Wednesday, December 26, 2018

Lync Front End service hangs in "Starting" status on Lync 2013 servers



The common cause of the Lync FE service hanging is non-self-signed certificates (certificates whose Issuer and Subject differ) in the Trusted Root Certificate store. Lync servers use HTTP/S to communicate with each other, and these certificates break that communication. Until such certificates are removed, the FE service won't return to a healthy state.


Step # 1
Identify the certificates causing this issue by running the PowerShell script below on the affected Lync FE server.

<#
.NOTES
#=============================================
# Script : Non_Self_Assigned_Certs-Scan.ps1
# Created : ISE 3.0
# Author(s) : casey.dedeal
# Date : 12/26/2018
# Org : ETC Solutions
# File Name :
# Comments :
# Assumptions :
#==============================================
SYNOPSIS :
DESCRIPTION :
Acknowledgements : Open license
Limitations : None
Known issues : None
Credits : None
.EXAMPLE
.\Non_Self_Assigned_Certs-Scan.ps1
MAP:
-----------
(1)_.Adding Vars
(2)_.Check Log Folder, create one if it does not exist
(3)_.Scan Local Machine Trusted Root Certs Store
(4)_.Open File
Clean up all certs listed in the log file.
Certs could be pushed via GPO. If that is the case,
you will have to find the GPO and make sure the problem
certs have been removed from the policy.
#>

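#(1)_.Adding Vars
$Fname = "None-Self-Certs-Report.txt"
$TargetFolder = "C:\temp\Logs\"
$file = $TargetFolder + $Fname

#(2)_.Check Log Folder, create one if it does not exist
if (!(Test-Path -Path $TargetFolder))
{
    Write-Host "()_Creating Target Folder" -ForegroundColor Yellow
    New-Item -ItemType Directory -Path $TargetFolder
}

#(3)_.Scan Local Machine Trusted Root Certs Store
# A self-signed root has Issuer equal to Subject; anything else does not belong in this store
$Report = Get-ChildItem -Path Cert:\LocalMachine\Root -Recurse |
    Where-Object { $_.Issuer -ne $_.Subject } |
    Format-List *
# Write the report to the log file defined in (1)
$Report | Out-File -FilePath $file

#(4)_.Open File
Invoke-Item -Path $file
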
Step # 2
Delete the problem certificates from the Trusted Root store. These certificates are easy to identify because their "Issued From" and "Issued To" values (the Issuer and Subject fields the script compares) won't match. Check that these certificates are not being pushed via GPO; if they are, you will need to make sure they are removed from that GPO.


Step # 3
Reboot the FE server and make sure the FE service comes up. Check the event logs to make sure the related errors have cleared.
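
Step 2 as an added PowerShell example (not part of the author's script): it backs up each mismatched certificate from the Trusted Root store, flags the ones delivered by Group Policy, and previews removal of the rest. The backup folder is an assumed path, PowerShell 3.0 or later is assumed for removing certificates through the Cert: drive, and the policy registry key is the location where Windows keeps GPO-deployed root certificates.

```powershell
# Added example, not the author's code. $BackupFolder is an assumed path.
$BackupFolder = 'C:\temp\Logs\RootCertBackup'
# Registry key where Group Policy stores the root certificates it deploys
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates'

if (-not (Test-Path -Path $BackupFolder)) {
    New-Item -ItemType Directory -Path $BackupFolder | Out-Null
}

# Certificates delivered by GPO appear as thumbprint-named subkeys under the policy key
$gpoThumbprints = @()
if (Test-Path -Path $PolicyKey) {
    $gpoThumbprints = @(Get-ChildItem -Path $PolicyKey | ForEach-Object { $_.PSChildName })
}

# Same test as the scan script: Issuer differs from Subject
$misplaced = Get-ChildItem -Path Cert:\LocalMachine\Root |
    Where-Object { $_.Issuer -ne $_.Subject }

foreach ($cert in $misplaced) {
    $fromGpo = $gpoThumbprints -contains $cert.Thumbprint

    # Save a DER-encoded copy so the certificate can be restored if needed
    $cerPath = Join-Path -Path $BackupFolder -ChildPath ($cert.Thumbprint + '.cer')
    $bytes = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($cerPath, $bytes)

    # One summary object per certificate for review
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        FromGPO    = $fromGpo
        Backup     = $cerPath
    }

    if ($fromGpo) {
        # Deleting locally is pointless here: the next policy refresh puts it back
        Write-Warning "$($cert.Thumbprint) is deployed by Group Policy; remove it from the GPO."
    }
    else {
        # -WhatIf only previews the removal; drop it after reviewing the list
        Remove-Item -Path $cert.PSPath -WhatIf
    }
}
```

Run it from an elevated PowerShell session on the FE server, review the output, and remove `-WhatIf` only once the listed certificates are confirmed to be the ones from the report.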


Related KB


Casey, Dedeal
Principal Systems Engineer