Required DNS Records for Automatic Client Sign-In

Microsoft Office Communications Server 2007 and Microsoft Office Communications Server 2007 R2 will reach end of support on January 9, 2018. To stay supported, you will need to upgrade. For more information, see Resources to help you upgrade your Office 2007 servers and clients.

If you are enabling automatic sign-in for clients of Office Communications Server, you will need to configure additional DNS records as explained in this section. If you will require your clients to manually connect to Office Communications Server, you can skip this section.

To support automatic client sign-in, you must do the following:

  • Designate a single server or pool to distribute and authenticate client sign-in requests. This can be an existing server or pool that hosts users, or you can designate a dedicated server or pool that hosts no users for this purpose. If you require high availability, we recommend that you designate an Enterprise pool for this function.

  • Create an internal DNS SRV record to support automatic client sign-in for this server or pool.

To enable automatic sign-in for your clients, you must create an internal DNS SRV record that maps one of the following records to the FQDN of the server or pool that distributes sign-in requests from Office Communicator:

  • _sipinternaltls._tcp.<domain> - for internal TLS connections

  • _sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)

You need to create only a single SRV record for the Standard Edition Server or Enterprise pool that will distribute sign-in requests.

Important

Only a single pool or Standard Edition Server can be designated to distribute sign-in requests. Create only one SRV record for the designated server or pool. Do not create an SRV record for additional internal servers or pools.

Table 2 shows some example records that are required for the fictitious company, Contoso, that supports SIP domains of contoso.com and retail.contoso.com.

Note

The SIP domain refers to the host portion of the SIP URIs that are assigned to users. For example, if SIP URIs are of the form *@contoso.com, then contoso.com is the SIP domain. The name of the SIP domain is often different from that of the internal Active Directory domain. An organization may also support multiple SIP domains. For more information on configuring SIP domains, see the Microsoft Office Communications Server 2007 Administration Guide.

Table 2. Example DNS Records Required for Automatic Client Sign-In with Multiple SIP Domains

  FQDN of Standard Edition Server used to distribute sign-in requests | SIP Domain | DNS SRV Record
  server1.Contoso.com | Contoso.com | An SRV record for _sipinternaltls._tcp.contoso.com over port 5061 that maps to server1.Contoso.com
  server1.Contoso.com | Retail.Contoso.com | An SRV record for _sipinternaltls._tcp.retail.contoso.com over port 5061 that maps to server1.Contoso.com

Note

By default, queries for DNS records adhere to strict domain name matching between the domain in the user name and the SRV record. If you prefer that client DNS queries use suffix matching instead, you can configure the DisableStrictDNSNaming group policy. For details, see the Microsoft Office Communicator Planning and Deployment Guide.

Example of the Certificates and DNS Records Required for Automatic Client Sign-in

Using the examples in the preceding table, the Contoso organization supports the SIP domains of contoso.com and retail.contoso.com, and all its users have a SIP URI in one of the following forms:

  • <user>@retail.contoso.com

  • <user>@contoso.com

If the administrator at Contoso configures pool1.contoso.com as the pool that will distribute its sign-in requests, the following DNS records are required:

  • SRV record for _sipinternaltls._tcp.contoso.com domain over port 5061 that maps to server1.contoso.com

  • SRV record for _sipinternaltls._tcp.retail.contoso.com domain over port 5061 that maps to server1.contoso.com

In addition, the certificate that is assigned to the pool, pool1.contoso.com, must have the following in its Subject Alternative Names:

  • sip.contoso.com

  • sip.retail.contoso.com
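An added checker (not from the Office Communications Server documentation) that encodes the requirements above: one _sipinternaltls._tcp SRV record per SIP domain on port 5061, all mapping to the single designated pool, an A record for that target, and sip.<domain> in the certificate's Subject Alternative Names. The zone data and SAN list are constructed sample data, with the retail domain deliberately misconfigured.

```python
"""Check the DNS records and certificate SANs needed for automatic client sign-in.
The zone data and SAN list below are constructed sample data."""

SIGNIN_PORT = 5061

# Constructed zone data: SRV records as (priority, weight, port, target),
# A records as lists of addresses. The retail domain is deliberately wrong.
SRV = {
    "_sipinternaltls._tcp.contoso.com": [(0, 0, 5061, "pool1.contoso.com")],
    "_sipinternaltls._tcp.retail.contoso.com": [(0, 0, 5060, "pool1.contoso.com")],
}
A = {"pool1.contoso.com": ["10.0.0.5"]}
SANS = ["pool1.contoso.com", "sip.contoso.com"]


def check_signin_records(pool_fqdn, sip_domains, srv=SRV, a=A, sans=SANS):
    """Return a list of problems; an empty list means the setup is complete."""
    problems = []
    targets = set()
    san_set = {s.lower() for s in sans}
    for domain in sip_domains:
        domain = domain.lower()
        # The sign-in server's certificate must carry sip.<domain> for every SIP domain.
        if f"sip.{domain}" not in san_set:
            problems.append(f"certificate is missing Subject Alternative Name sip.{domain}")
        name = f"_sipinternaltls._tcp.{domain}"
        records = srv.get(name, [])
        if not records:
            problems.append(f"missing SRV record {name}")
            continue
        if len(records) > 1:
            problems.append(f"{name}: more than one SRV record; only one server or pool may distribute sign-in")
        for _priority, _weight, port, target in records:
            target = target.lower()
            targets.add(target)
            if port != SIGNIN_PORT:
                problems.append(f"{name}: port {port}, expected {SIGNIN_PORT}")
            if target != pool_fqdn.lower():
                problems.append(f"{name}: maps to {target}, not the designated {pool_fqdn}")
            if not a.get(target):
                problems.append(f"no A record for SRV target {target}")
    if len(targets) > 1:
        problems.append(f"sign-in SRV records map to several hosts: {sorted(targets)}")
    return problems


if __name__ == "__main__":
    for p in check_signin_records("pool1.contoso.com", ["contoso.com", "retail.contoso.com"]):
        print("PROBLEM:", p)
```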

Create and Verify DNS SRV and A Records for Automatic Client Sign-in

You must create DNS SRV records in your internal DNS for every SIP domain. The following procedure assumes that your internal DNS has zones for your SIP user domains.

To create a DNS SRV record

  1. On the DNS server, click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. In the console tree for your SIP domain, expand Forward Lookup Zones, and then right-click the SIP domain in which your Office Communications Server will be installed.

  3. Click Other New Records.

  4. In Select a resource record type, click Service Location (SRV), and then click Create Record.

  5. Click Service, and then type _sipinternaltls.

  6. Click Protocol, and then type _tcp.

  7. Click Port Number, and then type 5061.

  8. Click Host offering this service, and then type the FQDN of the Standard Edition Server.

  9. Click OK.

  10. Click Done.

After you have created the DNS SRV record, create a DNS A record for the Standard Edition Server.

To create a DNS A record

  1. On the DNS server, click Start, click Control Panel, click Administrative Tools, and then click DNS.

  2. In the console tree for your domain, expand Forward Lookup Zones, and then right-click the domain in which your Office Communications Server will be installed.

  3. Click New Host (A).

  4. Click Name (uses parent domain name if blank), and then type the name of the pool.

  5. Click IP Address, and then enter the IP address of the Standard Edition Server.

  6. Click Add Host, and then click OK.

  7. Click Done.

To verify that the required records have been created successfully, wait for DNS replication (if you have just added the records), and then verify that the records were created as described in the next procedure.

Note

For illustrative purposes, the following procedure uses example.com as the domain portion of the SIP URI namespace. When executing these steps, use your actual SIP domain name instead.

To verify the creation of a DNS SRV record

  1. Log on to a client computer in the domain with an account that is a member of the Administrators group or has equivalent permissions.

  2. Click Start, and then click Run. In the Open box, type cmd, and then click OK.

  3. At the command prompt, type nslookup, and then press ENTER.

  4. Type set type=srv, and then press ENTER.

  5. Type _sipinternaltls._tcp.example.com, and then press ENTER. The output displayed for the TLS record is as follows:

    Server:  <dns server>.corp.example.com
    Address:  <IP address of DNS server>
    Non-authoritative answer:
    _sipinternaltls._tcp.example.com SRV service location:
              priority       = 0
              weight         = 0
              port           = 5061
              svr hostname   = server1.example.com
    server1.example.com       internet address = <IP address of the Standard Edition Server>
    
  6. When you are finished, at the command prompt, type exit, and then press ENTER.

After you configure the DNS records, verify that the FQDN of the Standard Edition Server can be resolved by DNS.

To verify that the FQDN of the Standard Edition Server can be resolved

  1. Log on to a client computer in the domain.

  2. Click Start, and then click Run. In the Open box, type cmd, and then click OK.

  3. At the command prompt, type ping <FQDN of the Standard Edition Server>, and then press ENTER.

  4. Verify that you receive a response similar to the following, where the IP address returned is the IP address of the Standard Edition Server.

    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    Reply from 172.27.176.117: bytes=32 time<1ms TTL=127
    

How Client DNS Queries Work

During DNS lookup, SRV records are queried in parallel and returned in the following order to the client:

  1. _sipinternaltls._tcp.<domain> - for internal TLS connections

  2. _sipinternal._tcp.<domain> - for internal TCP connections (performed only if TCP is allowed)

  3. _sip._tls.<domain> - for external TLS connections

  4. _sip._tcp.<domain> - for external TCP connections

where <domain> is the SIP domain used by your internal clients.

The last two queries are useful when clients are connecting from outside your network. For more information on remote user access, see the Microsoft Office Communications Server 2007 Edge Server Deployment Guide.

The client uses the first SRV record that is returned successfully, and it does not try any other SRV records.

After the SRV record is returned, a query is performed for the DNS A record for the host name that is returned by the SRV record. If no records are found during the DNS SRV query, the client performs an explicit lookup of sip.<domain>. If the explicit lookup does not produce results, the client performs a lookup for sipinternal.<domain>. If the client does not find sipinternal.<domain>, it performs a lookup for sipexternal.<domain>.
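The lookup order described above, as an added offline model that is not part of the Office Communicator documentation. The DNS answers are constructed sample data; how the client chooses among several answers for one SRV name, and what port it uses after an explicit host lookup, are assumptions rather than statements from the documentation.

```python
"""Model of the client's automatic sign-in DNS lookup order.
The zone data below is constructed sample data."""

# SRV names in the documented order: (name pattern, transport).
SRV_ORDER = [
    ("_sipinternaltls._tcp.{}", "TLS"),  # internal TLS
    ("_sipinternal._tcp.{}", "TCP"),     # internal TCP, only if TCP is allowed
    ("_sip._tls.{}", "TLS"),             # external TLS
    ("_sip._tcp.{}", "TCP"),             # external TCP
]
# Explicit host lookups, tried only when no SRV query returns a record.
FALLBACK_HOSTS = ["sip.{}", "sipinternal.{}", "sipexternal.{}"]

# Constructed zone data: SRV answers as (priority, weight, port, target); A records as one address.
SRV = {
    "_sipinternaltls._tcp.contoso.com": [(10, 0, 5061, "pool2.contoso.com"),
                                        (0, 0, 5061, "pool1.contoso.com")],
    "_sip._tls.retail.contoso.com": [(0, 0, 443, "sip.contoso.com")],
}
A = {"pool1.contoso.com": "10.0.0.5", "pool2.contoso.com": "10.0.0.6",
     "sip.contoso.com": "203.0.113.10", "sipinternal.fabrikam.com": "10.0.1.7"}


def sip_domain(sip_uri):
    """Strict domain matching: the domain is the host part of the user's SIP URI."""
    return sip_uri.rsplit("@", 1)[1].lower()


def resolve_signin_server(sip_uri, allow_tcp=True, srv=SRV, a=A):
    """Return (host, address, port, transport), or None when nothing resolves."""
    domain = sip_domain(sip_uri)
    for pattern, transport in SRV_ORDER:
        if transport == "TCP" and not allow_tcp:
            continue
        answers = srv.get(pattern.format(domain))
        if not answers:
            continue
        # The first name that answers is used and no other SRV name is tried.
        # Assumed: lowest priority value wins, highest weight breaks ties (RFC 2782).
        _priority, _weight, port, host = min(answers, key=lambda r: (r[0], -r[1]))
        address = a.get(host)
        return (host, address, port, transport) if address else None
    for pattern in FALLBACK_HOSTS:
        host = pattern.format(domain)
        if host in a:
            return (host, a[host], None, None)  # port/transport not stated for explicit lookups
    return None
```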

If your DNS infrastructure prohibits configuration of these DNS records, you can manually edit the client registry to point to the appropriate home server. For more information about editing the client registry and configuring policy settings for the client, see the Microsoft Office Communicator 2007 Deployment Guide.