Friday, February 5, 2016

Skype for Business Hybrid Remote PowerShell

I recently began working on a couple of hybrid deployments, both internally and for clients. One of the first things that I noticed was that it was not as straightforward to get connected to remote PowerShell as it was for Azure AD or Exchange Online. The first thing to note is that if you are in a hybrid and you have your lyncdiscover.domain.com pointed to your on-premises environment, you will be greeted with the following error:



Get-CsPowerShellEndpoint : Unable to connect to the remote server
At C:\Program Files\Common Files\Skype for Business
Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+             $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+                          ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
    + FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCmDlet

Normally the workaround that has been in place for this is to specify the -OverrideAdminDomain switch and specify your tenant. However, I have recently learned that this does not always work. When I tried, I was greeted with the following error:


New-PSSession : [admin0b.online.lync.com] Processing data from remote server admin0b.online.lync.com failed with the
following error message: The specified tenant 'spscom.onmicrosoft.com' could not be found in current forest. Please
verify the tenant Identity and then try again. For more information, see the about_Remote_Troubleshooting Help topic.
At C:\Program Files\Common Files\Skype for Business
Online\Modules\SkypeOnlineConnector\SkypeOnlineConnectorStartup.psm1:118 char:16
+     $session = New-PSSession -ConnectionUri $ConnectionUri.Uri -Credential $webt ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : OpenError: (System.Manageme....RemoteRunspace:RemoteRunspace) [New-PSSession], PSRemotin
   gTransportException
    + FullyQualifiedErrorId : IncorrectProtocolVersion,PSSessionOpenFailed


I opened a ticket with Microsoft and we were able to get connectivity to work by specifying the -OverridePowerShellURI parameter, and then using the same URL that you use to access the control panel within O365:

New-CsOnlineSession -Credential $cred -OverridePowerShellUri "https://admin2a.online.lync.com/OcsPowershellLiveid"

We escalated this issue to the product group, which responded with the following:

There is a known issue currently where DomainUrlMap (what gets used for Autodiscovery) is only being populated with the domains of online enabled users. While our tenant does have some online enabled users, it would appear that those users are all on spscom.com – Autodiscover doesn’t know about the spscom.onmicrosoft.com domain so you get routed somewhat randomly when trying to resolve that domain.

There are two workarounds – 1) you could enable a user for spscom.onmicrosoft.com and subsequently disable it, once the domain is in the DomainUrlMap it should remain there, or 2) use “-OverrideAdminDomain spscom.com”, which is already in the DomainUrlMap.

Solution:

I created a new cloud-only user with an onmicrosoft.com UPN, licensed them for Skype for Business Online, and then was able to successfully access remote PowerShell:


You can then remove the cloud-only user; it is only needed to add the onmicrosoft.com domain to the DomainUrlMap.
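The connection routes discussed in this post (autodiscovery, -OverrideAdminDomain, then -OverridePowerShellUri) can be tried in order from one helper. This is an added example, not code from the original post or from Microsoft; the function name Connect-SfbOnlineHybrid is hypothetical, and the domains and admin URI are the ones quoted above, so substitute your own.

```powershell
# Added example: try each route from the post in turn and report which one worked.
function Connect-SfbOnlineHybrid {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [pscredential] $Credential,
        [string[]] $AdminDomain = @(),   # candidates for -OverrideAdminDomain
        [uri] $PowerShellUri             # last resort for -OverridePowerShellUri
    )

    Import-Module SkypeOnlineConnector -ErrorAction Stop

    # Attempt list: plain autodiscovery first, then each admin domain, then the fixed URI.
    $attempts = @(@{})
    foreach ($d in $AdminDomain) { $attempts += @{ OverrideAdminDomain = $d } }
    if ($PowerShellUri) {
        # Credentials are sent to this endpoint, so only accept HTTPS.
        if ($PowerShellUri.Scheme -ne 'https') { throw "Refusing non-HTTPS endpoint: $PowerShellUri" }
        $attempts += @{ OverridePowerShellUri = $PowerShellUri.AbsoluteUri }
    }

    foreach ($extra in $attempts) {
        $label = if ($extra.Count) {
            ($extra.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join ' '
        } else { 'autodiscover' }
        try {
            $session = New-CsOnlineSession -Credential $Credential @extra -ErrorAction Stop
            if ($session) {
                Write-Verbose "Connected via $label"
                return $session
            }
            Write-Warning "Attempt '$label' returned no session"
        }
        catch {
            Write-Warning "Attempt '$label' failed: $($_.Exception.Message)"
        }
    }
    throw 'All Skype for Business Online connection attempts failed.'
}

# Prompt for the credential instead of storing it in the script.
$cred = Get-Credential
$session = Connect-SfbOnlineHybrid -Credential $cred `
    -AdminDomain 'spscom.onmicrosoft.com', 'spscom.com' `
    -PowerShellUri 'https://admin2a.online.lync.com/OcsPowershellLiveid' -Verbose
Import-PSSession $session
```

The warnings show which route failed and why, which is the information the support ticket above turned on.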

1 comment:

  1. Hey thanks man - you were the only article on the Internet that returned a result and you were spot on the money!
