Can't get the Skype pool to start

  • Question

  • I am trying to migrate from an existing Lync 2013 enterprise pool to a Skype for Business enterprise pool.  Our environment uses Lync and will use Skype for local IM, presence, and local conferencing only.  We do not integrate it with our phone system.  We no longer allow communication outside our environment, so there is no Edge server.

    We have an internal domain (local.mycorp) and an external domain (mycorp.com).

    I have created and published a topology with three Skype for Business 2019 servers in a 2019 FE pool.  I have installed Skype 2019 Server to those three servers.  I tried using an existing wildcard cert from a known company, but I could not get the FE service to start.  It apparently could not use a wildcard cert.  I then used the Skype Deployment Wizard to create a certificate request file. It created a certificate request with a subject name mycorp.com.  I used that to get a certificate from our internal CA (since we are strictly internal with our Lync/Skype, I used the internal CA).  The Lync FE pool still uses a cert from a certificate company.  When I used the Deployment Wizard to import and assign the certificate, I saw an error that it was expecting the certificate subject name to be the name of the Skype FE pool.  However, since the Deployment Wizard itself created the CSR with the subject mycorp.com and did not allow me to specify any different, I assume that this is OK.

    The Skype FE service will not start on FE1 and FE3, and none of the Skype services start on FE2.  On FE1 and FE3, there is an event ID 7024 error "The Skype for Business Server Front-End service terminated with the following server-specific error %%2147949760."  On FE2, the Microsoft Service Fabric Host Service will not start.  There are repeated event ID 7031 errors "The Microsoft Service Fabric Host Service terminated unexpectedly.  It has done this xx times.  The following action will be taken in 5000 milliseconds: Restart the service."

    Does anyone have an idea of what is wrong and what I need to do to correct it?

    Thank you very much for your help with this.

    Tuesday, September 17, 2019 12:04 AM

Answers

  • Hi Logan Burt,

    Which domain do you use in Front End server FQDN, such as fe.domain.local or fe.domain.com?

    The certificate needs the following SANs. Please check if your certificate has these SANs.

    For more details about the Front End service not starting, you could refer to this article:

    https://social.technet.microsoft.com/Forums/lync/en-US/d1df7ea9-56d4-496b-a35f-75d0e2096d31/troubleshooting-skype-for-business-server-frontend-service-cannot-start?forum=sfbfr



    Best Regards,
    Sharon Zhao


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.

    • Marked as answer by Logan Burt Friday, September 20, 2019 10:53 AM
    Tuesday, September 17, 2019 6:21 AM
    Moderator
  • Hi,

    As Sharon suggests, I would say your internal cert isn't correct.

    However, as you're on Enterprise Edition, your certificate should consist of the following:

    The Subject should be the FQDN that is defined in your topology (under Enterprise Edition Front End Pools). This may be different from the FQDNs of the servers. So it could be FEPOOL.mycorp.com

    The SANs will include the FQDNs of the servers, so will be FE1.mycorp.local, FE2.. FE3....

    Along with sip.mycorp.com, lyncdiscoverinternal.mycorp.com,

    Internal and External Web Services names

    Lyncdiscover

    Dialin, Meet URLs

    The Deployment Wizard should do most of these automatically if your topology is correct.

    Hope above helps.

    • Marked as answer by Logan Burt Friday, September 20, 2019 10:53 AM
    Tuesday, September 17, 2019 8:57 AM

All replies

  • Thank you both for your replies.  

    The certificate in place for Default, WebServicesInternal, and WebServicesExternal was issued by our internal CA.  The subject is like "C=US, S=TX, L=Dallas, O=MyCorp, OU=IT, CN=mycorp.com".  The Subject Alternative Names are MyCorpSkypeFE.mycorp.com, SkypeFE1.local.mycorp, SkypeFE2.local.mycorp, SkypeFE3.local.mycorp, dialin.mycorp.com, meet.mycorp.com, skypeweb-int.mycorp.com, LyncdiscoverInternal.mycorp.com, skypeweb-ext.mycorp.com, Lyncdiscover.mycorp.com, sip.mycorp.com, admin.mycorp.com, and mycorp.com.

    MyCorpSkypeFE.mycorp.com is the name of the 2019 front end pool, and SkypeFE1, SkypeFE2, and SkypeFE3 are the individual front end servers.

    To obtain this, I used the Skype Deployment Wizard on SkypeFE1 to create a certificate request file.  This wizard did not allow me to specify a subject name; the wizard decided what the subject name would be.  It listed a number of alternative names, and I added more (including the names of the other two FE servers).  Once I got the certificate back, I used the deployment wizard to install it on SkypeFE1.  After I was unable to put it directly on FE2 and FE3, I exported it out from FE1 as a .pfx file and successfully imported it into FE2 and FE3 and assigned it using the deployment wizard.

    Is there something else I need to do in the deployment wizard to specify the correct subject name?

    I'm not sure how to generate a certificate request to get a certificate with the subject name MyCorpSkypeFE.mycorp.com.  Looking at the documentation for Request-CsCertificate, it says I should use the computer name for "-ComputerFqdn" even when requesting a certificate for a pool, and that the cmdlet will automatically add the pool name to the subject name.  But that didn't work out too well from the deployment wizard.

    Finally, am I wrong to think that this certificate needs to be the same across all 3 servers?  Or since it is from the internal CA, can I have a separate request from each server?

    Thank you very much for your help.
    Tuesday, September 17, 2019 12:16 PM
  • Can you please check your topology. The subject name should come from what you have specified as the FQDN under Enterprise Edition Front End Pools.

    You can manually create a certificate using a free tool such as Digicert Certificate for Windows Utility. There, you can create your CSR and submit to the local CA. More info can be found here: http://blog.schertz.name/2016/03/skype-for-business-2015-edge-server-deployment/

    It relates to the EDGE but can be used for Front Ends. However, it's still strange why the deployment wizard isn't picking up your Pool FQDN.

    You can have 1 certificate for all servers as long as the private key is exportable with it. Or you can have separate certificates as long as the Server FQDN is specified as a SAN.



    • Proposed as answer by K_S_C Wednesday, September 18, 2019 7:39 AM
    Tuesday, September 17, 2019 12:38 PM
  • Thank you very much.

    I got a certificate manually generated with the pool name as the subject name and with all the Subject Alternative Names in it.  After installing that and restarting, all the services except for the Front-End service started on all 3 servers.  In looking through the event log, there are new errors that indicated a problem contacting the SQL instance.  I then discovered that I had mistyped the SQL instance name.

    To correct this, do I edit the topology to correct the instance name and then publish that?  If so, do I need to be logged in to the Skype server as the service account for that SQL instance (like I did when I originally published the topology)?  Or is there another way to correct this?

    Thank you again for all your help.

    Tuesday, September 17, 2019 2:13 PM
  • Actually, this SQL problem is different enough that I will open a new thread on it.  I would welcome your input.

    Thank you both very much for your help with the certificate issue.  The new thread I started is at https://social.technet.microsoft.com/Forums/lync/en-US/be418f83-9c2b-4902-8e31-9f9e814d1afd/wrong-sql-instance-specified-in-topology?forum=sfbfr

    Thank you again for your help.

    Tuesday, September 17, 2019 3:39 PM
  • Hi Logan Burt,

    I am checking the status of this case. Please let us know if you would like further assistance.

    Meanwhile, if the reply is helpful to you, please try to mark it as an answer to close the thread, it will help others who encounter the same issue and read this thread.

    Thank you for your understanding and patience!


    Best Regards,
    Sharon Zhao



    Wednesday, September 18, 2019 4:09 AM
    Moderator
  • Thank you all for your help.  The first problem was that the wildcard cert didn't work; it seems to demand all the specific subject alternative names.  The second problem was then that the cert request generated by the deployment wizard didn't specify the pool name as the subject name, nor did it allow me to specify the sn manually.  Once I manually generated a cert (not using the wizard) with the pool FQDN as the subject name, the cert worked.  I'm not sure why the wizard wouldn't use the pool fqdn or allow me to specify the sn.  Maybe because this is a migration and so had two pools in the topology (Lync and Skype)?  Whatever, I'm glad it worked.

    Thank you both for all your help with this certificate issue.

    Friday, September 20, 2019 11:01 AM
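
The name check this thread settled on (subject CN equal to the pool FQDN, every server and service name present as a SAN, no wildcard entries) can be scripted before a certificate is assigned. The following PowerShell is an added example, not part of the original posts; `Test-PoolCertNames` is a hypothetical helper, and the test certificate is constructed in memory to resemble the wizard-issued certificate described above (this part needs .NET Framework 4.7.2 or later, or PowerShell 7).

```powershell
# Added example (hypothetical helper, not from the thread).
# Verifies the naming rules discussed above for a Front End pool certificate.
function Test-PoolCertNames {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string]   $PoolFqdn,
        [Parameter(Mandatory)] [string[]] $RequiredNames
    )
    # Subject common name; DNS names are compared case-insensitively.
    $cn = $Certificate.GetNameInfo('SimpleName', $false)
    # SAN extension is OID 2.5.29.17. Format() renders entries as "DNS Name=..."
    # on English-language Windows ("DNS:..." on OpenSSL-backed platforms).
    $ext  = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($ext) {
        $sans = @([regex]::Matches($ext.Format($false), '(?:DNS Name=|DNS:)([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }
    [pscustomobject]@{
        SubjectCN          = $cn
        SubjectMatchesPool = ($cn -ieq $PoolFqdn)
        MissingSans        = @($RequiredNames | Where-Object { $sans -notcontains $_ })
        WildcardSans       = @($sans | Where-Object { $_.StartsWith('*.') })
    }
}

# Constructed input: self-signed, in-memory certificate with CN=mycorp.com and
# a subset of the SANs listed in the thread. Nothing is written to a cert store.
$names = 'MyCorpSkypeFE.mycorp.com', 'SkypeFE1.local.mycorp', 'SkypeFE2.local.mycorp',
         'SkypeFE3.local.mycorp', 'sip.mycorp.com', 'LyncdiscoverInternal.mycorp.com'
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=mycorp.com', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sanBuilder = [System.Security.Cryptography.X509Certificates.SubjectAlternativeNameBuilder]::new()
$names | ForEach-Object { $sanBuilder.AddDnsName($_) }
$req.CertificateExtensions.Add($sanBuilder.Build($false))
$cert = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))

# All SANs are present, but the subject is the SIP domain rather than the pool FQDN,
# so SubjectMatchesPool is reported as False.
Test-PoolCertNames -Certificate $cert -PoolFqdn 'MyCorpSkypeFE.mycorp.com' -RequiredNames $names
```

To check an installed certificate instead, pass `Get-Item Cert:\LocalMachine\My\<thumbprint>` as `-Certificate`, where `<thumbprint>` is a placeholder for the certificate's thumbprint.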