DNS Question for Automatic Client Sign-In

    Question

  • I have 4 SIP domains to add to a new Lync installation. When looking at all of the DNS requirements for this, especially for internal Automatic Client Sign-In, is it proper to add the Front End Pool Name (EEPool01.DomainA.com) to the Host Offering this service section of the SRV Record of a different DNS Zone? For example,

    _sipinternaltls.tcp.DomainB.com ---> EEPool01.DomainA.com

    Or does the host need to be in the same zone?

    _sipinternaltls.tcp.DomainB.com --> sip.DomainB.com


    MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003

    Friday, June 15, 2012 12:32 PM

Answers

  • You can use _sipinternaltls.tcp.DomainB.com ---> EEPool01.DomainA.com, but as Holger Bunkradt wrote, you may get a certificate question, not an error:

    lync cannot verify that the server is trusted for sign-in address. Connect anywhere?

    And you can control it with TrustModelData, so it does not need a new SIP address with a new certificate with a new SAN.

    Sunday, June 17, 2012 11:57 AM
  • Hi,

    _sipinternaltls.tcp.DomainA.com ---> EEPool01.DomainA.com

    _sipinternaltls.tcp.DomainB.com ---> EEPool01.DomainB.com

    _sipinternaltls.tcp.DomainC.com ---> EEPool01.DomainC.com

    _sipinternaltls.tcp.DomainD.com ---> EEPool01.DomainD.com

               

    EEPool01.DomainA.com, B, C and D point to the IP address of your FE or Director.

    In addition, add four SANs (EEPool01.DomainA.com, B, C and D) to the FE certificate's SAN list.

    If _sipinternaltls.tcp.DomainB.com ---> EEPool01.DomainA.com, it may cause the domain trust issue described in Jens' blog:

    http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx


    Regards,

    Kent Huang

    TechNet Community Support


    • Edited by Kent-Huang Tuesday, June 19, 2012 2:29 AM
    • Marked as answer by Kent-Huang Tuesday, July 03, 2012 8:46 AM
    Tuesday, June 19, 2012 2:29 AM
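
The two checks discussed in the answers above, as an added example that is not part of the original thread: for each SIP domain, is the SRV target inside that same domain (otherwise the client shows the trust question), and is the target listed in the Front End certificate's SANs. The record set and SAN list are constructed sample data, `in_domain` and `audit` are hypothetical helper names, and exact SAN matching (no wildcards) is an assumption of this sketch.

```python
"""Added example: audit _sipinternaltls SRV targets for a multi-SIP-domain pool."""

def in_domain(host: str, domain: str) -> bool:
    """True if host sits inside domain, matched on a label boundary."""
    host, domain = host.lower().rstrip("."), domain.lower().rstrip(".")
    return host.endswith("." + domain)

def audit(srv_targets: dict, cert_sans: list) -> dict:
    """Map each SIP domain to its findings for the published SRV target.

    "trust-prompt": target is outside the SIP domain, so the client asks
                    whether the server is trusted for the sign-in address.
    "san-missing":  target name is not in the certificate SAN list.
    """
    sans = {s.lower().rstrip(".") for s in cert_sans}
    report = {}
    for sip_domain, target in srv_targets.items():
        findings = []
        if not in_domain(target, sip_domain):
            findings.append("trust-prompt")
        if target.lower().rstrip(".") not in sans:
            findings.append("san-missing")
        report[sip_domain] = findings
    return report

# Constructed sample: SIP domain -> target of _sipinternaltls._tcp.<domain>
SRV_TARGETS = {
    "DomainA.com": "EEPool01.DomainA.com",
    "DomainB.com": "EEPool01.DomainA.com",  # cross-zone target from the question
    "DomainC.com": "EEPool01.DomainC.com",
    "DomainD.com": "sip.DomainD.com",       # same zone, but name not on the cert
}
# Constructed sample: SAN list as recommended in the marked answer
CERT_SANS = [
    "EEPool01.DomainA.com", "EEPool01.DomainB.com",
    "EEPool01.DomainC.com", "EEPool01.DomainD.com",
]

if __name__ == "__main__":
    for domain, findings in audit(SRV_TARGETS, CERT_SANS).items():
        print(f"{domain:12} {', '.join(findings) or 'ok'}")
```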

All replies

  • Yes, the host has to be in the same domain. If not, the user will get a certificate warning with Lync.

    regards Holger Technical Specialist UC

    Friday, June 15, 2012 12:49 PM
  • Excellent. So the A record can be something like sip.DomainB.com or sip.DomainC.com which would essentially have the same IP as the Front End Pool (in DomainA.com) or the Director? Would having multiple SIP Domains be a good case to deploy a Director?

    MCITP Exchange 2010 | MCTS Exchange 2007 | MCITP Lync Server 2010 | MCTS Windows 2008 | MCSE 2003

    Friday, June 15, 2012 1:02 PM
  • No, if the SRV is _sipinternaltls.tcp.DomainB.com, the pool name has to be pool.DomainB.com.

    You only need a Director for security reasons and if you have multiple pools.


    regards Holger Technical Specialist UC

    Friday, June 15, 2012 2:58 PM