3.2 Configure DNS for Your Pool

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

When you create an Enterprise pool, Setup creates Active Directory objects and settings for the pool, including the pool FQDN. For clients to be able to connect to the pool, this pool FQDN must be registered in DNS.

In addition, for clients to automatically detect the pool or Standard Edition Server on which a user is hosted, you must designate a Standard Edition Server or a pool in your internal Office Communications Server infrastructure to distribute incoming client sign-in requests.

This section describes the DNS records that you are required to configure in all Office Communications Server deployments and those required for automatic client sign-in.

Required DNS Records

At a minimum, you are required to configure the following DNS records for all Enterprise pool deployments:

  • An internal DNS record that resolves the FQDN of your Enterprise pool to the virtual IP address of the load balancer used by the Front End Servers in the pool.

  • An internal DNS record that resolves the internal Web farm FQDN from the Enterprise pool to the virtual IP address of the load balancer used by the Web Components Servers in the pool. For example records, see the following table.

These DNS entries are required even if you have a pool with only one Front End. In this case, an FQDN that is different from the Front End FQDN must be assigned as the pool FQDN and published in DNS in accordance with the preceding DNS record requirements.

Table 3. Example DNS Records Required for Internal Web Farm FQDN

  Internal Web Farm FQDN: EEpool.contoso.com

  Pool FQDN: EEpool.contoso.com

  DNS A Record(s): DNS A record for EEpool.contoso.com that resolves to the VIP address of the load balancer used by the Enterprise Edition Servers in the pool. In this case, the load balancer will distribute both SIP traffic to the Front End Servers and HTTP(S) traffic to the Web Components Servers.

  Internal Web Farm FQDN: Meetings.internal.contoso.com

  Pool FQDN: EEpool.contoso.com

  DNS A Record(s):

    • DNS A record for EEpool.contoso.com that resolves to the VIP address of the load balancer used by the Front End Servers.

    • DNS A record for Meetings.internal.contoso.com that resolves to the VIP address of the load balancer used by the Web Components Servers.

If you plan to support Web conferencing for external users, then you must create an external DNS A record that resolves the external Web farm FQDN to the external IP address of the reverse proxy. The client uses this record to connect to the reverse proxy. For more information, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

Required DNS Records for Automatic Client Sign In

This section explains the DNS records required for automatic client sign-in. If you plan to manually configure your clients to connect to Office Communications Server, skip this section.

To support automatic client sign-in, you must:

  • Designate a single server or pool to distribute and authenticate client sign-in requests. This may be one of the existing servers or pools in your enterprise that host users, or you can designate a dedicated server or pool for this purpose that hosts no users. For high availability, we recommend that you designate an Enterprise pool for this function.

  • Create an internal DNS SRV record to support automatic client sign-in for this server or pool.

    Note

    SIP domain refers to the host portion of the SIP URIs assigned to users. For example, if SIP URIs are of the form *@contoso.com, then contoso.com is the SIP domain. The SIP domain is often different from the internal Active Directory domain. An organization may also support multiple SIP domains. For more information about configuring SIP domains, see the Microsoft Office Communications Server 2007 Administration Guide.

To enable automatic configuration for your clients, you must create an internal DNS SRV record that maps one of the following records to the FQDN of the Enterprise Edition pool (or Standard Edition Server) that distributes sign-in requests from Office Communicator:

   _sipinternaltls._tcp.<domain> - for internal TLS connections

   _sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)

You only need to create a single SRV record for the Standard Edition Server or Enterprise pool that will distribute sign-in requests.

Important

Only a single pool or Standard Edition Server can be designated to distribute sign-in requests. Create only one SRV record for the designated server or pool. Do NOT create this SRV record for additional internal servers or pools.

The following table shows example records required for the fictitious company, Contoso, which supports SIP domains of contoso.com and retail.contoso.com.

Table 4. Example DNS Records Required for Automatic Client Sign-In with Multiple SIP Domains

  FQDN of EE pool used to distribute sign-in requests: Pool1.Contoso.com

  SIP Domain: contoso.com

  DNS SRV Record: An SRV record for _sipinternaltls._tcp.contoso.com domain over port 5061 that maps to Pool1.Contoso.com

  FQDN of EE pool used to distribute sign-in requests: Pool1.Contoso.com

  SIP Domain: retail.contoso.com

  DNS SRV Record: An SRV record for _sipinternaltls._tcp.retail.contoso.com domain over port 5061 that maps to Pool1.Contoso.com

Note

By default, queries for DNS records adhere to strict domain name matching between the domain in the user name and the SRV record. If you prefer that client DNS queries use suffix matching instead, you can configure the DisableStrictDNSNaming group policy. For more information, see the Microsoft Office Communicator Planning and Deployment Guide.

Example of the Certificates and DNS Records Required for Automatic Client Sign-in

Using the examples in the preceding table, the Contoso organization supports the SIP domains of contoso.com and retail.contoso.com and all its users have a SIP URI in the form of either:

  • <user>@retail.contoso.com

  • <user>@contoso.com

The administrator at Contoso would configure pool1.contoso.com as the pool that will distribute its sign-in requests.

Required DNS Records:

  • SRV record for _sipinternaltls._tcp.contoso.com domain over port 5061 that maps to pool1.contoso.com

  • SRV record for _sipinternaltls._tcp.retail.contoso.com domain over port 5061 that maps to pool1.contoso.com

Required Certificates

In addition to this, the certificates assigned to the Front End Servers in pool1.contoso.com must include the following Subject Alternative Names:

  • sip.contoso.com

  • sip.retail.contoso.com

Create and Verify DNS SRV and A Records for Automatic Client Sign-in

You must create DNS SRV records in your internal DNS for every SIP domain. The procedure assumes that your internal DNS has zones for your SIP user domains.

To create a DNS SRV record

  1. On the DNS server, click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. In the console tree for your SIP domain, expand Forward Lookup Zones, and then right-click the SIP domain in which your Office Communications Server will be installed.

  3. Click Other New Records.

  4. In Select a resource record type, click Service Location (SRV), and then click Create Record.

  5. Click Service, and then type _sipinternaltls.

  6. Click Protocol, and then type _tcp.

  7. Click Port Number, and then type 5061.

  8. Click Host offering this service, and then type the FQDN of the pool.

  9. Click OK.

  10. Click Done.

After you have created the DNS SRV record, create a DNS A record for each pool FQDN and URL FQDN that is not the same as the server FQDN.

To create a DNS A record

  1. Click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. In the console tree for your domain, expand Forward Lookup Zones, and then right-click the domain in which your Office Communications Server will be installed.

  3. Click New Host (A).

  4. Click Name (uses parent domain name if blank), and then type the name of the pool.

  5. Click IP Address, and then enter the VIP of the load balancer. If you will deploy only one Enterprise Edition Server that is connected to the back-end without a load balancer, type the IP address of the Enterprise Edition server. (A load balancer is required if you deploy more than one Enterprise Edition server in a pool). Click Add Host, and then click OK.

  6. To create an additional A record, repeat steps 4 and 5.

  7. When you are finished creating all the A records that you need as described earlier in this topic, click Done.

To verify that the required records have been created successfully, wait for DNS replication (if you have just added the records), and then verify that the records were created as described in the next procedure.

Note

For illustrative purposes, the following steps use example.com as the domain portion of the SIP URI namespace. When executing these steps, use your actual SIP domain name instead.

To verify the creation of a DNS SRV record

  1. Log on to a client computer in the domain with an account that is a member of the Administrators group or has equivalent permissions.

  2. Click Start, and then click Run.

  3. In the Open box, type cmd, and then click OK.

  4. At the command prompt, type nslookup, and then press ENTER.

  5. Type set type=srv, and then press ENTER.

  6. Type _sipinternaltls._tcp.example.com, and then press ENTER. The output displayed for the TLS record is as follows:

    Server:  <dns server>.corp.example.com
    Address:  <IP address of DNS server>
    Non-authoritative answer:
    _sipinternaltls._tcp.example.com SRV service location:
              priority       = 0
              weight         = 0
              port           = 5061
              svr hostname   = poolname.example.com
    poolname.example.com       internet address = <virtual IP Address of the load balancer> or <IP address of a single Enterprise Edition Server for pools with only one Enterprise Edition Server>
    
  7. When you are finished, at the command prompt, type exit.

After you configure the DNS records, verify that the FQDN of the Enterprise pool can be resolved by DNS.

To verify that the FQDN of the Enterprise pool can be resolved

  1. Log on to a client computer in the domain.

  2. Click Start, and then click Run.

  3. In the Open box, type cmd, and then click OK.

  4. At the command prompt, type ping <FQDN of the pool>, and then press ENTER.

  5. Verify that you receive a response similar to the following, where the IP address returned is the IP address of the load balancer for your Enterprise pool or, in the case of an Enterprise pool with a single Enterprise Edition Server, the IP address of the Enterprise Edition Server.

    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    

How Client DNS Queries Work

During DNS lookup, SRV records are queried in parallel and returned in the following order to the client.

  1. _sipinternaltls._tcp.<domain> - for internal TLS connections

  2. _sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)

  3. _sip._tls.<domain> - for external TLS connections

  4. _sip._tcp.<domain> - for external TCP connections

where <domain> is the SIP domain used by your internal clients.

The last two queries are useful when clients are connecting from outside your internal network. For more information about remote user access, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

The client uses the SRV record that is returned successfully and does not try any other SRV records.

After the SRV record is returned, a query is performed for the DNS A record for the host name that is returned by the SRV record. If no records are found during the DNS SRV query, the client performs an explicit lookup of sip.<domain>. If the explicit lookup does not produce results, the client performs a lookup for sipinternal.<domain>. If the client does not find sipinternal.<domain>, it performs a lookup for sipexternal.<domain>.
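The lookup order above, together with the single-pool rule stated with Table 4, can be exercised against zone data. The following is an added example (not from this guide or the product): it simulates the client's SRV and host-name lookup order over constructed SRV/A records mirroring Table 4, and checks that every SIP domain has the required _sipinternaltls._tcp record on port 5061 pointing at the one designated pool with an A record. The behaviour when an SRV target has no A record is an assumption, as is the fabrikam.com fallback host.

```python
SRV_ORDER = ["_sipinternaltls._tcp.", "_sipinternal._tcp.", "_sip._tls.", "_sip._tcp."]
HOST_FALLBACK = ["sip.", "sipinternal.", "sipexternal."]

# Constructed zone data mirroring Table 4: SRV name -> (port, target host).
ZONE_SRV = {
    "_sipinternaltls._tcp.contoso.com": (5061, "pool1.contoso.com"),
    "_sipinternaltls._tcp.retail.contoso.com": (5061, "pool1.contoso.com"),
}
# Constructed A records: the pool VIP, plus a domain that has only a sip. host.
ZONE_A = {
    "pool1.contoso.com": "172.27.176.117",
    "sip.fabrikam.com": "10.0.0.5",
}


def resolve_sign_in(sip_uri, srv=ZONE_SRV, a=ZONE_A):
    """Return (kind, host, address, port) the client would connect to, or None."""
    domain = sip_uri.rsplit("@", 1)[1].lower()
    # SRV names are queried in parallel; the first in this order that answers is
    # used and no other SRV is tried. Assumption: if the A lookup for its target
    # fails, sign-in fails rather than falling through to the next SRV.
    for prefix in SRV_ORDER:
        rec = srv.get(prefix + domain)
        if rec is not None:
            port, host = rec
            return ("srv", host, a[host], port) if host in a else None
    # No SRV record found at all: explicit host lookups in the documented order.
    for prefix in HOST_FALLBACK:
        host = prefix + domain
        if host in a:
            return ("a", host, a[host], None)
    return None


def check_zone(sip_domains, pool_fqdn, srv=ZONE_SRV, a=ZONE_A):
    """List deviations: one TLS SRV per SIP domain, port 5061, one pool, pool A record."""
    problems = []
    if pool_fqdn not in a:
        problems.append(f"no A record for pool {pool_fqdn}")
    for domain in sip_domains:
        name = "_sipinternaltls._tcp." + domain
        rec = srv.get(name)
        if rec is None:
            problems.append(f"missing {name}")
        elif rec != (5061, pool_fqdn):
            problems.append(f"{name} is {rec}, expected (5061, {pool_fqdn!r})")
    # Any internal TLS SRV that names another host designates a second pool.
    for name, (_, host) in sorted(srv.items()):
        if name.startswith("_sipinternaltls._tcp.") and host != pool_fqdn:
            problems.append(f"{name} points at a second pool: {host}")
    return problems
```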

If your DNS infrastructure prohibits configuration of these DNS records, you can manually edit the client registry to point to the appropriate home server. For more information about editing the client registry and configuring policy settings for the client, see the Microsoft Office Communicator 2007 Deployment Guide.