Post on 04-Apr-2018
Deploying Lync Server 2010
How Microsoft IT Empowers Workers to Collaborate Anytime and Anywhere on Their Own Terms Technical White Paper
Published: December 2011
The following content may no longer reflect Microsoft’s current position or infrastructure. This
content should be viewed as reference documentation only, to inform IT business decisions
within your own company or organization.
CONTENTS
Executive Summary ... 6
Lync Server 2010 Unified Communications Overview ... 7
  Opportunities ... 7
  Delivery ... 7
Lync Server 2010 Benefits ... 9
  Reduce Costs through Converged Communications ... 9
  Drive Adoption through Ease of Use and Microsoft Office Integration ... 9
  Extend Lync to Custom Applications ... 9
Lync Server 2010 Infrastructure ... 11
  Topology and Geographic Distribution ... 11
  Server Configuration ... 13
  Remote Access ... 14
  Enterprise Voice ... 15
  PBX Replacement ... 15
  Load Balancing ... 16
  Security ... 17
Deployment and Migration ... 19
  User Migration Process ... 19
  Using Education and Support to Help Manage Change ... 19
Supporting and Managing Lync Server 2010 ... 21
  Support Tools ... 21
Best Practices ... 22
Appendix: Server Deployment Checklists ... 23
  Deployment Verification ... 24
For More Information ... 26
Deploying Lync Server 2010 Page 6
EXECUTIVE SUMMARY
Microsoft workers participate in a culture where connected groups operate across
departmental and geographic boundaries to create products and solutions for customers.
This collaborative approach often requires forming virtual teams that include people in many
locations that work together on common projects. Microsoft IT makes it possible for teams to
collaborate anywhere and anytime on their own terms by using a suite of real-time
collaboration tools through Lync Server 2010 that include instant messaging (IM), voice and
video conferencing, Enterprise Voice, and Web collaboration.
Lync Server 2010 enables workers at Microsoft to move beyond mere communication and to
form connections with others. To take advantage of the efficiency and productivity gains of
the latest real-time collaboration tools, Microsoft IT migrated from Office Communication
Server 2007 R2 to Lync Server 2010. Lync Server 2010 also provides administration and
system management improvements, such as role-based access control, a tool for managing
Lync infrastructure components, and a configuration management store that serves as a
central data repository to define, administer, and operate a Lync Server 2010 infrastructure.
When migrating to Lync Server 2010, Microsoft IT followed a best-practices-based approach
to consider the design requirements, plan for deployment, verify configurations, and then
deploy gradually in phases. This approach minimized user impact while validating
configurations before migrating users to the production environment. The key deployment considerations included the following:
- Provide access for each type of user in a secure-by-design way by taking advantage of the roles included in Lync Server 2010.
- Leverage the existing network infrastructure and roll out new clients with a support system that makes it possible to make adjustments during migration to ensure high user satisfaction.
- Build infrastructure that accommodates anticipated growth and scaling requirements, as well as operational and support needs.
- Support coexistence with Office Communication Server 2007 R2 until all dependencies are migrated to the Lync Server 2010 production environment.
This technical white paper covers the details of how Microsoft IT deployed Lync Server 2010.
It assumes that you are already familiar with the basic concepts of messaging, telephony,
and TCP/IP networking. This paper provides IT Pros and Lync Server 2010 implementers
with guidance for deploying and migrating to Lync Server 2010. For more information about Lync Server 2010, see http://technet.microsoft.com/en-us/library/gg398616.aspx.
Note: For security reasons, the sample names of forests, domains, internal resources,
organizations, and internally developed security file names used in this paper do not
represent real resource names used within Microsoft and are for illustration purposes only.
Situation
Microsoft users rely on real-time collaboration tools to communicate with team members. Microsoft IT saw an opportunity to improve communication capabilities by helping workers connect and collaborate with the better user experience that Lync Server 2010 provides.
Solution
Microsoft IT migrated to Lync Server 2010 to enable users to collaborate in real time, improve its communications infrastructure, and converge traditional TDM services.
Benefits
- Reduce costs through converged communications.
- Drive adoption through ease of use and Microsoft Office integration.
- Ease deployment and migration through interoperability and extensibility.
Products & Technologies
- Lync Server 2010
- SQL Server 2008 R2
- Windows Server 2008 R2
- Active Directory
- Office Communication Server 2007 R2
- Enterprise Voice
LYNC SERVER 2010 UNIFIED COMMUNICATIONS OVERVIEW
The unified communications story at Microsoft goes back to the early 2000s when the
increase of available network bandwidth and improvements in processor and hardware
technology made it possible to realize the promise of unified communications. This promise
consisted of the idea that technology could help people form connections in real-time using
voice, video, and text. Since this time, Microsoft has invested heavily in unified
communication technologies in order to realize this promise within the enterprise. Microsoft is
able to deliver on real-time collaboration solutions through Lync Server 2010 desktop and
Web-based software clients, which provide the full spectrum of real-time collaboration
services. Exchange Server 2010 and SharePoint Server 2010 complete the unified
communication infrastructure to deliver additional collaboration capabilities for e-mail and
document sharing.
Opportunities
In addition to the real-time collaboration offerings in Lync Server 2010, Microsoft continues to invest in opportunities across the business landscape such as the following:
- For IT: Optimize Lync 2010 deployments by taking advantage of PowerShell automation, media bypass, and load balancing simplification.
- For users: By consolidating the Live Meeting and Communicator clients into a single client, Microsoft provides a more seamless end-user experience, reduces training and deployment costs, and offers improved controls in audio and web collaboration scenarios such as dual-tone multi-frequency (DTMF) conferencing controls, whiteboards, and polling.
- For developers: The ability to take advantage of enhanced application programming interface (API) capabilities and to create custom applications that extend the value of Lync to a broader set of applications.
Delivery
Microsoft IT worked closely with the Lync Server product group as well as Microsoft Online
Services (BOSD) during the development of the new product to engineer and validate Lync
Server 2010 features and capabilities. Microsoft IT validates pre-release software in a test
environment using a small population of users at first, and then deploys major releases to all
users worldwide.
One way that Microsoft IT accomplishes service reliability is by componentizing the
architecture and design according to security boundaries and server roles. For example,
Microsoft IT places Lync Server 2010 roles according to security boundaries either inside the
corporate network or in a perimeter network used for hosting or communicating with Internet
hosts, as shown in Figure 1.
Figure 1. Communication Infrastructure
The Microsoft Lync 2010 infrastructure includes the following server roles:
- Front-end: Microsoft IT uses pools of front-end servers to provide core user features and the communication logic for Lync Server 2010. These features include user authentication and registration, and presence functionality.
- Back-end: Lync Server 2010 uses SQL Server 2008 R2 for the back-end database functionality. Microsoft IT deployed back-end servers and databases to store information such as contacts, presence status, conference state, and scheduling data.
- A/V conferencing: This role provides A/V conferencing and Web collaboration functionality.
- Edge: Edge servers provide remote connectivity for employees, federated partners, and public IM connectivity providers.
- Mediation: Microsoft IT uses Mediation servers to implement Enterprise Voice and audio conferencing. Mediation servers have been moved to coexist with the Lync server environment in the data center.
- Monitoring: Monitoring servers collect data related to Lync interactions, including call detail record (CDR) and Quality of Experience (QoE) data.
- Director: Microsoft IT uses Directors to manage high volumes of internal and external user authentication requests.
- Archiving: This role archives communication content such as instant messages, uploaded conference content, and event-related content.
LYNC SERVER 2010 BENEFITS
Lync Server 2010 offers Microsoft IT an opportunity to streamline its infrastructure, increase
interoperability, and reduce administrative overhead.
Reduce Costs through Converged Communications
Microsoft IT saves money with Lync Server 2010 by uniting disparate systems and offering a
mature unified communications service. In conducting a business analysis (which you can read at http://technet.microsoft.com/en-us/library/cc982178.aspx), Microsoft IT made the following discoveries about the cost savings realized by deploying Lync Server 2010:
- Reduced travel costs of $92 million by reducing the need for 45,600 trips per year.
- $8 million saved in audio-conferencing costs per year by using Lync audio conferencing.
- Administrative overhead associated with office moves and voice infrastructure management reduced by over one million USD annually.
In addition, the savings that are more difficult to quantify include increased team productivity
due to less travel, faster issue resolution, and faster project completion.
Drive Adoption through Ease of Use and Microsoft Office Integration
Office applications integrate with Lync in a consistent way to provide the same features and
capabilities across multiple applications. Users experience the same presence, contact card,
and click-to-communicate experience throughout Lync, Outlook, SharePoint, Word, Excel
and PowerPoint. The contact card shows details about presence, location, status, and
communication options across applications to provide an intuitive and predictable user
experience. The Lync 2010 client extends the capability of Office applications to enable
application sharing, and shows presence information for document owners and those who
have updated or changed a document to provide an easy method for collaborating on
documents.
Extend Lync to Custom Applications
Lync 2010 includes server and client side features that increase Microsoft IT's ability to make
conversations contextual, and extend communications into everyday business processes.
For example, one way that Microsoft IT uses Lync 2010 is the Ask an Expert application. This
is a custom application in which workers sign up to be an expert in a specific body of
knowledge to support others within the company to answer questions and collaborate on
projects. People with questions can locate the category for their question, and the Ask an
Expert application sends out an IM message of the question to all available relevant experts.
The first person to respond to the question may interface directly with the person asking the
question to enable a real-time contextual conversation. In previous solutions, a person with a
query would send it out to an e-mail distribution list, and often multiple people would respond,
resulting in a duplication of effort.
Lync 2010 APIs make the development of rich applications possible through the following client and server extensions:
- Client: Lync 2010 Managed API. This .NET API gives custom applications access to all Lync capabilities, including contextual conversations, support for a controls class library for creating Windows Presentation Foundation (WPF) applications, Silverlight, and drag-and-drop feature integration. It supports the Lync user interface (UI) and enables developers to extend it for custom line-of-business applications.
- Server: UCMA 4.0. For custom development, Microsoft IT relies on a robust, extensible, and scalable multi-layer managed API based on .NET.
To help industry participants who develop VoIP devices, IP-PBXs, and PSTN gateways,
Microsoft formed a non-profit vendor alliance named Unified Communications Open
Interoperability Program. This program aims to increase user adoption and industry
involvement by enabling interoperability of unified communication scenarios based on
existing standards. It is open to all unified communication hardware and software vendors,
service providers and network operators. For more information, see
http://technet.microsoft.com/en-us/lync/gg131938.aspx.
LYNC SERVER 2010 INFRASTRUCTURE
Lync Server 2010 relies on an updated architecture that places much of the server configuration and other vital data within the Lync configuration database and not in Active Directory. The Lync product group provides Microsoft IT with sizing recommendations and capacity planning guidelines (found at http://technet.microsoft.com/en-us/library/gg399017.aspx), which Microsoft IT uses as a starting point in designing the Lync infrastructure.
Out of the design considerations and dependencies involved in planning for Lync Server 2010, the following were especially important for Microsoft IT:
- Relating user load to server sizing and distribution: An important consideration for any application is the number of users, and the server load that user behaviors generate. This consideration is relevant for common sizing aspects such as processor speed, disk capacity and disk throughput, as well as pool sizing, distribution of servers based on user location, and the number of devices and connections per user.
- Ensuring features function as expected: Lync Server 2010 relies on many server roles to deliver its key features. In planning for these features, Microsoft IT worked with its core engineering team to consider each feature and its dependencies, satisfy the dependencies, and verify that each feature works per specification.
- Maintaining high levels of security: Microsoft IT deployed Edge server roles in Lync to enable its users to connect to federated partners and public-IM-connected users.
Topology and Geographic Distribution
With Lync Server 2010, Microsoft IT distributed eight Lync server pools among four data
centers to accommodate users worldwide. The deployment consisted of new servers for each
pool, and the existing Office Communication Server 2007 R2 infrastructure remained in place
until all users and services were migrated to Lync Server 2010.
The goal of the Microsoft IT deployment design was to create a highly available infrastructure
that could scale up to accommodate additional users in each region. Regional Lync pool
distribution ensures better audio quality experiences for Microsoft’s user base. Figure 2
shows the topology and geographic distribution, including the configuration used in the
Americas region to support business continuity and disaster recovery. The Dublin and
Singapore data centers accommodate the remaining users throughout the rest of world. Each
data center deployment consists of two identical pools and users are evenly distributed
based on user load (number of users, devices, and conferencing load).
Figure 2. Topology and server distribution
Table 1 shows the server counts for each data center. The configuration for disaster recovery
in the Americas region consists of two identical pools running in an active/active configuration
where each pool can handle 100 percent of the expected traffic in case an event requires one
data center to handle the entire load for the Americas region. Additional capacity is included
in the design for increases in user population and new services such as Lync Mobile.
Table 1. Server distribution
Role                             Americas1  Americas2  Singapore  Dublin
Director pool                    4          4          2          2
Edge pool                        4          4          2          2
Front-end pool 1                 4          4          3          3
Front-end pool 2                 4          4          3          3
Mediation pool                   3          3          2          2
Audio/Video pool                 4          4          2          2
Monitoring and Archiving         1          1          0          0
SQL back-end                     2          2          2          2
Mediation servers                3          3          0          0
File server for content storage  1          1          1          1
As Table 1 suggests, the data centers accommodate different user loads.
- Edge and Director pools: Americas1 and Americas2 are the only data centers that handle federation for external users. The other data centers support remote access only.
- Mediation servers for Enterprise Voice: Each data center has a dedicated pool of Mediation servers.
- User load: Americas1 and Americas2 include an additional front-end server in each front-end pool to handle an increased number of users.
Server Configuration
Microsoft IT designed the server specifications to include two standardized server types: one
design for back-end servers with the required capacity and disk throughput, and one design
for all other server roles that provide balanced performance in terms of processing capability,
memory, and disks. As a starting point, Microsoft IT used the product group
recommendations found at http://technet.microsoft.com/en-us/library/gg398835.aspx.
While the product group in collaboration with Microsoft IT provides capacity and scalability
guidance for server requirements (such as the ones found at http://technet.microsoft.com/en-us/library/gg398811.aspx), the initial starting point was simpler. Because Microsoft IT ran
Office Communication Server 2007 R2 in the corporate production environment, it was
relatively straightforward to project Lync Server 2010 server requirements using previous
designs as a starting point. To support Lync Mobile, Microsoft IT upgraded RAM in front-end
servers from 32 GB to 48 GB. Table 2 shows the configuration for front-end servers.
Table 2. Front-end server details
Component  Specification
CPU        2 quad-core Xeon L5520, 2.26 GHz
RAM        48 GB
Disk       SAS, 4x300 GB RAID10 (+1 spare)
Other      Dual network interface controllers (NICs), redundant power supply
Consumption of real-time collaboration tools at Microsoft places heavy loads on back-end database servers. These server loads require high throughput to meet performance demands. Table 3 shows the initial disk configuration used for Lync Server 2010. In practice, Microsoft IT discovered that the primary RAID10 array was performance-bound. As a result, Microsoft IT added another identical 12x146 GB RAID10 array to the back-end servers.
Table 3. Server details for back-end servers
Component  Specification
CPU        4 quad-core 64-bit, 2.26 GHz
RAM        48 GB
Disk       Logical drive                 Hosted resources
           2x146 GB RAID1                OS, SQL, swap, support files
           4x300 GB RAID10 (+1 spare)    rtcdyn.ldf
           12x146 GB RAID10              rtcab.mdf, rtcab1.mdf, cpsdyn.mdf, rgsconfig.mdf, rgsdyn.mdf, rtc.mdf, rtcdyn.mdf, lis.mdf, xds.mdf
           2x146 GB RAID1                Tempdb
           2x146 GB RAID1                rtcab.ldf, rtcab1.ldf, cpsdyn.ldf, rgsconfig.ldf, rgsdyn.ldf, lis.ldf, xds.ldf
           2x146 GB RAID1                rtc.ldf
Other      Dual NICs, redundant power supply
Remote Access
Providing users outside of the corporate network with remote access to Lync Server is vital to
Microsoft’s culture. Microsoft IT currently supports more than 3,000 federated partner
connections as well as connections for anonymous users who join meetings. When planning
for remote access scenarios, Microsoft IT incorporates scalability requirements into the
design to handle special cases of high user load, such as 'snow day' events, when an
unusually high number of people connect remotely.
Remote access entails configuring firewalls to handle traffic, and enabling Lync servers to traverse the firewalls and serve content to clients outside the corporate network without requiring a virtual private network (VPN). The key enablers of this architecture design include the following:
- Dual-homed NICs on Edge roles: The Edge role includes services to handle Access, Web, and A/V traffic. It is homed with a dual-NIC configuration, one NIC for the external, Internet-facing side and one for the internal, corporate-network-facing side. The external-facing side has three IP addresses, one each for Access, Web, and A/V. Federation traffic for bidirectional Session Initiation Protocol (SIP) over Mutual Transport Layer Security (MTLS) on port 5061, and inbound Persistent Shared Object Model (PSOM) over Transport Layer Security (TLS) on port 443, is limited to the external IP address associated with Edge Access. In addition, inbound PSOM/TLS on port 443 for Web conferencing is open only on the Web Edge external IP address. Figure 3 shows the port configuration.
- Edge Director pool: As mentioned, Directors serve a vital function in handling authentication traffic. This configuration mitigates the risk of denial-of-service (DoS) attacks and increases scalability.
- Hardware load balancers: Configuring firewall rules in combination with the load balancer configuration proved somewhat challenging because of complex routing requirements. Microsoft IT discovered nuanced configuration specifics in designing the load balancer details, which you can find at http://technet.microsoft.com/en-us/library/gg398478.aspx.
Figure 3. Port configuration
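As an added example (not from the paper and not Microsoft IT's tooling), this Python script checks a constructed firewall rule set for the Edge external interface against the per-address port policy described above, flagging any allow rule that opens more than the service on that address needs. The addresses, the rule syntax, and the function names are assumptions; the ports are the ones the paper names, plus the A/V media range from Figure 3.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Per-address allow-list for the three external Edge IPs. Addresses are
# constructed placeholders (RFC 5737 documentation range); the ports are
# those the paper associates with each Edge service.
ACCESS_IP, WEB_IP, AV_IP = "203.0.113.10", "203.0.113.11", "203.0.113.12"
EDGE_POLICY: Dict[str, List[Tuple[str, int, int]]] = {
    ACCESS_IP: [("tcp", 5061, 5061),    # SIP/MTLS federation
                ("tcp", 443, 443)],     # SIP/TLS for remote users
    WEB_IP:    [("tcp", 443, 443)],     # PSOM/TLS web conferencing
    AV_IP:     [("tcp", 443, 443),      # STUN/TCP
                ("udp", 3478, 3478),    # STUN/UDP
                ("tcp", 50000, 59999),  # media relay range (Figure 3)
                ("udp", 50000, 59999)],
}


@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: str
    dst_ip: str
    port_lo: int
    port_hi: int


# Constructed rule syntax for this example (assumption, not a vendor format):
#   <allow|deny> <tcp|udp> <src> -> <dst_ip>:<port|lo-hi>   # optional comment
RULE_RE = re.compile(
    r"^(allow|deny)\s+(tcp|udp)\s+(\S+)\s*->\s*"
    r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)(?:-(\d+))?$"
)


def parse_rules(text: str) -> List[Rule]:
    """Parse the constructed rule format; malformed lines fail loudly."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable rule: {line!r}")
        action, proto, src, dst, lo, hi = m.groups()
        lo_i = int(lo)
        hi_i = int(hi) if hi else lo_i
        if not 0 < lo_i <= hi_i <= 65535:
            raise ValueError(f"bad port range: {line!r}")
        rules.append(Rule(action, proto, src, dst, lo_i, hi_i))
    return rules


def _covered(proto: str, lo: int, hi: int, ranges: List[Tuple[str, int, int]]) -> bool:
    """True if ports lo..hi for proto sit entirely inside one range of the same proto."""
    return any(p == proto and r_lo <= lo and hi <= r_hi for p, r_lo, r_hi in ranges)


def _span(r: Rule) -> str:
    return f"{r.proto}/{r.port_lo}" + (f"-{r.port_hi}" if r.port_hi != r.port_lo else "")


def audit(rules: List[Rule]) -> List[str]:
    """Report allow rules that expose more than the per-address policy permits."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        allowed = EDGE_POLICY.get(r.dst_ip)
        if allowed is None:
            findings.append(f"{r.dst_ip}: {_span(r)} opened on an address not in the Edge policy")
        elif not _covered(r.proto, r.port_lo, r.port_hi, allowed):
            findings.append(f"{r.dst_ip}: {_span(r)} exceeds the ports allowed for this Edge service")
    return findings


def missing_exposure(rules: List[Rule]) -> List[str]:
    """Report policy entries that no allow rule satisfies (a broken service, not a hole)."""
    gaps = []
    for ip, allowed in EDGE_POLICY.items():
        opened = [(r.proto, r.port_lo, r.port_hi)
                  for r in rules if r.action == "allow" and r.dst_ip == ip]
        for proto, lo, hi in allowed:
            if not _covered(proto, lo, hi, opened):
                gaps.append(f"{ip}: {proto}/{lo}-{hi} required but not opened")
    return gaps


# Constructed sample rule set with three deliberate policy violations.
SAMPLE_RULES = """
allow tcp any -> 203.0.113.10:5061          # federation SIP/MTLS on Access Edge
allow tcp any -> 203.0.113.10:443
allow tcp any -> 203.0.113.11:443           # PSOM/TLS on Web Conferencing Edge
allow tcp any -> 203.0.113.11:5061          # wrong: SIP exposed on the Web Edge address
allow tcp any -> 203.0.113.12:443
allow udp any -> 203.0.113.12:3478
allow tcp any -> 203.0.113.12:50000-59999
allow udp any -> 203.0.113.12:50000-60010   # wrong: range overruns the media relay ports
allow tcp any -> 203.0.113.13:3389          # wrong: management port on a non-Edge address
"""

if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_RULES)
    for line in audit(parsed) + missing_exposure(parsed):
        print(line)
```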
Enterprise Voice
Microsoft deployed Enterprise Voice to more than 86 sites that include over 92,000 people.
Lync Server 2010 provided the opportunity to update the voice infrastructure to enable
workers to connect anytime and anywhere. Lync 2010 consolidates clients and provides a
better Enterprise Voice experience with improved audio quality.
The best practice for onboarding executives is to first migrate executive assistants one week
before migrating the managers they support. This practice provides assistants time to
become familiar with Enterprise Voice.
[Figure 3 (port configuration diagram): perimeter network with the Edge role (Access, Web, AV) and reverse proxy; corporate network with the front-end pool. Ports shown include HTTPS 443 and 4443, HTTP 8080, SIP/MTLS/TCP 5061, SIP/TCP 5062, SIP/TCP 443, STUN/TCP 443, STUN/UDP 3478, PSOM/SIP/MTLS 8057, PSOM/TCP 443, RPC/TCP 135 and 445, DNS/TCP 53, HTTP/TCP 80, and media TCP/UDP 50,000-59,999.]
PBX Replacement
Microsoft IT has replaced nine PBXs in total, three in each of the three deployment regions, to validate PBX replacement scenarios. This improvement entailed using gateways
and Aries phones for the majority of locations. For phone locations where network
connectivity was not available, Microsoft IT used analog telephone adaptors (ATAs) to
replace phones where only Category 3 connections were available. Media bypass was used
instead of deploying on-site mediation servers.
The PBX replacement and consolidation provides cost savings by reducing the cost of infrastructure deployment and lowering management overhead. Microsoft IT uses voice gateways in new sites for a unified infrastructure, thus avoiding the need to support and maintain traditional PBXs in the future. By migrating to Lync Server 2010, Microsoft IT simplified its infrastructure and decommissioned 183 Mediation servers. Microsoft IT is currently deploying SIP trunking in order to consolidate its PSTN infrastructure and reduce the operational overhead of managing PSTN gateways. (A future white paper on Enterprise Voice will provide additional details.)
Load Balancing
Lync Server 2010 provides Microsoft IT with the capability to use both DNS and hardware
load balancing to balance traffic among front-end server pools, Edge Director pools, and
Edge pools. The topology and geographic distribution by design already homes users to their
regional data centers, which accomplishes regional load balancing among sites. Where
possible, DNS load balancing is used because it provides a technique to drain-stop front-end
servers, which decreases user impact from normal maintenance and patching activities.
The load balancing approach Microsoft IT uses relies on hardware devices that perform
firewall, reverse proxy, routing, and load balancing functions for the environment, as shown in
Figure 4.
Figure 4. Load balancer architecture
One of the challenging aspects of the configuration is ensuring that cookie persistence takes place. Cookie persistence is required so that multiple connections from a single client session are always routed to the same server. Because HTTPS traffic is encrypted, there is no reliable way to ensure session persistence without having the load balancer decrypt the traffic and re-encrypt it with the same certificate that the Edge Web service uses. One additional configuration change Microsoft IT made to enable load balancing was enabling host header forwarding on the reverse proxy on port 4443.
Security
Microsoft developed Lync Server 2010 with security in mind by making it trustworthy by default, by design, and by deployment. This approach is called Trustworthy Computing and is part of Microsoft's Software Development Lifecycle (SDLC). During product development, Microsoft identified common threat vectors such as eavesdropping, spoofing, man-in-the-middle attacks, real-time transport protocol (RTP) replay attacks, and exposure of personally identifiable information (PII), and created tests to check the code for vulnerabilities.
In implementing Lync Server 2010, Microsoft IT followed security best practices at every boundary (external, perimeter, internal network) to make the most of the security features. Some of the configuration decisions relevant to Microsoft IT's implementation include the following:
- Architecture and topology: Internet sources continue to represent the biggest threat vector to Internet-enabled technologies, especially when they provide access to internal resources for remote clients. The topology shown in Figure 4 uses a back-to-back firewall configuration to protect internal hosts from attack. Edge servers that are accessible from the Internet can only communicate securely with trusted hosts that are explicitly defined and secured by common protocols and technologies such as MTLS and Secure Real-Time Transport Protocol (SRTP) with 128-bit or higher encryption. In effect, all servers involved are trusted, all communication is encrypted, and all users are authenticated.
- Conferencing and client permissions: When external users do participate in consuming Lync services, the built-in security model helps to minimize risk. For example, only users with credentials can schedule conferences and start meetings. Unauthenticated users who join meetings must have a valid invitation. Participant types and roles also enable fine-grained controls. This process prevents unauthorized or fraudulent use of the conferencing platform.
- Least-privilege role-based access control (RBAC): Microsoft Lync Server 2010 gives Microsoft IT the capability to create RBAC roles and delegate administrative tasks while maintaining high standards for security. With RBAC, Microsoft IT grants administrative privileges as needed based on role, where each role is associated with a specific list of Lync Server Management Shell cmdlets. In this way, administrators are given only the permissions required to complete authorized tasks.
- Authentication and authorization: Microsoft IT relies on Kerberos and certificate authentication for clients. Internal and federated clients with accounts in the internal production environment or the perimeter network authenticate through Kerberos, and anonymous users invited to a conference have a valid conference key that the conference originator sends. An authenticated user must join before anonymous users can join the bridge. The Edge pool offloads authentication requests from external users to the Director pool in the data center, and routes user traffic to their home pools. In case of an outage, it is possible to move the traffic load from one data center to another.
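The conference admission rules described above (credentialed users schedule and start, anonymous users need the invitation's conference key, and no anonymous user enters the bridge before an authenticated one), expressed as an added Python model that is not Lync code; the class and method names, the lobby, and the use of a random conference key are assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Participant:
    name: str
    authenticated: bool  # True for users with corporate or federated credentials


@dataclass
class Conference:
    """Admission model for one conference bridge (constructed for this example)."""
    organizer: Participant
    key: str = field(default_factory=lambda: secrets.token_urlsafe(12))
    joined: List[Participant] = field(default_factory=list)
    lobby: List[Participant] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Only a credentialed user can schedule a conference.
        if not self.organizer.authenticated:
            raise PermissionError("only credentialed users can schedule a conference")

    def join(self, who: Participant, presented_key: Optional[str] = None) -> str:
        """Return 'joined', 'waiting' (held in lobby) or 'rejected'."""
        if who.authenticated:
            # An authenticated join starts the bridge and releases any waiting guests.
            self.joined.append(who)
            self.joined.extend(self.lobby)
            self.lobby.clear()
            return "joined"
        # Anonymous users must present the conference key from their invitation;
        # constant-time comparison avoids leaking the key through timing.
        if presented_key is None or not hmac.compare_digest(
            presented_key.encode(), self.key.encode()
        ):
            return "rejected"
        if any(p.authenticated for p in self.joined):
            self.joined.append(who)
            return "joined"
        # Valid invitation but nobody authenticated is on the bridge yet: hold.
        self.lobby.append(who)
        return "waiting"


def run_demo() -> List[str]:
    """Walk through the ordering rule with constructed participants."""
    alice = Participant("alice", authenticated=True)
    conf = Conference(organizer=alice)
    outcomes = [
        conf.join(Participant("guest1", False), conf.key),     # waiting: bridge not started
        conf.join(Participant("guest2", False), "not-the-key"),  # rejected: bad key
        conf.join(Participant("guest3", False)),                # rejected: no key
        conf.join(alice),                                       # joined, guest1 released
        conf.join(Participant("guest4", False), conf.key),     # joined: bridge is live
    ]
    return outcomes


if __name__ == "__main__":
    print(run_demo())
```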
Additionally, Microsoft IT follows standard operations best practices on all servers to help ensure the configuration remains protected against risks. For example, all servers have automatic updates configured, run antivirus software with scheduled scans, and are hardened to remove unnecessary services.
To help protect against common Internet-based threats such as worms, viruses, and Trojans, Microsoft IT deploys the intelligent IM filtering that is part of Lync, disables clickable hyperlinks from external parties, and blocks many types of files that can be transferred through Lync. For additional control over spam over instant messaging (SPIM), users must add a contact in Lync before accepting instant messages from public IM connectivity (PIC) contacts.
DEPLOYMENT AND MIGRATION
The process to design and deploy Lync Server 2010 took place in several phases because of
the dependencies involved in implementing the infrastructure and taking time to test and
verify before onboarding users. Microsoft IT carried out the following deployment phases in
the project:
1. Prepare infrastructure dependencies: Microsoft IT deployed the Lync Server environment by using new servers in all the data centers, and migrated to a new standard for hardware load balancing. Before deploying Lync, Microsoft IT carried out strict quality assurance processes on all servers.
2. Deploy servers: The deployment process involved using scripts to implement all server roles. These scripts undergo security and other validation checks to ensure they conform to best practices. Part of the audit process entails using checklists to verify functionality. The appendix includes sample checklists that Microsoft IT used.
3. Validate environment: The first group of users consisted of volunteers who signed up to test pre-release versions of Lync Server 2010 and associated clients. These users provided important feedback about their collaboration scenarios in order to validate the product before it was released to the general market. This testing also included server validation for reliability, scalability, performance, and manageability.
4. Deploy final product company-wide: After testing and validation completed, and after major and minor issues were fixed, Microsoft IT migrated users, features, and roles from Office Communication Server 2007 R2 to Lync Server 2010.
5. Feedback from end users drives future features and improvements: With the entire company on Lync 2010, end users continue to provide feedback that is tracked and submitted to the product team as opportunities to be considered for the next Lync release.
User Migration Process
The technical details of migration are relatively straightforward because they entail migrating
batches of users from a server pool that runs a previous version to a server pool that runs the
latest version.
End users receive e-mail communications before they are migrated to Lync to ensure they
understand how the migration may affect them. Microsoft IT uses client version control (CVC)
to manage which clients end users are able to use on the Lync Server environment. The
"block with URL" setting in CVC is used to tell users to upgrade their software client the first
time they log in. Although some concern existed that forcing upgrades would lead to user
dissatisfaction, Microsoft IT found that users generally preferred having the latest client so
they could take advantage of the full feature set of Lync Server 2010. For more information
about updating clients, see http://technet.microsoft.com/en-us/library/gg412977.aspx.
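The "block with URL" client version control setting described above, expressed as Lync Server 2010 Management Shell commands. This is an added example, not a script from the white paper; the upgrade URL, the decision to block only clients older than Lync 2010 (user agent OC, major version 4), and the rule description are assumptions made for this example.

```powershell
# Added example (not from the white paper): enforce client version control so that
# clients older than Lync 2010 are refused sign-in and shown an upgrade URL instead.
# Assumptions: the Lync Server Management Shell is available, the account holds
# CsServerAdministrator rights, and the upgrade URL below is a placeholder.
Import-Module Lync   # loads the Cs* cmdlets outside the management shell

$upgradeUrl = 'https://lync-upgrade.contoso.example/'   # placeholder for the real upgrade page

# Client version checking must be enabled at the global scope for any rule to apply.
# DefaultAction Allow means clients that match no rule are still admitted.
Set-CsClientVersionConfiguration -Identity Global -Enabled $true -DefaultAction Allow

# Lync 2010 identifies itself with user agent "OC" and major version 4.
# Anything with a lower major version (Office Communicator 2007 / 2007 R2) is blocked,
# and the user is redirected to the upgrade page rather than silently refused.
$ruleId = [guid]::NewGuid()
New-CsClientVersionPolicyRule -Parent Global -RuleId $ruleId `
    -UserAgent OC -MajorVersion 4 -CompareOp LSS `
    -Action BlockWithUrl -ActionUrl $upgradeUrl `
    -Description 'Block pre-Lync 2010 clients and point users at the upgrade page'

# Review the resulting rule set; rules are evaluated in Priority order, so confirm the
# new rule is not shadowed by an earlier, broader Allow rule.
Get-CsClientVersionPolicyRule -Filter 'Global/*' |
    Sort-Object Priority |
    Format-Table Priority, UserAgent, CompareOp, MajorVersion, Action, ActionUrl -AutoSize
```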
Using Education and Support to Help Manage Change
There are many approaches that Microsoft IT uses to help ensure a positive user experience
and to help educate users about the possibilities of Lync. One key strategy entails using the
Lync 2010 Adoption and Training Kit, which provides guidance about common Lync features
and best practices in the form of self-training guides and documents. The helpdesk support
personnel who handle Lync issues also received adoption and training material customized to
help them handle support issues related to Lync.
Microsoft IT creates many education opportunities for all users throughout the deployment of
Lync Server 2010, including the following options:
- Self-guided: Self-guided modules provide an effective learning method for users.
- Online instructor-led: Online instructor-led training is offered on Lync basics and
conferencing via the Microsoft IT Productivity Center in Fargo, ND.
- In-person: A team of four subject matter experts provides in-person, instructor-led
training. These experts deliver hands-on training to small groups. Similarly, Site IT
Managers hold sessions to explain usage scenarios and familiarize users with Lync
2010. If users miss a session, they may view a similar one online as a recorded session.
- Resource kit document collection: Many users also use the downloadable
documentation and quick reference materials included in the resource kit.
All of these education opportunities span the continuum of self-study to instructor-led study
available in multiple media formats, on demand, and in a scheduled way. Microsoft IT
purposefully created many education opportunities to ensure that users could easily obtain
critical training information in a time and format that works for them.
SUPPORTING AND MANAGING LYNC SERVER 2010
Microsoft IT uses a four-tier support structure split between a global support group that runs
helpdesk and desk-side support and the Lync Server 2010 engineering group. The following
tiers handle support for the environment:
- Tier 1: Call center through global support desk. Tier 1 answers front-line support
calls that are general in nature. It represents the first point of response for issues that
people have with Lync 2010 and cannot resolve by reading documentation or asking a
local expert. Support is available via phone and web chat.
- Tier 2: Escalation and desk-side support. For a small portion of support issues, a
group of Tier 2 technicians is available for Tier 1 escalations.
- Tier 3: Escalation for server-side fixes. If a support issue is serious in nature and
cannot be resolved immediately, or is urgent, a staff member can route it directly to
the team that handles the specific issue, or directly to the last tier if it is clearly a
Lync-specific issue. This may involve escalation to sustaining engineering or to the
product teams via Customer Technical Support (CTS).
- Tier 4: Engineering. As the last tier, the engineering team handles issues related
directly to the core Lync infrastructure.
On average, during the initial deployment, the support staff handled 500-800 requests per
month. Most of the issues were related to client install and uninstall, authentication errors,
and online meetings or options. Tier 1 resolves over 80 percent of support tickets. Tier 1
and Tier 2 combined resolve approximately 95 percent of tickets.
Support Tools
Microsoft IT relies on a centralized System Center Operations Manager infrastructure and a
variety of tools to help carry out monitoring and support functions:
- Operations Manager: The Lync Server 2010 Monitoring Management Pack provides
end-to-end monitoring of Lync for Operations Manager, such as alerting operators when
Lync processes exceed a defined performance threshold. The management pack also
enables Microsoft IT to perform synthetic transactions that simulate user behaviors such
as joining a meeting or sending IM traffic.
- SQL Server Reporting Services (SSRS): The Monitoring role included in Lync
Server 2010 enables Microsoft IT to use the standard Lync reports based on call detail
recording (CDR) and Quality of Experience (QoE) data. Microsoft IT also creates custom
SSRS reports from CDR and QoE data that give end users and teams additional reports for
their business needs. Microsoft IT administrators specify permissions for users and groups
and access the built-in reports on system usage, call diagnostics, and media diagnostics.
The available reports show system summary statistics, such as top failures and conference
summary, as well as detailed reports about server performance or per-user activity.
- Perfmon: For monitoring performance metrics, Microsoft IT uses Perfmon to monitor
concurrent connections to the Lync pools to ensure pools are properly load balanced.
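The Perfmon load-balance check described above, automated across the Front End servers of one pool. This is an added example and not Microsoft IT's own tooling; the counter path (the Lync Server 2010 "LS:SIP - Peers" counter set is assumed here), the server names, and the 25 percent tolerance are placeholders chosen for this example.

```powershell
# Added example (not part of the white paper): sample the active SIP connection count
# on each Front End server of a pool and flag any server whose share of the connections
# is far from an even split, which is the condition the Perfmon check looks for.
# Assumptions: counter path (assumed Lync 2010 counter set), server names, tolerance.
$frontEnds = 'fe01.contoso.example', 'fe02.contoso.example', 'fe03.contoso.example'
$counter   = '\LS:SIP - Peers(_Total)\SIP - Connections Active'
$tolerance = 0.25   # flag a server more than 25% above or below the per-server mean

# One sample from every server; an unreachable server is reported, not silently dropped.
$perServer = @{}
foreach ($fe in $frontEnds) {
    try {
        $sample = (Get-Counter -ComputerName $fe -Counter $counter -ErrorAction Stop).CounterSamples |
                  Select-Object -First 1
        $perServer[$fe] = [int]$sample.CookedValue
    } catch {
        $perServer[$fe] = $null   # "no data" is distinct from zero connections
    }
}

$reachable = @($perServer.GetEnumerator() | Where-Object { $_.Value -ne $null })
$total = ($reachable | Measure-Object -Property Value -Sum).Sum
$mean  = if ($reachable.Count -gt 0) { $total / $reachable.Count } else { 0 }

# Each signed-in device holds its own SIP connection, so this counts end points, not users.
$report = foreach ($entry in ($perServer.GetEnumerator() | Sort-Object Name)) {
    $status = if ($entry.Value -eq $null) { 'NO DATA' }
              elseif ($mean -gt 0 -and ([math]::Abs($entry.Value - $mean) / $mean) -gt $tolerance) { 'IMBALANCED' }
              else { 'OK' }
    New-Object PSObject -Property @{
        Server = $entry.Name; ActiveConnections = $entry.Value
        MeanPerServer = [math]::Round($mean); Status = $status
    }
}
$report | Format-Table Server, ActiveConnections, MeanPerServer, Status -AutoSize
"Total active SIP connections across the pool: $total"
```

A persistent IMBALANCED result on one server usually points at the hardware load balancer's persistence or health-probe configuration rather than at the server itself.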
BEST PRACTICES
In the course of designing, deploying, and operating Lync Server 2010, Microsoft IT learned
practical lessons from the many teams involved that have helped ensure a successful
deployment and an excellent user experience. These best practices include the following:
- Audit Edge role and firewall configuration: Communication traffic takes place over
multiple protocols and ports and, with external user support, crosses a few security
boundaries. Traffic traversal among boundaries may break with incorrect configurations.
Microsoft IT uses various manual and automatic configuration audits to test end-to-end
user scenarios and ensure everything functions as expected. For example, Microsoft IT
disables real-time antivirus scanning on Edge servers to ensure this process does not
affect audio quality.
- Verify dual-home configuration on Edge role: A common configuration issue involves
the firewall rules, routing, and addressing of the network interfaces on Edge servers. The
auditing and verification process includes checks to ensure the configuration functions
as designed.
- Test and verify session persistence for SSL: Certificate configuration and session
persistence are crucial to the proper functioning of Lync Server 2010. Before deploying
in a production environment, Microsoft IT tested and verified stickiness, and then verified
it again upon putting gateways into production. See Appendix A for more details.
- Ensure back-end servers are not performance-bound: In Microsoft IT's experience,
as users and end points on the pool increase, back-end disk throughput needs to be
monitored to ensure that processing latency is not affecting the user experience.
- Guide users through device choices: The testing and verification program Microsoft
IT started to certify and test devices such as headsets helped ensure a smooth user
experience by working out functionality, form factor, and compatibility issues early on. It
is a best practice for each organization to perform its own due diligence on devices and
select the ones that best meet organizational needs.
- Create training, onboarding, and evangelism programs: One key component of the
rapid adoption of Lync within Microsoft has been the strategy of onboarding people who
will champion the product and evangelize the technology, and of providing training in
many modalities in order to appeal to a broad set of users. Ensure that users have
adequate ability to provide feedback so that course corrections can be made as needed.
- Shared commitments: With infrastructure, operations, implementation, user adoption,
and other teams involved in deploying Lync Server 2010, it is vital for Microsoft IT to
share commitments among groups to remedy issues and achieve a high service quality.
- Think of sizing and capacity in terms of end points, not users: With users having
multiple devices, as user load increases it is important to monitor server and load
balancer performance to fine-tune details such as database caching and disk
throughput.
- Manage certificates: Session persistence and certificate issues for dual-homed Edge
servers are common areas where problems may arise. It is a best practice to manage
certificate issuance to ensure a trusted authority grants certificates, and to create a
maintenance plan to replace certificates before they expire.
APPENDIX: SERVER DEPLOYMENT CHECKLISTS
During server deployment, Microsoft IT automates installation and configuration, making the
deployment process more about verifying and auditing tasks than following a systematic
process. There are three separate checklists: one used to ensure deployment readiness, one
for deployment, and one to verify successful completion of deployment processes. The
deployment checklist is short and consists of running a command to start the installation
routine and verifying that the routine completes. Table 4 lists the steps in the pre-deployment
checklist.
Table 4. Pre-deployment checklist
Task: Details
- Verify hardware meets requirements: Check CPU, disk, memory, and hardware against
design.
- Confirm AD and networking details: Verify AD site, OU, network IP address, server name,
NIC set to Auto for speed and duplexing, and WINS/DNS resolution; update NIC drivers if
necessary.
- Check swap file: Ensure swap file is set to 16 GB.
- Verify time sync: Ensure time zone is correct and time syncs to DC.
- Configure external NIC: Run batch file to configure, then validate.
- Configure and validate certificates: Import certificates, install, validate, and record
expiration dates.
- Check NTLM: Local Policy encryption settings changed to 'No minimum'.
- Install pre-requisites and any KBs: KB981575, KB2028997, and KB981836.
- Verify tools installation: Install standard suite of management tools, such as NetMon.
- Install SQL Management Studio on back-end servers: Verify installation on all back-end
servers.
- Install admin and Resource Kit: Install on all servers.
After deployment, Microsoft IT verifies security and other settings and performs the
post-deployment steps shown in Table 5.
Table 5. Post-deployment checklist
Task: Details
- Install updates: Install Lync-specific updates, such as cumulative update 3 or later.
Also install the latest Office Communications Server 2007 R2 cumulative update.
- Verify installation path: Should be D:\Program Files\Microsoft Lync Server 2010.
- Check file share: Check permissions on E:\LyncFS and D:\LyncFS.
- Verify IPSec exception: All servers should be exempted from global policy.
- Federation router: For a new site, create a Federation Router between the new site and
the federated edge.
- Verify operations details: Use CollectSrvInfo to verify backup schedules and certificate
info.
- Validate CMS: Export the topology with Topology Builder, push out pool-level config, and
verify it exists on the server.
- End-to-end functionality: Validate functionality of core services (end-to-end with two
Lync clients). Ensure Topology Validator tests all pass.
- Review logs: App/System event logs; set log size to 30720.
- Update documentation: Record status of items; update records in tracking database.
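A read-only audit script for several of the Table 4 and Table 5 items, run locally on a Lync server, that also records certificate expiry as the "Manage certificates" best practice calls for. This is an added example, not Microsoft IT's own checklist script; the expected values are the ones the tables state (16 GB swap file, the D:\ install path, the LyncFS shares, log size 30720, taken here as kilobytes), and the 60-day certificate warning window is an assumption.

```powershell
# Added example (not Microsoft IT's script): verify a subset of the pre- and post-
# deployment checklist items on this server and exit non-zero if any check fails.
# Assumptions: values from Tables 4 and 5; log size 30720 read as KB; 60-day cert window.
$expectedInstallPath = 'D:\Program Files\Microsoft Lync Server 2010'
$expectedSwapMB      = 16 * 1024
$expectedLogKB       = 30720
$certWarnDays        = 60

$results = @()
function Add-Check([string]$name, [bool]$ok, [string]$detail) {
    $script:results += New-Object PSObject -Property @{ Check = $name; Pass = $ok; Detail = $detail }
}

# Table 4: swap file fixed at 16 GB (Win32_PageFileSetting reports sizes in MB).
$pf = Get-WmiObject Win32_PageFileSetting | Select-Object -First 1
$swapOk = ($pf -ne $null) -and ($pf.InitialSize -eq $expectedSwapMB) -and ($pf.MaximumSize -eq $expectedSwapMB)
Add-Check 'Swap file 16 GB' $swapOk "$($pf.Name): $($pf.InitialSize)-$($pf.MaximumSize) MB"

# Table 4: time must sync to a domain controller, not the local clock.
$source = (w32tm /query /source 2>&1) -join ' '
Add-Check 'Time source is not local clock' ($source -notmatch 'Local CMOS Clock|Free-running') $source

# Table 4 and "Manage certificates": record expiry of every certificate with a private key.
$soon = (Get-Date).AddDays($certWarnDays)
foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })) {
    Add-Check "Certificate $($cert.Subject)" ($cert.NotAfter -gt $soon) "expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
}

# Table 5: installation path and file share locations (share ACL recorded for review).
Add-Check 'Install path' (Test-Path $expectedInstallPath) $expectedInstallPath
foreach ($share in 'E:\LyncFS', 'D:\LyncFS') {
    if (Test-Path $share) {
        $acl = (Get-Acl $share).Access | ForEach-Object { "$($_.IdentityReference)=$($_.FileSystemRights)" }
        Add-Check "File share $share" $true ($acl -join '; ')
    } else {
        Add-Check "File share $share" $false 'missing'
    }
}

# Table 5: Application and System event logs sized to 30720 KB.
foreach ($log in 'Application', 'System') {
    $size = (Get-EventLog -List | Where-Object { $_.Log -eq $log }).MaximumKilobytes
    Add-Check "$log log size" ($size -eq $expectedLogKB) "$size KB"
}

$results | Format-Table Check, Pass, Detail -AutoSize
if ($results | Where-Object { -not $_.Pass }) { exit 1 }   # non-zero exit for the audit pipeline
```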
Deployment Verification
After deploying and configuring servers, Microsoft IT verifies the functionality and features to
ensure that core scenarios function as expected. Table 6 lists the functionality tests
performed.
Table 6. Feature validation checklist
Task: Details
- Check service installation: Ensure services are running.
- Peer to Peer IM: Send IM message.
- Group IM: Send IM to group.
- Presence: Confirm presence works.
- Peer to Peer AV Conference: Initiate two-party AV conference.
- AV Conference: Initiate multiparty AV conference.
- Peer to Peer PSTN call: Place call to peer.
- Outbound PSTN call: Place outbound call.
- Address Book: Search contact in address book.
- Location Policy: Verify policy application.
- Location Information Service configuration: Verify configuration per spec.
- Dial in Conferencing: Call into conference.
- Address Book Web Query: Test address book.
- Client Authentication: Ensure client access in all scenarios.
- Federation: Verify federation configuration.
- Phone Bootstrap: Verify bootstrapping.
- Outlook Plugin meeting can be scheduled: Schedule meeting from Outlook; verify content
and PSTN functionality.
- IM Filtering configuration: Verify filters.
- Audio Call: Place Enterprise Voice call.
- Desktop Sharing: View, share control, check functionality.
- Outside User IM/Audio/Desktop Sharing (Share Control): Verify desktop sharing for
partner account.
- File Transfer Filtering configuration: Verify filtering configuration for files.
- Device Update settings: Check Windows Update settings.
- Response Group Service configuration: Check RGS settings.
- Edge connectivity: Verify the edge connectivity with both Office Communications
Server 2007 R2 (if applicable) and Lync Server 2010.
- Exchange UM validation: Ensure Exchange integration works.
Microsoft IT conducts the deployment verification detailed in Table 6 for all server pools. In
the scenario where Lync Server 2010 coexists with Office Communications Server 2007 R2,
both versions of server pools are verified after deployment.
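The Table 6 scenarios that Lync Server 2010 ships synthetic transaction cmdlets for, run against one pool with a pass/fail summary. This is an added example, not Microsoft IT's verification script; the pool FQDN and the two test accounts are placeholders, and it assumes two ordinary Lync-enabled users created for validation and the Lync Server Management Shell.

```powershell
# Added example (not from the white paper): exercise the Table 6 scenarios that have a
# matching Test-Cs* synthetic transaction and summarize Result and latency per scenario.
# Assumptions: placeholder pool FQDN and SIP addresses; two enabled test users.
Import-Module Lync
$pool  = 'pool01.contoso.example'
$user1 = 'sip:lynctest1@contoso.example'
$user2 = 'sip:lynctest2@contoso.example'
$cred1 = Get-Credential -Message "Credentials for $user1"
$cred2 = Get-Credential -Message "Credentials for $user2"

# Each entry pairs a Table 6 task with the cmdlet that exercises it from the pool's view.
$tests = @(
  @{ Name = 'Client Authentication';  Run = { Test-CsClientAuth -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
  @{ Name = 'Registration';           Run = { Test-CsRegistration -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
  @{ Name = 'Peer to Peer IM';        Run = { Test-CsIM -TargetFqdn $pool -SenderSipAddress $user1 -SenderCredential $cred1 -ReceiverSipAddress $user2 -ReceiverCredential $cred2 } }
  @{ Name = 'Group IM';               Run = { Test-CsGroupIM -TargetFqdn $pool -SenderSipAddress $user1 -SenderCredential $cred1 -ReceiverSipAddress $user2 -ReceiverCredential $cred2 } }
  @{ Name = 'Presence';               Run = { Test-CsPresence -TargetFqdn $pool -PublisherSipAddress $user1 -PublisherCredential $cred1 -SubscriberSipAddress $user2 -SubscriberCredential $cred2 } }
  @{ Name = 'Peer to Peer AV';        Run = { Test-CsP2PAV -TargetFqdn $pool -SenderSipAddress $user1 -SenderCredential $cred1 -ReceiverSipAddress $user2 -ReceiverCredential $cred2 } }
  @{ Name = 'AV Conference';          Run = { Test-CsAVConference -TargetFqdn $pool -SenderSipAddress $user1 -SenderCredential $cred1 -ReceiverSipAddress $user2 -ReceiverCredential $cred2 } }
  @{ Name = 'Address Book';           Run = { Test-CsAddressBookService -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
  @{ Name = 'Address Book Web Query'; Run = { Test-CsAddressBookWebQuery -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
  @{ Name = 'Dial in Conferencing';   Run = { Test-CsDialInConferencing -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
  @{ Name = 'Location Policy';        Run = { Test-CsLocationPolicy -TargetFqdn $pool -UserSipAddress $user1 -UserCredential $cred1 } }
)

# A thrown exception (for example, a pool that cannot be reached) is a failure too,
# so it is captured and reported instead of aborting the run.
$summary = foreach ($t in $tests) {
    try {
        $r = & $t.Run
        New-Object PSObject -Property @{ Scenario = $t.Name; Result = $r.Result
            LatencyMs = [int]$r.Latency.TotalMilliseconds; Error = $r.Error }
    } catch {
        New-Object PSObject -Property @{ Scenario = $t.Name; Result = 'Failure'
            LatencyMs = $null; Error = $_.Exception.Message }
    }
}
$summary | Format-Table Scenario, Result, LatencyMs, Error -AutoSize
if ($summary | Where-Object { $_.Result -ne 'Success' }) { exit 1 }
```

The remaining Table 6 items (PSTN calls, federation, phone bootstrap, desktop sharing, Exchange UM) depend on Enterprise Voice, Edge, device, or Exchange prerequisites and are left to the manual checks in the table.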
FOR MORE INFORMATION
For more information about Microsoft products or services, call the Microsoft Sales
Information Center at (800) 426-9400. In Canada, call the Microsoft Canada information
Centre at (800) 563-9048. Outside the 50 United States and Canada, please contact your
local Microsoft subsidiary. To access information through the World Wide Web, go to:
http://www.microsoft.com
http://www.microsoft.com/technet/itshowcase
The information contained in this document represents the current view of Microsoft Corporation on the issues
discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it
should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the
accuracy of any information presented after the date of publication.
This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS,
IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or
transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights
covering subject matter in this document. Except as expressly provided in any written license agreement from
Microsoft, the furnishing of this document does not give you any license to these patents, trademarks,
copyrights, or other intellectual property.
Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses,
logos, people, places, and events depicted herein are fictitious, and no association with any real company,
organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be
inferred.
© 2011 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, Excel, Lync, PowerPoint, SharePoint, Silverlight, SQL Server, Windows, and
Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries.
All other trademarks are property of their respective owners.