Time to move from on-premises hybrid to the cloud. What does it take, and what problems can come up in the process?
End of Life for On-premises versions
Skype for Business 2015 mainstream end date was October 13, 2020. However, extended support is available until October 14, 2025. This means you will have to pay for technical support, and Microsoft will provide free security updates but not quality updates until October 14, 2025. The latest on-premises version, Skype for Business Server 2019, is still in mainstream support. Extended support for SfB Server 2019 will also end on October 14, 2025.
Process before converting to Teams Only mode
This post includes fixes for the common problems that you could see during the migration and decommissioning process.
These steps will lead the way but are not the absolute truth for all. Lync or Skype is a very complex install if done in an Enterprise pool; there will be a lot of moving parts.
So please keep this in mind when reading this post.
Moving users
First assign both a Teams license and a Skype for Business license to the users, as both are needed for migrating them.
Move users with the Move-CsUser command, with switches of your choosing.
Or, for example, with this script from Sathish Veerapandian
Modify DNS records
Point them to Microsoft 365, or remove the Lync Server DNS records if the SIP domain is no longer used.
Internal DNS:
- Contains a DNS zone called contoso.com for which it is authoritative
- The internal contoso.com zone contains:
  - DNS A and AAAA (if you are using IPv6 addressing) and SRV records for internal Lync Server 2013 client autoconfiguration (optional)
  - DNS A and AAAA (if you are using IPv6 addressing) or CNAME records for automatic discovery of Lync Server 2013 Web Services (optional)
  - DNS A and AAAA (if you are using IPv6 addressing) records for Front End pool name, Director or Director pool name, and all internal servers running Lync Server 2013 in the corporate network
  - DNS A and AAAA (if you are using IPv6 addressing) records for the Edge internal interface of each Lync Server 2013, Edge Server in the perimeter network
  - DNS A and AAAA (if you are using IPv6 addressing) records for the internal interface of each reverse proxy server in the perimeter network (optional for management of reverse proxy)
- All Lync Server 2013 Edge Server internal edge interfaces in the perimeter network use the internal DNS zone for resolving queries to contoso.com
- All servers running Lync Server 2013 and clients running Lync 2013 in the corporate network point to the internal DNS servers for resolving queries to contoso.com, or use of HOSTS file on each Edge server and list A and AAAA (if you are using IPv6 addressing) records for next hop server, specifically the Director or Director VIP, Front End pool VIP, or Standard Edition server
External DNS:
- Contains a DNS zone called contoso.com for which it is authoritative
- The external contoso.com zone contains:
  - DNS A and AAAA (if you are using IPv6 addressing) and SRV records for Lync Server 2013 client autoconfiguration (optional)
  - DNS A and AAAA (if you are using IPv6 addressing) or CNAME records for automatic discovery of Lync Server 2013 Web Services for use with mobility
  - DNS A and AAAA (if you are using IPv6 addressing) and SRV records for the Edge external interface of each Lync Server 2013, Edge Server or hardware load balancer virtual IP (VIP) in the perimeter network
  - DNS A and AAAA (if you are using IPv6 addressing) records for the external interface of the reverse proxy server or VIP for a pool of reverse proxy servers in the perimeter network
Custom domains
If you have *. name records in your domain then you should add these records to Public DNS.
DNS record | Purpose | Value to use |
---|---|---|
SRV (Skype for Business Online) | Allows your Office 365 domain to share instant messaging (IM) features with external clients by enabling SIP federation. Read more about Office 365 URLs and IP address ranges. | Service: sipfederationtls; Protocol: TCP; Priority: 100; Weight: 1; Port: 5061; Target: sipfed.online.lync.com. Note: If the firewall or proxy server blocks SRV lookups on an external DNS, you should add this record to the internal DNS record. |
SRV (Skype for Business Online) | Used by Skype for Business to coordinate the flow of information between Lync clients. | Service: sip; Protocol: TLS; Priority: 100; Weight: 1; Port: 443; Target: sipdir.online.lync.com |
CNAME (Skype for Business Online) | Used by the Lync client to help find the Skype for Business Online service and sign in. | Alias: sip; Target: sipdir.online.lync.com. For more information, see Office 365 URLs and IP address ranges. |
CNAME (Skype for Business Online) | Used by the Lync mobile client to help find the Skype for Business Online service and sign in. | Alias: lyncdiscover; Target: webdir.online.lync.com |
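A way to confirm the four records from the table after the change, and to spot records that still point at an on-premises Edge or reverse proxy that is about to be decommissioned. This is an added example, not part of the original post; the function name `Test-SfbOnlineDnsRecord` is hypothetical, `contoso.com` is the placeholder domain used above, and the expected targets are copied from the table.

```powershell
function Test-SfbOnlineDnsRecord {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Server   # optional: a specific resolver, to test the external view of the zone
    )
    # Expected values copied from the table above.
    $expected = @(
        @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
        @{ Name = "_sip._tls.$Domain";              Type = 'SRV';   Target = 'sipdir.online.lync.com'; Port = 443 }
        @{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
        @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
    )
    foreach ($e in $expected) {
        $query = @{ Name = $e.Name; Type = $e.Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
        if ($Server) { $query.Server = $Server }
        # Keep only answers of the requested type (drops SOA records returned for empty answers).
        $answers = @(Resolve-DnsName @query | Where-Object { $_.Type -eq $e.Type })

        # SRV answers expose NameTarget and Port; CNAME answers expose NameHost.
        $found = @(foreach ($a in $answers) {
            if ($e.Type -eq 'SRV') { '{0}:{1}' -f $a.NameTarget.TrimEnd('.'), $a.Port }
            else { $a.NameHost.TrimEnd('.') }
        })
        $want = if ($e.Type -eq 'SRV') { '{0}:{1}' -f $e.Target, $e.Port } else { $e.Target }

        # Mismatch means the name resolves, but to something other than the Microsoft 365 target.
        $status = if (-not $answers) { 'Missing' }
                  elseif (@($found | Where-Object { $_ -ne $want }).Count -eq 0) { 'OK' }
                  else { 'Mismatch' }

        [pscustomobject]@{
            Record = $e.Name; Type = $e.Type; Expected = $want
            Found  = ($found -join ', '); Status = $status
        }
    }
}

Test-SfbOnlineDnsRecord -Domain 'contoso.com' | Format-Table -AutoSize
```

Run it once against the internal DNS servers and once with `-Server` set to a public resolver, since the internal and external zones described above are maintained separately.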
What if you don’t have access to the DNS servers hosting the records? Then you don’t have that many options.
You can remove the custom domain completely from Azure AD, but that is not possible if the users have email in use on it or there are other mandatory reasons why you cannot remove it.
In that case you have only one option, and that is to disable the SIP domain from Teams directly.
This is a destructive command and should not be run lightly. Microsoft Docs states:
Important: This cmdlet should not be run for domains that contain users hosted in Skype for Business Online. Any users in a sip domain that are already provisioned online will cease to function if you disable the online sip domain:
- Their SIP addresses will be removed.
- All contacts and meetings for these users hosted in Skype for Business Online will be deleted.
- These users will no longer be able to login to the Skype for Business Online environment.
- If these users use Teams, they will no longer be able to inter-operate with Skype for Business users, nor will they be able to federate with any users in other organizations.
Note: If the Tenant is enabled for Regionally Hosted Meetings in Skype for Business Online, Online SIP Domains must be disabled in all regions. You must execute this cmdlet in each region that is added in Allowed Data Location.
So this command will work for you if nothing else does and you can continue your journey to Teams.
Continuing the journey
Change the tenant mode to Teams Only Mode from GUI or Teams PowerShell.
```powershell
Grant-CsTeamsUpgradePolicy -PolicyName UpgradeToTeams -Global
```
To disable shared SIP address space, run the following command from Teams PowerShell:
```powershell
Set-CsTenantFederationConfiguration -SharedSipAddressSpace $false
```
To disable communication between the on-premises environment and Microsoft 365, run the following command from an on-premises PowerShell:
```powershell
Get-CsHostingProvider | Set-CsHostingProvider -Enabled $false
```
Now you have a Teams Only environment, with Hybrid (shared SIP address space) removed.
What then?
Once you are happy with your Teams Only mode, you can continue with the users' attributes and their safe removal.
Clearing users attributes
If you run Get-CsUser | Disable-CsUser, it won’t remove msRTCSIP-DeploymentLocator in many cases.
So it is safer to remove all the existing attributes, which is what the PowerShell command below does.
The attributes can be managed from the on-premises AD. You don’t have to worry about msRTCSIP-PrimaryUserAddress, as the users already received a SIP address based on this attribute when they were licensed with Teams and Skype for Business and migrated.
The msRTCSIP-Line attribute can be removed if the numbers will not be used in Teams for the Enterprise Voice enabled users.
```powershell
# Clear every msRTCSIP-* attribute (including msRTCSIP-Line) from all users that have a SIP address set
Get-ADUser -properties * -filter {msRTCSIP-PrimaryUserAddress -like "*"} | Set-ADUser -clear msRTCSIP-ApplicationOptions,msRTCSIP-DeploymentLocator,msRTCSIP-OwnerUrn,msRTCSIP-PrimaryUserAddress,msRTCSIP-UserEnabled,msRTCSIP-OptionFlags,msRTCSIP-FederationEnabled,msRTCSIP-InternetAccessEnabled,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserPolicies,msRTCSIP-Line
```
If there is later a requirement to provision phone numbers with an on-premises IAM solution, it is possible by using the msRTCSIP-Line attribute and populating it with the international phone number, e.g. +3589123123123
The scripts below can be used with the same CSV files that you did the migration with.
If you need to add the SipAddress to the users' proxyAddresses, you can do it with the command below.
```powershell
# Same CSV file that was used for the migration
$csv = Import-Csv "c:\csv\Teams-Users.csv"
foreach ($user in $csv) {
    $userUpn = $user.SipAddress.Replace("sip:", "")
    # Do not add proxyAddress if it is present already
    $proxies = Get-ADUser -Filter "UserPrincipalName -eq '$userUpn'" -Properties * |
        Select-Object @{Name = "proxyAddresses"; Expression = { $_.proxyAddresses }}
    # True when the list of proxyAddresses is empty or contains no sip: entry
    if (($null -eq $proxies) -or ($proxies.proxyAddresses -join ' ' -notmatch "sip:")) {
        Write-Host "Adding sip"
        Get-ADUser -Filter "UserPrincipalName -eq '$userUpn'" | Set-ADUser -Add @{"proxyAddresses" = $user.SipAddress}
    }
    else {
        Write-Host "No need to Add sip"
    }
}
```
Or to remove all but msRTCSIP-Line, use this.
```powershell
$csv = Import-Csv "c:\csv\Teams-Users.csv"
foreach ($user in $csv) {
    $userUpn = $user.SipAddress.Replace("sip:", "")
    # Clear all of the user's msRTCSIP-* attributes except msRTCSIP-Line
    Write-Host "Clearing msRTCSIP-* Attributes for $userUpn"
    Get-ADUser -Filter "UserPrincipalName -eq '$userUpn'" | Set-ADUser -Clear msRTCSIP-ApplicationOptions,msRTCSIP-DeploymentLocator,msRTCSIP-OwnerUrn,msRTCSIP-PrimaryUserAddress,msRTCSIP-UserEnabled,msRTCSIP-OptionFlags,msRTCSIP-FederationEnabled,msRTCSIP-InternetAccessEnabled,msRTCSIP-PrimaryHomeServer,msRTCSIP-UserPolicies
}
```
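Because `Set-ADUser -Clear` cannot be undone, a snapshot and a dry run before either clearing command above are worth the extra minute. The following is an added example, not the author's script: it saves the current msRTCSIP-* values, previews the change with `-WhatIf`, and lists users that still carry leftovers (such as the msRTCSIP-DeploymentLocator that Disable-CsUser tends to leave behind). The function names and the backup path are hypothetical; the ActiveDirectory module is assumed to be installed.

```powershell
Import-Module ActiveDirectory   # RSAT Active Directory module (assumed installed)

# Attribute names copied from the Set-ADUser -Clear command on this page.
$SfbAttributes = @(
    'msRTCSIP-ApplicationOptions', 'msRTCSIP-DeploymentLocator', 'msRTCSIP-OwnerUrn',
    'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-UserEnabled', 'msRTCSIP-OptionFlags',
    'msRTCSIP-FederationEnabled', 'msRTCSIP-InternetAccessEnabled',
    'msRTCSIP-PrimaryHomeServer', 'msRTCSIP-UserPolicies', 'msRTCSIP-Line'
)
# LDAP filter matching any user that still carries at least one of them.
$AnySfbAttribute = '(|' + (($SfbAttributes | ForEach-Object { "($_=*)" }) -join '') + ')'

function Backup-SfbUserAttribute {
    # Snapshot the current values to a CLIXML file; returns the number of users saved.
    param([Parameter(Mandatory)][string]$Path)
    $snapshot = @(foreach ($u in Get-ADUser -LDAPFilter $AnySfbAttribute -Properties $SfbAttributes) {
        $values = @{}
        foreach ($name in $SfbAttributes) {
            if ($null -ne $u.$name) { $values[$name] = @($u.$name) }
        }
        [pscustomobject]@{
            DistinguishedName = $u.DistinguishedName
            ObjectGuid        = $u.ObjectGUID.ToString()
            Attributes        = $values
        }
    })
    $snapshot | Export-Clixml -Path $Path -Depth 4
    $snapshot.Count
}

function Get-SfbAttributeLeftover {
    # Users that still hold any msRTCSIP-* value, with the attribute names that remain.
    foreach ($u in Get-ADUser -LDAPFilter $AnySfbAttribute -Properties $SfbAttributes) {
        [pscustomobject]@{
            User      = $u.SamAccountName
            Remaining = ($SfbAttributes | Where-Object { $null -ne $u.$_ }) -join ','
        }
    }
}

# 1. Snapshot, 2. dry run (-WhatIf changes nothing), 3. after the real run, list leftovers.
$saved = Backup-SfbUserAttribute -Path 'C:\csv\msRTCSIP-backup.xml'   # hypothetical path
Write-Host "Backed up msRTCSIP-* values for $saved users"
Get-ADUser -LDAPFilter $AnySfbAttribute | Set-ADUser -Clear $SfbAttributes -WhatIf
Get-SfbAttributeLeftover | Format-Table -AutoSize
```

Remove `msRTCSIP-Line` from `$SfbAttributes` if the numbers are still needed, as in the second script above; the snapshot can be read back with `Import-Clixml`.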
Removing federated connections
Then contact the organizations that you had federation with, just to be nice. If their on-premises Lync / Skype Edge configuration is set to closed federation and they have your Access Edge defined, it will still be defined until they remove it.
Decommissioning the On-premises topology
Check whether there are any contacts or applications associated with the Lync on-premises deployment by running the following Lync PowerShell cmdlets.
- Get-CsMeetingRoom
- Get-CsCommonAreaPhone
- Get-CsAnalogDevice
- Get-CsExUmContact
- Get-CsDialInConferencingAccessNumber
- Get-CsRgsWorkflow
- Get-CsTrustedApplicationEndpoint
- Get-CsTrustedApplication
- Get-CsPersistentChatEndpoint
- Get-CsAudioTestServiceApplication
- Get-CsCallParkOrbit
- Get-CsUnassignedNumber
Then if objects can be removed, run the following Lync PowerShell cmdlets:
- Get-CsMeetingRoom | Disable-CsMeetingRoom
- Get-CsCommonAreaPhone | Remove-CsCommonAreaPhone
- Get-CsAnalogDevice | Remove-CsAnalogDevice
- Get-CsExUmContact | Remove-CsExUmContact
- Get-CsDialInConferencingAccessNumber | Remove-CsDialInConferencingAccessNumber
- Get-CsRgsWorkflow | Remove-CsRgsWorkflow
- Get-CsTrustedApplicationEndpoint | Remove-CsTrustedApplicationEndpoint
- Get-CsTrustedApplication | Remove-CsTrustedApplication -Force
- Get-CsPersistentChatEndpoint | Remove-CsPersistentChatEndpoint
- Get-CsCallParkOrbit | Remove-CsCallParkOrbit -Force
- Get-CsVoiceRoute | Remove-CsVoiceRoute -Force
- Get-CsUnassignedNumber | Remove-CsUnassignedNumber -Force
Logically remove the Lync / Skype deployment
Remove the Edge pool associations and their dependencies, and on the first run make a backup of the CMS database in case publishing the topology requires it. If the SQL database is fault-tolerant, this could be needed before you can proceed.
Update your Skype for Business Server topology to have a single front-end pool:
Remove all the other Front Ends except the primary one that is hosting the CMS; if you don’t, you cannot remove the deployment.
- In Topology Builder, download a new copy and navigate to the Frontend pool.
- Right-click the pool, and then click Edit Properties.
- In Associations, uncheck Associate Edge Pool (for media components) and click OK.
- If there is more than one Frontend Pool, remove the associations for all remaining pools (in this example there is only one pool).
- Select Action > Remove Deployment.
- Select Action > Publish Topology.
After publishing the topology, complete the additional steps described in the wizard.
Remove Skype for Business Server conference directories by running the following Skype for Business Server PowerShell cmdlet:
Get-CsConferenceDirectory | Remove-CsConferenceDirectory -Force
Finalize the uninstall of your Skype for Business Server deployment by running the following Skype for Business Server PowerShell cmdlet:
Publish-CsTopology -FinalizeUninstall
Or if these don’t work, you can always burn it away by running.
C:\Program Files\Microsoft Lync Server 2013\Deployment\
or
C:\Program Files\Skype for Business Server 2015\Deployment\
run “Bootstrapper.exe /Scorch”
Remove Central Management Store Service Control Point by running the following Skype for Business Server PowerShell cmdlet:
Get-CsConfigurationStoreLocation | Remove-CsConfigurationStoreLocation
This will remove the RTC groups from your AD permissions structure and domain level modifications to containers.
Disable-CsAdDomain
If something went wrong in your decommissioning, or there are leftovers from old installs inside the AD containers, you will see this error.
“Cannot remove the Active Directory settings for the domain due to ‘FE’ still being activated”
If you cannot go forward, you have to use Disable-CsAdDomain -Force
With Force, forest preparation is rolled back even if the Disable-CsAdForest cmdlet detects that at least one of the domains in the forest is still prepared for Skype for Business Server. Rollback is forced by including the Force parameter.
The following command will remove the CS* groups from your AD and the RTC container contents from the Schema; it also has a -Force parameter. You need Enterprise Admin rights to run this command.
Disable-CsAdForest
Don’t forget the rest
- Virtual machines removal
- Internal and external certificate revocation
- Removing firewall rules
- Removing load balancers and proxies
- Removing VPN connections for Lync / Skype services.