Now for something completely different: offline patching for IBM Cloud private expired product certificate

In case you were wondering why I’ve not posted any silly Skype tricks lately, I seem to have ended up in charge of Kubernetes at my company, and for reasons I won’t bore you with, we’ve decided to set up IBM Cloud private on-prem.

The product certificate expired on 22 August 2017, so there’s a patch:

However, the included bash scripts presume that all of the nodes have access to Docker Hub. Since ours don’t, because we are not heathens who allow our servers to talk to the Internet, I made a workaround:

1) Get the updated ibmcom/cfc-router:1.2.0 image using a machine that can connect to Docker Hub and pack it into a tarball:

docker pull ibmcom/cfc-router:1.2.0
docker save ibmcom/cfc-router:1.2.0 -o cfc-router-fix.tar

(rant about pushing an updated Docker image with THE SAME EXACT VERSION TAG goes here)

2) Copy this tarball to all of the nodes in your cluster

3) SSH into each node in the cluster and load the image:

docker load -i /wherever/you/put/it/cfc-router-fix.tar

4) Copy the script and remove the following lines, because they are the ones that wanted to go onto the scary Internet and pull the images directly. Leave in all the other docker commands! If you’re using Windows, copy it to a Linux machine and edit it there to avoid any weird linefeed stuff:

if [[ "$(uname -m)" == "x86_64" ]]; then
    docker pull ibmcom/cfc-router:1.2.0
    docker pull ppc64le/cfc-router:1.2.0

5) Copy your modified script to each of the nodes. You then need to set execute permission on it, and can finally run it:

chmod +x



Stupid CsAnalogDevice Tricks

No need to throw away all the old phones - you've got CsAnalogDevice!

Can be integrated into Skype for Business with CsAnalogDevice

Anthony Caragol recently set the Skype for Business community a little challenge:

Never dare a Texas girl.

Previously, a local admin at one of the sites we recently rolled out Skype for Business telephony at needed some mobile phones to be directly callable from the client AND to be identified by the same name when calling Skype for Business users. I vaguely recalled there being some way to integrate older phones and faxes and hit upon CsAnalogDevice.

Like CsCommonAreaPhone, a CsAnalogDevice is an Active Directory Contact object and is completely inaccessible from the web admin interface, but unlike CsCommonAreaPhone, is just a pointer to a phone number.

Here’s how you make one for a German mobile with 0151/12345678 – +49 (151) 1234678:

Wait a bit for address book propagation, and you can then click to make Skype calls like any other Skype for Business endpoint.

Back to Anthony’s question – you can only forward to a single number in the client and in SEFAUtil, and delegates and team members must be proper SIP addresses (will need to see if an external SIP address can be shoe-horned in those lists…)

I made CsAnalogDevices for my mobile and home phones, waited awhile, then used SEFAUtil to add their SIP addresses as my “delegates” and set immediate forwarding to delegates. Result! Both rang when I called my main number, and I was able to answer on either.

In the desktop client, I could see both display names as my delegates.

To test:

  1. Can Analog Devices be added as delegates and team members from the desktop client instead of SEFAUtil?
  2. Does this still work when the Analog Devices are on different PSTN gateways?
  3. Is this available in Skype for Business Online?

CsAnalogDevices can make any phone number, internal or external, a more integrated part of your Skype for Business environment.

What weird and/or wonderful use have you found for CsAnalogDevice? Any other obscure endpoint types?

What Version Are Your AudioCodes SBA Web Interfaces? A One-Liner.

How your AudioCodes SBA login pages should look, as of May 2016

How your AudioCodes SBA login pages should look, as of May 2016

Unlike the components the SBAs share with their big Front End Server brothers, like RTCSRV and RTCMEDSRV, the manufacturer-custom web interfaces are NOT updated in the Cumulative Updates. You need to check on these periodically with AudioCodes, Sonus or whoever else you got your SBAs from.

These management interface updates are for security and performance issues. If you’re running your SBAs the way the manufacturer recommended, though, there are a lot of remote operations that just won’t work, making version checking painful.

However, if you’ve got AudioCodes SBAs, here is a one-liner that only requires that you have a consistent naming convention (we have “sba” in all of our SBA names) and at least ViewOnlyAdmin access to Lync/Skype, using the magic of very simple webscraping:

(Get-CsPool).computers.where({$_ -like "*sba*"}) | foreach { (Invoke-WebRequest -Uri "http://$_/Home/LogOn").content -match "(1\.\d+\.\d+\.\d+)" | out-null; [pscustomobject]@{ComputerName = $_; Version = $matches[0] } }

Substitute whatever your SBAs have in common for “*sba*” (remember the asterisks!)

Or, here’s a version using nested Where() expressions that will work even if you have no naming conventions:

(Get-CsPool).where({$ -like "*registrar*" -and ${$_ -like "WebServer*"}).count -eq 0}).computers | foreach { (Invoke-WebRequest -Uri "http://$_/Home/LogOn").content -match "(1\.\d+\.\d+\.\d+)" | out-null; [pscustomobject]@{ComputerName = $_; Version = $matches[0] } }

I have no idea if a similar approach will work with other manufacturers’ SBAs.

Is that Skype for Business (Lync) Number Free?

Get-CsAdPrincipal is a tragically underused cmdlet. Absent a fully generic Get-CsEndpointObject, it’s the next best thing to Get-ADObject, and is killer when you have no idea what you’re looking for – a User, a Common Area Phone, Conference Dialin Number, Response Group or some crazy custom endpoint used in a Skype-enabled application, especially if all you care about is seeing if a number is available. If you see “485 Ambiguous” in a SIP trace, this will help you figure out who (and/or what) all has this number, and why Skype isn’t quite sure which one the caller wanted to reach.

There are several scripts for testing each of the Skype for Business object types one by one, and I give some of my favorites at the end of the post; the Get-CsAdPrincipal approach is faster in automation if you’re mostly interested in whether a number is consumed at all, and aren’t concerned with *what* exactly is consuming it.

Get-CsAdPrincipal -LDAPFilter '|(msrtcsip-line=tel:+499112224000*)(msrtcsip-privateline=tel:+499112224000*)'

The LDAP query is checking both the MsRTCSIP-Line and MsRTCSIP-PrivateLine attributes, and there is an asterisk at the end in case the extension was specified separately: tel:+499112224000 and tel:+499112224000;ext=4000 are functionally the same number, but do not look the same to Skype for Business! This is common in places where each line can be directly dialed from outside – that is, much of Europe. I used the attribute names in all lowercase because the mixed-case versions did not work.

If all you wanted was a quick way to check if a number is free or not, you can quit reading now and get back to writing your provisioning script 🙂 If you want to know a bit more about Skype for Business objects, as well as see some really nice stuff for viewing your number pool, stay with me…

Continue reading

ActiveRoles Performance Tip: Use Distinguished Name instead of Canonical Name in OrganizationalUnit Parameters

When making over 100 accounts today for some hard core Skype for Business monitoring, I (re-)discovered that the form of New-QADUser‘s -ParentContainer parameter makes a huge performance difference. I didn’t time it, but noticed that it took about as long to make five accounts using the Canonical Name ( as it did to make the rest of the batch using DN, or Distinguished Name (OU=Purpose,OU=City,OU=State,OU=Region,DC=mandie,DC=net).

This was with Quest ActiveRoles Management Shell for AD 1.7, which goes with ARS 6.9. It was an issue back in the QARMS 1.6/ARS 6.8 days, so hopefully Dell has fixed it for recently-released ARS 7.0. I say “hopefully,” because I can’t find QARMS 1.8(?) anywhere in the ARS 7.0 installation download, much less the Release Notes. Anyhow, it is something to do with how ActiveRoles checks your permissions on the Organizational Unit you are attempting to write to.

You might leave the team responsible for ActiveRoles Server at your company, but ActiveRoles Server never really leaves you…

Web Tiles are here! And really, really easy!

After I published this post, I read Scott Hanselman’s article about Web Tiles… the guy who had the idea in the first place. You should probably read that, too – or instead, it won’t hurt my feelings 🙂

Introducing Web Tiles for Microsoft Band

However, if you just want to throw together a Web Tile for your favorite newsfeed, this post is still useful.

The Web Tiles for Microsoft Band are here, and they’re even easier than I’d imagined they would be: Microsoft has provided an online generator that puts together the necessary JSON and packs up the icons into the .webtile package that your phone’s Microsoft Health app uses to load the Web Tile onto your Band. For a “Preview” product, it’s pretty slick.

What you need:

– An RSS or pure JSON data source. I used the RSS for the Lync News Tumblr feed:

– A transparent PNG that is 46×46 pixels for the main Tile icon, and 24×24 for the small “badge” icon that will be displayed when there is a count of new items in the feed. Paint included with Windows can’t do this for you, but Photoshop, GIMP or Paint.Net (what I used) can.

– Link to the Web Tile generator:


Continue reading

Hyper-V Switch from Internal to External While VMs Running… No Internets for you!

It’s not every day that you get taught new admin concepts using PowerShell by Jeffrey Snover  himself (the guy who invented PowerShell), but I had the privilege of taking part in the TechDays NL 2015 pre-conference workshop on OneGet PowerShell Package Manager and Desired State Configuration (DSC) that Jeff Wouters (PowerShell MVP) organized, and then led along with Mr. Snover. Both Jeffs patiently answered our (sometimes) silly questions and worked hard to make sure we got as much as possible out of the day.

However, no one was able to save me from myself when I learned that enabling External access for your Internal-only Hyper-V virtual switch while the VMs attached to it are running is apparently a bad idea – at least when your host OS is Windows 10 Technical Preview, Build 10122. This warning didn’t put me off:

Warning schmarning...

… and it appeared to work, but not really: it took out my Internet connection completely. Annoyingly enough, the WiFi claimed that it was connected, along with being bridged. Hyper-V added a nifty new generic Ethernet adapter that was supposed to act as a bridge between the virtual switch and my real WiFi. Note the missing vEthernet (External01) Hyper-V Virtual Ethernet Adapter.

A bridge too far...

Another hint was that Get-NetIPAddress only showed the loopback addresses for both IPv4 and IPv6, and nothing else.

There was no reverse – when I tried switching that virtual switch back to Internal, I got “Error applying Virtual Switch Properties changes”:


Disabling and re-enabling the WiFi connection also did no good; the WiFi was always connected, but traffic was not being passed from applications. Deleting and reinstalling the WiFi adapter was also not an option.

Note the grey text for the

Note the grey text for the “Delete” option.

However, I was able to delete the generic Ethernet adapter.


As soon as that finished, Get-NetIPAddress showed addresses for the WiFi adapter and the virtual switch I hadn’t meddled with. Voila, I had Internet again!

The virtual switch in question was left as a Private Network, and was easily switched back to being Internal. After that, IP addresses (IPv4 and IPv6) showed up for it, too, on Get-NetIPAddress.


The goofy-looking font is a special feature of the 10122 build of Windows 10 for Arial font in various contexts, and can be remedied by some simple method I have completely forgotten.

Wish I’d thought of trying this during the workshop, because package management is kind of hard to work with when you don’t have any way to get to a repository, but here it is for you, dear reader. And for Mr. Snover and Mr. Wouters the next time they teach OneGet… er, PowerShell Package Manager.