Lync 2013 DNS requirements in a multi tenant deployment

Hi All,
We are planning to deploy Lync 2013 Enterprise in a two-site (pool) deployment. The two sites are separated by a WAN link.
Our primary SIP domain is xyz.com
For site A, we have
1) A pool named siteApool.xyz.com
2) 2 FEs named siteAfe001.xyz.net and siteAfe002.xyz.net
3) An edge for external access, siteAedge
For site B, we have
1) A pool named siteBpool.xyz.com
2) An FE named siteBfe001.xyz.net
Site B users will use the edge at site A for external access.
As per the R&D, we know that the following records are required for external access:
Access/webcon/av.xyz.com
_sip_tls.xyz.com
Apart from that, we also need the following service URL records:
dialin.xyz.com
meet.xyz.com
admin.xyz.com
sip.xyz.com
Our problem starts here, because we only manage the xyz.net DNS, not the xyz.com DNS (it is our public DNS), which raises two questions:
1) As both the internal and external users are going to use the same service URL records (dialin/meet/admin/sip.xyz.com), how can we make sure that when a user uses Lync on the office LAN, the service URLs will be resolved by the xyz.net DNS and will not get routed to xyz.com (public DNS) for DNS resolution?
2) As I said, we have a two-site deployment and we need common service URL records (dialin/meet/admin/sip.xyz.com) to be used by users at both sites. How can I make sure that when a user at site A asks for dialin/meet/admin/sip.xyz.com it gets routed to siteApool.xyz.com, and when a user at site B asks for dialin/meet.xyz.com it gets routed to siteBpool.xyz.com? We need such functionality to save unnecessary WAN traffic.
Please help me to figure out the most suitable design.
Thanks,
Mohit Taneja

Hi Mohit Taneja,
Some additional information.
About the DNS requirements, you could refer to the following article.
http://technet.microsoft.com/en-us/library/gg398082.aspx
About the network traffic, it depends on where exactly the user is hosted. The central site does not decide the media traffic. If a user is hosted in site B and organizes the meeting, media has to travel via the WAN if you don't have an edge server in site B.
Best regards,
Eric

Similar Messages

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       - Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       - Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       - Friendly URL option 3 from this page:
         http://technet.microsoft.com/en-us/library/gg398287.aspx
       - Client auto-configuration:
         i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
         ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
         iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to
    create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net). 
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share
    the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.
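
An added example, not part of the original post and not Microsoft or vendor tooling: a Python audit of the two rules quoted in the post above, run per SIP domain. It flags `_sip._tls` SRV targets that fall outside the SIP domain's namespace or outside the Edge certificate's SAN list, and lyncdiscover names that the reverse proxy certificate does not cover. All DNS records, SAN lists and the `tenant-*.example` domains are constructed sample values; `sip.mslync.net` is the FQDN used in the quoted blog text.

```python
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample data, not from a real deployment.
EDGE_SANS = ["sip.mslync.net", "sip.tenant-a.example"]
PROXY_SANS = ["lyncdiscover.mslync.net", "lyncdiscover.tenant-a.example"]
# record name -> (record type, data)
DNS = {
    "_sip._tls.mslync.net": ("SRV", "sip.mslync.net"),
    "lyncdiscover.mslync.net": ("A", "203.0.113.10"),
    "_sip._tls.tenant-a.example": ("SRV", "sip.tenant-a.example"),
    "lyncdiscover.tenant-a.example": ("A", "203.0.113.10"),
    # tenant-b reuses the primary domain's FQDNs (saves SANs)
    "_sip._tls.tenant-b.example": ("SRV", "sip.mslync.net"),
    "lyncdiscover.tenant-b.example": ("CNAME", "lyncdiscover.mslync.net"),
    # tenant-c has its own Access Edge FQDN but no SAN was issued for it
    "_sip._tls.tenant-c.example": ("SRV", "sip.tenant-c.example"),
}


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def in_namespace(host: str, domain: str) -> bool:
    """True when host is the domain itself or a name underneath it."""
    host, domain = normalize(host), normalize(domain)
    return host == domain or host.endswith("." + domain)


def san_covers(host: str, sans: list[str]) -> bool:
    """Exact SAN match, or a wildcard SAN that replaces exactly one label."""
    host = normalize(host)
    for san in map(normalize, sans):
        if san == host:
            return True
        if san.startswith("*."):
            head, _, rest = host.partition(".")
            if head and rest == san[2:]:
                return True
    return False


@dataclass(frozen=True)
class Finding:
    sip_domain: str
    check: str      # "access-edge" or "lyncdiscover"
    severity: str   # "ok", "info", "warn" or "fail"
    detail: str


def check_access_edge(sip_domain: str, dns: dict, edge_sans: list[str]) -> Finding:
    rec = dns.get(f"_sip._tls.{normalize(sip_domain)}")
    if rec is None or rec[0] != "SRV":
        return Finding(sip_domain, "access-edge", "fail", "no _sip._tls SRV record")
    target = normalize(rec[1])
    if not san_covers(target, edge_sans):
        return Finding(sip_domain, "access-edge", "fail",
                       f"{target} is not in the Edge certificate SAN list")
    if not in_namespace(target, sip_domain):
        # The case described in the quoted blog text: SRV and host records
        # do not share the SIP domain's namespace.
        return Finding(sip_domain, "access-edge", "warn",
                       f"SRV target {target} is outside {sip_domain}: Windows "
                       "clients show a security alert, some devices cannot connect")
    return Finding(sip_domain, "access-edge", "ok", f"{target} matches domain and SAN")


def check_lyncdiscover(sip_domain: str, dns: dict, proxy_sans: list[str]) -> Finding:
    name = f"lyncdiscover.{normalize(sip_domain)}"
    rec = dns.get(name)
    if rec is None:
        return Finding(sip_domain, "lyncdiscover", "info",
                       "no record: mobile auto-configuration is not offered")
    # A TLS client validates the certificate against the name it requested,
    # not against the CNAME target.
    if san_covers(name, proxy_sans):
        return Finding(sip_domain, "lyncdiscover", "ok", "HTTPS discovery works")
    if rec[0] == "CNAME" and not in_namespace(rec[1], sip_domain):
        return Finding(sip_domain, "lyncdiscover", "warn",
                       "cross-domain CNAME without a SAN: the first request must "
                       "use HTTP, so the reverse proxy needs a port 80 rule")
    return Finding(sip_domain, "lyncdiscover", "fail",
                   f"{name} is not covered by the reverse proxy certificate")


def audit(sip_domains: list[str], dns: dict = DNS,
          edge_sans: list[str] = EDGE_SANS,
          proxy_sans: list[str] = PROXY_SANS) -> list[Finding]:
    findings = []
    for domain in sip_domains:
        findings.append(check_access_edge(domain, dns, edge_sans))
        findings.append(check_lyncdiscover(domain, dns, proxy_sans))
    return findings


if __name__ == "__main__":
    domains = ["mslync.net", "tenant-a.example", "tenant-b.example", "tenant-c.example"]
    for f in audit(domains):
        print(f"{f.severity:5} {f.sip_domain:18} {f.check:13} {f.detail}")
```

Every "warn" row is a SIP domain where a SAN was saved at the cost of a client-side trust prompt or an unauthenticated first HTTP request.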

  • Lync 2013 DNS records

    Hello,
    Have been working on my Lync 2013 deployment for a while and until today I am still not quite sure about some DNS entries, especially confused by MS planning tool DNS Report. Here is my setup:
    2013 enterprise, 3 FE servers in a pool (lyncpool01.domain.local), 3 BE SQL servers, 1 WAC server in a farm  (wacfarm.domain.local) , Kemp HLB (cswebint.domain.local and wacfarm.domain.local), TMG server as reverse proxy and 1 edge server ( lyncedge01.domain.local)
    in a pool ( lyncedgepool.domain.local)
    sip domain name: domain.com
    Please help to clarify, in "domain.com" zone on my internal DNS server
    1) lyncdiscoverinternal.domain.com:
    MS planning tool does not have it in DNS report. Should I point it to lyncpool.domain.local as a CNAME record, or 3 A records pointing to the FE servers, or point to the reverse proxy server external DMZ address?
    2) _sipinternaltls._tcp.domain.com
    MS planning tool says pointing to lyncpool01.domain.local, should I point it to sip.domain.com?
    3) cswebint.domain.local and cswebext.domain.com
    Should I point both to the VIP of the kemp HLB?
    4) lyncdiscover.domain.com
    Should I create 3 A records pointing to the FE servers, or one CNAME record pointing to lyncpool01.domain.local?
    Thanks in advance.

    Let me see if I can help you make sense of what you have:
    1. LyncDiscoverInternal
    You don't really need this record as lyncdiscoverinternal just will re-direct you back to lyncdiscover.
    2. _sipinternaltls
    This should be in your internal DNS SRV records, pointing to lyncpool.
    3.  Are you using your Kemps for HLB for all Lync services and/or Lync Web Services?
    I'm going to guess below without knowing:
    cswebext = your external DNS A record for Lync Web Services connectivity point to your reverse proxy solution.  If that is the Kemp in this case, then the DMZ VIP.
    cswebint = your internal DNS A record for Lync Web Services.  This would point to your internal VIP.
    4. LyncDiscover
    This should be an external DNS A record pointing to your reverse proxy, which is the same external VIP as cswebext.
    Hope this helps,
    Adam Curry, UC Consultant, Unify Square Inc.

  • OCS to Lync 2013, move all users over before client deployed?

    Hello, quick question hoping someone can answer...
    We've deployed Lync 2013 and are migrating about 2000 users from OCS across many branch offices, going branch-by-branch.
    Is there any downside to moving ALL 2000 users over to the Lync pool before they have the Lync client deployed to their site? They would still be using Communicator until their site receives the Lync install. I know Communicator works when connecting to
    the Lync pool so I'm guessing this should be OK.
    The problem we're seeing during this transition phase is when an employee travels to a site that's had Lync client deployed but the employee is still on the Communicator pool because their primary site hasn't been upgraded yet, and are thus unable to sign-in
    to Lync.

    I would agree with Anthony, 
    The basic features work with the Communicator clients, but when it comes to conferencing, users will face a lot of problems. Also, a problem has been identified in such a scenario: users homed on the Lync pool and signing in using the OC client experience a weird behavior where their contact lists disappear, then appear again when logging in using a Lync client.
    In summary:
    If you are obliged to use the OC client, please make sure that it is patched with the latest updates released.
    As a best practice, move to the Lync client as soon as possible.
    Regards,
    Charbel Hanna

  • Lync 2013 SQL requirements

    I have a SQL environment which is used for web apps, ERP, CRM and other databases. Can I install my Lync SQL environment onto this SQL server? Is this scenario supported, or do I need dedicated and separate Lync SQL servers?

    It's recommended to use a separate SQL server for Lync (physical or virtual); however, collocating the Lync databases with other SQL databases will work. Considering the cost of SQL licenses, this is not uncommon.
    It is important in either scenario that the SQL servers have adequate resources/performance to be able to handle the load from Lync server in addition to anything else it will be doing. 
    Also note that if you have multiple front end pools, these cannot share a SQL server. (and creating another instance on the same SQL server also does not work)
    Take a look at the Technet information for more: http://technet.microsoft.com/en-us/library/jj205112.aspx and http://technet.microsoft.com/en-us/library/gg398835.aspx
    (refer to Back End Servers)
    Georg Thomas | Lync MVP

  • Lync 2013 sizing for 12000 users

    Hi,
    I have 12000 users to be planned for Lync 2013. Features required: IM/presence, A/V, web conferencing, desktop sharing, persistent chat, external access, federation, etc. HA is required. Below is the sizing; please let me know in case I can reduce any component.
    1. 3 FE servers in a pool + 2 SQL mirrored, 2 Edge servers in a pool, 2 persistent chat servers in a pool + 2 backend mirrored DBs, 2 Web Apps servers ... can I reduce any servers from here?
    2. Two HLBs for external FE traffic, two HLBs for internal FE traffic ... can I reduce any HLB here? Can I reduce DNS load balancing here?
    3. DNS load balancing for an Edge server pool ... do I need to use an HLB in any case?
    find picture for MS planning tool output
    thx

    1. The planning tool is correct, you will need 2 HLBs for the Front End Pool
    2. DNS LB on Edge limitations are a loss of failover with the following:
    Federation with OCS 2007\2007 R2
    Exchange UM for remote users using Exchange UM prior to Exchange 2010 with SP1
    Connectivity to public IM users
    3. If you add a PC pool and add 2 PC servers to the Pool you get HA
    4. WebApp, 2 servers with HLB
    http://technet.microsoft.com/en-us/library/gg615011.aspx
    I just want to point out that often times a lack of full understanding often results in customers requesting the platinum coated solution. In my opinion we can often over complicate a deployment resulting in more risk.
    Do have a read of Jason's thought at http://jasonshave.blogspot.co.nz/2012/11/lync-server-2013-ha-design-changes-and.html

  • Lync 2013 sign in problem

    Well, I did set up everything from scratch according to the Microsoft free ebook about Lync 2013
    and I joined a Win 8.1 PC to my domain.
    When I try to log in it asks me for a password, but when I enter it, it says that
    cant sign in to lync
    you didnt get signed in .it might be your sign-in address or logon credentials, so try those again. if that doesnt work,contact your support team
    I'm desperate guys, please help me

    Hi AliReza Baensaf,
    You can follow the steps below to troubleshoot the issue.
    1. Please check whether or not all the Lync services are running.
    2. Make sure the required DNS records are set up.
    DNS requirements for Front End pool in Lync Server 2013
    DNS requirements for automatic client sign-in in Lync Server 2013
    3. Please try manual configuration to test the issue.
    4. You can enable Lync client logging and use snooper to analyze it.
    5. Install the updates for both Lync server and Lync client.
    Best regards,
    Eric

  • Successfully installed Lync 2013 via Click-to-Run, but getting "Choose your product" prompt

    After installing Lync 2013 client using method Click-to-Run "Deploy Office 365 ProPlus from an on-premises location", downloaded Office source is on local hard drive with the "config.xml" shown below.
    I'm getting "Choose your Product" prompt after signing-in.  We have Office 365 Enterprise E3 plan and we just wanted to upgrade Lync 2010 to Lync 2013 (not the Basic).
    <Configuration>
      <Add SourcePath="E:\Temp" OfficeClientEdition="32">
        <Product ID="LyncRetail">
          <Language ID="en-us" />
        </Product>
        <!-- <Product ID="VisioProRetail">
          <Language ID="en-us" />
        </Product> -->
      </Add>
      <Display Level="NONE" AcceptEULA="TRUE" />
      <Logging Name="OfficeSetup.txt" Path="E:\Temp" />
      <Property Name="AUTOACTIVATE" Value="1" />
    </Configuration>
    Though Lync will continue to work when you close the window.  I need to deploy the full 2013 client to several machines locally.
    Thanks.

    Hello,
    Looks like you've tried a hybrid deployment with Lync 2010 and 2013, right? This might be the reason why Lync 2013 keeps prompting you to choose your product. Lync 2013 will automatically identify the products that it found for the account which you used to log in to Lync 2013.
    So, please try to remove any earlier version (better to remove the whole Office 2010 suite) on your computer and try a fresh installation again. Let's see whether the "Choose your product" prompt appears again.

  • Lync 2013 x64 silent client deployment via SCCM 2012 SP1

    Greetings everyone!
    I ran into a problem with Lync 2013 x64 silent deployment.
    I need to provide every workstation with the Lync 2013 client, so I decided to use deployment via SCCM 2012 SP1.
    I created 2 msp files with OCT, one based on x86 Office 2013 ProPlus, and the other based on x64 Office 2013 ProPlus.
    Added them as applications to the SCCM software library.
    Deployment of the Lync 2013 x86 application was a success with more than 80% compliance.
    But all Lync 2013 x64 automatic installations finish with different errors.
    I created a special device collection for workstations with Office 2010 x64 and 2013 x64, because I can't install products of another architecture once a machine has an x64 product installed.
    My membership query-rules for this collection:
    Office 2013 x64
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where UPPER(SMS_G_System_INSTALLED_SOFTWARE.SoftwareCode) = "{90150000-0011-0000-1000-0000000FF1CE}"
    Office 2010 x64
    select SMS_R_SYSTEM.ResourceID,SMS_R_SYSTEM.ResourceType,SMS_R_SYSTEM.Name,SMS_R_SYSTEM.SMSUniqueIdentifier,SMS_R_SYSTEM.ResourceDomainORWorkgroup,SMS_R_SYSTEM.Client from SMS_R_System inner join SMS_G_System_INSTALLED_SOFTWARE on SMS_G_System_INSTALLED_SOFTWARE.ResourceId = SMS_R_System.ResourceId where UPPER(SMS_G_System_INSTALLED_SOFTWARE.SoftwareCode) = "{90140000-0011-0000-1000-0000000FF1CE}"
    My application deployment type points to setup.exe in the Office 2013 x64 installation folder, where I created the msp file in the updates folder via OCT and edited the config.xml file in the proplus.ww folder.
    So my installation program looks like this: setup.exe /adminfile updates\1lync.msp /config proplus.ww\config.xml
    The same configuration works with the Lync 2013 x86 deployment, except for other setup folders.
    When I try running the installation program setup.exe with /adminfile and /config parameters locally, it installs successfully without errors or warnings.
    I'm trying to find the source of the problem; does anyone have ideas what I am doing wrong?
    Also, I'm trying to reduce the Office 2013 installation folder size. What subfolders are necessary for the Office 2013 ProPlus installation (still installing only Lync with common files and tools)? Because now the 3.5 GB package is quite hard to distribute to SCCM secondary sites with a distribution point.
    Thanks in advance.

    Hi,
    Here are some tips and tricks for your reference.
    Tips and Tricks: Deploying Lync 2013 client using SCCM 2012 | Lync 2013 Client Customization for SCCM 2012 Deployment Package
    http://zahirshahblog.com/2014/01/08/tips-and-tricks-deploying-lync-2013-client-using-sccm-2012-lync-2013-client-customization-for-sccm-2012-deployment-package/

  • Lync 2013 Multi-tenant Hosting Pack third-party solutions available for features listed as "Via Thirdparty"

    Hi,
    Who are all the third party vendors that can integrate with Lync 2013 Multi-tenant hosting pack V2  features that are supported Via 3rd party.
    1) Call park
    2) Outgoing DID manipulation
    3) E-911
    3) Dialplans & Policies
    4) Support for Analog devices (e.g. FAX)
    5) Response groups
    6) Network QoS - DSCP
    7) Phone number management
    8) IM/P & Voice with Skype. 
    9) Interoperability with on-premises video conferencing systems
    Regards,
    SR

    Hi,
    Based on my understanding, as it is the Multi-Tenant environment, in the internal DNS server there is no need to add the DNS A record lyncdiscoverinternal. However, you can try to add the DNS record in the internal DNS server to test the issue as well.
    Also, please make sure you have updated both Lync Server 2013 and Exchange 2013 to the latest version. If not, update it and then test again.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • How to achieve Multi-Tenant in Lync Server 2013 Enterprise Edition

    Hi,
      As LHPv2 is discontinued, does anyone have an idea how to achieve Multi-Tenant in Lync Server 2013 Enterprise Edition?
    E.g. users from different tenants should not be able to communicate unless it is allowed either by federation or any other form.
    J.B.Patnaik

    Once a Topology has been published you cannot change the FQDN.
    Also you can refer to shah-Khan's answer; it will be helpful for you:
    http://social.technet.microsoft.com/Forums/lync/en-US/47d4e101-4f7b-4115-8f44-897eb5410acb/need-to-change-a-published-fqdn-lync-pool-for-lync-enterprise-2010?forum=ocsplanningdeployment
    Mai Ali

  • Lync 2013 Multi Tenant - SIP/2.0 401 Unauthorized

    New Lync 2013 Multi Tenant install. Can provision users in the Primary OU. Users in primary OU login without error.
    Users provisioned in a sub OU can not login to Lync. Provisioning process completes successfully.
    Client prompts for password. Attempts login and fails with:
    You didn't get signed in. It might be your sign-in address or logon credentials. (SIP address and UPN are identical)
    FE logging:
    SIP/2.0 401 Unauthorized
    TL_INFO(TF_PROTOCOL) [0]128C.2E1C::04/15/2014-22:28:42.421.00004ea3 (SIPStack,SIPAdminLog::ProtocolRecord::Flush:ProtocolRecord.cpp(265))[212989229] $$begin_record
    Trace-Correlation-Id: 212989229
    Instance-Id: 3A4
    Direction: outgoing;source="local"
    Peer: edge1.domain.corp:56094
    Message-Type: response
    Start-Line: SIP/2.0 401 Unauthorized
    From: <sip:[email protected]>;tag=57e75cd85f;epid=f7a8f50c07
    To: <sip:[email protected]>;tag=10A7EC7396D5F1EDCEA8D35A0C49F3CB
    Call-ID: 8654248b0dd64d519f42617b862e75bc
    CSeq: 2 REGISTER
    Via: SIP/2.0/TLS 10.200.10.210:56094;branch=z9hG4bK4B6654F6.FADCC8B2E74B96BA;branched=FALSE;ms-received-port=56094;ms-received-cid=20C00
    Via: SIP/2.0/TLS 172.16.232.59:60361;received=10.200.250.206;ms-received-port=43233;ms-received-cid=1E9D00
    Content-Length: 0
    Failed to validate user credentials
    $$end_record
    TL_ERROR(TF_SECURITY) [0]128C.2E1C::04/15/2014-22:28:42.468.0000542a (SIPStack,SIPAdminLog::WriteSecurityEvent:SIPAdminLog.cpp(319))[212989229] $$begin_record
    Text: Failed to validate user credentials
    Result-Code: 0x8009030c SEC_E_LOGON_DENIED
    Source: edge1.domain.internal:56094
    SIP-Start-Line: REGISTER sip:domain.com SIP/2.0
    SIP-Call-ID: 8654248b0dd64d519f42617b862e75bc
    SIP-CSeq: 3 REGISTER
    $$end_record

    Hi,
    Please double check the port between FE server and Edge server.
    Please also check if you add the SAN of sub domain in the Edge external certificate with the help of the link below:
    http://technet.microsoft.com/en-us/library/gg398409.aspx
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Unable to send to external email recipients - Multi Tenant Exchange 2013 - MultiRole servers in DAG

    Greetings all, I hope someone can help.
    I have created an Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Send Connectors are the default ones created during install. Receive connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for many hours with no progress.
    I have created new Send Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    I am at a loss as to why I can't send out with the default configuration. I would assume that email would flow out without any changes, but this does not happen.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

    Greetings all, I hope someone can help.
    I have created an Exchange 2013 multi-tenant organization, with two servers, both multi-role - CAS and Mailbox roles.
    Internal mail flow is fine.
    Incoming mail from external senders is also fine (external email addresses can send to the domain).
    External firewall port forwards ports 443 and 25 to the Internal DAG IP address.
    There are two multi-role Exchange servers that are members of the DAG.
    I am able to connect to OWA and ECP via https://externalIP/OWA and https://alias.domain.com/OWA
    No SSL certificates have been purchased or installed yet.
    Exchange URLs have not been changed since default configuration at install.
    OWA and ECP works both internal and external.
    External DNS works with SPF and PTR records correctly configured
    Exchange RCA - Send test only fails with one Spam Listing (this Blacklist provider now flags all domains and you cannot ask to be removed)
    Receive Connectors are the default ones created during install. Send connector is standard configuration with  - * - 
    When sending email to an external address, I receive a failure notice
    ServerName.test.corp.int gave this error:
    Unable to relay 
    Your message wasn't delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.
    More Info - 
    ServerName.test.corp.int
    Remote Server returned '550 5.7.1 Unable to relay'
    I have been troubleshooting this for several days with no progress.
    I have created new Receive Connectors for the server that is advising that it is unable to relay, but they have all failed.
    I have tried setting the Internal IP address for Exchange Server 1 (Exchange Server 2 reports failure), with most combinations of Security (Anonymous, Exchange Users, etc).
    I have also tried with the IP range 192.168.11.0/24 to allow the whole subnet; I still receive the unable to relay failure notice.
    I have tried this guide - hxxps://glazenbakje.wordpress.com/2012/12/30/exchange-2013-how-to-configure-an-internal-relay-connector/ - with different combinations, still no resolution.
    Even more info - Further troubleshooting -
    I found one of my Exchange servers had an extra NIC. I have since added a second NIC to the other server, so now both Exchange servers have dual NICs. I removed the DAG cleanly and recreated the DAG from scratch, using this link -
    hxxp://careexchange.in/how-to-create-a-database-availability-group-in-exchange-2013/ 
    The issue still exists, even with a newly created DAG. I also found that the Tenant Address Books were not 'applied'. I applied them but still no resolution
    I think the issue is related to multi-tenant configuration even though the error says that it can't relay. The unable to relay message can appear when sending from a domain that the Organization does not support. Like trying to email as [email protected]
    when your domain name is apple.com - But through extensive research I still can't resolve the issue.
    Can someone please assist before I lose my sanity.
    Thanks in advance,
    Terry

  • Exchange 2013 Multi-tenant contact administration

    Hi everybody!
    Searched high and low, but couldn't find an answer.
    I have deployed multi-tenancy Exchange as a service provider, and will look into self service portals later.
    I'm currently developing all the powershell scripts needed to manage the multi tenant environment.
    Question arises:
    How do you handle contacts in a multi-tenant environment?
    Since a SMTP address can only be used once in an Exchange Organization, what if 2 tenants need the same contact?
    - Use customattributes and filter on that? Then what if I want to use the multi-tenant AD for different purposes later?
    - Use custom DACLs on the OU or contacts?
    - Any other ideas?
    Of course I started with
    http://blogs.technet.com/b/exchange/archive/2013/02/20/hosting-and-multi-tenancy-guidance-for-exchange-server-2013-now-available.aspx but there's no mention of this issue.
    Thank you for any input regarding this issue.
    There's a new blog in town: http://msfreaks.wordpress.com

    I would advise against "sharing" contacts, as each tenant's requirements may be different. Meaning each may want to see different values for various attributes. You may want to stand up an ADLDS instance for each tenant which will hold their contacts independently
    of your current Active Directory Forest that houses Exchange. This way, your Exchange Organization remains pristine, no never-ending queues/NDRs for ambiguous SMTP addresses, and each tenant can manage their own contacts without interfering with each
    other. Also, I would look into Forefront Identity Manager (FIM).
    Woody Colling, MCITP Exchange 2010 --The incentive for the experts to answer posts is to get their replies marked as helpful, or as the answer to our questions, help them help us, mark posts accordingly--

  • What are the ports required for the Audio, Video and A/V conferencing when the following end points are enabled for QoS in Lync 2013 server?

    Hi All,
    What are the ports required for the Audio, Video and A/V conferencing when the following clients are enabled for QoS in Lync 2013 server?
    Client Type | Port range and Protocol required for Audio | Port range and Protocol required for Video | Port range and Protocol required for A/V conferencing
    Windows Desktop Client | | |
    Windows mobile App | | |
    iPhone | | |
    iPad | | |
    Android phone | | |
    Android Tablet | | |
    Mac desktop client | | |
    Please advise. Many Thanks.

    Out of the box, 1024-65535 for all of the client ports.  :) 
    https://technet.microsoft.com/en-us/library/gg398833.aspx
    You'll want to tune your client ports a bit
    https://technet.microsoft.com/en-us/library/jj204760.aspx as seen here, and then the client ports would use those ranges which is easier to set QoS markings.  I'm not sure the mobile clients respect that setting.
    Elan's got the best writeup for Windows clients here:
    http://www.shudnow.net/2013/02/16/enabling-qos-for-lync-server-2013-and-various-clients-part-1/
    However, the marking of the packets is the tricky part.  Windows can do it via Group Policy, but for the other clients you'll need to have the network specifically prioritize ports regardless of DSCP markings.  You have to do it based on ports
    as the traffic could be peer to peer.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
    This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.
