More Hosting Pack Tenant Federation Goodies

Posted: June 27, 2012 in Development, Hosting, Lync, Lync Hosting Pack, PowerShell

Last week I blogged on Setting Up a Tenant's Allowed Domains for Federation concerning things I learned (some the hard way) while using PowerShell to set up federation for a Lync tenant using the Microsoft Lync Server 2010 Multitenant Pack for Partner Hosting. Today's blog post will cover some other things I've learned since the last post and some oddities I encountered.

The first thing that I noticed was this line in the Deployment Guide: "You should use the Lync Server Control Panel only in read-only mode. You should make all changes to the topology, server configuration, or user configuration by using cmdlets in the Lync Server Management Shell." That is all right with me. I love PowerShell and do all of my administration and provisioning from PowerShell, so I have no problem with this. But if you are used to using the Control Panel then you are going to have to change the way you operate. There are other differences too, but I'll blog about them in the weeks to come. Now let's get on to the federation goodies.

I wrote last week about how to get the tenant allowed list. When you look at the federation configuration for Tenant1 using Get-CsTenantFederationConfiguration you get something like this:

Identity : Global
AllowedDomains : Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowList
BlockedDomains : {}
AllowFederatedUsers : True
AllowPublicUsers : True
SharedSipAddressSpace : False

And I showed how to get the list of allowed domains from the Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowList, so I thought that the BlockedDomains list would work the same way. Surprise! It doesn't. If you look at the type of the two objects you will see that they differ:

PS C:\> $x.AllowedDomains.GetType()

IsPublic IsSerial Name              BaseType
-------- -------- ----              --------
True     False    AllowList         System.Object

PS C:\> $x.BlockedDomains.GetType()

IsPublic IsSerial Name              BaseType
-------- -------- ----              --------
True     False    ListWithEvents`1  System.Object

I'm not exactly sure yet what all of that means (still working it out), but the main thing is that to add to the list of Allowed Domains you have to call the Add() method on the nested AllowedDomain collection, like this:

$x.AllowedDomains.AllowedDomain.Add($d1)

But to add to the Blocked List you call the Add() method directly on the BlockedDomains object, like this:

$x.BlockedDomains.Add($d1)

The Code

Other than what I mentioned above, the code is almost identical to last week's code. As a side note, you will notice that I have added some try/catch error handling logic to this version, which I also retrofitted into my code for Set-AllowedDomain. Also, the documentation has the same overwrite bug I mentioned previously, which is why I use the Add method of $x.BlockedDomains rather than passing a fresh list to Set-CsTenantFederationConfiguration.

function Set-BlockedDomain (
    [Parameter(Mandatory = $true)][string]$OU,
    [Parameter(Mandatory = $true)][string]$domainName
)
{
    try
    {
        # Look the tenant up by its OU name, then fetch its federation settings
        $tenant = Get-CsTenant | Where-Object {$_.Name -eq "$OU"}
        if($tenant -eq $null)
        {
            Throw (New-Object Exception("ERROR: tenant $OU not found"))
        }
        $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId

        # Check to see if the domain is already in the blocked list
        $domain = $x.BlockedDomains | ?{$_.Domain -eq $domainName}
        if($domain -eq $null)
        {
            # BlockedDomains is a plain list, so Add() is called on it directly
            $d1 = New-CsEdgeDomainPattern -Domain "$domainName"
            $x.BlockedDomains.Add($d1)
            Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $x.BlockedDomains
        }
        else
        {
            Throw (New-Object Exception("ERROR: $domainName already in blocked list for $OU"))
        }
    }
    catch [Exception]
    {
        Write-Error "Exception Set-BlockedDomain: $_"
        Throw $_
    }
}

More Confusion Around Allowed Domains List

I was trying out my New-AllowedDomain function when I got this error:

Set-AllowedDomain : Exception Set-AllowedDomain: You cannot call a method on a null-valued expression.
At line:1 char:20
+ Set-AllowedDomain <<<<  -OU 'marshall55' -domain 'nextuc.com'
    + CategoryInfo          : NotSpecified: (:) [Write-Error], WriteErrorException
    + FullyQualifiedErrorId : Microsoft.PowerShell.Commands.WriteErrorException,Set-AllowedDomain

My first thought was: what is happening? I didn't pass in any null parameters. This doesn't make any sense. Stupid PowerShell error messages. But then I started digging deeper into the code (seen here) and found that this line was causing the problem:

# Check to see if the domain is in the allowed list
$domain = $x.AllowedDomains.AllowedDomain | ?{$_.Domain -eq $domainName}

Hmm, that hasn't caused any errors in the past, and I had code to handle the case where the domain wasn't there, so why the reference to a null-valued expression? Time to dig deeper. So I looked at the federation info for the tenant, and this is what I got:

$x = Get-CsTenantFederationConfiguration –Tenant $tenant.TenantId
PS C:\Users\Administrator.S01> $x

Identity              : Global
AllowedDomains        : Microsoft.Rtc.Management.WritableConfig.Settings.Edge.AllowAllKnownDomains
BlockedDomains        : {}
AllowFederatedUsers   : True
AllowPublicUsers      : True
SharedSipAddressSpace : False

It seems that the tenant was set to federate with all known domains (known by whom?). Since it was essentially federated with everybody there is no need (and no way) to add a domain: AllowedDomains is an AllowAllKnownDomains object rather than an AllowList, so it has no AllowedDomain collection, and calling Add() on that missing collection is what produces the null-valued expression error. Now I understand the problem and what the weird error message means, but I'm not particularly fond of the error.
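Pulling the two lessons above together (the different Add() calls for the allowed and blocked lists, and the AllowAllKnownDomains case that has no list at all), here is an added example, not the code from this post or the previous one, that checks the type of AllowedDomains before touching it and reports the situation plainly instead of leaving it to PowerShell's null-valued expression error. It assumes only the cmdlets shown in this post, and that Set-CsTenantFederationConfiguration takes an -AllowedDomains parameter alongside the -BlockedDomains one used above.

```powershell
# Added example (not the author's code): add a domain to a tenant's allowed or
# blocked federation list, inspecting the object types described in the post.
function Add-TenantFederationDomain
{
    param(
        [Parameter(Mandatory = $true)][string]$OU,
        [Parameter(Mandatory = $true)][string]$DomainName,
        [Parameter(Mandatory = $true)][ValidateSet('Allowed','Blocked')][string]$List
    )

    $tenant = Get-CsTenant | Where-Object { $_.Name -eq $OU }
    if ($tenant -eq $null) { throw "Tenant '$OU' not found" }

    $x = Get-CsTenantFederationConfiguration -Tenant $tenant.TenantId
    $pattern = New-CsEdgeDomainPattern -Domain $DomainName

    if ($List -eq 'Blocked')
    {
        # BlockedDomains is a plain list (ListWithEvents`1): Add() goes on it directly.
        if ($x.BlockedDomains | Where-Object { $_.Domain -eq $DomainName }) {
            throw "$DomainName is already in the blocked list for $OU"
        }
        $x.BlockedDomains.Add($pattern)
        Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -BlockedDomains $x.BlockedDomains
        return
    }

    # AllowedDomains is either an AllowList (which carries the AllowedDomain
    # collection) or an AllowAllKnownDomains object (which carries no list at all).
    # Calling .AllowedDomain.Add() on the latter is the null-valued expression error.
    $typeName = $x.AllowedDomains.GetType().Name
    if ($typeName -ne 'AllowList')
    {
        throw "Tenant '$OU' has AllowedDomains of type $typeName (federates with all known domains); there is no allowed list to add '$DomainName' to"
    }
    if ($x.AllowedDomains.AllowedDomain | Where-Object { $_.Domain -eq $DomainName }) {
        throw "$DomainName is already in the allowed list for $OU"
    }
    # Add() on the existing collection avoids the overwrite behaviour of passing a new list.
    $x.AllowedDomains.AllowedDomain.Add($pattern)
    Set-CsTenantFederationConfiguration -Tenant $tenant.TenantId -AllowedDomains $x.AllowedDomains
}
```

Usage is the same for either list, e.g. Add-TenantFederationDomain -OU 'marshall55' -DomainName 'nextuc.com' -List Allowed; a tenant on AllowAllKnownDomains now fails with a message that names the cause.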

I'll continue this discussion in a follow-up blog post next week (this one is getting too long) and explain how I got into this mess, as well as the different levels/types of federation a tenant can have. In the meantime I didn't want you to be confused if you encountered this error.

Let me know if you have questions.
