The following process defines what is required to get Lync Room Systems (LRS) devices working at a company within the confines of their on-premises Active Directory (AD) and Office 365 Exchange Online. This process assumes that your organization has a working setup between your on-premises AD and Office 365 Tenant.
While this process is documented here, I have found that these steps simplify what is required to make it work in this very specific but common scenario.
The order of operations of these steps is critical and the steps MUST be followed as specified or the LRS units will fail to connect to their corresponding Exchange Online resource mailbox. In large organizations it is recommended that the Lync/Skype for Business Support team control the process so the respective teams can execute their tasks in the correct order.
Expert Note
The generally accepted good practice is to match users' UPN with their SMTP and SIP address to make the Directory Synchronization process (DirSync) easier to manage. This is not always possible for every customer, especially larger organizations. This process assumes that the on-premises Active Directory UPN does not match the SMTP address, in order to articulate the required setup in situations where you cannot have everything matching. If your UPN does match the SMTP and SIP address, the process below is simplified and you can skip Step 4. You would also use .com where .ca has been specified in the example.
The Setup
LRS Name/Alias: LRS.Toronto
SMTP Address: [email protected]
SIP Address (Lync): [email protected]
Password used: S4BRocks!
Active Directory UPN: LRS.Toronto@domain.ca
Please Note that because of the way AD syncs accounts with Office 365, an initial set of values is first used to ensure a 'soft match' in Office 365. Once this occurs the final values are set. This is clearly documented below.
Step 1 – Resource Mailbox Creation in Office 365
Create a resource mailbox in Exchange Online by running the following cmdlets against the Exchange Online tenant. This must be done from a remote PowerShell session connected to the Office 365 domain.onmicrosoft.com tenant:
- New-Mailbox -room -name "LRS.Toronto" -RoomMailboxPassword (ConvertTo-SecureString 'S4BRocks!' -AsPlainText -Force) -EnableRoomMailboxAccount $true
- Set-CalendarProcessing LRS.Toronto -AutomateProcessing AutoAccept -AddOrganizerToSubject $false -DeleteSubject $false
- In the Office 365 Exchange admin center, add an e-mail address [email protected] (on-prem domain) and set it as the reply address.
- Assign a license to this resource.
If the above steps were completed properly you should now be able to sign on to the account in OWA by going to https://portal.office.com, specifying [email protected] and the password given. You can then choose the Mail app and get into the mailbox. Ensure you can do this before moving on to the next step.
Step 2 - Create On Premise Active Directory User Account
Create the on-premises AD user account LRS.Toronto@domain.com and set the following attributes:
UPN: [email protected] (notice this is .ca)
Mail: [email protected]
ProxyAddresses: SMTP:[email protected]
Password: S4BRocks!
The Mail attribute in AD is what you see in the General tab in AD Users & Computers. The ProxyAddresses attribute is a multi-valued attribute that needs to be edited using ADSIEdit or any attribute editor. It is important that the value is added with SMTP in all capitals, as shown above ("SMTP:[email protected]"), since the capitalised prefix marks that address as the default Reply To address.
Wait at least 15 minutes to allow for AD replication before moving on to the next step.
Step 3 – Force a DirSync or wait 3 hours for DirSync to complete
You can force a DirSync by running the following from the DirSync server:
C:\Program Files\Windows Azure Directory Sync\DirSyncConfigShell.psc1
Start-OnlineCoexistenceSync
To validate that DirSync has occurred you should now be able to do the following things:
- Sign on to portal.office.com using [email protected]. You should be able to access the mailbox directly by launching Outlook.
- You should NOT be able to modify or change the SMTP settings in the tenant. If you can, DirSync has not soft-matched the accounts properly.
Step 4 – Change Mail Attribute and ProxyAddresses (not required if UPN already matches SMTP)
Make the following changes within your on premise Active Directory:
- Set the AD Mail attribute to [email protected]
- Add SMTP:[email protected] to the list of ProxyAddresses (note that SMTP is in all caps)
- Note: [email protected] should be left in the list; it should now appear as smtp:[email protected] (note that smtp is in lower case)
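The Step 4 changes can also be made with the ActiveDirectory PowerShell module instead of ADSIEdit. The following is an added example and not part of the original process; the final SMTP address passed in is a placeholder and Set-LrsFinalAddresses is a name chosen here.

```powershell
# Added example, not from the original post: applies the Step 4 attribute
# changes with the ActiveDirectory module instead of ADSIEdit.
Import-Module ActiveDirectory

function Set-LrsFinalAddresses {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,    # e.g. LRS.Toronto
        [Parameter(Mandatory)] [string] $FinalSmtpAddress   # final reply address (placeholder)
    )
    $user = Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses

    # Demote every existing primary ('SMTP:' in capitals) to a secondary
    # ('smtp:' in lower case) so the soft-match address stays in the list.
    # The prefix is case-significant, hence the case-sensitive -creplace.
    $addresses = @($user.proxyAddresses |
        Where-Object { $_ } |
        ForEach-Object { $_ -creplace '^SMTP:', 'smtp:' })

    # Add the new primary once, removing any lower-case copy of the same address.
    $addresses = @($addresses | Where-Object { $_ -ine "smtp:$FinalSmtpAddress" })
    $addresses += "SMTP:$FinalSmtpAddress"

    # Write mail and the rebuilt proxyAddresses list in a single update.
    Set-ADUser -Identity $SamAccountName -Replace @{
        mail           = $FinalSmtpAddress
        proxyAddresses = [string[]]$addresses
    }

    # Return the stored values so they can be checked before waiting for DirSync.
    Get-ADUser -Identity $SamAccountName -Properties mail, proxyAddresses |
        Select-Object UserPrincipalName, mail, proxyAddresses
}

# Placeholder final address; substitute the SMTP address from the Setup section.
Set-LrsFinalAddresses -SamAccountName 'LRS.Toronto' -FinalSmtpAddress 'LRS.Toronto@domain.com'
```

Run it on a domain-joined machine with the RSAT ActiveDirectory module, then allow the same 15-minute replication wait before forcing DirSync in Step 6.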
Step 5 – Enable Lync Meeting Room Account
Using the Lync Server 2013 Management Shell, run the following cmdlet to enable the account as a Lync Meeting Room:
- Enable-CsMeetingRoom -Identity [email protected] -SipAddress sip:[email protected] -RegistrarPool LyncPoolName.domain.com
If you would like to allow Enterprise Voice functionality run the following:
Set-CsMeetingRoom -Identity LRS.Toronto -EnterpriseVoiceEnabled $true
If you currently restrict access through Lync Client Policies then you may need to grant the appropriate policies to the LRS account as follows:
Grant-CsConferencingPolicy "YourConferencePolicyName" -Identity LRS.Toronto
Grant-CsVoicePolicy "YourVoicePolicyName" -Identity LRS.Toronto
Grant-CsExternalAccessPolicy "YourExternalAccessPolicy" -Identity LRS.Toronto
Again, the above is only necessary if the default policies are restrictive in terms of allowing things like meeting whiteboarding, adding users via the PSTN into your meeting and allowing federated users into your meetings.
Wait at least 15 minutes to allow for AD replication before moving on to the next step.
Step 6 – Force a DirSync or wait 3 hours for DirSync to complete
Either wait 3 hours or force a DirSync as in Step 3.
After DirSync has completed, have the Office 365 team validate that the resource mailbox's default address is now SMTP:[email protected].
Step 7 – Setup LRS
Enter Admin Mode on the LRS and specify the Lync credentials, then apply and reboot into User Mode.
Enter the account as you would on a Lync/SfB client:
SIP address: sip:[email protected]
Credentials: [email protected]
Validating it all works
If all the steps were followed correctly, once the LRS unit starts up in User Mode it should both sign on to Lync/Skype for Business and show calendaring information for the room you set it up for. You should see a screen similar to the one below:
Troubleshooting:
If you followed the steps above and it is still not working, have the Office 365 team dump the resource mailbox attributes by connecting to a remote PowerShell session and running the following:
Get-Mailbox LRS.Toronto | FL
Check that the PrimarySmtpAddress attribute is [email protected]
Check that the EmailAddresses attribute looks similar to the following:
{SMTP:[email protected], smtp:[email protected], smtp:[email protected], SIP:[email protected]}
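The checks above, and the Step 6 validation, can be scripted inside an existing Exchange Online remote PowerShell session. This is an added example and not part of the original post; the expected reply address is a placeholder and Test-LrsResourceMailbox is a name chosen here.

```powershell
# Added example, not from the original post: scripts the Troubleshooting checks
# against Exchange Online inside an existing remote PowerShell session.
function Test-LrsResourceMailbox {
    param(
        [Parameter(Mandatory)] [string] $Identity,             # e.g. LRS.Toronto
        [Parameter(Mandatory)] [string] $ExpectedPrimarySmtp   # final reply address (placeholder)
    )
    $mbx = Get-Mailbox -Identity $Identity
    # EmailAddresses comes back as 'prefix:address' entries; the prefix case matters
    $addresses = @($mbx.EmailAddresses | ForEach-Object { [string]$_ })
    $primaries = @($addresses | Where-Object { $_ -cmatch '^SMTP:' })

    $checks = [ordered]@{
        # PrimarySmtpAddress must be the final address, not the initial soft-match one
        PrimaryIsExpected   = ([string]$mbx.PrimarySmtpAddress -ieq $ExpectedPrimarySmtp)
        # exactly one entry may carry the capitalised SMTP: prefix
        OnePrimaryEntry     = ($primaries.Count -eq 1)
        # and that entry must be the expected address
        PrimaryEntryMatches = (@($primaries | ForEach-Object { $_.Substring(5) }) -icontains $ExpectedPrimarySmtp)
        # Step 5 should have stamped the Lync SIP address on the mailbox
        HasSipAddress       = (@($addresses | Where-Object { $_ -imatch '^sip:' }).Count -ge 1)
        # confirm this is the room mailbox created with New-Mailbox -Room
        IsRoomMailbox       = ([string]$mbx.RecipientTypeDetails -eq 'RoomMailbox')
    }

    $failed = @($checks.GetEnumerator() | Where-Object { -not $_.Value } | ForEach-Object { $_.Key })
    [pscustomobject]@{
        Identity           = $Identity
        PrimarySmtpAddress = [string]$mbx.PrimarySmtpAddress
        EmailAddresses     = $addresses
        Passed             = ($failed.Count -eq 0)
        FailedChecks       = $failed
    }
}

# Placeholder expected address; substitute the SMTP address from the Setup section.
Test-LrsResourceMailbox -Identity 'LRS.Toronto' -ExpectedPrimarySmtp 'LRS.Toronto@domain.com'
```

A failing OnePrimaryEntry or PrimaryEntryMatches check usually means the on-premises ProxyAddresses still carries the capitalised prefix on the initial address, or DirSync has not yet run since Step 4.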
Log on to a Lync/Skype for Business client using the SIP address [email protected] and the user credentials [email protected].
Check the configuration information by Ctrl+right-clicking the Lync/SfB system tray icon and ensuring that the EWS External URL is populated as shown in the following screenshot.