
Deploying Lync Server 2010

How Microsoft IT Empowers Workers to Collaborate Anytime and Anywhere on Their Own Terms Technical White Paper

Published: December 2011

The following content may no longer reflect Microsoft’s current position or infrastructure. This

content should be viewed as reference documentation only, to inform IT business decisions

within your own company or organization.


CONTENTS

Executive Summary 6
Lync Server 2010 Unified Communications Overview 7
  Opportunities 7
  Delivery 7
Lync Server 2010 Benefits 9
  Reduce Costs through Converged Communications 9
  Drive Adoption through Ease of Use and Microsoft Office Integration 9
  Extend Lync to Custom Applications 9
Lync Server 2010 Infrastructure 11
  Topology and Geographic Distribution 11
  Server Configuration 13
  Remote Access 14
  Enterprise Voice 15
  PBX Replacement 15
  Load Balancing 16
  Security 17
Deployment and Migration 19
  User Migration Process 19
  Using Education and Support to Help Manage Change 19
Supporting and Managing Lync Server 2010 21
  Support Tools 21
Best Practices 22
Appendix: Server Deployment Checklists 23
  Deployment Verification 24
For More Information 26


Deploying Lync Server 2010 Page 6

EXECUTIVE SUMMARY

Microsoft workers participate in a culture where connected groups operate across departmental and geographic boundaries to create products and solutions for customers. This collaborative approach often requires forming virtual teams that include people in many locations who work together on common projects. Microsoft IT makes it possible for teams to collaborate anywhere and anytime on their own terms by using a suite of real-time collaboration tools through Lync Server 2010 that includes instant messaging (IM), voice and video conferencing, Enterprise Voice, and Web collaboration.

Lync Server 2010 enables workers at Microsoft to move beyond mere communication and to form connections with others. To take advantage of the efficiency and productivity gains of the latest real-time collaboration tools, Microsoft IT migrated from Office Communications Server 2007 R2 to Lync Server 2010. Lync Server 2010 also provides administration and system management improvements, such as role-based access control, a tool for managing Lync infrastructure components, and a configuration management store that serves as a central data repository to define, administer, and operate a Lync Server 2010 infrastructure.

When migrating to Lync Server 2010, Microsoft IT followed a best-practices-based approach: consider the design requirements, plan for deployment, verify configurations, and then deploy gradually in phases. This approach minimized user impact while validating configurations before migrating users to the production environment. The key deployment considerations included the following:

- Provide access for each type of user in a secure-by-design way by taking advantage of the roles included in Lync Server 2010.
- Leverage the existing network infrastructure and roll out new clients with a support system that makes it possible to make adjustments during migration to ensure high user satisfaction.
- Build infrastructure that accommodates anticipated growth and scaling requirements, as well as operational and support needs.
- Support coexistence with Office Communications Server 2007 R2 until all dependencies are migrated to the Lync Server 2010 production environment.

This technical white paper covers the details of how Microsoft IT deployed Lync Server 2010. It assumes that you are already familiar with the basic concepts of messaging, telephony, and TCP/IP networking. This paper provides IT Pros and Lync Server 2010 implementers with guidance for deploying and migrating to Lync Server 2010. For more information about Lync Server 2010, see http://technet.microsoft.com/en-us/library/gg398616.aspx.

Note: For security reasons, the sample names of forests, domains, internal resources, organizations, and internally developed security file names used in this paper do not represent real resource names used within Microsoft and are for illustration purposes only.

Situation

Microsoft users rely on real-time collaboration tools to communicate with team members. Microsoft IT saw an opportunity to improve communication capabilities by helping workers connect and collaborate with the better user experience that Lync Server 2010 provides.

Solution

Microsoft IT migrated to Lync Server 2010 to enable users to collaborate in real time, improve its communications infrastructure, and converge traditional TDM services.

Benefits

- Reduce costs through converged communications.
- Drive adoption through ease of use and Microsoft Office integration.
- Ease deployment and migration through interoperability and extensibility.

Products & Technologies

- Lync Server 2010
- SQL Server 2008 R2
- Windows Server 2008 R2
- Active Directory
- Office Communications Server 2007 R2
- Enterprise Voice

LYNC SERVER 2010 UNIFIED COMMUNICATIONS OVERVIEW

The unified communications story at Microsoft goes back to the early 2000s, when the increase in available network bandwidth and improvements in processor and hardware technology made it possible to realize the promise of unified communications: the idea that technology could help people form connections in real time using voice, video, and text. Since then, Microsoft has invested heavily in unified communication technologies in order to realize this promise within the enterprise. Microsoft delivers real-time collaboration through the Lync Server 2010 desktop and Web-based software clients, which provide the full spectrum of real-time collaboration services. Exchange Server 2010 and SharePoint Server 2010 complete the unified communication infrastructure to deliver additional collaboration capabilities for e-mail and document sharing.

Opportunities

In addition to the real-time collaboration offerings in Lync Server 2010, Microsoft continues to invest in opportunities across the business landscape, such as the following:

- For IT: Optimize Lync 2010 deployments by taking advantage of PowerShell automation, media bypass, and load balancing simplification.
- For users: By consolidating the Live Meeting and Communicator clients into a single client, Microsoft provides a more seamless end-user experience, reduces training and deployment costs, and offers improved controls in audio and web collaboration scenarios such as dual-tone multi-frequency (DTMF) conferencing controls, whiteboards, and polling.
- For developers: The ability to take advantage of enhanced application programming interface (API) capabilities and to create custom applications that extend the value of Lync to a broader set of applications.

Delivery

Microsoft IT worked closely with the Lync Server product group as well as Microsoft Online Services (BOSD) during the development of the new product to engineer and validate Lync Server 2010 features and capabilities. Microsoft IT validates pre-release software in a test environment using a small population of users at first, and then deploys major releases to all users worldwide.

One way that Microsoft IT accomplishes service reliability is by componentizing the architecture and design according to security boundaries and server roles. For example, Microsoft IT places Lync Server 2010 roles according to security boundaries, either inside the corporate network or in a perimeter network used for hosting or communicating with Internet hosts, as shown in Figure 1.

Figure 1. Communication Infrastructure

The Microsoft Lync 2010 infrastructure includes the following server roles:

- Front-end: Microsoft IT uses pools of front-end servers to provide core user features and the communication logic for Lync Server 2010. These features include user authentication and registration, and presence functionality.
- Back-end: Lync Server 2010 uses SQL Server 2008 R2 for the back-end database functionality. Microsoft IT deployed back-end servers and databases to store information such as contacts, presence status, conference state, and scheduling data.
- A/V conferencing: This role provides A/V conferencing and Web collaboration functionality.
- Edge: Edge servers provide remote connectivity for employees, federated partners, and public IM connectivity providers.
- Mediation: Microsoft IT uses Mediation servers to implement Enterprise Voice and audio conferencing. Mediation servers have been moved to coexist with the Lync server environment in the datacenter.
- Monitoring: Monitoring servers provide the necessary functionality to collect data related to Lync interactions, including call detail record (CDR) and Quality of Experience (QoE) data.
- Director: Microsoft IT uses Directors to manage high volumes of internal and external user authentication requests.
- Archiving: This role archives communication content such as instant messaging, uploaded conference content, and event-related content.

LYNC SERVER 2010 BENEFITS

Lync Server 2010 offers Microsoft IT an opportunity to streamline its infrastructure, increase interoperability, and reduce administrative overhead.

Reduce Costs through Converged Communications

Microsoft IT saves money with Lync Server 2010 by uniting disparate systems and offering a mature unified communications service. In conducting a business analysis (which you can read at http://technet.microsoft.com/en-us/library/cc982178.aspx), Microsoft IT made the following discoveries about the cost savings realized by deploying Lync Server 2010:

- Reduced travel costs by $92 million by eliminating the need for 45,600 trips per year.
- Saved $8 million per year in audio-conferencing costs by using Lync audio conferencing.
- Reduced administrative overhead associated with office moves and voice infrastructure management by over one million USD annually.

In addition, savings that are more difficult to quantify include increased team productivity due to less travel, faster issue resolution, and faster project completion.

Drive Adoption through Ease of Use and Microsoft Office Integration

Office applications integrate with Lync in a consistent way to provide the same features and capabilities across multiple applications. Users experience the same presence, contact card, and click-to-communicate experience throughout Lync, Outlook, SharePoint, Word, Excel, and PowerPoint. The contact card shows details about presence, location, status, and communication options across applications to provide an intuitive and predictable user experience. The Lync 2010 client extends the capability of Office applications to enable application sharing, and shows presence information for document owners and those who have updated or changed a document, which provides an easy method for collaborating on documents.

Extend Lync to Custom Applications

Lync 2010 includes server-side and client-side features that increase Microsoft IT's ability to make conversations contextual and to extend communications into everyday business processes. For example, one way that Microsoft IT uses Lync 2010 is the Ask an Expert application. This is a custom application in which workers sign up to be an expert in a specific body of knowledge to support others within the company by answering questions and collaborating on projects. People with questions can locate the category for their question, and the Ask an Expert application sends an IM with the question to all available relevant experts. The first person to respond may interact directly with the person asking the question, enabling a real-time contextual conversation. In previous solutions, a person with a query would send it to an e-mail distribution list, and often multiple people would respond, resulting in duplicated effort.

Lync 2010 APIs make the development of rich applications possible through the following client and server extensions:

- Client—Lync 2010 Managed API: This .NET API gives custom applications access to all Lync capabilities, including contextual conversations, support for a controls class library for creating Windows Presentation Foundation (WPF) applications, Silverlight, and drag-and-drop feature integration. It supports the Lync user interface (UI) and enables developers to extend it for custom line-of-business applications.
- Server—UCMA 4.0: For custom development, Microsoft IT relies on a robust, extensible, and scalable multi-layer managed API based on .NET.

To help industry participants who develop VoIP devices, IP-PBXs, and PSTN gateways, Microsoft formed a non-profit vendor alliance named the Unified Communications Open Interoperability Program. This program aims to increase user adoption and industry involvement by enabling interoperability of unified communication scenarios based on existing standards. It is open to all unified communication hardware and software vendors, service providers, and network operators. For more information, see http://technet.microsoft.com/en-us/lync/gg131938.aspx.

LYNC SERVER 2010 INFRASTRUCTURE

Lync Server 2010 relies on an updated architecture that places much of the server configuration and other vital data within the Lync configuration database rather than in Active Directory. The Lync product group provides Microsoft IT with sizing recommendations and capacity planning guidelines (found at http://technet.microsoft.com/en-us/library/gg399017.aspx), which Microsoft IT uses as a starting point in designing the Lync infrastructure.

Of the design considerations and dependencies involved in planning for Lync Server 2010, the following were especially important for Microsoft IT:

- Relating user load to server sizing and distribution: An important consideration for any application is the number of users, and the server load that user behaviors generate. This consideration is relevant for common sizing aspects such as processor speed, disk capacity and disk throughput, as well as pool sizing, distribution of servers based on user location, and the number of devices and connections per user.
- Ensuring features function as expected: Lync Server 2010 relies on many server roles to deliver its key features. In planning for these features, Microsoft IT worked with its core engineering team to consider each feature and its dependencies, satisfy those dependencies, and verify that each feature works per specification.
- Maintaining high levels of security: Microsoft IT deployed Edge server roles in the perimeter network to enable its users to connect to federated partners and public-IM-connected users without exposing internal servers directly to the Internet.

Topology and Geographic Distribution

With Lync Server 2010, Microsoft IT distributed eight Lync server pools among four data centers to accommodate users worldwide. The deployment consisted of new servers for each pool, and the existing Office Communications Server 2007 R2 infrastructure remained in place until all users and services were migrated to Lync Server 2010.

The goal of the Microsoft IT deployment design was to create a highly available infrastructure that could scale up to accommodate additional users in each region. Regional Lync pool distribution ensures better audio quality for Microsoft's user base. Figure 2 shows the topology and geographic distribution, including the configuration used in the Americas region to support business continuity and disaster recovery. The Dublin and Singapore data centers accommodate the remaining users throughout the rest of the world. Each data center deployment consists of two identical pools, and users are evenly distributed based on user load (number of users, devices, and conferencing load).

Figure 2. Topology and server distribution

Table 1 shows the server counts for each data center. The configuration for disaster recovery in the Americas region consists of two identical pools running in an active/active configuration, where each pool can handle 100 percent of the expected traffic in case an event requires one data center to handle the entire load for the Americas region. Additional capacity is included in the design for increases in user population and new services such as Lync Mobile.

Table 1. Server distribution

Role                             Americas1  Americas2  Singapore  Dublin
Director pool                        4          4          2         2
Edge pool                            4          4          2         2
Front-end pool 1                     4          4          3         3
Front-end pool 2                     4          4          3         3
Mediation pool                       3          3          2         2
Audio/Video pool                     4          4          2         2
Monitoring and Archiving             1          1          0         0
SQL back-end                         2          2          2         2
Mediation servers                    3          3          0         0
File server for content storage      1          1          1         1

As Table 1 suggests, the data centers accommodate different user loads.

- Edge and Director pools: Americas1 and Americas2 are the only data centers that handle federation for external users. The other data centers support remote access only.
- Mediation servers for Enterprise Voice: Each data center has a dedicated pool of Mediation servers.
- User load: Americas1 and Americas2 include an additional front-end server in each front-end pool to handle an increased number of users.

Server Configuration

Microsoft IT designed the server specifications around two standardized server types: one design for back-end servers with the required capacity and disk throughput, and one design for all other server roles that provides balanced performance in terms of processing capability, memory, and disks. As a starting point, Microsoft IT used the product group recommendations found at http://technet.microsoft.com/en-us/library/gg398835.aspx.

While the product group, in collaboration with Microsoft IT, provides capacity and scalability guidance for server requirements (such as the guidance at http://technet.microsoft.com/en-us/library/gg398811.aspx), the initial starting point was simpler. Because Microsoft IT ran Office Communications Server 2007 R2 in the corporate production environment, it was relatively straightforward to project Lync Server 2010 server requirements using previous designs as a starting point. To support Lync Mobile, Microsoft IT upgraded RAM in front-end servers from 32 GB to 48 GB. Table 2 shows the configuration for front-end servers.

Table 2. Front-end server details

Component  Specification
CPU        2 quad-core Xeon L5520, 2.26 GHz
RAM        48 GB
Disk       SAS, 4x300 GB RAID10 (+1 spare)
Other      Dual network interface controllers (NICs), redundant power supply

Consumption of real-time collaboration tools at Microsoft places heavy loads on back-end database servers. These server loads require high throughput to meet performance demands. Table 3 shows the initial disk configuration used for Lync Server 2010. In practice, Microsoft IT discovered that the primary RAID10 array was performance-bound. As a result, Microsoft IT added another identical 12x146 GB RAID10 array to back-end servers.

Table 3. Server details for back-end servers

Component  Specification
CPU        4 quad-core 64-bit, 2.26 GHz
RAM        48 GB
Disk       Logical drive                Hosted resources
           2x146 GB RAID1               OS, SQL, swap, support files
           4x300 GB RAID10 (+1 spare)   rtcdyn.ldf
           12x146 GB RAID10             rtcab.mdf, rtcab1.mdf, cpsdyn.mdf, rgsconfig.mdf, rgsdyn.mdf, rtc.mdf, rtcdyn.mdf, lis.mdf, xds.mdf
           2x146 GB RAID1               tempdb
           2x146 GB RAID1               rtcab.ldf, rtcab1.ldf, cpsdyn.ldf, rgsconfig.ldf, rgsdyn.ldf, lis.ldf, xds.ldf
           2x146 GB RAID1               rtc.ldf
Other      Dual NICs, redundant power supply

Remote Access

Providing users outside of the corporate network with remote access to Lync Server is vital to Microsoft's culture. Microsoft IT currently supports more than 3,000 federated partner connections as well as connections for anonymous users who join meetings. When planning for remote access scenarios, Microsoft IT incorporates scalability requirements into the design to handle special cases of high user load, such as 'snow day' events, when an unusually high number of people connect remotely.

Remote access entails configuring firewalls to handle traffic, and enabling Lync servers to traverse the firewalls and serve content to clients external to the corporate network without requiring a virtual private network (VPN). The key enablers of this architecture design include the following:

- Dual-homed NICs on Edge roles: The Edge role includes the Access, Web Conferencing, and A/V Edge services. It is homed with a dual NIC configuration to handle traffic on the external, Internet-facing side and on the internal, corporate-network-facing side. The external-facing side has three IP addresses, one each for the Access, Web Conferencing, and A/V services, so that each service exposes only its own listeners. Federation traffic (bidirectional Session Initiation Protocol (SIP) over Mutual Transport Layer Security (MTLS) on port 5061) and inbound remote-user sign-in (SIP over TLS on port 443) are permitted only to the external IP address of the Access Edge. Inbound Persistent Shared Object Model (PSOM) over Transport Layer Security (TLS) on port 443 for Web conferencing is open only on the Web Conferencing Edge external IP address. Figure 3 shows the port configuration.
- Edge Director pool: As mentioned, Directors serve a vital function in handling authentication traffic. Because external users authenticate against the Director pool rather than directly against a front-end pool, unauthenticated traffic from the Internet never terminates on a server that hosts users; this mitigates the risk of denial-of-service (DoS) attacks against the front-end pools and increases scalability.
- Hardware load balancers: Configuring firewall rules in combination with the load balancer configuration proved to be somewhat challenging due to complex routing requirements. There are nuanced configuration specifics that Microsoft IT discovered in designing load balancer details, which you can find at http://technet.microsoft.com/en-us/library/gg398478.aspx.
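The per-IP port restrictions described above are only worth having if the firewall actually enforces them. The following PowerShell script is an added example (it is not part of the white paper and not Microsoft IT's tooling) that probes each Edge external IP address from an Internet-side host and reports any TCP listener that is reachable but not in the allowed set for that service, as well as any documented listener that is not reachable. The IP addresses, the probe list and the timeout are placeholder assumptions; it uses only .NET sockets, so it runs on the Windows Server 2008 R2 / PowerShell 2.0 generation of hosts discussed here.

```powershell
# Added example, not from the white paper: from an Internet-side host, confirm that
# each Edge external IP exposes only the TCP listeners its service should have.
# IP addresses are placeholders (TEST-NET-3); replace with your Edge external IPs.
$expected = @{
    '203.0.113.10' = @{ Role = 'Access Edge';           Tcp = @(443, 5061) }  # SIP/TLS 443, SIP/MTLS 5061
    '203.0.113.11' = @{ Role = 'Web Conferencing Edge'; Tcp = @(443) }        # PSOM/TLS 443
    '203.0.113.12' = @{ Role = 'A/V Edge';              Tcp = @(443) }        # STUN/TCP 443; UDP 3478 and 50000-59999 not probed here
}
# Ports an attacker would try first on a perimeter host (assumed list, extend as needed).
# Anything open here that is not in $expected for that IP is a finding.
$probe = @(80, 135, 443, 445, 3389, 4443, 5060, 5061, 5062, 8057, 8080)

function Test-TcpPort {
    param([string]$Ip, [int]$Port, [int]$TimeoutMs = 1500)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($Ip, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }  # filtered / timed out
        $client.EndConnect($ar)   # throws SocketException when the port is closed
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Get-EdgeExposureFindings {
    param([hashtable]$Expected, [int[]]$Probe)
    $findings = @()
    foreach ($ip in $Expected.Keys) {
        $role    = $Expected[$ip].Role
        $allowed = @($Expected[$ip].Tcp)
        foreach ($port in (@($Probe) + $allowed | Sort-Object -Unique)) {
            $open         = Test-TcpPort -Ip $ip -Port $port
            $shouldBeOpen = $allowed -contains $port
            if ($open -and -not $shouldBeOpen) {
                $findings += New-Object PSObject -Property @{ Role = $role; Ip = $ip; Port = $port; Issue = 'UNEXPECTED LISTENER' }
            } elseif ($shouldBeOpen -and -not $open) {
                $findings += New-Object PSObject -Property @{ Role = $role; Ip = $ip; Port = $port; Issue = 'EXPECTED LISTENER NOT REACHABLE' }
            }
        }
    }
    $findings
}

Get-EdgeExposureFindings -Expected $expected -Probe $probe | Format-Table Role, Ip, Port, Issue -AutoSize
```

Run it from outside the perimeter, not from the corporate network, since the point is to see what the Internet sees. A hit on 135, 445 or 4443 on an external IP means internal-side listeners have leaked onto the Internet-facing interface; a hit on 5061 on the Web Conferencing or A/V address means the per-IP separation has collapsed. A TCP connect cannot confirm UDP 3478 or the 50,000-59,999 media range, so those still need a separate check.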

Figure 3. Port configuration

[Figure 3 shows the perimeter network (the Edge role with its Access, Web, and A/V services, and the reverse proxy) and the corporate network (the front-end pool). The protocol/port pairs labelled in the figure are: HTTPS/443 (external) to HTTPS/4443 (internal) through the reverse proxy, HTTPS 443, HTTPS 4443, HTTP 8080; SIP/MTLS/TCP 5061; STUN/TCP 443; STUN/UDP 3478; SIP/TCP 5062; RPC/TCP 135, 445, 4443; PSOM/SIP/MTLS 8057; DNS/TCP 53; HTTP/TCP 80; SIP/TCP 443; SIP/TCP 5061; PSOM/TCP 443; TCP/UDP 50,000-59,999.]

Enterprise Voice

Microsoft deployed Enterprise Voice to more than 86 sites that include over 92,000 people. Lync Server 2010 provided the opportunity to update the voice infrastructure to enable workers to connect anytime and anywhere. Lync 2010 consolidates clients and provides a better Enterprise Voice experience with improved audio quality.

The best practice for onboarding executives is to first migrate executive assistants one week before migrating the managers they support. This practice gives assistants time to become familiar with Enterprise Voice.

PBX Replacement

Microsoft IT has replaced nine PBXs in total, three in each of the three deployment regions, to validate PBX replacement scenarios. This improvement entailed using gateways and Aries phones for the majority of locations. For phone locations where network connectivity was not available, Microsoft IT used analog telephone adaptors (ATAs) to replace phones where only Category 3 connections were available. Media bypass was used instead of deploying on-site Mediation servers.

The PBX replacement and consolidation provides cost savings by reducing the cost of infrastructure deployment and lowering management overhead. Microsoft IT uses voice gateways in new sites for a unified infrastructure, thus avoiding the need to support and maintain traditional PBXs in the future. By migrating to Lync Server 2010, Microsoft IT simplified its infrastructure and decommissioned 183 Mediation servers. Microsoft IT is currently deploying SIP trunking in order to consolidate its PSTN infrastructure and reduce the operational overhead of managing PSTN gateways. (A future white paper on Enterprise Voice will provide additional details.)

Load Balancing

Lync Server 2010 provides Microsoft IT with the capability to use both DNS and hardware load balancing to balance traffic among front-end server pools, Edge Director pools, and Edge pools. The topology and geographic distribution by design already homes users to their regional data centers, which accomplishes regional load balancing among sites. Where possible, DNS load balancing is used because it provides a technique to drain-stop front-end servers, which decreases user impact from normal maintenance and patching activities.

The load balancing approach Microsoft IT uses relies on hardware devices that perform firewall, reverse proxy, routing, and load balancing functions for the environment, as shown in Figure 4.

Figure 4. Load balancer architecture

One of the challenging aspects of the configuration is ensuring that cookie persistence takes place. Cookie persistence is required to ensure that multiple connections from a single client session are always routed to the same server. Because HTTPS traffic is encrypted, there is no reliable way to ensure session persistence without having the load balancer decrypt the traffic and re-encrypt it with the same certificate that the Edge Web service uses. This means the load balancer holds a copy of that certificate's private key and has to be protected and patched as part of the Lync trust boundary rather than as a generic network appliance. One additional configuration Microsoft IT made to enable load balancing is enabling host header forwarding on the reverse proxy on port 4443.

Security

Microsoft developed Lync Server 2010 with security in mind by making it trustworthy by

default, by design, and by deployment. This approach is called Trustworthy Computing and is

part of Microsoft's Software Development Lifecycle (SDLC). During product development,

Microsoft identified common threat vectors such as eavesdropping, spoofing, man-in-the-

middle attacks, real-time transport protocol (RTP) replay attacks, exposure of personally

identifiable information (PII), as well as created tests to check code for vulnerabilities.

Microsoft IT in implementing Lync Server 2010 followed best practices around security at

every boundary (external, perimeter, internal network) to make the most of the security

features. Some of the configuration decisions relevant to Microsoft IT's implementation

include the following:

- Architecture and topology: Internet sources continue to represent the biggest threat vector to Internet-enabled technologies, especially when they give remote clients access to internal resources. The topology shown in Figure 4 uses a back-to-back firewall configuration to protect internal hosts from attack. Edge servers that are accessible from the Internet can communicate only with trusted hosts that are explicitly defined, and only over secured protocols and technologies such as MTLS and Secure Real-Time Transport Protocol (SRTP) with 128-bit or higher encryption. In effect, all servers involved are trusted, all communication is encrypted, and all users are authenticated.

- Conferencing and client permissions: When external users do consume Lync services, the built-in security model helps to minimize risk. For example, only users with credentials can schedule conferences and start meetings. Unauthenticated users who join meetings must have a valid invitation. Participant types and roles also enable fine-grained control. This process prevents unauthorized or fraudulent use of the conferencing platform.

- Least-privilege role-based access control (RBAC): Microsoft Lync Server 2010 gives Microsoft IT the capability to create RBAC roles and delegate administrative tasks while maintaining high standards for security. With RBAC, Microsoft IT grants administrative privileges as needed based on role, where each role is associated with a specific list of Lync Server Management Shell cmdlets. In this way, administrators are given only the permissions required to complete authorized tasks.

- Authentication and authorization: Microsoft IT relies on Kerberos and certificate authentication for clients. Internal and federated clients with accounts in the internal production environment or the perimeter network authenticate through Kerberos, and anonymous users invited to a conference must present a valid conference key that the conference originator sends. An authenticated user must join before anonymous users can join the bridge. The Edge pool offloads authentication requests from external users to the Director pool in the data center, and routes user traffic to their home pools. In case of outage, it is possible to move the traffic load from one data center to another.
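The RBAC model described above can be audited from the Lync Server Management Shell. The script below is an added example, not Microsoft IT's code and not part of this paper: it shows how wide each built-in role is (by its cmdlet list), creates a role scoped to one OU from a built-in template, and reports the roles held by one account. The group name SeattleUserAdmins, the OU, the account name and the Role property name on the assignment object are assumptions.

```powershell
# Added example, not from the white paper. Run in the Lync Server Management Shell
# (or a remote session) as a member of CsAdministrator / RTCUniversalServerAdmins.
Import-Module Lync -ErrorAction Stop

# 1. How wide is each built-in role? Every role carries an explicit cmdlet list,
#    which is what makes least privilege enforceable.
$builtIn = 'CsViewOnlyAdministrator', 'CsHelpDesk', 'CsUserAdministrator', 'CsAdministrator'
foreach ($name in $builtIn) {
    $role = Get-CsAdminRole -Identity $name
    '{0,-26} {1,4} cmdlets' -f $role.Identity, @($role.Cmdlets).Count
}

# 2. Delegate user administration for one OU only. The universal security group
#    'SeattleUserAdmins' (assumed) must already exist in Active Directory with
#    exactly this name; New-CsAdminRole binds the new role to that group.
$ouScope = 'OU:ou=Seattle,dc=contoso,dc=com'   # assumed OU
if (-not (Get-CsAdminRole -Identity 'SeattleUserAdmins' -ErrorAction SilentlyContinue)) {
    New-CsAdminRole -Identity 'SeattleUserAdmins' -Template 'CsUserAdministrator' -UserScopes $ouScope
}

# 3. What can a given account do? Flag full administrators so the review can
#    confirm each one still needs that level of access.
$account = 'alice'   # assumed SAM account name
foreach ($assignment in @(Get-CsAdminRoleAssignment -Identity $account)) {
    # 'Role' is the property name assumed for the assigned role; pipe the
    # assignment to Format-List once to confirm it in your environment.
    $role = "$($assignment.Role)"
    $note = if ($role -eq 'CsAdministrator') { '   <- full control: justify or remove' } else { '' }
    "$account : $role$note"
}
```

One caveat worth remembering when reading the output: Lync Server 2010 enforces RBAC for Lync Server Control Panel and remote PowerShell sessions only. An administrator who logs on to a server and opens the local Lync Server Management Shell is governed by Active Directory group membership (for example RTCUniversalServerAdmins), not by these roles, so local logon rights on Lync servers need the same least-privilege review.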

Additionally, Microsoft IT follows standard operations best practices on all servers to help ensure the configuration remains protected against risks. For example, all servers have automatic updates configured, run antivirus software with scheduled scans, and are hardened to remove unnecessary services.

To help protect against common Internet-based threats such as worms, viruses, and Trojans, Microsoft IT deploys the intelligent IM filtering that is part of Lync, disables clickable hyperlinks from external parties, and blocks many types of files that can be transferred through Lync. For additional control over spam over instant messaging (SPIM), users must add a contact in Lync before accepting instant messages from public IM connectivity (PIC) contacts.
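The IM hyperlink filter and file transfer filter mentioned above are ordinary Lync Server configuration objects, so their state can be checked against a baseline rather than trusted. The following script is an added example, not Microsoft IT's code or part of this paper: it reads both filters at every scope (global plus any site-level override) and reports drift from an expected baseline. The baseline values, including the minimum extension list, are assumptions.

```powershell
# Added example, not from the white paper: compare the IM hyperlink filter and the
# file transfer filter at every scope against an expected baseline and report drift.
Import-Module Lync -ErrorAction Stop

$baseline = @{
    ImAction        = 'Warn'    # Warn delivers the message with the link made non-clickable;
                                # Block drops the message; Allow sends it with a live link
    ImBlockFileLink = $true     # also filter links that point at a file
    FtAction        = 'Block'   # Block = listed extensions only; BlockAll = every transfer
    FtMustBlock     = '.exe', '.scr', '.vbs', '.js', '.bat', '.cmd'   # assumed minimum list
}

function Test-LyncFilterBaseline {
    param([hashtable]$Expected)
    $findings = @()

    # Without -Identity the Get-* cmdlets return the global settings and every
    # site override, so a permissive site-level copy does not hide behind Global.
    foreach ($im in Get-CsImFilterConfiguration) {
        $scope = $im.Identity
        if (-not $im.Enabled) { $findings += "$scope : IM filter disabled" }
        if ($im.Action -ne $Expected.ImAction) {
            $findings += "$scope : IM filter action is $($im.Action), expected $($Expected.ImAction)"
        }
        if ($im.BlockFileExtension -ne $Expected.ImBlockFileLink) {
            $findings += "$scope : IM filter BlockFileExtension is $($im.BlockFileExtension)"
        }
    }

    foreach ($ft in Get-CsFileTransferFilterConfiguration) {
        $scope = $ft.Identity
        if (-not $ft.Enabled) { $findings += "$scope : file transfer filter disabled" }
        if ($ft.Action -eq 'Block') {
            $missing = $Expected.FtMustBlock | Where-Object { $ft.Extensions -notcontains $_ }
            if ($missing) { $findings += "$scope : file filter does not block $($missing -join ', ')" }
        }
    }
    return $findings
}

$drift = Test-LyncFilterBaseline -Expected $baseline
if ($drift) { $drift | ForEach-Object { Write-Warning $_ } }
else        { 'IM and file transfer filters match the baseline at every scope' }

# Remediation, shown with -WhatIf because these cmdlets change live configuration:
# Set-CsImFilterConfiguration -Identity Global -Enabled $true -Action Warn -BlockFileExtension $true -WhatIf
# Set-CsFileTransferFilterConfiguration -Identity Global -Enabled $true -Action Block -Extensions @{Add='.exe','.scr'} -WhatIf
```

Running this from a scheduled job and alerting on any finding turns the "verify filters" rows of the feature validation checklist in the appendix into a continuous check instead of a one-time deployment step.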


DEPLOYMENT AND MIGRATION

The process to design and deploy Lync Server 2010 took place in several phases because of the dependencies involved in implementing the infrastructure and the time needed to test and verify before onboarding users. Microsoft IT carried out the following deployment phases in the project:

1. Prepare infrastructure dependencies: Microsoft IT deployed the Lync Server environment on new servers in all the data centers, and migrated to a new standard for hardware load balancing. Before deploying Lync, Microsoft IT carried out strict quality assurance processes on all servers.

2. Deploy servers: The deployment process used scripts to implement all server roles. These scripts undergo security and other validation checks to ensure they conform to best practices. Part of the audit process entails using checklists to verify functionality. The appendix includes sample checklists that Microsoft IT used.

3. Validate environment: The first group of users consisted of volunteers who signed up to test pre-release versions of Lync Server 2010 and associated clients. These users provided important feedback about their collaboration scenarios in order to validate the product before it was released to the general market. This testing also included server validation covering reliability, scalability, performance, and manageability.

4. Deploy final product company-wide: After testing and validation completed, and after fixing major and minor issues, Microsoft IT migrated users, features, and roles from Office Communications Server 2007 R2 to Lync Server 2010.

5. Feedback from end users drives future features and improvements: With the entire company on Lync 2010, end users continue to provide feedback that is tracked and submitted to the product team as opportunities to be considered for the next Lync release.

User Migration Process

The technical details of migration are relatively straightforward because they entail migrating batches of users from a server pool that runs a previous version to a server pool that runs the latest version.

End users receive e-mail communications before they are migrated to Lync to ensure they understand how the migration may affect them. Microsoft IT uses client version control (CVC) to manage which clients end users are able to use on the Lync Server environment. The "block with URL" setting in CVC is used to tell users to upgrade their software client the first time they log in. Although some concern existed that forcing upgrades would lead to user dissatisfaction, Microsoft IT found that users generally preferred having the latest client in order to take advantage of the full feature set of Lync Server 2010. For more information about updating clients, see http://technet.microsoft.com/en-us/library/gg412977.aspx.
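The two mechanics of this section, moving a batch of users between pools and the "block with URL" client version rule, can be scripted together as one migration wave. The script below is an added example, not Microsoft IT's migration tooling and not part of this paper. The pool FQDNs, the OU, the batch size, the upgrade URL and the rule description are assumptions; the only product facts it relies on are the Move-CsUser and client version policy cmdlets and the fact that the Lync 2010 desktop client reports user agent OC with major version 4.

```powershell
# Added example, not from the white paper: move one batch of users from a legacy
# Office Communications Server 2007 R2 pool to a Lync Server 2010 pool, then make
# sure older clients are sent to an upgrade page instead of signing in.
Import-Module Lync -ErrorAction Stop

$legacyPool = 'ocs-pool.contoso.com'                # assumed
$lyncPool   = 'lync-pool.contoso.com'               # assumed
$batchOu    = 'OU=Sales,DC=contoso,DC=com'          # assumed
$batchSize  = 50
$upgradeUrl = 'http://lyncupgrade.contoso.com/'     # assumed self-service page
$dryRun     = $true                                 # set to $false to actually move users

# 1. Select a batch: users in the OU who are still homed on the legacy pool.
$batch = Get-CsUser -OU $batchOu -ResultSize $batchSize |
    Where-Object { "$($_.RegistrarPool)" -like "*$legacyPool*" }
"Batch: $(@($batch).Count) users still on $legacyPool"

# 2. Move them. Move-CsUser re-homes each account and migrates contacts and
#    settings; with -WhatIf it only reports what would move.
$batch | Move-CsUser -Target $lyncPool -Confirm:$false -WhatIf:$dryRun

# 3. Confirm nothing in the batch was left behind (only meaningful after a real run).
if (-not $dryRun) {
    $left = $batch | ForEach-Object { Get-CsUser -Identity $_.SipAddress } |
        Where-Object { "$($_.RegistrarPool)" -like "*$legacyPool*" }
    if ($left) {
        $names = ($left | ForEach-Object { $_.SipAddress }) -join ', '
        Write-Warning "$(@($left).Count) users did not move: $names"
    } else {
        "All $(@($batch).Count) users are now homed on $lyncPool"
    }
}

# 4. Client version control: a "block with URL" rule. Office Communicator and the
#    Lync 2010 client both identify as user agent OC; Lync 2010 is major version 4,
#    so anything below 4 is an older client and is redirected to the upgrade page.
Set-CsClientVersionConfiguration -Identity Global -Enabled $true
$ruleDescription = 'Force upgrade to Lync 2010 client'   # assumed marker text
$existing = Get-CsClientVersionPolicyRule -Filter 'Global/*' |
    Where-Object { $_.Description -eq $ruleDescription }
if (-not $existing) {
    New-CsClientVersionPolicyRule -Parent Global -RuleId ([guid]::NewGuid()) `
        -UserAgent 'OC' -MajorVersion 4 -CompareOp LSS `
        -Action BlockWithUrl -ActionUrl $upgradeUrl `
        -Description $ruleDescription
}

# 5. Rules are evaluated in priority order (0 first) and the first match wins, so
#    check that the block rule is not shadowed by a broader Allow rule above it.
Get-CsClientVersionPolicyRule -Filter 'Global/*' |
    Sort-Object Priority |
    Format-Table Priority, UserAgent, MajorVersion, CompareOp, Action, ActionUrl -AutoSize
```

Keep $dryRun set to $true for the first pass of every wave; the -WhatIf output lists exactly which accounts would be re-homed, which is the list to reconcile against the migration communication sent to those users.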

Using Education and Support to Help Manage Change

There are many approaches that Microsoft IT uses to help ensure a positive user experience and to help educate users about the possibilities of Lync. One key strategy entails using the Lync 2010 Adoption and Training kit, which provides guidance about common Lync features and best practices in the form of self-training guides and documents. The helpdesk support personnel who handle Lync issues also received adoption and training material customized to help them handle support issues related to Lync.

Microsoft IT creates many education opportunities for all users throughout the deployment of Lync Server 2010, including the following options:

- Self-guided: Self-guided modules provide an effective learning method for users.

- Online instructor-led: Online instructor-led training is offered on Lync basics and conferencing via the Microsoft IT Productivity Center in Fargo, ND.

- In-person: A team of four subject matter experts provides in-person, instructor-led training. These experts deliver hands-on training to small groups. Similarly, Site IT Managers hold sessions to explain usage scenarios and familiarize users with Lync 2010. If users miss a session, they may view a similar one online as a recorded session.

- Resource kit document collection: Many users also use the downloadable documentation and quick reference materials included in the resource kit.

All of these education opportunities span the continuum from self-study to instructor-led study, available in multiple media formats, on demand, and on a schedule. Microsoft IT purposefully created many education opportunities to ensure that users could easily obtain critical training information in a time and format that works for them.


SUPPORTING AND MANAGING LYNC SERVER 2010

Microsoft IT uses a four-tier support structure split between a global support group that runs helpdesk and desk-side support and the Lync Server 2010 engineering group. The following tiers handle support for the environment:

- Tier 1: Call center through global support desk. Tier 1 answers front-line support calls that are general in nature. It represents the first point of response for issues that people have with Lync 2010 and cannot resolve by reading documentation or asking a local expert. Support is available via phone and web chat.

- Tier 2: Escalation and desk-side support. For a small portion of support issues, a group of Tier 2 technicians is available for Tier 1 escalations.

- Tier 3: Escalation for server-side fixes. If the support issue is serious in nature and cannot be resolved immediately, or is urgent, a staff member can route it directly to the team that handles the specific issue, or directly to the last tier if it is clearly a Lync-specific issue. This may involve escalation to sustaining engineering or to the product teams via Customer Technical Support (CTS).

- Tier 4: Engineering. As the last tier, the engineering team handles issues related directly to the core Lync infrastructure.

On average, during the initial deployment, the support staff handled 500-800 requests per month. Most of the issues were related to client install and uninstall, authentication errors, and online meetings or options. Tier 1 resolves over 80 percent of support tickets; Tier 1 and Tier 2 combined resolve approximately 95 percent of tickets.

Support Tools

Microsoft IT relies on a centralized System Center Operations Manager infrastructure and a variety of tools to help carry out monitoring and support functions:

- Operations Manager: The Lync Server 2010 Monitoring Management Pack provides end-to-end monitoring of Lync for Operations Manager, such as alerting operators when Lync processes exceed a defined performance threshold. The management pack also enables Microsoft IT to run synthetic transactions that simulate user behaviors such as joining a meeting or sending IM traffic.

- SQL Server Reporting Services (SSRS): The Monitoring role included in Lync Server 2010 enables Microsoft IT to use the standard Lync reports based on CDR and QoE data. Microsoft IT also creates custom SSRS reports from CDR and QoE data that give end users and teams additional reports for their business. Microsoft IT administrators specify permissions for users and groups and access the built-in reports on system usage, call diagnostics, and media diagnostics. The available reports show system summary statistics, such as top failures and conference summary, as well as detailed reports about server performance or per-user activity.

- Perfmon: Microsoft IT uses Perfmon to monitor concurrent connections to the Lync pools and confirm that load is balanced evenly across each pool.
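The Perfmon check above can be scripted so that uneven distribution is flagged rather than eyeballed. The script below is an added example, not Microsoft IT's monitoring code and not part of this paper: it samples one connection counter on every Front End of a pool in a single Get-Counter call and reports each server's deviation from the pool average. The server names, the skew threshold and the counter path are assumptions; confirm the path on a Front End with Get-Counter -ListSet 'LS:*' before relying on it.

```powershell
# Added example, not from the white paper: sample active SIP connections on each
# Front End in a pool and flag servers that sit far from the pool average.
$servers = 'fe01.contoso.com', 'fe02.contoso.com', 'fe03.contoso.com'   # assumed
$counter = '\LS:SIP - Peers(_Total)\SIP - Connections Active'          # assumed path
$maxSkew = 0.25   # warn when a server is more than 25 % away from the pool average

function Get-PoolConnectionBalance {
    param([string[]]$Servers, [string]$CounterPath, [double]$MaxSkew)

    # One call samples every server at (nearly) the same instant, which matters
    # when comparing them; Get-Counter prefixes each path with \\server.
    $samples = Get-Counter -ComputerName $Servers -Counter $CounterPath
    $rows = foreach ($s in $samples.CounterSamples) {
        New-Object PSObject -Property @{
            Server      = ($s.Path -split '\\')[2]   # \\server\object(instance)\counter
            Connections = [int]$s.CookedValue
        }
    }

    $avg = ($rows | Measure-Object -Property Connections -Average).Average
    foreach ($r in $rows) {
        $skew = if ($avg -gt 0) { ($r.Connections - $avg) / $avg } else { 0 }
        $r | Add-Member -MemberType NoteProperty -Name Skew -Value ([math]::Round($skew, 2)) -PassThru |
             Add-Member -MemberType NoteProperty -Name Unbalanced -Value ([math]::Abs($skew) -gt $MaxSkew) -PassThru
    }
}

$balance = Get-PoolConnectionBalance -Servers $servers -CounterPath $counter -MaxSkew $maxSkew
$balance | Sort-Object Server | Format-Table Server, Connections, Skew, Unbalanced -AutoSize
if ($balance | Where-Object { $_.Unbalanced }) {
    Write-Warning 'Pool load is uneven; check load balancer persistence and member health.'
}
```

A server that is persistently far below the average is usually a load balancer problem (a member marked down, or session persistence pinning clients elsewhere), while one far above it often points at a member that was taken out and returned while the others kept their existing connections; either way the skew value is the thing to trend, not the raw count.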


BEST PRACTICES

In the course of designing, deploying, and operating Lync Server 2010, Microsoft IT learned practical lessons from the many teams involved that have helped ensure a successful deployment and an excellent user experience. These best practices include the following:

- Audit Edge role and firewall configuration: Communication traffic takes place over multiple protocols and ports and, with external user support, crosses several security boundaries. Traffic traversal among boundaries may break with incorrect configurations. Microsoft IT uses various manual and automatic configuration audits to test end-to-end user scenarios and ensure everything functions as expected. For example, Microsoft IT disables real-time antivirus scanning on Edge servers to ensure this process does not affect audio quality.

- Verify dual-home configuration on Edge role: A common configuration issue involves the firewall rules, routing, and addressing of the network interfaces on Edge servers. The auditing and verification process includes checks to ensure the configuration functions as designed.

- Test and verify session persistence for SSL: Certificate configuration and session persistence are crucial to the proper functioning of Lync Server 2010. Before deploying in a production environment, Microsoft IT tested and verified stickiness, and verified it again when putting gateways into production. See Appendix A for more details.

- Ensure back-end servers are not performance-bound: In Microsoft IT's experience, as users and end points on a pool increase, Back End disk throughput needs to be monitored to ensure processing latency isn't affecting the user experience.

- Guide users through device choices: The testing and verification program Microsoft IT started to certify and test devices such as headsets helped to ensure a smooth user experience by working out functionality, form factor, and compatibility issues early on. It is a best practice for each organization to perform its own due diligence on devices and select the ones that best meet organizational needs.

- Create training, onboarding, and evangelism programs: One key component of the rapid adoption of Lync within Microsoft has been the strategy of onboarding people who will champion the product and evangelize the technology, and of providing training in many modalities in order to appeal to a broad set of users. Ensure that users have adequate ability to provide feedback so that course corrections can be made as needed.

- Shared commitments: With infrastructure, operations, implementation, user adoption, and other teams involved in deploying Lync Server 2010, it is vital for Microsoft IT to share commitments among groups to remedy issues and achieve a high service quality.

- Think of sizing and capacity in terms of end points, not users: With users having multiple devices, as user load increases it is important to monitor server and load balancer performance to fine-tune details such as database caching and disk throughput.

- Manage certificates: Session persistence and certificate issues for dual-homed Edge servers are common areas where problems arise. It is a best practice to manage certificate issuance to ensure a trusted authority grants certificates, and to create a maintenance plan to replace certificates before they expire.
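The certificate maintenance plan in the last item needs an inventory to work from: which certificate is bound to which Lync role on which server, who issued it, and when it expires. The script below is an added example, not Microsoft IT's tooling and not part of this paper: it collects that inventory with Get-CsCertificate from a list of servers, checks each issuer against the CA the organization trusts, flags anything inside the renewal window, and writes the result to CSV. The server names, the trusted issuer pattern, the renewal window and the CSV path are assumptions.

```powershell
# Added example, not from the white paper: inventory the certificates assigned to
# Lync Server roles, verify the issuer, and flag upcoming expirations.
$servers       = 'fe01.contoso.com', 'fe02.contoso.com', 'dir01.contoso.com'   # assumed
$trustedIssuer = 'CN=Contoso Issuing CA*'            # assumed; wildcard match on the Issuer DN
$renewDays     = 60                                  # renewal window
$report        = 'C:\LyncOps\lync-cert-expiry.csv'   # assumed path

function Get-LyncCertificateStatus {
    param([string[]]$Servers, [string]$TrustedIssuer, [int]$RenewDays)
    foreach ($server in $Servers) {
        # Get-CsCertificate lists the certificates bound to Lync roles on that server
        # (Use = Default, WebServicesInternal, WebServicesExternal, ...). Edge servers
        # are normally not domain-joined, so run this part locally there or pass
        # -Credential to Invoke-Command.
        $certs = Invoke-Command -ComputerName $server -ScriptBlock {
            Import-Module Lync
            Get-CsCertificate
        }
        foreach ($c in $certs) {
            $daysLeft = [int]([datetime]$c.NotAfter - (Get-Date)).TotalDays
            $status = if ($daysLeft -lt 0)              { 'EXPIRED' }
                      elseif ($daysLeft -le $RenewDays) { 'RENEW' }
                      else                              { 'OK' }
            # A certificate from an unexpected CA is a finding regardless of its dates.
            if ("$($c.Issuer)" -notlike $TrustedIssuer) { $status = 'UNTRUSTED-ISSUER' }
            New-Object PSObject -Property @{
                Server     = $server
                Use        = "$($c.Use)"
                Subject    = "$($c.Subject)"
                Issuer     = "$($c.Issuer)"
                Thumbprint = "$($c.Thumbprint)"
                NotAfter   = [datetime]$c.NotAfter
                DaysLeft   = $daysLeft
                Status     = $status
            }
        }
    }
}

$rows = Get-LyncCertificateStatus -Servers $servers -TrustedIssuer $trustedIssuer -RenewDays $renewDays
$rows | Export-Csv -Path $report -NoTypeInformation      # the "record expiration dates" step
$rows | Where-Object { $_.Status -ne 'OK' } |
    Sort-Object DaysLeft |
    Format-Table Server, Use, Status, DaysLeft, NotAfter, Subject -AutoSize
```

Checking the issuer in the same pass as the dates catches the case the best practice is really about: a certificate that was renewed under pressure from a different or self-signed authority, which will validate on the server that holds it and fail on every peer that trusts only the corporate CA.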


APPENDIX: SERVER DEPLOYMENT CHECKLISTS

During server deployment, Microsoft IT automates installation and configuration, making the deployment process more about verifying and auditing tasks than following a systematic process. There are three separate checklists: one used to ensure deployment readiness, one for deployment, and one to verify successful completion of deployment processes. The deployment checklist is short and consists of running a command to start the installation routine and verifying that the routine completes. Table 4 lists the steps in the pre-deployment checklist.

Table 4. Pre-deployment checklist

Task                                               Details
Verify hardware meets requirements                 Check CPU, disk, memory and hardware against design.
Confirm AD and networking details                  Verify AD site, OU, network IP address, server name, NIC set to Auto
                                                   for speed and duplexing, WINS/DNS resolution; update NIC drivers if
                                                   necessary.
Check swap file                                    Ensure swap file is set to 16 GB.
Verify time sync                                   Ensure time zone is correct and time syncs to DC.
Configure external NIC                             Run batch file to configure, validate.
Configure and validate certificates                Import certificates, install, validate and record expiration dates.
Check NTLM Local Policy                            Encryption settings changed to 'No minimum'.
Install pre-requisites and any KBs                 KB981575, KB2028997, and KB981836.
Verify tools installation                          Install standard suite of management tools, such as NetMon.
Install SQL Management Studio on back-end servers  Verify installation on all back-end servers.
Install admin and Resource Kit                     Install on all servers.

After deployment, Microsoft IT verifies security and other settings, and performs the post-deployment steps shown in Table 5.

Table 5. Post-deployment checklist

Task                         Details
Install updates              Install Lync-specific updates, such as cumulative update 3 or later. Also,
                             install the latest Office Communications Server 2007 R2 cumulative update.
Verify installation path     Should be D:\Program Files\Microsoft Lync Server 2010
Check file share             Check permissions on E:\LyncFS, and D:\LyncFS
Verify IPSec exception       All servers should be exempted from global policy.
Federation router            For new site, create Federation Router between the new site and the
                             federated edge.
Verify operations details    Use CollectSrvInfo to verify backup schedules and certificate info.
Validate CMS                 Export the topology with Topology Builder, push out pool-level config and
                             verify it exists on the server.
End-to-end functionality     Validate functionality of core services (end-to-end with two Lync clients).
                             Ensure Topology Validator tests all pass.
Review logs                  App/System event logs, set log size to 30720
Update documentation         Record status of items, update records in tracking database
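Several rows of Tables 4 and 5 are machine-checkable, which is the point of the automated, verify-and-audit approach described at the start of this appendix. The script below is an added example, not Microsoft IT's checklist tooling and not part of this paper: run on a freshly built server, it checks the page file size, the time source, the Application and System log sizes, the installation path and the file share ACLs against the values in the tables. The expected values come from the tables; the "30720" log size is assumed to be in kilobytes, and the ACL test (Everyone must not hold Full Control on the file share) is an added hardening check, not a row from the tables.

```powershell
# Added example, not from the white paper: automate checklist rows from Tables 4
# and 5 on the local server and report pass/fail per row.
$expectedPageFileMB = 16 * 1024                                       # Table 4: swap file 16 GB
$expectedLogKB      = 30720                                           # Table 5: log size (assumed KB)
$installPath        = 'D:\Program Files\Microsoft Lync Server 2010'  # Table 5
$fileShares         = 'D:\LyncFS', 'E:\LyncFS'                        # Table 5

function New-CheckResult([string]$Check, [bool]$Pass, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Check; Pass = $Pass; Detail = $Detail }
}

function Test-LyncServerChecklist {
    # Check swap file: initial and maximum size both 16 GB (WMI reports MB).
    $pf = @(Get-WmiObject Win32_PageFileSetting) | Select-Object -First 1
    if ($pf) {
        New-CheckResult 'Page file 16 GB' `
            ($pf.InitialSize -eq $expectedPageFileMB -and $pf.MaximumSize -eq $expectedPageFileMB) `
            "$($pf.Name): $($pf.InitialSize)/$($pf.MaximumSize) MB"
    } else {
        New-CheckResult 'Page file 16 GB' $false 'no fixed page file configured (system-managed)'
    }

    # Verify time sync: the source should be a domain controller, not the local clock.
    $source = (& w32tm /query /source 2>&1) -join ' '
    New-CheckResult 'Time syncs to DC' ($source -notmatch 'Local CMOS Clock|Free-running') $source.Trim()

    # Review logs: Application and System log maximum size.
    foreach ($name in 'Application', 'System') {
        $log = Get-EventLog -List | Where-Object { $_.Log -eq $name }
        New-CheckResult "$name log size >= $expectedLogKB KB" `
            ($log.MaximumKilobytes -ge $expectedLogKB) "$($log.MaximumKilobytes) KB"
    }

    # Verify installation path.
    New-CheckResult 'Install path' (Test-Path $installPath) $installPath

    # Check file share: the path must exist and Everyone must not hold Full Control.
    foreach ($share in $fileShares) {
        if (Test-Path $share) {
            $everyoneFull = (Get-Acl $share).Access | Where-Object {
                "$($_.IdentityReference)" -eq 'Everyone' -and "$($_.FileSystemRights)" -match 'FullControl'
            }
            $detail = if ($everyoneFull) { 'Everyone has FullControl' } else { 'ACL ok' }
            New-CheckResult "File share $share" (-not $everyoneFull) $detail
        } else {
            New-CheckResult "File share $share" $false 'path missing'
        }
    }
}

$results = Test-LyncServerChecklist
$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { Write-Warning 'One or more checklist rows failed.' }
```

Keeping the expected values at the top of the script, in the same order as the table rows, makes the script the checklist's record of truth: when a row in the table changes, the corresponding constant changes with it, and the "update documentation" row becomes a matter of exporting the results.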

Deployment Verification

After deploying and configuring servers, Microsoft IT verifies the functionality and features to ensure that core scenarios function as expected. Table 6 lists the functionality tests performed.

Table 6. Feature validation checklist

Task                                                   Details
Check service installation                             Ensure services are running.
Peer to Peer IM                                        Send IM message
Group IM                                               Send IM to group
Presence                                               Confirm presence works.
Peer to Peer AV Conference                             Initiate AV conference, 2 party
AV Conference                                          Initiate multiparty AV conference
Peer to Peer PSTN call                                 Place call to peer
Outbound PSTN call                                     Place outbound call
Address Book                                           Search contact in address book
Location Policy                                        Verify policy application
Location Information Service configuration             Verify configuration per spec
Dial in Conferencing                                   Call into conference
Address Book Web Query                                 Test address book
Client Authentication                                  Ensure clients access in all scenarios
Federation                                             Verify federation configuration
Phone Bootstrap                                        Verify bootstrapping
Outlook Plugin meeting can be scheduled                Schedule meeting from Outlook, verify content, PSTN functionality
IM Filtering configuration                             Verify filters
Audio Call                                             Place Enterprise Voice call
Desktop Sharing                                        View, share control, check functionality
Outside User IM/Audio/Desktop Sharing (Share Control)  Verify desktop sharing for partner account
File Transfer Filtering configuration                  Verify filtering configuration for files
Device Update settings                                 Check for Windows update settings
Response Group Service configuration                   Check RGS settings
Edge connectivity                                      Verify the edge connectivity with both Office Communications
                                                       Server 2007 R2 (if applicable) and Lync Server 2010.
Exchange UM validation                                 Ensure Exchange integration works.

Microsoft IT conducts the deployment verification detailed in Table 6 for all server pools. When Lync Server 2010 coexists with Office Communications Server 2007 R2, both versions of server pools are verified after deployment.


FOR MORE INFORMATION

For more information about Microsoft products or services, call the Microsoft Sales Information Center at (800) 426-9400. In Canada, call the Microsoft Canada Information Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your local Microsoft subsidiary. To access information through the World Wide Web, go to:

http://www.microsoft.com

http://www.microsoft.com/technet/itshowcase

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred.

© 2011 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, Excel, Lync, PowerPoint, SharePoint, Silverlight, SQL Server, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.

