Moving from SfB Hybrid to Teams-only

Upgrading to Microsoft Teams from Skype for Business at Microsoft

Time to move from On-premises Hybrid to the cloud. What it takes and what could be the problems with the process?

End of Life for On-premises versions

Skype for Business 2015 mainstream end date was October 13, 2020. However, the extended support is available until October 14, 2025. This means you will have to pay for technical support, and Microsoft will provide free security updates but not quality updates until October 14, 2025. The latest on-premises version of Skype for Business Server, Skype for Business Server 2019, is still going on mainstream support. The extended support of SfB Server 2019 will also end on October 14, 2025.

Process before converting to Teams Only mode

This post will include fixing the common problems that you could see during the migrations and decommissioning process.

These steps will lead the way but are not the absolute truth for all. Lync or Skype is a very complex install if done in a Enterprise pool, there will be a lot of moving parts.

So please keep this in mind when reading this post.

Moving users

First assign licenses for users both Teams and Skype For Business license as they will be needed for migrating users.

Move users with Move-CSUser command with switches of your choosing.

Or example with this script from Sathish Veerapandian

Modify DNS records

To point them Microsoft 365 or remove the Lync Server DNS records if the SIP domain is no longer used.

Internal DNS:

  • Contains a DNS zone called contoso.com for which it is authoritative
  • The internal contoso.com zone contains:
    • DNS A and AAAA (if you are using IPv6 addressing) and SRV records for internal Lync Server 2013 client autoconfiguration (optional)
    • DNS A and AAAA (if you are using IPv6 addressing) or CNAME records for automatic discovery of Lync Server 2013 Web Services (optional)
    • DNS A and AAAA (if you are using IPv6 addressing) records for Front End pool name, Director or Director pool name, and all internal servers running Lync Server 2013 in the corporate network
    • DNS A and AAAA (if you are using IPv6 addressing) records for the Edge internal interface of each Lync Server 2013, Edge Server in the perimeter network
    • DNS A and AAAA (if you are using IPv6 addressing) records for the internal interface of each reverse proxy server in the perimeter network (optional for management of reverse proxy)
    • All Lync Server 2013  Edge Server internal edge interfaces in the perimeter network use the internal DNS zone for resolving queries to contoso.com
    • All servers running Lync Server 2013 and clients running Lync 2013 in the corporate network point to the internal DNS servers for resolving queries to contoso.com, or use of HOSTS file on each Edge server and list A and AAAA (if you are using IPv6 addressing) records for next hop server, specifically the Director or Director VIP, Front End pool VIP, or Standard Edition server

External DNS:

  • Contains a DNS zone called contoso.com for which it is authoritative
  • The external contoso.com zone contains:
    • DNS A and AAAA (if you are using IPv6 addressing) and SRV records for Lync Server 2013 client autoconfiguration (optional)
    • DNS A and AAAA (if you are using IPv6 addressing) or CNAME records for automatic discovery of Lync Server 2013 Web Services for use with mobility
    • DNS A and AAAA (if you are using IPv6 addressing) and SRV records for the Edge external interface of each Lync Server 2013, Edge Server or hardware load balancer virtual IP (VIP) in the perimeter network
    • DNS A and AAAA (if you are using IPv6 addressing) records for the external interface of the reverse proxy server or VIP for a pool of reverse proxy servers in the perimeter network

Custom domains

If you have *. name records in your domain then you should add these records to Public DNS.

DNS recordPurposeValue to use
SRV
(Skype for Business Online)
Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about Office 365 URLs and IP address ranges.Service: sipfederationtls
Protocol: TCP
Priority: 100
Weight: 1
Port: 5061
Target: sipfed.online.lync.com
Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record.
SRV
(Skype for Business Online)
Used by Skype for Business to coordinate the flow of information between Lync clients.Service: sip
Protocol: TLS
Priority: 100
Weight: 1
Port: 443
Target: sipdir.online.lync.com
CNAME
(Skype for Business Online)
Used by the Lync client to help find the Skype for Business Online service and sign in.Alias: sip
Target: sipdir.online.lync.com
For more information, see Office 365 URLs and IP address ranges.
CNAME
(Skype for Business Online)
Used by the Lync mobile client to help find the Skype for Business Online service and sign in.Alias: lyncdiscover
Target: webdir.online.lync.com

What if you don’t have access to the DNS-servers hosting the records, well then you have that much options.

You can remove the custom domain completely from Azure AD but if the users have email in use or other mandatory reasons why you cannot remove them.

Well then you have only one option and that is to disable the Sip Domain from Teams directly

This is an destructive command and should be run lightly. Microsoft Docs states.

Important: This cmdlet should not be run for domains that contain users hosted in Skype for Business Online. Any users in a sip domain that are already provisioned online will cease to function if you disable the online sip domain:

  • Their SIP addresses will be removed.
  • All contacts and meetings for these users hosted in Skype for Business Online will be deleted.
  • These users will no longer be able to login to the Skype for Business Online environment.
  • If these users use Teams, they will no longer be able to inter-operate with Skype for Business users, nor will they be able to federate with any users in other organizations.

Note: If the Tenant is enabled for Regionally Hosted Meetings in Skype for Business Online, Online SIP Domains must be disabled in all regions. You must execute this cmdlet in each region that is added in Allowed Data Location.

So this command will work for you if nothing else does and you can continue your journey to Teams.

Continuing the journey

Change the tenant mode to Teams Only Mode from GUI or Teams PowerShell.

To disable shared sip address space run the following command from a Teams PowerShell

To disable communication between the on-premises environment and Microsoft 365, run the following command from an on-premises PowerShell

Now you have a Teams Only environment, Hybrid (Shared Sip Address Space) removed.

What then?

Then you are happy with your Teams Only mode, you can continue with users attributes and their safe removal.

Clearing users attributes

If you run Get-CSuser | Disable-CSuser it won’t remove msRTCSIP-DeploymentLocator in many of the cases.

So the it will safer to remove all the existing attributes will be removed when we run the below PowerShell command.

The attributes can be managed from the on-premises AD. And you don’t have to worry about the msRTCSIP-PrimaryUserAddress as the users already have an Sip Address based on this attribute when they were licensed with Teams and a Skype For Business license when they were migrated.

msRTCSIP-Line attribute can be removed if the numbers will not be used in Teams for the Enterprise voice enabled users.

If there is later a requirement to provisioning phone numbers with a on-premises IAM solution, it is possible using msRTCSIP-Line attribute and populating international phone number to this attribute ex. +3589123123123

The scripts below can be used with the same CSV files that you did the migration with.

If you need to add SipAddress to users ProxyAddresses, you can do it with the below command.

Or to remove all but msRTCSIP-Line, use this.

Removing federated connections

Then you will contact the organizations that you had federation from, just to be nice. If they have on-premises Lync / Skype Edge configuration set to closed federation and they have your Access Edge defined, it will be still defined if they don’t remove it.

Decommissioning the On-premises topology

To check if there are any contacts or applications associated with the Lync on-premises deployment by running the following Lync PowerShell cmdlets.

  • Get-CsMeetingRoom
  • Get-CsCommonAreaPhone
  • Get-CsAnalogDevice
  • Get-CsExUmContact
  • Get-CsDialInConferencingAccessNumber
  • Get-CsRgsWorkflow
  • Get-CsTrustedApplicationEndpoint
  • Get-CsTrustedApplication
  • Get-CsPersistentChatEndpoint
  • Get-CsAudioTestServiceApplication
  • Get-CsCallParkOrbit
  • Get-CsUnassignedNumber

Then if objects can be removed, run the following Lync PowerShell cmdlets:

  • Get-CsMeetingRoom | Disable-CsMeetingRoom
  • Get-CsCommonAreaPhone | Remove-CsCommonAreaPhone
  • Get-CsAnalogDevice | Remove-CsAnalogDevice
  • Get-CsExUmContact | Remove-CsExUmContact
  • Get-CsDialInConferencingAccessNumber | Remove-CsDialInConferencingAccessNumber
  • Get-CsRgsWorkflow | Remove-CsRgsWorkflow
  • Get-CsTrustedApplicationEndpoint | Remove-CsTrustedApplicationEndpoint
  • Get-CsTrustedApplication | Remove-CsTrustedApplication -Force
  • Get-CsPersistentChatEndpoint |  Remove-CsPersistentChatEndpoint
  • Get-CsCallParkOrbit | Remove-CsCallParkOrbit -Force
  • Get-CsVoiceRoute | Remove-CsVoiceRoute -Force Get-CsUnassignedNumber | Remove-CsUnassignedNumber -Force

Logically remove the Lync / Skype deployment

Remove Edge pool associations and it’s dependencies and in the first run make a backup of possible CMS database if publish database to requires. If the SQL Database is fault-tolerant it could be needed before you can proceed.

Update your Skype for Business Server topology to have a single front-end pool:

Remove all the other Frontends but the primary that is hosting CMS, if you don’t you cannot remove the deployment.

  • In Topology Builder, download a new copy and navigate to the Frontend pool.
    1. Right-click the pool, and then click Edit Properties.
    2. In Associations, uncheck Associate Edge Pool (for media components) and click OK.
    3. If there is more than one Frontend Pool, remove Associations for all remaining pools, we have only one Pool
    4. Select Action > Remove Deployment.
    5. Select Action > Publish Topology.

After publishing the topology, complete the additional steps described in the wizard.

Remove Skype for Business Server conference directories by running the following Skype for Business Server PowerShell cmdlet:

Get-CsConferenceDirectory | Remove-CsConferenceDirectory -Force

Finalize the uninstall of your Skype for Business Server deployment by running the following Skype for Business Server PowerShell cmdlet:

Publish-CsTopology -FinalizeUninstall

Or if these don’t work, you can always burn it away by running.

C:\Program Files\Microsoft Lync Server 2013\Deployment\
or
C:\Program Files\Skype for Business Server 2015\Deployment\
run “Bootstrapper.exe /Scorch”

Remove Central Management Store Service Control Point by running the following Skype for Business Server PowerShell cmdlet:

Get-CsConfigurationStoreLocation | Remove-CsConfigurationStoreLocation

This will remove the RTC groups from your AD permissions structure and domain level modifications to containers.

Disable-CsAdDomain

If you have something wrong with your decommissioning or left-overs from old installs inside the AD containers, you will this error.

“Cannot remove the Active Directory settings for the domain due to ‘FE’ still being activated”

And you cannot go forward then you have to use Disable-CsADomain -force

With force forest preparation is rolled back even if the Disable-CsAdForest cmdlet detects that at least one of the domains in the forest is still prepared for Skype for Business Server. Rollback is forced by including the Force parameter.

This will remove the CS* groups from your AD and RTC container contents from the Schema and it’s also has -force parameter. You needs Enterprise admin rights to run this command.

Disable-CsAdForest

Don’t forget the rest

  1. Virtual machines removal
  2. Internal and external certificate revocation
  3. Removing firewall rules
  4. Removing Load balancers and proxys
  5. Removing VPN-connections for Lync / Skype services.
KEEP CALM AND USE MICROSOFT TEAMS - Keep Calm and Posters Generator, Maker  For Free - KeepCalmAndPosters.com
Author: Harri Jaakkonen

Leave a Reply

Your email address will not be published.

*

code