3. Install Server
At this point the target server should be fully prepared and meet all prerequisites.
Cache Installation Files
The first step of the Lync installation process will be to cache the setup files locally on the server.
1. Insert the Lync Server 2013 media on the server to be used as a Director and launch Setup.exe found in the Setup\amd64 folder.
2. Enter a location for the installation files to be cached and click Install. The default location is C:\Program Files\Microsoft Lync Server 2013.
3. Select I Accept the Terms in the licensing agreement and click OK.
Note
After you’ve browsed to the setup
folder using Windows Explorer, the install window might appear behind
the current Explorer window. It can be easy to miss this fact, so check
the taskbar for the Lync install icon if some time has passed without
any screen activity.
Install Local Configuration Store
To install any server role in Lync Server
2013, the target server must first have a local configuration store
installed and populated with the topology information. The Lync
Deployment Wizard will automatically open after the installation files
have been cached on the system.
1. Click Install or Update Lync Server System.
2. Under Step 1: Install Local Configuration Store, click Run.
3. Select Retrieve Configuration Automatically from the Central Management Store, and click Next.
4. Click Finish after the local store is successfully created.
Install Lync Server Components
The following steps will allow the server to
read the topology information from the local configuration store and
then install the server roles matching its own FQDN.
1. Under Step 2: Setup or Remove Lync Server Components, click the Run button.
2. Click Next to begin the Director installation published in the topology.
3. Click Finish when the installation completes.
Create and Install Certificates
Like all other roles in Lync Server, the
Director communicates with other servers in the organization using Mutual
Transport Layer Security (MTLS). To use MTLS, the Director needs
at least one installed certificate that meets a few requirements. A
separate certificate can be used for each function, or a single
certificate can be used for MTLS and web services if it meets the
following requirements:
• The subject name should contain the pool’s fully qualified domain name (FQDN).
• The server name should be included as a subject alternative name.
• If the internal or external web
services FQDN differs from the pool name, it should also be included as
a subject alternative name.
• All supported SIP domains must be entered as a subject alternative name in the format sip.<SIP domain>.
• Any simple URLs that terminate at the Director should be included as a subject alternative name. These will typically be the meet, dialin, lyncdiscover, and admin URLs.
Note
The certificate wizard in Lync Server 2013
will automatically populate the subject name and any required subject
alternative names based on the published topology, which greatly
reduces the certificate confusion created by prior versions. If only one
certificate will be used for the default, internal web services, and
external web services, then the subject alternative names must be
manually added when the wizard is run.
Use the following steps to request and assign the necessary certificates:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight the Default certificate and click the Request button to start the Certificate Request Wizard.
Note
It is possible to expand the Default
certificate option and individually request the server default, web
services internal, and web services external certificates. This is
generally not required, and using a single certificate for all three
functions is sufficient and saves on management overhead.
3. Click Next to continue.
4. Select either an
online certificate request and certificate authority, or an offline
certificate request and file path for the request. Click Next. The
following steps here assume that an internal certificate authority is
used to generate the request.
5. If user credentials
other than the logged-on user are required to create the certificate
request, check the box Specify Alternate Credentials for the
Certification Authority. Enter a username and password and click Next.
This is typically used in large environments where the Lync
administrator does not have rights to request certificates.
6. If the default
WebServer template will not be used, check the box Use Alternate
Certificate Template for the Selected Certification Authority and enter
the certificate template name. The template name, not the template
display name, should be entered here. The template should already be
published and available on the certificate authority issuing the
certificate. In most cases the default WebServer template will be
sufficient and there is no need to check this box.
7. Enter a friendly name for the certificate for identification purposes.
8. Select a key bit length of either 1024, 2048, or 4096.
9. If the certificate
should be exportable, select the check box Mark Certificate Private Key
as Exportable. This should be selected for Director pools with multiple
members so that the same certificate can be installed on each pool
member.
10. Enter an organization name, typically the name of the business.
11. Enter an organizational unit, typically the name of a division or department, and click Next.
12. Select a country, enter a state or province, enter a city or locality, and click Next.
13. Review the automatically populated subject name and subject alternative names. Click Next.
14. Check the box for
each configured SIP domain that will use the Director pool. Each
selected SIP domain will add a subject alternative name entry for
sip.<SIP Domain> to the certificate. Click Next.
15. Add additional
subject alternative names if necessary; or if the pool configuration
has been published, all required subject alternative names will be
automatically added and the step can be skipped. Click Next.
16. Review the certificate request summary screen for accuracy and when satisfied click Next.
17. The Lync
Management Shell commands will be displayed and the user can optionally
review the certificate request log. Unless the request failed, this is
not necessary. Click Next.
18. Leave the Assign
This Certificate to Lync Server Certificate Usages check box selected
to skip straight to the certificate assignment wizard. Click Finish to
complete the request process.
Note
It might not seem intuitive, but to process a
response to an offline certificate request, use the Import Certificate
button found at the bottom of the Certificate Wizard. If a request to
an online certificate authority is in a pending state, the Process
Pending Certificates button will be available to complete those
requests.
Certificates issued from an online
certificate authority will be installed automatically. If an offline
request was performed, first copy the certificate authority response to
the server. Then use the Import Certificate button found at the bottom
of the wizard to complete the process.
1. Click Browse and select the certificate authority response.
2. Uncheck the Certificate File Contains the Certificate’s Private Key check box. Click Next.
3. Review the import certificate summary and click Next.
4. Click Finish to complete the process of associating the private key and certificate authority response.
Assign Certificates
After the necessary certificates have been
created, the Director services must have certificates assigned to them.
This process binds each certificate to either the Front End service or
IIS websites, depending on selection. To assign a certificate use the
following steps:
1. Under Step 3: Request, Install, or Assign Certificate, click the Run button.
2. Highlight the Default certificate and click the Assign button to start the Certificate Assignment Wizard.
3. Click Next to continue.
4. Select the
certificate to be assigned and click Next. It’s possible to view each
certificate in more detail by highlighting and selecting the View
Certificate Details button.
Note
If a certificate is not available on this
screen, that usually means a private key is not associated with the
certificate. Be sure to complete any pending or offline requests before
this step.
5. Click Next on the Certificate Assignment Summary screen.
6. The Lync Management
Shell commands are displayed and the user can optionally review the
certificate request log. Unless the request failed, this is not
necessary. Click Next.
7. Click Finish to complete the wizard.
If separate certificates were used for the
WebServicesInternal and WebServicesExternal certificates, the preceding
steps must be repeated for each use. Be sure to select the correct
certificate for each function if unique certificates were generated.
Note
The Certificate Wizard also displays
an OAuthTokenIssuer certificate option. If this has already been
generated on another server in the environment, it should already be
installed and assigned automatically. The location field will show
Global as opposed to Local as with other certificates. Do not request
another OAuthTokenIssuer certificate unless it needs to be replaced.
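The following PowerShell is an added example, not part of the original text or of the Lync tooling: it checks every certificate in the local computer store against the subject and subject alternative name requirements listed under Create and Install Certificates, and reports whether a private key is associated. The FQDNs are constructed sample values, the function names are hypothetical, and the key-size and expiry flags are extra checks beyond the list above.

```powershell
# Added example. All FQDNs below are constructed sample values; replace them
# with the names from the published topology.
$Pool   = 'dirpool.contoso.example'      # Director pool FQDN (subject name)
$Server = 'dir01.contoso.example'        # this server's FQDN
$Web    = @('dirweb-int.contoso.example', 'dirweb-ext.contoso.example')
$Sip    = @('contoso.example')           # supported SIP domains
$Simple = @('meet', 'dialin', 'lyncdiscover', 'admin') |
              ForEach-Object { "$_.contoso.example" }

# SAN list the requirements call for: server name, web services FQDNs,
# sip.<SIP domain> for every SIP domain, and the simple URLs.
$Expected = @($Server) + $Web + @($Sip | ForEach-Object { "sip.$_" }) + $Simple

function Get-CertDnsName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.17 is the subjectAltName extension.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $ext) { return }
    # Assumption: English-language Windows, which labels entries "DNS Name=".
    [regex]::Matches($ext.Format($true), 'DNS Name=(\S+)') |
        ForEach-Object { $_.Groups[1].Value }
}

function Test-DirectorCertificate {
    param($Cert, [string]$PoolFqdn, [string[]]$ExpectedSan)
    $san  = @(Get-CertDnsName $Cert)
    $bits = $Cert.PublicKey.Key.KeySize   # RSA keys; empty for other key types
    New-Object psobject -Property @{
        Thumbprint     = $Cert.Thumbprint
        SubjectHasPool = $Cert.Subject -match "CN=$([regex]::Escape($PoolFqdn))(,|$)"
        # -notcontains compares strings case-insensitively
        MissingSan     = @($ExpectedSan | Where-Object { $san -notcontains $_ })
        # False here means the wizard will not offer the certificate for assignment
        HasPrivateKey  = $Cert.HasPrivateKey
        KeyBits        = $bits
        # Added check: flags the 1024-bit option as too short for current use
        WeakKey        = [bool]($bits -and $bits -lt 2048)
        Expired        = $Cert.NotAfter -lt (Get-Date)
    }
}

# Report on every certificate in the computer's personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-DirectorCertificate $_ $Pool $Expected } |
    Format-List Thumbprint, SubjectHasPool, MissingSan, HasPrivateKey, KeyBits, WeakKey, Expired
```

A certificate is suitable for the Default usage when SubjectHasPool and HasPrivateKey are True and MissingSan is empty.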
Start Services
After the necessary certificates have been requested and assigned, the Lync Server 2013 Director services can be started.
1. Under Step 4: Start Services, click the Run button.
2. Click Next to begin starting all the Lync Server services.
3. Click Finish to complete the wizard.
The wizard does not actually wait for the services to complete startup. Use the Services MMC to view the actual service state.
At this point the Director
installation is complete and it should be functional. The Director pool
will not be used automatically by internal clients, so the DNS SRV
records for automatic client sign-in must be updated to point users to
the new Director pool.