Lync 2013 Monitoring Server Versions Table

Quick and dirty post which I'll update as and when the monitoring server version gets incremented:


Lync 2013 - September 2015 CU - now with added security patch

On Friday (October 2nd) the downloadable CU that Microsoft publish as "the latest" (read: the only) update was moved to version 5.0.8308.933.

There are some good fixes in there for things such as high CPU usage on a topology publish and being unable to join a meeting from iOS 9.

One of the confusing things is that the September security update still has the following text:

Now - leaving aside the copy and paste that has resulted in "Lync Server 2013" appearing twice on the same line, we have the confusion around whether this means the latest update now (5.0.8308.933) or the latest update at the time the security article was first published (5.0.8308.920).

The security patch was actually 5.0.8308.927:

and as such versioning dictates that 5.0.8308.933 should contain all of the security fixes that were lacking in the July CU. To confirm that, you have to drill deeper into the 5.0.8308.933 release notes for the web components server:

showing that yes - the latest CU does indeed contain the security update. Thus the only reason I can see for the security update still being offered as its own download is if you are on the July (5.0.8308.920) CU (as that is a prerequisite) and do not want to move to the latest CU (5.0.8308.933) but do want the security patch installed.

When is a Cumulative Update not a Cumulative Update? When it's a security patch. #BadJoke #Lync2013 #SfB2015

Updated 22:21 BST, Skype for Business is now re-released as a full Cumulative Update - did this post help :-)

Updated 6th October - new FULL CU out for Lync 2013 that includes the security patch

Quick heads up that the September 2015 security update for Lync Server 2013 and Skype for Business Server 2015 is delivered as a CU installer *BUT* without previous updates included:

"Before installing any updates for Skype for Business Server 2015 or Microsoft Lync Server 2013, the latest publicly released Cumulative Updates for Skype for Business Server or Lync Server must be installed"

This leads to an issue that has already been seen, where CUs get out of step, and it is indeed called out in this update:

"Known issues:
After you install this security update on a system that is running Microsoft Lync Server 2013, you find that the Central Logging Service is not listening on designated ports.
This problem can occur if you install this security update on Lync Server 2013 before you install the August Update of Lync Server 2013.

If you already installed this security update without first installing August 2014 Update 5.0.8308.738, you must uninstall this security update, install August 2014 Update 5.0.8308.738, and then reinstall this security update."

(Unsupported fix:

So taking a brand new RTM install of Lync 2013 to get fully up to date you would need to:
  1. Install August 2014 Update 5.0.8308.738 OCSCore.msp (although that appears to have issues too!)
  2. Patch to July 2015 cumulative update 5.0.8308.920
  3. Patch to September 2015 Security update 5.0.8308.927
For Skype for Business Server 2015 the process is a little easier since there is just the one CU out at the moment:
  1. Patch to June 2015 cumulative update (6.0.9319.55)
  2. Patch to September 2015 Security update (6.0.9319.72) - updated, as 10 hours later Microsoft revised their security update.
I would hope that the next *real* CU for both products actually becomes a true CUMULATIVE update that includes all previous versions, with no requirement to uninstall/reinstall individual components..... but I'm not holding my breath!
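Because the September security update only installs on top of specific earlier versions, it helps to check what each server component actually reports before (and after) each step in the sequence above. The script below is an added example and is not from the original post or from Microsoft; it assumes the Lync Server Management Shell cmdlet Get-CsServerPatchVersion returns objects with ComponentName and Version properties (as in its default table output), and the sample component list at the end is constructed so the functions can be tried outside a Lync server.

```powershell
# Added example, not from the original post: report which Lync Server 2013 components are still
# below the version you are patching towards, so you can see whether it is the August 2014
# prerequisite (5.0.8308.738), the July 2015 CU (5.0.8308.920) or the September security update
# (5.0.8308.927) that is missing on this server.
# Assumption: Get-CsServerPatchVersion (Lync Server Management Shell) returns objects whose
# ComponentName and Version properties match its default output.

function Test-LyncPatchLevel {
    param(
        # Objects with ComponentName and Version properties. Defaults to the live cmdlet output.
        [object[]]$Components = (Get-CsServerPatchVersion),
        # Version every component should be at (or above) after the step you have just run.
        [version]$Target = [version]'5.0.8308.927'
    )
    foreach ($c in $Components) {
        $installed = [version]$c.Version
        $status = 'OK'
        if ($installed -lt $Target) { $status = 'NEEDS UPDATE' }
        [pscustomobject]@{
            ComponentName = $c.ComponentName
            Installed     = $installed
            Target        = $Target
            Status        = $status
        }
    }
}

function Get-LyncPatchGap {
    # Returns only the components that still need updating; an empty result means that step is done.
    param(
        [object[]]$Components = (Get-CsServerPatchVersion),
        [version]$Target = [version]'5.0.8308.927'
    )
    Test-LyncPatchLevel -Components $Components -Target $Target | Where-Object { $_.Status -eq 'NEEDS UPDATE' }
}

# Constructed sample data (not real cmdlet output) so the functions can be exercised offline.
$sample = @(
    [pscustomobject]@{ ComponentName = 'Microsoft Lync Server 2013, Core Components';       Version = '5.0.8308.920' },
    [pscustomobject]@{ ComponentName = 'Microsoft Lync Server 2013, Web Components Server'; Version = '5.0.8308.927' },
    [pscustomobject]@{ ComponentName = 'Microsoft Lync Server 2013, Front End Server';      Version = '5.0.8308.738' }
)

# Step 1 check: is the August 2014 prerequisite present everywhere?
Get-LyncPatchGap -Components $sample -Target '5.0.8308.738' | Format-Table -AutoSize
# Step 3 check: which components still lack the September security update?
Get-LyncPatchGap -Components $sample -Target '5.0.8308.927' | Format-Table -AutoSize
```

On a real server drop the -Components argument so the live cmdlet output is used; running Get-LyncPatchGap with the target of each step in turn tells you whether to carry on or go back and apply the earlier update first.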

    No T-Rex love in Skype for Business (sadface)

    Today the Skype for Consumer blog posted that a funky new emoticon was available to celebrate the launch of Windows 10 (and related to Ninja Cat of course).

    Unfortunately it's not available in the stuffy Skype for Business client :-(

    Lync Server 2013 Updates - July 2015 (CU13)

    July's updates have the following new items in them:

    Participants cannot see your video when you join an online meeting through B2BUA in a Lync Server 2013 environment
    Response group usage report takes longer time to run or cannot complete in a Lync Server 2013 environment
    Call park orbit number is not displayed when you park a call in a Lync Server 2013-based environment
    Lync Mobile Client call is dropped immediately when you dial 0 for an operator
    Lost data when Lync Server 2013 directories move to Skype for Business
    Event ID 1000 is logged and RTCSrv.exe crashes when the process is selected in Resource Monitor tool in Lync Server 2013
    CPU usage percentage of the RTCSrv.exe process is high on a Lync Server 2013 front-end server

    Changing SQL Database Owner for Lync 2013

    When you install the SQL back end, the mirroring endpoint owner is set to the account of the person who ran the installer (so in our case Domain\XXXXRichXXXX).

    If you use the following SQL:

    SELECT [PrincipalName] = sp.name, [PrincipalId] = sp.principal_id, me.*
    FROM sys.database_mirroring_endpoints me WITH (NOLOCK)
    INNER JOIN sys.server_principals sp WITH (NOLOCK)
        ON me.principal_id = sp.principal_id

    SELECT EPS.name AS [ENDPOINT],
        CONVERT(nvarchar(46), SUSER_NAME(SPS.grantor_principal_id)) AS [GRANTED BY],
        CONVERT(nvarchar(46), SUSER_NAME(SPS.grantee_principal_id)) AS [GRANTED TO]
    FROM sys.server_permissions SPS, sys.endpoints EPS
    WHERE SPS.major_id = EPS.endpoint_id
        AND SPS.class_desc = 'ENDPOINT'  -- major_id is only an endpoint id for ENDPOINT-class permissions


    You will get back the current endpoint owner (PrincipalName), what other endpoints can interact with the mirror (GRANTED TO) and who granted those rights (GRANTED BY).
    This example is from XXX-SQL01 Principal, its partners are XXX-SQL02 mirror and XXX-SQL03 Witness:

    As the Domain\XXXXRichXXXXX account is being removed we created a new Service Account called “DOMAIN\svc-lync-sqlmirror” (a standard Windows user).

    Then on each endpoint in the SQL mirror (Principal, Mirror, Witness) ran the following (changing the server names as appropriate in the final SQL block):

    USE [master]
    ALTER SERVER ROLE [sysadmin] ADD MEMBER [DOMAIN\svc-lync-sqlmirror]

    ALTER AUTHORIZATION ON ENDPOINT::mirroring_endpoint TO [DOMAIN\svc-lync-sqlmirror]

    GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [DOMAIN\XXX-SQL02$]

    GRANT CONNECT ON ENDPOINT::mirroring_endpoint TO [DOMAIN\XXX-SQL03$]

    1. The first block adds the Service Account in as a SysAdmin
    2. Next block changes the owner to be the Service Account
    3. Last block grants permissions back to the other two SQL servers to be part of the mirror again (running the second block wipes this out -

    After running the above the owner has now changed:

    Once all three mirror partners were changed, reboot the servers in the following order:

    1. Witness  -  (XXX-SQL03)
    2. Mirror  -  (XXX-SQL02)
    3. Principal  -  (XXX-SQL01)
    (note that your DBs will be on the Mirror at the end of this procedure so use Invoke-CsDatabaseFailover to fail back - or reboot the mirror again!)

    Ensure you wait between each reboot to allow the mirror state to become stable again (all green ticks):

    (to run this, open SQL Server Management Studio > right click a mirrored database > Tasks > Launch Database Mirroring Monitor)

    Edited 12/07/2015 to note that the db's will be on the mirror server after performing this procedure
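    Running the ownership change on three servers and then watching the Mirroring Monitor for green ticks is easy to get wrong, so here is a check that pulls the same information from the catalog views on every partner in one go. This is an added example, not code from the original post: it assumes the SqlServer (or SQLPS) module's Invoke-Sqlcmd, Windows authentication with rights to read the catalog views, and the placeholder server, domain and service account names from the post. It confirms on each partner that the endpoint is owned by the service account, that the other partners' machine accounts still hold CONNECT on it (the ALTER AUTHORIZATION step removes those grants), and that every mirrored database is back to SYNCHRONIZED before you reboot the next partner.

```powershell
# Added example, not from the original post. Assumes Invoke-Sqlcmd (SqlServer / SQLPS module),
# Windows authentication, and the placeholder names below.

$partners      = 'XXX-SQL01', 'XXX-SQL02', 'XXX-SQL03'   # principal, mirror, witness
$expectedOwner = 'DOMAIN\svc-lync-sqlmirror'
$domain        = 'DOMAIN'

# One row per permission on the mirroring endpoint; the owner is repeated on every row.
$endpointQuery = @"
SELECT ep.name                            AS EndpointName,
       SUSER_NAME(ep.principal_id)        AS Owner,
       p.permission_name                  AS Permission,
       SUSER_NAME(p.grantee_principal_id) AS GrantedTo
FROM sys.endpoints ep
LEFT JOIN sys.server_permissions p
  ON p.class_desc = 'ENDPOINT' AND p.major_id = ep.endpoint_id
WHERE ep.type_desc = 'DATABASE_MIRRORING';
"@

$mirrorQuery = @"
SELECT DB_NAME(database_id)         AS DatabaseName,
       mirroring_role_desc          AS Role,
       mirroring_state_desc         AS State,
       mirroring_witness_state_desc AS WitnessState
FROM sys.database_mirroring
WHERE mirroring_guid IS NOT NULL;
"@

function Test-MirroringEndpoint {
    param([string]$Server, [string]$ExpectedOwner, [string[]]$AllPartners, [string]$Domain)
    $rows  = @(Invoke-Sqlcmd -ServerInstance $Server -Query $endpointQuery)
    $owner = if ($rows.Count -gt 0) { $rows[0].Owner } else { $null }
    # Every *other* partner's machine account must be able to CONNECT to this endpoint.
    $required = $AllPartners | Where-Object { $_ -ne $Server } | ForEach-Object { "$Domain\$_`$" }
    $granted  = @($rows | Where-Object { $_.Permission -eq 'CONNECT' } | ForEach-Object { $_.GrantedTo })
    $missing  = @($required | Where-Object { $granted -notcontains $_ })
    [pscustomobject]@{
        Server        = $Server
        Owner         = $owner
        OwnerOk       = ($owner -eq $ExpectedOwner)
        MissingGrants = ($missing -join ', ')   # empty = all partner machine accounts can connect
    }
}

function Test-MirroringState {
    param([string]$Server)
    # Databases that are not yet SYNCHRONIZED; an empty result means it is safe to reboot the next partner.
    @(Invoke-Sqlcmd -ServerInstance $Server -Query $mirrorQuery) |
        Where-Object { $_.State -ne 'SYNCHRONIZED' } |
        Select-Object @{ n = 'Server'; e = { $Server } }, DatabaseName, Role, State, WitnessState
}

foreach ($p in $partners) {
    Test-MirroringEndpoint -Server $p -ExpectedOwner $expectedOwner -AllPartners $partners -Domain $domain
}
# The principal's sys.database_mirroring view covers its partner and witness state for every mirrored DB.
Test-MirroringState -Server $partners[0] | Format-Table -AutoSize
```

    Run the endpoint check once after the three T-SQL blocks, and the state check between each reboot; only move to the next server in the Witness, Mirror, Principal order once Test-MirroringState returns nothing.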

    Remote Code Execution or Skype for Business 2015 client, you choose!

    Microsoft today released a patch that builds on the April 2015 client side patch. As such this means you need to have already taken the steps shown in my previous post if you want to block the new Skype for Business UI. After applying this patch there are some parts that will all reflect the new Skype branding even if you do make the previously advised changes:

    • the menu item in Windows

    In addition the sounds will change.

    Having run the new Skype UI for a while now I much prefer it to the Lync 2013 UI. My call-out feature is the Call Hover window: when you are in a call and pass focus to another application it stops you scrambling about trying to find the active call to mute/unmute or hang up!

    and the new emoticons :-D

    Performing a Consultative Transfer using Skype for Business 2015

    A consultative transfer is a common scenario where before transferring a call to someone you want to contact the person you’re transferring to first to ensure they are able to take the call. Let’s walk through this scenario to show how this is accomplished using Skype for Business 2015.

    Emma Fysh has called me and is inquiring about the project we are working on.

    As I don’t have the experience in this specific project, I start a new phone call with Jade Saunders from the Contact List, the project manager for this specific project.

    When I start the new call to Jade, Emma’s call is automatically put on hold.

    Jade has indicated that she is free to take the call, so from either call window I click the call controls button......

    .......and then transfer.

    The transfer menu automatically includes people I’m currently talking to, so I’m able to select Emma from here. 

    While the call is transferring I can see the status from both Jade’s and Emma’s conversation window. After the transfer has completed both windows are closed :)

    The beautiful part about Lync / Skype for Business is that you are not just limited to consulting using a phone call. Next time you want to consult someone before transferring, try using an IM (for this you do need to go back to the original caller, as the IM window does not have the Call Controls button).

    As you can see from this simple scenario, the ability to consult with someone before sending a phone call to them can be quite useful in ensuring that the person is available, and has the background required to help the caller.

    This blog post is an update of my previous one which I posted for the Lync 2010 client:

    which used the text from

    Skype for Business 2015 Emoticons

    Just a quick post to show the dialog for emoticons in Skype for Business 2015:

    One thing I really like is that on the bottom left of the screen as you hover over an emoticon it shows what the "Official" name is and then on the bottom right is the key presses that are needed.

    I would like to know why the footballer (soccer for the Americans ;-) ) is called "Bartlett" and why the squirrel is "Heidy" :

    Update: Bartlett appears to be a tribute to Michael Bartlett, an ex-Skyper:

    And Heidy can now be found looking after the Microsoft Real Estate! For bonus points her Google Profile also has a member of the Sciuridae family as a profile picture:

    Mystery solved!

    Do you have the Lync 2013 client deployed? If so - DO THIS NOW!

    Today "Patch Tuesday" (14th April) Microsoft are pushing out an update(s) for the Lync 2013 client (KB2889853 and KB2889923).

    This will change the look and feel of the client from standard Lync 2013:

    To the Skype for Business 2015 client:

    In addition the sounds will change.

    There are three things you need to do in order of importance:
    1. Get a registry entry onto *EVERY* PC in your organisation so that your users do not see the new interface, this can best be configured with a GPO which sets the following reg key:

      In the [HKEY_CURRENT_USER\Software\Microsoft\Office\Lync] key, create a new Binary value.
      The Value name must be EnableSkypeUI, and the Value data must be set to 00000000.

      This will make sure that the first time that the new client runs (prior to getting the in-band policy we are going to look at in step 3 - but don't skip ahead, read this all!) then it loads in the familiar Lync 2013 interface.
    2. Ensure your Lync Servers are patched to:
      1. 2010 - Feb 2015 CU (4.0.7577.710)
      2. 2013 - Dec 2014 CU (5.0.8308.857)
    3. Set the following policy on your Lync Servers:

      Get-CsClientPolicy | Set-CsClientPolicy -EnableSkypeUI $False

      This will set the in-band policy to also write the registry value as specified in point 1 above, but in-band policies only apply after the end user has logged in, so if you do not set the registry value your end users will see the following:

      Which means end users can decide to run with the Skype for Business UI for as long as they are logged in (with the associated ServiceDesk calls "why does this look different?" et al.)
    One important note - if you have users who are on un-managed machines (Home Use Program, purchased the DVD from PC World, et al) then you cannot manage the first run experience. Those users can see the new Skype for Business until the registry key gets set by the in-band policy.
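    For machines you do manage, a GPO registry preference is the right way to push step 1, but it is useful to be able to set and verify the value by hand (for a logon script, or to check what the GPO actually produced) and to confirm the server side of step 3 has been applied to every client policy. The script below is an added example and is not from the original post or from Microsoft; the key, value name and data are the ones given in step 1, the client functions run on the PC, and Test-SkypeUiPolicy runs in the Lync Server Management Shell.

```powershell
# Added example, not from the original post. Registry key, value name and data are the ones in step 1.

$lyncKey   = 'HKCU:\Software\Microsoft\Office\Lync'
$valueName = 'EnableSkypeUI'

function Test-LyncLegacyUiValue {
    # $true only if the value exists, is Binary, and is exactly four zero bytes (00 00 00 00).
    $item = Get-ItemProperty -Path $lyncKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    $data = $item.$valueName
    if ($data -isnot [byte[]]) { return $false }
    return ($data.Count -eq 4 -and ($data -join ',') -eq '0,0,0,0')
}

function Set-LyncLegacyUiValue {
    # Creates the key if needed, writes the Binary value, and returns the verification result.
    if (-not (Test-Path $lyncKey)) { New-Item -Path $lyncKey -Force | Out-Null }
    New-ItemProperty -Path $lyncKey -Name $valueName -PropertyType Binary -Value ([byte[]](0, 0, 0, 0)) -Force | Out-Null
    return Test-LyncLegacyUiValue
}

function Test-SkypeUiPolicy {
    # Lync Server side: any policy where EnableSkypeUI is $true or unset still lets users keep the
    # Skype for Business UI once the in-band policy arrives. An empty result means every policy forces the Lync UI.
    Get-CsClientPolicy | Where-Object { $_.EnableSkypeUI -ne $false } | Select-Object Identity, EnableSkypeUI
}

# Client PC: apply the value only if it is missing or wrong, then report the outcome.
if (-not (Test-LyncLegacyUiValue)) { Set-LyncLegacyUiValue }
Test-LyncLegacyUiValue

# Lync Server Management Shell, after "Get-CsClientPolicy | Set-CsClientPolicy -EnableSkypeUI $False":
# Test-SkypeUiPolicy
```

    Note that Test-SkypeUiPolicy reports policies where the setting is unset as well as $true, since a $null value gives the user the choice shown in the screenshot above.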

    Additional reading:

    Populating the Lync LIS database with Meraki BSSID's, but where are they hiding!?!

    If it’s never setup then you don’t miss it, but once you’ve started to use it and have it embedded in your culture it becomes invaluable. What am I talking about? Presence? Well of course – but what I’m talking about is the Lync Location Database.

    As I’m in the UK we don’t have to worry about the E911 service here and where I have seen it the most is for seeing where someone is within a building/campus.

    Usually the main thing that you use to differentiate the network you are on is the IP address your host has - different subnets for different buildings. But the other powerful area is to have your location automatically update as you move between wireless access points ("Tobie is in meeting room 5").

    This is achieved by finding the BSSID of the access points in your organisation and then using the Set-CsLisWirelessAccessPoint PowerShell cmdlet and supplying the relevant details.

    Recently a client moved from an HP ProCurve network to a new Meraki setup. This meant that all of the BSSIDs that were in the LIS database were now redundant and needed to be repopulated. But – where to get the BSSIDs from? In the ProCurve Wireless Edge Services controller you could see them but the Meraki dashboard does not show them (I’ve added it as a feature suggestion so hope it gets included in a future sprint), so instead you need to do some extra work.

    I emailed Meraki support a few times and didn’t get a satisfactory answer on how to ID the BSSID <> AP relationship so eventually picked up the phone and got through to a brilliant techie, who after explaining my problem found some information in an internal Cisco document that shows how the BSSID is created:

    2.4 GHz (r0): +02x0 to 1st octet; +40x0 to 3rd octet
    5 GHz (r1):   +02x0 to 1st octet; +50x0 to 3rd octet
    1st SSID:     no change
    All others:   +01x0 to 6th octet for each subsequent SSID

    SSID      2.4 GHz Radio        5 GHz Radio
    SSID 0    02:00:40:00:00:00    02:00:50:00:00:00
    SSID 1    02:00:40:00:00:01    02:00:50:00:00:01
    SSID 2    02:00:40:00:00:02    02:00:50:00:00:02
    ...

    So what does this mean? Well, first you go to your Meraki Dashboard, navigate to:

    Monitor - Access points

    and grab the following information:

    AP Name and MAC Address

    Access Points and MAC addresses in Meraki

    Now navigate to Configure - SSID and click Show all my SSIDs (you need to do this as this shows which slot your wireless network is in, the first page shows configured ones but not necessarily the slot that the wireless network occupies):

    SSID's shown
    You can now perform some old school masking by hand to try to sort out your network......

    ........or use my handy Excel Spreadsheet to do it for you automagically (thanks Daniel Mycock for helping to write the magic).

    Simply add in the names and MAC addresses into the table and select the "slot" that the SSID is in from the drop down (green box).

    Once you have done so you will now have the BSSIDs to create your PowerShell with:

    Throw that onto a server and get it working by publishing the Communication Server Location Information Service Configuration.

    Now wait for the management store to replicate (thanks for the script Graham)

    and log into a client to see the resulting network working :-)

    Hopefully this gives enough information to get your LIS databases up to date with a Meraki network.
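    The Excel sheet does the octet arithmetic from the rules quoted above; for anyone who would rather script it, here is the same derivation in PowerShell. This is an added example and not the post's spreadsheet or Meraki's own tooling: it takes each AP's MAC address and the slot number of each SSID, applies the +02 / +40 / +50 / +01 rules from the table, and emits Set-CsLisWirelessAccessPoint commands for both radios. Assumptions: the AP names, MACs and SSID slots at the end are constructed sample data; the BSSID is handed to the LIS cmdlet in the hyphenated nn-nn-nn-nn-nn-nn form it expects; only a subset of the cmdlet's address parameters is shown; and each octet is kept within a byte if an addition overflows, which the rules do not specify.

```powershell
# Added example, not from the original post; see the lead-in for the assumptions.

function ConvertTo-MerakiBssid {
    param(
        [Parameter(Mandatory)][string]$ApMac,                                # e.g. '00:18:0A:12:34:56'
        [Parameter(Mandatory)][ValidateSet('2.4GHz', '5GHz')][string]$Band,
        [Parameter(Mandatory)][ValidateRange(0, 14)][int]$SsidSlot,          # Meraki SSID slot, 0-based
        [string]$Separator = ':'
    )
    $octets = @($ApMac -split '[:-]' | ForEach-Object { [int]('0x' + $_) })
    if ($octets.Count -ne 6) { throw "Expected a six-octet MAC address, got '$ApMac'" }
    $octets[0] += 0x02                                           # both radios: +02 to the 1st octet
    $thirdOctetAdd = if ($Band -eq '2.4GHz') { 0x40 } else { 0x50 }
    $octets[2] += $thirdOctetAdd                                 # r0: +40, r1: +50 to the 3rd octet
    $octets[5] += $SsidSlot                                      # +01 to the 6th octet per later SSID
    # Assumption: wrap within a byte on overflow (not covered by the rules quoted in the post).
    ($octets | ForEach-Object { '{0:X2}' -f ($_ -band 0xFF) }) -join $Separator
}

function Get-LisWirelessAccessPointCommand {
    param(
        [Parameter(Mandatory)][object[]]$AccessPoints,   # objects with Name, Mac and Location
        [Parameter(Mandatory)][hashtable]$SsidSlots,     # slot number -> SSID name (from "Show all my SSIDs")
        [string]$CompanyName = 'Example Ltd',
        [string]$City = 'Example City'
    )
    foreach ($ap in $AccessPoints) {
        foreach ($slot in ($SsidSlots.Keys | Sort-Object)) {
            foreach ($band in '2.4GHz', '5GHz') {
                $bssid = ConvertTo-MerakiBssid -ApMac $ap.Mac -Band $band -SsidSlot $slot -Separator '-'
                $desc  = "$($ap.Name) / $($SsidSlots[$slot]) / $band"
                "Set-CsLisWirelessAccessPoint -BSSID '$bssid' -Description '$desc' -Location '$($ap.Location)' -CompanyName '$CompanyName' -City '$City'"
            }
        }
    }
}

# Constructed sample input: two APs, and two enabled SSIDs sitting in slots 0 and 2.
$aps = @(
    [pscustomobject]@{ Name = 'AP-MR5';  Mac = '00:18:0A:12:34:56'; Location = 'Meeting room 5' },
    [pscustomobject]@{ Name = 'AP-RECP'; Mac = '00:18:0A:AB:CD:EF'; Location = 'Reception' }
)
$ssids = @{ 0 = 'Corp-WiFi'; 2 = 'Guest' }

# Single lookup, and the full command list written out for review before it is run.
ConvertTo-MerakiBssid -ApMac '00:18:0A:12:34:56' -Band '2.4GHz' -SsidSlot 2
Get-LisWirelessAccessPointCommand -AccessPoints $aps -SsidSlots $ssids | Set-Content .\Set-MerakiBssids.ps1
# Review the generated file, run it in the Lync Server Management Shell, then Publish-CsLisConfiguration.
```

    Each AP produces two commands per SSID (one per radio), so with two SSIDs and two APs you get eight entries. The slot number matters more than the order on the first SSID page, which is why the post sends you to "Show all my SSIDs" to read it.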

    Sophos UTM when running on clustered Hyper-V 2012 R2 (or why is Linux different?)

    Originally my post was going to be about how painful it was working on a bug in the Sophos UTM virtual appliance. But after doing some digging I’ve realised I need to point the fingers in a different way!

    What caused me pain was this:

    1. Build a Highly Available VM using the latest UTM download from Sophos (4x network cards and shared SMB storage in our case).
    2. After it is built, go into the console (loginuser and then su to root) and run:
       ifconfig | less
       Note the eth network cards that are available.
    3. Live migrate the UTM to another host in the cluster and run:
       ifconfig | less
       Note that all eth network cards have now disappeared.
    4. Live migrate back to the initial host and run:
       ifconfig | less
       Note that the eth network cards have not come back.

    The system will continue to run and can be moved around hosts with no problems. The issue will only manifest itself once the UTM gets rebooted (in my case for an Up2date firmware fix).

    After building a new UTM VM I did some testing to replicate the problem:

    First thing - let's shut the VM down, move it to the other host and bring it up; maybe the bug is in the Live migration.

    Unfortunately, no, exactly the same problem, no eth cards.

    A-ha I thought, so let's shut the VM down, move back to the initial host and bring it up; maybe it’s a bug in the network card stack so the cards will magically come back.

    No, cards still missing

    So at this point I was speaking to Donald at Sophos technical support (top guy, many thanks to him) and we had come to the conclusion it was a bug in the Linux kernel that the UTM uses.

    He was going to add a bug number in and I was going to leave the UTM sitting on a single host with instructions to never move it!

    And there might have ended the story and I would have gone away thinking that I’ve found a bug but I started to do some Googling Binging and hit the answer……

    Those of you who have been using Linux on Hyper-V will have seen the problem straight away.
    (for this part please forgive my lack of Linux knowledge, this is how I see the problem – but I really don’t want to start a flame war!)

    And it’s all down to how Linux binds its network cards to the MAC address of the virtual machine. Windows boxes will happily use any MAC address they are given on boot, whereas the first MAC address that is given to a Linux box gets hard coded into the config files and will always be used. This means when the virtual appliance (because to me that's what it is) migrates between hosts the MAC address changes and Linux gets unhappy.

    I’m sure that there are some people who will read this and say “surely you should have read up on the Microsoft documentation for running Linux in Hyper-V”

    I’ll counter with, “nope, I was running an appliance, not a Linux box, so had not thought of even reading up on this, and don’t call me Shirley”

    My plea to vendors who say that they have an appliance that will run in your virtual environment is that they make it clear in their documentation that this could happen so other hapless “Windoze” geeks like myself are not caught out in this way in the future.

    And me – I destroyed my VM (for the 5th time!) and rebuilt it – this time with the MAC address set to a static address (side note: if you do not type a MAC address after setting a static one then Hyper-V will assign you one automatically) and live migrated my Linux VM Appliance to my heart's content.......

    ……..or so I thought: setting the MAC to a static MAC on our WAN interface stopped all traffic over the WAN, so with time against us we had to set the WAN back to being dynamic. This means if the UTM moves hosts it’ll need a reboot and config changes to get the WAN interface back onto the virtual NIC……

    The story will continue if I get an answer back from Sophos prior to me moving to my new job!
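    The practical defence against this is to find every adapter on a Linux-based appliance VM that still has a dynamic MAC (those are the ones a migration will renumber) and pin it to the address the guest already recorded at first boot, rather than a fresh one. The script below is an added example, not from the original post or from Sophos or Microsoft; it assumes the Hyper-V PowerShell module on a cluster node, uses placeholder VM and adapter names, and requires the VM to be shut down before the change. Given the WAN experience described above, apply it one adapter at a time and test each.

```powershell
# Added example, not from the original post. Assumes the Hyper-V module; VM/adapter names are placeholders.

function Get-DynamicMacAdapter {
    # Adapters whose MAC is assigned dynamically by Hyper-V and may change when the VM moves hosts.
    param([Parameter(Mandatory)][string[]]$VMName)
    Get-VMNetworkAdapter -VMName $VMName |
        Where-Object { $_.DynamicMacAddressEnabled } |
        Select-Object VMName, Name, SwitchName, MacAddress
}

function Set-StaticMacFromCurrent {
    # Makes the adapter's *current* MAC static so the address the guest wrote into its config keeps matching.
    param([Parameter(Mandatory)][string]$VMName, [Parameter(Mandatory)][string]$AdapterName)
    $vm = Get-VM -Name $VMName
    if ($vm.State -ne 'Off') { throw "Shut down $VMName before changing its MAC address settings" }
    $nic = Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName
    Set-VMNetworkAdapter -VMNetworkAdapter $nic -StaticMacAddress $nic.MacAddress
    # Read it back so the caller can confirm DynamicMacAddressEnabled is now $false.
    Get-VMNetworkAdapter -VMName $VMName -Name $AdapterName |
        Select-Object VMName, Name, MacAddress, DynamicMacAddressEnabled
}

Get-DynamicMacAdapter -VMName 'UTM-01'                          # which adapters would a migration renumber?
Set-StaticMacFromCurrent -VMName 'UTM-01' -AdapterName 'LAN'    # pin one adapter and show the result
```

    Keeping the existing MAC (rather than typing a new one) avoids the rebuild step the post went through, because the guest's bound address does not change.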

    Cochlear Aqua+ Review

    Having a blog and being active on Twitter does occasionally pay off, as I had shown interest in Cochlear’s previous waterproofing solution (do not call it a bag) they contacted me asking if we would like to trial their new Aqua+ accessory for the N5 and N6 range of processors.
    We jumped at the chance and after supplying details (coil magnet strength and coil cable length) a massive package turned up:

    On opening it we got a surprise that there were two kits enclosed (makes sense I suppose as Josef is bilaterally implanted but I thought we would have only got one as a test):

    It turns out that the reason it is so large is that you get everything you need for a few weeks:

    You can see pictured, the guide (multiple languages, only the first 17 pages in English so not as daunting as it first looks!), The Aqua+ (part number Z463273), Nice carry case, Nucleus Aqua+ Coil (part numbers Z463263 – 6 cm length & Z463270 – 8 cm length), Nucleus Safety Line (part number Z467062), Mic Lock-Stirrup (part number Z368868) and a CP900 series magnet (too many part numbers to list!).
    As a side note: this appears to show that the coil cable and coil are compatible between the N5 and N6 processors.
    My initial comments on opening the kit are positive:
    • Very nicely packaged (positive impression),
    • In a single kit you get 2x of the Aqua+ sleeves and 4x of the Mic Lock-Stirrups (extras),
    • The carry case is very useful for putting all the bits in that you need when going swimming
    In the accompanying documentation it says that the sleeve is usable for around 50 sessions so each pack of 2 could do you for up to 100 swims. As a pack of sleeves retails at around £34 (direct from Cochlear) I think this works out very economically. But a note here about the original Aqua Accessory

    The single use version launched in 2013 and pictured above has now been withdrawn from sale and replaced with the new reusable Aqua Accessory; Connevans have these new ones on sale at c.£39 at the moment for a box of five, each of which can be used up to 20 times.
    This brings me to the first difference between the Aqua+ and the Aqua Accessory. With the previous version (non-reusable) we had no issues other than the air in the bag would cause the bag to float away if Josef tried to put his head underwater. As the bag was also bulkier and made the processor less movable around the cable it was harder for Josef to put back on himself so what would usually happen was after he had dived under water a few times the “ears” would be off, passed to us parents and he would happily play without sound.
    With the Aqua+ we have the opposite problem. Josef jumps underwater and/or moves quickly with his head under the water and the force of the water against the processor causes it to detach from his head; it then sinks (no air in the sleeve). The first time this happened Josef was a bit worried (he was used to looking for the floating ear); the second time it turned into a game: let the ear sink to the bottom and then try to swim down to it!
    Thankfully Cochlear have supplied two bits of kit in the pack that can help with this. The first being the Mic Lock-Stirrup:
    This helps to keep the processor attached to the ear – as yet we have not had chance to use it with Josef as he complains that it squashes his ear, it’s very difficult to disagree as that is what its intended to do! I think with an older child you should be able to reason with them to say this will help to keep it on your head but not yet for Josef!
    The second part included by Cochlear is the Safety Line – this is for making sure that when the processor does come off that it stays attached to clothing. For that reason you need to be wearing something on the top half of your body to attach the line too. Females will be fine with swimming costumes/bikinis tops to clip to in a swimming pool but males will struggle to find somewhere near the neck line to clip it onto - maybe a fashion necklace?
    I can see that the main reason for the safety line is for when using the Aqua+ in the sea or open water when you would probably be wearing a wetsuit/top of some kind and in that scenario it will certainly save your expensive processor from sinking from sight! My only complaint is that the line is probably 2cm too short for an adult and wearing it and turning your head may pull the processor off unintentionally.
    There is one bit of preparation that you will need to do prior to using the Aqua+ for the first time and that is to make sure you have some spare earhooks to take with you. This is because you need to remove the earhook from the processor to insert it into the sleeve. In my experience the ear hooks get brittle over time so ensure that you take some spares with you in case removing them causes them to break. The manual again shows you what to do here:
    (Another note on the earhooks – if you have the small tamper resistant ones make sure you take the tool to remove them!)
    Now a couple of photos of Josef in the swimming pool actually using the Aqua+ (note, this is right at the beginning of the swimming session and he has not put his head under that water at this point. I’m taking photos at the side and getting nagged by both boys to get in and play, hopefully next time I’ll be able to get some better photos of them in-use!) 
    Finally – is it worth it?
    I would say wholeheartedly: Yes. The sleeves are very thin and do not make the processor look any bulkier on the ear. It actually works and pricing is, IMHO, fair: Cochlear sell you the initial pack for either £160+VAT (mono) or £289+VAT (bilateral). This gets you the two sets as shown above. I do think that Cochlear could make a better bilateral kit which only has one of the carry cases and instruction manuals and maybe drop the bilateral price by £20 but understand carrying more product lines increases their costs. That being said each set is made up from the component parts (as you pick the magnet and coil cable length) so this would be an easy change to make.

    If you would like to find out more please visit the Cochlear website or call (0800 035 6317) or email them.

    I'm happy to take questions in the comments or via Twitter.

    Thanks to Cochlear for allowing us to trial their new kit.

    Exchange 2013 – The things they don’t tell you

    (This post is a work in progress, at the moment I’m still migrating things so I have the joy of moving to the new public folder architecture in a few weeks, I’m sure this post will grow after that!!)

    So the migration is all but done:
    One final server to remove (once we track down all the services using it for SMTP relay) but that has been a mostly painless experience. 

    • Your Content Index will fail and you’ll fix it every so often by deleting the index and restarting the search services, but there is a proper fix:
    • Don't remove the Self Signed Certificate, it's used by the Back End services. After I had everything running I was getting a bit annoyed that I still had the Self Signed cert sitting there, it is still bound to IIS and SMTP. After a lot of reading I found the following KB article which basically says "leave it alone":
    • Make sure your receive connectors are scoped so voicemail does not start failing with "Event ID 1446, MSExchange Unified Messaging,
      The Microsoft Exchange Unified Messaging service on the Mailbox server failed to process the message with header file "FILENAME" within "11" minutes. The server will continue to process and deliver the message, but the "MSExchangeUMAvailability: % of Messages Successfully Processed Over the Last Hour" performance counter will be decreased.
    • Play on phone from the full fat Outlook 2010 client was failing for users still homed on the Exchange 2010 servers but working fine for users homed on Exchange 2013. Play on phone comes up with the following error:

      Strangely playing the same voicemail via OWA works fine
      I've done no further trouble shooting as the users will all be moved to 2010 within the week and we have the above work around in place. If anyone wants to jump in with a suggestion in the next few days I'll be glad to hear it.
    • Running the Public Folder upgrade script (Export-MailPublicFoldersForMigration.ps1) gives warnings about Property errors:

      "WARNING: The object Domain.local/Microsoft Exchange System Objects/Meeting Room 5 (10) has been corrupted, and it's in an inconsistent state. The following validation errors happened:
      WARNING: Property expression "Board Room" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fitUS-ASCII string in the e-mail address, which is generated from such an alias."

      For me this was some of the Public Folders not having valid alias entries. It didn't cause a problem (as far as I can see) in all the time we have been running Exchange 2010 but needed to be fixed while moving to 2013 and its new PF architecture.

      I had an additional problem that I couldn't get into the item to edit it in the Public Folder Management Console without applying the following fix (the error was about "no existing publicfolderproxyinformation" sorry, didn't screenprint before fixing!): which turns out to be a problem with the homeMDB property of the Microsoft System Attendant!

      Then editing the item to remove the space fixed the issue:

    • While migrating the Public Folders we got to one of the final stages and the process appeared to hang.
      Running Get-PublicFolderMigrationRequest | Get-PublicFolderMigrationRequestStatistics gave the response "StalledDueToMailboxLock" and :
      Informational: The request has been temporarily postponed because the mailbox is locked. The Microsoft Exchange Mailbox Replication service will attempt to continue processing the request after 26/01/2015 17:21:07.

      The solution was to restart the Information Store Service on the Legacy Mailbox server and wait 10 minutes for the process to continue.

    And as a bonus feature - TLDR: Exchange Unified Messaging Certificates need simply be the server Fully Qualified Domain Name with no additional SAN names.

    For my pain simply read on...

    I have three new Exchange 2013 servers:
    • FCH-XS13-01.fch.local
    • FCH-XS13-02.fch.local
    • FCH-XS13-03.fch.local
    (and before someone complains that I’ve given away the names of the Exchange server in my organisation I counter with – “you’d get that simply by receiving an email from anyone in the organisation and looking at the headers” <sigh>)
    When I created the certificates I used the brilliant Digicert Tool and bashed the FQDN in:
    threw in the NetBIOS name for kicks
    sent the response off to my local CA, downloaded the response. Imported it and applied in the ECP (I know, no PowerShell, naughty me).

    After restarting the two UM services:
    No Voicemail – calls just hung up. And not simply for my test mailbox on the Exchange 2013 environment – this was affecting everyone as the Exchange 2013 servers proxy the 2010 traffic
    Looking in the event log we see Event ID 36884:
    The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is fch-xs13-03.fch.local. The SSL connection request has failed. The attached data contains the server certificate.
    Event ID 1649:
    The Microsoft Exchange Unified Messaging Call Router service failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS). Please check that the gateway is configured to operate in the correct security mode. If the gateway is required to operate in TLS mode, check that the certificates being used are correct. More information: "A TLS failure occurred because the remote server disconnected while TLS negotiation was in progress. The error code = 0x80131500 and the message = Unknown error (0x80131500).". Remote certificate:  (). Remote end point: [::1]:11346. Local end point: [::1]:5061.
    Event ID 1113:
    The Client Access server failed to exchange the required certificates with an IP gateway to enable Transport Layer Security (TLS). Please check that the gateway is configured to operate in the correct security mode. If the gateway is required to operate in TLS mode, check that the certificates being used are correct. More information: "A TLS failure occurred because the remote server disconnected while TLS negotiation was in progress. The error code = 0x80131500 and the message = Unknown error (0x80131500).". Remote certificate:  (). Remote end point: [::1]:11169. Local end point: [::1]:5063.
    On the Lync 2010 servers we see the following:
    Event ID 14366
    Multiple invalid incoming certificates. In the past 1 minutes the server received 1 invalid incoming certificates. The last one was from host This can happen if a remote server presents an invalid certificate due to an incorrect configuration or an attacker.Resolution:No action needed unless the number of failures is large. Contact the administrator of the host sending the invalid certificate and resolve this problem.
    So, I’m off on a hunt. And it takes me hours. Finally, after comparing everything I can think of, I decide to recreate the certificates (for what feels like the 1 zillionth time) and while I’m doing so this comes to me:
    The server name we were expecting is fch-xs13-03.fch.local
    And the certificate I was giving out had two names, the Common Name and the Subject Alternative Name….. so sometimes the service was seeing the NetBIOS SAN name - BINGO. I guess I’ve been spoiled by SAN names on Lync and Exchange so just thought “throw it in, what's the worst that’ll happen?” - It turns out, a lot!
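    Since the failure only shows up as dropped calls and Schannel event 36884, a quick pre-flight check on the certificate assigned to the UM services saves the hours of hunting described above. The script below is an added example, not from the original post or from Microsoft: it assumes Get-ExchangeCertificate objects expose Thumbprint, Services and CertificateDomains as in their default output, and it flags any UM or UM Call Router certificate whose names are not exactly the server FQDN. The two sample objects at the end are constructed (one shaped like the FQDN-plus-NetBIOS certificate in the post, one corrected), not real certificates.

```powershell
# Added example, not from the original post; assumptions are described in the lead-in.

function Test-UmCertificateNames {
    param(
        [Parameter(Mandatory)][string]$ServerFqdn,
        # Certificate objects; defaults to the live Exchange cmdlet for that server.
        [object[]]$Certificates = (Get-ExchangeCertificate -Server $ServerFqdn)
    )
    $fqdn = $ServerFqdn.ToLowerInvariant()
    foreach ($cert in $Certificates) {
        if ("$($cert.Services)" -notmatch 'UM') { continue }      # covers both UM and UMCallRouter
        $names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLowerInvariant() })
        $extra = @($names | Where-Object { $_ -ne $fqdn })
        $problem = ''
        if ($names -notcontains $fqdn) { $problem = "FQDN $fqdn missing" }
        elseif ($extra.Count -gt 0)    { $problem = "extra name(s): $($extra -join ', ')" }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Services   = "$($cert.Services)"
            Names      = ($names -join ', ')
            Ok         = ($problem -eq '')
            Problem    = $problem
        }
    }
}

# Constructed sample objects (not real certificates): the FQDN + NetBIOS SAN shape from the post, and a corrected one.
$sample = @(
    [pscustomobject]@{ Thumbprint = 'SAMPLE-THUMBPRINT-1'; Services = 'IIS, SMTP, UM, UMCallRouter'
                       CertificateDomains = @('fch-xs13-03.fch.local', 'fch-xs13-03') },
    [pscustomobject]@{ Thumbprint = 'SAMPLE-THUMBPRINT-2'; Services = 'UM, UMCallRouter'
                       CertificateDomains = @('fch-xs13-03.fch.local') }
)
Test-UmCertificateNames -ServerFqdn 'FCH-XS13-03.fch.local' -Certificates $sample | Format-Table -AutoSize

# On a real server, drop -Certificates so the live Get-ExchangeCertificate output is checked:
# Test-UmCertificateNames -ServerFqdn 'FCH-XS13-03.fch.local'
```

    Any row with Ok set to False names the offending SAN entry, which is exactly the case the Event ID 36884 text above describes: the name the UM service expected was the FQDN, and a certificate presenting a second name was rejected.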