Recently, I stumbled into a scenario where Lync Online accounts appeared to get crunched by a series of enabling and disabling DirSync within the Office 365 tenant. Getting the issue resolved was enough a puzzle that I figured it was worth sharing.
- Office 365 Plan Enterprise Plan (E1 E3 E4)
- Directory Synchronization (DirSync)
- On-Premises Active Directory
- On-Premises Exchange Server 2010
- Lync Online
In this case, the users had been assigned Lync Online licenses within Office 365 and had been successfully using the Lync client for several months until DirSync was re-enabled for the tenant. Once DirSync had been re-established, the users immediately lost the ability to log into the Lync client and were no longer visible as Lync Users in the Lync Online Admin panel.
Despite not appearing as Lync Users, the “Edit Lync properties” link found under quick steps on the Office 365 Users & Groups page was active for the affected users (as shown below). When clicked, an error is displayed:
“This feature has not been set up or is unavailable at this location”
Users may also experience the following error when attempting to sign in to the Lync client:
“Cannot sign in to Lync because this sign-in address was not found”
Office 365 Users & Groups – Affected User
Office 365 / Lync Online Error Page – (after clicking “Edit Lync properties)
The first thought was that SIP entries had gotten overwritten or misconfigured in the properties of the on-prem AD user, but all SIP-related addresses, proxies and DNS entries all appeared to be correct.
It turned out that Lync Server 2010 had been deployed (and later decommissioned) on-premises at some point, extending the local Active Directory schema with Lync attributes. The users that were affected by this issue each had multiple attributes defined in the properties of their local Active Directory that correlated to the internal implementation of Lync Server – a fact that should have prevented the users from accessing Lync Online since the initial DirSync was performed. In this case, no on-prem Lync deployments were present (or planned in the future), so these attributes (beginning with msRTCSIP) could be removed.
More information regarding the attributes that are added / modified when Office Communications Server (OCS) or Lync Server is deployed to the on-premises environment can be found here: http://support.microsoft.com/kb/2705378 . The full list of schema class and descriptions for Lync Server can be found here: http://technet.microsoft.com/en-us/library/gg398625.aspx
To restore Lync Online usage, several attributes had to be cleared for the internal AD accounts, a full DirSync synchronization was performed and lastly Lync Online licenses were removed and reassigned to the affected users.
- Clean up user attributes using ADSI-Edit
- Force a full DirSync synchronization job
- Remove Lync Online license from each affected user
- Add Lync Online license for each affected user
Step 1 – Clean up user attributes using ADSI-Edit
Using ADSI-Edit, the properties of each affected user were viewed and all attributes beginning with “msRTCSIP” were cleared, setting the values to <not set>.
The msRTCSIP attributes are listed below:
- msRTCSIP-AcpInfo
- msRTCSIP-ApplicationOptions
- msRTCSIP-ArchivingEnabled
- msRTCSIP-DeploymentLocator
- msRTCSIP-FederationEnabled
- msRTCSIP-GroupingID
- msRTCSIP-InternetAccessEnabled
- msRTCSIP-Line
- msRTCSIP-LineServer
- msRTCSIP-OptionFlags
- msRTCSIP-OriginatorSid
- msRTCSIP-OwnerUm
- msRTCSIP-PrimaryHomeServer
- msRTCSIP-TargetHomeServer
- msRTCSIP-TargetUserPolicies
- msRTCSIP-TenantId
- msRTCSIP-UserEnabled
- msRTCSIP-UserExtension
- msRTCSIP-UserLocationProfile
- msRTCSIP-UserPolicies
- msRTCSIP-UserPolicy
ADSI-Edit – User Properties, Attributes beginning with msRTCSIP
One by one, select each attribute that begins with msRTCSIP and click the “Edit” button. Skip those attributes that are already defined as “<not set>”
Once the String Attribute Editor window appears, click the “Clear” button.
At that point, the value should be reset to “<not set>“, as shown below.
Click the “Ok” button.
Repeat this process for each msRTCSIP attribute that contains a value other than not set.
Step 2 – Force a full DirSync synchronization job
To force a synchronization using DirSync, you can follow the TechNet guidance here: http://technet.microsoft.com/en-us/library/jj151771.aspx#BKMK_SynchronizeDirectories
Unfortunately, the server running DirSync in this environment had some issues loading the DirSync module, so it was run manually by running the DirSyncConfigShell.PSC1 file from its native location:
C:\ProgramFiles\Windows Azure Active Directory Sync\DirSyncConfigShell.psc1
Once the DirSyncConfigShell is located, right-click and select “Open“, as shown below.
File Location – DirSyncConfigShell
Next, trigger the synchronization by entering the following command:
Start-OnlineCoexistenceSync
Press enter.
Executing Full Synchronization
The script should run and you will be returned to the prompt as seen above.
Step 3 – Remove Lync Online license from each affected user
From the Office 365 Admin – Users & Groups screen, click on the display name of the affected user.
Next, Click “licenses” from the left menu.
Remove the checkmark next to “Lync Online“, and click the “save” button at the bottom of the page (as depicted below).
Step 4 – Add Lync Online license for each affected user
Repeat the steps show in the previous step, but this time you will select (check) the Lync Online license for the user.
Once the license is re-assigned, the user will be provisioned for Lync Online. This process may take several hours.
When the process is complete, the user will appear in the Lync Admin – Users screen and they will be able to sign in using the Lync client.
If you have a large number of users affected by this issue (or similar), the removal and re-assignment of licenses can be performed via PowerShell. More info and specifics can be found here: http://www.powershellmagazine.com/2012/04/23/provisioning-and-licensing-office-365-accounts-with-powershell/