About Me

TsooRad is a blog for John Weber. John is a Lync Server MVP (2010-2013). My day job is titled "Principal Consulting Engineer" - I work with an awesome group of people at CDW, LLC. I’ve been at this gig in one fashion or another since 1988 - starting with desktops (remember Z-248’s?) and now I am in Portland, Oregon. I focus on collaboration and infrastructure. This means Exchange of all flavors, LCS/OCS/Lync, Windows, business process, and learning new stuff. I have a variety of interests - some of which may rear their ugly head in this forum. I have a variety of certifications dating back to Novell CNE and working up through the Microsoft MCP stack to MCITP multiple times. FWIW, I am on my third career - ex-USMC, retired US Army. I have a fancy MBA. One of these days, I intend to start teaching. The opinions expressed on this blog are mine and mine alone.

2012/10/29

Lync Server DNS Pinpoint zones

Edited 10.29.2012 1535 PST – thanks to Jeremy!

Scenario

I recently did a project where the client wanted to use their email address domain for their SIP domain – fairly common – but they did not have an internal DNS zone for that domain.  Their internal AD structure was domain.local – not something we can publish for external or federation access.  Furthermore, the client did not want to establish split-DNS – which is the common solution for this type of environment.  But, the client also wanted external users, mobility, and federation. 

What the client was doing was using an external DNS provider to resolve their SMTP domain lookups.  When the external name resolution directed an internal client to an external IP that was NAT to an internal resource, the firewall did an automagic redirect to the proper internal target.

Clearly, this will not work for Lync.  Even though mobility needs to reach the same connection point regardless of location, using the firewall to execute fancy footwork won’t work because of how an Edge server works, or how TMG works.  TMG would see those packets as spoofed and simply drop them.  Edge will work, after a fashion, but when a client starts connecting internally and externally at the same time, the combination is guaranteed to produce an inconsistent user experience and outright failures.

Remember that Lync 2010 does an automatic lookup for _sipinternaltls._tcp.<domain.name>, where <domain.name> is the SIP domain provisioned for the user who is logging in with a SIP-enabled AD account.  Therefore, in our test case, we want the Lync 2010 client to find _sipinternaltls._tcp.domain.com.

What to do?

The answer is to create “pinpoint” DNS zones.  This type of DNS zone holds a single record, which is represented by the zone itself.  For instance, if you need/want to have SIP.domain.com, but you don’t want to double manage a lengthy list of A records in two places (split DNS), then you can create a pinpoint zone whose name is SIP.domain.com and whose only content is that one host record:


When the client goes looking for SIP.domain.com, it can certainly find it, yes?  But name resolution for anything else in domain.com other than that specific name (SIP.domain.com) will need to go somewhere else for resolution.

Let’s take a look at how to create a pinpoint DNS zone record.

Start with your DNS Manager…Right-click the “Forward Lookup Zones” and choose “New Zone.”


Click NEXT in the “Welcome to the New Zone Wizard” and then choose Primary Zone.

Choose the Zone Replication Scope option that makes sense for your environment…


And then name your zone.  We want SIP.domain.com.  I always allow only secure dynamic updates.


Select Finish, and you have created the new zone.


After you have your new zone, you need to add a host record so your DNS server can reply to DNS queries with an IP address.  To do that, right-click your zone and choose “New Host (A or AAAA)…”  Leave the NAME blank, input the IP, and set the TTL; I always adjust internal A records downwards.  In this case, I used a five-minute TTL because I am forever whipping my Lync lab into some different configuration and I want the client connection points to be updated quickly.


Voila!  Now we look like the first picture. 

Pretty slick.  But, perhaps you know that the Lync 2010 client looks for SRV records by default?  How do you construct an SRV record using this pinpoint technique?

Get yourself to a command prompt.  You will have a seriously hard time doing this in the GUI, as this action is not supported in the DNS Manager GUI (see this reference).  Then enter the following:

dnscmd . /zoneadd _sipinternaltls._tcp.domain.com. /dsprimary

(creates the actual pinpoint zone)

&

dnscmd . /recordadd _sipinternaltls._tcp.domain.com. @ SRV 0 0 5061 sip.domain.com

(adds the SRV record to that zone)
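The same two pinpoint zones, built end to end and then checked from the resolver's point of view. This is an added example, not code from the original post or from Microsoft: it uses the DnsServer PowerShell module (assumed: Windows Server 2012 or later; the post itself uses the DNS Manager GUI and dnscmd), assumes it runs elevated on the internal DNS server, and assumes the Front End pool answers on 1.1.1.31, the lab address the comments below refer to.

```powershell
# Added example (not from the original post). Builds the sip.<sipdomain> host
# pinpoint zone and the _sipinternaltls._tcp.<sipdomain> SRV pinpoint zone with
# the DnsServer module, then verifies what an internal client would resolve.
# Assumptions: DnsServer module present (Windows Server 2012+), run elevated on
# the internal DNS server, SIP domain domain.com, FE pool at 1.1.1.31 (lab address).
#Requires -Modules DnsServer

$SipDomain = 'domain.com'
$PoolIPs   = @('1.1.1.31')            # one A record per FE pool member (DNS load balancing)
$HostZone  = "sip.$SipDomain"
$SrvZone   = "_sipinternaltls._tcp.$SipDomain"
$Ttl       = New-TimeSpan -Minutes 5   # short TTL so client connection points update quickly

function New-PinpointZone {
    param([Parameter(Mandatory)][string]$Name)
    # AD-integrated primary zone, secure dynamic updates only (matches the GUI choices in the post).
    if (-not (Get-DnsServerZone -Name $Name -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Name -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
    }
}

# 1. Zone whose own name is the host: sip.domain.com with a blank-name ("@") A record.
New-PinpointZone -Name $HostZone
foreach ($ip in $PoolIPs) {
    Add-DnsServerResourceRecordA -ZoneName $HostZone -Name '@' -IPv4Address $ip -TimeToLive $Ttl
}

# 2. Zone whose own name is the SRV record the Lync 2010 client queries,
#    pointing at sip.domain.com on 5061 (same values as the dnscmd line in the post).
New-PinpointZone -Name $SrvZone
Add-DnsServerResourceRecord -Srv -ZoneName $SrvZone -Name '@' -DomainName $HostZone `
    -Priority 0 -Weight 0 -Port 5061 -TimeToLive $Ttl

# 3. Verify. The SRV must land on sip.domain.com, the A record on the pool, and any
#    OTHER name in domain.com must still fall through to the external zone: a
#    pinpoint zone only ever shadows its own single name, which is the whole point.
function Test-PinpointResolution {
    param([string]$Server = 'localhost')
    $srv = Resolve-DnsName -Name $SrvZone  -Type SRV -Server $Server -ErrorAction Stop |
           Where-Object { $_.Type -eq 'SRV' } | Select-Object -First 1
    $a   = Resolve-DnsName -Name $HostZone -Type A   -Server $Server -ErrorAction Stop |
           Where-Object { $_.Type -eq 'A' }
    # www.<sipdomain> is NOT in any internal zone; it must resolve via the forwarders.
    $www = Resolve-DnsName -Name "www.$SipDomain" -Type A -Server $Server -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SrvTarget        = $srv.NameTarget
        SrvPort          = $srv.Port
        PoolAddresses    = @($a.IPAddress)
        # $false here means the parent domain is no longer reachable from inside:
        # check the forwarder, not the pinpoint zones.
        ParentDomainOk   = [bool]$www
    }
}

Test-PinpointResolution | Format-List
```

On a Lync 2010-era server running Windows Server 2008 R2 the DnsServer module is not available; the two dnscmd lines above do exactly the same work, and the `Test-PinpointResolution` check can still be run from any Windows 8 / Server 2012 or later machine by pointing `-Server` at the internal DNS server.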

Here is the final client lookup flow.  We resolve the SRV record that the Lync 2010 client looks for (_sipinternaltls._tcp.domain.com) and point it to another pinpoint zone (sipinternal.domain.com), with the FE pool having a cert that includes that name in the SAN.  We did this to get around the strict DNS naming issue that would have caused login issues due to the difference between the FQDN (tsoorad.net) and the SIP domain name (domain.com).


Remember to add the SIP domain to the Lync Front End Server (or servers) as shown.


YMMV!

16 comments:

enqush bataa said...

Hi TsooRad!

1.1.1.31 what's ip of this?
Is it lync edge external interface IP?

tsoorad said...

At the time I wrote this article, my lab was a single lync 2010 Enterprise Server. Therefore the sip.domain.com address is the Lync Pool. If you had two nodes, there would be two A records.

enqush bataa said...

I've also deployed Edge and Proxy server. So IP must be Reverse proxy's external IP right?

Our sip domain was lync.contoso.com for testing purpose. Now I need to configure in real situation. Therefore sip domain changed to contoso.com.
contoso.com is our website address and it points to own public IP.

When I wrote pin point DNS record, our internal workstations can't connect to contoso.com. Do you know the problem?

tsoorad said...

I sure hope you are not literally using contoso.com.
Internal users need to have "sip.domain.com" pointing to the pool.
For an SE, that would be a single IP. For a DNSLB Enterprise pool, there would need to be an A record for "sip.domain.com" pointing to each FE member. So, if you have 3 nodes in your pool, using 1.1.1.10, 1.1.1.11, and 1.1.1.12, there would be three A records, one for each pool member.

enqush bataa said...

Thank you very much for the answer.
Yes of course I'm using different sip domain.

I'm sorry but I don't understand clearly. Let me explain in more detail.

Deployed Lync SE with edge and reverse proxy(using MS TMG)

contoso.com - Main sip domain.
corp.contoso.local - local DNS
access edge - sip.contoso.com - lync edge server public IP.
webconf - webconf.contoso.com - public IP
av edge - av.contoso.com - public IP
simple URLs - meet.contoso.com, dialin.contoso.com
lync web access - owa.contoso.com - points to Reverse Proxy
external web - extweb.contoso.com -> points to reverse proxy public IP

SRV records on external DNS:
_sipfederationstls._tcp.contoso.com 5061 points to sip.contoso.com
_sip._tls.contoso.com 443 -> sip.contoso.com

Our organization users want to sign in with their email address like bob@contoso.com to lync.

So this post of yours really helped me when the sip domain was lync.contoso.com. After I changed the sip domain to contoso.com it doesn't work.

When I create a pin point zone for contoso.com on local DNS, our local workstations can't connect to lync, and when they enter the contoso.com (our company website) url in the browser it doesn't connect, because I created the contoso.com pin point zone with a different IP address (edge server public IP, also tried to change it to reverse proxy public IP).

I hope you understand my situation. Do I need change sip domain contoso.com to something like lync.contoso.com?

tsoorad said...

Did you change the users to the new sip domain uri?

enqush bataa said...

Tried to troubleshoot edge server.

Added DNS A record on internal DNS server something like lyncedge.contoso.local

But still can't ping. My edge server is VM. But still wondering why I can't ping...

tsoorad said...

Sounds like you have some name resolution issues. Double check dns. Then ensure you can resolve all names from each server. Using netmon can you see client traffic arriving at the edge? Using client-side logs and netmon, are the clients resolving and connecting to the right server?

enqush bataa said...

Thanks Tsoorad.
All of my servers are in same subnet, no DMZ. I know it's not recommended, but it'll work.

When I configure gateway on internal interface, ping and nslookup works.

I just want to make sure that sip.domain.com is access edge service URL? Then you added pinpoint dns zone with this name?

tsoorad said...

Sip.domain.com is external AND internal. Internal clients need to connect to FE pool. External clients need to connect to access edge on the external nic on the edge server.

If you cannot ping FE from edge without a gateway, then you have a route issue. Put the gateway on the external nic. Dns on inside nic, not outside. Make sure internal dns can resolve outside (like msn or CNN) and use a host file if need be.

tsoorad said...

And DNS internal to windows AD is going to point to a different address than the external dns host does.

enqush bataa said...

Thank you so much TsooraD.

It works great internally.

When I log in from outside, it asks me to enter password and domain\name. I entered the login information but it cannot log in.

using www.testocsconnectivity.com result:
Testing remote connectivity for user bob.b@contoso.com to the Microsoft Lync server.
Specified remote connectivity test(s) to Microsoft Lync server failed. See details below for specific failure reasons.
Tell me more about this issue and how to resolve it

Additional Details
Couldn't sign in. Error: Error Message: The operation failed after several attempts..
Error Type: RegisterException.
Deregister Reason: None.

tsoorad said...

Can the FE pool ping the edge by fqdn? Not IP. FQDN.
Can the Edge server or pool servers ping the FE pool or pool servers by FQDN? Not IP, FQDN.
Edge must resolve and contact FE pool.
If you have that figured out, then check and see if the user is allowed to login remotely.
Do you have the Edge Server authorized to allow federation, remote, etc?

enqush bataa said...

Can the FE pool ping the edge by fqdn? Not IP. FQDN.

Yes

Can the Edge server or pool servers ping the FE pool or pool servers by FQDN? Not IP, FQDN.

Yes

Edge must resolve and contact FE pool.

yes, nslookup works

If you have that figured out, then check and see if the user is allowed to login remotely.
Do you have the Edge Server authorized to allow federation, remote, etc?

Yes I enabled everything on lync control panel - external access policy, access edge configuration.

tsoorad said...

Enqush,
Can the Edge server resolve and ping the FE? Can the FE server resolve and ping the Edge.
Whether or not nslookup works is not the issue. nslookup just shows what is in the dns provider. You need bidirectional communication between the Edge and the FE. To achieve that, the Edge must be able to look up, on its DNS or host file, the FQDN of the FE.
Typically, I always have the Edge server using internal DNS and never have the Edge external NIC with DNS server IP listed. If you use external DNS servers for your Edge Server, you will need to construct a host file so that the Edge can find the FE.