Federation not working for user from trusted domain

  • Question

  • Hi everybody,

    Our setup:

    Domain1 with S4B + Edge server, working federation and PSTN connectivity.

    Domain2 users switched from Office365 Skype to Domain1 Skype, Skype enabled and login via disabled account in Domain1.

    Users from Domain2 cannot communicate with federated users from other domains.

    No presence
    IM Error:The action couldn't be completed. Please try again later.
    Skype Call Error: Operation was unsuccessful.

    Domain1 users can be contacted, of course.

    DNS A, CNAME and SRV records are ok, Microsoft Connectivity Test for Lync shows everything green.

    Nothing in the event logs on the Frontend or Edge Server.

    I'm out of clues. What did I miss?

    Regards
    Holger


    • Edited by Holibert Thursday, August 31, 2017 8:03 PM
    Thursday, August 31, 2017 8:00 PM

Answers

  • Sorry for the late reply, have some other projects running and did a little further research myself.

    I solved it. The problem was the DNS entries for Domain2. The SRV entries pointed to a Domain1 A record and, as I know now, this is a big no-no: it must be an A record from Domain2 resolving to the same IP. I changed all records with a reference to Domain1 (SRV, CNAME) and after about 2 hours the presence information of federated Skype contacts lit up.

    Thanks to all for the help!

    Best Regards,
    Holger


    • Marked as answer by Holibert Wednesday, September 6, 2017 11:33 AM
    • Edited by Holibert Thursday, September 7, 2017 7:57 AM
    Wednesday, September 6, 2017 11:33 AM
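A check for the fix described in this answer, as an added example that is not part of the thread or of any Microsoft tooling. For each SIP domain it resolves the federation SRV record the way a partner's Edge does, verifies that the target is an A record inside that same domain rather than a host in another domain that shares the Edge's IP, and additionally opens a TLS session to the target to confirm the Edge certificate covers that name (a requirement the thread does not mention, but one a federated partner will enforce). The domain names are placeholders; the port and cmdlets are the standard ones.

```powershell
# Added example, not from the original thread. Assumes the two SIP domains
# below (replace them) and that the Access Edge answers federation on TCP 5061.
# Needs the DnsClient module (Windows 8 / Server 2012 or later) and a network
# path to the Edge's external interface from the machine you run it on.
param(
    [string[]]$SipDomains = @('domain1.example', 'domain2.example')
)

function Get-ServerCertificateSans {
    # Opens a TLS session to the SRV target and returns the DNS names on the
    # certificate it presents. The certificate is captured inside the
    # validation callback, because the Edge may tear the session down after
    # the handshake when no client certificate is offered (federation is MTLS).
    param([string]$HostName, [int]$Port = 5061)
    $box = @{ Cert = $null }
    $sb = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $box.Cert = $certificate
        return $true
    }.GetNewClosure()
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]$sb
    try {
        $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
        try {
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
            try { $ssl.AuthenticateAsClient($HostName) } catch { }   # certificate already captured
        } finally { $client.Close() }
    } catch { return @() }                                            # no TCP connectivity at all
    if (-not $box.Cert) { return @() }
    $x509  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($box.Cert)
    $names = @($x509.GetNameInfo('SimpleName', $false))               # subject CN
    $san   = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    return $names | Sort-Object -Unique
}

function Test-FederationDns {
    # Checks the _sipfederationtls SRV record of one SIP domain the way a
    # federated partner's Edge will use it.
    param([string]$SipDomain)
    $srvName = "_sipfederationtls._tcp.$SipDomain"
    $srv = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' } | Sort-Object Priority, Weight | Select-Object -First 1
    $result = [ordered]@{
        SipDomain = $SipDomain; Srv = $srvName; Target = $null; Port = $null
        TargetInDomain = $false; ViaCname = $false; IPAddress = $null
        CertCoversTarget = $false; Issues = ''
    }
    if (-not $srv) {
        $result.Issues = 'SRV record missing'
        return [pscustomobject]$result
    }
    $target = $srv.NameTarget.TrimEnd('.')
    $result.Target = $target
    $result.Port   = $srv.Port
    # The thread's fix: the target must be a host inside the SIP domain itself
    # (sip.domain2.example for domain2.example), not a Domain1 host that happens
    # to share the Edge's IP address.
    $result.TargetInDomain = $target.ToLower().EndsWith('.' + $SipDomain.ToLower())
    $rr = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
    $result.ViaCname  = [bool]($rr | Where-Object { $_.Type -eq 'CNAME' })
    $result.IPAddress = ($rr | Where-Object { $_.Type -eq 'A' } |
                         Select-Object -ExpandProperty IPAddress) -join ','
    $sans = @(Get-ServerCertificateSans -HostName $target -Port $srv.Port)
    # -like covers both an exact SAN and a wildcard such as *.domain2.example
    $result.CertCoversTarget = [bool]($sans | Where-Object { $target -like $_ })

    $issues = @()
    if (-not $result.TargetInDomain) { $issues += "SRV target is outside $SipDomain" }
    if ($result.ViaCname)            { $issues += 'SRV target is a CNAME, use an A record' }
    if (-not $result.IPAddress)      { $issues += 'SRV target has no A record' }
    if (-not $sans)                  { $issues += "no TLS certificate obtained from ${target}:$($srv.Port)" }
    elseif (-not $result.CertCoversTarget) { $issues += 'Edge certificate does not cover the SRV target' }
    $result.Issues = $issues -join '; '
    return [pscustomobject]$result
}

$SipDomains | ForEach-Object { Test-FederationDns -SipDomain $_ } | Format-List
```

Run it from outside the corporate network, or at least from a host that resolves the public zone, since the partner's Edge will use the external records. An empty Issues field for every domain means the record layout matches what the accepted answer ended up with; a "SRV target is outside" entry is exactly the misconfiguration Holger describes.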

All replies

  • Are the users who were moved to Domain1 now using a newly added sip domain?

    If you run get-csmanagementstorereplicationstatus, does it show that replication to the edge is functional?


    Please remember, if you see a post that helped you please click "Vote" on the left side of the response, and if it answered your question please click "Mark As Answer". SWC Unified Communications This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, SWC, their employees, or other MVPs.

    Thursday, August 31, 2017 8:37 PM
  • Yes, these users have their own sip domain. This domain was added a while ago, get-csmanagementstorereplicationstatus shows edge store is up-to-date.

    Maybe it's important - this domain is still registered in O365, Domain2 users use everything but Skype there.

    • Edited by Holibert Thursday, August 31, 2017 9:16 PM
    Thursday, August 31, 2017 9:15 PM
  • Yeah, that could very well pose a problem, depending on the config.  The domain can be registered in O365, but if it's registered in a different tenant than the hybrid is using, I've seen issues.  Are domain2 users still in their own separate tenant?

    Assuming DNS record point to your on-premises organization, can you federate with other corporations that are on-premises only?  Meaning, none of their Skype\Lync infrastructure is in Office365?



    Thursday, August 31, 2017 9:50 PM
  • Hi Holibert,

    Domain2 users switched from Office365 Skype to Domain1 Skype, Skype enabled and login via disabled account in Domain1.

    Could you give me more details about this operation? If an Office 365 SfB user switched to Domain1, was the user enabled and logged in, and did you not enable communications with federated users in the Skype for Business Control Panel? Was the account disabled in Domain2?

    If you moved the user, please check that the user has the correct values for the attributes shown in the following table; type this cmdlet:

    Get-CsUser | fl DisplayName,HostingProvider,SipAddress,Enabled

    Active Directory attribute     Attribute name    Correct value for Online user   Correct value for on-premises users
    msRTCSIP-DeploymentLocator     HostingProvider   sipfed.online.lync.com          SRV:
    msRTCSIP-PrimaryUserAddress    SIPAddress        sip:userName@contoso.com        sip:userName@contoso.com
    msRTCSIP-UserEnabled           Enabled           True                            True

    Each user who has been moved will need to log out, then log back in. 

    If you have some doubts about the migration. The following document is for your reference.

    https://technet.microsoft.com/en-us/library/dn689115.aspx


    Best Regards,

    Leon-Lu
    TechNet Community Support


    Please remember to mark the replies as answers if they help and unmark them if they provide no help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Friday, September 1, 2017 9:42 AM
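The attribute check in this reply, extended to every user of the second SIP domain, as an added example that is not part of the thread. It flags users whose HostingProvider is still the Online value instead of SRV:, users who are not enabled, and users whose effective external access policy has federation switched off (the "communications with federated users" setting in the Control Panel). The domain name is a placeholder; resolving site-level policies is left out, which is a simplification of this example.

```powershell
# Added example, not from the thread. Assumes the second SIP domain is
# "domain2.example"; replace it with the real one. Run in the Skype for
# Business Server Management Shell on a Front End server.
param(
    [string]$SipDomain = 'domain2.example'
)

# A SIP domain must be part of the topology before its users can federate.
$known = (Get-CsSipDomain | Select-Object -ExpandProperty Name) -contains $SipDomain
if (-not $known) {
    Write-Warning "$SipDomain is not a SIP domain in this deployment (see Get-CsSipDomain)"
}

$globalPolicy = Get-CsExternalAccessPolicy -Identity Global

$report = foreach ($u in Get-CsUser -Filter "SipAddress -like '*@$SipDomain'") {
    # A per-user policy wins; otherwise fall back to Global. Site-level
    # policies are not resolved here (simplification of this example).
    $policyName = "$($u.ExternalAccessPolicy)"
    $policy = if ($policyName) {
        $id = if ($policyName -match ':') { $policyName } else { "tag:$policyName" }
        Get-CsExternalAccessPolicy -Identity $id
    } else {
        $globalPolicy
    }

    $problems = @()
    if ($u.HostingProvider -ne 'SRV:') {
        $problems += "HostingProvider=$($u.HostingProvider) (on-premises users need SRV:)"
    }
    if (-not $u.Enabled) {
        $problems += 'Enabled=False'
    }
    if (-not $policy.EnableFederationAccess) {
        $problems += "policy $($policy.Identity) has EnableFederationAccess=False"
    }

    [pscustomobject]@{
        SipAddress      = $u.SipAddress
        HostingProvider = $u.HostingProvider
        Enabled         = $u.Enabled
        Policy          = $policy.Identity
        Federation      = $policy.EnableFederationAccess
        Problems        = ($problems -join '; ')
    }
}

$report | Format-Table -AutoSize
```

An empty Problems column for all users means the user side is as the reply expects and the fault is elsewhere (DNS, Edge, certificate); a HostingProvider of sipfed.online.lync.com on a user who is supposed to be on-premises means the move from Office 365 did not complete.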
  • Yes, all users from Domain2 are still in their own separate tenant in O365.
    Domain1 isn't registered in O365, we don't really use this O365 tenant. All our servers are on-premise.

    DNS record test in O365 shows records pointing to our on-premise organization.

    The error messages above are from tests against other on-premise installations.
    Tests with O365 tenants give a different error message in IM:
                This message wasn't sent to ..... due to company policy

    Yesterday I disabled federation on organization level for the Domain2 tenant in O365. Today all federation was cut, even to Domain1. After re-enabling federation in O365, an IM test with an O365 tenant was successful. But after logoff, clearing sign-in info and login again we have the same state as yesterday: no federation with on-premise or O365 organizations.



    • Edited by Holibert Friday, September 1, 2017 11:07 AM
    Friday, September 1, 2017 10:41 AM
  • Hi Holibert,

    I cannot understand your topology; for further troubleshooting, could you describe your AD topology?

    Do you have a resource forest topology? If you have doubts about the topology, the following document is for your reference.

    https://technet.microsoft.com/en-us/library/gg398173%28v=ocs.15%29.aspx


    Best Regards,

    Leon-Lu
    TechNet Community Support



    Tuesday, September 5, 2017 6:59 AM