Update – May-26-2015: With the help of Yoav Barzilay, we’ve updated the script to include several new features:
- Support for retrieving EDGE server certificates
- Support for Skype for Business Server 2015 environments
- The script includes parameters that let you retrieve certificates from FE, EDGE and OWAS servers all together or one at a time
- Visual improvements
- Connectivity tests for servers in Pool
- A smarter environment filter that ignores environments with OCS 2007 R2
Download version 0.46 from Here
Update – August-8-2014: With the help of Anthony Caragol, I’ve updated the script to include two new features:
- The script queries every server within a pool and not just the pool itself
- The script uses PSRemoting, which allows it to run the Get-CsCertificate cmdlet and return only the certificates assigned to Lync rather than every certificate that exists on a server, as the previous version did
Download version 0.3 from Here
I’ve been doing some troubleshooting lately for a customer who had some issues with expired certificates in his Lync environment and asked me how he could monitor or track certificate expiration there.
There are great tools out there that help with tracking and monitoring certificates in any environment (not only for Lync). The ones I had a chance to work with are:
The problem is that the first tool can run against an internal CA only, which means it holds a lot of certificates or, alternatively, does not include public certificates.
The cmdlet does an excellent job of providing the information we need, but it can only run against the local server, which might be an issue for an environment with multiple Lync servers and pools.
The third option is easy and very detailed, but it runs against external servers only.
That’s why we (Yoav Barzilay and I) decided to come up with the following script:
Information:
The following script queries every Lync server in the environment that is a registrar, an EDGE or an OWAS, and writes the following information about every certificate that exists under the Local Machine store to an HTML report file:
- Friendly Name
- Issuer
- Thumbprint
- Subject Name
- Issue Date
- Expiration Date
- Expires In (Days)
The information is gathered by using the following PowerShell code:
$Store = New-Object System.Security.Cryptography.X509Certificates.X509Store("MY","LocalMachine")
$Store.Open("ReadOnly")
Script Features:
- The script pulls the information from every server by querying the Local Machine container and writes it to an HTML report file
- Certificates that are about to expire in the next 30 days are colored red
- The script can also be configured to send email, and can be run as a scheduled task so that you are notified on a weekly/monthly basis.
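The store query and the 30-day rule described above, as an added example that is not the published script's code. The function names and the CertReport.html output path are assumptions made for illustration; certificate fields are HTML-encoded before they are written because subject and friendly-name strings are not under the report author's control.

```powershell
# Added example: enumerate LocalMachine\MY and flag certificates nearing expiry.
function Get-CertExpiryReport {
    param(
        [int]$WarnDays = 30,            # threshold the post uses for red rows
        [datetime]$Now = (Get-Date)
    )
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("MY", "LocalMachine")
    $store.Open("ReadOnly")
    try {
        foreach ($cert in $store.Certificates) {
            $days = [int][math]::Floor(($cert.NotAfter - $Now).TotalDays)
            [pscustomobject]@{
                FriendlyName  = $cert.FriendlyName
                Issuer        = $cert.Issuer
                Thumbprint    = $cert.Thumbprint
                Subject       = $cert.Subject
                IssueDate     = $cert.NotBefore
                Expiration    = $cert.NotAfter
                ExpiresInDays = $days
                Expiring      = ($days -le $WarnDays)   # also true once already expired
            }
        }
    }
    finally { $store.Close() }
}

# Hypothetical helper: render the rows as one HTML table, red for expiring rows.
function ConvertTo-CertHtmlTable {
    param([Parameter(ValueFromPipeline = $true)]$Row)
    begin {
        $html = @('<table border="1">',
                  '<tr><th>Friendly Name</th><th>Issuer</th><th>Thumbprint</th><th>Subject Name</th><th>Issue Date</th><th>Expiration Date</th><th>Expires In (Days)</th></tr>')
    }
    process {
        $cells = foreach ($v in $Row.FriendlyName, $Row.Issuer, $Row.Thumbprint, $Row.Subject, $Row.IssueDate, $Row.Expiration, $Row.ExpiresInDays) {
            '<td>' + [System.Net.WebUtility]::HtmlEncode([string]$v) + '</td>'
        }
        $style = if ($Row.Expiring) { ' style="background-color:red"' } else { '' }
        $html += "<tr$style>" + (-join $cells) + '</tr>'
    }
    end { $html += '</table>'; $html -join "`r`n" }
}

# Output path is an assumption for this example.
Get-CertExpiryReport | ConvertTo-CertHtmlTable | Set-Content -Path .\CertReport.html
```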
The current caveats with the script (which will hopefully be solved in the next version):
- Does not pull EDGE server certificate information
- Does not have Lync certificate assignment awareness (does not know which certificate is currently assigned)
Output:
Download:
Nice one 🙂 Looking forward to upcoming updates Guy 🙂
Thank you, appreciate the feedback 🙂
I’ve already updated the script with two new features and hopefully I can get the EDGE servers to work in the upcoming version.
Reblogged this on Universal Communications, My experiences. and commented:
A really nice initiative on a matter that’s crucial to Lync operations.
You should not forget about PSTN gateways utilizing SIP TLS (and certificates) as well!
That’s good feedback. I’m not sure, though, that I can use the same method for pulling out the information on PSTN gateways, but I’ll definitely look into that.
Maybe you can include this “grey area” in the instruction guide, just to alert the user of this tool.
I’m working on a newer version of the script which will hopefully include the EDGE integration, but I’ll definitely add this comment.
Thanks
Amazing script (helps to learn some PowerShell tricks also)
Hi Guy
We have a few customers still using Lync 2010. Any tips on getting your script to work for Lync 2010 environments? I’ve tried, but it fails to get the server list.
Cheers
Hi Jason,
The script should work for a Lync 2010 environment as well, as Get-CsCertificate is available for both Lync 2013 and Lync 2010 (though I haven’t had a chance to test it on Lync 2010).
What is the error message that you are getting?
Running the script errors at line 212 Error Connecting to local server.
Any ideas why it does this?
The reason it may not work is because line 212 is using Invoke-Command, which is part of PowerShell 3.0 and above.
What kind of OS and PowerShell version are you using?
I can try and send you the initial version of the script, which can get the certificates list but cannot determine the Lync assigned certificates, only all certificates.
The OS is W2K8 R2, Lync 2010 and PowerShell 4.0
That should work. Does it give this error for every Lync 2010 server? I can try and send you an earlier version of the script which gives similar output but works in a different way.
Yes it does this on all my Lync servers, I didn’t try my edge. I would like to try the older version so a link would be nice.
Send me your email and I’ll send you a link and I’ll try and troubleshoot it with you
I had to make this adjustment to the section starting at line 74 (in v0.03) of the script to make it work for Lync 2010: Otherwise the $ServerList et al all end up as empty variables (which is then where Invoke-Command will fall down, as it has nothing to connect to).
However, it looks like there’s more work to do, as then I end up with a lot of errors from the Invoke-Command itself, saying it can’t find the Get-CsCertificate command. I’ll look into that too.
# Build the pool lists by filtering Get-CsPool output on the Services property
$PoolList = Get-CsPool | Where-Object {($_.Services -like "*Registrar*") -or ($_.Services -like "*MediationServer*")}
$EDGEList = Get-CsPool | Where-Object {$_.Services -like "*EDGE*"}
$WACList = Get-CsPool | Where-Object {$_.Services -like "*WAC*"}
$ServerList = @()
$EDGEServerList = @()
$WacServerList = @()
# Expand each pool into its member computers
foreach ($pool in $PoolList) {
    $ServerList += $pool.Computers
}
foreach ($edge in $EDGEList) {
    $EDGEServerList += $edge.Computers
}
foreach ($wac in $WACList) {
    $WacServerList += $wac.Computers
}
Addendum to previous comment:
The Invoke-Command needs the scriptblock modified to include “Import-Module Lync;” before the call to Get-CsCertificate. Then it works, ok.
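The remote call discussed in these comments, with Import-Module Lync inside the script block and unreachable servers kept in the result set instead of silently dropped. This is an added example, not code from the published script; the function name and the server names are constructed placeholders, and it assumes WinRM is enabled on the targets and that the Lync module is installed there.

```powershell
# Added example (hypothetical function name; not part of the published script).
function Get-RemoteLyncCertificate {
    param(
        [Parameter(Mandatory = $true)][string[]]$ComputerName,
        [int]$WarnDays = 30
    )
    foreach ($server in $ComputerName) {
        try {
            # Fail fast if WinRM is unreachable (service down, firewall, name resolution).
            Test-WSMan -ComputerName $server -ErrorAction Stop | Out-Null
            $certs = Invoke-Command -ComputerName $server -ErrorAction Stop -ScriptBlock {
                # The remote session starts without the Lync cmdlets loaded.
                Import-Module Lync -ErrorAction Stop
                Get-CsCertificate
            }
            foreach ($c in $certs) {
                $days = [int][math]::Floor(($c.NotAfter - (Get-Date)).TotalDays)
                [pscustomobject]@{
                    Server = $server; Reachable = $true; Use = $c.Use
                    Issuer = $c.Issuer; Thumbprint = $c.Thumbprint; Subject = $c.Subject
                    NotBefore = $c.NotBefore; NotAfter = $c.NotAfter
                    ExpiresInDays = $days; Expiring = ($days -le $WarnDays); Error = $null
                }
            }
        }
        catch {
            # Keep the failure in the output so the report shows the coverage gap.
            [pscustomobject]@{
                Server = $server; Reachable = $false; Use = $null
                Issuer = $null; Thumbprint = $null; Subject = $null
                NotBefore = $null; NotAfter = $null
                ExpiresInDays = $null; Expiring = $null; Error = $_.Exception.Message
            }
        }
    }
}

# Server names below are constructed placeholders.
Get-RemoteLyncCertificate -ComputerName 'fe01.example.test', 'fe02.example.test' |
    Sort-Object Reachable, ExpiresInDays |
    Format-Table Server, Reachable, Use, ExpiresInDays, Expiring, Error -AutoSize
```

Sorting on Reachable first puts servers that could not be queried at the top, so a missing server is not mistaken for a server with no expiring certificates.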
Thanks Bryan, I’ll include the adjustments in my next version.
I tried your 0.1 version of the script and this works flawlessly for me. Could it be that the version of Lync we’re running has something to do with it? We’re running: Microsoft Lync Server 2010 (4.0.7577.0)
Hi Edwin,
Version 0.1 is working in a different way than version 0.3.
In version 0.3 I’m using Invoke-Command, which requires a specific version of PowerShell and Windows, and in version 0.1 I’m using a remote connection directly.
On what version of Windows does your Lync 2010 environment run? If that’s on Windows Server 2003, that could explain that.
We run it on Windows Server 2008 R2 X64 SP1. Come to think of it, I never checked our internal firewall for WinRM blocking… hmmmm
Hi, I am running Lync 2010 with PowerShell v2. Would you be able to send me the older version of this script, please? Many thanks. Chau
Great script! I am now making use of this in our production environment. Any news on when the Edge servers will be included?
Also, just as a suggestion, is there a way to include in the report if you were unable to contact a server for some reason?
Keep up the good work! Thanks!
Hi,
I’m still working on the EDGE piece, hope to have it ready in the next couple of weeks.
Thanks for the feedback, I’ll try to include as much information as possible.
Guy,
Please fix the edge piece. Line 212 is pitching errors at me. Not seeing the WAS either.
Hi John,
Yes, I’m well aware of this issue. The EDGE is my top priority and I hope to make progress with it very soon and release a newer version of the script.
Hi Guy, Great Script…
Any News on edge server??
Unfortunately I didn’t have time to get back to work on the EDGE component, but I’m planning on doing so in the near future as well as adding SfB support.
wait for updates… 🙂
Actually I was able to get some time on this script today and have a newer version now. Let me know if you want to test it out before I release it.
I’ll give it a go if you’ll let me.
Sure, send me your email and I’ll forward that to you for testing.
The synopsis seems to be coming from a different script:
SYNOPSIS
This script shows Lync users last logon to a Lync pool based on the Lync CDR database and will display Lync Orphaned Users
Thanks, I’ll fix it 🙂
Hey Guy, I wanted to use the sendmail feature, and the body was really not formatting. Each table was nested in the previous table. I found an error in your HTML formatting. You aren’t adding a at the end of each server’s results. I added the appropriate code at line 512:
$UniqeFEServersList = $UniqeFEServersList | Sort-Object -Unique
foreach ($Server in $UniqeFEServersList)
{
    Add-Content $ServicesFileName ""
    Add-Content $ServicesFileName ""
    Add-Content $ServicesFileName "$Server (Front End)"
    Add-Content $ServicesFileName ""
    WriteTableHeader $ServicesFileName
    foreach ($item in $RemoteFECertList)
    {
        if ($item.PSComputerName -eq $Server)
        {
            writeServiceInfo $ServicesFileName $item.Use $item.Issuer $item.Thumbprint $item.Subject $item.NotBefore $item.NotAfter
        }
    }
    Add-Content $ServicesFileName "" #sean mcnamara
}
See above. Thanks.
Hi, I am using the PowerShell 2.0 version of the Lync server. Can you please help me with a script that is compatible with PowerShell 2.0? I am running Lync 2010.
Thanks
Priya
Unfortunately it does require a later PowerShell version to support some of the functions mentioned.
I’d recommend that you update the PowerShell version if possible.