Multiple additional SIP domains - certificate and DNS requirements

We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
This is working successfully internally, externally and through Lync Mobile.
However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
In other words, user A has a primary SMTP and SIP address of
UserA@aaaaa_group.com
However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses. (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them.
Wildcard certificates aside, what are the names that I will need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter what it is.
Any thoughts/comments would be very welcome. :-)

Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards, but do plenty of research on how to approach this.  Here are some articles to get started:
http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
For Exchange Server you'll need an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed-in to Lync.  Unless you need users to all use their own domain names for the SimpleURLs (which it doesn't sound like in your scenario) then you'd have to add all those as well.
So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc.  Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
For example:
Edge Server external certificate
Common Name: sip.domain1.com
Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com, etc...
Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
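The SAN rules in the answer above, written out as a small checker (an added example, not code from the thread, from Lync or from the author). It builds the per-certificate name list for a set of SIP domains and then tests a candidate certificate against it using TLS wildcard matching (one label only). Assumptions: `dialin`/`meet` stand in for the primary-domain-only names, the Edge web-conferencing and A/V names are left out, and the domains, CN and SAN values are constructed sample data.

```python
from typing import Dict, List, Set, Tuple


def required_names(primary: str, sip_domains: List[str]) -> Dict[str, Set[str]]:
    """Hostnames each certificate must cover when every SIP domain gets its
    own explicit entries (no wildcards), following the answer above.
    dialin/meet represent the names that stay in the primary domain only
    (assumption); Edge web-conf/AV names are omitted (assumption)."""
    domains = [primary] + [d for d in sip_domains if d != primary]
    sip = {f"sip.{d}" for d in domains}
    discover = {f"lyncdiscover.{d}" for d in domains}
    discover_int = {f"lyncdiscoverinternal.{d}" for d in domains}
    primary_only = {f"dialin.{primary}", f"meet.{primary}"}
    return {
        "edge_external": sip,
        "front_end": sip | discover | discover_int | primary_only,
        "reverse_proxy": discover | primary_only,
    }


def name_covers(cert_name: str, host: str) -> bool:
    """TLS name matching: '*.example.com' covers exactly one leftmost label,
    so it matches sip.example.com but not sip.de.example.com."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        suffix = cert_name[2:]
        if not host.endswith("." + suffix):
            return False
        return "." not in host[: -len(suffix) - 1]
    return cert_name == host


def check_certificate(cn: str, sans: List[str], required: Set[str],
                      phone_edition: bool = False) -> Tuple[Set[str], List[str]]:
    """Return (required hosts the certificate does not cover, list of issues).
    phone_edition=True adds the rule that sip.* hosts need an explicit entry,
    because Lync Phone Edition does not accept wildcards."""
    issues: List[str] = []
    if cn.startswith("*."):
        issues.append("CN is a wildcard; put the primary sip FQDN in the CN and wildcards in the SAN")
    if cn not in sans:
        issues.append("CN is not repeated in the SAN list")
    names = [cn] + list(sans)
    missing: Set[str] = set()
    for host in sorted(required):
        matches = [n for n in names if name_covers(n, host)]
        if not matches:
            missing.add(host)
        elif phone_edition and host.startswith("sip.") and all(m.startswith("*.") for m in matches):
            issues.append(f"{host} is only covered by a wildcard; add an explicit SAN entry for Phone Edition")
    return missing, issues


# Constructed sample: the primary domain plus three acquired domains named in
# the question, one of which is itself a subdomain of another.
PRIMARY = "aaaaa_group.com"
SIP_DOMAINS = ["bbbbb_co.uk", "ccccc_company.com", "de.ccccc_company.com"]
REQUIRED = required_names(PRIMARY, SIP_DOMAINS)

# Hybrid certificate as suggested in the answer: explicit CN, wildcards in the SAN.
HYBRID_CN = "sip.aaaaa_group.com"
HYBRID_SANS = ["sip.aaaaa_group.com", "*.aaaaa_group.com", "*.bbbbb_co.uk", "*.ccccc_company.com"]

if __name__ == "__main__":
    for role, hosts in REQUIRED.items():
        print(f"{role}: {len(hosts)} names without wildcards")
    missing, issues = check_certificate(HYBRID_CN, HYBRID_SANS,
                                        REQUIRED["edge_external"], phone_edition=True)
    print("missing on Edge:", sorted(missing))  # sip.de.ccccc_company.com is not covered by *.ccccc_company.com
    for issue in issues:
        print("issue:", issue)
```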

Similar Messages

  • Server 2012 std not able to see Domain, DC and DNS on Win SBS 2008 std Domain

    Hi There
    I have a HP ML 110 G5 SBS 2008 std server as my DC on my network. I recently added a HP Microserver running Server 2012 std (with no roles or features installed) to act solely as a file server for a 3rd party program as the program was not running efficiently on the main server.
    The problem I am having now is that the 2012 server keeps falling off the domain and cannot contact the DNS server. I have also had to re-enable remote desktop several times. It also shows the 2012 Server as being on a private firewall profile and not on the domain firewall profile but I suspect that this is part of the same problem.
    The resulting problem that this is causing is that the local machines that need to contact an SQL database on the 2012 fileserver intermittently either time out or are very slow to connect.
    So far I have tried: 
    Switching from Static IP to DHCP. 
    Re-adding the server to the domain. 
    Stopping and restarting DNS services on the DC.
    Checking physical Network connections and routing.
    Putting the 2012 server into the same Organizational Unit as the 2008 DC. 
    Has anyone else encountered this problem when adding a 2012 server to a 2008 domain?  I have a feeling that the solution is probably something simple that I've overlooked, but I can't think what.  Any help would be greatly appreciated. 
    Regards
    Russ
    Also, as some additional info -
    Event viewer gives the following errors:
    Group Policy Error:
    Log Name:      System
    Source:        Microsoft-Windows-GroupPolicy
    Date:          2015-04-27 01:17:51 PM
    Event ID:      1129
    Task Category: None
    Level:         Error
    Keywords:      
    User:          SYSTEM
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The processing of Group Policy failed because of lack of network connectivity to a domain controller. This may be a transient condition. A success message would be generated once the machine gets connected to the domain controller and Group Policy has successfully processed. If you do not see a success message for several hours, then contact your administrator.
    DNS Error:
    Log Name:      System
    Source:        Microsoft-Windows-DNS-Client
    Date:          2015-04-27 04:54:58 PM
    Event ID:      8015
    Task Category: (1028)
    Level:         Warning
    Keywords:      
    User:          NETWORK SERVICE
    Computer:      [SERVERNAME].[DOMAIN].local
    Description:
    The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings:
               Adapter Name : {3DDD0E46-D879-48C0-9DF6-5FAC0F1A56C4}
               Host Name : [SERVERNAME]
               Primary Domain Suffix : [DOMAIN].local
               DNS server list :
    192.168.2.10
               Sent update to server : <?>
               IP Address(es) :
                 192.168.2.15
    The reason the system could not register these RRs was because the update request it sent to the DNS server timed out. The most likely cause of this is that the DNS server authoritative for the name it was attempting to register or update is not running at this time. You can manually retry DNS registration of the network adapter and its settings by typing 'ipconfig /registerdns' at the command prompt. If problems still persist, contact your DNS server or network systems administrator.

    Can you post an ipconfig /all from the server and the DC?
    Robert Pearman SBS MVP
    itauthority.co.uk

  • Domain Trust and DNS

    Hello,
    We have a 2-way domain trust between a Windows 2003 domain and a 2008 domain.  Nearly all works, we can share folder permissions etc but what we can't do on their domain is add a PC on their network that is part of our domain.
    The error is:
    it can't find the SRV record for _ldap._tcp.dc._msdcs.ukdomain.local.
    if they go to their DNS and look at the secondary forward lookup zone for ukdomain.local it doesn't show a zone called _msdcs under ukdomain.local; instead outside my zone we have a separate zone called _msdcs.gb.vo.local like this:
    DC1
    ----->Forward Lookup Zones
    -------->_Msdcs.ukdomain.local
    -------->ukdomain.local
    I thought it should look like this:
    DC1
    ----->Forward Lookup Zones
    ------->ukdomain.local
    --------->_Msdcs
    Thanks

    If you are on their network can you ping their domain?
    If not then you have a DNS, routing, or firewall issue.
    Are ports being blocked?  For DNS, add a conditional forwarder to point to DNS for the other Domain and do the same on the other side, this will work better in 2008 as it's replicated to the forest.
    Testing Domain Controller Connectivity Using PORTQRY
    Protocol and Port | AD and AD DS Usage | Type of traffic
    TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
    TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
    TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
    TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
    TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
    TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
    TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
    TCP 25 | Replication | SMTP
    TCP 135 | Replication | RPC, EPM
    TCP Dynamic | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
    UDP 123 | Windows Time, Trusts | Windows Time
    TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
    UDP Dynamic | Group Policy | DCOM, RPC, EPM
    UDP 138 | DFS, Group Policy | DFSN, NetLogon, NetBIOS Datagram Service
    TCP 9389 | AD DS Web Services | SOAP
    UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but it is often present in many AD DS deployments.) | DHCP, MADCAP
    UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
    TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
    If it answered your question, remember to “Mark as Answer”.
    If you found this post helpful, please “Vote as Helpful”.
    Postings are provided “AS IS” with no warranties, and confers no rights.
    Active Directory: Ultimate Reading Collection
    Active Directory Visio Stencils 2013 - Directory Services Visio Stencils
    Kelly Bush
    It appears that you've copied and posted the chart, with some editing,
    from my blog, link posted below. No problem, as long as it helps the poster. :-)
    Active Directory Firewall Ports – Let’s Try To Make This Simple
    http://blogs.msmvps.com/acefekay/2011/11/01/active-directory-firewall-ports-let-s-try-to-make-this-simple/
    Also, I would like to add that for firewall checks, make sure the ephemeral ports are opened. These are the important random response ports. The ports are dependent on the operating system version.
    Here's the matrix:
    Ephemeral Ports:
    And most of all, the Ephemeral ports, also known as the “service response ports,” that are required for communications. These ports are dynamically created for session responses for each client that establishes a session (no matter what the ‘client’ may be) and are used only for that session. Once the session has dissolved, the ports are put back into the pool for reuse. This applies not only to Windows, but to Linux and Unix as well. See below in the references section to find out more on what ‘ephemeral’ means.
    TCP & UDP 1025-5000 | Windows 2003/XP and older | Ephemeral Dynamic Service Response Ports
    TCP & UDP 49152-65535 | Windows 2008/Vista and newer | Ephemeral Dynamic Service Response Ports
    TCP Dynamic Ephemeral | Replication, User and Computer Authentication, Group Policy, Trusts | RPC, DCOM, EPM, DRSUAPI, NetLogonR, SamR, FRS
    UDP Dynamic Ephemeral | Group Policy | DCOM, RPC, EPM
    If the scenario is a Mixed-Mode NT4 & Active Directory scenario with NT4 BDCs, then the following must be opened:
    TCP & UDP 1024 – 65535 | NT4 BDC to Windows 2000 or newer Domain controller PDC-E communications | RPC, LSA RPC, LDAP, LDAP SSL, LDAP GC, LDAP GC SSL, DNS, Kerberos, SMB
    Ace Fekay
    MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
    Microsoft Certified Trainer
    Microsoft MVP - Directory Services
    Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
    This posting is provided AS-IS with no warranties or guarantees and confers no rights.

  • Lync 2013 certificate requirements for multiple SIP domains

    Hi All,
    I am engaged with a client in respect of a Lync 2013 implementation initially as a conferencing platform with a view to enabling EV functions (inc. PSTN conferencing) in the future. They initially need to support 30 SIP domains and eventually around 100 SIP domains which is proving to be either not possible or severely cost prohibitive. Their current certificate provider, Thawte, can only support up to 25 SANs and have quoted them 5 figures. We tend to use GeoTrust as they are cheaper but they appear to have a limit of 25 SANs. GoDaddy appear to support up to 100 SANs for a pretty reasonable cost. My questions are as follows:
    1. Is there a way that I’m missing of reducing the number of SANs required on the Edge server?
       a. Use aliases for access edge FQDNs - Supported by desktop client but not by other devices so not really workable
       b. Don’t support XMPP federation therefore removing the need for domain name FQDNs for each SIP domain
    2. Is there a way that I’m missing of reducing the number of SANs required on the Reverse Proxy server?
       a. Friendly URL option 3 from this page: http://technet.microsoft.com/en-us/library/gg398287.aspx
       b. Client auto-configuration:
          i. Don’t support mobile client auto-configuration in which case no lyncdiscover.sipdomain1.com DNS records or SANs would be required.
          ii. Support mobile client auto-configuration over HTTP only in which case CNAME records are required for each SIP domain (lyncdiscover.sipdomain1.com, etc. pointing to lyncdiscover.designateddomain.com) but no SANs are required.
          iii. Support mobile client auto-configuration over HTTPS in which case DNS records are required for each SIP domain and a SAN entry for each SIP domain is also required. This is because a DNS CNAME to another domain is not supported over HTTPS.
    3. If the answer to 1 and/or 2 is no, are there certificate providers that support over 100 SANs?
    4. How do certificate requirements differ when using the Lync 2013 hosting pack? I would think that this issue is something that a hosting provider would need to overcome.
    5. Would the Lync 2013 Hosting Pack work for this customer? The customer uses SPLA licensing so I think is eligible to use the hosting pack but not 100% sure it will work in their environment given that client connections are supposed to all come through the Edge where their tenants will be internal and also given the requirement for an ACP for PSTN conferencing.
    Many thanks,

    Many thanks for the response.
    I was already planning to use option 3 from the below page for simple URLs to cut down on SAN requirement.
    http://technet.microsoft.com/en-us/library/gg398287.aspx
    What are the security concerns for publishing autodiscover over port 80? I.e. Is this only used for the initial download of the discovery record and then HTTPS is used for authentication? This seems to be the case from the following note on the below page:
    http://technet.microsoft.com/en-gb/library/hh690030.aspx
    “Mobile device clients do not support multiple Secure Sockets Layer (SSL) certificates from different domains. Therefore, CNAME redirection to different domains is not supported over HTTPS. For example, a DNS CNAME record for lyncdiscover.contoso.com that redirects to an address of director.contoso.net is not supported over HTTPS.
    In such a topology, a mobile device client needs to use HTTP for the first request, so that the CNAME redirection is resolved over HTTP. Subsequent requests then use HTTPS. To support this scenario, you need to configure your reverse proxy with a web publishing rule for port 80 (HTTP).
    For details, see "To create a web publishing rule for port 80" in Configuring the Reverse Proxy for Mobility. CNAME redirection to the same domain is supported over HTTPS. In this case, the destination domain's certificate covers the originating domain.”
    I don’t think SRV records for additional SIP domain access edge is a workable solution as this is not supported by some devices.
    As per the below article:
    http://blog.schertz.name/2012/07/lync-edge-server-best-practices/
    “The recommended approach for external client Automatic Sign-In when supporting multiple SIP domains is to include a unique Access Edge FQDN for each domain name in the SAN field.  This is no longer a requirement (it was in OCS) as it is possible to create a DNS Service Locator Record (SRV) for each additional SIP domain yet have them all point back to the same original FQDN for the Access Edge service (e.g. sip.mslync.net).
    This approach will trigger a security alert in Windows Lync clients which can be accepted by the user, but some other clients and devices are unable to connect when the Automatic Sign-In process returns a pair of SRV and Host (A) records which do not share the same domain namespace.  Thus it is still best practice to define a unique FQDN for each additional SIP domain and include that hostname in the external Edge certificate’s SAN field”.
    ===================
    1. Basically the requirement is to initially provide Lync conferencing services (minus PSTN conferencing) to internal, external, federated and anonymous participants with a view to providing PSTN conferencing and therefore enterprise voice services later.
    2. The customer currently supports close to 100 SMTP domains and wants to align their SIP domains with these existing domains. The structure of their business is such that “XXX IT Services” provide the IT infrastructure for a collection of companies who
    fall under the XXX umbrella but are very much run as individual entities.
    Question:
    Would you agree that I’m going to need a SAN for every SIP domain’s access edge FQDN?
    Thanks.

  • How would I request skype for two sip domains and one edge

    I have a couple of logistic questions.
    scenario:
    1 edge server : lync-edge-access.domain1.com (fqdn of access server)
    2 sip domains: domain1.com and domain2.com
    public certificate with SN: lync-edge-access.domain1.com as well as all of the SAN's including sip.domain1.com and sip.domain2.com
    3 A records with the same IP: sip.domain1.com, sip.domain2.com, lync-edge-access.domain1.com.
    2 srv records pointing to sip.domain1.com and sip.domain2.com on port 5061. (Since they have the same IP as lync-edge-access.domain1.com and that server's certificate has names for all of them I figure this is a correct method to set them up.)
    My first question was when I requested my federation with Skype via Microsoft with my license agreement number it asked me for the fqdn of my access edge server. I figured this would be lync-edge-access.domain1.com. It then asked me for my sip domains and I added two, domain1.com and domain2.com. Did I do this correctly or should I have put in two requests, one for fqdn of sip.domain1.com and sip domain of domain1.com and one for sip.domain2.com and domain domain2.com. Or should I change my srv records to both point to lync-edge-access.domain1.com?
    Currently when I am looking for contacts in Skype I can't find my accounts and vice versa if I add an account in lync for Skype it just reports offline. So I figure I did something wrong with my logic above. I can easily request an update but I want to make sure I get it right this time.
    Thanks
    Loren
    Loren Hudson

    Hi Loren
    As far as I know, you could add one or more SIP domain names at the same time.
    To initiate the provisioning process for Lync-Skype connectivity:
    1. Sign in to the website, https://pic.lync.com, using your Microsoft Windows Live ID.
    2. Select the Microsoft licensing agreement type.
    3. Select the check box, verifying that you have read and accept the Product Use Rights for Lync Server.
    4. On the Initiate a Provisioning Request page, click the appropriate link to initiate a provisioning request.
    5. On the Specify Provisioning Information page, enter the Access Edge service FQDN. For example, accessedge.contoso.com.
    6. Enter at least one or more SIP domain names, and then click Add.
    7. In the list of Public IM Service providers, select Skype, and click Next to add contact information, and submit the provisioning request.
    Click the link below for more information.
    Accessing the Lync Server public IM connectivity provisioning site from Lync Server 2013
    http://technet.microsoft.com/en-us/library/dn440174.aspx
    Hope it can be helpful.
    Best regards,
    Eric

  • Add SIP Domain to Lync 2013

    Hello, I'm looking to add an additional SIP domain to Lync 2013 Standard.  We plan to give a group of users a login with the new SIP domain and add them to an existing front end pool. 
    Aside from adding the SIP domain within Topology Builder, what are the other steps required (certificate, etc?).  Thanks.

    Take a look at Shawn Kirkpatrick's blog: http://blog.lyncfreak.com/2011/10/04/adding-new-sip-domains-to-lync/
    also: http://ucsip.wordpress.com/2013/03/06/lync-add-additional-sip-domains-to-an-already-deployed-environment/
    Please mark posts as answers/helpful if it answers your question.
    Blog
    Lync Validator - Used to assist in the validation and documentation of Lync Server 2013.

  • Lync 2013 DNS requirements in a multi tenant deployment

    Hi All,
    We are planning to deploy lync 2013 enterprise in a two site (pool) deployment. Both the sites are separated by a WAN link.
    Our primary SIP domain is xyz.com
    For site A, we have
    1) A pool name siteApool.xyz.com
    2) 2 FEs name siteAfe001.xyz.net and siteAfe002.xyz.net
    3) A edge for external access siteAedge
    For site B, we have
    1) A pool name siteBpool.xyz.com
    2) A FE name siteBfe001.xyz.net
    Site B users will use the edge at site A for external access.
    As per the r&d we know that following records are required for external access 
    Access/webcon/av.xyz.com
    _sip_tls.xyz.com
    Apart from that we also need following service URL records as well
    dialin.xyz.com
    meet.xyz.com
    admin.xyz.com
    sip.xyz.com
    Our problem starts here because we only manage the xyz.net DNS, not the xyz.com DNS (it is our public DNS), which raises two questions:
    1) As both the internal and external users are going to use the same service URL records (dialin/meet/admin/sip.xyz.com), how can we make sure that when a user uses Lync on the office LAN the service URLs will be resolved by the xyz.net DNS and will not get routed to xyz.com (public DNS) for DNS resolution?
    2) As I said, we have a two site deployment and we need common service URL records (dialin/meet/admin/sip.xyz.com) to be used by users at both sites. How can I make sure that when a user at site A asks for dialin/meet/admin/sip.xyz.com it gets routed to siteApool.xyz.com and when a user at site B asks for dialin/meet.xyz.com it gets routed to siteBpool.xyz.com? We need such functionality to save unnecessary WAN traffic.
    Please help me to figure out the most suitable design.
    Thanks,
    Mohit Taneja

    Hi Mohit Taneja,
    Some additional information.
    About the DNS requirements, you could refer to the following article.
    http://technet.microsoft.com/en-us/library/gg398082.aspx
    About the network traffic, it depends on where exactly the user is hosted. Central site does not decide the media traffic. If the user is hosted in site-B and organizes the meeting, media has to travel via WAN if you don’t have an edge server in site-B.
    Best regards,
    Eric

  • Lab setup multiple SIP domains for federation

    I have been setting up multiple Lync 2013 lab environments and have a question about my external DNS environment. I have installed server 2012R2 on the host running the lab with its own domain (contoso.local). I have this server which hosts a separate domain, Hyper-V and a CA, this is what I am using for my external environment. The network IP is 10.0.0.0/16.
    I set up a server called vRouter that has 3 NICs. In Hyper-v I have 3 virtual switches configured. One for the External environment - 10.0.0.0/16 (not necessary for lab, setup to transfer needed files from internet to VMs), one for 192.168.1.0/24, and one with 192.168.2.0/24. The virtual router has RRAS installed and can route traffic between 192.168.1.0/24 and 192.168.2.0/24.
    My VMs for the lab are as follows.
    1test.local
    AD1.1test.local -192.168.1.100
    FE1.1test.local - 192.168.1.200
    Edge1 - 192.168.1.210int, 10.0.5.10ext
    2test.local
    AD2.1test.local -192.168.1.100
    FE2.1test.local - 192.168.1.200
    Edge2.1test.local - 192.168.1.210int, 10.0.6.10ext
    Both environments have users that can log into lync and message each other.
    When installing the Edge servers I used the same FQDN and IP for the external interface since all ports are open and firewalls have been disabled internally. I installed the internal certificate from the AD server which has the CA role in each environment. On the external device I used the Host's CA to get certificates for both Edge servers. The Edge servers have 2 NICs, one on their expected internal environment with no Gateway, and one on the external environment. These servers are not part of any domain. However, I did add contoso.local to the primary DNS suffix when domain membership changes under system properties. I then created the two following A records on the host computer (10.0.0.0/16 network, contoso.local) to be able to route their external traffic.
    Edge1.contoso.local 10.0.5.10
    Edge2.contoso.local 10.0.6.10
    Both of these FQDNs are what is in my topology for the Access Edge service, Web Conferencing Edge Service, and A/v Edge Service with the same IP using different ports in both environments.
    Both environments are set up to support the other SIP domain. However when I try to add a user from the other domain I cannot communicate with that user nor see their presence.
    I looked over my external DNS settings and realized that I had not set a SRV record on the 10.0.0.0/16 network (external).
    I then realized that if I try to add the traditional _sipfederationtls._tcp.contoso.local I will have 2 conflicting entries.
    One for:
    _sipfederationtls._tcp.contoso.local - 10.0.5.10 (1test.local edge)
    and one for:
    _sipfederationtls._tcp.contoso.local - 10.0.6.10 (2test.local edge)
    Should I spin up another VM and make that a DC with a CA and trust it to the host computer, set up conditional forwarders. Something like Trust.local and correct the DNS, topology builder FQDN, and certificates on the second edge server?
    Edge2.trust.local
    Or can I add a new zone to my host computer then correct the DNS, topology builder FQDN, Certificates?
    Or am I missing another external DNS record on my contoso.local environment?
    Can I set up a CNAME entry that will mask the second edge server?
    Any input would be appreciated.
    Thanks

    If contoso.com is not a sip domain, then you won't need that DNS record at all.  Those records are autodiscover records that Lync uses based upon the sip domain. 
    So you'd need
    _sipfederationtls._tcp.1test.local
    and
    _sipfederationtls._tcp.2test.local
    What effectively happens, is when someone on the outside tries to IM
    [email protected], their Lync edge server will see the 1test.local and query the appropriate above record for it so it knows where to communicate.
    Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
    SWC Unified Communications
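The DNS side of the same multi-SIP-domain problem, covering the SRV/host-namespace and lyncdiscover CNAME rules quoted in the Lync 2013 thread above and the per-SIP-domain federation SRV record explained in the lab answer just above (an added example, not code from either thread, from Lync or from Microsoft). Assumptions: the SRV and CNAME records are a constructed in-memory table standing in for real DNS answers, and "same namespace" is taken to mean the target host ends with the SIP domain.

```python
from typing import Dict, List


def signin_srv_name(sip_domain: str) -> str:
    """SRV record an external client queries for automatic sign-in."""
    return f"_sip._tls.{sip_domain}"


def federation_srv_name(sip_domain: str) -> str:
    """SRV record a remote Edge queries when one of its users IMs someone at sip_domain."""
    return f"_sipfederationtls._tcp.{sip_domain}"


def lyncdiscover_name(sip_domain: str) -> str:
    return f"lyncdiscover.{sip_domain}"


def same_namespace(host: str, sip_domain: str) -> bool:
    """True when host sits inside the SIP domain's DNS namespace (assumption: suffix test)."""
    host, sip_domain = host.lower(), sip_domain.lower()
    return host == sip_domain or host.endswith("." + sip_domain)


def check_signin_srv(sip_domain: str, srv_targets: Dict[str, str]) -> List[str]:
    """srv_targets maps SRV name -> target host; a constructed stand-in for DNS lookups."""
    name = signin_srv_name(sip_domain)
    target = srv_targets.get(name)
    if target is None:
        return [f"no {name} record: automatic sign-in for {sip_domain} will fail"]
    if not same_namespace(target, sip_domain):
        # The shortcut the quoted article describes: desktop clients warn, some devices fail.
        return [f"{name} -> {target} leaves the {sip_domain} namespace: desktop clients warn, "
                f"some devices cannot connect; add sip.{sip_domain} to the Edge SAN and target it"]
    return []


def check_federation_srv(sip_domain: str, srv_targets: Dict[str, str]) -> List[str]:
    name = federation_srv_name(sip_domain)
    if name not in srv_targets:
        return [f"no {name} record: remote Edge servers cannot locate {sip_domain}"]
    return []


def lyncdiscover_mode(sip_domain: str, cnames: Dict[str, str]) -> str:
    """How mobile autodiscover can start for sip_domain, given its CNAME (if any):
    'https'      same-domain CNAME, the destination certificate covers the origin
    'http-first' cross-domain CNAME, needs the port 80 publishing rule, then HTTPS
    'host+san'   no CNAME: host record plus a SAN entry for lyncdiscover.<domain>"""
    target = cnames.get(lyncdiscover_name(sip_domain))
    if target is None:
        return "host+san"
    return "https" if same_namespace(target, sip_domain) else "http-first"


# Constructed records: a primary domain with its own Edge and two acquired domains.
SRV_TARGETS = {
    "_sip._tls.aaaaa_group.com": "sip.aaaaa_group.com",
    "_sip._tls.bbbbb_co.uk": "sip.aaaaa_group.com",  # cross-namespace shortcut
    "_sipfederationtls._tcp.aaaaa_group.com": "sip.aaaaa_group.com",
}
CNAMES = {
    "lyncdiscover.aaaaa_group.com": "webext.aaaaa_group.com",
    "lyncdiscover.bbbbb_co.uk": "lyncdiscover.aaaaa_group.com",
}


def audit(sip_domains: List[str]) -> Dict[str, List[str]]:
    """Findings per SIP domain across sign-in, federation and discovery records."""
    report: Dict[str, List[str]] = {}
    for d in sip_domains:
        findings = check_signin_srv(d, SRV_TARGETS) + check_federation_srv(d, SRV_TARGETS)
        findings.append(f"lyncdiscover: {lyncdiscover_mode(d, CNAMES)}")
        report[d] = findings
    return report


if __name__ == "__main__":
    for domain, findings in audit(["aaaaa_group.com", "bbbbb_co.uk", "ccccc_company.com"]).items():
        print(domain)
        for f in findings:
            print("  -", f)
```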

  • Multiple email domain certificates

    Hello Experts,
    We have Exchange 2013 and want to host 5 email domains with that Exchange server. Exchange sits on Win 2012 and has been configured with autodiscover properly and it works for one domain. Please advise how we can configure a public DigiCert certificate for 5 email domains. Do we need to request 5 DigiCert SAN certificates and import them into the Exchange 2013 server and assign each domain separately?
    Or can I buy one DigiCert SAN certificate with 5 domain support and import and configure it for 5 email domains in Exchange 2013?
    We want to enable certificates for OWA, Outlook Anywhere.
    Please advise.
    Thanks!
    Regards, Ganesh, MCTS, MCP, ITILV2 This posting is provided with no warranties and confers no rights. Please remember to click Mark as Answer and Vote as Helpful on posts that help you. This can be beneficial to other community members reading the thread.

    Hi,
    Agree with Ed, we can add all the host names Autodiscover.*.com and the names in the OWA URLs in one certificate or multiple certificates.
    Alternatively, to simplify the namespace, we can depend on Autodiscover redirection and public CNAME or SRV records.
    To configure Autodiscover Redirection for the Multi-Tenant Organization, you can refer to the following article:
    http://technet.microsoft.com/en-us/library/ff923256.aspx
    For more information about the simpler method, you can refer to the following article:
    http://social.technet.microsoft.com/wiki/contents/articles/5787.exchange-2010-multi-tenant-autodiscover-and-dns-configuration.aspx
    Moreover, here is a document about multi-tenancy (Hosted) Exchange 2013:
    http://go.microsoft.com/fwlink/p/?LinkId=282659
    Thanks,
    Angela Shi
    TechNet Community Support
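The reply above offers two routes: put every `autodiscover.<domain>` name on one multi-name certificate, or keep the certificate to the shared namespace and let Autodiscover redirection or public SRV records send Outlook there. The following planner is an added example, not code from the thread or from Microsoft or DigiCert: it produces the SAN list and the DNS records each route needs and emits an OpenSSL request config for the chosen SAN set. All host and domain names are constructed placeholders (`mail.hoster.example` stands in for the shared OWA / Outlook Anywhere host); the `_autodiscover._tcp` SRV record form is the standard Outlook Autodiscover SRV lookup.

```python
"""Plan certificate SANs and DNS records for hosting several mail domains on one Exchange server.

Added example, not from the thread. All host and domain names are
constructed placeholders: mail.hoster.example stands in for the shared
OWA / Outlook Anywhere namespace, and the five customer domains are
the kind of list the question describes.
"""

SHARED_NAMES = ["mail.hoster.example", "autodiscover.hoster.example"]
MAIL_DOMAINS = ["alpha.example", "beta.example", "gamma.example",
                "delta.example", "epsilon.example"]


def san_plan(shared_names, mail_domains, strategy):
    """Return {"sans": [...], "dns": [(name, rtype, value), ...]}.

    "per-domain": put autodiscover.<domain> on the certificate for every
        hosted domain (the single multi-name certificate option).
    "srv": keep only the shared names on the certificate and publish an
        _autodiscover._tcp SRV record per hosted domain that points Outlook
        at the shared host (the Autodiscover redirection / SRV option).
    """
    if strategy not in ("per-domain", "srv"):
        raise ValueError(f"unknown strategy: {strategy}")
    sans = {n.lower() for n in shared_names}
    dns = []
    primary = shared_names[0].lower()
    for domain in mail_domains:
        d = domain.lower()
        if strategy == "per-domain":
            sans.add(f"autodiscover.{d}")
            # the per-domain name must resolve to the shared server
            dns.append((f"autodiscover.{d}", "A/CNAME", primary))
        else:
            # SRV: priority 0, weight 0, port 443, target = shared host
            dns.append((f"_autodiscover._tcp.{d}", "SRV", f"0 0 443 {primary}"))
    for name in sans:
        # the thread's concern: keep wildcards out of the request
        if "*" in name:
            raise ValueError(f"wildcard SAN not allowed in this plan: {name}")
    return {"sans": sorted(sans), "dns": dns}


def openssl_san_config(common_name, sans):
    """Build an OpenSSL req config (for `openssl req -new -config <file>`) listing the SANs."""
    if common_name not in sans:
        raise ValueError("CN must also appear in the SAN list")
    lines = [
        "[req]", "distinguished_name = dn", "req_extensions = v3_req", "prompt = no",
        "", "[dn]", f"CN = {common_name}",
        "", "[v3_req]", "subjectAltName = @alt_names",
        "", "[alt_names]",
    ]
    lines += [f"DNS.{i} = {name}" for i, name in enumerate(sans, start=1)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for strategy in ("per-domain", "srv"):
        plan = san_plan(SHARED_NAMES, MAIL_DOMAINS, strategy)
        print(f"{strategy}: {len(plan['sans'])} SAN(s), {len(plan['dns'])} DNS record(s)")
        for record in plan["dns"]:
            print("   ", *record)
    print(openssl_san_config(SHARED_NAMES[0], san_plan(SHARED_NAMES, MAIL_DOMAINS, "srv")["sans"]))
```

With five hosted domains the per-domain route needs seven SANs and five A/CNAME records; the SRV route needs only the two shared names on the certificate and five SRV records, which is the namespace simplification the reply points to. The generated config is only the request side; the CSR still has to go to the CA as usual.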

  • Multiple (but separate) domain problem & Apple's slow and useless response

    I am having problem with multiple (but separate) domain. I opened a ticket.
    Here is Apple's slow and useless response and my follow up.
    This follow up is not going to resolve the issues I am having. The sites are not in one domain file. I have split them into separate domains. I found that the simplest change to any page made the publishing process extremely and reasonably slow. If I updated a single site, iWeb republishes the whole conglomeration; hardly the most efficient way.
    I have several directories under the ~/Library/Application Support/iWeb/ directory with separate Domain.sites2 files for each site:
    consultingAM.com
    DarkAssassinMovie.com
    Fuzzy Llama Junior Optimist Club
    GulfportOptimist.com
    OptimistView
    pAwesomeProductions.com
    www.nfdoi.com
    With the previous version of iWeb, I navigated to a specific ~/Library/Application Support/iWeb/ directory, selected the Domain.site file, and opened it. This would open iWeb with the selected domain. Several of the sites have their blog page with the RSS subscribe option.
    Once I made the update, all I usually had to do was publish site and all was well. Occasionally, I would have to do a publish all if I changed domains. All in all, I had no problems with publishing once I found the right steps to be able to maintain multiple domains.
    Now, using the default publish or publish all process, all I get is the last site I published. In order to get things semi-functional, I published a site, then I would go to iDisk/Web/Sites/ directory, select the folder name for the site I had just published, then copy it or move it to iDisk/Web/Sites/iWeb directory. This was rather slow and I suspect it is not an approved solution, but it semi-worked. My sites are back up, but they are not fully functional.
    Is there anyway to get back to using the ~/Library/Application Support/iWeb/ directory (separate Domain.sites file for each site) process to publish multiple sites? If not, is there any way to suck in the various domains back into one? If that is possible, will it take hours to publish the combined 2-3GB like it did with the previous version?
    How do I reverse the 'personal domain' process? I do not want to do this at this time. I just wanted to see what the steps were. I have done the first step, but not the second.
    I was glad to see some of the changes made in the upgrade (web widgets, maps, html snippets, theme switching), but I am too happy about the changes made by the upgrade process. In the past, I upgraded my Apple related stuff as soon as it came out. Based on this upgrade, that won't happen again.
    It took you guys 5 days to get back to me (during which time several of my sites were down) and I do not believe the information you provided is going to solve my specific problems. I am very disappointed with the results of this upgrade. Clearly there was inadequate testing of this product before it was released. I cannot recall seeing the Apple discussion forums with hundreds of topics and thousands of posts within a week or two of a new release. Apple had to upgrade iWeb in the first week, another poor sign.
    Apple is beginning to slip back to the pack; all vendors all below average. Apple is getting more like Microsoft everyday. First Apple delays the release of an OS upgrade so they can concentrate on a freaking phone, now you release software that is so buggy it should be classified as beta at best.
    Some of the changes/problem I am seeing since the upgrade (in addition to the problems mentioned previously) are:
    layout changes; some of my pages no longer look the same; some of the changes are so bad the pages are unreadable
    broken photo pages; some of my photo pages no longer work; some of them have no text or pictures
    file/page name changes; why would Apple change the location of the files; now my domains are not pointing to the right location; special characters (like spaces, ampersands, etc.) are handled differently in this version; specifically, I see that spaces are changed to underscores (_); iWeb used to use '%20' for spaces; what was Apple thinking?
    broken 3rd party themes; I know Apple is not responsible for 3rd party themes, but you should certainly be aware that they exist
    Based on what I am seeing online, most of the people who are complaining about major iWeb issues are not newbies; based on the technical details in the threads, there are clearly some experienced people who are trying to figure things out. I have lost many hours trying to figure this mess out. I now have to review hundreds of pages to try to get things to look and work the way they did before the upgrade. I have had to handle dozens of phone calls and emails from my viewers and subscribers trying to explain the situation.
    I googled 'iweb 08 *****' and got nearly 50,000 hits! I think Apple better get in front of this train before it gets run over.
    On Aug 19, 2007, at 11:09 AM, .Mac Support wrote:
    Dear David,
    I understand that you are experiencing an issue viewing some of your websites published in iWeb:
    I have examined all of the published pages and they appear to load and function as expected. If you published your website to .Mac, you can visit it either of these ways:
    - In iWeb, click the Visit button in the lower-left corner.
    - Enter the following URL into a web browser:
    http://web.mac.com/daviddawley/
    If you have published more than one website, the URL above will take you to the default website, which is the first website listed in iWeb. To visit another website you have created in iWeb, use the following URL format:
    http://web.mac.com/daviddawley/iWeb/YourSiteName
    Using this form, the web addresses for the two sites you mentioned would be:
    http://web.mac.com/daviddawley/iWeb/FuzzyLlamaJuniorOptimist.com
    http://web.mac.com/daviddawley/iWeb/pAwesomeProductions.com
    To change the default website, simply open iWeb, and in the Site Organizer, drag the desired default website to the top and republish to .Mac.
    NOTE: Be sure to give each website a unique name. This will help prevent one website from overwriting another. For further information, refer to the following article:
    iWeb: Do not use similar names for your sites
    http://www.info.apple.com/kbnum/n303042
    If you still experience issues with the website, try the following troubleshooting steps:
    WAIT SEVERAL MINUTES
    If your website has movies, you may need to wait several minutes after going to the website before the movies are ready to play. The QuickTime Player icon indicates that a movie is still loading.
    CLEAR YOUR BROWSER CACHE
    If you use Safari, you can clear your browser cache by choosing Empty Cache from the Safari menu. If you use another browser, consult that browser’s documentation if you need assistance in clearing your browser cache.
    UPDATE YOUR BROWSER
    Make sure you are using the latest available version of your web browser when viewing pages published in iWeb. If you use Safari, you can check for updates by choosing Software Update from the Apple menu. If there are any available Safari, Security, or Mac OS X updates, install those updates and try looking at your website again.
    If you use another browser, consult that browser’s documentation if you need assistance in updating the browser.
    TRY ANOTHER BROWSER
    If you use a Mac, try viewing your website with Safari or Firefox. If you use Windows, try Internet Explorer 6 or Firefox. Firefox is a free download available here: http://getfirefox.com
    TRY ANOTHER NETWORK
    If possible, try viewing your website from another network or Internet connection. If you can successfully view the website from another network, please consult your network administrator or Internet service provider (ISP) to resolve this issue.
    Important: Mention of third-party websites and products is for informational purposes only and constitutes neither an endorsement nor a recommendation. Apple assumes no responsibility with regard to the selection, performance, or use of information or products found at third-party websites. Apple provides this only as a convenience to our users. Apple has not tested the information found on these sites and makes no representations regarding its accuracy or reliability. There are risks inherent in the use of any information or products found on the Internet, and Apple assumes no responsibility in this regard. Please understand that a third-party site is independent from Apple and that Apple has no control over the content on that website.
    Sincerely,
    Mel
    .Mac Support
    http://www.apple.com/support/dotmac
    http://www.mac.com/learningcenter
    Support Subject : iWeb
    Sub Issue : I can't publish to .Mac from iWeb
    Comments : I was interested in forwarding one of several iWeb based sites to one of my domains. I wanted to see what the steps were. I believe I inadvertently started the process for moving the site to www.nfdoi.com site. I have several sub directories under the ~/Library/Application Support/iWeb directory with separate domain.sites files (now domain.sites2).
    I was going through all of my domain.sites files and opening them in iWeb08; then publishing them. Somewhere along the line everything blew up. Most of my iWeb sites no longer function, It appears that every other iweb site other www.nfdoi.com is down EXCEPT the last one I published. I have made a mess of things and would appreciate any help.
    Don't work:
    http://web.mac.com/daviddawley/FuzzyLlamaJuniorOptimist.com
    http://web.mac.com/daviddawley/pAwesomeProductions.com
    Works:
    http://web.mac.com/daviddawley/Optimist_View/OptimistView.com/OptimistView.com.html
    ========= PLEASE USE THE SPACE ABOVE TO DESCRIBE THE ISSUE BASED ON THE QUESTIONS BELOW =========
    1. What version of iWeb are you using to publish to .Mac? iLife 08
    2. When did you first notice this issue? After publishing a few sites.
    3. What happens, including any error messages, when you try to publish your site?
    --------------------- Additional Info -------------------------
    Alternate email address : [email protected]
    OS Version : Mac OS X 10.4.10
    Browser Type : Safari 2.x
    Category : I can't publish to .Mac from iWeb
    Connection Type :Other
    TrackID: 4154168

    Just got off the phone with Apple Support.  Their procedure was the following:
    1.  Go to the Apple TV, select settings, general and scroll down to reset.
    2.  Select reset and then select reset all
    Apple TV will go through a restart after the reset and you will have to select your network then log in with your network or Airport Express password.  You will then have to turn on Home Sharing and it will then ask you for your Apple ID for the iTunes Store and then the password.  At this point you may not see your library, because the Apple TV wants you to turn on Home Sharing on your home computer that is hosting the movie library.  Turn off Home Sharing on that computer, restart iTunes and turn on Home Sharing again.  After this is done you should be able to see your library listed under the computer.
    After going through these steps, when I select an HD movie from my iTunes library the movie comes up after about a 5 second delay.
    Hope this helps!  I am back up for business.

  • CUPS 8.6 - Supporting Multiple SIP Domains on a per-user basis

    Working on a CUPS 8.6 PoC with a customer who currently is running a deployed OCS environment. 
    Users all sign into a single domain internally but have multiple SMTP domains for email, as this customer has many different companies they have acquired.
    OCS is able to support and route multiple SIP domains by specifying the SIP address under AD User settings, such that two users both signed into the same OCS server can send IMs to each other even though they have different SIP addresses: sip:[email protected], sip:[email protected]
    CUPS on the other hand does not seem to allow this on a per-user basis.  It places every user in the SIP domain that the server is a member of.
    The Jabber client allows you to specify a domain, but I am not sure how this is used, as the actual user account in CUPS is only ever the one domain, and if you try to specify a different domain in the Jabber Connection Settings, it will not allow you to log in.
    It is not a big deal for internal communications if everyone is on the same domain, but where it is important is for future B2B IM.  Users need to be able to give out THEIR IM address with THEIR respective domain.
    Does anyone else know for a fact that I will only be able to have one domain per CUP cluster?
    Any thoughts on this design?

    Not sure on the design perspective, but as for the CUPS domain, we can only have a single domain per cluster. As you have already found out, for any user licensed for CUPS, their IM address would be userid@CUPSDomain.
    CUPS does have the functionality of federating with foreign domains such as AOL/GoogleTalk/WebEx Connect.

  • Deleted failed DC from the domain (Server 2012 R2) - Now after doing metadata and DNS cleanup, I can no longer promote a new DC to the domain

    I work for a university and teach IT courses to undergrad and graduate students. The details below pertain to an isolated lab environment.
    I had a storage failure in my lab and the DCs became corrupt. This is a university lab environment so there isn't anything crucial on here. I just would rather avoid rebuilding the domain/forest and would rather use this as a learning experience with my students...
    So after the storage failed and was restored, the VMs hosted became corrupt. I did an NTDSUTIL to basically repair the NTDS.dit file but one of my DCs reverted to a state before DC promotion. Naturally, the domain still had this object in AD. After numerous failed attempts at trying to reinstall the DC on the server through the Server Manager wizard in 2012 R2, I decided that a metadata cleanup of the old failed object was necessary.
    Utilizing this article, I removed all references of the failed DC from both AD and DNS (http://www.petri.com/delete_failed_dcs_from_ad.htm)
    So now that the failed object is removed completely from the domain and the metadata cleanup was successful, I then proceeded to re-install the necessary AD DS role on the server and re-promote to the existing domain. Pre-requisites pass but generate some warnings around DNS Delegation and Dynamic Updates (delegation is ignored because the lab is isolated from external comms, and dynamic updates are in fact enabled on both my _msdcs and root domain zones).
    Upon the promotion process, I get the following error message (also worth mentioning: the account performing these operations is a member of DA, EA, and Schema Admins):
    The operation failed because:
    Active Directory Domain Services could not create the NTDS Settings object for this Active Directory Domain Controller CN=NTDS Settings,CN=domainVMDC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu on the remote AD DC domainVMDC2. Ensure the provided network credentials have sufficient permissions.
    "While processing a change to the DNS Host Name for an object, the Service Principal Name values could not be kept in sync."
    As you can see, this error seems odd considering. Now that I'm down to a single DC and DNS server, the sync should be corrected. I've run a repadmin /syncall and it completed successfully. Since then, I've run dcdiags and dumped those to a text file as well, and here are my results...
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       Home Server = domainVMDC2
       * Identified AD Forest. 
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             ......................... domainVMDC2 passed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Advertising
             ......................... domainVMDC2 passed test Advertising
          Starting test: FrsEvent
             ......................... domainVMDC2 passed test FrsEvent
          Starting test: DFSREvent
             ......................... domainVMDC2 passed test DFSREvent
          Starting test: SysVolCheck
             ......................... domainVMDC2 passed test SysVolCheck
          Starting test: KccEvent
             ......................... domainVMDC2 passed test KccEvent
          Starting test: KnowsOfRoleHolders
             ......................... domainVMDC2 passed test KnowsOfRoleHolders
          Starting test: MachineAccount
             ......................... domainVMDC2 passed test MachineAccount
          Starting test: NCSecDesc
             ......................... domainVMDC2 passed test NCSecDesc
          Starting test: NetLogons
             ......................... domainVMDC2 passed test NetLogons
          Starting test: ObjectsReplicated
             ......................... domainVMDC2 passed test ObjectsReplicated
          Starting test: Replications
             ......................... domainVMDC2 passed test Replications
          Starting test: RidManager
             ......................... domainVMDC2 passed test RidManager
          Starting test: Services
             ......................... domainVMDC2 passed test Services
          Starting test: SystemLog
             A warning event occurred.  EventID: 0x00001795
                Time Generated: 12/18/2014   00:35:03
                Event String:
                The program lsass.exe, with the assigned process ID 476, could not authenticate locally by using the target name ldap/domainvmdc2.domain.school.edu. The target name used is not valid. A target name should
    refer to one of the local computer names, for example, the DNS host name.
             ......................... domainVMDC2 passed test SystemLog
          Starting test: VerifyReferences
             ......................... domainVMDC2 passed test VerifyReferences
       Running partition tests on : ForestDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=ForestDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=3098109a-ff99-41d4-8926-0e814ac8efde,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... ForestDnsZones failed test
             CrossRefValidation
       Running partition tests on : DomainDnsZones
          Starting test: CheckSDRefDom
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (DC=DomainDnsZones,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=2f0b8ac0-2630-441a-891f-b5fcb91498a8,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... DomainDnsZones failed test
             CrossRefValidation
       Running partition tests on : Schema
          Starting test: CheckSDRefDom
             ......................... Schema passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Schema,CN=Configuration,DC=domain,DC=school,DC=edu) we
                encountered the following error retrieving the cross-ref's
                (CN=Enterprise Schema,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Schema failed test CrossRefValidation
       Running partition tests on : Configuration
          Starting test: CheckSDRefDom
             ......................... Configuration passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition
                (CN=Configuration,DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=Enterprise Configuration,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... Configuration failed test CrossRefValidation
       Running partition tests on : domain
          Starting test: CheckSDRefDom
             ......................... domain passed test CheckSDRefDom
          Starting test: CrossRefValidation
                For the partition (DC=domain,DC=school,DC=edu) we encountered
                the following error retrieving the cross-ref's
                (CN=domain,CN=Partitions,CN=Configuration,DC=domain,DC=school,DC=edu)
                 information: 
                   LDAP Error 0x52e (1326). 
             ......................... domain failed test CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: LocatorCheck
             ......................... domain.school.edu passed test
             LocatorCheck
          Starting test: Intersite
             ......................... domain.school.edu passed test Intersite
    From what I can gather, there is a definite DNS issue but I don't have any stale records to the old DC stored anywhere. I've tried this with a new server as well and get similar errors... 
    At this rate I'm ready to rebuild the entire forest over again. I'm just reluctant to do so as I want to make this a learning experience for the students. 
    Any help would be greatly appreciated. Thanks!
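Long dcdiag dumps like the one above are easier to triage once the pass/fail lines and the error detail under each test are pulled out mechanically. The parser below is an added example, not code from the thread or from Microsoft: it walks dcdiag output, pairs each dotted `passed test` / `failed test` line with the error lines printed since the preceding `Starting test:` line, copes with result lines whose test name wraps onto the next line (as `CrossRefValidation` does in the dump above), and decodes the Win32 code inside `LDAP Error 0x52e (1326)`, which is ERROR_LOGON_FAILURE. The sample text is constructed to follow dcdiag's layout; the server and domain names in it are placeholders.

```python
"""Summarise dcdiag output: which tests passed or failed and the errors behind them.

Added example, not from the thread. DCDIAG_SAMPLE is a constructed excerpt
modelled on the layout dcdiag prints (dotted "passed test" / "failed test"
lines, indented error detail, "LDAP Error 0x... (nnnn)" codes, and a result
line whose test name wraps onto the next line). Server and domain names
are placeholders.
"""
import re

DCDIAG_SAMPLE = """\
Doing primary tests
   Testing server: Default-First-Site-Name\\LABDC2
      Starting test: Connectivity
         ......................... LABDC2 passed test Connectivity
      Starting test: SystemLog
         A warning event occurred.  EventID: 0x00001795
            Time Generated: 01/01/2015   00:00:00
         ......................... LABDC2 passed test SystemLog
   Running partition tests on : ForestDnsZones
      Starting test: CrossRefValidation
            For the partition
            (DC=ForestDnsZones,DC=lab,DC=example) we encountered
            the following error retrieving the cross-ref's
             information:
               LDAP Error 0x52e (1326).
         ......................... ForestDnsZones failed test
         CrossRefValidation
   Running enterprise tests on : lab.example
      Starting test: DNS
            TEST: Basic (Basc)
               Error: No LDAP connectivity
         ......................... lab.example failed test DNS
"""

START_RE = re.compile(r"^\s*Starting test: (\S+)")
RESULT_RE = re.compile(
    r"^\s*\.{5,}\s+(?P<subject>\S+)\s+(?P<verdict>passed|failed) test\s*(?P<test>\S+)?\s*$")
LDAP_ERR_RE = re.compile(r"LDAP Error 0x([0-9a-fA-F]+) \((\d+)\)")

# Win32 error codes that dcdiag surfaces inside LDAP errors; 1326 is
# ERROR_LOGON_FAILURE ("The user name or password is incorrect").
WIN32_ERRORS = {1326: "ERROR_LOGON_FAILURE"}


def parse_dcdiag(text):
    """Return a list of {subject, test, verdict, errors} in output order."""
    results, current_test, pending = [], None, []
    for line in text.splitlines():
        m = START_RE.match(line)
        if m:
            current_test, pending = m.group(1), []
            continue
        m = LDAP_ERR_RE.search(line)
        if m:
            code = int(m.group(2))
            pending.append({"ldap": "0x" + m.group(1).lower(), "win32": code,
                            "meaning": WIN32_ERRORS.get(code, "unknown")})
            continue
        if "Error:" in line or "warning event occurred" in line:
            pending.append({"text": line.strip()})
            continue
        m = RESULT_RE.match(line)
        if m:
            results.append({"subject": m.group("subject"),
                            # a wrapped result line carries no test name; fall back to "Starting test:"
                            "test": m.group("test") or current_test,
                            "verdict": m.group("verdict"),
                            "errors": pending})
            pending = []
    return results


def failed_tests(results):
    """(subject, test) pairs for every failed test."""
    return [(r["subject"], r["test"]) for r in results if r["verdict"] == "failed"]


if __name__ == "__main__":
    for r in parse_dcdiag(DCDIAG_SAMPLE):
        print(f"{r['verdict']:6} {r['subject']:15} {r['test']:20} {len(r['errors'])} error(s)")
```

Feed it a saved `dcdiag /v` dump and `failed_tests()` gives the short list to work through; the decoded `win32` code is what distinguishes an authentication failure (1326) from a name-resolution or connectivity problem when the surrounding text looks alike.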

    As you can see, there seem to be some errors. The one that I did correct was the one around the _msdcs NS record being unable to resolve. For whatever reason, the name wasn't resolving to the IP but all other NS tabs and records were. Just that one _msdcs sub-zone. Furthermore, the mentioning of any connections to root hint servers can be viewed as false positives. There is no external comms to this lab so no communication with outside IPs can be expected. Lastly, they mentioned a connectivity issue yet mention that I should check the firewall settings. All three profiles are disabled in Windows Firewall (as they have been the entire time). Thank you in advance for your help!
    C:\Windows\system32>dcdiag /test:dns /v
    Directory Server Diagnosis
    Performing initial setup:
       Trying to find home server...
       * Verifying that the local machine domainVMDC2, is a Directory Server.
       Home Server = domainVMDC2
       * Connecting to directory service on server domainVMDC2.
       * Identified AD Forest.
       Collecting AD specific global data
       * Collecting site info.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectCategory=ntDSSiteSettings),.......
       The previous call succeeded
       Iterating through the sites
       Looking at base site object: CN=NTDS Site Settings,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       Getting ISTG and options for the site
       * Identifying all servers.
       Calling ldap_search_init_page(hld,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu,LDAP_SCOPE_SUBTREE,(objectClass=ntDSDsa),.......
       The previous call succeeded....
       The previous call succeeded
       Iterating through the list of servers
       Getting information for the server CN=NTDS Settings,CN=domainVMDC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=domain,DC=school,DC=edu
       objectGuid obtained
       InvocationID obtained
       dnsHostname obtained
       site info obtained
       All the info for the server collected
       * Identifying all NC cross-refs.
       * Found 1 DC(s). Testing 1 of them.
       Done gathering initial info.
    Doing initial required tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Starting test: Connectivity
             * Active Directory LDAP Services Check
             The host
             3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
             could not be resolved to an IP address. Check the DNS server, DHCP,
             server name, etc.
             Got error while checking LDAP and RPC connectivity. Please check your
             firewall settings.
             ......................... domainVMDC2 failed test Connectivity
    Doing primary tests
       Testing server: Default-First-Site-Name\domainVMDC2
          Test omitted by user request: Advertising
          Test omitted by user request: CheckSecurityError
          Test omitted by user request: CutoffServers
          Test omitted by user request: FrsEvent
          Test omitted by user request: DFSREvent
          Test omitted by user request: SysVolCheck
          Test omitted by user request: KccEvent
          Test omitted by user request: KnowsOfRoleHolders
          Test omitted by user request: MachineAccount
          Test omitted by user request: NCSecDesc
          Test omitted by user request: NetLogons
          Test omitted by user request: ObjectsReplicated
          Test omitted by user request: OutboundSecureChannels
          Test omitted by user request: Replications
          Test omitted by user request: RidManager
          Test omitted by user request: Services
          Test omitted by user request: SystemLog
          Test omitted by user request: Topology
          Test omitted by user request: VerifyEnterpriseReferences
          Test omitted by user request: VerifyReferences
          Test omitted by user request: VerifyReplicas
          Starting test: DNS
             DNS Tests are running and not hung. Please wait a few minutes...
             See DNS test in enterprise tests section for results
             ......................... domainVMDC2 passed test DNS
       Running partition tests on : ForestDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : DomainDnsZones
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Schema
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : Configuration
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running partition tests on : domain
          Test omitted by user request: CheckSDRefDom
          Test omitted by user request: CrossRefValidation
       Running enterprise tests on : domain.school.edu
          Starting test: DNS
             Test results for domain controllers:
                DC: domainVMDC2
                Domain: domain.school.edu
                   TEST: Authentication (Auth)
                      Authentication test: Successfully completed
                   TEST: Basic (Basc)
                      Error: No LDAP connectivity
                      The OS
                      Microsoft Windows Server 2012 R2 Datacenter (Service Pack level: 0.0)
                      is supported.
                      NETLOGON service is running
                      kdc service is running
                      DNSCACHE service is running
                      DNS service is running
                      DC is a DNS server
                      Network adapters information:
                      Adapter [00000010] vmxnet3 Ethernet Adapter:
                         MAC address is 00:50:56:A2:2C:24
                         IP Address is static
                         IP address: *.*.100.26
                         DNS servers:
                            *.*.100.26 (domainVMDC2) [Valid]
                      No host records (A or AAAA) were found for this DC
                      The SOA record for the Active Directory zone was found
                      The Active Directory zone on this DC/DNS server was found primary
                      Root zone on this DC/DNS server was not found
                   TEST: Forwarders/Root hints (Forw)
                      Recursion is enabled
                      Forwarders are not configured on this DNS server
                      Root hint Information:
                         Name: a.root-servers.net. IP: 198.41.0.4 [Invalid (unreachable)]
                         Name: b.root-servers.net. IP: 192.228.79.201 [Invalid (unreachable)]
                         Name: c.root-servers.net. IP: 192.33.4.12 [Invalid (unreachable)]
                         Name: d.root-servers.net. IP: 199.7.91.13 [Invalid (unreachable)]
                         Name: e.root-servers.net. IP: 192.203.230.10 [Invalid (unreachable)]
                         Name: f.root-servers.net. IP: 192.5.5.241 [Invalid (unreachable)]
                         Name: g.root-servers.net. IP: 192.112.36.4 [Invalid (unreachable)]
                         Name: h.root-servers.net. IP: 128.63.2.53 [Invalid (unreachable)]
                         Name: i.root-servers.net. IP: 192.36.148.17 [Invalid (unreachable)]
                         Name: j.root-servers.net. IP: 192.58.128.30 [Invalid (unreachable)]
                         Name: k.root-servers.net. IP: 193.0.14.129 [Invalid (unreachable)]
                         Name: l.root-servers.net. IP: 199.7.83.42 [Invalid (unreachable)]
                         Name: m.root-servers.net. IP: 202.12.27.33 [Invalid (unreachable)]
                      Error: Both root hints and forwarders are not configured or
                      broken. Please make sure at least one of them works.
                   TEST: Delegations (Del)
                      Delegation information for the zone: domain.school.edu.
                         Delegated domain name: _msdcs.domain.school.edu.
                            Error: DNS server: domainvmdc2. IP:<Unavailable>
                            [Missing glue A record]
                            [Error details: 9714 (Type: Win32 - Description: DNS name does not exist.)]
                   TEST: Dynamic update (Dyn)
                      Test record dcdiag-test-record added successfully in zone domain.school.edu
                      Warning: Failed to delete the test record dcdiag-test-record in zone domain.school.edu
                      [Error details: 13 (Type: Win32 - Description: The data is invalid.)]
                   TEST: Records registration (RReg)
                      Network Adapter [00000010] vmxnet3 Ethernet Adapter:
                         Matching CNAME record found at DNS server *.*.100.26:
                         3a38b19c-4bb3-4542-acb6-9e5e97cc15c4._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.a9241004-88ea-422d-a71e-df7b622f0d68.domains._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._udp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kpasswd._tcp.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _kerberos._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _gc._tcp.Default-First-Site-Name._sites.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.Default-First-Site-Name._sites.gc._msdcs.domain.school.edu
                         Matching  SRV record found at DNS server *.*.100.26:
                         _ldap._tcp.pdc._msdcs.domain.school.edu
                   Error: Record registrations cannot be found for all the network
                   adapters
             Summary of test results for DNS servers used by the above domain
             controllers:
                 DNS server: 128.63.2.53 (h.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 128.63.2.53
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.112.36.4 (g.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.112.36.4
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.203.230.10 (e.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.203.230.10
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.228.79.201 (b.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.228.79.201
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.33.4.12 (c.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.33.4.12
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.36.148.17 (i.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.36.148.17
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.5.5.241 (f.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.5.5.241
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 192.58.128.30 (j.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 192.58.128.30
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 193.0.14.129 (k.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 193.0.14.129
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 198.41.0.4 (a.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 198.41.0.4
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 199.7.83.42 (l.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.83.42
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 199.7.91.13 (d.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 199.7.91.13
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                 DNS server: 202.12.27.33 (m.root-servers.net.)
                    1 test failure on this DNS server
                    PTR record query for the 1.0.0.127.in-addr.arpa. failed on the DNS server 202.12.27.33
                    [Error details: 1460 (Type: Win32 - Description: This operation returned because the timeout period expired.)]
                DNS server: *.*.100.26 (domainVMDC2)
                   All tests passed on this DNS server
                    Name resolution is functional.
                    _ldap._tcp SRV record for the forest root domain is registered
             Summary of DNS test results:
                                                Auth Basc Forw Del  Dyn  RReg Ext
                Domain: domain.school.edu
                   domainVMDC2                 PASS FAIL FAIL FAIL WARN FAIL n/a
             ......................... domain.school.edu failed test DNS
          Test omitted by user request: LocatorCheck
          Test omitted by user request: Intersite

  • Need clarification on DNS, Certificate and URL? during 2010 to 2013 migration

    Hi Guys,
    I am working on a migration project Lync server 2010 to 2013.
    Lync 2010 Standard Edition and Edge 
    Lync 2013 Ent edition and Edge  (Enterprise Voice "SIP Trunk")
    I need a few clarifications on how to set up the DNS, certificates and URLs pre- and post-migration.
    Shall we use the existing Lync 2010 internal and external URLs for Lync 2013, or do we need to set up new URLs for Lync 2013?
    How about the DNS records and certificates?
    I have gone through the blogs below but need a clear understanding of this part..
    http://lyncdude.com/2013/08/11/understanding-lync-dns-records-and-autoconfiguration/
    https://technet.microsoft.com/en-us/library/hh690044.aspx
    and a few more....
    Thanks,
    Balakrishna G
    Regards, Balgates

    Hi,
    Agree with Thamara.Wijesinghe.
    You need different Web service URLs for Lync Server 2010 and Lync Server 2013. If you only have the Web service URL for Lync Server 2010, then Lync 2013 mobile will fail to connect to the FE Server. If you point the Web service URL to the Lync Server 2013 Pool, then both Lync 2010 and 2013 mobile clients will connect to the FE Server successfully.
    Best Regards,
    Eason Huang
    TechNet Community Support

  • Autodiscover, domain controllers, and certificate errors

    I have just deployed an Exchange 2013 server in one of my sites. I'm having tons of issues with it, but one issue I'm having trouble thinking through goes like this:
    All users have email addresses of the form <user>@domain.com. Domain.com is our internal domain name and also a public domain. Now, in a Windows environment, if you were to nslookup domain.com within our network it
    will resolve to any one of the domain controllers. On our infrastructure master DC there is an IIS website, with SSL, that handles certificate services for our internal CA.
    Here's my problem: When a user opens Outlook and autodiscover attempts to find their Exchange connection info it first tries to reach the site
    https://domain.com/autodiscover/autodiscover.xml. If that PC happens to resolve domain.com to the DC that has our certificate services website on it then the Outlook client sends a certificate error.
    If the client is prior to Outlook 2013, the mailbox configuration just halts and throws an error.
    What do I do to prevent this?

    Hi,
    Yes, we can have the following “switches”
    PreferLocalXML
    ExcludeHttpRedirect
    ExcludeHttpsAutoDiscoverDomain
    ExcludeHttpsRootDomain
    ExcludeScpLookup
    ExcludeSrvRecord
    ExcludeLastKnownGoodURL
    Thanks,
    Simon Wu
    TechNet Community Support
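    The Outlook Autodiscover registry values listed in the reply above are per-user DWORDs under the Office version's AutoDiscover key; setting one to 1 removes that lookup step from the client's probe order. The script below is an added example, not code from the thread or from Microsoft: it applies ExcludeHttpsRootDomain so Outlook skips the https://domain.com/autodiscover/autodiscover.xml probe that lands on the DC's certificate-services site in the question, and leaves SCP, autodiscover.domain.com and SRV lookups in place. It assumes Outlook 2013 (15.0) and/or Outlook 2016 and later (16.0) are the installed versions; other versions use their own x.0 key.

```powershell
# Added example: disable only the root-domain HTTPS Autodiscover probe in Outlook.
# Assumption: Outlook 2013 (15.0) and/or 2016+ (16.0); adjust $OfficeVersions for others.
# For a fleet, push the same value as a Group Policy Preference registry item instead
# of running this per user.

$OfficeVersions = @('15.0', '16.0')

foreach ($v in $OfficeVersions) {
    $outlookKey = "HKCU:\Software\Microsoft\Office\$v\Outlook"
    $key        = "$outlookKey\AutoDiscover"

    # Skip versions of Outlook that are not installed for this user.
    if (-not (Test-Path $outlookKey)) { continue }
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }

    # 1 = do not try https://<smtp-domain>/autodiscover/autodiscover.xml.
    # Only this step is excluded; SCP lookup (domain-joined clients), the
    # autodiscover.<domain> probe and the _autodiscover._tcp SRV record stay
    # enabled so Outlook can still locate Exchange.
    New-ItemProperty -Path $key -Name 'ExcludeHttpsRootDomain' `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Review the result: every Exclude* value set to 1 removes a discovery
    # step, so the list should stay short and documented.
    Write-Host "Autodiscover overrides for Office $v:"
    Get-ItemProperty -Path $key | Select-Object -Property Exclude*, PreferLocalXML
}
```

    Note that this is a client-side workaround for the symptom (the certificate-name mismatch on the DC's site); the server-side fixes are a certificate whose name matches what the client connects to, or DNS that does not send the root-domain name to a host that was never meant to answer Autodiscover.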

  • ISE EAP-Chaining with machine, certificate and domain credentials

    Good morning,
    A customer wants to do the following for their corporate wireless users (all clients will be customer assets):
    Corp. wireless to authenticate with 2-factor authentication:
    1. Certificate
    2. Machine auth through AD
    3. Domain creds
    When client authenticates, they want to match on 2 out of the 3 conditions before allowing access.
    Clients are Windows laptops and corporate iPhones.
    Certs can be issued thru GPO and MDM for iPhones
    Client supplicant on laptops is native Windows - which I understand is a compatibility issue from this thread: https://supportforums.cisco.com/thread/2185627
    My first question is: can this be done?
    Second question: how would I implement this from an AuthC/AuthZ perspective?
    Thanks in advance,
    Andrew

    You can do this by configuring AnyConnect with the NAM module on the endpoints! But it doesn't make sense to configure some clients with certificates and others with domain credentials...
    For your information, I'm actually configuring EAP-Chaining on ISE 1.2 and I'm getting some problems. The first one I got with Windows 8: for some reason Windows was sending wrong information about the machine password, but I solved the problem by installing a KB on the Windows 8 machines (http://support.microsoft.com/kb/2743127/en-us). The second one I got with Windows 7, which is sending the domain information correctly but wrong information about the user credentials; in the ISE logs I can see that Windows 7 is sending user "anonymous" + machine name on the first login... after Windows 7 starts, if I remove the cable and connect again, the authentication and authorization happen correctly. I am still investigating the root cause and whether there is a KB to solve the problem, as I did with Windows 8.
    Good luck and keep in touch.
