OCS 2007 R2 Front-End Validation problems

  • Question

  • Here's my setup: AD, DNS, CA, and DHCP are all running on a Windows Server 2003 SP 32 Bit machine. I am installing OCS 2007 R2 Standard Edition, WITHOUT Edge Server, on a Windows Server 2008 Standard 64 Bit Virtual Server. I had some issues getting a certificate to work with OCS but I was finally able to do it by creating one manually and importing it to OCS. I have been able to finish the install but when I go to validate the install, everything validates without problems except for Front-End Configuration.

    I should also mention that we are running ISA Server 2006

    Here are the errors I am getting:

    Execute Action       Failure
    [0xC3FC200D] One or more errors were detected
    Diagnose Server       Failure
    [0xC3FC200D] One or more errors were detected
    Check Configuration       Failure
    [0xC3FC200D] One or more errors were detected
    Check Pool Configuration   Pool Name: CMSOCS.doctornetwork.com
      Failure
    [0xC3FC200D] One or more errors were detected
    Check Pool Hosted User Setting   AD search filter: (&(msRTCSIP-PrimaryHomeServer=CN=LC Services,CN=Microsoft,CN=CMSOCS,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=doctornetwork,DC=com)(!(msRTCSIP-OptionFlags:1.2.840.113556.1.4.803:=256)))
    All users enabled for enhanced presence: False
    AD search filter: (&(msRTCSIP-PrimaryHomeServer=CN=LC Services,CN=Microsoft,CN=CMSOCS,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=doctornetwork,DC=com)(msRTCSIP-OptionFlags:1.2.840.113556.1.4.803:=128))
    Any user enabled for voice routing: True
    AD search filter: (&(msRTCSIP-PrimaryHomeServer=CN=LC Services,CN=Microsoft,CN=CMSOCS,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=doctornetwork,DC=com)(msRTCSIP-FederationEnabled=TRUE))
    Any user enabled for federation: False
    AD search filter: (&(msRTCSIP-PrimaryHomeServer=CN=LC Services,CN=Microsoft,CN=CMSOCS,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=doctornetwork,DC=com)(msRTCSIP-InternetAccessEnabled=TRUE))
    Any user enabled for remote access: False
    AD search filter: (&(msRTCSIP-PrimaryHomeServer=CN=LC Services,CN=Microsoft,CN=CMSOCS,CN=Pools,CN=RTC Service,CN=Microsoft,CN=System,DC=doctornetwork,DC=com)(msRTCSIP-OptionFlags:1.2.840.113556.1.4.803:=1))
    Any user enabled for public IM connectivity: False
    Warning: One or more pool hosted users are enabled for telephony, federation or remote access, but no audio-video edge server is specified for the pool.
    Error: One or more pool hosted users are enabled for telephony, but default location profile hasn't been specified for the pool.
      Failure
    [0xC3FC200D] One or more errors were detected
    Internal Server MAIN.doctornetwork.com   DNS Resolution succeeded: 192.168.0.10 192.168.0.9
    TLS connect failed: 192.168.0.10:5061 Error Code: 0x274d No connection could be made because the target machine actively refused it 192.168.0.10:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
    Suggested Resolution: Ensure that the DNS records have been setup correctly. If this server is an Access Edge Server, make sure outside user access is enabled.
    TLS connect failed: 192.168.0.9:5061 Error Code: 0x274d No connection could be made because the target machine actively refused it 192.168.0.9:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
    Suggested Resolution: Ensure that the DNS records have been setup correctly. If this server is an Access Edge Server, make sure outside user access is enabled.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using Kerberos   Maximum hops: 2
    Failed to register user: User sip:robin@doctornetwork.com @ Server MAIN.doctornetwork.com
    Failed to send SIP request: No connection could be made because the target machine actively refused it 192.168.0.10:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using NTLM   Maximum hops: 2
    Failed to register user: User sip:robin@doctornetwork.com @ Server MAIN.doctornetwork.com
    Failed to send SIP request: No connection could be made because the target machine actively refused it 192.168.0.10:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using Kerberos   Maximum hops: 2
    Failed to register user: User sip:jkirk@doctornetwork.com @ Server MAIN.doctornetwork.com
    Failed to send SIP request: No connection could be made because the target machine actively refused it 192.168.0.10:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
    Attempting to login user using NTLM   Maximum hops: 2
    Failed to register user: User sip:jkirk@doctornetwork.com @ Server MAIN.doctornetwork.com
    Failed to send SIP request: No connection could be made because the target machine actively refused it 192.168.0.10:5061
    Suggested Resolution: Make sure that the server is listening on the specified IP address/Port/Transport. If you have a firewall make sure that this port is open. Make sure that the server is running. If this is an Edge Server, ensure that remote user access has been enabled. This can be ignored if you have not enabled the transport on the target server.
      Failure
    [0xC3FC200D] One or more errors were detected
    Check two-party IM    Check two-party IM: Skipped due to user registration failure
      Failure
    [0xC3FC200D] One or more errors were detected
    Friday, May 22, 2009 6:57 PM

All replies

  • I presume the services have started OK? I can't be sure but I'd lay odds that you have an issue with the certificate given that you 'created one manually' (How? What template did you use? In my experience OCS is fussy around certs). As you're using an internal CA, try rerunning the certificates wizard from within OCS Admin console (right-click the server) and requesting / assigning a cert from there. Make sure you have the FQDN (server if SE or pool if EE) as sn and sip domains in the SAN field. And check out the users enabled for federation - if you're not doing it, then don't enable them - select all users and run through the configure wizard. If that all fails, then you could double-check Windows Firewall isn't your issue by disabling it temporarily, but this isn't normally the problem...

    HTH, cheers...


    Tim
    Saturday, May 23, 2009 10:12 AM
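
Added example, not part of the original posts and not the validation wizard's own code: a Python sketch of the two checks discussed so far, classifying the connect attempt to port 5061 on every address the server name resolves to (the wizard's 0x274d is Winsock error 10061, connection refused) and checking a certificate's names against the advice in the reply above. The function names and the `example.test` host names are hypothetical, the certificate dicts are constructed in the format returned by `ssl.SSLSocket.getpeercert()`, and which SAN entries to require is left to the caller.

```python
import socket

SIP_TLS_PORT = 5061  # port the validation wizard could not reach

def probe(ip, port=SIP_TLS_PORT, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused', 'timeout' or 'error'."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"  # peer sent a reset: usually nothing is listening on ip:port
    except socket.timeout:
        return "timeout"  # no reply at all: often a packet filter dropping the SYN
    except OSError:
        return "error"

def probe_all(fqdn, port=SIP_TLS_PORT):
    """Probe every IPv4 address the name resolves to, one result per address."""
    infos = socket.getaddrinfo(fqdn, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0]: probe(info[4][0], port) for info in infos}

def missing_names(cert, fqdn, required_sans):
    """Check an ssl.getpeercert()-style dict against the naming advice above."""
    cns = {v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"}
    sans = {v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"}
    problems = []
    if fqdn.lower() not in cns:
        problems.append("subject name is not " + fqdn)
    if not sans:
        problems.append("certificate has no DNS subjectAltName entries")
    problems += ["SAN lacks " + n for n in required_sans if sans and n.lower() not in sans]
    return problems

# Constructed certificate dicts (hypothetical names, not taken from the thread's server).
NO_SAN_CERT = {"subject": ((("commonName", "ocs01.example.test"),),)}
GOOD_CERT = {"subject": ((("commonName", "ocs01.example.test"),),),
             "subjectAltName": (("DNS", "ocs01.example.test"), ("DNS", "sip.example.test"))}

if __name__ == "__main__":
    print(probe_all("localhost"))
    print(missing_names(NO_SAN_CERT, "ocs01.example.test", ["sip.example.test"]))
```

A "refused" result on every resolved address, as in the validation output, points at the listener on the server rather than at a firewall silently dropping traffic.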
  • Yes, the services started without a problem. I tried to rerun the certificate wizard and it says that it was unable to contact the CA. I have double and triple checked the FQDNs. As far as users go, it's not recognizing any; if I select users in the OCS Admin console nothing is in the list, and when I select find users it says that it could not create the query dialog. Also both Windows firewalls are off, but we are running ISA 2006 for our external firewall... We used the web server template.
    Tuesday, May 26, 2009 2:33 PM
  • OK. The first error is not Federation (my mis-read of the log, sorry) - it is regarding some users being enabled for Enterprise Voice - that's what the check for the msRTCSIP-OptionFlags property value is - 128 = Enterprise Voice. Whether this has come from something in your environment from a previous install or LCS, or some accidental admin I don't know, but it seems you have a user enabled for Enterprise Voice. You can configure OCS users in AD users and computers as well - select all users, right-click and choose 'Configure Communications Server Users' - on about the 4th screen you can choose to disable Enterprise Voice. Or you could set a default location profile in forest properties if you're going to use Enterprise Voice.

    The second error is more of a problem I guess. Can Communicator connect to the server? If not, do you get errors in the event log on the client?

    I believe your problems are down to MTLS authentication not happening. One reason could still likely be down to your certificate. Does the web server cert allow for subject alternative names? I didn't think it did.. I remember reading somewhere that the OCS wizard creates a template on the fly and I've certainly had more success using this than any other certreq mechanism. If you can't contact your online CA (troubleshoot? can you browse to http://servername/certsrv?) try it as an offline request, then copy the contents of the file to the cert server and process it that way?

    Another possibility could be DNS. I see you have two IP addresses (192.168.0.9 and 192.168.0.10) and the validation wizard is trying to connect on both on port 5061. I have seen validation wizard complain when I've had multiple IPs but in practice this didn't cause any issues. Double-check the SRV and host records.

    Anyone else feel free to chime in and correct me if you have better ideas :-)

    Cheers,

    Tim
    Wednesday, May 27, 2009 11:02 AM
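
Added example, not part of the original posts: a Python sketch of how the `msRTCSIP-OptionFlags` clauses in the validation output select users. The OID `1.2.840.113556.1.4.803` is the LDAP bitwise-AND matching rule, and the bit meanings (1, 128, 256) are the ones given in the validation output and the reply above. The user records are constructed sample data and the function names are hypothetical.

```python
import re

BIT_AND = "1.2.840.113556.1.4.803"  # bitwise-AND matching rule OID used in the filters
# Bit meanings as stated in the validation output and the reply above.
FLAG_NAMES = {1: "public IM connectivity", 128: "Enterprise Voice", 256: "enhanced presence"}
CLAUSE = re.compile(r"(\(!)?\(msRTCSIP-OptionFlags:" + re.escape(BIT_AND) + r":=(\d+)\)")

def parse_flag_clause(ldap_filter):
    """Return (negated, mask) for the OptionFlags clause of a wizard filter, or None."""
    m = CLAUSE.search(ldap_filter)
    return (m.group(1) is not None, int(m.group(2))) if m else None

def matches(option_flags, negated, mask):
    """Bit-AND rule: a hit when every bit of mask is set; '!' inverts the result."""
    hit = (option_flags & mask) == mask
    return not hit if negated else hit

def decode(option_flags):
    """Names of the known bits set in one user's msRTCSIP-OptionFlags value."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if option_flags & bit]

def users_matching(users, ldap_filter):
    """SIP URIs of the users whose flag value satisfies the filter's flag clause."""
    clause = parse_flag_clause(ldap_filter)
    if clause is None:
        raise ValueError("no msRTCSIP-OptionFlags bit-AND clause in filter")
    return sorted(u for u, flags in users.items() if matches(flags, *clause))

# Constructed sample data: SIP URI -> msRTCSIP-OptionFlags value.
USERS = {"sip:alice@example.test": 256, "sip:bob@example.test": 384, "sip:carol@example.test": 0}
# Flag clauses as they appear in the validation output (home-server clause left out).
VOICE = "(msRTCSIP-OptionFlags:1.2.840.113556.1.4.803:=128)"
NOT_ENHANCED = "(!(msRTCSIP-OptionFlags:1.2.840.113556.1.4.803:=256))"

if __name__ == "__main__":
    print("Enterprise Voice:", users_matching(USERS, VOICE))
    print("Not enhanced presence:", users_matching(USERS, NOT_ENHANCED))
    for user, flags in sorted(USERS.items()):
        print(user, flags, decode(flags))
```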
  • I'm not exactly sure what happened, but suddenly the clients were able to connect... I'm not sure exactly what fixed it, but I appreciate your response... now I'm just trying to figure out how to do PIC
    Wednesday, May 27, 2009 2:03 PM