Lync Edge Server replication problem

    General discussion

  • My Lync Server is a Standard Edition, and I have a front-end server and an edge server.

    But the problem is that the edge server can't replicate from the front-end server after I execute the cmdlet Invoke-CsManagementStoreReplication.

    When I run Get-CsManagementStoreReplicationStatus, it responds like this:

    UpToDate           : True
    ReplicaFqdn        : lyncserver.ucsoftware.com.cn                                (Front-End Server)
    LastStatusReport   : 2012/2/20 11:16:38
    LastUpdateCreation : 2012/2/20 11:16:35
    ProductVersion     : 4.0.7577.0

    UpToDate           : False
    ReplicaFqdn        : win2008-wang.ucsoftware.com.cn                         (Lync Edge Server)
    LastStatusReport   :
    LastUpdateCreation : 2012/2/20 11:48:36
    ProductVersion     :

    I have closed the firewall on both the Front-End Server and the Lync Edge Server, and I can telnet from the Lync Edge Server to the Front-End Server via 4443, but can't telnet from the Front-End Server to the Lync Edge Server via 4443, so how can I solve the problem? Thanks.

    Monday, February 20, 2012 03:57

All replies

  • You have your 4443 rule opposite.  You need to be able to communicate from the FE server to the Edge server on port 4443 for replication.  Looks like from your telnet test, you have it configured the opposite way.

    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    Monday, February 20, 2012 04:07
  • Thanks for your answer, so how can I configure it? I don't know where to configure it.

    Monday, February 20, 2012 06:16
  • There is really nothing to configure on the Lync side.  You need to make sure the services on the Edge server are started (for this issue the Lync Server Replica Replicator Agent service).  Also, make sure that the Windows firewall or a hardware firewall is not blocking incoming 4443 to the Edge server.

    If all of this is configured (if so you should be able to telnet from the FE to the Edge), then you can also continue to troubleshoot using the Lync Logging Tool on the FE server and log the XDS components.


    Tim Harrington | MVP: Exchange | MCITP: EMA 2007/2010, MCITP: Lync 2010, MCITP: Server 2008, MCTS: OCS | Blog: http://HowDoUC.blogspot.com | Twitter: @twharrington

    Monday, February 20, 2012 14:29
  • Thanks again. I have checked that the Server Replica Replicator Agent service is running well on both the FE and the Edge, and their Windows firewalls are also closed. The XDS log (FE Server) looks like this:

    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.410.000000be (XDS_File_Transfer_Agent,ReplicaTaskContainer<T>.Execute:replicataskcontainer.cs(122))(00000000003F4F80)Task is about to be executed. Task: [FileTransferTask(5, 2012/2/21 9:43:44): {FILES_MOVED_TO_TMP_DIR, toReplica, [win2008-wang.ucsoftware.com.cn, FileCopy, 0], 0}]

    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.410.000000bf (XDS_File_Transfer_Agent,FileTransferTask.ExecuteImpl:filetransfertask.cs(293))(0000000001656EC9)Executing file transfer task. direction:[toReplica], replicafqdn:[[win2008-wang.ucsoftware.com.cn, FileCopy, 0]], source:[\\lyncserver.ucsoftware.com.cn\lyncshare\1-CentralMgmt-1\CMSFileStore\xds-master\replicas\win2008-wang.ucsoftware.com.cn\to-replica], target:[\\win2008-wang.ucsoftware.com.cn\xds-replica\from-master], tmpDir:[\\lyncserver.ucsoftware.com.cn\lyncshare\1-CentralMgmt-1\CMSFileStore\xds-master\working\fta\win2008-wang.ucsoftware.com.cn\to-replica], state:[FILES_MOVED_TO_TMP_DIR], transferMode:[FileCopy]

    TL_WARN(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c0 (XDS_File_Transfer_Agent,FileTransferTask.CopyFiles:filetransfertask.cs(528))(0000000001656EC9)Failed to copy files from temp directory. Exception: [System.UnauthorizedAccessException: ]
    TL_WARN(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c1 (XDS_File_Transfer_Agent,FileTransferTask.IsUnhandledException:filetransfertask.cs(814))(0000000001656EC9)Exception occured. Task execution will be retried. Exception: [System.UnauthorizedAccessException: ]

    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c2 (XDS_File_Transfer_Agent,ReplicaTaskContainer<T>.OnError:replicataskcontainer.cs(171))(00000000003F4F80)Task error callback is about to be called.
    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c3 (XDS_File_Transfer_Agent,PerReplicaTaskManager<T>.HandleTaskError:perreplicataskmanager.cs(234))(0000000000E36229)Task encountered an error: [ReplicaTaskContainer<FileTransferTask>{FileTransferTask(6, 2012/2/21 9:43:44): {FILES_MOVED_TO_TMP_DIR, toReplica, [win2008-wang.ucsoftware.com.cn, FileCopy, 0], 0}, FileTransferTask(0, 2012/2/21 9:45:44): {TASK_NOT_STARTED, toReplica, [win2008-wang.ucsoftware.com.cn, FileCopy, 0], 0}}]
    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c4 (XDS_File_Transfer_Agent,PerReplicaTaskManager<T>.HandleTaskError:perreplicataskmanager.cs(240))(0000000000E36229)Task error callback is about to be called.
    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c5 (XDS_File_Transfer_Agent,FileDistributionTracker.UpdateFileDistributionFailures:filedistributiontracker.cs(75))(0000000003FC2C45)Received file distribution event. win2008-wang.ucsoftware.com.cn (FAILURE Access denied. (\\win2008-wang.ucsoftware.com.cn\xds-replica\from-master\data.zip)).
    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c6 (XDS_File_Transfer_Agent,TaskManager<T>.QueueTaskToExecute:taskmanager.cs(335))(00000000031984C3)Queuing task execution, waitSecs=64, task=ReplicaTaskContainer<FileTransferTask>{FileTransferTask(6, 2012/2/21 9:43:44): {FILES_MOVED_TO_TMP_DIR, toReplica, [win2008-wang.ucsoftware.com.cn, FileCopy, 0], 0}, FileTransferTask(0, 2012/2/21 9:45:44): {TASK_NOT_STARTED, toReplica, [win2008-wang.ucsoftware.com.cn, FileCopy, 0], 0}}
    TL_INFO(TF_COMPONENT) [1]08A8.08E0::02/21/2012-01:46:53.313.000000c7 (XDS_Replica_Replicator,XdsDBAccess.Heartbeat:xdsdbaccess.cs(142))(0000000000B7AB7B)Heartbeating... - lyncserver.ucsoftware.com.cn:replica

    Tuesday, February 21, 2012 01:49
  • Hi,

    It seems to me that you have an access-related issue between the EDGE and the FE:

    (TF_COMPONENT) [3]05C4.2338::02/21/2012-01:46:47.466.000000c5 (XDS_File_Transfer_Agent,FileDistributionTracker.UpdateFileDistributionFailures:filedistributiontracker.cs(75))(0000000003FC2C45)Received file distribution event. win2008-wang.ucsoftware.com.cn (FAILURE Access denied. (\\win2008-wang.ucsoftware.com.cn\xds-replica\from-master\data.zip)).

    Make sure that the FE server can access the Edge and that it has admin rights on the Edge server to transfer the .zip file.


    Thamara. MCTS, MCITP Ent Admin, Specialized in U.C Voice OCS 2007 R2 Z-Hire -- Automate IT Account creation process ( AD / Exchange / Lync )

    Tuesday, February 21, 2012 02:01
  • The Lync server can now access (\\win2008-wang.ucsoftware.com.cn\xds-replica\from-master\), but after executing the cmdlet

    Invoke-CsManagementStoreReplication -ReplicaFqdn win2008-wang.ucsoftware.com.cn

    it still responds with this:

    UpToDate           : False
    ReplicaFqdn        : win2008-wang.ucsoftware.com.cn                         (Lync Edge Server)
    LastStatusReport   :
    LastUpdateCreation : 2012/2/20 11:48:36
    ProductVersion     :

    The log is:

    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-06:37:26.705.000000ff (XDS_File_Transfer_Agent,Utils.TryGetConnectionPointFromAD:utils.cs(42))CMS backend pointer found from AD connection point: LyncServer.ucsoftware.com.cn\rtc
    TL_INFO(TF_COMPONENT) [3]05C4.2338::02/21/2012-06:37:26.705.00000100 (XDS_File_Transfer_Agent,ConnectionPointWatcher.EnqueueReadConnectionPointFromAD:connectionpointwatcher.cs(133))(0000000003973ABB)Queuing read connection point task execution, waitSecs=00:00:30
    TL_INFO(TF_COMPONENT) [0]06A0.205C::02/21/2012-06:37:26.720.00000101 (XDS_Master_Replicator,Utils.TryGetConnectionPointFromAD:utils.cs(42))CMS backend pointer found from AD connection point: LyncServer.ucsoftware.com.cn\rtc
    TL_INFO(TF_COMPONENT) [0]06A0.205C::02/21/2012-06:37:26.720.00000102 (XDS_Master_Replicator,ConnectionPointWatcher.EnqueueReadConnectionPointFromAD:connectionpointwatcher.cs(133))(00000000037A456E)Queuing read connection point task execution, waitSecs=00:00:30
    TL_INFO(TF_COMPONENT) [7]05C4.1354::02/21/2012-06:37:38.979.00000103 (XDS_File_Transfer_Agent,XdsDBAccess.Heartbeat:xdsdbaccess.cs(142))(0000000001400C58)Heartbeating... - lyncserver.ucsoftware.com.cn:fta
    TL_INFO(TF_COMPONENT) [2]06A0.1338::02/21/2012-06:37:39.438.00000104 (XDS_Master_Replicator,XdsDBAccess.Heartbeat:xdsdbaccess.cs(142))(00000000028F1359)Heartbeating... - lyncserver.ucsoftware.com.cn:master


    And I still can't telnet to 4443 from the FE server to the Edge server.
    • Edited by Wang_ODX Tuesday, February 21, 2012 08:49
    Tuesday, February 21, 2012 08:48
  • I am facing the same problem with a Lync enterprise pool on the internal side and a Lync edge server in the DMZ. Currently checking the internal FW settings. Port 4443 is open from the FE to the Edge server. However, the FE machine does not have read/write access to the Edge server directly. It is always required to sign in with valid credentials.

    I am unable to connect from edge server to FE with name or IP Address. I think this is normal. But want to confirm from experts here.

    Thanks,

    Wednesday, February 22, 2012 18:06
    • Yes. Replication over 4443 is one way from FE -> edge.
    • You don't really need R/W access to the edge ... frequently an edge server isn't even domain connected (workgroup) or is in another DMZ domain. So, if you're talking about something like NTFS permissions - it's not applicable here.
    • Make sure that you have your domain CA and whatever intermediate certificates installed on your EDGE server's CA store.  Make sure that you're exporting the certs correctly from your server.  Make sure that you're making the key EXPORTABLE and that when you import on the EDGE server that you are prompted for a password.
    • In my experience, replication problems (during initial setup) are a firewall or certificate issue.  I imagine that you can telnet from FE -> Edge via 4443.
    • ALSO, make sure that your static route is set to route traffic appropriately through the internal interface NIC.
    • ALSO, make sure that DNS is configured in the host files of your FE servers (as it's assumed that your edge servers aren't in DNS, as they're in the DMZ).  Eh?

    _G


    • Edited by Greg Seeber Wednesday, February 22, 2012 21:28 adf
    Wednesday, February 22, 2012 21:27
  • Dear "LyncEdgeRepilcationProblem" 

    If you can't telnet to 4443 from the FE -> EDGE server  ... you don't have a LYNC problem.  You have an infrastructure issue.  Go to the EDGE server and "telnet localhost 4443" ... if it connects , then your EDGE is listening.  It's just that you can't get to it.  

    You need to figure out your firewall issue, your routing issue, your dns issue - it's not cert at this point nor anything Lync related.  

    BTW, LyncEdgeReplicationProblem - I just love your screenname - but after you resolve this.  What will you call yourself?  Your name will just be a reminder of the hard times.

    Wednesday, February 22, 2012 21:34
  • Thanks Greg.

    I have port 4443 open on the internal firewall. I can confirm it using PortQry tool from FE to check for port 4443. Also telnet from FE to edge over port 4443 is working as well.

    We also checked the internal firewall and put packet checking on it. Interestingly, no packets from the FE are hitting the internal firewall on port 4443. We watched for over 1 hour, using Invoke-CsManagementStoreReplication -ReplicaFqdn <Edge Internal NIC FQDN> a few times (waited 20 min between two requests). Not sure what this means. It seems that the Master replica is not sending anything.

    Wireshark on the FE shows that packets are sent to the Edge internal IP on port 4443. However, no TCP ack is seen.

    Investigating further. If no headway tomorrow, then I will open a case with Microsoft.

    Thursday, February 23, 2012 22:58
  • Now that you can actually telnet from FE -> Edge, you have a fighting chance at getting this to work.

    I have previously asked about certificates.   Can you please refer back to that post?  This is likely a certificate issue now.  Have you installed the certificates that are on the FE server on the Edge server (assuming that your edge has a different CA or is DMZ'ed from the CA that serves the FE network)?

    Export the certificates (mark as exportable) from FE and import them into Edge.

    Friday, February 24, 2012 16:48
  • Thanks Greg.

    Here is my setup.

    Internal NIC/interface on the Edge Server is assigned with internal CA issued certificate from customer. Both Enterprise root and subordinate CA are in Trusted Root and Intermediate certificate authorities for internal CA.

    The Front End certificate is also issued by same enterprise CA, Subordinate CA pair.

    The external access is working from the edge server and I can see certificate exchange is done correctly between FE and Edge.

    I will double check for the certificate again to make sure for the replication.

    Thanks again.


    Ketan Shah Sr. Lync Support Engineer Lync Managed Services Catapult Systems

    Friday, February 24, 2012 16:53
  • Also.... your FE can resolve the FQDN of the edge as well, right?  Please ensure that your host file is correct and/or DNS is working correctly.  Just trying to cover the bases and brainstorm with you.

    Is your internal EDGE NIC on a different subnet than your external EDGE NIC?

    Are you certain that both ingress/egress traffic is routing to/from the correct NIC?  Asking about the static route that you put in the edge server (as it's multihomed).

    Friday, February 24, 2012 16:58
  • Also, 

    please refer to this link:

    http://ocsguy.com/2011/09/07/troubleshooting-cms-replication/

    If you do the logging on XDS and find that it may be a certificate issue ... please post back.  

    Friday, February 24, 2012 17:29
  • Hello Greg,

    Thanks very much. My issue was related to certificates. (not exactly same as in the link above). When I run the certutil -verify on the FE certificate in Edge server, I found the following error:

    The signature of the certificate cannot be verified. 0x80096004 (-2146869244)
    ------------------------------------
    CertUtil: -verify command FAILED: 0x80096004 (-2146869244)
    CertUtil: The signature of the certificate cannot be verified.

    For internal offline enterprise root CA. Next I exported the chain from the FE, imported it on the edge server and ran the certutil -verify command again on the FE cert. I waited for 2 minutes and then ran the Invoke-CsManagementStoreReplication cmdlet on the FE. After 5 minutes, when I checked the status, the replication was successful and the status had changed to "True".

    I do not know exactly what was missing on certificate chain from internal CA as edge server internal interface has same internal root CA issued certificate. But problem is now solved.


    Ketan Shah Sr. Lync Support Engineer Lync Managed Services Catapult Systems

    Friday, February 24, 2012 18:40
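
The two checks that settled this thread, as an added PowerShell example that is not part of any poster's reply: TCP reachability of port 4443 from the Front End to the Edge, then validation of the Front End certificate's chain on the Edge (the same question `certutil -verify` answers, with every chain element and status flag listed). `Test-TcpPort`, `Test-CertChain` and both parameter values are hypothetical names and placeholders.

```powershell
# Added example, not from the thread. Run the port test on the Front End and the
# chain test on the Edge. Both parameter values are placeholders.
param(
    [string]$EdgeFqdn,   # e.g. edge-internal.example.test (placeholder)
    [string]$CertPath    # full path to the FE certificate exported without its key (.cer)
)

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port = 4443, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # A timeout means packets are dropped on the way (firewall, routing).
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($pending)   # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

function Test-CertChain {
    param([string]$Path)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Assumption: skip revocation so an unreachable CRL (offline root, DMZ host)
    # does not mask a trust or signature failure.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $valid = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject  = $cert.Subject
        Valid    = $valid
        # Certificates the local store could link together, leaf first.
        Elements = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        # Empty when the chain builds cleanly to a trusted root.
        Problems = @($chain.ChainStatus | ForEach-Object { '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    }
}

if ($EdgeFqdn) {
    'FE -> {0}:4443 reachable: {1}' -f $EdgeFqdn, (Test-TcpPort -ComputerName $EdgeFqdn)
}
if ($CertPath) {
    Test-CertChain -Path $CertPath | Format-List Subject, Valid, Elements, Problems
}
```

A chain that stops short of the root in `Elements`, or a `Problems` entry such as `PartialChain` or `UntrustedRoot`, points at a root or intermediate CA certificate missing from the local machine store.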
  • Dear Greg,

    What if we are not able to telnet to 4443 from the Edge Server itself, even if all the replication services are running?
    What should be the troubleshooting path in this case?

    Any thought or idea will be appreciated.

    Thanks.


    Junaid Ahmed

    Sunday, May 13, 2012 13:12
  • Dear Ketan, I mentioned certificate at least 10 times in this thread.  Please mark thread as answered - as, indeed it was certificates (frequent issue in replication setup issues)

    I have previously asked about certificates.   Can you please refer back to that post?  This is likely a certificate issue now.


    if my post is helpful - please click on the green arrow. (please excuse, in advance, any perceived sarcasm/humor - as I often forget it does not translate through text) :)

    Monday, May 21, 2012 19:26
  • Hello Greg,

    Thanks. I am unable to set your reply as the answer in this thread. It is not available to me somehow. The first answer on Feb 24th provided me direction and the second answer on Feb 24th actually indicated to me how to check the certificate.

    Moderator: Can you please mark it as answered?

    Thanks again,

    Ketan Shah


    Ketan Shah Sr. Lync Support Engineer Lync Managed Services Catapult Systems

    Monday, May 21, 2012 19:33
  • Hello Junaid,

    Please use portqry tool from Microsoft. This is a great tool to test the ports without telnet.

    Thanks,

    Ketan Shah


    Ketan Shah Sr. Lync Support Engineer Lync Managed Services Catapult Systems

    Monday, May 21, 2012 19:35
  • Well guys,

    The issue is resolved now and replication is working fine. This was a certificate issue on the internal interface of the Edge Server.

    I renewed the certificate from the internal CA using the default values suggested by the certificate wizard and all went well. Replication started happening immediately.

    Thanks.


    Junaid Ahmed

    Monday, May 21, 2012 21:04