Adding new SIP domains to Lync

I had this question come up today and figured I would share: what is involved in adding a new SIP domain to an existing Lync deployment?

It's recommended that a user's SIP address be the same as their primary SMTP address, so in most cases you can gather all the current email domains up front and plan and deploy the matching SIP domains initially. Of course, cases do come up where a new SIP domain has to be added later: a change of company name, an acquisition, or other reasons.

So the process for adding a new SIP domain to a Lync deployment would roughly be the following:

1. Add the new SIP domain to the Topology.

2. Create DNS records for the simple URLs.

3. Request new certificates to support auto-configuration and the simple URLs (both internal and external).

4. Run Enable-CSComputer on each pool and Director server.

I will take a closer look at some of these steps.

Add the New SIP domain to the Topology

In this first step, we simply need to open Topology Builder and add the new SIP domain as a supported domain.

In the example below, Lyncfreak.com is the existing SIP domain and I am adding Lyncfreak.net.

1. Open Topology Builder and download the Topology from the existing deployment.

2. Highlight the “Lync Server 2010” node at the top of the tree in the left-hand pane to review what your current SIP domains are.


3. Right click and select “Edit Properties”.

4. Type the additional SIP domain in the appropriate box and click Add. This will also automatically add the simple Meet URL for the new domain. Ensure that the format is appropriate for your deployment and click “OK”.


5. Publish the Topology.

Once the Topology is published you will be able to assign users the new SIP domain name. However, you will still want to rerun the Lync Certificate Utility and create the new DNS records.

The new SIP domain is now available.

Create DNS records

In most cases, the only simple URL that will be added for a new SIP domain is the Meet URL. For my lab this takes the form https://meet.lyncfreak.net. It can, however, take other forms, such as:

https://lync.lyncfreak.net/meet

https://lync.lyncfreak.com/lyncfreaknet/meet

If a format like the third example is used, there is no new A record to create for the simple URL, because it reuses the existing host name.

We do, however, have to create new DNS records to allow for client auto-configuration.

Internally we must create:

A record: lspool1.lyncfreak.net (or sip.lyncfreak.net)

SRV record: _sipinternaltls._tcp.lyncfreak.net, port 5061 -> lspool1.lyncfreak.net (or sip.lyncfreak.net)

and externally we must create:

A record: access1.lyncfreak.net (or sip.lyncfreak.net)

SRV record: _sipfederationtls._tcp.lyncfreak.net, port 5061 -> access1.lyncfreak.net

SRV record: _sip._tls.lyncfreak.net, port 443 -> access1.lyncfreak.net

Below are the screenshots of the internal DNS records created.

[Screenshots: the internal A record and SRV record]

Note: The SRV record needs to point to a name in the “lyncfreak.net” domain because of the client's strict domain matching and for Lync Phone Edition. You may have to manually add the SAN names to the certificates if you don't use sip.domain.com.
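The following script is an added example, not part of the original post: it resolves the three SRV records listed above for a new SIP domain and flags the two mistakes that come up repeatedly in the comments on this post, an SRV target that sits outside the SIP domain (which trips strict domain matching) and an SRV target that is a CNAME rather than an A record. It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 or later); the domain and host names are the post's lab values, and the public resolver address is an arbitrary choice.

```powershell
# Added example (not from the original post). Verifies the DNS records a new SIP domain
# needs and reports targets that are outside the SIP domain or that are CNAMEs.
# Assumes Resolve-DnsName (DnsClient module). Host names are the post's lab values.

function Test-SipSrvRecord {
    param(
        [Parameter(Mandatory)][string]$Name,        # e.g. _sipinternaltls._tcp.lyncfreak.net
        [Parameter(Mandatory)][int]$ExpectedPort,   # 5061 for TLS SIP, 443 for the external _sip._tls record
        [Parameter(Mandatory)][string]$SipDomain,   # the SIP domain the record belongs to
        [string]$Server                             # optional resolver, to see the internal or the public view
    )
    $common = @{ DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Server) { $common['Server'] = $Server }

    $srv = Resolve-DnsName -Name $Name -Type SRV @common | Where-Object { $_.Type -eq 'SRV' }
    if (-not $srv) {
        return [pscustomobject]@{ Record = $Name; Status = 'MISSING'; Detail = 'no SRV answer' }
    }

    $problems = @()
    foreach ($rec in $srv) {
        $target = $rec.NameTarget.TrimEnd('.')
        if ($rec.Port -ne $ExpectedPort) {
            $problems += "port $($rec.Port) (expected $ExpectedPort)"
        }
        # Strict domain matching: the client expects the target to sit inside the SIP domain,
        # which is why the post points the record at lspool1.lyncfreak.net or sip.lyncfreak.net.
        if ($target -notlike "*.$SipDomain") {
            $problems += "target $target is outside $SipDomain"
        }
        # The SRV target must be an A record; a CNAME target is not supported (RFC 2782).
        $answer = Resolve-DnsName -Name $target -Type A @common
        if (-not $answer) {
            $problems += "target $target does not resolve"
        } elseif ($answer | Where-Object { $_.Type -eq 'CNAME' }) {
            $problems += "target $target is a CNAME, not an A record"
        }
    }

    [pscustomobject]@{
        Record = $Name
        Status = if ($problems) { 'CHECK' } else { 'OK' }
        Detail = if ($problems) { $problems -join '; ' }
                 else { ($srv | ForEach-Object { "$($_.NameTarget):$($_.Port)" }) -join ', ' }
    }
}

function Invoke-SipDomainDnsCheck {
    param(
        [string]$SipDomain = 'lyncfreak.net',   # the newly added SIP domain
        [string]$ExternalResolver = '8.8.8.8'   # any public resolver, to check the external records as the internet sees them
    )
    $checks = @(
        @{ Name = "_sipinternaltls._tcp.$SipDomain";   Port = 5061; Server = '' }                 # internal view
        @{ Name = "_sipfederationtls._tcp.$SipDomain"; Port = 5061; Server = $ExternalResolver }  # external view
        @{ Name = "_sip._tls.$SipDomain";              Port = 443;  Server = $ExternalResolver }  # external view
    )
    foreach ($c in $checks) {
        Test-SipSrvRecord -Name $c.Name -ExpectedPort $c.Port -SipDomain $SipDomain -Server $c.Server
    }
}

Invoke-SipDomainDnsCheck -SipDomain 'lyncfreak.net' | Format-Table -AutoSize
```

Run it from an internal machine so the first record is answered by the internal DNS while the external records are answered by the public resolver; a Status of CHECK with a "CNAME" detail is the case the comments below describe, where a CNAME was used in place of an A record and clients still failed to sign in.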

Request new certificates

You can request updated certificates using the Certificate Wizard in the Lync Deployment Wizard. If you had to create new A records for either simple URLs or user login (including sip.domain.com), you will need to update the certificates. Often this means both internal and external certificates, so costs from a public CA provider may be involved.


Note that here I add lspool1.lyncfreak.net to the certificate request manually. sip.lyncfreak.net is added automatically, so it may be easier to use that name.

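As an added example (not from the original post), the script below builds the list of names the certificates should carry after a SIP domain is added, following the rules in the DNS and certificate sections above: sip.<domain> for each SIP domain, the host of each Meet simple URL (so a path-style URL such as https://lync.lyncfreak.com/lyncfreaknet/meet adds no new name), plus any pool name you add by hand such as lspool1.lyncfreak.net, and compares it against the Subject and SAN names on the certificate in use. When run in the Lync Server Management Shell it reads the SIP domains, Meet URLs and Default certificate from the deployment with Get-CsSipDomain, Get-CsSimpleUrlConfiguration and Get-CsCertificate (the ActiveUrl and Thumbprint property names are assumed); elsewhere it falls back to constructed values from the post's lab.

```powershell
# Added example (not from the original post). Lists the DNS names the Lync certificates
# should include after adding a SIP domain and reports which are missing from a certificate.
# Assumes the Lync Management Shell cmdlets when run on a Front End; otherwise uses lab values.

function Get-CertificateDnsNames {
    param([Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    $names = @()
    # Subject name (CN) as a DNS name
    $subject = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($subject) { $names += $subject }
    # Subject Alternative Name extension (OID 2.5.29.17); Format() prints one "DNS Name=host" per line
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        foreach ($line in ($san.Format($true) -split "`r?`n")) {
            if ($line -match '^\s*DNS Name=(.+?)\s*$') { $names += $Matches[1] }
        }
    }
    $names | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Get-ExpectedLyncNames {
    param(
        [Parameter(Mandatory)][string[]]$SipDomains,
        [string[]]$MeetUrls = @(),    # e.g. https://meet.lyncfreak.net or https://lync.lyncfreak.com/lyncfreaknet/meet
        [string[]]$ExtraNames = @()   # pool/edge names added manually, e.g. lspool1.lyncfreak.net
    )
    $expected = @()
    foreach ($d in $SipDomains) { $expected += "sip.$d" }          # auto-configuration name per SIP domain
    foreach ($u in $MeetUrls)   { $expected += ([uri]$u).Host }    # a path-style Meet URL reuses an existing host
    $expected += $ExtraNames
    $expected | ForEach-Object { $_.ToLowerInvariant() } | Sort-Object -Unique
}

function Compare-LyncCertificateNames {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string[]]$Expected
    )
    $present = Get-CertificateDnsNames -Certificate $Certificate
    foreach ($name in $Expected) {
        [pscustomobject]@{
            Name   = $name
            OnCert = [bool]($present -contains $name)   # exact match only; wildcard SANs are not relied on for Lync
        }
    }
}

# Gather inputs from the deployment when the Lync cmdlets are present; otherwise use lab values.
if (Get-Command Get-CsSipDomain -ErrorAction SilentlyContinue) {
    $sipDomains = @(Get-CsSipDomain | ForEach-Object { $_.Name })
    $meetUrls   = @((Get-CsSimpleUrlConfiguration).SimpleUrl |
                    Where-Object { $_.Component -eq 'Meet' } | ForEach-Object { $_.ActiveUrl })
    $thumbprint = (Get-CsCertificate -Type Default | Select-Object -First 1).Thumbprint
} else {
    # Constructed values taken from the post's lab, so the logic can be exercised off a Lync server
    $sipDomains = @('lyncfreak.com', 'lyncfreak.net')
    $meetUrls   = @('https://meet.lyncfreak.com', 'https://meet.lyncfreak.net')
    $thumbprint = $null
}

$expected = Get-ExpectedLyncNames -SipDomains $sipDomains -MeetUrls $meetUrls -ExtraNames 'lspool1.lyncfreak.net'
if ($thumbprint) {
    $cert = Get-Item "Cert:\LocalMachine\My\$thumbprint"
    Compare-LyncCertificateNames -Certificate $cert -Expected $expected | Format-Table -AutoSize
} else {
    Write-Host 'Names the certificates should include:'
    $expected
}
```

Any name with OnCert set to False is one the Certificate Wizard did not add for you and that the request must carry before clients using that SIP domain will trust the server; repeat the comparison with -Type WebServicesExternal for the external web services certificate, which needs the simple URL hosts as well.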

Run Enable-CSComputer

The last thing we have to do is run Enable-CSComputer on each computer hosting IIS. This means the Front End servers in a pool and the Director servers.

This configures IIS to accept the new simple URL we created; it sets up the mapping that allows Lync to parse the URL and find the correct meeting.

There are no parameters for this command; simply run:

PS> Enable-CSComputer


56 thoughts on “Adding new SIP domains to Lync”

  1. Jeff

    Hi Shawn,
    Thanks so much for this – such excellent info. Here’s my scenario:
    AD is .local and Exchange is .com. I set up Lync initially with a .local SIP domain because it was just going to be for test/internal use, but now we are wanting to put it into production and allow remote access and mobile devices. What’s the best/easiest way to switch domains to .com without breaking everything? We don’t have many users enabled yet, I just don’t know exactly how to configure DNS and certificates. Thanks so much!

    Reply
    1. Shawn Kirkpatrick Post author

      Hi Jeff,

      The easiest way is to add the .com domain as an additional secondary domain in Lync and assign this as the SIP domain for each user. The FQDNs you use for External services must be based on .com, and you cannot select supporting the .local as supported for automatic client configuration during the certificate wizards. That should be enough to allow remote access and mobile.

      The most complete way, however, would be to change your primary SIP domain, since .local will not be used in the future. It is not really necessary but it removes confusion by removing the unused SIP domain. This involves a lot more work, however, to change the SIP domain on existing services like the audio test service.

      In either case existing users will need to update their meetings and may need to rebuild/update Outlook profiles for Lync integration once their SIP domain is changed.

      Reply
  2. Alexandre

    Hi there! I have installed Lync 2010 but can’t communicate with IM; all my contacts have presence unknown… and I have some troubles adding them in Lync Control Panel, maybe because some accounts are first.lastname@domain.com and others only firstname@domain.com.
    Opened port 5601 on the firewall; I have Exchange Server 2010, 2 domain controllers, and installed Lync on a 3rd server.

    Reply
  3. JudeZhu

    Hi Shawn,

    Thank you for your great advice about how to add a new SIP domain to Lync Server 2013.

    I wonder if I could ask you a question.

    Is there any way we can add a new SIP domain without updating any certificate?

    I’ve added all the DNS records as CNAME type to the host domain.

    I’ve used the Microsoft Lync Connectivity Analyzer to do the connectivity test and it passed.

    But when I use the client to log in, it says “the server is temporarily unavailable. If the problem continues, please contact your support team.”

    When I looked into the logger tools

    there are some warnings and errors about the SIP track:

    1. Text: The source domain of the remote user client’s message is not in the list of internally supported domains
    Result-Code: 0xc3e93d72 SIPPROXY_E_EPROUTING_MSG_CLIENT_DOMAIN_NOT_INTERNAL

    2. Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 504 Server time-out

    3. Direction: outgoing;source=”local”;destination=”external edge”
    Peer: 116.228.78.174:39431
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out

    4. Severity: warning
    Text: Routing error occured during inbound processing; check Result-Code field for more information
    Result-Code: 0xc3e93d72 SIPPROXY_E_EPROUTING_MSG_CLIENT_DOMAIN_NOT_INTERNAL

    5. Severity: information
    Text: TLS negotiation started

    6. Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

    So could you kindly give me some advice?

    If the only way is to update the certificate, then how does Office 365 Lync work?

    Thank you very much.

    Waiting for your reply.

    Reply
    1. Shawn Kirkpatrick Post author

      Jude,

      In the vast majority of cases if you add a SIP domain to Lync, you will want to update your certificates as well. Without the new domain names on the certificates Client auto-configuration, Mobility clients and any Simple URLs using the new SIP domain name (such as Meet) will not work. The cost of updating certs is worth avoiding the administrative overhead and possible issues of using a work around. Even with CNAMEs, the client is checking the certificate for the original FQDN and not just the CNAME target. Office365 has a special setup for DNS records as well as registry keys to prevent a certificate warning.

      In your error however it looks like your new domain is not fully added as a supported internal domain, was your Topology successfully published and replicated to all Lync servers?

      Reply
      1. JudeZhu

        Thanks Shawn for your quick reply.
        And you are absolutely right.
        I’ve resolved my problem after I rebooted the edge server.
        It seems it really was a replication issue of the edge server, and the certificate warning is there too.
        And in your 4th step:

        4. Run Enable-CSComputer on each Pool and director Server.

        Does it include the Edge pool? That means I need to export-csconfiguration and import the configuration file to each of the edge servers and run enable-cscomputer, right?
        Anyway, it really helped.
        So thank you very much again.

  4. Wolf

    Hello Shawn, I have a question. We have Lync 2010 and deployed domain A on 1 internal server and 1 edge (in DMZ) for external connections. I added a couple of domains (B, C, D) and created all internal DNS records. Certs are also updated with all SANs like sip.domainB.com, meet.domainB.com, av.domainB.com etc. Internally all users in all the domains can sign in but not from external. I know there is an edge pool but it can only be associated with one, because it will otherwise break the association from the existing one (domain A). How can I point external clients within domains B, C, D (primary domain is A, which is working) to our edge server? Do I need to add external SRV records to domain B (C&D) that point to our existing ones, in this case _sip._tls.domainA.com and _sipfederationtls._tcp.domainA.com?
    I guess if the edge accepts the connections sign in would work because internally they can as well.

    Thanks in advance.

    Reply
  5. Oddity

    OK, here is a question. In my Lync environment we try to use the company email as the SIP; while every user has an acceptable email address, some users have a specialty SMTP that cannot be used with Lync. I have been tasked with trying to automate the Lync creation but get stopped every time I come across one of these users. Now I have tried to get the other domains added to the Lync system but that is a no go. How can I get Lync to look at the secondary email if it can’t enable the primary? I know it’s a little off topic but hopefully not too far.

    Reply
    1. Shawn Kirkpatrick Post author

      Usually in these situations you have to look at either using the SAM address or specifically assigning the address. In a PowerShell script you should be able to pull most user information and use it to assign the SIP address, but this is not a feature of the Lync cmdlet itself.

      Reply
  6. Tolga Akozenler

    Hi. I have Lync 2013 Standard and Edge Servers configured for my domain and running well with good functionality. I am able to create Lync users for the NT accounts I have created. We have another company with a different domain. If I add their domain name to the additional supported domains, can I create Lync users with their extension? In this case, is it possible that they will use their own domain controller but log on to Lync from my Lync servers? I couldn’t be sure because when I want to enable users, Lync is able to list only the users in my domain that do not have a Lync account. I would appreciate it if you can answer my question. Thanks in advance.

    Reply
    1. Shawn Kirkpatrick Post author

      If you add their SIP domain to your Lync you can create users in YOUR domain with their SIP extension. It is important to keep in mind that the SIP domain and Active Directory domain are separate and do not have to correlate. If you want their domain controllers to handle authentication, then you are looking at a cross forest scenario for your Lync which does require an Active Directory Trust. More information can be found at http://technet.microsoft.com/en-us/library/gg398173.aspx under the multiple forest section.

      Reply
      1. Tolga Akozenler

        Thank you for the answer Shawn. This was really what I was looking for, I appreciate it.

  7. mike

    Hello,
    Thank you for your article. My domain is corp.abc.com and users are using abc.com as their SMTP address. I deployed Lync with corp.abc.com as a SIP domain. But when I was trying to enable users I got this message: “specified SIP domain is not valid”. I am thinking I have to add a SIP domain for abc.com. Before I do that I just want to make sure I am on the right track, or what can you suggest I do?

    Thank you,

    Reply
    1. Shawn Kirkpatrick Post author

      It is preferred practice that your users’ SIP address matches their primary SMTP address. When enabling users you are likely using the default value of generating their SIP address from their email address, so if abc.com is not configured in Lync the error you get is expected. You are on the right track adding abc.com as a supported SIP domain; just make sure you update all your certificates and DNS entries as well.

      I normally would not have corp.abc.com configured as a SIP domain (even though it is the AD domain the server is joined to) unless some users had their primary email address in this domain. There is no harm in leaving it however beyond the extra cost on public certs.

      Reply
  8. Himanshu

    Hi Shawn,
    Someone from our team added a new SIP domain to an existing Lync 2010 deployment. Users are unable to connect to Lync with the new sip address from the internet, it works fine through LAN. The srv records and certificates are in place. I am suspecting it to be an Edge configuration issue. How do I check if the domain is configured on the Edge server? Is there an option to check sip domains for which the Edge server will accept sip connections?

    Reply
    1. Shawn Kirkpatrick Post author

      In 2010 the configuration of Lync replicates out to the Edge servers, so unlike OCS 2007R2 there is no configuration needed on the Edge in order to allow a new SIP domain added to the Topology. You can double check and make sure that the configuration on the Edge is up to date however by running Get-CsManagementStoreReplicationStatus. The Edge servers should show True in the Up to Date value.

      Reply
      1. Himanshu

        Thanks for your reply Shawn. We found that even though port 4443 was open between FE and Edge server, the replication was not working between the two. A manual Export and Import of configuration on Edge server fixed the issue for us.

  9. shady

    Hello Shawn,

    Thanks for the useful article, I had a similar query though.
    We have two separate forests abc.com and xyz.com with a two way trust enabled. We have multiple domains within the forests. Can we have one Lync enterprise pool in one of the domains within the abc.com forest and have multiple SIP domains added to the same irrespective of the forest? Your answer would be appreciated.

    Reply
  10. Erwin

    Hi, I just have a few questions… hope you can help me. We have an existing Lync 2010 deployment, now I’m installing new Lync 2013; do I need to create a separate _sipinternaltls service record for my new Front End Server 2013 as a pilot pool?

    Reply
    1. Shawn Kirkpatrick Post author

      You can create a new record with a different priority for fail over but it is not necessary or recommended for a pilot. When a client hits a pool that _sipinternaltls points to it will be redirected to the proper user pool, in this case the 2013 pilot. You would then switch the SRV record to point to the 2013 pool when you are ready to have it in full production and are decommissioning the 2010 pool.

      Reply
      1. Erwin

        Thanks Shawn, everything goes well, our test users were migrated successfully and logged in, called and messaged outside our network, except for the mobile device Lync client. Shawn, is it possible to test the Lync 2013 mobile client as well? I read some forum regarding this and it said that it is possible, you just need to add the FQDN name of the front end server into the existing Edge certificates and enable the Federation port 5061 in Edge 2013. Thank you so much.

  11. Paul

    I’m trying to learn as quick as I can, and I’m VERY much a nooby when it comes to this stuff, so this is prob a stupid thing to ask… but why do I get an error when I chuck Enable-CSComputer into a PS… unknown cmdlet… I’m trying to set up my very first Lync server to familiarise myself for work related stuff, and I can’t even add a first user (I get invalid sip domain) even though every domain I have is included in the topology and recognised by local DNSs… but Enable-CSComputer is more my question… unknown cmdlet… :-( 08 R2 box btw, with 2010 Lync server.

    Reply
  12. Dustain Ebaugh

    I just found this site and find it full of information. I have a situation where I have 2 companies, 2 separate forests, 2 separate Exchange Servers and 1 Lync Server. For simplicity the companies are RV.com (rv.local internally) and SC.net (sc.local internally). One is the parent of the other. Recently SC.net moved into the same building as RV.com. Because we have projects and data going back and forth, I have created a 2 way trust between the domains. The Exchange servers do not see one another. This has been working fine for a couple of months now. RV.com has had Lync running for a couple years now. I would like to bring the SC.net users into the fold so they can start using Lync. What is the best way to accomplish this? The current Lync does not allow for external access, only when users are on the network or tunneled in via VPN.

    Reply
  13. Pingback: Anatomy of a SIP Domain Change | Inside Lync

  14. Lushanthan

    hi LyncFreak,
    I’m new to Lync. And I have deployed Lync 2013 (in lynctest.local Domain) in my office environment which is in another domain (company.local Domain). When I was running the Lync sample applications from my office domain, I got the error “There was a problem verifying the certificate from the server”. My user name was actually lyncusr1.lynctest.local and I have pointed the DNS of my dev machine to the IP address of the lynctest.local domain so that it can resolve the address. I actually don’t need to connect users from different domains, but just to trust my domain from which I’m developing. I don’t need a new meeting address or anything. I want to connect as a user in my Lync domain from another domain. So, I think I just need my Lync domain to trust my office domain. Can you please help me on this?

    Reply
    1. Lync Freak Post author

      Hi Lushanthan,

      Is your SIP domain the same as your AD/DNS domain for the machine? If not then you would want to name the pool you point clients to the same as the sip domain. For example even if your Lync server machine name is SE1.lynctest.local, but your sip domain is company.local you would want to create a new A record for SE1.company.local (and add the corresponding name to the Lync certificate). This is the name you would point your SRV records to.

      You also want to make sure the Root CA from your test dev domain is added to the trusted authorities of either your machine, or your company’s primary domain. It is not enough to trust it with just your user account.

      Reply
  15. arif

    Hi. Each time I create a new SIP domain, I have to request the certificate again.
    Is there any method to update the last certificate with the newly created SIP domain?

    Reply
    1. Lync Freak Post author

      It depends on who your certificate authority is. For private certificates using your own CA, there is not really an issue with just requesting a new cert. For your public certificates, some authorities such as Digicert will let you update your existing cert to minimize cost. Be aware though that these companies charge by the number of SAN names on the certificate, so if you add a new sip domain name there will still likely be an increased charge.

      Reply
  16. peter

    hi,
    I need to change the primary SIP domain in Lync 2010, e.g. contoso.com to uc.contoso.com.
    Does the domain uc.contoso.com have to exist in AD? Should it be a real domain?

    thx

    Reply
    1. Lync Freak Post author

      It is important to remember that the different domain types do not have to coordinate. There is a SIP domain, DNS domain, AD domain, and SMTP domain. Although they all use the word domain they are not the same. So you do not need an AD domain to match your new SIP domain, but you will likely need to create a matching DNS domain to support lookups.

      So to clarify, Lync does require an AD forest in order to function, but the AD domain name doesn’t have to match the SIP domain defined in Lync.

      Reply
  17. Pingback: Exchange 2010 and Lync 2010 integration when SIP address does not match primary SMTP address | MS Exchange Blogs and Tutorials

  18. Nick

    Hey, just came across your blog and I was hoping that you could help me out with some issues we’ve been having.

    We currently have CUCM, and we are looking at deploying a new client (Lync or Cisco Jabber). I’d like to go with Lync, but we need to be able to route calls through CUCM to the Cisco handsets and have Lync call control (answer a call to DID, initiate a call to a DID from Lync through handset, etc). Is this feasible in a clean way with a good user experience? The CUCI client looks like a pretty poor implementation, I’d really rather avoid that route.

    Any advice you could provide would be greatly appreciated!

    Reply
    1. Lync Freak Post author

      It is possible to have Lync control the Cisco handset using RCC and a Cisco CUPS server. As with almost any integration there are limitations on features and the like.

      Reply
  19. Monte

    You actually make it seem so easy with your presentation
    but I find this topic to be actually something which I
    think I would never understand. It seems too complicated and very broad for me.
    I’m looking forward to your next post, I will try to get the hang of it!

    Reply
  20. Frank

    I’ll be honest, I’m reading so many mixed reviews that now I’m completely and utterly confused. If you can shed any light on this I will forever be in debt. I bet this is a no brainer for you; for whatever reason, it’s just giving me trouble. Maybe it’s best provided by an example Front-end and Edge certificate given the six items below.

    #1 – It’s not an option for us to continually update our public certificates when adding new SIP domains (we will have hundreds of these, new ones daily)
    #2 – It’s not a requirement for clients to be able to automatically connect their clients, manual configuration is fine.
    #3 – It is fine if users receive a security alert when signing in due to everyone’s SRV record pointing to our Access Edge (access.lync.wehostlync.com).
    #4 – It’s not an option for us to utilize a Multi-tenant deployment; the infrastructure and networking requirements for everything to be external facing with no NAT were way too high. We’re going to split tenants up using a 3rd party Control Panel Product that provides basic tenancy.
    #5 – We are going to utilize the Simple URL syntax of https://lync.wehostlync.com/TenantSip/Meet to allow for only 1 DNS entry and 1 Certificate entry.
    #6 – We do not require any interoperability between different clients, Lync to Lync is all we need

    I would like to implement a certificate and DNS scheme that allows for the least amount of administrative effort as you can see, but allow for flexible SIP on boarding.

    Here’s where my confusion comes in from my weeks of research:
    #1 – Microsoft does not list Wildcard Support for SIP for Front-end http://technet.microsoft.com/en-us/library/gg398094.aspx

    #2 Microsoft Cert. Req. External Access http://technet.microsoft.com/en-us/library/gg398920.aspx doesn’t show support for wildcard SIPs either.

    #3 Forum Post of on boarding 40 SIP domains (http://social.technet.microsoft.com/Forums/en-US/ocsplanningdeployment/thread/7ef06be5-b03d-4d0a-a54d-e52fc0dd08fe/) Sean_Xiao’s post is interesting. Mentioning it may be possible to implement a SAN entry on the access edge of “access.domain.com” and just have all SIP domains point their SRV records to it, a security warning is displayed, but that’s fine.

    #4 Planning for Deploying External Services(Microsoft Lync Unleashed Book) “..many functions in Lync Server simply don’t work well or at all if a wildcard certificate is used. Even if it does appear to work for some clients or features, it can produce some odd behavior which makes troubleshooting very difficult. At this time, the recommendation is to avoid using a wildcard certificate for any Lync Server roles.”

    #5 – This blog brings more confusion http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/ states we can technically use Wildcards for Front-end and Edges, as long as we’re okay with no interop.

    With all of this being said and taking into consideration our goals, now you can see why I am confused hopefully. At the end of the day, would this Front-end Certificate and Edge Certificate Scheme work for our scenario? I think many other small / medium businesses would appreciate this clarification.

    EDGE CERTIFICATE SETUP
    - Use the exact same public certificate between our two edge servers in a pool with exported private keys
    - One certificate for Access / Web Conferencing / Edge External and A/V authentication services
    - Subject Name: is the Access Edge External Interface (access.lync.wehostlync.com)
    - Subject Alternative Names: access.lync.wehostlync.com, webconf.lync.wehostlync.com
    * Do not include SIP FQDN for auto-configuration

    Now, say I have 40 different SIP domains that need to connect, and none of them are listed in the certificate. If they create an External DNS record for their domain’s SRV _sip._tls.domain.net 443 –> access.lync.wehostlync.com and then configure their Lync client manually to point to the external host access.lync.wehostlync.com.

    Will this work, what am I missing here?

    All users are going to be 100% External

    FRONT END CERTIFICATE SETUP

    Default
    SN = LYFEPOOL01.domain.local
    SAN = LYFEPOOL01.domain.local
    *Not including any SIP domains

    Web Internal
    SN = LYFEPOOL01.domain.local
    SAN= LYFEPOOL01.domain.local
    SAN = lync.wehostlync.com (Simple URLS)

    Web External
    SN = LYFEPOOL01.domain.local
    SAN = lsweb-ext.lync.wehostlync.com
    SAN = lync.wehostlync.com (Simple URLS)

    Your thoughts on how I can put this to rest would be greatly appreciated!

    Reply
  21. Frank

    Glad I found your Blog! I’m in a particular situation here myself. Here’s an example.

    We are constantly acquiring new companies (every month) and they need to be able to utilize their own domain names when signing in to Lync.

    Example: CompanyOwnsAll.com owns

    Name@CompanyA.com

    Name@CompanyB.com

    CompanyA.com and CompanyB.com are listed as subject alternative names in the Public Certificate for the Access Edge Service, everything works fine.

    Then we acquire two new companies (below); we can’t possibly be expected to update our Public Certificate to add the new SANs for the new domains each time?

    Name@CompanyC.com

    Name@CompanyD.com

    I understand Wildcard certificates for SAN cause problems? I don’t think we have a choice?

    If worst comes to worst, are you saying we don’t necessarily need to add all of our acquisitions as SANs on the Access Edge? They will just have to manually configure their Lync Clients? (That’s fine by us)

    Reply
    1. Frank

      What if we just keep entering DNS records for all of our acquisitions’ domains to avoid updating the certificates?

      CNAME: sip.acquisition.com -> sipedge.maincompany.com

      Reply
      1. Lync Freak Post author

        CNAMEs will not help with the auto client login or federation situation. The client checks for sip.acquisition.com on the certificate of the FE/Edge server when attempting auto configuration. This is worth a read http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx.

        It is also important to remember the following with DNS records for Lync from the above article
        Make sure that the target of any SRV record is an A record. Using CNAME records as targets is not supported by Lync and is not allowed per RFC2782 – A DNS RR for specifying the location of services (DNS SRV) –

        Lync online gets around the requirement of domain certs on their Edge servers because lync.com is coded into the registry during install to be a trusted domain. It is not supported to add your own domain to this key, but for knowledge’s sake it is located here: HKEY_CURRENT_USER\Software\Microsoft\Communicator\TrustModelData. This does not affect federation however and federated partners would still need to manually federate with your access edge server.

    2. Lync Freak Post author

      Correct, you don’t have to add all of them. You would then have to manually configure the clients and Federation discovery would not work (Federated Partners could still enter your domain and access edge server directly and this would work.)

      Reply
      1. Frank

        Thank you very much for the reply. Essentially we are a reseller of Lync. Our Primary SIP domain will be something like “WeHostYourLync.com” we want to be able to bring on tenants and allow them to use their own domain names within Lync, with the least administrative effort on our end.

        Would we be required to perform all other steps beside updating the certificate when bringing on new clients?

        As for their client configuration, because we won’t be updating our certificates, would they just manually configure their External IP in Lync to point to our Edge (i.e. sip.lync.wehostyourlync.com) and boom, they’re in with their domain?

  22. Jeremy

    Hello,

    I am using domain.lan for internal use and domain.com for public.
    My Lync infrastructure works with domain.com, but I need to create a Lync user like: user@domain.lan.
    How can I add this into my Lync infrastructure so I can create the settings?

    Reply
    1. Lync Freak Post author

      I would normally advise against using a non-public domain for a SIP domain. For best practice the user’s SIP address should be the same as their primary SMTP address. You can however add this SIP domain as described above with two differences. On the Meet URL configuration, make sure to add it as an extension of your public domain, for example https://meet.domain.com/domain.lan. You will also not be able to use auto client configuration from the outside. The main reason for these restrictions is that most public cert providers nowadays will not approve an internal domain name on a cert.

      Reply
  23. Ed

    Is there a setting on the Lync desktop client to relax the requirement that the certificates have every domain in them?

    Reply
    1. Lync Freak Post author

      The sip.domain.com records for each domain are required for automatic client configuration. The records are also used for federation discovery. You can manually configure the clients so that the records are not needed by specifying the sign in server, but any partners that federate will have to specify your Access Edge server directly as well.

      Reply
  24. Rob

    @Greg S
    I’m having the same issues here at my company. They want everything and they wanted it yesterday. F5, all the same you mention above. Sigh.

    Reply
  25. Brian Osley

    Hi, good article, thanks for the info. I have an existing Lync deployment with a single SIP domain (say, sip.contoso.com) and same as Greg S, they are now asking me to add all 9 of our email domains to it so those working for Fabrikam have fabrikam.com SIP addresses, for example. However, they don’t want to have to set up all of their contacts all over again if their SIP addresses change as they have a lot of Yahoo contacts in their Lync clients. For example, say I have a Lync user whose SIP address currently is JoeBlow@contoso.com and wants it to be changed to JoeBlow@fabrikam.com but doesn’t want to have to send out all new buddy requests to his 200 Yahoo contacts to have them add him as JoeBlow@fabrikam.com. Is there a way to change his SIP name but still have it where the Lync Edge and Front-end servers know where to route incoming IMs to his old SIP address? Thanks for any assistance you can provide.

    Reply
    1. Lync Freak Post author

      There is not a built in way to redirect those requests. However with UCMA and custom scripting or a third party product it may be possible to accomplish this. Each user can only have one SIP address assigned, unlike email, so you would need a script to identify the users with the new domain and rewrite it in transit, which would likely require a database dip. I don’t know of any products myself for this so I cannot suggest one.

      In the long run it would likely be simpler for them to send out an email update than maintaining an addon or custom code simply to keep an old address relevant.

      Reply
  26. Greg S (@GregSeeber)

    So. I’m using your doc as my starter on this crazy “we gotta have all our 13 email domains SIP enabled” and YOU gotta do it. haha. The only thing that sucks about Lync is the certificate stuff … that, with the reverse proxy… with the F5 HLB … with the FE servers … all the moving pieces … it’s hard to keep everything organized and think through everything. eh? maybe it’s just me.

    Reply
  27. CF

    Great post, the part that I don’t understand is how the authentication process works with the new sip domain. Do you need to have a trust between both domains in order for this to work?

    Reply
    1. Lync Freak Post author

      It’s important to remember that the SIP domains are different from the AD domain, just as with Exchange and accepted domains. For example a company could have just one AD domain company.local, and two SIP domains Contoso.com and Fabrikam.com. In fact the internal AD domain would not be represented in the SIP domains at all for that case.

      That being said, Lync is a Forest level application; so if you add a new AD domain into an existing forest, you would simply need to run Domain prep in the new domain. At that point you could enable users in the new Domain, and the authentication would use the Domain trust within the Forest.

      In the case of adding users from a separate forest, there would need to be a trust between them. You also would need to create AD contact objects in the Forest that houses Lync and sync some user data from the accounts in the new forest as per http://technet.microsoft.com/en-us/library/gg670884.aspx. Authentication does then use the trust and the credentials from the user’s home forest.

      Reply
