AD users with different local domain but external domain is different

  • Question

  • Hi,

    I've deployed Skype for Business. My AD users use the @newyork.local UPN, whereas I have a public certificate for a different domain, which is @something.com. Now all the users who have the @newyork.local UPN need to use Skype for Business, but they cannot change their UPN. I need single sign-on for Skype for Business as well.

    How is this possible?

    Thanks

    Anees

    Wednesday, March 7, 2018 6:41 PM

All replies

  • Hi Anees,

    You could deploy split-brain DNS for your requirements: contoso.com is used for the perimeter, and contoso.local is used internally, as shown below.

    Set the DNS records as described below.

    Internal DNS domain.local zone

    • lyncpool.domain.local = IP of FE1
    • lyncpool.domain.local = IP of FE2
      • Note: use lyncpool.domain.local as the pool name in topology
    • lyncedge1.domain.local = IP of Edge internal NIC
      • Edge will use host file to resolve lyncpool.domain.local to IP of FE1 and FE2 for next hop

    Internal DNS domain.com zone

    • sip.domain.com = IP of FE1
    • sip.domain.com = IP of FE2
    • _sipinternaltls._tcp.domain.com points to the Host (A) record sip.domain.com (5061)
    • lyncwebint.domain.com = VIP of HLB (Override internal Web Services pool FQDN check box)
    • lyncwebext.domain.com = TMG external IP (mobility hairpinning)
    • admin, meet, dialin.domain.com = VIP of HLB
    • ucupdates-r2.domain.com = VIP of HLB
    • _ntp._udp.domain.com = TimeserverIP
    • lyncdiscoverinternal.domain.com = lyncpool.domain.local (CNAME)

    Public DNS domain.com zone

    • lyncwebext.domain.com = TMG external IP
    • meet.domain.com = TMG external IP
    • dialin.domain.com = TMG external IP
    • lyncdiscover.domain.com = TMG external IP
    • sip.domain.com = Edge external IP
    • webconf.domain.com = Edge external IP
    • av.domain.com = Edge external IP
    • _sip._tls.domain.com points to the Host (A) record sip.domain.com (443)
    • _sipfederationtls._tcp.domain.com points to the Host (A) record sip.domain.com (5061)

    Here is a similar thread you could refer to:

    https://social.technet.microsoft.com/Forums/lync/en-US/bbe0724e-69b2-44e2-a1df-ce9bb3a70985/lync-dns-records-in-split-brain-dns-question?forum=ocsplanningdeployment


    Best Regards,
    Leon Lu


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Thursday, March 8, 2018 8:49 AM
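The internal `domain.com` zone from Leon Lu's list, built with the Windows DnsServer module. This is an added example, not code from the thread or from Microsoft: every IP address is a constructed placeholder, the `ntp` A record is an assumption (an SRV record must point at a host name, not an IP, so the list's `_ntp._udp.domain.com = TimeserverIP` is realised as an A record plus an SRV record), and the zone is assumed to be AD-integrated with forest-wide replication.

```powershell
# Added example (not from the forum posts): create the internal "domain.com" zone
# described in the thread on a Windows DNS server. All IPs are constructed
# placeholders; replace them with the real Front End, HLB VIP, reverse-proxy and
# time-server addresses. Requires the DnsServer PowerShell module.
$zone   = 'domain.com'
$fe1    = '10.0.1.11'      # constructed: Front End 1
$fe2    = '10.0.1.12'      # constructed: Front End 2
$hlbVip = '10.0.1.50'      # constructed: hardware load balancer VIP
$tmgExt = '203.0.113.10'   # constructed: reverse proxy (TMG) external IP
$ntpIp  = '10.0.1.5'       # constructed: time server

# 1. An internal copy of the public zone. Caveat: once this zone exists, internal
#    clients never ask public DNS for anything under domain.com, so every public
#    name they still need (www, mail, autodiscover, ...) must be added here too.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Forest'
}

# 2. A records. Two "sip" records give DNS round-robin across both Front Ends.
$aRecords = @(
    @{ Name = 'sip';          IP = $fe1 },
    @{ Name = 'sip';          IP = $fe2 },
    @{ Name = 'lyncwebint';   IP = $hlbVip },   # internal web services FQDN (override in topology)
    @{ Name = 'lyncwebext';   IP = $tmgExt },   # external web services FQDN, hairpinned for mobility
    @{ Name = 'admin';        IP = $hlbVip },
    @{ Name = 'meet';         IP = $hlbVip },
    @{ Name = 'dialin';       IP = $hlbVip },
    @{ Name = 'ucupdates-r2'; IP = $hlbVip },
    @{ Name = 'ntp';          IP = $ntpIp }     # assumption: host name for the NTP SRV target
)
foreach ($r in $aRecords) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name $r.Name -IPv4Address $r.IP `
        -TimeToLive (New-TimeSpan -Hours 1)
}

# 3. SRV records. Clients locate the internal SIP front door through
#    _sipinternaltls._tcp on TLS/5061; the target name must be on the server certificate.
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_sipinternaltls._tcp' `
    -DomainName "sip.$zone" -Priority 0 -Weight 0 -Port 5061
Add-DnsServerResourceRecord -Srv -ZoneName $zone -Name '_ntp._udp' `
    -DomainName "ntp.$zone" -Priority 0 -Weight 0 -Port 123

# 4. Lync discovery for internal clients points at the pool name in the AD domain.
Add-DnsServerResourceRecordCName -ZoneName $zone -Name 'lyncdiscoverinternal' `
    -HostNameAlias 'lyncpool.domain.local'

# Show what was created.
Get-DnsServerResourceRecord -ZoneName $zone | Format-Table HostName, RecordType, RecordData -AutoSize
```

Because the whole of `domain.com` is now answered internally, keep the internal zone in sync with the public one for any name that is not Skype-related; the pin-point zone approach in the next reply avoids that maintenance burden.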
  • Hi Anees,

    It is very common in Skype for Business deployments for the internal AD domain to be different to the SIP domain.  You do not need to change UPNs for users.

    Typically the SIP addresses for users are the same as their email address.

    Here's an example:

    • Internal AD domain: x500.local
    • SIP domain: x500.co.uk (SIP addresses match SMTP addresses for users)
    • SfB Standard Edition Server (named SfBFE1, joined to x500.local domain)
    • SIP Edge Server

    SfB Standard Edition Server Certificate

    Subject Name: sfbfe1.x500.local

    Subject Alternative Names:

    • A = lyncdiscoverinternal.x500.co.uk
    • A = dialin.x500.co.uk
    • A = meet.x500.co.uk
    • A = sip.x500.co.uk

    Internal DNS

    Add a zone for the external domain, or even better "pin-point" zones so you don't break resolution for the entire domain against external DNS.

    • SRV = _sipinternaltls._tcp.x500.co.uk
    • A = lyncdiscoverinternal.x500.co.uk
    • A = dialin.x500.co.uk
    • A = meet.x500.co.uk
    • A = sip.x500.co.uk

    External DNS

    • SRV = _sipfederationtls._tcp.x500.co.uk
    • SRV = _sip._tls.x500.co.uk
    • A = access.x500.co.uk
    • A = av.x500.co.uk
    • A = dialin.x500.co.uk
    • A = lyncdiscover.x500.co.uk
    • A = meet.x500.co.uk
    • A = sip.x500.co.uk
    • A = webconf.x500.co.uk
    • A = webservices.x500.co.uk

    Hope this helps,

    Steve.

    Thursday, March 8, 2018 9:31 AM
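The "pin-point" zones Steve recommends, followed by the check a practitioner wants after the DNS work: that `_sipinternaltls._tcp` resolves to a host that answers on TLS/5061 and that every internal name is on the Front End certificate's Subject Alternative Name list. This is an added example, not Steve's or Microsoft's code. The names come from his list (`x500.co.uk`, `SfBFE1`); the IP address is a constructed placeholder, and the certificate check assumes it runs on the Front End itself, where the server certificate sits in the `LocalMachine\My` store.

```powershell
# Added example (not Steve's own code): pin-point zones for the internal records in
# his list, then a verification of the SRV -> A -> certificate chain.
# The IP is a constructed placeholder. Requires the DnsServer module on the DNS server
# and, for the certificate check, must run on the Front End (SfBFE1).
$sipDomain = 'x500.co.uk'
$feIp      = '10.0.1.11'   # constructed: SfBFE1 (Standard Edition, so every internal name lands here)

# 1. One zone per FQDN, holding a single record at the zone apex ("@"). Because the
#    zone is "sip.x500.co.uk" rather than "x500.co.uk", www.x500.co.uk and the rest of
#    the public domain still resolve through the normal forwarders.
foreach ($label in 'sip', 'lyncdiscoverinternal', 'dialin', 'meet') {
    $fqdn = "$label.$sipDomain"
    if (-not (Get-DnsServerZone -Name $fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $fqdn -ReplicationScope 'Forest'
    }
    Add-DnsServerResourceRecordA -ZoneName $fqdn -Name '@' -IPv4Address $feIp
}

# The SRV record gets a pin-point zone named exactly like the record.
$srvZone = "_sipinternaltls._tcp.$sipDomain"
if (-not (Get-DnsServerZone -Name $srvZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $srvZone -ReplicationScope 'Forest'
}
Add-DnsServerResourceRecord -Srv -ZoneName $srvZone -Name '@' `
    -DomainName "sip.$sipDomain" -Priority 0 -Weight 0 -Port 5061

# 2. Verification helpers.
function Get-SanText {
    # Returns the Subject Alternative Name extension (OID 2.5.29.17) as text, or ''.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext) { $ext.Format($true) } else { '' }
}

function Test-SfbInternalDns {
    param(
        [string]$SipDomain,
        [string[]]$InternalNames = @("lyncdiscoverinternal.$SipDomain", "dialin.$SipDomain",
                                     "meet.$SipDomain", "sip.$SipDomain")
    )
    # Follow the SRV record to its target and the target to its A record.
    $srv = Resolve-DnsName -Name "_sipinternaltls._tcp.$SipDomain" -Type SRV -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) { throw "No _sipinternaltls._tcp SRV record for $SipDomain" }
    $target = $srv[0].NameTarget
    $port   = $srv[0].Port
    $a = Resolve-DnsName -Name $target -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
    if (-not $a) { throw "SRV target $target has no A record" }
    Write-Host "SRV -> $target ($($a.IPAddress -join ', ')) port $port"

    # Is the SIP port actually listening on the resolved host?
    $tcp = Test-NetConnection -ComputerName $target -Port $port -WarningAction SilentlyContinue
    Write-Host ("TCP {0} reachable: {1}" -f $port, $tcp.TcpTestSucceeded)

    # Pick the server certificate whose SAN lists the SRV target, then check every
    # internal name against it. A name missing here means clients get a name-mismatch
    # warning (or a silent sign-in failure) even though DNS is correct.
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.HasPrivateKey -and ((Get-SanText $_) -match [regex]::Escape($target)) } |
            Select-Object -First 1
    if (-not $cert) { throw "No certificate in LocalMachine\My lists $target in its SAN" }
    $san = Get-SanText $cert
    foreach ($name in $InternalNames) {
        $ok = $san -match ('DNS Name=' + [regex]::Escape($name) + '(\r|\n|$)')
        Write-Host ("SAN covers {0,-40} {1}" -f $name, $(if ($ok) { 'yes' } else { 'MISSING' }))
    }
}

Test-SfbInternalDns -SipDomain $sipDomain
```

Run the verification from a domain-joined client as well (without the certificate part) to confirm that the pin-point zones are what the client actually sees after replication; a client that still resolves `sip.x500.co.uk` to the Edge external IP is talking to public DNS, not the internal zones.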
  • Hi,

    Are there any updates on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu


    Tuesday, March 13, 2018 10:32 AM
  • Hi,

    Are there any updates on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu


    Monday, March 26, 2018 11:07 AM
  • Hello Anees

    As Steve and Leon mentioned, you just need to make sure that you have split-brain DNS by creating an internal DNS zone with the public domain name (XYZ.com) containing the records below.

    • sip.XYZ.com = IP of FE1
    • sip.XYZ.com = IP of FE2
    • _sipinternaltls._tcp.XYZ.com points to the Host (A) record sip.XYZ.com (5061)
    • lyncwebint.XYZ.com = VIP of HLB (Override internal Web Services pool FQDN check box)
    • lyncwebext.XYZ.com = TMG external IP (mobility hair-pinning)
    • admin, meet, dialin.XYZ.com = VIP of HLB
    • ucupdates-r2.XYZ.com = VIP of HLB
    • _ntp._udp.XYZ.com = TimeserverIP
    • lyncdiscoverinternal.XYZ.com = lyncpool.XYZ.local (CNAME)


    Cheers,

    Mahmoud Hanafi

    Senior Exchange|Lync Administrator

    Monday, March 26, 2018 11:29 AM
  • Hi,

    Are there any updates on this issue? If the reply is helpful to you, please mark it as an answer; it will help others who have a similar issue.


    Best Regards,
    Leon Lu


    Wednesday, March 28, 2018 10:13 AM
  • Hi,

    Do you have any updates? If the reply helped you, please mark it as the answer.


    Best Regards,
    Leon Lu


    Tuesday, April 3, 2018 10:04 AM