Move-CsUser : Unable to locate Windows Live ID token from the provided credentials, or fr om Active Directory Federation Services (AD FS) credentials cache.

PROBLEM

I am getting below error while trying to move the on-premises lync 2013 user to Skype Online.

O365 Sign in method – Seamless Single Sign-on
ADFS Services – Stopped

ADConnect Sync – OK

Password Write back – Enabled

Move-CsUser -Identity “mailtest@domain.com” -Target sipfed.online.lync.com -Confirm:$false -Verbose

VERBOSE: CN=MailTest,OU=Test,OU=Users,OU=IT,OU……………..DC=local

WARNING: Moving a user from the current version to an earlier version (or to a service

version) can cause data loss.

VERBOSE:CN=MailTest,OU=Test,OU=Users,OU=IT,OU……………..DC=local

Move-CsUser : Unable to locate Windows Live ID token from the provided credentials, or fr

om Active Directory Federation Services (AD FS) credentials cache.

At line:1 char:1

+ Move-CsUser -Identity “mailtest@domain.com” -Target sipfed.online.lync.com -Co …

+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+ CategoryInfo          : InvalidOperation: (CN=MailTest,OU=………..DC=local:OCSAD

User) [Move-CsUser], MoveUserException

+ FullyQualifiedErrorId : MoveError,Microsoft.Rtc.Management.AD.Cmdlets.MoveOcsUserC

mdlet

Move-CsUser : HostedMigration fault: Error=(510), Description=(This user’s tenant is not enabled for shared sip address space.)

PROBLEM

In a Lync hybrid deployment, when you try to move users from the on-premises server that is running Lync to Skype for Business Online (formerly Lync Online) in Office 365, you receive the following error message in Skype for Business Online PowerShell:

Move-CsUser : HostedMigration fault: Error=(510), Description=(This user’s tenant is not enabled for shared sip address space.)

SOLUTION

Before you try to migrate an on-premises Lync user to Skype for Business Online in Office 365, your Office 365 Skype for Business Online organization must be enabled for Shared Session Initiation Protocol (SIP) Address Space.

Set-CsTenantFederationConfiguration -SharedSipAddressSpace $true

 

How to connect to Skype for Business Online PowerShell

The first step is to install the Windows PowerShell Module for Skype for Business Online. For information, go to the following Microsoft website:

After you have the Skype for Business Online Connector module installed, open Windows PowerShell, and then run the following commands:

Import-Module LyncOnlineConnector

 

$cred = Get-Credential

 

$CSSession = New-CsOnlineSession -Credential $cred

 

Import-PSSession $CSSession -AllowClobber

For more information about how to connect to Skype for Business Online by using Windows PowerShell, go to the following Microsoft TechNet website:

409 Client Error: Conflict for url: Zone file path record name while importing a zone file to Azure DNS using CLI

Issue: –

You received this error while importing zone file using the CLI method to Azure DNS.

409 Client Error: Conflict for url: Zone file path

 

Cause:- 

There is always a limit of records you can import to the Azure DNS zone. Let say MS set a limit of 2000 records and you try to import a file more than 2000 DNS records.

Resolution:-

If you are importing more records than it shows in Azure DNS portal then you will getting this error when during the import, the records count reached the limit. Simply ask Microsoft to increase the records limit for each zone file.

How to to create the service connection point in the forest where computers exist to allow devices sync to Azure

Use below scrip to create a service connection point so that device sync can be enabled for Azure.

$verifiedDomain = “contoso.com”    # Replace this with any of your verified domain names in Azure AD

$tenantID = “72f988bf-86f1-41af-91ab-2d7cd011db47”    # Replace this with you tenant ID

$configNC = “CN=Configuration,DC=corp,DC=contoso,DC=com”    # Replace this with your AD configuration naming context (use Get-ADRootDSE to get this value)

$de = New-Object System.DirectoryServices.DirectoryEntry

$de.Path = “LDAP://CN=Services,” + $configNC

$deDRC = $de.Children.Add(“CN=Device Registration Configuration”, “container”)

$deDRC.CommitChanges()

$deSCP = $deDRC.Children.Add(“CN=62a0ff2e-97b9-4513-943f-0d221bd30080”, “serviceConnectionPoint”)

$deSCP.Properties[“keywords”].Add(“azureADName:” + $verifiedDomain)

$deSCP.Properties[“keywords”].Add(“azureADId:” + $tenantID)

$deSCP.CommitChanges()

How can I roll over the Kerberos decryption key of the AZUREADSSOACC computer account

It is important to frequently roll over the Kerberos decryption key of the AZUREADSSOACC computer account (which represents Azure AD) created in your on-premises AD forest.

Important

We highly recommend that you roll over the Kerberos decryption key at least every 30 days.

Follow these steps on the on-premises server where you are running Azure AD Connect:

Step 1. Get list of AD forests where Seamless SSO has been enabled
1.First, download, and install Azure AD PowerShell.
2.Navigate to the %programfiles%\Microsoft Azure Active Directory Connect folder.
3.Import the Seamless SSO PowerShell module using this command:

Import-Module .\AzureADSSO.psd1.

4.Run PowerShell as an Administrator. In PowerShell, call

New-AzureADSSOAuthenticationContext.

This command should give you a popup to enter your tenant’s Global Administrator credentials.

5.Call Get-AzureADSSOStatus. This command provides you the list of AD forests (look at the “Domains” list) on which this feature has been enabled.

Step 2. Update the Kerberos decryption key on each AD forest that it was set it up on

1.Call $creds = Get-Credential. When prompted, enter the Domain Administrator credentials for the intended AD forest.