in Group Policy Computer Settings are stored.|
|4||Group Policy (User Settings)||The Lync client application reads the applicable registry keys from the HKCU\Software\Policies\Microsoft\Communicator, which is where settings defined in Group Policy User Settings are stored.|
|5||DNS||The Lync client application will use DNS to retrieve the connection server name.|
|6||In-Band Provisioning||Once a connection is established, the Lync client application will receive applicable in-band provisioning rules.|
Using registry keys to manage Lync client applications provides sufficient capability but limited flexibility. You can manually edit registry keys to configure Lync client applications, and, as with most applications, there’s quite a bit you can control through registry keys. However, using registry keys is fairly tedious and not something you’d use frequently.
Like previous versions of OCS, you can still use Group Policy to manage Lync client applications. However, in Lync Server 2010, you can also use Group Policy to manage client bootstrapping settings. These settings are required before users sign in to the Lync client.
There’s an administrative template file (available from Microsoft) that you can use with Group Policy for client bootstrapping policies. Group Policy uses administrative template files (also called ADM files) to describe where it stores registry-based policy settings. Administrative template files (see Figure 2) also describe the UI that administrators see in the Group Policy Object Editor snap-in.
Figure 2 The administrative template file for Lync Server 2010 client bootstrapping.
Most of the settings within this administrative template file are specific to configuration before a user would sign in using Lync client applications. It’s important to note that with Group Policy, you can apply multiple Group Policy Objects (GPOs) to a user or computer. You can also override previously applied settings. Therefore, you must be aware of the Group Policy processing order:
In-band provisioning is a more robust mechanism with which to manage Lync client applications. It doesn’t take effect until after the Lync client application has connected to Lync Server 2010, and the user is authenticated. Once connection and authentication have occurred, front-end Lync servers send the configuration information. This is organized into XML structures and sent to the Lync client application through SIP. Lync Server 2010 in-band provisioning includes five XML structures, which are sent to the client. Figure 3 details the five XML structures, as well as the type of content within each XML structure.
Figure 3 The five types of XML structures and the content each contains.
|ms-location-profile-definition||· Location Profile Related|
|vnd-microsoft-roaming-contacts||· User Contacts|
· Endpoint Configuration
· Location Policy
· Media Configuration
· Meeting Policy
· Presence Policy v2
· Privacy Publication Grammar
· Publication Grammar
· Server Configuration
· UC Phone Settings
· UC Policy
· User Settings
|vnd-microsoft-roaming-self||· General User Properties|
|Conferencing||· Conferencing Capabilities|
There’s a significant amount of information you can configure through Lync Server 2010 in-band provisioning. It’s also useful for more than Lync Server 2010 policies. Each of the XML structures listed in Figure 3 includes XML structure parameters, which are comparable to Lync properties. You can manage each parameter—all of which also have default values—with the Lync Management Shell.
The parameters associated with in-band provisioning are organized into policies. These policies exist at different levels, including Global, Site, Pool and User. You can’t create all policies at all levels. For example, you can create Client policies at the Site, Pool and Tag level. You can only create External User Access policies at the Site and User level. Tags are user-level policies with settings you can apply to a single user or group of users.
You can manage policies with the Lync Server Control Panel and the Lync Server Management Console. You can’t manage all policies within the Lync Server Control Panel, however. This is by design. Policies with widespread effect aren’t shown in the Lync Server Control Panel. You have to manage these with the Lync Management Shell.
You can view in-band provisioning policies with the Lync Server Control Panel and the Lync Server Management Shell. The relevant policy will be shown within each workload. For example, to view the File Filter Configuration policies through the Lync Server Control Panel, you’d perform the following tasks:
The File Filter Configuration policies will be visible in the details pane (see Figure 4).
Figure 4 File Filter Configuration policies seen in the Lync Server 2010 Control Panel.
You can also view policies with the Lync Server Management Shell. To view the File Filters Configuration policies with the Management Shell (see Figure 5), run the following command:
Figure 5 One File Filter Configuration policy as viewed in the Lync Server Management Shell.
You would use different Lync Management Shell cmdlets to create different types of in-band provisioning policies. For example, you’d use the CsFileTransferFilterConfigurationcmdlet to create a new File Transfer Filter policy; the New-CsDialInConferencingConfigurationcmdlet to create a new Dial-In Conferencingpolicy; the New-CsImFilterConfigurationcmdlet to create a new IM Filter Configuration policy and so on. The same applies to modifying and deleting in-band provisioning policies.
To use the Lync Management Shell to create a new IM Filter Configuration policy called Hub Site, use the following command:
New-CsImFilterConfiguration-Identity site:"Hub Site"
When the new IM Filter Configuration policy is created, it has a set of default settings because the command used to create the policy didn’t specify any settings (see Figure 6).
Figure 6 Creating an IM Configuration policy in Lync Server Management Shell.
To use the Lync Management Shell to modify an IM Filter Configuration policy called Hub Site, use the following command:
Set-CsImFilterConfiguration -Identity site:"Hub Site" -Enabled $True
This modifies the IM Filter Configuration policy previously created to scan IMs for hyperlinks. It will also apply the rules in this configuration.
To use the Lync Management Shell to delete an IM Filter Configuration policy called Hub Site, use the following command:
Remove-CsImFilterConfiguration -Identity site:"Hub Site"
Tags are settings you can apply to a single user or to a group of users. Create a new Presence policy and apply it to a specific user. Then apply that policy to all users within a particular OU.
To use the Lync Management Shell to create the new Presence policy called Toronto Presence Policy (see Figure 7), use the following command:
New-CsPresencePolicy -Identity "Toronto Presence Policy" -MaxPromptedSubscriber 400 -MaxCategorySubscription 500
Figure 7 Creating a new Presence policy in Lync Server Management Shell.
To use the Lync Management Shell to grant this new Presence policy to a user named LyncTest1, use the following command:
Grant-CsPresencePolicy -Identity "LyncTest1" -PolicyName "Toronto Presence Policy"
To use the Lync Management Shell to grant the Toronto Presence policy to all users within an OU, called Toronto, use the following command:
Get-CsUser -OU "OU=Toronto,dc=lynclab2,dc=local" | Grant-CsPresencePolicy -PolicyName "Toronto Presence Policy"
Because this user account was already granted the Toronto Presence policy in the previous command, you’ll see a warning (see Figure 8) that the LyncTest1 user account was not changed.
Figure 8 The Lync Server Management Shell warning message states the user account was not changed because it was already granted the Toronto Presence policy.
In a lab or testing environment, you may be playing around with in-band provisioning policies and find yourself wanting to reset the values back to their default configuration. There’s no built-in way to simply reset a policy back to default. There is, however, a workaround you can use to reset Global policies. It consists of removing the Global policy, which will cause Lync Server 2010 to reset the policy. For example, to reset the File Filters Configuration at the Global level, use the following command:
You’ll receive notification that you can’t remove the policy, but it has been reset to the default (See Figure 9). Removing non-Global-level policies won’t reset the policies.
Figure 9 You’ll be notified when you can’t remove policies.
There are several provisioning mechanisms available in Microsoft Lync Server 2010. It’s a good idea to be familiar with all of them, as they have different capabilities and will be useful for different situations.
John Policelli (MVP for Directory Services) is a solutions-focused IT consultant with Avanade Canada. He has designed and implemented dozens of complex directory service, collaboration, Web, networking and enterprise security solutions, and has spent years focused on identity and access management. He’s also an author, technical reviewer and SME for more than 75 training, certification and technical white paper projects.