Solved

Cannot connect to Lync Online (Office 365)

Posted on 2016-10-07
Last Modified: 2016-10-24
Hello experts,

We were using an on-premise Lync 2013 Server for the last 2 years. Now that our group has merged with another group, we chose to go 'cloud' with them.

So what we did was to change our local split-DNS and external DNS entries, according to documentation found on some office365 websites.

BTW Exchange works fine for everyone.

Most of our users are connecting to Skype for Business Online, but at some locations, our employees cannot. They are all getting the same error regarding DNS.

(I'll replace our external domain name for contoso)

"Can't sign in to Skype for Business"

"Skype for Business couldn't find a Skype for Business Server for contoso.ca. There might be an issue with the Domain Name System (DNS) configuration for your domain. See KB2566790 for details and contact your system admin."

Every location has a DC with DNS server role. So I've checked our internal DNS servers, to make sure everything was replicating fine, and it does. All our DNS servers have the following entries regarding Lync:

Forward Lookup Zones

- contoso.ca
name: lyncdiscover    Type: CNAME     Data: webdir.online.lync.com
name: sip    Type: CNAME     Data: sipdir.online.lync.com

- _tcp
name: _sipfederationtls    Type: SRV     Data: sipfed.online.lync.com (5061)

- _tls
name: _sip    Type: SRV     Data: sipdir.online.lync.com (443)


If I run a ‘lync connectivity analyzer’ on a problematic workstation, I get the following error:

Server discovery failed for unsecured external channel against http://lyncdiscover.contoso.ca/

I attached the log file.

Thanks for any help you could provide
LCAT.log
Question by:deewave
10 Comments
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 41834127
The easiest way to confirm whether it's a DNS issue is to configure SfB manually. So File -> Personal -> Advanced -> Manual config -> set sipdir.online.lync.com:443 for both internal/external -> confirm -> restart the client. Cleaning your sign-in info or directly the profile dir (under C:\Users\XXXX\AppData\Local\Microsoft\Office\16.0\Lync) can also help in some situations.

If you are able to connect, focus on finding out why the DNS lookup is failing. If you still cannot connect, might be a firewall/proxy issue or something else entirely. Another common situation is when the SIP address doesn't match the UPN and users confuse what to enter where, the error message you get in such cases can sometimes be a bit convoluted...
 

Author Comment

by:deewave
ID: 41834199
Hi Vasil

I've tried sipdir.online.lync.com:443 for both internal and external server name, now I get the error
"The server is temporarily unavailable. If the problem continues, please contact your support team."

I've also tried to browse https://sipdir.online.lync.com from a working location and the other.
From the working one, I browse a page with some text

Status: 404 Not Found
Server: RTC/7.0
FQDN: BN11A01EDG08.infra.lync.com

From a problematic location, I simply cannot get to the page: "The webpage cannot be found"

Also, I've tested with Google's DNS as primary nameserver, and I can connect on Lync!
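The comparison suggested by the Google DNS test above, as an added example that is not part of the original thread: it queries the four records listed in the question through an internal DNS server and through a public resolver and flags any difference. The internal server address `10.0.0.10` is a placeholder, and `contoso.ca` is the stand-in domain from the question.

```powershell
# Added example: compare the Skype for Business Online DNS records as seen by
# an internal DNS server and by a public resolver.
# Assumptions: 10.0.0.10 is a placeholder for the site's DC/DNS server;
# contoso.ca is the stand-in domain used in the question.
$Domain    = 'contoso.ca'
$Resolvers = [ordered]@{ Internal = '10.0.0.10'; Public = '8.8.8.8' }

# Expected values are the ones listed in the question.
$Expected = @(
    @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com'; Port = $null }
    @{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com'; Port = $null }
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
    @{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Target = 'sipdir.online.lync.com'; Port = 443 }
)

$results = foreach ($r in $Resolvers.GetEnumerator()) {
    foreach ($e in $Expected) {
        $status = 'Missing'; $seen = $null
        try {
            # -DnsOnly skips LLMNR/NetBIOS/hosts so only the named server answers.
            $answer = Resolve-DnsName -Name $e.Name -Type $e.Type -Server $r.Value `
                          -DnsOnly -ErrorAction Stop |
                      Where-Object { $_.Type -eq $e.Type } | Select-Object -First 1
            if ($answer) {
                if ($e.Type -eq 'SRV') {
                    $seen = '{0}:{1}' -f $answer.NameTarget, $answer.Port
                    $ok   = ($answer.NameTarget.TrimEnd('.') -eq $e.Target) -and ($answer.Port -eq $e.Port)
                } else {
                    $seen = $answer.NameHost
                    $ok   = $answer.NameHost.TrimEnd('.') -eq $e.Target
                }
                $status = if ($ok) { 'OK' } else { 'Mismatch' }
            }
        } catch {
            # NXDOMAIN, timeouts and refused queries end up here.
            $status = "Error: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Resolver = $r.Key; Name = $e.Name; Type = $e.Type; Seen = $seen; Status = $status }
    }
}
$results | Format-Table -AutoSize
```

Run it from a workstation at a failing site and again at a working one; a row that is `OK` for the public resolver but `Missing`, `Mismatch` or `Error` for the internal one points at the local DNS server or its forwarders rather than at the client.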
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 41834282
Looks like a firewall/proxy issue on top of the DNS one? Better check with your network guys.

Author Comment

by:deewave
ID: 41834371
Well, I'm the network guy ;)

I'm 99% sure it's not a firewall issue. We have SonicWall routers everywhere, with the same security config for each location (except our datacenter which is not part of this matter). I gave it a try though, with no security (antivirus, app control, etc...), same result.

I've noticed the locations that are not a full /24 subnet all have the problem. Simple coincidence?
 

Author Comment

by:deewave
ID: 41838867
If I log on my user's computer with his credentials, I can't open SfB as mentioned above. But if I log on his computer with the domain admin account, and put my user's credentials in SfB, it works perfect!

I tried to give my user local admin rights to his pc, but it doesn't resolve the problem.

I also tried to log on his pc with my credentials (I'm member of Domain Admin group), but it gave the same error as above.

So, that being said, what could cause this issue? Obviously it has something to do with rights.

Thanks for any help you could provide

Martin
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 41838925
Are you perhaps using mandatory profiles or similar? Or restricting access to the registry? SfBO uses certificate-based auth and the user must have enough permissions to create a certificate and store it in the registry. You can check whether there are any "communications server" certificates under certmgr.msc -> Personal.
 

Author Comment

by:deewave
ID: 41840223
I'm not quite sure what mandatory profiles are, and how to verify if we have any. All I know is that Skype is working fine for that same user with DNS 8.8.8.8 or logging from another location.

No there are no certificates in his Personal\Certificates store.
I tried to export the one created with the domain admin account, and import it in his store. It imported successfully (so I guess he can create a cert and write to registry), but it's still failing to connect to SfB.
 
LVL 40

Expert Comment

by:Vasil Michev (MVP)
ID: 41840442
Not sure, you seem to have a few issues contributing to this. The manual configuration should bypass any issues with the local DNS servers, but apart from that there seems to be something else in play. Perhaps you are forcing a proxy or different firewall rules for the different profile types?
 

Accepted Solution

by:deewave
ID: 41850054
After more than a week, finally found the culprit.

Some of our divisions have a VPN tunnel to our HeadOffice. These divisions were not in problem. When I set the tunnel also from the other divisions, Lync started to work again.
Even if Lync Online is on the cloud, authentication has to be made against our AD. This authentication is done from the Head Office.
I don't know what suddenly caused the issue (surely something on the Head Office side), but having a tunnel from each location to the Head Office resolved the issue.

Thanks Vasil for your time.
 

Author Closing Comment

by:deewave
ID: 41856718
found my own solution