Road to Lync Hybrid Split-Domain with Shared SIP Address Space

8/29/2014

This article is intended for readers who are looking for guidance on how to deploy Lync 2013 Hybrid Split Domain with shared SIP address space. It documents the steps necessary to move from a fully on-premise Lync2013 deployment to a hybrid Office365 Lync split-domain deployment where some users are homed on-premise while some are homed on-line. Hopefully this serves as a useful reference to compliment the documentation already provided by TechNet. Do note that this is a very long article!

The starting point for this article is an already fully functional Lync2013 on-premise deployment complete with Edge server deployed with
federation enabled and all modalities working properly. All the necessary external and internal DNS records are already in-place and public SSL certificates are already assigned to the Lync Edge services and Reverse Proxy services. At the same time, an enterprise Office365 tenant to build the split domain topology on must also be available. In this setup an O365 E3 tenant is used for the hybrid deployment. Readers who do not have a tenant can sign up for a 30-day E3 trial here. Note also that the desired shared SIP address space must be a publicly verifiable domain therefore domain suffixes such as ".local" will not work. Ownership of the SIP domain is also required along with the ability to create public DNS records and purchasing of public SSL certificates. With all these in place, a quick overview of the steps involved is summarized below:

Add your domain and verify ownership
Install and Configure Active Directory synchronization
Install and Configure Active Directory Federation Services (AD FS)
Install and Configure Active Directory Federation Services Proxy (AD FS Proxy)
Configure Single Sign-on (SSO) with ADFS
Configure federation of Lync Server 2013 with Lync Online
Move user to Lync Online and test calls between Lync Online and Lync Onprem

1. Add your domain and verify ownership
With an O365 E3 tenant account setup with the default options, the Online Lync SIP address and AD UPN suffix will be like mydomain.onmicrosoft.com. It is also good to test logins to this account using Lync and Exchange to make sure everything is working. The first tenant online user is typically also the administrator this account will be used for administration and setup of the hybrid environment. At this stage, there is no need to create any additional users on the tenant as user accounts will be synchronized from your Onprem AD later in step 2. The Onprem Lync SIP address and AD UPN desired will be something like mydomain.com, and this will be the shared SIP address space. We now need to add this "vanity" domain to the online tenant so that online users will also use the shared SIP address space. On the O365 admin center home page, click the "setup" tab and then "Start":

Here we can see the default domain "mydomain.onmicrosoft.com". Click on "Add domain" to begin:

In the next screen click on "Start step 1":

Enter the desired SIP domain which in this case is the Onprem AD UPN domain and Lync SIP domain suffix "mydomain.com"

In the next screen we need to create the DNS record as specified in order to confirm domain ownership. At this point go to your DNS provider and create either the MX or TXT record. In this lab the TXT record was created, then wait a few minutes before clicking on the "done, verify now" button:

In the next screen we choose not to add users right now as these users will be synchronized from the Onprem AD later:

In the next window we select both check boxes for Exchange Online and Lync Online. Note there there is no Onprem Exchange server in this setup and all user mailboxes will be hosted on O365:

We now need to add the necessary public DNS records as shown below and then click "Done, go check" in order to proceed. Note that we actually should not change the records for Lync Online as shown below since we already have an Onprem Lync deployment. In a Lync Hybrid setup, the public CNAME and SRV records for Lync should point to the Onprem Edge server's access FQDN. So after verifying these records, we should change the DNS records back to point to the Onprem Edge server.

If the AD UPN is using a non publicly routable domain suffix like the AD used in the lab, eg "mydomain.local", then we need to add an alternative UPN suffix to the AD and configure users to use this UPN instead. O365 Directory Sync will not work properly with AD UPN suffixes like ".local" etc.. In this case we just use the same mydomain.com Shared SIP Address space for the alternative UPN. We add this using the AD Domains and Trusts:

For any existing accounts that were created before this alternative UPN was added, we need to go back to the account properties for the user and change the UPN to use the new alternative suffix. Once this is done we can proceed with the next step of directory synchronization with O365 Azure AD

2. Install and Configure Active Directory synchronization
When setting up hybrid environment, Directory Synchronization or DirSync is mandatory, while there are two options for access control: Password Sync and Single Sign-on. For simplicity Password Sync can be used along with DirSync but this means that although user's password hash will be synchronized from On-prem AD to Azure AD, the user must login again to O365 in addition to the On-prem AD. SSO with DirSync requires a more complex setup involving ADFS and is shown later in this walk-thru. To begin, on the O365 admin center click on "Users & Groups" then click "Set up" for AD synchronization:

In the next window, we click on the "Activate" button to activate dirsync between your Onprem AD and O365's Azure AD cloud. After that download the Directory Sync Tool and copy the installer file to your AD domain controller:

We start the DirSync tool installer on the domain controller and click Next to proceed:

We just install using the defaults and then click Finish to start the Configuration Wizard:

At the Welcome screen click "Next" to continue

Next, we need to specify the admin credentials for the O365 E3 tenant:

Following that we need to enter the credentials of the Onprem AD administrator account:

Next we see that the Enable Hybrid Deployment checkbox is automatically selected and click "Next" to continue. Note that account creation is one way from the Onprem AD to Azure's AD, but there are some attributes that do get synchronized back:

As mentioned, we will configure DirSync with Password Synchronization so the checkbox needs to be selected:

Once the configuration is complete, we can click "Next" to continue:

Ensure the checkbox is selected to start directory sync and click "Finish" to complete the wizard:

To verify that directory synchronization is successful, we can login to the O365 admin page and look at the users. From the diagram below we can see 5 new users that have been synced from the Onprem AD:

3. Install and Configure Active Directory Federation Services (AD FS)
With DirSync configured, we next proceed to install and configure ADFS on Windows 2012. Note that you can install ADFS on a separate server but in this walk thru we will just use the same DC. Before beginning the installation, we will need to obtain a public SSL server authentication certificate. The Common Name or Subject Name of this certificate needs to match the name of the federated service, for this example we are using "fedsvr.mydomain.com". For this lab we created a certificate request using IIS on the DC and used this to purchase a standard, not UCC, SSL certificate from GoDaddy. After getting the certificate we imported it back into IIS (refer to this TechNet page for the steps to do this).

After that is complete, we can proceed to add the ADFS role to the DC:

On the Role Services page, we only need to select "Federation Service" and click "Next" to continue:

Once installation completes start the ADFS Federation Server Configuration Wizard:

Click the first option to Create a new Federation Service:

Microsoft recommends creating a federation server farm but for this walk thru we will just create a stand-alone federation server:

Next from the drop down list we select the SSL certificate that was imported earlier. We also select the Federation Service name which matches the CN or SN of the certificate:

At the next window, we just click "Next" to finish:

After the AFDS Configuration Wizard has completed, we can verify that ADFS services are operational by browsing to https://fedsvr.ucprimer.com/adfs/fs/federationserverservice.asmx and obtain and XML service description:

4. Install and Configure Active Directory Federation Services Proxy (AD FS Proxy)
The ADFS proxy computer resides in the perimeter network and therefore cannot be collocated on the ADFS server. In this setup we installed a new Windows Server 2012 machine with 2 NIC cards for internal and external interfaces. The external interface has a NAT'ed public IP address which is assigned public DNS A Record that matches the FQDN of the ADFS service, which in this lab is fedsvr.ucprimer.com. Note that this computer is not joined to the domain. To begin, use the Roles and Features Wizard to add the Federation Service Proxy on the Windows 2012 computer:

Allow the installation to proceed with the defaults. Next, we export the ADFS certificate along with the private key from the AD FS server and import the certificate into the ADFS Proxy computer using IIS:

When the import is successful we should be able to see the certificate in IIS:

Now we need to bind the certificate to the https service in IIS. On the IIS home page click on "Bindings...":

Next, we start the AD FS Federation Server Proxy Configuration Wizard:

In the next step we specify the Federation Service name and click "Test Connection" to make sure the service can be contacted correctly. We also need to ensure that the ADFS Proxy server has a /etc/hosts file for the host record fedsvr.mydomain.com pointing to the AD FS server:

Then we establish a trust between this AD FS Proxy computer and the AD FS server which requires administrator credentials:

Now we are Ready to Apply Settings and click "Next" to proceed:

Allow the wizard to finish the configuration and click "Close" to complete:

5. Configure Single Sign-on (SSO) with ADFS
With the ADFS and ADFS Proxy setup, we can now configure SSO between the Onprem AD and O365's Azure AD. To begin, we download and install the Microsoft Azure Active Directory Module for Windows PowerShell on the ADFS computer. Once installed, open the module and run the following powershell commands to setup a trusted federation domain:
                $cred = get-Credential                // enter the tenant administrator credentials in the popup window
                Connect-MsolService -Credential $cred
                Convert-MsolDomainToFederated -DomainName <your AD domain>
                Get-MsolFederationProperty -DomainName <your AD domain>       // this is to verify successful setup

To test single sign-on connectivity, we can use the Microsoft Remote Connectivity Analyzer. Click the Office 365 tab, click Microsoft Single Sign-On, and then click Next. Follow the screen prompts to perform the test. The analyzer validates your ability to sign on to the cloud service with your corporate credentials. It also validates some basic AD FS 2.0 configuration:

6. Configure federation of Lync Server 2013 with Lync Online
These series of powershell cmdlets are run from Lync Management shell to configure the necessary properties of the Onprem Lync for federation with Lync Online:

                Set-CSAccessEdgeConfiguration -AllowOutsideUsers 1 -AllowFederatedUsers 1 -UseDnsSrvRouting
                Remove-CsHostingProvider -Identity LyncOnline            // Removes the default Lync Online Hosting Provider
                New-CSHostingProvider -Identity LyncOnline -ProxyFqdn "sipfed.online.lync.com" -Enabled $true
                     -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal
                        $false -AutodiscoverUrl https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root

Before moving users from Lync Onprem to Lync Online, we need to configure the O365 tenant to share the SIP address space with the on-premises deployment. If this is not configured, we may see the following error message:

Move-CsUser : HostedMigration fault: Error=(510), Description=(This user’s tenant is not enabled for shared sip address space.)

To configure a shared SIP address space, establish a remote PowerShell session with Lync Online, and then run the following cmdlet:
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

7. Move user to Lync Online and test calls between Lync Online and Lync Onprem
In the final stage, we move an existing Lync Onprem user to Lync Online. In this walk thru we move the user with SIP address Helen.Rodin@mydomain.com and AD UPN hrodin@mydomain.com. This user has already been enabled for Lync Onprem and is able to login from a Lync client. To begin the move process, we first login to the O365 admin page and assign a E3 license for this user:

Now we can proceed to use the Move-CsUser cmdlet in the Onprem Lync Management Shell: to move the user from Onprem to Online. The steps for how to determine the parameter for HostedMigrationOverrideUrl are provided here. The cmdlet is

Move-CsUser -Identity <user's AD UPN> -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl <Hosted migration override URL for your tenant>

After the Move-CsUser command completes successfully with no errors, we can log in to O365 Lync admin center to see the user is now homed online:

On the Onprem Lync Control Panel we can see the same user is specified as homed online:

We can now test IM and video calls between hrodin who is homed Online and logged in from external network and jreacher who is homed Onprem and logged in from internal network:

This completes the walk thru for setting up Lync Hybrid Split-Domain with Shared SIP Address Space. As can be seen it was a long article with many steps involved but overall the process was not too difficult. Hopefully this article serves as a useful guide for those doing the same. Future articles will address configuring Polycom Room Endpoints and Infrastructure for Lync hybrid.

32 Comments

Vu Pham (VN) link

9/1/2014 08:34:16 pm

That's great. I've just done my lab with your guide.
Thanks so much!

Vu Pham

Huy Pham

10/1/2014 06:48:57 pm

Thank you so much...
Useful Article !!!

Steve

2/16/2015 06:18:29 pm

Great article... I have a few questions please...

a) am I correct in presuming that just a typical edge server is required in the topology that supports sip, webconf and Av?

b) what are the certificate requirements. Is it just sip.onpremdomain.com for federation?

c) do the external web services on the front end server get used in any lync online scenario?

Brennon link

2/25/2015 01:44:17 pm

Hi Steve

a) A fully functional edge server supporting SIP, WebConf and AV is required along with Federation enabled along with public certificates. I would also advice against using single IP addresses for these 3 services. A fully functional Reverse Proxy is also required for external Lync web services publishing.

b) The certificate requirements are as per typical Edge server for on-premise deployment: https://technet.microsoft.com/en-us/library/gg398920.aspx

c) Yes it does. Lync External Web Services are used by users hosted on-line. The relationship between users hosted on-premise and on-line is basically federation.

Shawn Harry link

4/13/2015 02:41:57 am

Thanks a lot for the great article! I did things slightly different and used WAP instead of ADFS proxy which is much easier for publishing ADFS.
A couple of questions though:-

1) I take it installation of ADFS is obviously mandatory as you have to set up SSO with the O365 tenant. If that's the case ticking the box in dir sync for password synchronisation has no effect as SSO to the O365 Portal by users is done using ADFS?

2) Clients logged into Lync Online authenticate seamlessly using ADFS\SSO against the on premise ADFS instance?

3)Does Dir Sync set up a scheduled task to re-sync the two AD's? As ran through the wizard manually to kick off the sync again.

Brennon link

4/13/2015 01:42:38 pm

Hi Shawn

1) Correct SSO is via ADFS and the password sync checkbox is not necessary

2) Correct

3) Sync is performed automatically every 24hrs by default. There should not be a need to do manual sync

Brennon Kwok link

4/21/2015 06:28:50 pm

My apologies. Directory Sync is performed every 3 hours by default

Jörgen Hjärtenflo link

4/28/2015 09:09:39 pm

The pwd sync checkbox is good to have in place, even when you use ADFS with SSO.Heres why - if you further on disable the Federated domain in o365 - the pwd will be the same as in the local AD. Pwd sync is done through dirsync directly, we dont need for the dirsync run. Also the Technet article sais that ADFS is optional for Lync Hybrid setup. But I do recommend to use ADFS and SSO.

Brennon Kwok link

5/12/2015 06:56:46 pm

Thanks Jörgen. I agree with you.

Afzal

5/17/2015 10:58:00 pm

Can we configure lync hybrid without ADFS? If yes, what are additional steps we would required to setup lync hybrid.

Brennon link

6/30/2015 07:41:07 pm

Technically it is possible but I would not recommend it. ADFS will provide a better SSO experience

Ssilva

6/30/2015 05:42:30 pm

Hi, one question, office 365 users in this topology can use On-Premise PBX?

Brennon link

6/30/2015 07:38:23 pm

No, currently it is not possible. However, Microsoft plans to support this in Skype4Business Server 2015 in a future update

Eric

8/24/2015 07:23:58 am

What if you've moved all users over to Office 365 Skype for Business and now want to decommission all the on-premise stuff and only use the O365 based service? Is it as simple as changing the DNS to point to the appropriate cloud based host names, and setting EnabledSharedAddressSpace to FALSE on the O365 side?

Brennon link

8/30/2015 06:22:28 pm

Hi Eric

I haven't tried this but based on what I've seen in the documentation the answer is yes.

Daniel

9/15/2015 08:56:02 am

Could you specify the best approach how to move from Office 365 with all features On-line to only host the Skype for Business On-Prem for hybrid solution? The reason it´s required is to integrate Skype with local PBX system and other prescience systems that requires topology modification. I guess the first requirement is a local Active Directory with AD-FS? Other vice you could not install the local Skype server. How about users. Is it all right to have Lync 365 users in the cloud even using local features in Skype On Prem?

Brennon link

9/16/2015 11:12:00 pm

Hi Daniel

For an existing online-only tenant, yes they would need to setup an on premise AD, ADFS and ADFS Proxy environment first, then install and configure an on-premise Skype4Business Server with Edge services enabled. Then they can configure a Hybrid environment and integrate the local PBX with the on-premise servers. However, at this stage the users homed online will not be able to make use of the local PBX yet, but this capability will be made available in a future update to Skype4Business.

Hope this helps

steve

10/7/2015 03:11:45 pm

Hello again its me!

so we have tried this on a few occasions, & have been slightly successful.

However our issue is; as soon as we enabled the Shared address space, we lose all communication with our federated partners (we have a open fed)

We are unable to see presence, or initiate an IM. However a user at a company we are federated with is able to IM us & we can then respond.

I did find another blog that mentioned it could be due to the way the edge is looking up the records. & they it should look them up externally ....

any insight to that?

Brennon link

10/19/2015 07:36:08 pm

Hi Steve

One-way only federation is usually the result of bad DNS records. Make sure your Edge server is able to successfully resolve to external SRV records. Remember that the Edge server needs to point to an external DNS, not your internal DNS and your SIP SRV records should point to your on-premise deployment, not the O365 servers.

steve link

10/19/2015 08:05:09 pm

Thanks, its funny because i was actually just testing this as i got your response.

So yes, i just confirmed that the edge can resolve externally...Well we have a internal SRV record in DNS as you have listed here.

I also tried to create some host entries but still no go.

when running OCS logger, 1 of the things that stuck out at me is i see it is I get a 5504 server time-out...the MSDisg line shows this..(i changed the txt in the domains a bit for sec. reasons. But its almost like it is trying to lookup the federated partner via my lync environment. I do have a office 365 ticket opened for the last week. but they are now telling us that it might be a Lync on prem issue & not Lync online. despite FEDS breaking when enabling the shared address space. other than that ALL onprem functionality works (external mobile clients can sign in, internal IM works, sharing, meetings etc)

ms-diagnostics: 1003;reason="User does not exist";TargetUri="tim.roley@cadgouphold.com";source="sip.ngesnephl.com"

As soon as i set the shared address space to False restart my lync client,, i can then IM TIm

Josh

10/19/2015 01:39:42 am

Hi Brennon,
thanks for the great article.
I have this situation here:

Office 365 E4 (so we can installa on premise S4B servers)
2 Separate Offices
Local PBX with SIP channels
300 users

Actually we are migrating Exchange to Office365
My idea on having the best layout to have Enterprise voice, WebConference, IM, and AV sessions is:

1 EDGE Server and a Proxy in local (on Premise) DMZ
1 Frontend (on Premise)
1 Mediation Server
Lync Online to have Unified Messaging to Exchange.

Do you think it might work? do you think we could install mediation server online?

Thanks and best regards
Josh

Brennon link

10/20/2015 11:57:17 pm

No Josh, you cannot install the Mediation Server online. It has to be on-premise, either standalone or collocated with your FE servers. Once you have the on-premise setup as shown, then configure hybrid and you should be able to get UM to ExchangeOnline for on-prem users. Note that users hosted online cannot have UM at this time.

Jim

10/22/2015 12:14:33 pm

For a Lync Server 2013 Federation/Hybrid to O365 (Skype for Business Online), is the Edge Server absolutely necessary? Or the proxy, if NO external access is needed? Can everything just point back to the front end? I cannot find any documentation on this. Thanks!

Brennon link

10/23/2015 01:38:07 am

Hi Jim

Yes for Hybrid deployment the Edge Server is mandatory. Proxy can be optional if no external access is required.

Brian

11/10/2015 06:06:51 pm

Hello
Do you know if this will work using Lync 2010?
Also I do not have the front end server published through a proxy but I do have an edge server?

Thank you

Hasan Reza link

2/16/2016 07:22:24 am

One of the most complete and comprehensive article on the subject..

Azu

5/13/2016 02:55:51 pm

Thanks for the very detailed Article.
Currently we have Skype Online only users (E3 License),we would like to build an on premise S4B infrastructure and move users back to integrate to make use our internal Telephony system.

Do i need to point all my external DNS points to On premise setup?
What are all the External/Internal DNS changes needed to achieve Hybrid setup and move users back to onpremise?

Brennon link

8/5/2016 12:10:44 am

Hi Azu

For hybrid setup, the external DNS records shoud point to your on-premise edge infrastructure. Users homed on-line on O365 will simply be redirected by the edge servers to O365. Details can be found here https://support.microsoft.com/en-sg/kb/2757450

Joe

8/25/2016 04:11:01 am

Hi,
great article.

Is it possible to have two s4b hybrid infrastructures, for two separate domains, both sync'd to same tenant?
ie: contoso.com is sync'd to cloud, and have s4b hybrid implemented (sip address space @contoso.com).
second domain, fabrikam.com, is sync'd to same tenant, users are enabled only on s4b Online, with another sip address (@fabrikam.com). In domain fabrikam.com are built s4b on-prem servers, and enabled hybrid for sip addresses @fabrikam.com

Joe

Brennon link

8/29/2016 02:29:42 am

Hi Joe

You can have multiple SIP domains belonging to a single on-premise instance of S4B configured as hybrid to a single O365 tenant. This is explained futher in https://skype4b.uk/2016/04/11/skype-for-business-hybridadditional-office-365-domain/

With Skype for Business, when using multiple forests on-premises then only the account-resource forest topology is supported. You may refer to this article https://azure.microsoft.com/en-us/documentation/articles/active-directory-aadconnect-topologies/

So the short answer is no.

Figo

6/23/2017 06:39:02 am

Whats the purpose of implimenting AD connect if you still have to move users over to skype for business online? after users are synced over to office 365 and licensed, wouldnt they already be in skype for business online server, so why move them?

Cant you just configure federation and shared sip address spacing between on prem with skype for business online and the users are already there?

Brennon link

7/11/2017 02:50:36 am

Hi Figo

AAD Connect is only for synchronizing accounts between an on-prem AD and the O365 tenant AD. It does not perform any Skype for Business related tasks. Once the user account has been sync'ed from on-prem to online, then the user can be moved back and forth between on-prem Skype for Business and Online Skype for Business. Hope this helps.

Your comment will be posted after it is approved.

Road to Lync Hybrid Split-Domain with Shared SIP Address Space

Leave a Reply.

Important Links

Archives

Categories