DNS Requirements for Automatic Client Sign-In
Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.
Topic Last Modified: 2015-03-09
This section explains the DNS records required for automatic client sign-in. When you deploy your Standard Edition servers or Enterprise pools, you can configure your clients to use automatic discovery to sign in to the appropriate Standard Edition server or Enterprise pool. If you plan to require your clients to connect manually to Office Communications Server, you can skip this topic.
To support automatic client sign-in, you must:
Designate a single server or pool to distribute and authenticate client sign-in requests. This can be one of the existing servers or pools in your organization that hosts users, or you can designate a dedicated server or pool for this purpose that hosts no users. For high availability, we recommend that you designate an Enterprise pool for this function.
Create an internal DNS SRV record to support automatic client sign-in for this server or pool.
Note
In the following record requirements, SIP domain refers to the host portion of the SIP URIs assigned to users. For example, if SIP URIs are of the form *@contoso.com, contoso.com is the SIP domain. The SIP domain is often different from the internal Active Directory domain. An organization can also support multiple SIP domains. For details about configuring SIP domains, see Office Communications Server 2007 R2 Administration Guide in the Operations documentation.
To enable automatic configuration for your clients, you must create an internal DNS SRV record that maps one of the following records to the fully qualified domain name (FQDN) of the Enterprise pool or Standard Edition server that distributes sign-in requests from Microsoft Office Communicator clients:
_sipinternaltls._tcp.<domain> - for internal TLS connections
_sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)
You only need to create a single SRV record for the Enterprise pool or Standard Edition server that will distribute sign-in requests.
Important
Only a single Enterprise pool or Standard Edition server can be designated to distribute sign-in requests. Create only one SRV record for the designated server or pool. Do not create this SRV record for additional internal servers or pools.
The following table shows some example records required for the fictitious company Contoso, which supports SIP domains of contoso.com and retail.contoso.com.
Table 1. Example of DNS Records Required for Automatic Client Sign-in with Multiple SIP Domains
FQDN of Enterprise pool used to distribute sign-in requests | SIP domain | DNS SRV record |
---|---|---|
pool1.contoso.com | contoso.com | An SRV record for _sipinternaltls._tcp.contoso.com domain over port 5061 that maps to pool1.contoso.com |
pool1.contoso.com | retail.contoso.com | An SRV record for _sipinternaltls._tcp.retail.contoso.com domain over port 5061 that maps to pool1.contoso.com |
Note
By default, queries for DNS records adhere to strict domain name matching between the domain in the user name and the SRV record. If you prefer that client DNS queries use suffix matching instead, you can configure the DisableStrictDNSNaming Group Policy. For details, see the Planning for Communicator and Deploying Communicator documentation.
Example of the Certificates and DNS Records Required for Automatic Client Sign-In
This example uses the examples in the preceding table. The Contoso organization supports the SIP domains of contoso.com and retail.contoso.com, and all its users have a SIP URI in one of the following forms:
<user>@retail.contoso.com
<user>@contoso.com
Example of Required DNS Records
If the administrator at Contoso configures pool1.contoso.com as the pool that will distribute its sign-in requests, the following DNS records are required:
SRV record for _sipinternaltls._tcp.contoso.com domain over port 5061 that maps to pool1.contoso.com
SRV record for _sipinternaltls._tcp.retail.contoso.com domain over port 5061 that maps to pool1.contoso.com
Example of Required Certificates
In addition, the certificate that is assigned to the Front End Servers in the pool1.contoso.com Enterprise pool must include the following in its Subject Alternative Name (SAN):
sip.contoso.com
sip.retail.contoso.com
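The following check is an added example, not part of the original topic or of any Microsoft tool. It audits a planned configuration against the rules above: one _sipinternaltls._tcp SRV record per SIP domain on port 5061, every record mapping to the single designated pool, and a sip.<SIP domain> entry in the certificate SAN for each SIP domain. The function names, the (owner, port, target) tuple layout, and the sample users are assumptions made for illustration.

```python
from collections import defaultdict

TLS_PREFIX = "_sipinternaltls._tcp."  # SRV name prefix given in this topic
TLS_PORT = 5061                       # port used in this topic's examples

def norm(name):
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")

def sip_domains(sip_uris):
    """Host portion of each SIP URI, normalized and de-duplicated."""
    return sorted({norm(uri.rsplit("@", 1)[1]) for uri in sip_uris})

def audit(sip_uris, srv_records, pool_fqdn, cert_sans):
    """Return a list of findings; an empty list means the plan is consistent.

    srv_records: (owner_name, port, target) tuples, for example exported
    from the internal DNS zone (this layout is an assumption).
    """
    by_name = defaultdict(list)
    for owner, port, target in srv_records:
        by_name[norm(owner)].append((port, norm(target)))
    sans = {norm(s) for s in cert_sans}
    pool = norm(pool_fqdn)
    findings = []
    for domain in sip_domains(sip_uris):
        owner = TLS_PREFIX + domain
        records = by_name.get(owner, [])
        if not records:
            findings.append(f"{owner}: SRV record missing")
        if len(records) > 1:
            findings.append(f"{owner}: {len(records)} SRV records, expected exactly one")
        for port, target in records:
            if target != pool:
                findings.append(f"{owner}: targets {target}, not designated pool {pool}")
            if port != TLS_PORT:
                findings.append(f"{owner}: port {port}, expected {TLS_PORT}")
        if "sip." + domain not in sans:
            findings.append(f"certificate SAN missing sip.{domain}")
    return findings

# Constructed sample data modelled on the Contoso example in this topic.
URIS = ["alice@contoso.com", "bob@retail.contoso.com"]
GOOD_SRV = [("_sipinternaltls._tcp.contoso.com.", 5061, "pool1.contoso.com."),
            ("_sipinternaltls._tcp.retail.contoso.com.", 5061, "pool1.contoso.com.")]
GOOD_SANS = ["sip.contoso.com", "sip.retail.contoso.com"]
# Misconfiguration: second record for contoso.com points at another pool.
BAD_SRV = GOOD_SRV[:1] + [("_sipinternaltls._tcp.contoso.com.", 5061, "pool2.contoso.com.")]

if __name__ == "__main__":
    print(audit(URIS, GOOD_SRV, "pool1.contoso.com", GOOD_SANS))
    print("\n".join(audit(URIS, BAD_SRV, "pool1.contoso.com", GOOD_SANS[:1])))
```

The check covers only the TLS record; the _sipinternal._tcp record is not audited because this topic does not state its port.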