Recently we migrated our old Lync 2010 Edge to Lync 2013. After the deployment was finished, all functionality was working, but when looking in the Lync Server Control Panel under 'Topology', replication of the CMS to the Edge Server was failing.
After checking the firewall ports, the ability to telnet to them, the DNS configuration, the certificate configuration and the external NIC configuration, we ran a trace with the Lync Server Logging Tool. It showed no errors, which matched the absence of errors in the Event Viewer.
We then decided to change a registry key on the Edge Server. The key is in the hive below:

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

In here you will need to add a DWORD value named ClientAuthTrustMode with a hexadecimal value of 2.
You need to add this value because Schannel connections fail during mutual authentication (client as well as server) when the trusted issuers list for the credential group on the server side does not contain the issuer of the client's certificate. In Windows 2012, Schannel looks at the value of ClientAuthTrustMode when it evaluates the client certificate policy.
After adding this value you will need to reboot the Edge Server. I find it best to invoke the CMS replication straight away once everything is back up and stable, using Invoke-CsManagementStoreReplication; you can then watch in Control Panel, or in the Edge server's Event Viewer, the replication service starting and the CMS data being transferred.
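The registry change and the follow-up replication check, written up as PowerShell functions. This is an added example, not code from the original post or from Microsoft; the function names and the -EdgeFqdn parameter are this example's own. The first function runs on the Edge Server and sets the value idempotently, then reads it back so that a typo in the key path is caught rather than silently leaving the default trust mode in place. The second runs from the Lync Server Management Shell on a Front End server, because Invoke-CsManagementStoreReplication and Get-CsManagementStoreReplicationStatus are issued against the Central Management Store, not on the Edge (which is not domain-joined). The value meanings in the comment (0 = Machine Trust, the default; 1 = Exclusive Root Trust; 2 = Exclusive CA Trust) are as Microsoft documents them for Schannel.

```powershell
# Added example, not part of the original post.
# Run Set-SchannelClientAuthTrustMode on the Edge Server (elevated).
# Run Test-CmsReplicaStatus from the Lync Server Management Shell on a Front End.

function Set-SchannelClientAuthTrustMode {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # 0 = Machine Trust (default), 1 = Exclusive Root Trust, 2 = Exclusive CA Trust
        # The post applies 2.
        [ValidateSet(0, 1, 2)]
        [int]$Mode = 2,
        # Schannel picks the value up after a reboot, as the post describes
        [switch]$Reboot
    )
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    $name = 'ClientAuthTrustMode'

    # Idempotent: do nothing if the value is already what we want
    $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -eq $Mode) {
        Write-Verbose "$name is already $Mode; nothing to do."
        return
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", "Set REG_DWORD to $Mode")) {
        # -Force creates the value or overwrites an existing one
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value $Mode -Force | Out-Null

        # Read it back: a wrong key path would otherwise leave the default trust mode in place
        $verify = (Get-ItemProperty -Path $key -Name $name).$name
        if ($verify -ne $Mode) {
            throw "Failed to set $name under $key (read back '$verify')"
        }
        Write-Host "$name set to $Mode (was '$current'). Reboot required for Schannel to apply it."

        if ($Reboot) { Restart-Computer -Force }
    }
}

function Test-CmsReplicaStatus {
    param(
        # FQDN of the Edge Server whose replica should come up to date (hypothetical parameter)
        [Parameter(Mandatory = $true)][string]$EdgeFqdn,
        [int]$TimeoutMinutes = 10
    )
    # Kick off replication to this replica only, then poll until UpToDate or timeout
    Invoke-CsManagementStoreReplication -ReplicaFqdn $EdgeFqdn
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $status = Get-CsManagementStoreReplicationStatus -ReplicaFqdn $EdgeFqdn
        Write-Host ("{0}: UpToDate={1} LastStatusReport={2}" -f
            $EdgeFqdn, $status.UpToDate, $status.LastStatusReport)
    } until ($status.UpToDate -or (Get-Date) -gt $deadline)

    if (-not $status.UpToDate) {
        Write-Warning "Replica $EdgeFqdn still not up to date after $TimeoutMinutes minutes; check the Edge event log."
    }
    return $status
}

# Usage (placeholder FQDN):
#   On the Edge:      Set-SchannelClientAuthTrustMode -Verbose -Reboot
#   On a Front End:   Test-CmsReplicaStatus -EdgeFqdn 'edge01.example.com'
```

Running the first function with -WhatIf shows the change without applying it, which is useful when the same script is pushed to several Edge Servers.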