Decommissioning Skype for Business Hybrid and Going Cloud Only

There is a lot of documentation out on the internet on the benefits of Skype for Business and Skype for Business Hybrid, how to configure, how to move users etc. However, there appears to be little information about what to do when Hybrid is no longer required. We have become so focused on what benefits hybrid gives us now and in the future with Skype Broadcast Meetings, Cloud PBX etc that perhaps we have forgotten not everyone needs it. There are still businesses out there who made a heavy investment in on premises infrastructure for Instant Messaging and Presence services only who are now looking at Skype for Business Online as a cheaper alternative due to its OPEX pricing model. For these businesses, they simply want to use hybrid to move users from on premises to the cloud and that’s it. So what to do once we no longer need hybrid – just turn off on premises servers? No.

Unlike Microsoft Exchange Hybrid where the integration is more heavily woven together, Skype for Business Hybrid is actually nothing more than 2 independent federated domains with the additional configuration that they share a common namespace. The sharing of the namespace allows administrators to move users between the two deployments with their data and redirect sign-in requests to the correct deployment. With any Hybrid configuration, the on premises deployment is the source of authority for that service. Therefore, sign-in requests will come to the on premises front end servers using lyncdiscover and SRV records. The on premises front end server is clever enough to realise that the user’s SIP identity and service lives (courtesy of AD) in Office 365 and will issue a redirect to the cloud service from the discovery phase. This allows the user’s client to sign in directly to the online tenant using Microsoft Office 365 URLs.

[Figure: Sign in workflow of Office 365 user from External]

[Figure: Sign in workflow of Office 365 user from Internal]


Once we understand the logic of how the system handles requests in hybrid we can begin to plan our move to cloud only delivery.

Getting Ready

Step 1. First we must ensure that all users have been moved from on premises Skype for Business / Lync to Skype for Business Online. If you still have users on premises, move them across using the following PowerShell:

# Prompt for the Office 365 admin credential used for the move
$cred = Get-Credential
Move-CsUser -Identity user@domain.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl <URL>
 

Step 2. Ensure that your business does not rely on any on premises feature of Skype for Business / Lync and you are ready to start the decommissioning process.

Step 3. Plan for some disruption – There may be some outage where clients sign out and back in, so be mindful this may happen and inform your users, managers and team of what to expect.

Execution

Step 1. Modify your external DNS zone to point to Skype for Business Online using the following table as reference

Modify Values

| Record Name | Type | Port | TTL | Destination |
|---|---|---|---|---|
| sip | CNAME | N/A | N/A | sipdir.online.lync.com |
| lyncdiscover | CNAME | N/A | N/A | webdir.online.lync.com |
| _sipfederationtls._tcp | SRV | 5061 | 3600 | sipfed.online.lync.com |

Delete Values

| Record Name | Type |
|---|---|
| dialin | A |
| meet | A |
| lyncweb | A |
| _xmpp-server | SRV |
| _sip._tls | SRV |

Please note that global DNS propagation could take up to 48 hours to complete, so once this step has been completed, do not move to step 2 until 48 hours have passed, otherwise clients may stop working externally.

Step 2. Modify your internal DNS SIP domain zone to point to Skype for Business Online using the following tables

Add Values

| Record Name | Type | Port | TTL | Destination |
|---|---|---|---|---|
| _sipfederationtls._tcp | SRV | 5061 | 3600 | sipfed.online.lync.com |

Modify Values

| Record Name | Type | Port | TTL | Destination |
|---|---|---|---|---|
| sip | CNAME | N/A | N/A | sipdir.online.lync.com |
| lyncdiscover | CNAME | N/A | N/A | webdir.online.lync.com |

Delete Values

| Record Name | Type |
|---|---|
| lyncdiscoverinternal | A |
| dialin | A |
| meet | A |
| lyncweb | A |
| _sipinternaltls._tcp | SRV |

Wait for the DNS zone to replicate between domain controllers and then clear the Active Directory DNS Caches using the following PowerShell

Clear-DnsServerCache -ComputerName dc01.domain.local -Force
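
Before moving on, it is worth confirming that the records from the external (Step 1) and internal (Step 2) tables resolve as intended and that nothing still points at the on premises servers you are about to retire. The following is an added example, not part of the original post: the function name Test-SfbOnlineDns, the public resolver 8.8.8.8 and the `_tcp` suffix on the `_xmpp-server` name are assumptions, and domain.com / dc01.domain.local are the page's placeholders.

```powershell
function Test-SfbOnlineDns {
    param(
        [Parameter(Mandatory)][string]$Domain,  # SIP domain (the page's placeholder is domain.com)
        [string]$Server,                        # resolver to query; omit for the client default
        [switch]$Internal                       # use the internal zone's delete list
    )
    $q = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $q.Server = $Server }

    # Must point at Skype for Business Online (Modify/Add tables, both zones)
    $mustExist = @(
        @{ Name = "sip.$Domain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
        @{ Name = "lyncdiscover.$Domain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
        @{ Name = "_sipfederationtls._tcp.$Domain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
    )
    # Must no longer resolve (Delete tables); SRV names are written out in full
    $mustBeGone = @(
        @{ Name = "dialin.$Domain";  Type = 'A' }
        @{ Name = "meet.$Domain";    Type = 'A' }
        @{ Name = "lyncweb.$Domain"; Type = 'A' }
    )
    if ($Internal) {
        $mustBeGone += @{ Name = "lyncdiscoverinternal.$Domain"; Type = 'A' }
        $mustBeGone += @{ Name = "_sipinternaltls._tcp.$Domain"; Type = 'SRV' }
    } else {
        $mustBeGone += @{ Name = "_xmpp-server._tcp.$Domain"; Type = 'SRV' }  # _tcp assumed
        $mustBeGone += @{ Name = "_sip._tls.$Domain";         Type = 'SRV' }
    }

    foreach ($r in $mustExist) {
        $a = Resolve-DnsName @q -Name $r.Name -Type $r.Type |
             Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $r.Type } |
             Select-Object -First 1
        $actual = if ($r.Type -eq 'SRV') { $a.NameTarget } else { $a.NameHost }
        $ok = $a -and ($actual.TrimEnd('.') -eq $r.Target) -and
              ($r.Type -ne 'SRV' -or $a.Port -eq $r.Port)
        [pscustomobject]@{ Record = $r.Name; Type = $r.Type; Expected = $r.Target; Actual = $actual; Ok = [bool]$ok }
    }
    foreach ($r in $mustBeGone) {
        $a = Resolve-DnsName @q -Name $r.Name -Type $r.Type |
             Where-Object { $_.Section -eq 'Answer' }
        $actual = ($a | ForEach-Object { $_.IPAddress, $_.NameTarget, $_.NameHost } | Where-Object { $_ }) -join ','
        [pscustomobject]@{ Record = $r.Name; Type = $r.Type; Expected = '(deleted)'; Actual = $actual; Ok = -not $a }
    }
}

# Constructed usage: external view through a public resolver, internal view through a DC
Test-SfbOnlineDns -Domain 'domain.com' -Server '8.8.8.8' | Format-Table -AutoSize
Test-SfbOnlineDns -Domain 'domain.com' -Server 'dc01.domain.local' -Internal | Format-Table -AutoSize
```

Any row with Ok = False is either a record that has not propagated yet or a stale entry still pointing at on premises infrastructure.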
 

Step 3. Clearing the Client machine DNS Cache

Clearing the DNS cache on internal domain joined clients can be tricky. You can either remote on to everyone's machine and perform an ipconfig /flushdns (if UAC is enabled, this needs to be run with admin privileges), or tell users to reboot their machines. The preferred way is to execute this administratively on demand using Windows Remote Management features. The following PowerShell will flush the DNS cache of client machines by iterating through Active Directory for computer objects:

# Requires the ActiveDirectory module and WinRM enabled on the clients
Import-Module ActiveDirectory
# Select computer objects whose operating system name contains "Windows 8"
$objects = Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object {$_.OperatingSystem -match 'Windows 8'}
foreach ($machine in $objects) {
    # Flush the resolver cache and re-register the client's DNS records
    Invoke-Command -ComputerName $machine.Name -ScriptBlock {
        Clear-DnsClientCache
        Register-DnsClient
    }
}

The above command assumes the client operating system is Windows 8, and Remote Management must be enabled on the client workstations. The user executing this must have local machine administrative rights (Domain Admin would be best).

Step 4. Disable Shared SIP Address Space

On Skype for Business Online disable Shared SIP address space using the Lync Online PowerShell command

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $false
 

On your on premises Lync / Skype for Business deployment run the following commands in the respective Management Shell

Set-CsAccessEdgeConfiguration -AllowOutsideUsers $false -AllowFederatedUsers $false
Remove-CsHostingProvider -Identity LyncOnline
 

And that’s it – a nice and easy process. Your hybrid has been removed in a managed way. All that is left for you to do now is to remove your on premises Lync deployment from your infrastructure.

Hope this helps someone.


40 comments

  1. Thanks for the great write up. It was very helpful and I was able to move to an online only install. My only question is that on my Skype dashboard my users are still showing as synced and homed online. Is there any way to move them all so that they just show up as Users in the cloud?


    1. Hi
      If there is no need to synchronize accounts from your AD anymore then you simply need to stop directory synchronization. This will convert them to “in-cloud” identities. However, if you need password sync, same sign on or single sign on, then you cannot do this, the accounts will always show as synchronized.
      thanks


      1. We will be decommissioning on-premise lync system after everything is moved. We do want to keep Directory Sync running, how will this work since we won’t have the console to manage the users locally?


      2. Hi
        AADSync is a separate application. That will continue to synchronise your AD to the cloud as synched accounts. Without hybrid you would simply use the skype for business online control panel for edits
        thanks


      1. I’m thinking about either do a simple cutover from Lync 2013 to S4b online or setup a hybrid which I will probably break once all finished..The most important thing to migrate to o365 is the Contacts…The Exchange 2013 is on-prem and do not run UCS..Will the contacts be migrated?


      2. If you perform a sfb hybrid and move users to the cloud, then their custom contact groups and contacts in Lync will remain. If you just enable them in the cloud without moving them, the contacts will be lost. The only other way of keeping contacts in that situation is to export and import contacts the client side using the SDK.


      3. Ok! Thanks! If the scenario were the same except that UCS is used, will the contact list be migrated to online users when Exchange is on premise? If so, do I have to inactivate UCS before I break the hybrid (to decommission the on-prem Lync servers)?


  2. Ok! I guess ucs in Office 365 is only working with exchange online then?

    So, what i need to do is:
    Remove ucs.
    Create hybrid and move users online
    Break hybrid and decommission on prem lync?


  3. Hi, it worked all the way except for the very last command…

    Remove-CsHostingProvider –Identity LyncOnline

    (in my case it is Remove-CsHostingProvider –Identity SkypeForBusiness)

    and I got this error message:

    This hosting provider is enabled for shared address space and there are “1” (SIP enabled)

    not sure why… and google is not helping me much….


    1. Hi

      In Skype Online PowerShell, turn off shared SIP address space Set-CsTenantFederationConfiguration -SharedSipAddressSpace $False wait for 15 minutes for replication and then remove your hosting provider settings. This setting should be the last thing you do, after this your on-prem deployment is ready for decom.

      thanks


      1. thanks for your reply… I ran the Set-CsTenantFederationConfiguration -SharedSipAddressSpace $False 3 hours ago and made sure all the sync occurred.. still getting the same error message…

        Will open a service request with MS and will let you know what’s up.


    2. I got this error as well, the cause was our on-prem lync server was still seeing all the lync users as enabled LyncOnline users homed to sipfed.online.lync.com. To correct I had to remove all the msRTCSIP-* AD attributes for all users. If we tried to disable the users using the on-prem LyncAdmin page it would disable them in Office365 as soon as a DirSync\ADConnect ran, this resulted in Office365 disabling their Lync access. So, the fix was to clear (set to ) the AD attributes, I used a powershell script to do this against a file. To use:

      1. Create a csv with the name of lyncusers.csv with the column heading of alias and list all usernames to be removed under that alias column.
      2. Run the script
      3. Wait for dirsync\ADconnect to run
      4. Verify you no longer have any on-prem lync users by running Get-CsUser in powershell
      5. Retry Remove-CsHostingProvider -Identity LyncOnline

      Powershell script(use at your own risk)

      $(foreach ($i in (Import-Csv .\lyncusers.csv)){set-aduser $i.Alias -clear msRTCSIP-UserEnabled,msRTCSIP-PrimaryUserAddress,msRTCSIP-DeploymentLocator,msRTCSIP-FederationEnabled,msRTCSIP-InternetAccessEnabled,msRTCSIP-OptionFlags,msRTCSIP-PrimaryHomeServer,msRTCSIP-Line})

      One note about the above powershell script is to verify that your environment has the same msRTCSIP attributes set, you may find that additional attributes are set or not set and you need to adjust the script accordingly, the above attributes are just what was set in my environment.

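
The comment above notes that the set of msRTCSIP attributes differs between environments. The following read-only inventory is an added example, not the commenter's script: it lists which msRTCSIP-* attributes are actually populated, saves their values, and reports any that the comment's -clear list would miss. The function name Get-MsRtcSipInventory and the output file name are assumptions.

```powershell
# Read-only: nothing in Active Directory is modified by this block.
Import-Module ActiveDirectory

function Get-MsRtcSipInventory {
    param([string]$SearchBase)   # optional OU distinguished name to limit the search

    $params = @{
        LDAPFilter = '(|(msRTCSIP-PrimaryUserAddress=*)(msRTCSIP-UserEnabled=*))'
        Properties = '*'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($u in Get-ADUser @params) {
        # AD returns only populated attributes, so every name found here is set
        foreach ($name in ($u.PropertyNames | Where-Object { $_ -like 'msRTCSIP-*' })) {
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                Attribute      = $name
                Value          = @($u.$name) -join ';'
            }
        }
    }
}

# The attributes cleared by the script in the comment above
$cleared = 'msRTCSIP-UserEnabled', 'msRTCSIP-PrimaryUserAddress', 'msRTCSIP-DeploymentLocator',
           'msRTCSIP-FederationEnabled', 'msRTCSIP-InternetAccessEnabled', 'msRTCSIP-OptionFlags',
           'msRTCSIP-PrimaryHomeServer', 'msRTCSIP-Line'

$rows = @(Get-MsRtcSipInventory)

# Record of the values as they were before any change
$rows | Export-Csv .\msrtcsip-before.csv -NoTypeInformation

# How many users carry each attribute
$rows | Group-Object Attribute | Sort-Object Count -Descending | Select-Object Count, Name

# Attributes set in this environment that the comment's list does not cover
$rows.Attribute | Sort-Object -Unique | Where-Object { $_ -notin $cleared }
```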

      1. Hi RK,

        Query on your process, thanks for sharing by the way. I had the same issue as others when running the command:
        Remove-CsHostingProvider –Identity SkypeforBusiness
        Then getting the error:
        This hosting provider is enabled for shared address space and there are “1” (SIP enabled)

        This was overcome using the -force switch on the above command to remove the hosting provider. However when trying to then disable users after removing the Hybrid relationship as per Marks article, in order to decommission the on premise environment, users are still being disabled within SfBO after AADSync runs a delta sync.

        After the above was complete, I removed an individuals msRTCSIP attributes (set to ) and synced. This removed the user from SfBO.

        Am I missing something here? Anybody else tried the suggested solution and had the same issue?

        @Mark – quick one, if I remove the Hybrid and don’t disable the users on premise the decomm process won’t work, is that correct?

        I decommissioned an environment last week and never had these issues (SfB on premise > Hybrid > SfBO. All users migrated to SfBO). So stuck as to why I’m having these issues now.

        Thanks All.


  4. Hi Mark, Thanks for writing the doc as I was not able to find this info anywhere. Just one question if we already have AD Sync in place then do we still need to run the move user command? or Is the command required to move the contact list for the users?


    1. Hi yes, you will still need to run the move command, this will move all sfb settings over to sfb online. the AD sync is just synchronising identities, this will be telling sfb online that the sfb identity is homed on-prem otherwise.
      thanks


  5. Hi Mark, did you ever find out from Microsoft why you could not run the command Remove-CsHostingProvider –Identity LyncOnline ? Did you just have to wait longer for replication or was there another step that had to be done? I received the same error…thanks!


  6. Hi Mark,

    Thanks for this article.
    I have exactly the same

    Set-CsAccessEdgeConfiguration –AllowOutsideUsers $false –AllowFederatedUsers $false

    OK

    Remove-CsHostingProvider –Identity SkypeforBusiness

    and I got this error message:

    This hosting provider is enabled for shared address space and there are “1” (SIP enabled)
    I checked all users and they are all cloud

    I already ran the disable shared space online..4 hours ago
    I forced Azure Connect to run.

    What I am planning to do is just to remove the on premise environment and unprep the domain and forest.

    BUT will this not break anything for instance removing the SIP address of users in the cloud?

    John


  7. Hi Mark, what is the best practice to remove the on premises Lync deployment from our infrastructure? Uninstall each application using Programs/Features? Re-run Setup? Any extra clean-up commands which need to be manually ran?


    1. Hi,

      The best approach first make sure that there are no users enabled for your on-prem deployment. if there are, disable these.

      Then you need to remove any trusted application pools from the topology and also any trusted application endpoints from the configuration. Remove-Cstrustedapplicationendpoint command will help.

      Then you will need to remove the dialin conferencing endpoint using remove-csdialinconferencingaccessnumber

      Then remove the conference directories remove-csconferencedirectory

      then, remove the following, common area phone accounts, all voice configuration, all analog devices, all rgs config, all call park settings, any exchange um contact object you have.

      then remove all servers but the one that holds the cms and publish the topology

      run export-csconfiguration command on the last front end and copy the zip file to your edges. Then run the deployment wizard (step 3) and supply the zip file when prompted. This will remove components from the servers. On all other front end servers, pchats, directors run the deployment wizard (step 3) to remove the components.

      Once done, run publish-cstopology -finalizeuninstall

      then on the cms server run c:\prog files\lync\bootstrapper.exe /scorch to remove the components

      once done, you can remove the cms database, uninstall-csdatabase -centralmanagementdatabase -sqlserverfqdn -sqlinstancename

      Remove the scp from AD once the above has completed remove-csconfigurationlocation command

      then finally disable-csaddomain and disable-csadforest

      hope this helps

      thanks


      1. Shouldn’t this comment be part of the main article? lol. I am using your document as a foundational template for my process to decom Skype onprem and be Online only. I am going to steal your work and use it as means for a pay raise. Anyways, back to the point, thanks for the article. As I was going through the main article I was wondering where your info on “what do to w/ the topology” and found this comment gem)


  8. Hi. I only have a handful of users onprem using SFB. Can i simply decommission onprem and start new (switch over all the DNS records) with Skype online without going through Hybrid config? I’m not confident hybrid would work bc this was more or less an “unfinished” Skype deployment for testing the instant messenger. Therefore no Edge, no external access, phones, meetings, etc. I’d rather start new. Is this possible for allowing my onprem users to just access Skype online?


  9. Microsoft states that there should be an SRV record for
    _sip._tls

    but you state that record should be deleted. What are your thoughts on that srv record? when I run a Lync connectivity test it’s looking for _sip._tls but fails since we have deleted per this article.


  10. After having the same problem as other users when attempting to run Remove-CSHostingProvider, I used the -force parameter when running Remove-CSHostingProvider and this worked.


  11. Hi Mark

    I have a quick question on the decommissioning process and attributes. Say you have removed your on premise Lync system and are now enabling users directly in Office 365 with a Skype licence. Let’s say a new user starts and is enabled in Office365. In the local AD that is currently sync’ed to 365 the attribute “msRTCSIP-PrimaryUserAddress” will be blank as you would expect.

    What happens to the user’s SIP address if a Full resync is done? Do the existing users in Azure lose their SIP address as the blank value overwrites the Online attribute.

    many thanks
    Chris


    1. Hi

      If the msRTCSIP-PrimaryUserAddress is empty, then when synched to 365 the proxyAddresses attribute is looked at. If this does not contain SIP: then the UPN is used as the primary SIP in 365.

      thanks


      1. Thank you Mark, was my understanding as well but could not find it documented anywhere (very well) 🙂

