Solved

Cannot connect to Lync Online (Office 365)

Posted on 2016-10-07
Last Modified: 2016-10-24
Hello experts,

We were using an on-premise Lync 2013 Server for the last 2 years. Now that our group has merged with another group, we chose to go 'cloud' with them.

So what we did was to change our local split-DNS and external DNS entries, according to documentation found on some Office 365 websites.

BTW Exchange works fine for everyone.

Most of our users are connecting to Skype for Business Online, but at some locations, our employees cannot. They are all getting the same error regarding DNS.

(I'll replace our external domain name for contoso)

"Can't sign in to Skype for Business"

"Skype for Business couldn't find a Skype for Business Server for contoso.ca. There might be an issue with the Domain Name System (DNS) configuration for your domain. See KB2566790 for details and contact your system admin."

Every location has a DC with the DNS server role. So I've checked our internal DNS servers to make sure everything was replicating fine, and it is. All our DNS servers have the following entries regarding Lync:

Forward Lookup Zones

- contoso.ca
name: lyncdiscover    Type: CNAME     Data: webdir.online.lync.com
name: sip    Type: CNAME     Data: sipdir.online.lync.com

- _tcp
name: _sipfederationtls    Type: SRV     Data: sipfed.online.lync.com (5061)

- _tls
name: _sip    Type: SRV     Data: sipdir.online.lync.com (443)


If I run the 'Lync Connectivity Analyzer' on a problematic workstation, I get the following error:

Server discovery failed for unsecured external channel against http://lyncdiscover.contoso.ca/

I attached the log file.

Thanks for any help you could provide
LCAT.log
Question by:deewave
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
The easiest way to confirm whether it's a DNS issue is to configure SfB manually. So File -> Personal -> Advanced -> Manual config -> set sipdir.online.lync.com:443 for both internal/external -> confirm -> restart the client. Cleaning your sign-in info or directly the profile dir (under C:\Users\XXXX\AppData\Local\Microsoft\Office\16.0\Lync) can also help in some situations.

If you are able to connect, focus on finding out why the DNS lookup is failing. If you still cannot connect, it might be a firewall/proxy issue or something else entirely. Another common situation is when the SIP address doesn't match the UPN and users confuse what to enter where; the error message you get in such cases can sometimes be a bit convoluted...
0
 

Author Comment

by:deewave
Hi Vasil

I've tried sipdir.online.lync.com:443 for both internal and external server name, now I get the error
"The server is temporarily unavailable. If the problem continues, please contact your support team."

I've also tried to browse https://sipdir.online.lync.com from a working location and the other.
From the working one, I browse a page with some text

Status: 404 Not Found
Server: RTC/7.0
FQDN: BN11A01EDG08.infra.lync.com

From a problematic location, I simply cannot get to the page: "The webpage cannot be found"

Also, I've tested with Google's DNS as primary nameserver, and I can connect on Lync!
0
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Looks like a firewall/proxy issue on top of the DNS one? Better check with your network guys.
0
 

Author Comment

by:deewave
Well, I'm the network guy ;)

I'm 99% sure it's not a firewall issue. We have SonicWall routers everywhere, with the same security config for each location (except our datacenter which is not part of this matter). I gave it a try though, with no security (antivirus, app control, etc...), same result.

I've noticed the locations that are not a full /24 subnet all have the problem. Simple coincidence?
0
 

Author Comment

by:deewave
If I log on my user's computer with his credentials, I can't open SfB as mentioned above. But if I log on his computer with the domain admin account, and put my user's credentials in SfB, it works perfect!

I tried to give my user local admin rights to his pc, but it doesn't resolve the problem.

I also tried to log on his pc with my credentials (I'm member of Domain Admin group), but it gave the same error as above.

So, that being said, what could cause this issue? Obviously it has something to do with rights.

Thanks for any help you could provide

Martin
0

 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Are you perhaps using mandatory profiles or similar? Or restricting access to the registry? SfBO uses certificate-based auth and the user must have enough permissions to create a certificate and store it in the registry. You can check whether there are any "communications server" certificates under certmgr.msc -> Personal.
0
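The checks raised in the thread so far (the four DNS records from the question, the comparison with Google's DNS, reachability of sipdir.online.lync.com on port 443, and the certificate in the user's Personal store), collected into one PowerShell script as an added example that is not from any poster. `contoso.ca` is the placeholder domain used in the question and `10.0.0.10` is a constructed internal DNS server address.

```powershell
# Added example. Assumptions: contoso.ca is the question's placeholder domain,
# 10.0.0.10 is a constructed address standing in for the site's internal DNS server.
$Domain    = 'contoso.ca'
$Resolvers = @('10.0.0.10', '8.8.8.8')

# Records exactly as listed in the question (Port applies to SRV records only)
$Expected = @(
    @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
    @{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
    @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
    @{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Target = 'sipdir.online.lync.com'; Port = 443 }
)

# Ask each resolver for each record and compare the answer with the expected value
$results = foreach ($server in $Resolvers) {
    foreach ($rec in $Expected) {
        $status = 'MISSING'
        try {
            $answers = @(Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $server `
                            -DnsOnly -ErrorAction Stop |
                         Where-Object { $_.Type -eq $rec.Type })
            if ($answers.Count -gt 0) {
                $a      = $answers[0]
                $target = if ($rec.Type -eq 'SRV') { $a.NameTarget } else { $a.NameHost }
                $portOk = ($rec.Type -ne 'SRV') -or ($a.Port -eq $rec.Port)
                $status = if ($target.TrimEnd('.') -eq $rec.Target -and $portOk) { 'OK' }
                          else { "MISMATCH: $target" }
            }
        } catch {
            $status = "ERROR: $($_.Exception.Message)"
        }
        [pscustomobject]@{ Resolver = $server; Record = $rec.Name; Type = $rec.Type; Status = $status }
    }
}
$results | Format-Table -AutoSize

# TCP reachability of the manual-configuration endpoint (uses the system resolver)
$tcp = Test-NetConnection -ComputerName 'sipdir.online.lync.com' -Port 443
"sipdir.online.lync.com:443 reachable: $($tcp.TcpTestSucceeded) (resolved to $($tcp.RemoteAddress))"

# "Communications Server" certificates in the signed-in user's Personal store
$certs = @(Get-ChildItem Cert:\CurrentUser\My |
           Where-Object { $_.Issuer -match 'Communications Server' })
"Communications Server certificates in Personal store: $($certs.Count)"
```

Run it as the affected user on a problematic workstation and again at a working location, then compare the two outputs line by line.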
 

Author Comment

by:deewave
I'm not quite sure what mandatory profiles are, and how to verify if we have any. All I know is that Skype is working fine for that same user with DNS 8.8.8.8 or logging from another location.

No there are no certificates in his Personal\Certificates store.
I tried to export the one created with the domain admin account, and import it in his store. It imported successfully (so I guess he can create a cert and write to registry), but it's still failing to connect to SfB.
0
 
LVL 38

Expert Comment

by:Vasil Michev (MVP)
Not sure, you seem to have a few issues contributing to this. The manual configuration should bypass any issues with the local DNS servers, but apart from that there seems to be something else in play. Perhaps you are forcing a proxy or different firewall rules for the different profile types?
0
 

Accepted Solution

by:deewave
After more than a week, finally found the culprit.

Some of our divisions have a VPN tunnel to our Head Office. These divisions did not have the problem. When I also set up the tunnel from the other divisions, Lync started to work again.
Even if Lync Online is in the cloud, authentication has to be made against our AD. This authentication is done from the Head Office.
I don't know what suddenly caused the issue (surely something on the Head Office side), but having a tunnel from each location to the Head Office resolved the issue.

Thanks Vasil for your time.
0
 

Author Closing Comment

by:deewave
found my own solution
0
