Need clarification on DNS, Certificate and URL? during 2010 to 2013 migration

Hi Guys,
I am working on a migration project Lync server 2010 to 2013.
Lync 2010 Standard Edition and Edge 
Lync 2013 Ent edition and Edge  (Enterprise Voice "SIP Trunk")
I need a few clarifications on how to set up the DNS, certificates and URLs pre- and post-migration.
Shall we use the existing Lync 2010 internal and external URLs for Lync 2013, or do we need to set up new URLs for Lync 2013?
How about the DNS records and certificates?
I have gone through the blogs below but need a clear understanding of this part.
http://lyncdude.com/2013/08/11/understanding-lync-dns-records-and-autoconfiguration/
https://technet.microsoft.com/en-us/library/hh690044.aspx
and few more....
Thanks,
Balakrishna G
Regards, Balgates

Hi,
Agree with Thamara.Wijesinghe.
You need different Web service URLs for Lync Server 2010 and Lync Server 2013. If you only have a Web service URL for Lync Server 2010, then Lync 2013 mobile will fail to connect to the FE Server. If you point the Web service URL to the Lync Server 2013 pool, then both Lync 2010 and 2013 mobile clients will connect to the FE Server successfully.
Best Regards,
Eason Huang
TechNet Community Support

Similar Messages

  • AS2 Certificates and URL

    Hi,
    We are setting up a party and going to exchange via AS2.
    As the messages would involve outbound and inbound, they had forwarded their certificates along with URL path.
    Also, they were requesting GLN number.  Please let me know what is it about.

    Hi Krish,
    >>As the messages would involve outbound and inbound, they had forwarded their certificates along with URL path.
    Now you need to provide your certificates and URL. Generally there should be a template for exchanging this information...
    GLN number is an identification number, through which your messages are identified.. we call it as AS2ID
    Regards
    Suraj

  • Mailbox Move Issues and Errors - Exchange 2010 to 2013

    I'm trying to move mailboxes from 2010 to 2013, but I'm experiencing a lot of issues.
    My move batches keep hanging (stalled) for minutes and hours on end, and I can't seem to keep them going consistently.
    I have two DAGs, one for Archive boxes, and one for Primary mailboxes. Each DAG has three members with DB copies of each DB. The nodes and the clusters themselves are up and healthy. However, at random some of the DBs' Content Index state will go to Failed or SuspendedandFailed. At which point I force a catalog refresh and DB index update, and it goes to healthy.
    I've created the "ContentSubmitters" AD group (and assigned it permissions), reset the Search and Host controller services on each server, and restarted the Replication service. I also deleted and recreated the Index for each DB prior to restarting
    services. No dice. I've also already moved the system mailboxes over to the 2013 databases.
    I'm also getting some "Transient" errors in the user move log, things like this: 
    Transient error ResourceUnhealthyException has occurred. The system will retry"
    5/4/2014 8:43:55 AM [exmb1] The job encountered too many transient failures (60) and is quitting.
    5/4/2014 8:43:55 AM [exmb1] Fatal error ResourceUnhealthyException has occurred.
    Error: MigrationPermanentException: Warning: Target mailbox unlock operation was not replicated. If a lossy failover occurs after the target mailbox was unlocked, the target mailbox could remain inaccessible. Error details: The store ID provided isn't an ID of an item. --> MapiExceptionNetworkError: Unable to open entry ID. (hr=0x80040115, ec=0) Diagnostic context: Lid: 45025 Lid: 45345 StoreEc: 0x80040115 Lid: 22894 Lid: 24942 StoreEc: 0x80040115
    Any ideas would be appreciated!!!

    Hi 
    I would suggest you to run the below command for this "My move batches keep hanging (stalled) for minutes and hours on end" issue and see the result
    Get-MoveRequest -Identity "Mailbox Name" | Get-MoveRequestStatistics -IncludeReport | FL Report
    Just check if the MRS health is fine by running the below command
    Test-MRSHealth -Identity "CAS Server" -MonitoringContext $true | Export-CliXml "C:\temp\CAS_MRSHealth.xml"
    and look at the XML file to get more information.

    When I run the Test command against either of my CAS servers, I get: " 'EXCH1' does not have the right Exchange Server version or role required to support this operation."
    When I run that command against any of the mailbox servers, it completes and generates the XML file, but I'm not sure what I need to be looking for within that file.
    The first command spits out a ton of data, here's a little excerpt:
    5/5/2014 8:59:28 AM [exmb1] Transient error ResourceUnhealthyException has occurred. The system will retry
    (2/60).
    5/5/2014 9:00:02 AM [exmb1] The Microsoft Exchange Mailbox Replication service 'exmb1.contoso.com'
    (15.0.847.31 caps:03FF) is examining the request.
    5/5/2014 9:00:07 AM [exmb1] Connected to target mailbox 'Primary (072dc240-bd79-495c-b7f2-c571e8f910f2)',
    database 'newmbi', Mailbox server 'Exmb1.contoso.com' Version 15.0 (Build 847.0).
    5/5/2014 9:00:07 AM [exmb1] Connected to target mailbox 'Archive (812ee554-4a1e-4feb-b591-a435fcbdee16)',
    database 'newarci', Mailbox server 'EXARC2.contoso.com' Version 15.0 (Build 847.0), proxy server
    'EXARC2.contoso.com' 15.0.847.31 caps:1FFFCB07FFFF.
    5/5/2014 9:00:07 AM [exmb1] Connected to source mailbox 'Primary (072dc240-bd79-495c-b7f2-c571e8f910f2)',
    database 'exmbi', Mailbox server 'Chsexmb2.contoso.com' Version 14.3 (Build 181.0).
    5/5/2014 9:00:08 AM [exmb1] Connected to source mailbox 'Archive (812ee554-4a1e-4feb-b591-a435fcbdee16)',
    database 'Exarci', Mailbox server 'CHSEXARC1.contoso.com' Version 14.3 (Build 181.0)
    5/5/2014 9:00:12 AM [exmb1] Request processing continued, stage LoadingMessages.
    5/5/2014 9:00:36 AM [exmb1] Messages have been enumerated successfully. 6657 items loaded. Total size:
    332.3 MB (348,411,982 bytes).
    5/5/2014 9:06:14 AM [exmb1] The long-running job has been temporarily postponed. It will be picked up
    again when resources become available.

  • DNS, Certificates, and Active Directory - School Setup Issues

    Our school has been piloting a small iPad deployment.  I have been struggling with getting Profile Manager to work correctly since August of last year. Here's the setup:
    1. Active Directory DNS/DHCP server (set as "school.local"--yes, I know .local is bad form, but it was set before I got here). I have changed the "Digest" to "Basic" setting
    2. Mac Mini server that has its own external IP and hostname ("mac.school.org") and is also bound to the AD server for user authentication for services (Profile Manager, WebDAV, wiki, etc.). I have a self-signed SSL certificate installed under the name "mac.school.org"
    3. About 90 iPads, and a handful of Mac desktops
    In a perfect world, users would be able to login (with their AD credentials) to the Profile Manager self-service portal using the external hostname of the mac server ("mac.school.org/mydevices"), install the Trust Profile, and enroll the device (iPad, Mac, etc).
    However, this is not the case.  The setup seems to work for a while; quite perfectly in fact. But then for reasons unknown to me, everything just "breaks" and Profile Manager ceases to work like it should. Here are some of the issues I am seeing:
    a.) DNS service on the Mac server turns itself ON randomly.  DNS should NOT be running on this server, correct? All DNS lookups internally are done by the AD server. I've used changeip and everything matches (both say "mac.school.org")
    b.) Whenever we use VPN, and at other seemingly random times, the server's hostname changes from "mac.school.org" to "mac.school.local" I would make the server external only, but it needs to have an internal IP to talk to the AD server.
    c.) AD binding breaks randomly and I have to rebind the server to AD
    d.) When enrolling devices, Profile Manager starts rejecting certificates (not a trusted source, etc.) and I have to destroy OD and PM and start all over again.
    I know this is a lot and I'm not necessarily expecting anyone to answer all of these questions. I guess I'm wondering if anyone could point me in the right direction? I've looked for help with these issues all over the place, but none of the environments I read about are quite like the one I'm in.

    Yes, I am not giving the real domain name here.
    No prob. just checking, sometimes people have weird domain names never know if they are real or they expect them to be real or they put domain names owned by someone else on their internal network eek.
    Not really needed to use mac.school.org internally, that is in local LAN. The thing to understand about DNS is the scope for which a DNS zone is relevant WRT a client machine — inside LAN or on Internet, and which DNS server is authoritative for a domain. Authoritative in the sense of 'the final word'.
    Go to Network Utility on your mac, type in your real domain name (whatever you are changing to school.org to hide it) what comes back. On my server I see the below (I have replaced my real, Internet legal domain, to 'example.com')
    In my setup I have, on the LAN, setup the Mac server to be authoritative for domain 'example.com'. On the Internet however it is another external DNS server.
    So you have set DNS forwarders on the Mac machine?
    I really don't believe that the machine's hostname is changing, it is statically configured. What I believe is happening is that DNS name resolution is telling you different things at different times because you are using different DNS servers.
    On mac machine terminal type $less /etc/resolv.conf and copy paste what it says. In server app Services | DNS right side does it say you have forwarders?
    Still it is not good to have two DNS domains in your internal LAN, there is no need to have school.org on the mac DNS unless it is going to be fully setup to be authoritative in the internal LAN for the domain school.org. You can have school.org on the Internet (Internet scope of users point 1) and school.local on internal machine (LAN scope of users).
    Lookup has started…
    Trying "example.com"
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53292
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
    ;; QUESTION SECTION:
    ;example.com.                   IN        ANY
    ;; ANSWER SECTION:
    example.com.     10800          IN        SOA          example.com. admin.example.com. 2013010907 3600 900 1209600 86400
    example.com.     10800          IN         NS          server.example.com.
    example.com.     10800          IN         MX          10 server.example.com.
    ;; ADDITIONAL SECTION:
    server.example.com. 10800       IN          A          192.168.1.20
    Received 145 bytes from 127.0.0.1#53 in 2 ms

  • Need WBS split to AUC and Expenses during settlement (not %wise)

    Hi,
    We have some capital projects settling to AUC but we are also charging WBS for labor costs and travel expenses and of course capital costs.
    Management wants PS team to settle labor/travel to CCTR and capital cost to AUC. How can WBS recognize cost elements carrying expenses and capital costs and split them during settlement?
    Expense range: 500000-599999 travel/labor
    Capital expense range: 600000-699999 to be capitalized
    I will appreciate any clue in this regard.
    -Atif
    PS.: I am trying capital investment key at this time, so that WBS will settle only capital range in AUC.

    Hi,
    Maintain different settlement rules for the WBSE with different receivers such as AUC & CTR. In settlement configuration define source structures such as CTR & AUC along with cost elements for settling the cost into different receivers.
    Hope this will help you.
    Regards,
    Rakesh Pradhan

  • Need clarification for cold backup and recovery

    Hello Everyone ..
    I have much confusion on cold backup and recovery topic.
    I already posted a scenario regarding this and I want to know some clarity points to understand.
    1. I had cold backup two days before
    2. I am creating an object *(EMP)* and inserting some records then issue log switch continuously.
    3. Manually i removed all physical files (datafiles , control files , log files , redolog files ...)
    4. then i issued STARTUP FORCE MOUNT;
    5. here i am getting error identifying control file.
    6. cold backup two days before all files restored
    6. then i issue recover database using backup controlfile until cancel;
    7. i am trying to issue select * from emp; i am getting error
    select * from emp
    *ERROR at line 1:
    ORA-00942: table or view does not exist
    My QUESTION IS
    After cold backup finished , i created emp table ..
    when restoring old back " There is no emp table"
    *- then , can i recover emp table ? - If so , please explain about this ..*
    Note : REF - LINK https://forums.oracle.com/forums/message.jspa?messageID=11056341#11056341
    - Above link says what i did ? . In this thread i am asking concept & logic ..
    please do NOT consider as "*DUPLICATE*"

    When you recover the database using backup controlfile until cancel, you have to apply archived logs. Did you apply all of them?
    If the create command was in the online redo, not yet archived, and you lost the online redo, then you won't have it. This is why you want to have redo multiplexed, it is a critical piece.
    In some recovery scenarios, if you haven't lost the online redo, you need to specify those files as if they were archives.
    It is normally easier to just be sure you have the latest controlfiles and let Oracle figure it out automatically (which is why you want to use online RMAN backups rather than cold backups). But yes, it is important to understand what is going on for different scenarios. I used to have manual standbys, and one of the disaster instruction sets explained to try to get online redo over to the standby to lose as few transactions as possible. That could still be useful for some snapshot hardware type scenarios, assuming the business is too cheap to do proper failovers.

  • I need clarification regarding REFERENCE TYPES and CASTING.

    Hello all,
    I'm taking a course on the fundamentals of JAVA. Everything's been going smoothly until I slammed into the concept of CASTING and REFERENCE TYPES. Flat--out == I DON'T GET IT?
    I'm having trouble with...
    CONVERTING REFERENCE TYPES
    CASTING BETWEEN REFERENCE TYPES
    WORKING WITH REFERENCE TYPES
    I understand what's happening from an academic vantage point. I just don't understand why you'd want to convert REFERENCE TYPES? What would be an application of such an exercise?
    1. What IS a REFERENCE TYPE -- exactly?
    a. what are we referencing?
    b. type? type of what??
    for example... why would you want to do a widening conversion, a conversion of the hierarchy tree?
    I understand the concept of OBJECTS, CLASSES, METHODS and CONSTRUCTORS so far...
    I think it's the terminology that's screwing me up.
    Thanks,
    Alex

    ok... wow, thanks J.
    So--in a nutshell-- we're making it so that different
    objects:
    ie,. ford(), chevy(), honda(), lotus() and
    dealers()... so and so forth()...
    all share the resources(for lack of a better word) of
    the Auto Class? because all of those auto brand
    objects and one radically different object can be
    unrelated, correct?

    Um, yes and no.
    I just ran with the example you had, but that probably included too many concepts and they got muddied up.
    Yes, Chevy, Ford etc. all share the characteristics of Auto, since they're all subclasses. But that's just inheritance, and has nothing to do with casting.
    A "reference type" can loosely be described as a variable that refers to an object. (Contrasted with "primitive types" which are int, char, float, etc. and don't refer to objects--they just hold values.)
    Casting just tells the compiler that even though as far as it knows you only have a reference to some superclass, the object that reference points to will in fact be an instance of a subclass, and so treat it as such (e.g., we can now call methods that the subclass has that the superclass lacks).
    (You can also cast primitives, but one thing at a time.)
    So let's say you have class A (which extends object) and B extends A.
    A a = new B();
    B b = a; // won't compile. compiler sees the "A a" on the left of the =, not "new B()" on the right.
    B b = (B)a; // works because we're telling the compiler, "Dude, I'm serious. This is a B."
    Note that if we had done new A() instead of new B(), it would still compile--the compiler would trust us. But at runtime, we'd get a ClassCastException, since we wouldn't actually have a B object.
    /**folks, I'm a web designer that has to learn Java
    so that I can perform my duties as a JSP author here
    at work. I tried to learn JSP sans Java and that was
    a simple exercise in ignorance.-- it's really hard
    without understanding the root concepts of Java and
    for that matter, C. Concepts like "polymorphism,
    inheritance, object references... are completely
    foreign to me. **/

    It's a rather big leap from web designing to OO concepts. Take your time, and don't be discouraged if you feel completely confused. It's a prerequisite. :-)

  • 2013 Purchased Acrobat XI Pro.  Acrobat says I need to license this software and will not let my 2013 licensed software open.

    I purchased the Acrobat XI Pro license in June, 2013.  I have a license key.  It worked yesterday.  Now it says I need to license it for $20/mth.  It will not let me open my installed Acrobat XI Pro.

    So I guess that was lucky on my part, but is potentially an issue for you. If you bought a copy for each OS, then you have 4 installations you could use for yourself. I have asked before and never gotten an answer of why the MAC and PC S/Ns are different. It would be great to have the same S/N for both systems to ease situations like yours. I seem to remember hearing that the Adobe folks may have a solution for that, but like everything else it is probably hard to find, if it exists.

  • BPM, Workflow and Netweaver - Need Clarification

    Hi Guru,
    I am new to workflow, BPM and Netweaver.  I have several questions about those concepts.
    1. What is the difference between workflow and webflow?  Which scenario should take workflow into consideration? Which scenario can webflow be applied to?
    2. What is the difference between workflow and BPM?  If I am going to implement workflow in a company, do I need to implement business workflow as well as BPM?
    3. I need clarification on Netweaver platform and concept.
    4. What is the difference between workflow in R/3 and workflow under Netweaver?
    5. If I am going to implement workflow integrated with R/3 and Outlook email, do I need to buy new workflow for Netweaver and Netweaver platform or alternatively, can I use the business workflow module under the R/3 system?
    Sorry for many questions asked. I am new to those products.  I am now working on software selection for workflow technology.  My company is going to implement new workflow to client.  Thank you very much.
    Cheers,

    Please ask only one (or closely related) questions per thread. This makes it a lot easier to get a good structure in the database of previously answered questions. While we are on the subject of previously answered questions, I think you should have a look at them....
    My suggestion is therefore:
    1. Close this thread
    2. Read the Frequently Answered Questions. Before you ask (here are many workflow answers)
    3. Search the forum.
    4. Create new threads if you have questions afterwards.

  • Use gpo to determine computername, request certificate and import certificate to computer powershell

    Hey everyone,
    For deployment of WinRM I need to deploy certificates in our environment.
    Now every certificate has to have a different name (computername)
    Is there a way to automate this?
    I would like to create a script that checks the computername, requests and imports the personalised certificate.
    Kind regards,
    Borrie

    Jrv,
    I don't think that's correct, as you can see in the link underneath for each computer or server you need to create a certificate and import in:
    http://blogs.technet.com/b/meamcs/archive/2012/02/25/how-to-force-winrm-to-listen-interfaces-over-https.aspx
    That's why I would like to create a script to automate this task.
    The script should check the computername, check if the cert already exists, if not request and import it with the computername as parameter.
    Borrie
    * edit, the procedure in the link describes using the domain name instead of computername but I really need the computername; after importing the cert I also need its thumbnail for use with configuring WinRM and soon also another application.

  • Some quick help needed with certificates and split brain dns.

    I run exch 2010 and have one cas server(srv03).  I have split brain dns configured and working in my system.  I got a new certificate this year because of the new regulations that won't allow .internal names in the san portion of an ssl cert. I have followed several tids on the internet and still when I tried to implement it today the outlook clients started getting a popup that says [the name on the certificate is invalid or does not match the name of the site].  At the top of this popup is srv03.abccorp.internal which is what it was before.
    The certificate is for mail.abccorp.com and also includes autodiscover.abccorp.com and srv03.abccorp.com.
    When I run [Get-clientAccessServer | fl Name,AutoDiscoverServiceInternalUri] the name and the Url is correct and has the .com value.
    When I run the test email autoconfiguration from my Outlook icon, and look at the log, Autodiscover URL found through SCP, is correct and it says Succeeded at the end.  In the results tab however the Server, Availability Service, OOF URL are still showing the .internal instead of .com.  The Internal OWA, External OWA and the OAB are correctly displaying the .com.  What commands do I need to run to change these as they seem to be the problem.
    I wasted a lot of time chasing the autodiscover before I found out about this test in outlook and realized the autodiscover url was correct. :-)
    I have two days left on my old cert that has both .com and .internal SANs so I rolled that back into service so the users stop getting messages.  Any help would be appreciated.

    Hi OTS,
    You can run the following command to Change the InternalUrl attribute of the EWS:
    Set-WebServicesVirtualDirectory -Identity "CAS_Server_Name\EWS (Default Web Site)" -InternalUrl https://mail.abccorp.com/ews/exchange.asmx
    Best regards,
    Niko Cheng
    TechNet Community Support

  • Why SharePoint 2013 Hybrid need SAN certificates and what SAN needs ?

    I've read this article of technet, but I couldn't understand the required values of SubjectAltname.
    https://technet.microsoft.com/en-us/library/b291ea58-cfda-48ec-92d7-5180cb7e9469(v=office.15)#AboutSecureChannel
    For example, if I build following servers, what SAN needs ?
    It is happy to also tell me why.
    [ServerNames]
     AD DS Server:DS01
     AD FS Server:FS01
     Web Application Proxy Server:PRX01
     SharePoint Server(WFE):WFE01
     SharePoint Server(APL):APL01
     SQL Server:DB01
    [AD DS Domain Name]
     contoso.local
     (Please be assumed that above all servers join this domain)
    [Site collection strategy]
     using a host-named site collection
    [Primary web application URL]
     https://sps.contoso.com
    Thanks.

    Hi,
    From your description, my understanding is that you have some doubts about SAN.
    If you have a SAN, you can leverage it to make SharePoint a little easier to manage and to tweak SharePoint's performance. From a management standpoint, SANs make it easy to adjust the size and number of SharePoint's hard disks. What you could refer to this blog: http://windowsitpro.com/sharepoint/best-practices-implementing-sharepoint-san. You could find what SAN needs from part “Some SAN Basics” in this blog.
    These articles may help you understand SAN:
    https://social.technet.microsoft.com/Forums/office/en-US/ea4791f6-7ec6-4625-a685-53570ea7c126/moving-sharepoint-2010-database-files-to-san-storage?forum=sharepointadminprevious
    http://blogs.technet.com/b/saantil/archive/2013/02/12/san-certificates-and-sharepoint.aspx
    http://sp-vinod.blogspot.com/2013/03/using-wildcard-certificate-for.html
    Best Regard
    Vincent Han
    TechNet Community Support

  • By changing CDP do i need to reissue the CA certificate and all previously certificates?

    Hi all,
    Given a Windows 2003 based CA what would be the impact of changing the CRL Distribution Point?
    I mean if I change the CDP by adding or removing entries in the Extensions tab of the CA properties, do I need to reissue a CA certificate and all previously issued certificates?
    Many thanks,

    Well, that depends. When you change the extension for a new CDP location, that setting is used for certificates issued or renewed from that moment going forward. Do you have to renew the old certificates? That's the part that depends on your objective. If you want ALL certificates to use the new location and not the old one, then yes, all the existing certificates would need to be renewed. The extension property is permanently affixed to the certificate.
    If the CDP point in question is an HTTP location it may be possible to use DNS to "move it". One of the things I often advocate is the use of a DNS name alias that is resolvable internally and externally. With this defined as the CDP/AIA location, you can move the location around as future needs dictate without reissuing anything.
    If you were not fortunate enough to have an alias, one other option is to retire the host name that the current CDP is located on (some random server) and use that as an alias in DNS (A Record or C Name) and point to a new location.
    Mark B. Cooper, President and Founder of PKI Solutions Inc., former Microsoft Senior Engineer and subject matter expert for Microsoft Active Directory Certificate Services (ADCS). Known as “The PKI Guy” at Microsoft for 10 years.

  • Multiple additional SIP domains - certificate and DNS requirements

    We've setup Lync 2010 Enterprise in our organisation and have successfully enabled a couple of thousand users.
    This is working successfully internally, externally and through Lync Mobile.
    However, we've only enabled users who are using the main company domain for SMTP and SIP addresses aaaaa_group.com (so all nice and easy so far!)
    In other words, user A has a primary SMTP and SIP address of
    UserA@aaaaa_group.com
    However, due to numerous mergers and acquisitions over the years, we have quite a lot of users who have other primary SMTP addresses e.g. bbbbb_co.uk, ccccc_company.com, ddddd_ltd.co.uk, de.ccccc_company.com etc etc
    There must be in excess of 40 to 50 of these other domains in use as primary SMTP addresses.
    (Nearly all these users have secondary SMTP addresses of aaaaa_group.com).
    I have been told to approach this from a best practices point of view and give all users a SIP address that matches their primary SMTP address and calculate how much it will cost to buy certificates to cover enabling every user for Lync on all these domains.
    I know from reading that wildcard certificates are considered to be a bad thing generally with Lync, especially if using Lync Mobility as the phone Lync clients don't accept them.
    Wildcard certificates aside, what are the names that I will need to add to my SAN certificates?  Presumably sip.domain.com, access.domain.com, meet.domain.com, dialin.domain.com, edge.domain.com, autodiscover.domain.com, lyncdiscover.domain.com
    The potential cost of all these names is frankly getting pretty scary considering we currently use Verisign for all our cert requirements, and they charge like a wounded bull.  However, I still need to report back with a cost of doing this, no matter what it is.
    Any thoughts/comments would be very welcome. :-)

    Actually the Mobility clients for mobile devices (cell phones, tablets) DO support wildcard entries in the certificates, it's the Lync Phone Edition client (desktop handset devices) which does not work with wildcards.  So you may be able to use wildcards, but do plenty of research on how to approach this.  Here are some articles to get started:
    http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/
    http://blog.schertz.name/2011/02/lync-phone-edition-incompatible-wildcard-certificates/
    That said, if you decide to skip the wildcard approach then you do NOT need to add additional entries for ALL FQDN types, only some.
    For both the Edge Server external certificate and any internal Front End certificate you'll need to add the 'sip' FQDN for every domain to the SAN field.
    sip.domain1.com, sip.domain2.com, sip.domain3.com, etc
    The Front End certificate will also need the lyncdiscover and lyncdiscoverinternal FQDNs, and the Reverse Proxy certificate will require the lyncdiscover FQDNs.
    For Exchange Server you'll need an autodiscover.domainX.com record as well, although this can also be covered by the wildcard entry.  The remainder of names (web conferencing, external web services, dialin, meet, etc.) can all remain in the primary SIP domain only as these FQDNs will be passed in-band to the clients after they have successfully signed in to Lync.  Unless you need users to all use their own domain names for the SimpleURLs (which it doesn't sound like in your scenario) then you'd have to add all those as well.
    So if you are not supporting any Lync Phone Edition devices I would try going with the wildcard route first to see how well things work.  And even if you do have some of those devices you could simply add the 40-50 sip.domain.com FQDNs to both the FE and Edge certificate but still use a wildcard entry for the mobility clients, SimpleURLs, etc.  Just make sure that the certificate's Common Name (e.g. Subject Name) is NOT the wildcard entry, use the primary domain name entry in the CN and then place the wildcard entries in the SAN field.  It is also best practice to duplicate the CN as a SAN field entry for the widest range of support by all clients.
    For example:
    Edge Server external certificate
    Common Name: sip.domain1.com
    Subject Alternative Name: sip.domain1.com, *.domain1.com, *.domain2.com, *.domain3.com, *.domain4.com, etc...
    Jeff Schertz | Microsoft Solutions Architect - Polycom | Lync MVP
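
The SAN layout in the answer above, and the name-mismatch popup in the split-brain DNS thread earlier on this page, both come down to whether every FQDN a client connects to is covered by an entry in the certificate's SAN list. The following is an added example, not code from any poster or from Microsoft: it builds the per-role name list the answer describes and reports names that no SAN entry covers, using the usual TLS rule that a wildcard covers exactly one left-most label. The function names, domain names, SAN lists and the `.internal` URL are constructed for illustration.

```powershell
# Added example. Function names, domains and SAN lists are constructed.

function Test-SanMatch {
    # True when $Name is covered by one SAN entry. A wildcard covers exactly
    # one left-most label: *.domain1.com matches sip.domain1.com but not
    # domain1.com or a.b.domain1.com.
    param([string]$Name, [string]$SanEntry)
    $n = $Name.ToLowerInvariant().TrimEnd('.')
    $s = $SanEntry.ToLowerInvariant().TrimEnd('.')
    if ($s.StartsWith('*.')) {
        $suffix = $s.Substring(1)                       # ".domain1.com"
        if (-not $n.EndsWith($suffix)) { return $false }
        $label = $n.Substring(0, $n.Length - $suffix.Length)
        return ($label.Length -gt 0 -and -not $label.Contains('.'))
    }
    return ($n -eq $s)
}

function Get-RequiredLyncName {
    # Per-domain names by role, as listed in the answer: sip.<domain> on the
    # Edge and Front End certificates, lyncdiscover and lyncdiscoverinternal
    # on the Front End, lyncdiscover on the reverse proxy.
    param(
        [ValidateSet('Edge', 'FrontEnd', 'ReverseProxy')][string]$Role,
        [string[]]$SipDomain
    )
    foreach ($d in $SipDomain) {
        switch ($Role) {
            'Edge'         { "sip.$d" }
            'FrontEnd'     { "sip.$d"; "lyncdiscover.$d"; "lyncdiscoverinternal.$d" }
            'ReverseProxy' { "lyncdiscover.$d" }
        }
    }
}

function Get-UncoveredName {
    # Returns every name (or URL host) that no SAN entry covers.
    # -IgnoreWildcard models a client that does not accept wildcard entries,
    # which the answer says is the case for Lync Phone Edition.
    param([string[]]$Name, [string[]]$San, [switch]$IgnoreWildcard)
    foreach ($item in $Name) {
        # Accept a bare FQDN or a service URL such as an EWS InternalUrl.
        $hostName = if ($item -match '^[a-z]+://') { ([uri]$item).Host } else { $item }
        $covered = $false
        foreach ($entry in $San) {
            if ($IgnoreWildcard -and $entry.StartsWith('*.')) { continue }
            if (Test-SanMatch -Name $hostName -SanEntry $entry) { $covered = $true; break }
        }
        if (-not $covered) { $hostName }
    }
}

# Constructed Edge SAN list in the shape of the answer's example: explicit
# sip names for two domains, wildcard entries for three.
$edgeSan   = 'sip.domain1.com', 'sip.domain2.com', '*.domain1.com', '*.domain2.com', '*.domain3.com'
$domains   = 'domain1.com', 'domain2.com', 'domain3.com'
$edgeNames = Get-RequiredLyncName -Role Edge -SipDomain $domains

'Uncovered for wildcard-capable clients:'
Get-UncoveredName -Name $edgeNames -San $edgeSan
'Uncovered for clients that reject wildcards:'
Get-UncoveredName -Name $edgeNames -San $edgeSan -IgnoreWildcard

# Split-brain DNS thread: the new certificate carries only .com names, so a
# service URL that still uses the .internal host is reported.
$exchSan = 'mail.abccorp.com', 'autodiscover.abccorp.com', 'srv03.abccorp.com'
$urls    = 'https://mail.abccorp.com/ews/exchange.asmx',
           'https://srv03.abccorp.internal/ews/exchange.asmx'   # constructed pre-change value
'Exchange URLs not covered by the new certificate:'
Get-UncoveredName -Name $urls -San $exchSan
```

To check a deployed certificate instead of a constructed list, pass the DNS names from its Subject Alternative Name extension as `-San`.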

  • I teach Continuing education classes to Real Estate agents and I need to issue them certificates at the class, which need to be signed by me and it needs to contain their info on the certificate. The certificate is currently saved in a word format.What i'

    I teach Continuing education classes to Real Estate agents and I need to issue them certificates at the class, which need to be signed by me and it needs to contain their info on the certificate. The certificate is currently saved in a Word format. What I'm trying to accomplish is to do a "mail merge" (as some classes I have as many as 150 attendees) for the document, digitally sign each one with my signature on the certificate and then e-mail it out to the respective attendees. Can this be done? If so, how?

    This is the step that I took after inputting my signature.
    On the right, after saving my document, I click "Get Others to Sign."  I was confused because it says that it's powered by EchoSign.  Like I stated before, my clients are able to sign this document when I send it to them, but it is returned to me with their signature (not in the signature field, but at the end of the document), and my signature is missing.  I tested this on myself - my signature is missing when they receive it. 
