Publishing Lync Topology Firewall Requirements (missing TCP Ports)

In a special scenario, where I faced certain issue publishing the Lync Topology, where the Lync Frontend Servers are located in Sub Domain, you need to open certain TCP Ports to at least one Root Domain Controller:

If you enabled the Lync Topology, you might face this issues:

Error: The given key was not present in dictionary.
Type: KeyNotFoundException

Error: An error occurred when attempting to add "computer" to "RTCGroupxxx"
Type: DeploymentException

CategoryInfo: InvalideOperation: ([0] Microsoft.R....Core.Service)
WebServer:pool.<fqdn> execution failed on an unrecoverable error.

Error: Cannot obtain the domain information for computer "Root DC fqdn". Please make sure the computer FQDN is correct.

Error: DsRoleGetPrimaryDomainInfromation failed with error "6BA".

Just missing are the requirements for Topology publishing.

If you are going to enable the Topology, you can use:
Enable-CsTopology [-Confirm [<SwitchParameter>]] [-Force <SwitchParameter>] [-GlobalCatalog <Fqdn>] [-GlobalSettingsDomainController <Fqdn>] [-Report <String>] [-SkipPrepareCheck <$true | $false>] [-WhatIf [<SwitchParameter>]]

Here you can specify the following parameter:

GlobalCatalog: Local Domain DC FQDN
GlobalSettingsDomainController: Root Domain DC FQDN
SkipPrepareCheck: can skip the Prepare Checks, e.g. Schema Prep or Forrest Prep

Overview of all required TCP Ports:

While you are publishing the Topology, a bunch of setting at the Root Level Domain must be done.
E.g. we assume, you also positioned all RTC and CS groups, the Lync relevant System Groups in the Root Domain.


During publishing the Topology changes are made here:

Root Domain:

- AD Configuration Partition: "CN=RTC Service,CN=Services,CN=Configuration,DC=<DOM>,DC=<DOM>"
Here the Topology writes all entries, e.g. POOLs, Conference Directories and more
This change require access via TCP PORT 88 and 389 only

- Lync System Groups (CS and RTC): "CN=USERS,DC=<DOM>,DC=<DOM>"
Here during publishing the Groups e.g.: RTCComponentUniversalServices, RTCHSUniversalService, RTCUniversalConfigReplicator and RTCUniversalServerAdmins are filled with the e.g. Frontend Server as group member.
This change require access via TCP PORT 139 and 445 only
(This Ports are also used during the PrepareCheck, also the Wizard AD Preparation Check)

- Other Changes are written to the Lync Share, the FileServer. This depends on where this server is located. You could also have placed it into the Root Domain.

After the Topology is published, you do not need this ports any further and could temporarily disable them.

Within the Lync Server AD Domain:

You find the Ports and protocols for internal servers in Lync Server 2013   here: 


Popular posts from this blog

How to hide users from GAL if they are AD Connect synchronized

Cannot join external Lync Meeting: Lync Edge Server Single IP Address (Lync Edge Server Single IP Web Conferenceing Problem)

MFA with Guest Access and different tenants settings