We are running Lync Server 2010 but I am running Lync 2013 (Office Pro Plus) as my client. Lync Server 2010 has never had that DNS name, so I knew that the problem was different to what the event log was showing. As I was external (DirectAccess on the laptop, but as per best practice Lync runs outside the VPN), the first place to look was the Lync Edge server.
Logging onto the Edge server, the first place to look is the event log, and the following was a glaring problem:
As there had been no DNS, Firewall or Proxy changes, that only left credentials. I connected into the Front End server and the following two errors gave some big clues:
So it appears that a certificate has expired. (As a side note, we use the DigiCert Discovery Tool - you need a DigiCert account - to check for any certificates on the estate that are going to expire. The reason that this one was not picked up was that, even though we were scanning the Edge server, we were not checking port 4443; this has now been added as a change.) Anyway, checking the certs on the Edge Server with the command Get-CsCertificate gave the following:
Both Internal and AudioVideoAuthentication have expired. Next, checking the certificates in the computer personal store, we can see the following:
This is showing two certificates that have expired and ties into what PowerShell is telling us (for a good pointer of what you need on the Edge check Jeff Schertz's Blog: http://blog.schertz.name/2012/07/lync-edge-server-best-practices/).
So, simple fix. Renew the certificates using the Enterprise CA and then assign (I’m not going to document how as again Jeff has done a great job of this here: http://blog.schertz.name/2012/01/simple-certificate-requests-in-lync/).
While I was here I thought I might as well tidy up the old Root CA that the Edge Server had imported, so I deleted that - the new certificates don’t use it, so what’s the harm...
...This proved to be a mistake. Even though the Edge server didn’t host any certificates that needed the old Root CA, there were some certificates on the Front End servers that couldn’t be verified, as they had been signed by the previous Root CA certificate. This can be seen here:
Simply downloading the old Root CA Cert from the Enterprise Root CA (https://<
My lesson learned: don’t “tidy” until you have fixed the underlying problem!
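
A check to run before removing a root CA, written as an added example that is not part of the original post: on each server (Front End as well as Edge) it builds the chain for every certificate in the computer personal store and reports which ones are expired, expire soon, or still depend on the root you plan to delete. The function name `Get-RootCaDependent`, the `WarnDays` default and the thumbprint in the usage line are assumptions and placeholders; the syntax is kept compatible with the older PowerShell found on Lync Server 2010 hosts.

```powershell
# Added example (not from the original post). Get-RootCaDependent is a
# hypothetical helper name; the thumbprint in the usage line is a placeholder.
function Get-RootCaDependent {
    param(
        [Parameter(Mandatory=$true)][string]$RootThumbprint,
        [int]$WarnDays = 30   # assumed warning window, adjust to taste
    )

    # Normalise a thumbprint pasted from the certificate UI (spaces, lower case).
    $wanted = ($RootThumbprint -replace '[^0-9a-fA-F]', '').ToUpper()
    $now    = Get-Date

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Build the chain from the local stores; revocation is skipped so the
        # check works without reaching a CRL or OCSP endpoint.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $built  = $chain.Build($cert)   # $false for expired or untrusted chains
        $thumbs = @($chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint })

        New-Object PSObject -Property @{
            Subject     = $cert.Subject
            Thumbprint  = $cert.Thumbprint
            NotAfter    = $cert.NotAfter
            Expired     = ($cert.NotAfter -lt $now)
            ExpiresSoon = ($cert.NotAfter -lt $now.AddDays($WarnDays))
            ChainValid  = $built
            NeedsRoot   = ($thumbs -contains $wanted)   # root appears in this chain
        } | Select-Object Subject, Thumbprint, NotAfter, Expired, ExpiresSoon, ChainValid, NeedsRoot
    }
}

# Usage: any row with NeedsRoot = True means the root must stay in place.
# Get-RootCaDependent -RootThumbprint '<old-root-thumbprint>' | Format-Table -AutoSize
```

Run it while the old root is still in the Trusted Root store; once the root has been deleted the chain can no longer be built up to it and `NeedsRoot` will read False even for certificates that depend on it.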