Did you deploy Lync or Skype for Business Online before deploying Skype for Business (Lync) Server on-premises? And now you’d like to move your online user accounts to your on-premises server deployment? Here’s how!
Disclaimer: this article is a work in progress, put together from lots of very untidy notes from the field. I will improve the article as I test it in the field, and welcome any feedback and experiences.
Assumptions
- Your Skype for Business users are homed in Skype for Business Online
- You have a fully deployed and working Skype for Business Server on-premises
- You have deployed Azure AD Connect and are synchronising on-premises AD with Office 365 Azure AD, using either password hash sync or Active Directory Federation Services (AD FS) for single sign-on
- Your deployment is backed up. Once cut over, the on-premises deployment becomes authoritative and handles sign-in for both SfB Online and on-premises users
Preparation
Management Tools
Install the following tools where you intend to run migrations from:
- Skype for Business Server Administration Tools
- Skype for Business Online, Windows PowerShell Module
Office 365
Determine Office 365 Federation settings to be replicated to on-premises, keeping the following in mind:
- Domain matching must be configured the same for your on-premises deployment and your Office 365 tenant
- If partner discovery is enabled on the on-premises deployment, then open federation must be configured for your online tenant. If partner discovery is not enabled, then closed federation must be configured for your online tenant
- The Blocked domains list in the on-premises deployment must exactly match the Blocked domains list for your online tenant
- The Allowed domains list in the on-premises deployment must exactly match the Allowed domains list for your online tenant
- Federation must be enabled for the external communications for the online tenant, which is configured by using the Skype for Business Online Control Panel
Certificates
- Confirm that the on-premises Edge Servers have the certificate chain that enables connection to Skype for Business Online. You can download this chain here: https://corp.sts.microsoft.com/Onboard/ADFS_Onboarding_Pack/corp_sts_2018.zip
Azure AD Connect
If you installed Azure AD Connect before Skype for Business Server, chances are some of the related msRTCSIP-* attributes are not configured for synchronisation. This article details the attributes that you should be syncing.
You can check the attributes configured for synchronisation as follows:
- Start the Synchronization Service Manager
- Go to the Connectors tab and select the Connector you want to edit
- Right click and select Properties
- Go to the Select Attributes section:
Once added make sure you run a full sync again:
```powershell
# Full (initial) sync so the newly selected attributes are exported to Azure AD
Start-ADSyncSyncCycle -PolicyType Initial
```
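The following script is an added example and not code from the original post. It checks, from PowerShell rather than the Synchronization Service Manager GUI, that the msRTCSIP-* attributes hybrid depends on are selected on the on-premises AD connector, then runs the full sync and waits for it to finish. The connector name is a placeholder, and the script assumes that the ADSync module exposes the connector's selected attributes as AttributeInclusionList (as current Azure AD Connect builds do). The attribute list is the set commonly documented for SfB hybrid; verify it against the Microsoft article the post links to.

```powershell
# Added example (not from the original post): verify msRTCSIP attribute selection, then full sync.
# Assumptions: connector name is a placeholder; AttributeInclusionList is the connector property
# that holds the attributes ticked under "Select Attributes".
Import-Module ADSync

$ConnectorName = "domain.com"   # assumption: the name of your on-premises AD connector

# Attributes commonly documented as required for SfB hybrid. The three the post's attribute table
# relies on are DeploymentLocator, PrimaryUserAddress and UserEnabled.
$RequiredAttributes = @(
    'msRTCSIP-ApplicationOptions', 'msRTCSIP-DeploymentLocator', 'msRTCSIP-Line',
    'msRTCSIP-OptionFlags', 'msRTCSIP-OwnerUrn', 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled'
)

$connector = Get-ADSyncConnector -Name $ConnectorName
$selected  = @($connector.AttributeInclusionList)
$missing   = @($RequiredAttributes | Where-Object { $selected -notcontains $_ })

if ($missing) {
    Write-Warning "Not selected for sync on '$ConnectorName': $($missing -join ', ')"
    Write-Warning "Add them in Synchronization Service Manager (Connector > Properties > Select Attributes) and re-run."
    return
}
"All $($RequiredAttributes.Count) msRTCSIP attributes are selected on '$ConnectorName'."

# Do not start a full sync on top of a cycle that is already running
if ((Get-ADSyncScheduler).SyncCycleInProgress) {
    throw "A sync cycle is already in progress; wait for it to finish before starting an Initial cycle."
}
Start-ADSyncSyncCycle -PolicyType Initial

# Get-ADSyncConnectorRunStatus returns nothing once no connector run is in progress
do {
    Start-Sleep -Seconds 30
    $running = @(Get-ADSyncConnectorRunStatus)
    if ($running) { "Still running: $(($running | ForEach-Object { $_.ConnectorName }) -join ', ')" }
} while ($running)
"Initial sync cycle complete; check the Synchronization Service Manager Operations tab for errors."
```

Run it on the Azure AD Connect server as an account that is a member of the ADSyncAdmins group; the Initial policy type is deliberate because a Delta cycle does not re-read attributes that were not previously selected.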
Hybrid Setup
There are two options when configuring hybrid. In Skype for Business Server a wizard takes care of most of it for you, but there are cases where you need to do it manually, for example if you are running Lync Server 2013.
Option 1 – Wizard
Run the “Set up Hybrid with Skype for Business Online” wizard from the Skype for Business Control Panel:
Microsoft recommends you sign in with the admin account that was created when you signed up for Office 365, but in practice any admin account appears to work as long as it is in an onmicrosoft.com domain, e.g. [email protected]. The reason is that the wizard performs a lyncdiscover lookup against SfB Online when connecting (some more info here); an account on your real domain will fail, because lyncdiscover for that domain resolves to the on-premises deployment. This user may also need an SfB licence, but I haven't 100% confirmed this.
Once you’ve signed in, the wizard will validate your configuration and attempt to resolve any issues it finds:
Option 2 – Manual
- Determine the Office 365 Admin URL:
- Determine the Office 365 Hosted Migration Service URL:
- Using the URL found in the step above we need to construct the Migration Server URL
- Take your URL where x is a letter specific to your tenant e.g. https://admin0x.online.lync.com
- Append the following string to the URL: /HostedMigration/hostedmigrationservice.svc.
- The resulting URL, which is the value of the HostedMigrationOverrideUrl, should look like the following, and will be used later in PowerShell commands when migrating users – https://admin0x.online.lync.com/HostedMigration/hostedmigrationservice.svc
- Enable Exchange Online integration (UM) for your on-premises SfB servers – see Configure integration between on-premises Skype for Business Server 2015 and Exchange Online
```powershell
# Hosting provider for Exchange Online UM; shared address space must be enabled for hybrid
New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification
```
- Configure the Office 365 tenant for PowerShell access
- If you haven’t, install the Skype for Business Online connector module for Windows PowerShell
- Create a remote PowerShell session:
```powershell
Import-Module SkypeOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber
```
- Enable your tenant for Shared SIP Address Space:
```powershell
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $True
```
- Ensure on-premises is configured for federation
- Recreate Federation settings (Allowed/Blocked Federated Domains) in On-premises
- Remove the default SfB Online hosting provider and recreate it with shared address space enabled:
```powershell
New-CsHostingProvider -Identity "Skype For Business Online" -ProxyFqdn "sipfed.online.lync.com" -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true -VerificationLevel UseSourceVerification -IsLocal $false -AutodiscoverUrl "https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root"
```
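The manual steps above, put together as one script, as an added example that is not code from the original post. It runs in the Skype for Business Server Management Shell on a machine that also has the SkypeOnlineConnector module, derives the HostedMigrationOverrideUrl from the tenant's PowerShell endpoint instead of guessing the admin0x letter, enables shared SIP address space, compares the federation settings that must match on both sides (open/closed mode, federation enabled, allowed and blocked lists), and recreates the hosting provider. The tenant's onmicrosoft.com domain is a placeholder; it is also assumed that Get-CsOnlinePowerShellEndpoint returns the tenant's admin0x.online.lync.com host and that the federation configuration objects have the shape modelled here when they arrive through the remote session.

```powershell
# Added example, not code from the original post. Run in the SfB Server Management Shell.
# Assumptions (placeholders, not from the page): the tenant's onmicrosoft.com domain; the endpoint
# host returned by Get-CsOnlinePowerShellEndpoint; the object shape of the tenant federation config.
$TenantDomain = "contoso.onmicrosoft.com"

Import-Module SkypeOnlineConnector
$cred = Get-Credential -Message "Office 365 admin (onmicrosoft.com account)"
$CSSession = New-CsOnlineSession -Credential $cred
# -AllowClobber lets online cmdlets shadow on-prem cmdlets of the same name; none used below collide
Import-PSSession $CSSession -AllowClobber | Out-Null

# 1. HostedMigrationOverrideUrl: take the admin0x host from the tenant's PowerShell endpoint
$adminHost = (Get-CsOnlinePowerShellEndpoint -TargetDomain $TenantDomain).Host
if ($adminHost -notmatch '^admin\d[a-z]\.online\.lync\.com$') {
    throw "Unexpected endpoint host '$adminHost'; determine the admin0x URL manually."
}
$HostedMigrationOverrideUrl = "https://$adminHost/HostedMigration/hostedmigrationservice.svc"
"HostedMigrationOverrideUrl = $HostedMigrationOverrideUrl"

# 2. Shared SIP address space must be on for the tenant before any user is moved
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

# 3. Federation parity: mode, enablement and the allowed/blocked lists must match exactly
$online = Get-CsTenantFederationConfiguration
$edge   = Get-CsAccessEdgeConfiguration

# Online "open federation" is represented by an AllowAllKnownDomains object; closed by an AllowList
$onlineOpen = $online.AllowedDomains.PSObject.TypeNames[0] -like '*AllowAllKnownDomains'
if ($onlineOpen -ne [bool]$edge.EnablePartnerDiscovery) {
    Write-Warning "Open federation online ($onlineOpen) does not match partner discovery on-premises ($($edge.EnablePartnerDiscovery))."
}
if (-not $online.AllowFederatedUsers -or -not $edge.AllowFederatedUsers) {
    Write-Warning "Federation is not enabled on both sides (online: $($online.AllowFederatedUsers), on-prem: $($edge.AllowFederatedUsers))."
}

function Compare-DomainList([string]$Name, [string[]]$Online, [string[]]$OnPrem) {
    $onlyOnline = @($Online | Where-Object { $OnPrem -notcontains $_ })
    $onlyOnPrem = @($OnPrem | Where-Object { $Online -notcontains $_ })
    if ($onlyOnline -or $onlyOnPrem) {
        Write-Warning "$Name domains differ. Only online: [$($onlyOnline -join ', ')]  Only on-prem: [$($onlyOnPrem -join ', ')]"
    } else {
        "$Name domains match ($($Online.Count) entries)."
    }
}
$onlineAllowed = if ($onlineOpen) { @() } else { @($online.AllowedDomains.AllowedDomain | ForEach-Object { $_.Domain.ToLower() }) }
$onlineBlocked = @($online.BlockedDomains | ForEach-Object { $_.Domain.ToLower() })
Compare-DomainList 'Allowed' $onlineAllowed @(Get-CsAllowedDomain | ForEach-Object { $_.Domain.ToLower() })
Compare-DomainList 'Blocked' $onlineBlocked @(Get-CsBlockedDomain | ForEach-Object { $_.Domain.ToLower() })

# 4. Replace whichever default provider points at SfB Online with one that has shared address space
Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -eq 'sipfed.online.lync.com' } |
    ForEach-Object { Remove-CsHostingProvider -Identity $_.Identity }
New-CsHostingProvider -Identity "Skype for Business Online" -ProxyFqdn "sipfed.online.lync.com" `
    -Enabled $true -EnabledSharedAddressSpace $true -HostsOCSUsers $true `
    -VerificationLevel UseSourceVerification -IsLocal $false `
    -AutodiscoverUrl "https://webdir.online.lync.com/Autodiscover/AutodiscoverService.svc/root"
```

The parity check only warns; it does not copy the lists across, because the page's requirement is that the two sides be reconciled deliberately rather than one overwriting the other. Domains are lower-cased before comparison so a case difference is not reported as a mismatch.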
Migrating
Cutting over from SfB Online to on-premises hybrid requires that the on-premises deployment becomes authoritative. Once on-premises has redirected a sign-in to SfB Online, the client caches the sign-in details, so the Edge Server is not needed for every subsequent sign-in by that user. The Edge Server is still required to redirect federation requests and to carry traffic between on-premises and SfB Online users.
- Update external DNS records to point to your on-premises deployment (Internal records will be updated later – by initially updating only external DNS records, internal users can continue to function without interruption while hybrid mode is validated) – we will test internally later
- Edge Server Services (SIP Access/Web Conference/ AV FQDNs) – Public A Records
- SRV _sipfederationtls._tcp.domain.com (Edge Server)
- SRV _sip._tls.domain.com (Edge Server)
- External Web Services FQDN – Public A Record (reverse proxy)
- Dialin FQDN – CNAME to Ext Web is OK (reverse proxy)
- Meeting FQDN – CNAME to Ext Web is OK (reverse proxy)
- LyncDiscover FQDN – CNAME to Ext Web is OK (reverse proxy)
- Enable a test user in SfB on-premises and set the HostingProviderProxyFqdn – this step is required regardless of whether the user will remain in SfB Online or be migrated to On-Premises:
```powershell
Enable-CsUser -Identity <account> -SipAddress <sipaddress> -HostingProviderProxyFqdn "sipfed.online.lync.com" -Verbose
```
- Make sure the topology has replicated; in particular the Edge Server needs to be up to date
- Synchronise AADSync/DirSync
- Validate functionality of test user externally before moving on
- Get a list of all users enabled for SfB Online. The following command will export this list to CSV:
```powershell
$credential = Get-Credential
$session = New-CsOnlineSession -Credential $credential
Import-PSSession $session -AllowClobber
# Deleted users linger online with a GUID-style SIP address; exclude them from the export
$RegexDeletedUsersWithGuidSipAddress = "sip:([0-9a-f]{32})"
Get-CsOnlineUser |
    Where-Object { $_.SipAddress -and $_.SipAddress -notmatch $RegexDeletedUsersWithGuidSipAddress -and $_.RegistrarPool -ne $null } |
    Select-Object DisplayName, SipAddress, RegistrarPool |
    Export-Csv -Path C:\OnlineUsers.csv -NoTypeInformation
```
- Review the CSV for deleted users (the command above should already have excluded them); their SIP address contains a GUID-style login, and these lines can be removed as we do not wish to migrate them
- Using the CSV enable the remainder of your users in SfB on-premises – this step is required regardless of whether the user will remain in SfB Online or be migrated to On-Premises:
```powershell
$Users = Import-Csv "C:\OnlineUsers.csv"
ForEach ($User in $Users) {
    $SipAddress = $User.SipAddress
    # The UPN is assumed to equal the SIP address without the "sip:" prefix
    $UPN = $SipAddress.Replace("sip:", "")
    Enable-CsUser -Identity $UPN -SipAddress $SipAddress -HostingProviderProxyFqdn "sipfed.online.lync.com"
}
```
- Use the SfB Control Panel to validate SfB Online users are visible – you should see users homed to SfBOnline as we saw earlier in the article for our test user
- Test the process of migrating a user from SfB Online to SfB On-premises using the test account:
```powershell
Import-Module SkypeOnlineConnector
$cred = Get-Credential
$session = New-CsOnlineSession -Credential $cred
Import-PSSession $session -AllowClobber
$FePool = "pool01.domain.com"
$o365AdminUrlPrefix = "admin0f"
$UserIdentity = "<test user UPN or SIP address>"
# Move-CsUser needs the Office 365 admin credential and the Hosted Migration Service URL built earlier
Move-CsUser -Identity $UserIdentity -Target $FePool -Credential $cred -HostedMigrationOverrideUrl "https://$o365AdminUrlPrefix.online.lync.com/HostedMigration/hostedmigrationservice.svc"
```
- Synchronise AADSync/DirSync
- Validate functionality of test user externally before moving on
- Once validated we need to update Internal DNS to point all associated SfB records to on-premises:
- SRV _sipinternaltls._tcp.domain.com (FE Pool)
- lyncdiscover.domain.com (FE Pool/Load Balancer)
- sip.domain.com (FE Pool)
- DNS internal records for federation should be the same internally as externally:
- access01.domain.com (Access Edge) -> public IP of Access Edge
- _sipfederationtls._tcp.domain.com -> access01.domain.com
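Before validating users, it is worth confirming from a script that both the external records changed earlier and the internal records changed just now resolve to the on-premises deployment. The following is an added example and not code from the original post: it resolves each record through a public resolver (external view) and through the machine's own resolver (internal view), and flags any answer that still points at an online.lync.com host. The SIP domain, the public resolver and the record set are placeholders taken from the lists above; Resolve-DnsName requires the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example (not from the original post): check the DNS cut-over from both vantage points.
# Assumptions: domain and resolver are placeholders; record names follow the lists in the article.
$SipDomain      = "domain.com"
$PublicResolver = "8.8.8.8"     # assumption: any external resolver you trust for the "outside" view

$Checks = @(
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV'; Scope = 'External' }
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV'; Scope = 'External' }
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'A';   Scope = 'External' }
    @{ Name = "_sipinternaltls._tcp.$SipDomain";   Type = 'SRV'; Scope = 'Internal' }
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'A';   Scope = 'Internal' }
    @{ Name = "sip.$SipDomain";                    Type = 'A';   Scope = 'Internal' }
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV'; Scope = 'Internal' }
)

# Returns the targets of a record as strings: "host:port" for SRV, the CNAME chain and IPs for A
function Get-DnsTarget {
    param([string]$Name, [string]$Type, [string]$Server)
    $params = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'Stop' }
    if ($Server) { $params.Server = $Server }   # no -Server means the machine's configured resolver
    $records = Resolve-DnsName @params
    switch ($Type) {
        'SRV' { $records | Where-Object { $_.Type -eq 'SRV' } | ForEach-Object { "$($_.NameTarget):$($_.Port)" } }
        'A'   { $records | ForEach-Object {
                    if ($_.Type -eq 'CNAME') { "CNAME $($_.NameHost)" }
                    elseif ($_.Type -eq 'A') { $_.IPAddress } } }
    }
}

$fmt = "{0,-8} {1,-4} {2,-38} {3,-12} {4}"
$fmt -f 'Scope', 'Type', 'Record', 'Status', 'Answer'
foreach ($c in $Checks) {
    $server = if ($c.Scope -eq 'External') { $PublicResolver } else { $null }
    try {
        $targets = @(Get-DnsTarget -Name $c.Name -Type $c.Type -Server $server)
        # Anything still pointing at Microsoft's online hosts has not been cut over yet
        $stillOnline = @($targets | Where-Object { $_ -like '*online.lync.com*' })
        $status = if (-not $targets) { 'NO ANSWER' } elseif ($stillOnline) { 'STILL ONLINE' } else { 'ON-PREM?' }
        $fmt -f $c.Scope, $c.Type, $c.Name, $status, ($targets -join ', ')
    } catch {
        $fmt -f $c.Scope, $c.Type, $c.Name, 'ERROR', $_.Exception.Message
    }
}
```

"ON-PREM?" only means the answer is not an online.lync.com host; compare the printed targets against your Edge, front-end and reverse-proxy names and public IPs before trusting it. Because the internal federation records are expected to give the same answer as the external ones, the `_sipfederationtls` record is queried from both sides.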
- Validate functionality of test user internally
- Validate another SfB Online user internally. The test user has been moved to on-premises, so we now want to validate a user that will remain online from the internal network, now that those DNS records have been updated
- Move the SfB Online users to on-premises as required. The below example uses the same CSV output we used earlier to move ALL online users to on-premises:
```powershell
$PoolToMoveUserTo = "pool01.domain.com"
$o365AdminUrlPrefix = "admin0f"
$cred = Get-Credential   # Office 365 admin credential used by Move-CsUser
$users = Import-Csv "C:\OnlineUsers.csv"
foreach ($user in $users) {
    Move-CsUser -Identity $user.SipAddress -Target $PoolToMoveUserTo -Credential $cred -HostedMigrationOverrideUrl "https://$o365AdminUrlPrefix.online.lync.com/HostedMigration/hostedmigrationservice.svc" -Confirm:$false -Verbose
}
```
- Use the SfB Control Panel to validate SfB Online users are now homed to on-premises pool
- To get visual status while you move all the users, log into your Office 365 Skype for Business Administration Portal and view the details. Continually refresh the page to see the value for “users synced and homed online” go down as each user becomes enabled on-premises:
To check that a user has correct values for the attributes shown in the following table, type this cmdlet:
```powershell
Get-CsUser | Format-List DisplayName, HostingProvider, SipAddress, Enabled
```

| Active Directory attribute | Attribute name | Correct value for online user | Correct value for on-premises user |
| --- | --- | --- | --- |
| msRTCSIP-DeploymentLocator | HostingProvider | sipfed.online.lync.com | SRV: |
| msRTCSIP-PrimaryUserAddress | SipAddress | sip:[email protected] | sip:[email protected] |
| msRTCSIP-UserEnabled | Enabled | True | True |
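The bulk move loop earlier in the article moves every row in the CSV with no pre-check, no error handling and no confirmation that the move actually took. The script below is an added example, not code from the original post, that does the same move but skips users who are not yet enabled on-premises or are already homed there, records each failure instead of stopping, and verifies every moved user against the expected on-premises values from the table above (HostingProvider `SRV:`, Enabled true, correct RegistrarPool). Run it in the Skype for Business Server Management Shell; the pool FQDN, the admin0x prefix and the CSV paths are placeholders, and the input CSV is assumed to have the SipAddress column produced by the export earlier.

```powershell
# Added example (not from the original post): bulk Move-CsUser with pre-checks, error capture
# and post-move verification. Assumptions: pool, admin0x prefix and CSV paths are placeholders.
$PoolToMoveUserTo   = "pool01.domain.com"
$o365AdminUrlPrefix = "admin0f"
$HostedMigrationOverrideUrl = "https://$o365AdminUrlPrefix.online.lync.com/HostedMigration/hostedmigrationservice.svc"
$InputCsv  = "C:\OnlineUsers.csv"
$ResultCsv = "C:\OnlineUsers-MoveResults.csv"

$cred = Get-Credential -Message "Office 365 admin used by Move-CsUser"

$results = foreach ($row in Import-Csv $InputCsv) {
    $sip = $row.SipAddress
    $r = [ordered]@{ SipAddress = $sip; Status = ''; Detail = '' }

    # Pre-check: the user must already exist in on-prem SfB and still be homed online
    $before = Get-CsUser -Identity $sip -ErrorAction SilentlyContinue
    if (-not $before) {
        $r.Status = 'Skipped'; $r.Detail = 'Not enabled in on-prem SfB; run Enable-CsUser first'
        [pscustomobject]$r; continue
    }
    if ($before.HostingProvider -eq 'SRV:') {
        $r.Status = 'Skipped'; $r.Detail = "Already on-prem (pool $($before.RegistrarPool))"
        [pscustomobject]$r; continue
    }

    try {
        Move-CsUser -Identity $sip -Target $PoolToMoveUserTo -Credential $cred `
            -HostedMigrationOverrideUrl $HostedMigrationOverrideUrl -Confirm:$false -ErrorAction Stop
    } catch {
        # Keep going; failures (e.g. attribute sync problems) are collected for review
        $r.Status = 'Failed'; $r.Detail = $_.Exception.Message
        [pscustomobject]$r; continue
    }

    # Post-check against the expected on-prem values: HostingProvider SRV:, Enabled, correct pool
    $after = Get-CsUser -Identity $sip
    $ok = ($after.HostingProvider -eq 'SRV:') -and [bool]$after.Enabled -and ("$($after.RegistrarPool)" -eq $PoolToMoveUserTo)
    $r.Status = if ($ok) { 'Moved' } else { 'Verify' }
    $r.Detail = "HostingProvider=$($after.HostingProvider) Enabled=$($after.Enabled) Pool=$($after.RegistrarPool)"
    [pscustomobject]$r
}

$results | Export-Csv -Path $ResultCsv -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```

A "Verify" row means Move-CsUser returned without error but the on-prem attributes do not yet show the expected values; re-check after directory sync and topology replication before treating it as a failure. The result CSV doubles as the input for a retry pass: filter it on Status equal to Failed and feed those SIP addresses back in.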
Post Migration
Scheduled meetings are not migrated from online to on-premises. Users will need to reschedule these meetings after being moved or use the Meeting Migration Tool.
Migrating users from on-premises to online may utilise the Meeting Migration Service.
Errors & Issues
- Migrating a user on-premises <-> online – “Index was outside the bounds of the array” when moving online to on-prem. This is the result of not having the correct AD attributes synced. Check that the attributes are selected and that a full sync has completed since
- Hybrid Wizard Sign-in – “Get-CsWebTicket: Failed to connect to live id servers”
Check Microsoft Online Services Sign-in Assistance is running:
```powershell
Get-Service "msoidsvc"
```
Check permissions for NETWORK SERVICE are:
Read Attribute on %windir%\System32\config\systemprofile\AppData\Local
Full Control on %windir%\System32\config\systemprofile\AppData\Local\Microsoft\MSOIdentityCRL
If the permissions are not correct, resolve then recycle the LyncIntManagement IIS Application Pool to ensure it clears the MSOIDCLI state.
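The checks above as a script, added here as an example and not code from the original post. It confirms the Sign-in Assistant service is running, reads the NETWORK SERVICE Allow entries on the two paths and compares them with the required rights, and only when `$Fix` is set applies the grants with icacls and recycles the application pool. It assumes the pool name LyncIntManagement as stated above, that the WebAdministration module is available on the server, and the icacls syntax shown for the two grants.

```powershell
# Added example (not from the original post): diagnose and optionally fix the prerequisites behind
# "Get-CsWebTicket: Failed to connect to live id servers".
# Assumptions: app pool name LyncIntManagement; WebAdministration module present; icacls grants.
$Fix       = $false   # set to $true to apply the icacls grants and recycle the pool
$Principal = 'NT AUTHORITY\NETWORK SERVICE'
$LocalDir  = Join-Path $env:windir 'System32\config\systemprofile\AppData\Local'
$CrlDir    = Join-Path $LocalDir  'Microsoft\MSOIdentityCRL'

# 1. Microsoft Online Services Sign-in Assistant must be installed and running
$svc = Get-Service -Name msoidsvc -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Warning "msoidsvc is not installed; install the Microsoft Online Services Sign-in Assistant."
} elseif ($svc.Status -ne 'Running') {
    Write-Warning "msoidsvc is $($svc.Status); starting it."
    Start-Service -Name msoidsvc
}

# 2. Combine the Allow ACEs for NETWORK SERVICE (explicit and inherited) and test the required bits.
#    Generic rights such as GENERIC_ALL on some inherited ACEs are not expanded here.
function Test-NetworkServiceRight {
    param([string]$Path, [System.Security.AccessControl.FileSystemRights]$Required)
    if (-not (Test-Path -LiteralPath $Path)) { return 'MISSING PATH' }
    $granted = [System.Security.AccessControl.FileSystemRights]0
    foreach ($ace in (Get-Acl -LiteralPath $Path).Access) {
        if ($ace.IdentityReference.Value -eq $Principal -and $ace.AccessControlType -eq 'Allow') {
            $granted = $granted -bor $ace.FileSystemRights
        }
    }
    if (($granted -band $Required) -eq $Required) { 'OK' } else { "MISSING (has: $granted)" }
}
$localState = Test-NetworkServiceRight -Path $LocalDir -Required ReadAttributes
$crlState   = Test-NetworkServiceRight -Path $CrlDir   -Required FullControl
"ReadAttributes on $LocalDir : $localState"
"FullControl    on $CrlDir : $crlState"

if ($localState -ne 'OK' -or $crlState -ne 'OK') {
    if (-not $Fix) {
        Write-Warning "Permissions are wrong; re-run with `$Fix = `$true to grant them and recycle the pool."
        return
    }
    # RA = read attributes; (OI)(CI)F = full control inherited by files and subfolders
    icacls $LocalDir /grant "${Principal}:(RA)" | Out-Null
    icacls $CrlDir   /grant "${Principal}:(OI)(CI)F" | Out-Null
    # Recycle the pool so the MSOIDCLI state it has cached is discarded
    Import-Module WebAdministration
    Restart-WebAppPool -Name 'LyncIntManagement'
    "ACLs granted and LyncIntManagement recycled; retry the hybrid wizard sign-in."
}
```

Run it elevated on the Front End that hosts the Control Panel. Keeping the fix behind `$Fix` means the first run is read-only, which is the sensible default when changing ACLs under the system profile.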
References
- https://technet.microsoft.com/en-us/library/dn689118.aspx
- https://technet.microsoft.com/en-us/library/dn689115.aspx
- https://technet.microsoft.com/en-us/library/jj205403.aspx
- https://support.office.com/en-us/article/Configure-Skype-for-Business-Server-2015-Hybrid-for-Office-365-operated-by-21Vianet-b06ee805-4349-4519-82fb-b06ed57c0bd0?ui=en-US&rs=en-US&ad=US&fromAR=1
- https://blog.kloud.com.au/2015/08/26/skype-for-business-online-to-on-premises-migration/
This is a masterpiece!
Thank you!
Thanks, glad it was helpful 🙂
Quick question – what if you just enabled the users on prem, rather than enable online first and then move? You would have an online account and on prem, but are there any downsides to that?
You would use Azure AD Connect to sync an on-prem user object to an O365 representation of that user. You can use SFB Hybrid to make moving users to and from Online easier.