Decommissioning Skype for Business Hybrid and Going Cloud Only

There is a lot of documentation on the internet about the benefits of Skype for Business and Skype for Business Hybrid, how to configure it, how to move users, etc. However, there appears to be little information about what to do when Hybrid is no longer required. We have become so focused on the benefits hybrid gives us now and in the future, with Skype Broadcast Meetings, Cloud PBX, etc., that perhaps we have forgotten that not everyone needs it. There are still businesses that made a heavy investment in on premises infrastructure for Instant Messaging and Presence services only and are now looking at Skype for Business Online as a cheaper alternative due to its OPEX pricing model. These businesses simply want to use hybrid to move users from on premises to the cloud, and that’s it. So what do we do once we no longer need hybrid? Just turn off the on premises servers? No.

Unlike Microsoft Exchange Hybrid where the integration is more heavily woven together, Skype for Business Hybrid is actually nothing more than 2 independent federated domains with the additional configuration that they share a common namespace. The sharing of the namespace allows administrators to move users between the two deployments with their data and redirect sign-in requests to the correct deployment. With any Hybrid configuration, the on premises deployment is the source of authority for that service. Therefore, sign-in requests will come to the on premises front end servers using lyncdiscover and SRV records. The on premises front end server is clever enough to realise that the user’s SIP identity and service lives (courtesy of AD) in Office 365 and will issue a redirect to the cloud service from the discovery phase. This allows the user’s client to sign in directly to the online tenant using Microsoft Office 365 URLs.

Figure: Sign-in workflow of an Office 365 user from External

Figure: Sign-in workflow of an Office 365 user from Internal

Once we understand the logic of how the system handles requests in hybrid we can begin to plan our move to cloud only delivery.

Getting Ready

Step 1. First we must ensure that all users have been moved from on premises Skype for Business / Lync to Skype for Business Online. If you still have users on premises, move them across using the following PowerShell:

$cred = Get-Credential   # Office 365 administrator credentials for the tenant
Move-CsUser -Identity user@domain.com -Target sipfed.online.lync.com -Credential $cred -HostedMigrationOverrideUrl <URL>

Step 2. Ensure that your business does not rely on any on premises feature of Skype for Business / Lync and you are ready to start the decommissioning process.

Step 3. Plan for some disruption – There may be some outage where clients sign out and back in, so be mindful this may happen and inform your users, managers and team of what to expect.

Execution

Step 1. Modify your external DNS zone to point to Skype for Business Online using the following table as reference

Modify Values

Record Name              Type    Port   TTL    Destination
sip                      CNAME   N/A    N/A    sipdir.online.lync.com
lyncdiscover             CNAME   N/A    N/A    webdir.online.lync.com
_sipfederationtls._tcp   SRV     5061   3600   sipfed.online.lync.com

Delete Values

Record Name     Type
dialin          A
meet            A
lyncweb         A
_xmpp-server    SRV
_sip._tls       SRV

Please note that global DNS propagation could take up to 48 hours to complete. Once this step has been completed, do not move to step 2 until 48 hours have passed, otherwise clients may stop working externally.
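
One way to confirm that the Step 1 changes are visible before starting Step 2, as an added example that is not part of the original post. It checks the "Modify Values" and "Delete Values" records against public resolvers; the SIP domain `domain.com`, the resolver addresses and the `_tcp` suffix on `_xmpp-server` are assumptions to adjust.

```powershell
# Added example. Assumptions: $SipDomain is a placeholder, the resolver list is
# a sample, and _xmpp-server is taken to live under _tcp.
$SipDomain = 'domain.com'
$Resolvers = '8.8.8.8', '1.1.1.1'

# Records from the "Modify Values" table (Target set) and the "Delete Values"
# table (no Target: the name must no longer answer).
$Records = @(
    @{ Name = "sip.$SipDomain";                    Type = 'CNAME'; Target = 'sipdir.online.lync.com' }
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'CNAME'; Target = 'webdir.online.lync.com' }
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV';   Target = 'sipfed.online.lync.com'; Port = 5061 }
    @{ Name = "dialin.$SipDomain";                 Type = 'A' }
    @{ Name = "meet.$SipDomain";                   Type = 'A' }
    @{ Name = "lyncweb.$SipDomain";                Type = 'A' }
    @{ Name = "_xmpp-server._tcp.$SipDomain";      Type = 'SRV' }
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV' }
)

function Test-DnsRecord {
    param([hashtable]$Record, [string]$Server)
    # Keep only answer-section records of the queried type; SOA/authority and
    # additional A records returned alongside are ignored.
    $answers = Resolve-DnsName -Name $Record.Name -Type $Record.Type -Server $Server `
                   -DnsOnly -ErrorAction SilentlyContinue |
               Where-Object { $_.Section -eq 'Answer' -and $_.Type -eq $Record.Type }
    if (-not $Record.Target) { return -not $answers }   # deleted record must be gone
    foreach ($a in $answers) {
        $target = if ($Record.Type -eq 'SRV') { $a.NameTarget } else { $a.NameHost }
        $portOk = $Record.Type -ne 'SRV' -or $a.Port -eq $Record.Port
        if ($portOk -and "$target".TrimEnd('.') -eq $Record.Target) { return $true }
    }
    return $false
}

$results = foreach ($server in $Resolvers) {
    foreach ($r in $Records) {
        [pscustomobject]@{
            Resolver = $server
            Record   = $r.Name
            Type     = $r.Type
            Expected = if ($r.Target) { $r.Target } else { '(absent)' }
            Pass     = Test-DnsRecord -Record $r -Server $server
        }
    }
}
$results | Format-Table -AutoSize
if ($results.Pass -contains $false) { Write-Warning 'External DNS is not yet consistent; do not start Step 2.' }
```

A resolver timeout is indistinguishable from an absent record here, so rerun the check if a resolver was unreachable.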

Step 2. Modify your internal DNS SIP domain zone to point to Skype for Business Online using the following tables

Add Values

Record Name              Type    Port   TTL    Destination
_sipfederationtls._tcp   SRV     5061   3600   sipfed.online.lync.com

Modify Values

Record Name              Type    Port   TTL    Destination
sip                      CNAME   N/A    N/A    sipdir.online.lync.com
lyncdiscover             CNAME   N/A    N/A    webdir.online.lync.com

Delete Values

Record Name             Type
lyncdiscoverinternal    A
dialin                  A
meet                    A
lyncweb                 A
_sipinternaltls._tcp    SRV

Wait for the DNS zone to replicate between domain controllers and then clear the Active Directory DNS caches using the following PowerShell:

Clear-DnsServerCache -ComputerName dc01.domain.local -Force

Step 3. Clearing the Client machine DNS Cache

Clearing the DNS cache on internal domain-joined clients can be tricky. You can remote on to everyone’s machine and perform an ipconfig /flushdns (if UAC is enabled, this needs to be run with admin privileges), or tell users to reboot their machines. The preferred way is to execute this administratively on demand using Windows Remote Management features. The following PowerShell command will flush the DNS cache of client machines by iterating through Active Directory for computer objects:

# Target Windows 8 clients only ('-match 8' would also match e.g. "Windows Server 2008")
$objects = Get-ADComputer -Filter * -Properties OperatingSystem | Where-Object { $_.OperatingSystem -match 'Windows 8' }
foreach ($machine in $objects) {
    # Use the loop variable; $_ is not set inside a foreach statement
    Invoke-Command -ComputerName $machine.Name -ScriptBlock {
        Clear-DnsClientCache
        Register-DnsClient
    }
}

The above command assumes the client operating system is Windows 8, and Remote Management must be enabled on the client workstation. The user executing this must have local machine administrative rights (Domain Admin would be best).

Step 4. Disable Shared SIP Address Space

On Skype for Business Online, disable Shared SIP address space using the Lync Online PowerShell command:

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $false

On your on premises Lync / Skype for Business deployment, run the following commands in the respective Management Shell:

Set-CsAccessEdgeConfiguration -AllowOutsideUsers $false -AllowFederatedUsers $false
Remove-CsHostingProvider -Identity LyncOnline

And that’s it – a nice and easy process. Your hybrid has been removed in a managed way. All that is left for you to do now is to remove your on premises Lync deployment from your infrastructure.

Hope this helps someone.

26 thoughts on “Decommissioning Skype for Business Hybrid and Going Cloud Only”

  1. Thanks for the great write up. It was very helpful and I was able to move to an online only install. My only question is that on my Skype dashboard my users are still showing as synced and homed online. Is there any way to move them all so that they just show up as Users in the cloud?

    1. Hi
      If there is no need to synchronize accounts from your AD anymore then you simply need to stop directory synchronization. This will convert them to “in-cloud” identities. However, if you need password sync, same sign on or single sign on, then you cannot do this, the accounts will always show as synchronized.
      thanks

      1. We will be decommissioning on-premise lync system after everything is moved. We do want to keep Directory Sync running, how will this work since we won’t have the console to manage the users locally?

      2. Hi
        AADSync is a separate application. That will continue to synchronise your AD to the cloud as synched accounts. Without hybrid you would simply use the skype for business online control panel for edits
        thanks

      1. I’m thinking about either doing a simple cutover from Lync 2013 to S4B online or setting up a hybrid, which I will probably break once all finished. The most important thing to migrate to O365 is the Contacts. The Exchange 2013 is on-prem and does not run UCS. Will the contacts be migrated?

      2. If you perform a sfb hybrid and move users to the cloud, then their custom contact groups and contacts in Lync will remain. If you just enable them in the cloud without moving them, the contacts will be lost. The only other way of keeping contacts in that situation is to export and import contacts the client side using the SDK.

      3. Ok! Thanks! If the scenario were the same except that UCS is used, will the contact list be migrated to online users when Exchange is on premise? If so, do I have to inactivate UCS before I break the hybrid (to decommission the on-prem Lync servers)?

  2. Ok! I guess ucs in Office 365 is only working with exchange online then?

    So, what i need to do is:
    Remove ucs.
    Create hybrid and move users online
    Break hybrid and decommission on prem lync?

  3. Hi, it worked all the way except for the very last command…

    Remove-CsHostingProvider –Identity LyncOnline

    (in my case it is Remove-CsHostingProvider –Identity SkypeForBusiness)

    and I got this error message:

    This hosting provider is enabled for shared address space and there are “1” (SIP enabled)

    not sure why… and google is not helping me much….

    1. Hi

      In Skype Online PowerShell, turn off shared SIP address space (Set-CsTenantFederationConfiguration -SharedSipAddressSpace $False), wait for 15 minutes for replication and then remove your hosting provider settings. This setting should be the last thing you do; after this your on-prem deployment is ready for decom.

      thanks

      1. thanks for your reply… I ran the Set-CsTenantFederationConfiguration -SharedSipAddressSpace $False 3 hours ago and made sure all the sync occurred.. still getting the same error message…

        Will open a service request with MS and will let you know what’s up.

  4. Hi Mark, Thanks for writing the doc as I was not able to find this info anywhere. Just one question if we already have AD Sync in place then do we still need to run the move user command? or Is the command required to move the contact list for the users?

    1. Hi yes, you will still need to run the move command, this will move all sfb settings over to sfb online. the AD sync is just synchronising identities, this will be telling sfb online that the sfb identity is homed on-prem otherwise.
      thanks

  5. Hi Mark, did you ever find out from Microsoft why you could not run the command Remove-CsHostingProvider –Identity LyncOnline ? Did you just have to wait longer for replication or was there another step that had to be done? I received the same error…thanks!

  6. Hi Mark,

    Thanks for this article.
    I have exactly the same

    Set-CsAccessEdgeConfiguration –AllowOutsideUsers $false –AllowFederatedUsers $false

    OK

    Remove-CsHostingProvider –Identity SkypeforBusiness

    and I got this error message:

    This hosting provider is enabled for shared address space and there are “1” (SIP enabled)
    I checked all users and they are all cloud

    I already ran the disable shared space online..4 hours ago
    I forced Azure Connect to run.

    What I am planning to do is just to remove the on premise environment and unprep the domain and forest.

    BUT will this not break anything for instance removing the SIP address of users in the cloud?

    John

  7. Hi Mark, what is the best practice to remove the on premises Lync deployment from our infrastructure? Uninstall each application using Programs/Features? Re-run Setup? Any extra clean-up commands which need to be manually ran?

    1. Hi,

      The best approach: first make sure that there are no users enabled for your on-prem deployment. If there are, disable these.

      Then you need to remove any trusted application pools from the topology and also any trusted application endpoints from the configuration. Remove-Cstrustedapplicationendpoint command will help.

      Then you will need to remove the dialin conferencing endpoint using remove-csdialinconferencingaccessnumber

      Then remove the conference directories remove-csconferencedirectory

      then, remove the following, common area phone accounts, all voice configuration, all analog devices, all rgs config, all call park settings, any exchange um contact object you have.

      then remove all servers but the one that holds the cms and publish the topology

      run export-csconfiguration command on the last front end and copy the zip file to your edges. Then run the deployment wizard (step 3) and supply the zip file when prompted. This will remove components from the servers. On all other front end servers, pchats, directors run the deployment wizard (step 3) to remove the components.

      Once done, run publish-cstopology -finalizeuninstall

      then on the cms server run c:\prog files\lync\bootstrapper.exe /scorch to remove the components

      once done, you can remove the cms database, uninstall-csdatabase -centralmanagementdatabase -sqlserverfqdn -sqlinstancename

      Remove the scp from AD once the above has completed remove-csconfigurationlocation command

      then finally disable-csaddomain and disable-csadforest

      hope this helps

      thanks
