Category Archives: Lync

Lync Online and External Contacts

Update 3/9/2015: This article now includes a previously undocumented dependency: Lync and Outlook must be on the same version for this to work.

Here is an interesting scenario that reveals a lot about how Lync Online operates. Let’s assume that two companies plan to merge and they want to have Instant Messaging and Presence between the two companies.

One company, ABC Corp, has Lync 2010 on-premises; the other, XYZ Corp, has Lync Online. Both companies have enabled federation.

Both companies would like a shared Global Address List (GAL), and they plan to use Microsoft FIM 2010 R2 GALSync, so that user objects in one forest are copied as contact objects in the other forest.

The last requirement is the ability to search for the external contacts from within the Lync client itself.

Tips:

  1. By default GALSync does not replicate the SIP address attribute "msRTCSIP-PrimaryUserAddress", so the GALSync configuration must be modified to include it. Additionally, mailNickname and targetAddress are required for Azure Active Directory Synchronization (DirSync) to export the contact to Office 365, where the Lync Online users can see it. For a list of which attributes DirSync syncs, click (here).
  2. When populating msRTCSIP-PrimaryUserAddress, prepend "sip:" to the address.
  3. When populating targetAddress, prepend "SMTP:" to the email address. For more info, see this article.
  4. mailNickname can be populated with the contents of sAMAccountName.
  5. sAMAccountName, displayName, and CN cannot be blank.
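The following is an added example, not code from the original post or from the GALSync walkthrough it cites. It stamps the three attributes GALSync leaves out by default onto a contact in the target forest, enforcing the "sip:" and "SMTP:" prefixes and the non-blank rules from the tips above, and it finds contacts that DirSync will export but that will never match a Lync search because they carry no SIP address. It assumes the ActiveDirectory RSAT module; the function names, the OU and the addresses in the usage lines are illustrative.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Set-LyncGalContact {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Identity,        # DN or GUID of the GALSync contact
        [Parameter(Mandatory = $true)][string]$SamAccountName,  # source user's sAMAccountName -> mailNickname
        [Parameter(Mandatory = $true)][string]$PrimarySmtp,     # source user's primary SMTP address
        [Parameter(Mandatory = $true)][string]$SipAddress       # source user's SIP URI, with or without "sip:"
    )

    # Tip 5: sAMAccountName, displayName and CN must not be blank.
    $contact  = Get-ADObject -Identity $Identity -Properties displayName, cn
    $required = @{ sAMAccountName = $SamAccountName; displayName = $contact.displayName; cn = $contact.cn }
    foreach ($pair in $required.GetEnumerator()) {
        if ([string]::IsNullOrWhiteSpace($pair.Value)) { throw "$($pair.Key) must not be blank for $Identity" }
    }

    # Tips 2 and 3: strip whatever prefix the caller supplied, then add exactly one in the expected casing.
    # (-replace is case-insensitive, so "SIP:" and "smtp:" are both stripped.)
    $smtp = $PrimarySmtp -replace '^smtp:', ''
    $sip  = $SipAddress  -replace '^sip:',  ''
    foreach ($addr in $smtp, $sip) {
        if ($addr -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') { throw "'$addr' is not a valid address" }
    }

    $attrs = @{
        mailNickname                  = $SamAccountName   # Tip 4
        targetAddress                 = "SMTP:$smtp"      # Tip 3
        'msRTCSIP-PrimaryUserAddress' = "sip:$sip"        # Tip 2
    }
    if ($PSCmdlet.ShouldProcess($Identity, "Set $($attrs.Keys -join ', ')")) {
        Set-ADObject -Identity $Identity -Replace $attrs
    }
    $attrs
}

# Contacts that have a targetAddress (so DirSync exports them) but no SIP address: these are
# exported to Office 365 yet can never be found by a Lync search.
function Get-ContactsMissingSip {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    Get-ADObject -SearchBase $SearchBase `
        -LDAPFilter '(&(objectClass=contact)(targetAddress=*)(!(msRTCSIP-PrimaryUserAddress=*)))' `
        -Properties mail, targetAddress |
        Select-Object Name, mail, targetAddress, DistinguishedName
}

# Usage (hypothetical names; drop -WhatIf to apply):
# Set-LyncGalContact -Identity 'CN=Jed Hill,OU=GALSync Contacts,DC=abc,DC=example' `
#     -SamAccountName jhill -PrimarySmtp jed.hill@xyz.example -SipAddress jed.hill@xyz.example -WhatIf
# Get-ContactsMissingSip
```

Run Get-ContactsMissingSip after each GALSync cycle; any contact it lists is the reason a user "cannot find" someone from the other company even though the contact shows up in Outlook.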

Brajesh Panda wrote a fantastic walkthrough for modifying GALSync to include the msRTCSIP-PrimaryUserAddress attribute, but it does not mention Lync Online. I wanted to write this article to add clarity on how external contacts can appear in Lync Online, which works only in a very limited scenario:

1. Outlook must be configured for cached Exchange Mode (this is the default configuration for Exchange Online).

[Update 3/9/2015] 2. Outlook and Lync must be on the same version (for example, Lync 2013 and Outlook 2013). Mixing versions is not supported and will not work (for example, Lync 2013 with Outlook 2010).

Additionally, external contact search is not available in Lync Mobile, OWA, or Lync for Mac. The rest of this article explains why.

Unified Contact Store (UCS)

Lync Online is a "wave 15" product and is therefore written to take advantage of the Unified Contact Store (UCS). This is significant because, according to my test results, search lookups in Lync Online appear to query only the UCS, and according to this MSFT article the UCS does not include information from the Global Address List (GAL).

Therefore, when Lync Online formats its EWS query, it appears to exclude external contacts and return only licensed Lync Online users. This applies to the Lync Online clients that rely exclusively on EWS for lookups: Lync Mobile, Lync for Mac, and Lync presence integrated into OWA. The only client that can search for and find external contacts is the Lync client for Windows, installed on a computer where Outlook is configured for cached mode and holds a local copy of the Offline Address Book. Lync is designed to supplement the EWS query with an additional MAPI query to Outlook when Outlook is in cached Exchange mode, and that query is answered from the OAB, which does contain the GAL contacts.

Note: When troubleshooting, remember that the OAB is not downloaded immediately after a fresh Outlook profile is created, so it can take some time before external contacts appear (see below for how to check for this).

Goodbye Lync Address Book

Lync Online clients do not download a Lync address book, which is the opposite of the Lync on-premises server behavior. Instead, a Lync Online client that wants to look up a contact performs a web services query in two parts. The first part depends on whether an EWS connection is available and established (note: this requires the Exchange autodiscover record to be correctly configured to point to Exchange Online). The second part is a MAPI query to the Outlook profile on the same workstation that Lync is installed on, and Outlook passes that query to Exchange on behalf of Lync. It is worth noting that when Outlook is configured for Online mode, the MAPI query Lync makes to Outlook ends up as the same EWS query against the UCS instead of the GAL, and therefore does not return external contacts. Again, cached mode is required.

Lync Online can only find external contacts in the GAL when the local Outlook client is configured for cached mode. Additionally, the SIP address of the user performing the search should match their email address; otherwise the EWS and MAPI connections fail and the user may receive authentication prompts. Also keep in mind that any updates to external contacts in the GAL will not be visible in Lync until the next time the Outlook client downloads the Offline Address Book (OAB), approximately once per day. In the worst case this can take as long as 48 hours, and that delay is by design:

  1. Exchange Online mailbox server generates a new OAB at 5:00 AM (once every 24 hours)
  2. Exchange distributes the OAB to the CAS servers (Default distribution schedule: 480 minutes)
  3. Outlook downloads the OAB (Default update schedule: 24 hours)

This means that in the worst possible scenario, an update to the Address Book won’t become available to the user until 48 hours after the change.

Example:

Monday at 09:00 - Outlook client downloads the OAB
Monday at 14:00 - A new mailbox is created
Tuesday at 05:00 - Exchange OAB generation runs
Tuesday at 09:00 - Outlook client checks for a new OAB (none published yet)
Tuesday at 11:00 - OAB virtual directory is updated
Wednesday at 09:00 - Outlook client downloads the new OAB

So yes, all of the stars must align in order for the Lync client to search for external contacts. But it does work!

Here is evidence of an external contact replicating and being searchable with Lync Online:

The local contact “Jed Hill” was created in on-premises Active Directory:

Here is the DirSync export showing that this object was copied to Office 365, where Lync Online can see it:

Next, wait for Outlook to download the Offline Address Book. You can check whether it has been downloaded by looking at the timestamps in this directory:
C:\Users\(UserName)\AppData\Local\Microsoft\Outlook\Offline Address Books\(long number)
Inside the subfolder you should see several .OAB files.
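Rather than eyeballing timestamps in Explorer, the check can be scripted. This is an added example, not code from the original post: it finds the newest .oab file under the directory named above, reports its age, and flags it as stale once it is older than the 48-hour worst case described earlier (the threshold is a parameter, since a tenant with a different OAB schedule may want another value). The function name is mine.

```powershell
# Added example (not from the original post): is the local OAB present, and how old is it?
function Get-OabStatus {
    param([int]$StaleAfterHours = 48)   # 48 h = worst-case generation + distribution + download

    $root = Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\Offline Address Books'
    $result = [ordered]@{
        Path          = $root
        Downloaded    = $false
        OabFolder     = $null
        FileCount     = 0
        LastWriteTime = $null
        AgeHours      = $null
        Stale         = $true
    }

    if (Test-Path -LiteralPath $root) {
        # One GUID-named subfolder per OAB; Outlook rewrites the .oab files on each download,
        # so the newest LastWriteTime is the last successful download.
        $files = @(Get-ChildItem -LiteralPath $root -Recurse -Filter '*.oab' -File -ErrorAction SilentlyContinue)
        if ($files.Count -gt 0) {
            $newest = $files | Sort-Object LastWriteTime -Descending | Select-Object -First 1
            $age    = (Get-Date) - $newest.LastWriteTime
            $result.Downloaded    = $true
            $result.OabFolder     = $newest.DirectoryName
            $result.FileCount     = $files.Count
            $result.LastWriteTime = $newest.LastWriteTime
            $result.AgeHours      = [math]::Round($age.TotalHours, 1)
            $result.Stale         = $age.TotalHours -gt $StaleAfterHours
        }
    }
    [pscustomobject]$result
}

Get-OabStatus | Format-List
```

Downloaded = False on a new profile means Outlook simply has not fetched the OAB yet; Stale = True on an established profile points at the Outlook download schedule or at the server-side generation schedule rather than at GALSync or DirSync.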

And here is a screen shot of me searching for the external contact by first name and getting Jed Hill back. Ignore the "presence unknown" status; I picked a fake SIP address for testing.

You can force the Outlook client to update more frequently by the methods described in this blog article here:

http://www.howto-outlook.com/howto/oabupdate.htm

Search Limitations

The limitations have already been mentioned, but to recap: external contacts are not searchable in Lync Mobile, Lync for Mac, or the OWA presence integration. Also, when Outlook is in Online mode, the regular Lync client for Windows cannot search for external contacts either. The work-around in all of these cases is for each user to type the full SIP address of any external contact that is not already pinned or saved as a favorite in their Lync contact list.

IM/Presence Limitations

Here is a screen shot showing that the Exchange Online OWA integration with Lync Online displays neither presence nor an IM button for the external contact, whereas the full Outlook client shows the IM button when replying to an email from an external contact that has a SIP address.

  • Lync Online users can pin up to 250 contacts to their Lync Contacts list.

  • Lync Online users each have a total of 200 concurrent presence subscriptions. Once that limit is reached, users can still send and receive instant messages and add users to their Contacts list, but they cannot see any additional presence information and will see a "Maximum Followers Reached" message when attempting to view a user's presence.

For more information on Lync Online features and limitations, see the Lync Online Services Descriptions here:
http://technet.microsoft.com/en-us/library/lync-online-instant-messaging-presence-and-contacts.aspx

References:

http://www.amintavakoli.com/2013/01/how-does-integration-between-outlook.html

http://tech.rundtomrundt.com/2011/10/forcing-lync-client-to-use-mapi.html

http://www.lync.geek.nz/2014/04/lync-2013-exchange-integration.html

http://msexchangeguru.com/2013/05/10/lync-and-exchange/

Lync Phone Edition TLS handshake fails with USB tethering out of the box

MSFT support engineers have identified a bug in USB tethering on Lync Phone Edition. They compared packet traces of the successful TLS handshake during PIN authentication with the failed TLS handshake during USB tethering.

They observed that during PIN authentication the phone first connects to the Lync server over port 80 to download the intermediate certificate, whereas during USB authentication the phone skips that step and immediately attempts the TLS handshake on port 443. The handshake fails because the phone does not yet have the intermediate certificate.

Quick conceptual background: a certificate chain is commonly composed of a root certificate, followed by one or more intermediate certificates, and finally the issued (leaf) certificate. A client that trusts only the root cannot validate the leaf until it has every intermediate in between, either from its own certificate store or from the server during the handshake.

So in summary, there is a bug in the Lync Phone Edition firmware that prevents the intermediate certificate download from occurring during USB tethering.

This is why USB tethering works after a PIN authentication: the PIN authentication successfully downloads the intermediate certificate.

MSFT is going to document this issue in a Knowledge Base article and then inform the product engineering team. There is no guarantee that the product group will fix this behavior, since there is a reasonable work-around: perform PIN authentication first.

Another potential fix is to find a certificate authority that skips the intermediate authority and issues device certificates directly from one of the root authorities pre-loaded on each phone, as described at the bottom of (this) MS TechNet article.

This is not very practical, because you would first have to purchase a certificate from Comodo, Verisign, Entrust, etc. to find out whether they issue directly from the root and skip the intermediate. It is also highly unlikely that you would find a CA that does not use an intermediate authority, because best practice is to keep the root offline and shielded from direct use, issuing end-entity certificates from an intermediate rather than from the root.
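Whatever the phone does, the server side of this handshake is under your control, and it is worth confirming before opening a support case. The following is an added example, not code from the original post or from Microsoft: run on a Lync Front End, it builds the chain for the server's default certificate and checks that every intermediate is present in the local Intermediate Certification Authorities store, which is what Schannel needs in order to include the intermediates in the TLS handshake so that a client holding only the root can still build a path. It assumes the Lync module is loaded; the function name is mine.

```powershell
# Added example (not from the original post). Run on a Lync Front End with the Lync module loaded.
function Test-LyncCertChain {
    param([string]$Thumbprint)

    if (-not $Thumbprint) {
        # Default certificate = the one Lync assigns to the listeners on 443.
        $Thumbprint = (Get-CsCertificate -Type Default | Select-Object -First 1).Thumbprint
    }
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # path building is the question here, not CRLs
    $built = $chain.Build($cert)

    # Schannel only sends intermediates it can find locally; "CA" is the Intermediate CAs store.
    $intermediateStore = @(Get-ChildItem Cert:\LocalMachine\CA)

    $report = foreach ($el in $chain.ChainElements) {
        $c      = $el.Certificate
        $isRoot = $c.Subject -eq $c.Issuer
        $isLeaf = $c.Thumbprint -eq $cert.Thumbprint
        [pscustomobject]@{
            Subject        = $c.Subject
            Role           = if ($isLeaf) { 'leaf' } elseif ($isRoot) { 'root' } else { 'intermediate' }
            NotAfter       = $c.NotAfter
            InLocalCAStore = (-not $isLeaf) -and (-not $isRoot) -and ($intermediateStore.Thumbprint -contains $c.Thumbprint)
            Status         = ($el.ChainElementStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
    }

    $missing = @($report | Where-Object { $_.Role -eq 'intermediate' -and -not $_.InLocalCAStore })
    $report | Format-Table -AutoSize

    if (-not $built) {
        Write-Warning "Chain did not build: $(($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')"
    }
    if ($missing.Count -gt 0) {
        Write-Warning "Intermediate(s) not in Cert:\LocalMachine\CA; a client that has only the root will fail the handshake."
    }
    if ($built -and $missing.Count -eq 0) {
        Write-Host 'Full chain builds and every intermediate is in the local CA store; Schannel can send them.'
    }
}

Test-LyncCertChain
```

If the report shows an intermediate with InLocalCAStore = False, import that CA's certificate into Cert:\LocalMachine\CA on each Front End; the phone still has the firmware bug described above, but it no longer depends on the port 80 download to complete the handshake.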

Assign Lync policies based on AD group

I adapted a script I found online to run as a scheduled task that assigns a Conferencing Policy based on membership of a global group named "CSLyncRecordingUsers". The original script accepted parameters, but I wanted the scheduled task to run with as few parameters as possible, so I commented out the lines that required arguments.

The service account needs the "Log on as a batch job" right (the logon type Task Scheduler uses for tasks that run whether the user is logged on or not) and membership in a group authorized to run Grant-CsConferencingPolicy. RTCUniversalServerAdmins works, but it grants far more than this task needs; RTCUniversalUserAdmins is also authorized to run the Grant-Cs*Policy cmdlets locally and is the least-privilege choice for an account whose only job is assigning policies.

The scheduled task just needs to reference powershell.exe and pass a single parameter with the location of the script.

_________BEGIN Assign-ToGroup.ps1____________________

# Note: the path must be in single quotes, not double quotes, or the scheduled task will not fire.
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

# Purpose: assign the Recording conferencing policy to all members of the global group CSLyncRecordingUsers.
# Original syntax (now hard-coded below): C:\Scripts\Assign-ToGroup.ps1 CSLyncRecordingUsers "RecordingAllowed"

#$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"
$strFilter = "(&(objectCategory=Group)(SamAccountName=CSLyncRecordingUsers))"

# Search the whole domain for the group and load only its member attribute.
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
[void] $objSearcher.PropertiesToLoad.Add("member")

$colResults = $objSearcher.FindAll()
$group = @()
foreach ($objResult in $colResults) {
    $group += @($objResult.Properties["member"])
}
if ($group.Count -eq 0) {
    Write-Warning "Group CSLyncRecordingUsers was not found or has no members"
    exit 1
}

# Each member value is a distinguished name, which Grant-CsConferencingPolicy accepts as the Identity.
foreach ($x in $group) {
#   Grant-CsConferencingPolicy $x -PolicyName $args[1]
    Grant-CsConferencingPolicy -Identity $x -PolicyName "RecordingAllowed"
}
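The script above only ever grants. A user who is removed from CSLyncRecordingUsers keeps the recording policy until someone notices, so the group stops being the source of truth. The following is an added example, not part of the original script: it reconciles in both directions, granting the policy to members who lack it and clearing it from users who still carry it after leaving the group, and it returns what it changed so the scheduled task can log it. It assumes the ActiveDirectory RSAT module is installed next to the Lync module (Get-ADGroupMember -Recursive resolves nested groups, which the DirectorySearcher version does not); the group and policy names are the ones used above.

```powershell
# Added example (not part of the original script). Requires the ActiveDirectory RSAT module and the Lync module.
Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

function Sync-CsConferencingPolicyToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$GroupName  = 'CSLyncRecordingUsers',
        [string]$PolicyName = 'RecordingAllowed'
    )

    # Desired state: user objects in the group, with nested groups resolved.
    $wanted = @{}
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object { $wanted[$_.distinguishedName] = $true }

    # Current state: Lync-enabled users who already hold the per-user policy (stored as Tag:<name>).
    $current = @{}
    Get-CsUser -Filter "ConferencingPolicy -eq '$PolicyName'" |
        ForEach-Object { $current[$_.DistinguishedName] = $true }

    $toGrant  = @($wanted.Keys  | Where-Object { -not $current.ContainsKey($_) })
    $toRevoke = @($current.Keys | Where-Object { -not $wanted.ContainsKey($_) })

    foreach ($dn in $toGrant) {
        if ($PSCmdlet.ShouldProcess($dn, "Grant $PolicyName")) {
            # A group member who is not Lync-enabled fails here; let the error show in the task log.
            Grant-CsConferencingPolicy -Identity $dn -PolicyName $PolicyName -ErrorAction Continue
        }
    }
    foreach ($dn in $toRevoke) {
        if ($PSCmdlet.ShouldProcess($dn, "Revoke $PolicyName (user falls back to the site/global policy)")) {
            # Granting $null removes the per-user policy assignment.
            Grant-CsConferencingPolicy -Identity $dn -PolicyName $null
        }
    }

    [pscustomobject]@{
        Group   = $GroupName
        Policy  = $PolicyName
        Granted = $toGrant
        Revoked = $toRevoke
    }
}

# Dry run first:           Sync-CsConferencingPolicyToGroup -WhatIf
# From the scheduled task: Sync-CsConferencingPolicyToGroup | Out-File C:\Scripts\Assign-ToGroup.log -Append
```

Because hashtable keys in PowerShell are case-insensitive, distinguished names returned by Get-ADGroupMember and by Get-CsUser compare correctly even when their casing differs.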

Windows Update December 2012 - KB931125 causes issues with Lync replication

We have had customers experience a replication problem between the Lync Front Ends and the Edge servers. You can check the status by running this command:

Get-CsManagementStoreReplicationStatus

We discovered that an MSFT patch issued in December was the culprit (Root Certificates optional Windows Update, December 2012, KB931125). The patch added over 300 trusted root CAs to the Trusted Root Certification Authorities store. Anything over roughly 120 apparently stops the replication service from succeeding: Schannel sends the list of trusted issuers to the other side during the TLS handshake, truncates that list when it grows too large, and the truncated list breaks the certificate validation between the Edge and the Front Ends. The 120 figure is approximate, because the limit is on the byte size of the list rather than on the number of certificates.

Resolution:

Option 1: On the Edge server, add a DWORD value named SendTrustedIssuerList to the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

and set it to 0. This stops schannel.dll from sending (and therefore truncating) the trusted root CA list from the Edge server and allows the validation tests to pass.

Option 2: Open the Trusted Root Certification Authorities store on the Edge server. If there are more than 120 certificates, delete unnecessary ones until fewer than 120 remain in any of the trusted CA stores. Be aware that removing roots affects everything on that server that validates certificate chains, so Option 1 is the lower-risk change.

http://social.technet.microsoft.com/Forums/en-AU/ocsedge/thread/1cd3be72-1f65-48ae-aa8c-498f79917492

Once we added the registry value and restarted, replication began to work again.
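To tell quickly whether an Edge server is exposed to this, and to apply Option 1 in a controlled way, the following added example (not code from the original post or the linked forum thread) counts the Trusted Root store, reports the byte size of the issuer list Schannel would send, and shows whether SendTrustedIssuerList is already set. With -Fix it writes the registry value from Option 1; nothing is deleted from any certificate store. The 120 threshold is the one given above and is a parameter; the function name is mine.

```powershell
# Added example (not from the original post). Run on the Edge server in an elevated PowerShell.
function Test-EdgeTrustedIssuerList {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$MaxRoots = 120,   # approximate threshold from the post; the real limit is the list's byte size
        [switch]$Fix            # apply Option 1 (SendTrustedIssuerList = 0); never touches the cert store
    )

    $regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $roots   = @(Get-ChildItem Cert:\LocalMachine\Root)

    # Each entry in the TLS CertificateRequest issuer list is the DER-encoded issuer name plus a 2-byte length.
    $listBytes = ($roots | ForEach-Object { $_.SubjectName.RawData.Length + 2 } | Measure-Object -Sum).Sum

    $value = (Get-ItemProperty -Path $regPath -Name SendTrustedIssuerList -ErrorAction SilentlyContinue).SendTrustedIssuerList

    $status = [pscustomobject]@{
        TrustedRootCount      = $roots.Count
        IssuerListBytes       = $listBytes
        OverThreshold         = $roots.Count -gt $MaxRoots
        SendTrustedIssuerList = if ($null -eq $value) { 'not set (default)' } else { $value }
        Mitigated             = ($value -eq 0)
    }

    if ($Fix -and -not $status.Mitigated -and $PSCmdlet.ShouldProcess($regPath, 'Set SendTrustedIssuerList = 0')) {
        New-ItemProperty -Path $regPath -Name SendTrustedIssuerList -PropertyType DWord -Value 0 -Force | Out-Null
        Write-Warning 'Restart the Edge server so Schannel picks up the change, then re-check replication.'
    }
    $status
}

Test-EdgeTrustedIssuerList
# After the restart, confirm from a Front End with: Get-CsManagementStoreReplicationStatus
```

OverThreshold = True with Mitigated = False is the vulnerable combination; rerun with -Fix (or -Fix -WhatIf first) to apply Option 1.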