How Azure AD Sync Password write back works


Password writeback: how to configure Azure AD to manage on-premises passwords

Updated: February 10, 2015

Password writeback is an Azure Active Directory Sync component that can be enabled and used by current subscribers of Azure Active Directory Premium. For more information, see Azure Active Directory Editions. It allows you to configure your cloud tenant to write passwords back to your on-premises Active Directory. It removes the need to set up and manage a complicated on-premises self-service password reset solution, and it provides a convenient cloud-based way for your users to reset their on-premises passwords wherever they are. Read on for some of the key features of password writeback:

  • Zero delay feedback. Password writeback is a synchronous operation. Your users will be notified immediately if their password did not meet policy or was not able to be reset or changed for any reason.
  • Supports resetting passwords for users using AD FS or other federation technologies. With password writeback, as long as the federated user accounts are synchronized into your Azure AD tenant, they will be able to manage their on-premises AD passwords from the cloud.
  • Supports resetting passwords for users using password hash sync. When the password reset service detects that a synchronized user account is enabled for password hash sync, we reset both this account’s on-premises and cloud password simultaneously.
  • Supports changing passwords from the access panel and O365. When federated or password sync’d users come to change their expired or non-expired passwords, we’ll write those passwords back to your local AD environment.
  • Supports writing back passwords when an admin resets them from the Azure Management Portal. Whenever an admin resets a user’s password in the Azure Management Portal, if that user is federated or password sync’d, we’ll set the password the admin selects on your local AD as well. This is currently not supported in the Office Admin Portal.
  • Enforces your on-premises AD password policies. When a user resets his/her password, we make sure that it meets your on-premises AD policy before committing it to that directory. This includes history, complexity, age, password filters, and any other password restrictions you have defined in your local AD.
  • Doesn’t require any inbound firewall rules. Password writeback uses an Azure Service Bus relay as an underlying communication channel, meaning that you do not have to open any inbound ports on your firewall for this feature to work, only 443 outbound.
  • Is not supported for user accounts that exist within protected groups in your on-premises Active Directory. For more information about protected groups, see Appendix C: Protected Accounts and Groups in Active Directory.

Password writeback has three main components:

  • Password Reset cloud service (this is also integrated into Azure AD’s password change pages)
  • Tenant-specific Azure Service Bus relay
  • On-prem password reset endpoint

When a federated or password hash sync’d user comes to reset or change his or her password in the cloud, the following occurs:

  1. We check to see what type of password the user has. If we see the password is managed on premises, then we ensure the writeback service is up and running. If it is, we let the user proceed; if it is not, we tell the user that their password cannot be reset here.
  2. Next, the user passes the appropriate authentication gates and reaches the reset password screen.
  3. The user selects a new password and confirms it.
  4. Upon clicking submit, we encrypt the plaintext password with a public key that was created during the writeback setup process.
  5. After encrypting the password, we include it in a payload that gets sent over an HTTPS channel to your tenant specific service bus relay (that we also set up for you during the writeback setup process). This relay is protected by a randomly generated password that only your on-premises installation knows.
  6. Once the message reaches service bus, the password reset endpoint automatically wakes up and sees that it has a reset request pending.
  7. The service then looks for the user in question by using the cloud anchor attribute. For this lookup to succeed, the user object must exist in the AD connector space, it must be linked to the corresponding MV object, and it must be linked to the corresponding AAD connector object. Finally, in order for sync to find this user account, the link from AD connector object to MV must have the sync rule “Microsoft.InfromADUserAccountEnabled.xxx” on the link. This is needed because when the call comes in from the cloud, the sync engine uses the cloudAnchor attribute to look up the AAD connector space object, then follows the link back to the MV object, and then follows the link back to the AD object. Because there could be multiple AD objects (multi-forest) for the same user, the sync engine relies on the “Microsoft.InfromADUserAccountEnabled.xxx” link to pick the correct one.
  8. Once the user account is found, we attempt to reset the password directly in the appropriate AD forest.
  9. If the password set operation is successful, we tell the user their password has been modified and that they can go on their merry way.
  10. If the password set operation fails, we return the error to the user and let them try again. The operation might fail because the service was down, because the password they selected did not meet organization policies, because we could not find the user in the local AD, or any number of reasons. We have a specific message for many of these cases and tell the user what they can do to resolve the issue.

The table below describes which scenarios are supported for which versions of our sync capabilities. In general, it is highly recommended that you install the latest version of AADSync if you want to use password writeback. You can find the latest version of AAD Sync at http://www.microsoft.com/en-us/download/details.aspx?id=44225.

password writeback scenarios

Password writeback is a highly secure and robust service. In order to ensure your information is protected, we enable a 4-tiered security model that is described below.

  • Tenant specific service-bus relay – When you set up the service, we set up a tenant-specific service bus relay that is protected by a randomly generated strong password that Microsoft never has access to.
  • Locked down, cryptographically strong, password encryption key – After the service bus relay is created, we create a strong asymmetric key pair which we use to encrypt the password as it comes over the wire. The private key of this key pair lives only in your on-premises environment and Microsoft never has access to it. The public key gets placed into your tenant’s secret store in the cloud, which is heavily locked down.
  • Industry standard TLS – When a password reset or change operation occurs in the cloud, we take the plaintext password and encrypt it with your public key. We then plop that into an HTTPS message which is sent over an encrypted channel using Microsoft’s SSL certs to your service bus relay. After that message arrives into Service Bus, your on-prem agent wakes up, authenticates to Service Bus using the strong password that had been previously generated, picks up the encrypted message, decrypts it using the private key we generated, and then attempts to set the password through the AD DS SetPassword API. This step is what allows us to enforce your AD on-prem password policy (complexity, age, history, filters, etc) in the cloud.
  • Message expiration policies – Finally, if for some reason the message sits in Service Bus because your on-prem service is down, it will be timed out and removed after several minutes in order to increase security even further.
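
The message path described in the steps and the security model above, modelled as an added example that is not Microsoft's code. RSA-OAEP through .NET, the envelope fields, the 5-minute expiry and the sample values are assumptions; the page says only "asymmetric key pair" and "several minutes".

```powershell
# Added illustration of the writeback message path (not the service's real code).
# Assumptions: RSA-OAEP, a 2048-bit key, the envelope fields, a 5-minute expiry.

# Setup, on-premises: create the key pair and export ONLY the public half.
$onPremKey = New-Object System.Security.Cryptography.RSACryptoServiceProvider -ArgumentList 2048
$publicXml = $onPremKey.ToXmlString($false)    # $false = omit private parameters

function New-WritebackMessage {
    # Cloud side: holds the public key only, so it can encrypt but not decrypt.
    param(
        [string]$PublicKeyXml,
        [string]$CloudAnchor,
        [string]$NewPassword,
        [DateTime]$SentUtc = [DateTime]::UtcNow
    )
    $rsa = New-Object System.Security.Cryptography.RSACryptoServiceProvider
    try {
        $rsa.FromXmlString($PublicKeyXml)
        $plain  = [Text.Encoding]::UTF8.GetBytes($NewPassword)
        $cipher = $rsa.Encrypt($plain, $true)   # $true = OAEP padding
    }
    finally { $rsa.Clear() }
    [pscustomobject]@{
        CloudAnchor = $CloudAnchor
        SentUtc     = $SentUtc
        Ciphertext  = [Convert]::ToBase64String($cipher)
    }
}

function Receive-WritebackMessage {
    # On-premises side: drop expired messages, then decrypt with the private key.
    param(
        $Message,
        [System.Security.Cryptography.RSACryptoServiceProvider]$PrivateKey,
        [TimeSpan]$MaxAge = [TimeSpan]::FromMinutes(5)
    )
    $result = [pscustomobject]@{
        CloudAnchor = $Message.CloudAnchor
        Accepted    = $false
        Reason      = $null
    }
    if (([DateTime]::UtcNow - $Message.SentUtc) -gt $MaxAge) {
        $result.Reason = 'expired'
        return $result
    }
    try {
        $bytes = $PrivateKey.Decrypt([Convert]::FromBase64String($Message.Ciphertext), $true)
    }
    catch {
        $result.Reason = 'decrypt-failed'
        return $result
    }
    # A real endpoint would now find the user by cloud anchor and set the
    # password in AD; this model only records that the plaintext was recovered.
    [Array]::Clear($bytes, 0, $bytes.Length)
    $result.Accepted = $true
    $result.Reason   = 'ok'
    $result
}

# Constructed sample values.
$anchor = 'User_constructed-anchor'
$secret = 'Constructed-Sample-Passw0rd!'

# A fresh message, and one stamped ten minutes in the past.
$fresh = New-WritebackMessage -PublicKeyXml $publicXml -CloudAnchor $anchor -NewPassword $secret
$stale = New-WritebackMessage -PublicKeyXml $publicXml -CloudAnchor $anchor -NewPassword $secret `
                              -SentUtc ([DateTime]::UtcNow.AddMinutes(-10))

# A key object loaded from the public half only, as the cloud side would hold.
$cloudOnly = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$cloudOnly.FromXmlString($publicXml)

Receive-WritebackMessage -Message $fresh -PrivateKey $onPremKey    # private key, in time
Receive-WritebackMessage -Message $stale -PrivateKey $onPremKey    # private key, too old
Receive-WritebackMessage -Message $fresh -PrivateKey $cloudOnly    # public half only
```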

This section walks you through configuring password reset to write passwords back to an on-premises Active Directory.

Before you can enable and use the password writeback, you must make sure you complete the following prerequisites:

  • You have an Azure AD tenant with Azure AD Premium enabled. For more information, see Azure Active Directory Editions.
  • Password reset has been configured and enabled in your tenant. For more information, see Self-service password reset in Azure AD: how to enable, configure, and test self-service password reset.
  • You have at least one administrator account and one test user account with an Azure AD Premium license that you can use to test this feature. For more information, see Azure Active Directory Editions
    Important: Make sure that the administrator account that you use to enable password writeback is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD).
  • You have a single or multi-forest AD on-premises deployment running Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2 with the latest service packs installed.
    Note: If you are running an older version of Windows Server 2008 or 2008 R2, you can still use this feature, but will need to install KB 2386717 before being able to enforce your local AD password policy in the cloud.
  • You have the Azure AD Sync tool installed and you have prepared your AD environment for synchronization to the cloud. For more information, see Directory Integration Tools.
  • If you are using DirSync and your organization’s firewall is configured to block outbound connections, you must unblock TCP port 828 or 818 in order to enable and use password writeback. If you are using AADSync, this step is not necessary, as only 443 TCP outbound needs to be open.

Password writeback is available in releases of the Azure AD Sync Tool with version number 1.0.0419.0911 or higher.  Password writeback with automatic account unlock is available in releases of the Azure AD Sync Tool with version number 1.0.0485.0222 or higher. If you are running an older version, please upgrade to at least this version before proceeding. Download the latest version of Azure AD Sync.

  1. Navigate to %ProgramFiles%\Azure Active Directory Sync.
  2. Find the ConfigWizard.exe executable.
  3. Right-click the executable and select the Properties option from the context menu.
  4. Click on the Details tab.
  5. Find the File version field.

If this version number is greater than or equal to 1.0.0419.0911, you can skip to Step 2: Enable password writeback on your Directory Sync computer & configure firewall rules. If you have never installed AADSync before, here are some resources you can use to learn about the prerequisites for setting up sync:

  1. If this is your first time installing the Azure AD Sync Tool, it is recommended that you follow a few best practices to prepare your environment for directory synchronization. Before you install the Azure AD Sync Tool, you must activate directory synchronization in either the Office 365 or the Azure management portals. For more information, see Azure Active Directory Sync.

Now that you have the Azure AD Sync tool downloaded, you are ready to enable password writeback. You can do this in one of two ways. You can either enable password writeback in the optional features screen of the Azure AD Sync setup wizard, or you can enable it via Windows PowerShell.

  1. On your Directory Sync computer, open the Azure AD Sync configuration wizard.
  2. Click through the steps until you reach the optional features configuration screen.
  3. Check the Password write-back option.

  4. Complete the wizard. The final page will summarize the changes and will include the password writeback configuration change.
  5. Once installation is complete, if you are blocking unknown outbound connections in your environment, you will also need to add the following rules to your firewall. Make sure you reboot your AADSync machine after making these changes:
    1. Allow outbound connections over port 443 TCP
    2. Allow outbound connections to https://ssprsbprodncu-sb.accesscontrol.windows.net/
      Note: You can disable password writeback at any time by either re-running this wizard and deselecting the feature, or by setting the Write Passwords Back to On-Premises Directory setting to No in the User Password Reset Policy section of your directory’s Configure tab in the Azure Management Portal.

To enable password writeback using Windows PowerShell:

  1. On your Directory Sync computer, open a new elevated Windows PowerShell window.
  2. If the module is not already loaded, run the Import-Module ADSync command to load the AAD Sync cmdlets into your current session.
  3. Get the list of AAD Connectors in your system by running the Get-ADSyncConnector cmdlet and storing the results in $aadConnectorName.
  4. Get the current status of writeback for the current connector by running the following cmdlet: Get-ADSyncAADPasswordResetConfiguration -Connector $aadConnectorName
  5. Enable password writeback by running the cmdlet: Set-ADSyncAADPasswordResetConfiguration -Connector $aadConnectorName -Enable $true
  6. Once installation is complete, if you are blocking unknown outbound connections in your environment, you will also need to add the following rules to your firewall. Make sure you reboot your AAD Sync machine after making these changes:
    1. Allow outbound connections over port 443 TCP
    2. Allow outbound connections to https://ssprsbprodncu-sb.accesscontrol.windows.net/
      Note: If prompted for a credential, make sure that the administrator account that you specify for AzureADCredential is a cloud administrator account (created in Azure AD), not a federated account (created in on-premises AD and synchronized into Azure AD).
      Note: You can disable password writeback through PowerShell by repeating the same instructions above but passing $false in step or by setting the Write Passwords Back to On-Premises Directory setting to No in the User Password Reset Policy section of your directory’s Configure tab in the Azure Management Portal.

Verify that the configuration was successful

Once the configuration succeeds, you will see the message Password reset write-back is enabled in the Windows PowerShell window. You can verify the service was installed correctly by opening Event Viewer, navigating to the application event log, and looking for event 31005 – OnboardingEventSuccess from the source PasswordResetService.

For troubleshooting information and FAQ information, see “Troubleshoot Password Writeback” and “Password Writeback On-premises Event Log Error Codes” sections in FAQ/Troubleshooting for Azure AD password management.

For every forest that contains users whose passwords will be reset, if X is the account that was specified for that forest in the configuration wizard (during initial configuration), then X must be given the Reset Password and Change Password extended rights, plus Write Permissions on “lockoutTime” and Write Permissions on “pwdLastSet”, on the root object of each domain in that forest. The rights should be marked as inherited by all user objects.

Setting these permissions will allow the MA service account for each forest to manage passwords on behalf of user accounts within that forest. If you neglect to assign these permissions, then, even though writeback will appear to be configured correctly, users will encounter errors when attempting to manage their on-premises passwords from the cloud. Here are the detailed steps on how you can do this using the Active Directory Users and Computers management snap-in:

Note: It could take up to an hour for these permissions to replicate to all objects in your directory.

  1. Open Active Directory Users and Computers with an account that has the appropriate domain administration permissions.
  2. In the View Menu option, make sure Advanced Features is turned on.
  3. In the left panel, right click the object that represents the root of the domain.
  4. Click on the Security tab.
  5. Then click Advanced.

  6. On the Permissions tab, click Add.

  7. Select the account you want to give permissions to (this is the same account that was specified while setting up sync for that forest).
  8. In the drop-down at the top, select Descendant User objects.
  9. In the Permission Entry dialog box that shows up, check the box for Reset Password, Change Password, Write Permissions on “lockoutTime”, and Write Permissions on “pwdLastSet”.

  10. Then click Apply/Ok through all the open dialog boxes.
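
The same four permissions can be granted from an elevated prompt with dsacls.exe. This is an added example, not part of the original procedure; the domain DN, the account name and the function name Grant-WritebackRights are placeholders chosen for illustration.

```powershell
# Added example. Substitute your domain root and the account that was
# specified for that forest in the sync configuration wizard.
function Grant-WritebackRights {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$DomainDn,
        [Parameter(Mandatory = $true)][string]$Account
    )
    # dsacls permission syntax: <bits>;<right or attribute>;<inherited object type>
    #   CA = control access (an extended right), WP = write property
    $aces = @(
        'CA;Reset Password;user',
        'CA;Change Password;user',
        'WP;lockoutTime;user',
        'WP;pwdLastSet;user'
    )
    foreach ($ace in $aces) {
        $grant = '{0}:{1}' -f $Account, $ace
        if ($PSCmdlet.ShouldProcess($DomainDn, "dsacls /I:S /G $grant")) {
            # /I:S applies the ACE to sub-objects only; the trailing ';user'
            # limits it to user objects ("Descendant User objects" in the GUI).
            & dsacls.exe $DomainDn /I:S /G $grant | Out-Null
            if ($LASTEXITCODE -ne 0) {
                throw "dsacls failed for '$ace' (exit code $LASTEXITCODE)"
            }
        }
    }
}

# Dry run: lists the four dsacls invocations without changing the ACL.
Grant-WritebackRights -DomainDn 'DC=contoso,DC=com' -Account 'CONTOSO\svc-aadsync' -WhatIf

# After a real run (without -WhatIf), list the ACEs the account holds on the domain root:
# dsacls.exe 'DC=contoso,DC=com' | Select-String -SimpleMatch 'CONTOSO\svc-aadsync'
```

Run the function once per domain in each forest, as the paragraph above requires.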

Now that password writeback has been enabled, you can test that it works by resetting the password of a user whose account has been synchronized into your cloud tenant.

  1. Navigate to http://passwordreset.microsoftonline.com or go to any organizational ID login screen and click the Can’t access your account? link.

  2. You should now see a new page which asks for a user ID for which you want to reset a password. Enter your test user ID and proceed through the password reset flow.
  3. After you reset your password, you will see a screen that looks similar to this. It means you have successfully reset your password in your on-premises and/or cloud directories.

  4. To verify the operation was successful, go to your Directory Sync computer, open Event Viewer, navigate to the application event log, and look for event 31002 – PasswordResetSuccess from the source PasswordResetService for your test user.

For troubleshooting information and FAQ, see “Troubleshoot Password Writeback” and “Password Writeback On-premises Event Log Error Codes” sections in FAQ/Troubleshooting for Azure AD password management.
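
The two Event Viewer checks above (31005 after enabling, 31002 after a test reset) can be scripted. This is an added example, not from the original article; the function name Get-WritebackEventSummary and the sample events are constructed, and only the source name and the two event IDs come from the page.

```powershell
# Added example. Any PasswordResetService event other than 31005 / 31002 is
# only counted, not interpreted: look it up in the error-code reference.
function Get-WritebackEventSummary {
    param([Parameter(Mandatory = $true)][object[]]$Events)

    $svc     = @($Events | Where-Object { $_.ProviderName -eq 'PasswordResetService' })
    $onboard = @($svc | Where-Object { $_.Id -eq 31005 } | Sort-Object TimeCreated)
    $resets  = @($svc | Where-Object { $_.Id -eq 31002 } | Sort-Object TimeCreated)
    $other   = @($svc | Where-Object { 31005, 31002 -notcontains $_.Id })

    [pscustomobject]@{
        Onboarded         = $onboard.Count -gt 0
        LastOnboarding    = if ($onboard.Count) { $onboard[-1].TimeCreated }
        ResetSuccessCount = $resets.Count
        LastResetSuccess  = if ($resets.Count) { $resets[-1].TimeCreated }
        OtherEvents       = @($other | Group-Object Id |
                                ForEach-Object { '{0} (x{1})' -f $_.Name, $_.Count })
    }
}

# Constructed sample records with the properties Get-WinEvent returns.
# Id 65000 and the 'OtherApp' source are placeholders, not real writeback events.
$t0 = Get-Date '2015-02-10T09:00:00'
$sample = @(
    [pscustomobject]@{ ProviderName = 'PasswordResetService'; Id = 31005; TimeCreated = $t0 }
    [pscustomobject]@{ ProviderName = 'PasswordResetService'; Id = 31002; TimeCreated = $t0.AddMinutes(20) }
    [pscustomobject]@{ ProviderName = 'PasswordResetService'; Id = 31002; TimeCreated = $t0.AddMinutes(45) }
    [pscustomobject]@{ ProviderName = 'PasswordResetService'; Id = 65000; TimeCreated = $t0.AddMinutes(50) }
    [pscustomobject]@{ ProviderName = 'OtherApp';             Id = 31002; TimeCreated = $t0.AddMinutes(55) }
)
Get-WritebackEventSummary -Events $sample

# Live use on the Directory Sync computer:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Application'
#             ProviderName = 'PasswordResetService' } -ErrorAction SilentlyContinue
# if ($live) { Get-WritebackEventSummary -Events $live }
```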

Enabling system restore and File history in Windows 8, 8.1,10 and 7


Enabling System Protection on your system helps you restore it to the most recent date.

You can restore the data by using system restore from the System protection menu in Device Manager.

This first method is just one way that users can access System Protection in Windows 8.1.

1. Right-click on the Windows Start flag in the bottom left corner of the display.

2. Click on System.

3. Click on the System Protection link in the left frame.

From this point, System Protection works through the same processes used with Windows 7.

To access System Restore in Windows 8, please use the following steps to open System Restore.

1. Move the mouse to the bottom right corner of the display and wait for the Charm bar to open. Once the Charm bar is open, click on Settings.

2. On the PC Settings window that opens, click on Update and Recovery.

3. Click on Recovery.

4. On the Recovery screen, click the Restart Now button below Advanced Startup.

5. The computer will reboot into the Advanced Boot options menu.

 

6. The next screen that loads has three options. Click on the Troubleshoot option’s button.

7. The screen that loads lists three options. The three options are Refresh your PC, Remove Everything, and Advanced options. Select the Advanced Options button.

8. The next screen will have 5 or more new items listed. These options are System Restore, System Image Recovery, Startup Repair, Command Prompt, and Startup Settings. Some systems may also have an option for UEFI Firmware Settings (it may also be called BIOS Firmware settings depending on the computer’s motherboard configuration). Select the System Restore option.

9. Select a user account to continue. In this case, the account I am using is my Ralby account.

10. Enter the password for the account. Click the Continue button.

11. From this point, Windows 8.1 loads the System Restore wizard used in Windows 7. The process for restoring the computer uses the same steps that were used in Windows 7. For more information on that process, please see my Using System Protection in Windows 7 article.

Restoring Previous Versions of Personal Files

In Windows 8.1, Microsoft removed the Restore previous versions option from the context menu that appears when users right-click a file. Instead, Microsoft introduced a feature called File History. File History is located in the Update and Recovery section of PC Settings. File History stores copies of users’ personal files.

To access File History, use steps 1 – 3 above but select File History instead of either of the other two options.  The File History window and its options will load.

From this screen, users can enable and configure File History. To enable File History, slide the toggle on the slider bar to the right. Next, users can select the drive for storing the file versions if they need a different drive than the one selected. Network drive locations can be used for storing the file versions if desired or needed. Once File History is turned on, it will start to perform an initial backup of users’ personal files. To perform a manual backup, users will need to click the Back up now button.

By default, only Desktop, My Documents, Favorites and Contacts come under the File History backup. If you want to back up another partition, right-click it, select “Include in library” and create a new library; it will then come under the library.

To restore the files saved by File History, use the steps below.

1. Left-click on the Windows flag icon.

2. Type File History while the Start screen is displayed and Windows 8.1 will search for any programs or tools using that name.

3. Click on the Restore your files with File History option to load the following window.

4. From here, users can browse through the folders just as they can with File Explorer. To change which version of the files is being opened, users will need to use the arrow keys in the bottom middle of the File History window.

File History can also be accessed through the Control Panel.  When the View by: is set to Category, select the System and Security option and then select the appropriate item in the File History section.  Users can also select the Save backup copies of your files with File History option listed under System and Security to open the File History screen.  For users set to show Large or Small icons, click on File History.

On the left side of the File History window are options for restoring personal files, selecting the hard drive for storing the file versions, a section allowing users to exclude folders or libraries from being backed up, and an advanced settings section.  The Restore personal files option opens the same window shown in item 3 above in this section.  Select drive allows users to choose where to save the backed up personal files.  The Advanced Settings section allows users to select how often to make copies of the files, how much space to allocate for storing the files, and a duration for keeping the saved file versions.  Users can also recommend the selected drive to other members of the same Homegroup as well as view logfiles for recent issues.

 

 

Lync (Skype for business)-Skype communication


Courtesy Microsoft TechNet Blog, Microsoft Community Blog

This combination enables Lync customers to take advantage of the global reach of Skype to connect and collaborate with suppliers, customers, and partners while relying on the enterprise richness of Lync. This initial set of features includes:

  • Adding Skype contacts to Lync and vice-versa, enabling presence sharing
  • Audio calling and instant messaging between Lync and Skype users
  • Management settings for Lync administrators

What about end users?

Lync users can connect to Skype from Lync 2010 or Lync 2013, including any of the 2013 mobile clients.

Skype users will need the latest Skype client available from Skype.com. Today, Lync-Skype connectivity is supported from the Windows and Mac desktop clients with more options coming soon as other clients are updated.

Additionally, Skype users must sign in to Skype with a Microsoft account (formerly Windows Live ID) to communicate with Lync contacts. A Microsoft account is the combination of an email address and a password that you can also use to sign in to services like SkyDrive, Windows Phone, Xbox LIVE, and Outlook.com (and previously Hotmail or Messenger). If you use an email address and password to sign in to these or other services, you already have a Microsoft account. If you don’t have a Microsoft account, it’s easy to create one. You can merge your existing Skype account with your Microsoft account for single sign-on across a variety of applications and services.

Can’t communicate with AOL, Yahoo!, or Google Talk users

Lync 2013 for Office 365 supports external Skype for Business (Lync) users, and Skype users signed in with a Microsoft account. Communication with other IM providers isn’t supported.

Seeing it in action

Lync users add Skype contacts by typing their Skype users’ Microsoft account names into the Add Skype Contact window in Lync. Click the Add a Contact icon > Add a Contact Not in My Organization > Skype, then enter their Skype contact information and click OK.

Skype users add Lync contacts by typing their email addresses into the search bar within Skype and clicking Add to Contacts.

Once the recipient has accepted the add-contact request, presence information is exchanged and updated.

To start an audio call from Lync, make the same clicks as if the contact were a fellow Lync user.

The experience appears like a Lync call to the Lync user and a Skype call to the Skype user.


And remember, Skype users need to sign in to Skype with a Microsoft account, which can be linked to an existing Skype ID.

Troubleshooting Skype for Business-Skype Connectivity.

Microsoft recently announced the availability of Lync-Skype connectivity. If you haven’t been able to get up and running yet, then you’ve come to the right place.

Before you begin though, check out our three most popular answers:

1.     The Skype user must be signed in with a Microsoft account (formerly Windows Live ID).

2.     If the Skype user is using their own email address as a Microsoft ID (for example, bob@contoso.com instead of bob@outlook.com or something similar) then you have to format their name like this when you add them as a contact: bob(contoso.com)@msn.com. Learn more.

3.     To receive contact requests from Skype, the Skype for Business user has to set their alert level as follows: go to Options > Alerts > Contacts not using Skype for Business and choose Allow invites but block all other communications or Allow anyone to contact me.

Did any of these suggestions get you connected? If not, read on (and if you’re an admin, take a look at the Provisioning Guide for Skype for Business-Skype Connectivity)…

Lync Server and Skype for Business

A Skype for Business user does not receive a contact request from a Skype user

This can happen when the Skype for Business user has Skype for Business options set so they are not notified when someone else adds them as a contact.

Solution: The Skype for Business user must go to Options > Alerts > General alerts, and then select Tell me when someone adds me to their contact list.

A Skype for Business user removes a Skype user, but the Skype user can still see Skype for Business user’s presence and send IMs

This happens when the Skype for Business user chooses Remove from Group instead of Remove from Contact List.

Solution: In the Skype for Business main window, click Relationships, and then remove the Skype user from the list.

When a Skype for Business user calls a Skype user, the call sometimes fails

This currently happens in less than one percent of the cases, and is scheduled to be fixed in the next service update.

Workaround: Try the call again. NOTE: A fix for this will be available by June 30 as part of the Skype for Business cumulative update.

Skype for Business users can’t communicate with Skype users who have a Microsoft account with a custom (EASI) domain

A Skype for Business user adds a Skype user with a custom Microsoft account such as bob@contoso.com, and can’t see their presence or send them IMs.

Workaround: Add the contact using the following format: bob(contoso.com)@msn.com, where bob@contoso.com is the custom Microsoft account name of the person you’re trying to contact. For details, see Skype for Business users can’t communicate with external contacts who have Microsoft accounts that have a custom (EASI) domain.

Office 365 Small Business customers have External communications turned on, but can’t connect to Skype users

Before May 20, 2013, turning on External communications for Small Business customers didn’t automatically turn on Skype for Business-Skype connectivity. Now it does.

Workaround: Switch External communications off and then back on again. Go to Admin > Service settings > Instant messaging, meetings and conferencing > External communications.

Skype users

Skype users signed in with a new Microsoft account notice a delay of several minutes in seeing the presence status of a newly-added Skype for Business contact

This situation occurs when the Skype user signs in with a newly created Microsoft account, and the Skype for Business user has the following alert setting: Options > Alerts > Contacts not using Skype for Business > Allow anyone to contact me.  

Workaround: You can either wait for five minutes, or sign out of Skype and then sign back in. You can then see the Skype for Business user’s presence.

A Skype and a Skype for Business user remove each other as contacts, and then attempt to add each other as a contact again, but are not successful

This happens when a Skype and a Skype for Business user both remove each other as contacts. When one person tries to add the other contact again, the other person does not receive a contact request.

Workaround: The Skype for Business and the Skype user must both add each other as contacts again.

Lync (Skype for business)-Skype communication

Tags

,


Courtsey Microsoft TechNet Blog , Microsoft Community Blog

This combination enables Lync customers to take advantage of the global reach of Skype to connect and collaborate with suppliers, customers, and partners while relying on the enterprise richness of Lync. This initial set of features includes:

  • Adding Skype contacts to Lync and vice-versa, enabling presence sharing
  • Audio calling and instant messaging between Lync and Skype users
  • Management settings for Lync administrators

What about end users?

Lync users can connect to Skype from Lync 2010 or Lync 2013, including any of the 2013 mobile clients.

Skype users will need the latest Skype client available from Skype.com. Today, Lync-Skype connectivity is supported from the Windows and Mac desktop clients with more options coming soon as other clients are updated.

Additionally, Skype users must sign in to Skype with a Microsoft account (formerly Windows Live ID) to communicate with Lync contacts. A Microsoft account is the combination of an email address and a password that you can also use to sign in to services like SkyDrive, Windows Phone, Xbox LIVE, and Outlook.com (and previously Hotmail or Messenger). If you use an email address and password to sign in to these or other services, you already have a Microsoft account. If you don’t have a Microsoft account, it’s easy to create one. You can merge your existing Skype account with your Microsoft account for single sign-on across a variety of applications and services.

Can’t communicate with AOL, Yahoo!, or Google Talk users

Lync 2013 for Office 365 supports external Skype for Business (Lync) users, and Skype users signed in with a Microsoft account. Communication with other IM providers isn’t supported.

Seeing it in action

Lync users add Skype contacts by typing their Skype users’ Microsoft account names into the Add Skype Contact window in Lync. Click the Add a Contact icon > Add a Contact Not in My Organization > Skype, then enter their Skype contact information and click OK.

Skype users add Lync contacts by typing their email addresses into the search bar within Skype and clicking Add to Contacts.

Once the recipient has accepted the add-contact request, presence information is exchanged and updated.

To start an audio call from Lync, make the same clicks as if the contact were a fellow Lync user.

The experience appears like a Lync call to the Lync user and a Skype call to the Skype user.


Lync call window


Skype call window

And remember, Skype users need to sign in to Skype with a Microsoft account, which can be linked to an existing Skype ID.

Troubleshooting Skype for Business-Skype Connectivity.

Microsoft recently announced the availability of Lync-Skype connectivity. If you haven’t been able to get up and running yet, then you’ve come to the right place.

Before you begin though, check out our three most popular answers:

1. The Skype user must be signed in with a Microsoft account (formerly Windows Live ID).

2. If the Skype user is using their own email address as a Microsoft ID (for example, bob@contoso.com instead of bob@outlook.com or something similar), then you have to format their name like this when you add them as a contact: bob(contoso.com)@msn.com.

3. To receive contact requests from Skype, the Skype for Business user has to set their alert level as follows: go to Options > Alerts > Contacts not using Skype for Business and choose Allow invites but block all other communications or Allow anyone to contact me.

Did any of these suggestions get you connected? If not, read on (and if you’re an admin, take a look at the Provisioning Guide for Skype for Business-Skype Connectivity)…

Lync Server and Skype for Business

A Skype for Business user does not receive a contact request from a Skype user

This can happen when the Skype for Business user has Skype for Business options set so they are not notified when someone else adds them as a contact.

Solution: The Skype for Business user must go to Options > Alerts > General alerts, and then select Tell me when someone adds me to their contact list.

A Skype for Business user removes a Skype user, but the Skype user can still see Skype for Business user’s presence and send IMs

This happens when the Skype for Business user chooses Remove from Group instead of Remove from Contact List.

Solution: In the Skype for Business main window, click Relationships, and then remove the Skype user from the list.

When a Skype for Business user calls a Skype user, the call sometimes fails

This currently happens in less than one percent of the cases, and is scheduled to be fixed in the next service update.

Workaround: Try the call again. NOTE: A fix for this will be available by June 30 as part of the Skype for Business cumulative update.

Skype for Business users can’t communicate with Skype users who have a Microsoft account with a custom (EASI) domain

A Skype for Business user adds a Skype user with a custom Microsoft account such as bob@contoso.com, and can’t see their presence or send them IMs.

Workaround: Add the contact using the following format: bob(contoso.com)@msn.com, where bob@contoso.com is the custom Microsoft account name of the person you’re trying to contact. For details, see Skype for Business users can’t communicate with external contacts who have Microsoft accounts that have a custom (EASI) domain.

Office 365 Small Business customers have External communications turned on, but can’t connect to Skype users

Before May 20, 2013, turning on External communications for Small Business customers didn’t automatically turn on Skype for Business-Skype connectivity. Now it does.

Workaround: Switch External communications off and then back on again. Go to Admin > Service settings > Instant messaging, meetings and conferencing > External communications.

Skype users

Skype users signed in with a new Microsoft account notice a delay of several minutes in seeing the presence status of a newly-added Skype for Business contact

This situation occurs when the Skype user signs in with a newly created Microsoft account, and the Skype for Business user has the following alert setting: Options > Alerts > Contacts not using Skype for Business > Allow anyone to contact me.  

Workaround: You can either wait for five minutes, or sign out of Skype and then sign back in. You can then see the Skype for Business user’s presence.

A Skype and a Skype for Business user remove each other as contacts, and then attempt to add each other as a contact again, but are not successful

This happens when a Skype and a Skype for Business user both remove each other as contacts. When one person tries to add the other contact again, the other person does not receive a contact request.

Workaround: The Skype for Business and the Skype user must both add each other as contacts again.

Print Spooler restart from the command prompt


The print spooler cannot be restarted without administrator rights on the PC. To restart it, open Command Prompt with administrator rights and use the commands below to stop and start the print spooler service.

Steps (3 total)

1. Open command prompt

Click Start, then Run, type cmd, and press Enter.

2. Stop command

Enter the following command and press Enter:

net stop spooler

3. Start command

Enter the following command to start the print spooler again:

net start spooler

Conclusion

Restarting the print spooler will fix any minor glitches.

Restrictions and limitations when you sync OneDrive for Business


Courtesy: Microsoft support, Community, Video How to Sync, Repair One Drive

Fix OneDrive for Business sync problems

If you can’t sync files between your computer and OneDrive for Business, it might be due to problems with the OneDrive for Business sync client. If the OneDrive for Business sync client isn’t functioning properly, follow the steps in this article to fix the problem.

Follow these steps to fix your OneDrive for Business sync problems

If you don’t have the OneDrive for Business sync app, you can download it free.

Step 1: Make sure that the OneDrive for Business sync app is up-to-date

OneDrive for Business is frequently updated. Make sure that you have the most current version of OneDrive for Business installed.

Step 2: Make sure that your file and folder names don’t contain unsupported characters or invalid file types

If a file or folder name contains certain characters or file types, you won’t be able to sync those files. Review the list of invalid characters and file types, and change any file or folder names, or remove the file types that aren’t supported.

Step 3: Make sure that your file sizes, item counts, and file path lengths are within the limits

If a file you’re trying to sync is too large, or if you’re trying to sync too many items, OneDrive for Business sync might not work. Review the limits for the size and number of files that can be synced, and make sure the files you’re trying to sync don’t fall within the listed restrictions or limitations.

Step 4: Repair a OneDrive for Business sync connection

Follow these quick steps to repair a sync connection with OneDrive for Business, and see if that fixes your sync problem.

Step 5: Stop and restart syncing for a OneDrive for Business library

If you’re having problems with a synced library folder, it’s sometimes simplest to just stop syncing the library, and then start syncing the library again, as if for the first time.

Step 6: Use the OneDrive for Business Sync Issues Troubleshooting Guide

If you’re still experiencing sync problems, try the OneDrive for Business Sync Issues Troubleshooting Guide. This tool can help guide you through diagnosing and resolving issues with libraries you’re currently syncing.

Still having sync issues?

If you’re still having sync issues, try posting a question in the Office 365 community forums. They’re a great resource, and they’re monitored by Microsoft support agents who can help if you’ve tried the steps here and are still stuck. You can also contact Office 365 for business support.

This article contains information about the restrictions and limitations in using OneDrive for Business (formerly SkyDrive Pro) to sync SharePoint Online or SharePoint 2013 libraries to your computer.

MORE INFORMATION

Number of items that can be synced

  • You can sync up to 20,000 items in your OneDrive for Business library. This includes folders and files. You can also sync up to 20,000 items for each additional OneDrive personal site that you may have access to.
  • You can sync up to 5,000 items in a SharePoint library. This includes folders and files. These are the libraries that you find on various SharePoint sites, such as team sites and community sites, libraries that other people created, or that you created from your Sites page. You can sync multiple SharePoint libraries.

Size limit for syncing files

In any SharePoint library, you can sync files of up to 2 gigabytes (GB).

Character limit for files and folders

These limits apply to files and folders that you add to a synced library folder for uploading to SharePoint.

  • In SharePoint Server 2013, file names can have up to 128 characters.
  • In SharePoint Online, file names can have up to 256 characters.
  • Folder names can have up to 250 characters.
  • Folder name and file name combinations can have up to 250 characters.

Invalid characters

SharePoint Online

The following characters in file or folder names aren’t supported when you sync OneDrive for Business with SharePoint Online:

\
/
:
*
?

<
>
|
#
%

Additionally, a file or folder name that begins with a tilde (~) isn’t supported.

SharePoint Server 2013

The following characters in file names aren’t supported when you sync OneDrive for Business with SharePoint Server 2013:

\
/
:
*
?

<
>
|
#
{
}
%
~
&

A file name that begins with a period (.) or a tilde (~) isn’t supported.

Unsupported folder names

When you sync OneDrive for Business with SharePoint Online or SharePoint 2013, a folder named “forms” isn’t supported at the root level for a list or library. This occurs because “forms” is a hidden default folder that’s used to store templates and forms for the library. Additionally, a folder that contains the string _vti_ is reserved by SharePoint, and isn’t supported.

The following folder names can be synchronized in OneDrive for Business and SharePoint Online. However, if they’re synchronized, they won’t appear when you view the library on the SharePoint Online or OneDrive for Business webpage. With some of these restrictions, you may be unable to add files or folders that have these characters while in the OneDrive for Business folder. However, if you create the files or folders outside OneDrive for Business and then drag those files or folders into the OneDrive for Business folder, the files and folders will sync but the files won’t appear on the webpage.

*_files:
*_Dateien
*_fichiers
*_bestanden
*_file
*_archivos
*_tiedostot
*_pliki
*_soubory
*_elemei
*_ficheiros
*_arquivos
*_dosyalar
*_datoteke
*_fitxers
*_failid
*_fails
*_bylos
*_fajlovi
*_fitxategiak

GUID strings as file names

The GUID string structure is supported in SharePoint Online.

The following GUID string structure isn’t supported for file names in SharePoint 2013:

'{' + 8 hexadecimal + '-' + 4 hexadecimal + '-' + 4 hexadecimal + '-' + 4 hexadecimal + '-' + 12 hexadecimal + '}'

For example, a GUID that matches this structure resembles the following:

{9b6634a7-26b7-40a2-a48e-6f967d89c29e}

Invalid file types

You can’t upload files that have a *.tmp or *.ds_store extension, and you can’t upload desktop.ini, thumbs.db, or ehthumbs.db files.
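The naming rules above can be checked before files are dropped into a synced library folder. The following Python function is an added example, not Microsoft's code or part of the original article: check_path and its rule tables are hypothetical names, the character sets are exactly those listed on this page, and the assumptions it makes are stated in its docstring.

```python
import re

# Rule tables transcribed from the lists on this page.
TARGETS = {
    "online": {"bad": set('\\/:*?<>|#%'), "lead": "~", "max_file": 256},
    "2013": {"bad": set('\\/:*?<>|#{}%~&'), "lead": "~.", "max_file": 128},
}
MAX_FOLDER = MAX_COMBINED = 250
BLOCKED_FILES = {"desktop.ini", "thumbs.db", "ehthumbs.db"}
BLOCKED_EXTS = (".tmp", ".ds_store")
GUID = re.compile(r"\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}", re.I)


def check_path(rel_path, target):
    """Return a list of rule violations for a library-relative file path.

    Assumptions (not stated on the page): '/' separates components, the
    character and leading-character rules are applied to folders as well
    as the file name, names are compared case-insensitively, and the
    GUID rule is matched against the file name without its extension.
    """
    rules, problems = TARGETS[target], []
    parts = [p for p in rel_path.split("/") if p]
    if not parts:
        return ["empty path"]
    *folders, name = parts
    for part in parts:
        found = sorted(rules["bad"] & set(part))
        if found:
            problems.append(f"{part!r}: unsupported characters {''.join(found)}")
        if part[0] in rules["lead"]:
            problems.append(f"{part!r}: unsupported leading {part[0]!r}")
    for folder in folders:
        if len(folder) > MAX_FOLDER:
            problems.append(f"{folder[:20]!r}...: folder name over {MAX_FOLDER} characters")
        if "_vti_" in folder.lower():
            problems.append(f"{folder!r}: contains reserved string _vti_")
    if folders and folders[0].lower() == "forms":
        problems.append("'forms' is reserved at the library root")
    if len(name) > rules["max_file"]:
        problems.append(f"file name over {rules['max_file']} characters")
    if folders and len("/".join(parts)) > MAX_COMBINED:
        problems.append(f"folder and file name over {MAX_COMBINED} characters combined")
    lowered = name.lower()
    if lowered in BLOCKED_FILES or lowered.endswith(BLOCKED_EXTS):
        problems.append(f"{name!r}: file type cannot be uploaded")
    stem = name.rsplit(".", 1)[0]
    if target == "2013" and GUID.fullmatch(stem):
        problems.append(f"{name!r}: GUID-structured file name")
    return problems
```

Pass "online" or "2013" as the target; an empty list means the path breaks none of the rules encoded here.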

Additionally, you can’t upload files whose file types are blocked on the SharePoint site. If your organization is running SharePoint Server, the list of blocked files may vary, depending on what your administrator sets up. If your organization is running SharePoint Online, the default list of blocked files is fixed and can’t be changed. To see a list of the default blocked files, go to the following Microsoft website: