Issue with OAuth Certificate & Installing Multiple Lync Server 2013 Servers at the Same Time

I've run into this issue a couple of times when deploying Lync Server 2013 in my lab and at customer sites.  Topology Builder makes it very easy to deploy your Lync servers quickly, but in Lync Server 2013, there's one gotcha you need to be aware of when initially deploying multiple Lync Server 2013 servers at once.  And it has to do with the OAuth certificate used in Lync Server 2013.  I've previously written about OAuth and its role in Lync Server 2013 here: OAuth Certificate in Lync Server 2013.

The gotcha is that the OAuthTokenIssuer certificate must be assigned before you can complete Step 3 in the Deployment Wizard and proceed to starting services.  If this is the first set of Lync Server 2013 servers you're deploying, the OAuthTokenIssuer certificate was replicated to the Central Management Store (CMS) when you assigned it to the first Lync Server 2013 server.  The problem arises if you have already completed Step 1 in the Deployment Wizard on the other Lync Server 2013 servers that require the OAuthTokenIssuer certificate.

Part of Step 1 in the Deployment Wizard is to connect to the CMS and grab a copy of the current topology.  This copy of the topology doesn't yet have the OAuthTokenIssuer certificate in it.

When you get to Step 3 in the Deployment Wizard, you will see that the OAuthTokenIssuer certificate hasn't replicated to this Lync server...and it won't.  This server is looking at the local copy of the CMS that was imported during Step 1.  That means that in order for this server to know that there's an OAuthTokenIssuer certificate in the CMS that it's supposed to use, you need to get the updated topology replicated to this server.  There are two ways to accomplish this.  The first way is to use Export-CsConfiguration and Import-CsConfiguration with the -LocalStore parameter.  The second way is to just let CMS replication happen.  For that, you will need to make sure that at least one Front End Server is operational in the pool configured to host the CMS.  Then, on each of the other Lync Server 2013 servers that need the OAuthTokenIssuer certificate replicated to them, make sure that the Lync Server Replica Replicator Agent service is started.

Once the Lync Server Replica Replicator Agent service is started, wait for replication to happen and for the following events to appear in the Lync Server event log:

Once you see Event ID 3038, the CMS has replicated the OAuthTokenIssuer certificate to the server.  You can also run Get-CsManagementStoreReplicationStatus and confirm that the server reports UpToDate : True:

UpToDate           : True
ReplicaFqdn        : LAB-LS15-DIR1.lab.deitterick.com
LastStatusReport   : 11/24/2012 8:15:36 PM
LastUpdateCreation : 11/24/2012 8:08:05 PM
ProductVersion     : 5.0.8308.0
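As an added example (not code from the original post), here is a Lync Server Management Shell script that performs the replication path described above on a server that is waiting for the OAuthTokenIssuer certificate: it starts the Replica Replicator Agent, polls Get-CsManagementStoreReplicationStatus until the replica is UpToDate, looks for Event ID 3038, and then lists the certificate the replica now knows about.  The 'Lync Server' event log name and the 15-minute timeout are assumptions.

```powershell
# Run in the Lync Server Management Shell on the server awaiting the certificate.
param(
    [string]$ReplicaFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$TimeoutMinutes = 15   # assumed; adjust for your environment
)

# Alternative from the post: on a server that already has the certificate, run
#   Export-CsConfiguration -FileName C:\topology.zip
# copy the file here, then
#   Import-CsConfiguration -FileName C:\topology.zip -LocalStore
# The steps below use CMS replication instead.

# 1. Make sure the Lync Server Replica Replicator Agent service is running.
$svc = Get-Service -DisplayName 'Lync Server Replica Replicator Agent'
if ($svc.Status -ne 'Running') {
    Start-Service -Name $svc.Name
    Write-Host "Started $($svc.DisplayName)"
}

# 2. Poll CMS replication status until this replica reports UpToDate.
#    This only succeeds if a Front End Server in the CMS pool is up.
$deadline = (Get-Date).AddMinutes($TimeoutMinutes)
do {
    $status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $ReplicaFqdn
    if ($status.UpToDate) { break }
    Write-Host ("{0}: replica not yet up to date (last report {1})" -f (Get-Date -Format T), $status.LastStatusReport)
    Start-Sleep -Seconds 30
} while ((Get-Date) -lt $deadline)

if (-not $status.UpToDate) {
    throw "Replica $ReplicaFqdn did not report UpToDate within $TimeoutMinutes minutes; check that a Front End Server in the CMS pool is running."
}

# 3. Confirm the replication-complete event (ID 3038) has been logged.
#    Log name 'Lync Server' is assumed to be the log the post refers to.
$evt = Get-WinEvent -FilterHashtable @{ LogName = 'Lync Server'; Id = 3038 } -MaxEvents 1 -ErrorAction SilentlyContinue
if ($evt) { Write-Host "Event 3038 logged at $($evt.TimeCreated): replication complete." }
else { Write-Warning "Replica reports UpToDate but Event ID 3038 was not found yet." }

# 4. Show the OAuthTokenIssuer certificate now visible to this server;
#    afterwards, re-run Step 3 of the Deployment Wizard.
Get-CsCertificate -Type OAuthTokenIssuer
```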

If you refresh the Certificate Wizard or run Step 3 from the Deployment Wizard again, you will now see the OAuthTokenIssuer certificate assigned to the server.

You can now complete Step 3 and continue on with Step 4 in the Deployment Wizard.


While Topology Builder makes it very easy to deploy your entire Lync Server 2013 environment in one shot, you just need to be aware of how and when the OAuthTokenIssuer certificate is replicated to your Lync Server 2013 servers.