Setting Up a Tenant’s Allowed Domains for Federation

Posted: June 21, 2012 in Development, Federation, Lync, PowerShell

I have been testing out the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting (that's a long name) and comparing it to how things are done in Lync Server 2010. One of the things I need to do is to add domains to the list of domains that a tenant can federate with. That turned out to be a little harder than I thought it would be.

The documentation is somewhat vague on how to do this but you normally see something like this:

$t = Get-CsTenant | Where-Object {$_.DisplayName -eq "Tenant1"}
Get-CsTenantFederationConfiguration -Tenant $t.TenantId
$d1 = New-CsEdgeDomainPattern -Domain "fabrikam.com"
$d2 = New-CsEdgeDomainPattern -Domain "contoso.com"
$a = New-CsEdgeAllowList -AllowedDomain @{replace=$d1,$d2}
Set-CsTenantFederationConfiguration -Tenant $t.TenantId -AllowedDomains $a

I tried that and it worked, but it is somewhat limiting and confusing. First off, the code above will set things up so that the only domains in Tenant1's allow list will be "fabrikam.com" and "contoso.com". That may be okay in some cases, but what about the domains that were already in the allowed list for Tenant1? We just replaced them with our two new domains. And to make matters worse, if you try to look at the federation configuration for Tenant1 using Get-CsTenantFederationConfiguration you get something like this:

Identity              : Global
AllowedDomains        : Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowList
BlockedDomains        : {}
AllowFederatedUsers   : True
AllowPublicUsers      : True
SharedSipAddressSpace : False

Where are our new domains? What the heck is a Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowList, and how do I see the allowed domains?

How to use Set-CsTenantFederationConfiguration

It's not obvious, since there is no documentation (that I have found) and the Get-Help cmdlet doesn't give me anything other than a parameter list. It turns out that it is fairly easy to do: just store the result in a variable and then you can look at the AllowedDomains like this:

$tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
$x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
$x.AllowedDomains

This will give you the following:

AllowedDomain : {Domain=fabrikam.com, Domain=contoso.com}

So we can now see our domains in the allowed list, but what about the overwriting of the allowed list contents? Somehow we need to make sure we simply append the new domains and do not replace the existing domains in the allowed list. It's not hard, but it is also not readily apparent how you go about this.

The Code

I wrote the following function to add a domain to the list and preserve the existing domains in the allowed list. After getting the configuration we check to see if the domain we are adding is already in the list. If it is not in the list we add it; otherwise we throw an error. In order to add a domain (e.g. "GotSpeechGuy.com") we first have to prepare the domain name (which is just a string) by using New-CsEdgeDomainPattern. Then we take advantage of the fact that AllowedDomain has an Add() method. After we do that we have a list that contains all the original domains plus the new one we are adding, so we simply call Set-CsTenantFederationConfiguration passing in the AllowedDomains. That is all there is to it, and when we put it all together it looks like this:

function Set-AllowedDomain (
    [Parameter(Mandatory = $true)][string]$OU,
    [Parameter(Mandatory = $true)][string]$domainName
)
{
    # Look up the tenant by the name of its OU and fetch its current federation settings
    $tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
    if ($tenant -eq $null)
    {
        Throw (New-Object Exception("ERROR: tenant $OU not found"))
    }
    $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId

    # Check whether the domain is already in the allowed list
    $domain = $x.AllowedDomains.AllowedDomain | Where-Object {$_.Domain -eq $domainName}
    if ($domain -eq $null)
    {
        # Wrap the plain string in a domain pattern and append it to the existing list,
        # then write the whole (original + new) list back to the tenant
        $d1 = New-CsEdgeDomainPattern -Domain "$domainName"
        $x.AllowedDomains.AllowedDomain.Add($d1)
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $x.AllowedDomains
    }
    else
    {
        Throw (New-Object Exception("ERROR: $domainName already in allowed list for $OU"))
    }
}
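As an added example (not code from the original post), here is a variant of Set-AllowedDomain that takes several domains in one call, skips any that are already on the list, writes the configuration back once, and returns the domains it actually added so the change can be logged. It assumes the same hosting-pack cmdlets and the same tenant/OU naming as the post.

```powershell
# Added example, not from the original post. Assumes Get-CsTenant,
# Get-/Set-CsTenantFederationConfiguration and New-CsEdgeDomainPattern are loaded.
function Add-AllowedDomains (
    [Parameter(Mandatory = $true)][string]$OU,
    [Parameter(Mandatory = $true)][string[]]$DomainNames
)
{
    $tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
    if ($tenant -eq $null)
    {
        Throw (New-Object Exception("ERROR: tenant $OU not found"))
    }
    $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId

    # Index what is already allowed; DNS names are not case sensitive, so compare lower-cased
    $existing = @{}
    foreach ($d in $x.AllowedDomains.AllowedDomain)
    {
        $existing[$d.Domain.ToLower()] = $true
    }

    $added = @()
    foreach ($name in $DomainNames)
    {
        $clean = $name.Trim()
        $key = $clean.ToLower()
        # Skip blank entries and anything already on the list (idempotent re-runs)
        if ($key -eq "" -or $existing.ContainsKey($key)) { continue }
        $x.AllowedDomains.AllowedDomain.Add((New-CsEdgeDomainPattern -Domain $clean)) > $null
        $existing[$key] = $true
        $added += $clean
    }

    # One write for the whole batch; the tenant is left untouched if nothing was new
    if ($added.Count -gt 0)
    {
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $x.AllowedDomains
    }
    return $added
}

# Example call: only domains not already allowed for "Tenant1" are appended
Add-AllowedDomains -OU "Tenant1" -DomainNames "fabrikam.com", "contoso.com", "GotSpeechGuy.com"
```

The returned list is the audit trail of what changed; an empty result means the allow list was already complete and nothing was written.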

I hope this helps you and if you have any questions feel free to ping me.

Comments
  1. DrRez says:

    Thanks for the explanatory post Marshall! I will alert the authors of the white paper to the issues with the paper and see if they can fill the gaps. Appreciate the feedback as always.

  2. marshallharrison says:

    Thanks DrRez!

    I was able to glean some of the info I need from the scripts at the bottom of the Deployment Guide. The rest I had to get from exploring the objects themselves.

    Strangely enough, BlockedDomains works differently than the AllowedDomains. And, I am curious what would happen if the same domain is in both lists.

  3. Larry Nielsen says:

    So exactly where would you write this script, and where would you paste it?

  4. marshallharrison says:

    Larry,

    The code is a PowerShell script and can be run in the Lync Server Management Shell. Actually I create script files which I import into the Shell so that I can do whatever I need to do. I've got over 100 of these PowerShell methods that I use.

    You can also run them in one of the PowerShell editors such as PowerShell Plus by Idera which is my favorite editor. Just import Lync and ActiveDirectory modules (using Import-Module) and then you can execute your script.

  5. Absials says:

    Hi Marshall,
    Thanks for the post. It helped me a lot.
    I was wondering, how can I remove a specific domain from the AllowList.
    For example, I added two domains initially {DomainA, DomainB}
    Now I want to remove DomainA from the AllowList. I just want to remove, not add to the Block List.
    Waiting for your kind reply.
    Thanks again.
    Regards,
    ABSIALS

  6. marshallharrison says:

    This will do it for you:
    $tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
    $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId

    # Check to see if the domain is in the allowed list
    $domain = $x.AllowedDomains.AllowedDomain | ?{$_.Domain -eq $domainName}
    if($domain -ne $null)
    {
        # Remove the matching pattern and write the shortened list back (output suppressed)
        $x.AllowedDomains.AllowedDomain.Remove($domain) > $Null
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $x.AllowedDomains
    }
    else
    {
        Throw (new-object Exception("ERROR: $domainName not in allowed list for $OU"))
    }

    Note that I pipe the output of $x.AllowedDomains.AllowedDomain.Remove($domain) to null as I want to hide the response that gets echoed from the command. You can remove the pipe to null if you wish but my script is called by a web service so I didn’t want the extra output.

    • Absials says:

      Thanks Marshall for your reply.
      I came to know about another issue while retrieving Allowed Domains.
      If the number of allowed domains exceeds a certain number like 4 or 5 then the command $x.AllowedDomains returns the following with (…) at the end, after displaying a few domains:
      AllowedDomain : {Domain=domain1.com, Domain=domain2.com, Domain=domain3.com, Domain=domain4.com, Domain=domain5.com…}
      It is not displaying any domain after "domain5.com", but I need a complete list of Allowed Domains.
      I will really appreciate your help in this regard.

  7. marshallharrison says:

    I've noticed that too. Seems like it only shows so many characters. But if you want all the domains then ForEach is your friend. I just print them one at the time to the console but you can build your own string that contains all of them if that is what works best for you.

    $tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
    $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
    # Enumerate every entry so nothing is truncated by the default display
    foreach($domain in $x.AllowedDomains.AllowedDomain)
    {
        $domain
    }

    I hope that helps.

  8. Ken says:

    Hi Marshall,

    What scenario would exist that would cause me to get the following error message when running the Get-CsTenant cmdlet from the Lync Server Management Shell:

    The term ‘Get-CsTenant’ is not recognized as the name of a cmdlet

  9. marshallharrison says:

    That is a MultiTenant Pack for Partner Hosting command and it isn't in the normal Lync commands. If you have the hosting pack installed you need to import it separately.

    Try “Import-Module LyncOnLine”

  10. Richard says:

    Hi Marshall
    Have you managed to get federation to work with Lync Online customers. We seem to be experiencing issues. We have a tenant who has their federation list set to AllKnownDomains and dynamic federation works as expected. However this doesn't seem to work with Lync Online customers. We end up having to add these globally at the Edge servers, which shouldn't have to be done I would think. Interested to hear what your experience is here.
    Many thanks
    Rich

  11. marshallharrison says:

    Hi Richard,

    I haven’t heard of any issues but I will ask around to see if anyone has had problems. Basically I federate with all domains. This post was a result of some experimentation with allowing customers to choose their own federation.

  12. marshallharrison says:

    I checked and we have it working. If it is set up correctly it should work. Not sure what to tell you about debugging the issue.

    • Rich says:

      Appreciate your effort on this. Seems very strange, other federation seems to work without any issues but we always seem to have issues with Lync Online even though we have the required hosting provider configuration etc. We will carry on investigating.
      Thanks
      Rich

  13. marshallharrison says:

    Good luck. Please let us know what you find out.

  14. I truly figure this out post. I’ve been searching
    everywhere in this! Thank goodness I recently found it on Bing.
    You’ve made my day! Thank you again
