Adding new SIP domains to Lync

I had this question come up today and figured I would share: what is involved in adding a new SIP domain to an existing Lync deployment?

It is recommended that a user's SIP address match their primary SMTP address, so in most cases you can gather all the current email domains and plan and deploy the appropriate SIP domains up front. Of course, cases do come up where a new SIP domain has to be added later: a change in company name, an acquisition, or other reasons.

So the process for adding a new SIP domain to a Lync deployment would roughly be the following:

1. Add the new SIP domain to the topology.

2. Create DNS records for the simple URLs.

3. Request new certificates to support auto-configuration and the simple URLs (both internal and external).

4. Run Enable-CSComputer on each pool and Director server.

I will take a closer look at some of these steps.

Add the New SIP domain to the Topology

In this first step, we simply need to open Topology Builder and add the new SIP domain as a supported domain.

In the example below, is the existing SIP domain, and I am adding

1. Open Topology Builder and download the Topology from existing deployment.

2. Highlight the “Lync Server 2010” node at the top of the tree in the left-hand pane to review what your current SIP domains are.


3. Right click and select “Edit Properties”.

4. Type the additional SIP domain in the appropriate box and click Add. This will also automatically add the simple meet URL for the new domain. Ensure that the format is appropriate for your deployment and select “OK”.


5. Publish the topology.

Once the topology is published, you will be able to assign users the new SIP domain name. However, you will still want to rerun the Lync Certificate Utility and create the new DNS records.

The new SIP domain is now available

Create DNS records

In most cases, the only simple URL that will be added for a  new SIP domain is the meet URL.  For my lab this takes the form of  It can take other forms however such as:

If a format like the third example is used, there is no new A record to create for the simple URL.

We do however have to create new DNS records to allow for auto configuration.

Internally we must create: (or

SRV 5061 –> (or

and Externally we must create: (or

SRV 5061 –>

SRV 443 –>

Below are the screenshots for the internal DNS records created.



Note:  The need for the SRV record to point to a “” domain name is for strict domain matching and Lync phone editions.  You may have to manually add the SAN names to certificates if you don’t use

Request new certificates

You can request updated certificates using the Certificate Wizard in the Lync deployment wizard.  If you had to create new A records for either Simple URLs or user login (including you will need to update certificates.  Often this means both internal and external certificates, so cost from a Public CA provider may be involved.


Note here I add the manually to the cert request. is adding automatically so it may be easier to use that.


Run Enable-CSComputer

The last thing we have to do is run Enable-CSComputer on each computer hosting IIS: the Front End servers in a pool and the Director servers.

This configures IIS to accept the new simple URL we created, setting up the mapping that lets Lync parse the URL to find the correct meeting.

There are no parameters for this command; simply run:

PS> Enable-CSComputer
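A check I would run after step 4, added here as an example and not part of the original post: it confirms the new domain is published, resolves the DNS records described above, and looks for the new names in the SANs of the certificates Lync has assigned on this server. The record and host names it uses (sip., lyncdiscover, lyncdiscoverinternal, _sipinternaltls._tcp, _sip._tls, _sipfederationtls._tcp) are the standard Lync conventions and an assumption, as is the availability of the Resolve-DnsName cmdlet (Windows Server 2012 or later).

```powershell
# Added verification script (not from the original post). Assumptions: it runs in the Lync Server
# Management Shell on a Front End, Resolve-DnsName (DnsClient module, Windows Server 2012 or later)
# is available, and the DNS names follow the standard Lync convention: sip.<domain>,
# lyncdiscoverinternal.<domain>, lyncdiscover.<domain>, _sipinternaltls._tcp (5061, internal),
# _sip._tls (443, external) and _sipfederationtls._tcp (5061, external).
param(
    [Parameter(Mandatory = $true)][string]$SipDomain,  # the SIP domain just added to the topology
    [string]$MeetHost                                   # meet simple URL host; leave empty when it lives under a shared domain
)

$ErrorActionPreference = 'Stop'

# 1. Topology: the domain must already be published, or enabling users with it fails.
$published = Get-CsSipDomain | Select-Object -ExpandProperty Name
if ($published -notcontains $SipDomain) {
    Write-Warning "$SipDomain is not a published SIP domain; publish the topology and wait for replication."
}

# 2. DNS: the records the post says to create for auto-configuration (and the meet URL, if new).
$checks = @(
    @{ Name = "sip.$SipDomain";                    Type = 'A'   },
    @{ Name = "lyncdiscoverinternal.$SipDomain";   Type = 'A'   },
    @{ Name = "lyncdiscover.$SipDomain";           Type = 'A'   },
    @{ Name = "_sipinternaltls._tcp.$SipDomain";   Type = 'SRV' },
    @{ Name = "_sip._tls.$SipDomain";              Type = 'SRV' },
    @{ Name = "_sipfederationtls._tcp.$SipDomain"; Type = 'SRV' }
)
if ($MeetHost) { $checks += @{ Name = $MeetHost; Type = 'A' } }

foreach ($c in $checks) {
    try {
        $answer = Resolve-DnsName -Name $c.Name -Type $c.Type -ErrorAction Stop
        if ($c.Type -eq 'SRV') {
            foreach ($srv in ($answer | Where-Object { $_.Type -eq 'SRV' })) {
                "OK      {0,-42} -> {1}:{2}" -f $c.Name, $srv.NameTarget, $srv.Port
            }
        } else {
            # A CNAME answer also carries the final A record; collect whatever addresses came back.
            $ips = ($answer | Where-Object { $_.IPAddress } | ForEach-Object { $_.IPAddress }) -join ', '
            "OK      {0,-42} -> {1}" -f $c.Name, $ips
        }
    } catch {
        "MISSING {0,-42} ({1})" -f $c.Name, $c.Type
    }
}

# 3. Certificates: every certificate assigned to this server should list the new names as SANs.
#    Names missing here are exactly what breaks auto-configuration, mobility and the meet URL.
$required = @("sip.$SipDomain", "lyncdiscoverinternal.$SipDomain", "lyncdiscover.$SipDomain")
if ($MeetHost) { $required += $MeetHost }

foreach ($cert in Get-CsCertificate) {
    $x509 = Get-Item "Cert:\LocalMachine\My\$($cert.Thumbprint)" -ErrorAction SilentlyContinue
    if (-not $x509) { continue }
    $sanExt = $x509.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    $sans = @()
    if ($sanExt) {
        # Format($false) renders the extension as "DNS Name=a, DNS Name=b" on an English system.
        $sans = ($sanExt.Format($false) -split ',\s*') |
                Where-Object { $_ -like 'DNS Name=*' } |
                ForEach-Object { ($_ -split '=', 2)[1].Trim() }
    }
    $missing = $required | Where-Object { $sans -notcontains $_ }
    if ($missing) {
        "{0,-22} missing SAN: {1}" -f $cert.Use, ($missing -join ', ')
    } else {
        "{0,-22} carries all new SAN names" -f $cert.Use
    }
}
```

Run it once internally and once from a machine that uses the external resolver, since the internal and external record sets differ.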


67 thoughts on “Adding new SIP domains to Lync”

  1. GaneshKumar Anand

    Thanks, author, for your excellent article. I have the following doubts; I’d appreciate your response.

    We have a primary AD domain on Win2k12 with Exchange 2013 and Lync 2013 Standard Edition; the local domain name is milan.local.
    Public domain name Primary : and SIP address is same.
    Our company acquired 4 companies each are,, and
    Exchange 2013 is easy to set up multi-tenant and it works well.

    Lync has following SAN names for domain.

    But for Lync we are suffering with the acquired company domains, especially for the public certificate. 4-domain SAN certificates are going to be expensive.
    Users will be accessing Lync chat, voice and video calls, conferencing, and presentation or sharing features via the Lync client.

    1) SAN certificate name requirement for each domain (minimum required)? Each domain user must be able to use their SIP address to log in to Lync.
    2) DNS record setup for each domain names
    3) Any disadvantages if we buy wildcard certificate for lync?
    4) Are these minimal SAN names are enough for hosting multiple sip domains,, and,,,,,,,,

    Kindly help!

    1. Shawn Kirkpatrick Post author

      Lync does support Wildcard certificates, but only in a limited way which does not help much. It is only supported to have the wildcard in the SAN entry of the certificate, which a number of providers do not support. More can be found here

      There are ways to reduce the number of SAN entries required for each domain. The external web services, dialin and OWAS entries are only needed in one domain per deployment. It is also possible to condense the meet URLs for multiple domains under a single domain; this is covered under option 3 of the guidance on naming your simple URLs.

      This would mean only and would be required for each additional SIP domain added to the environment.

  2. Melissa Wells

    I am so glad I found this post! We have a Lync 2010 deployment that currently has multiple companies. One of those companies is changing its name so they are switching from the current domain name to a new one. How much time would you anticipate making this change would take? We all use Office 365 and on that side the change seems straightforward. I am trying to put together a timeframe of how long this might take and the risk involved.

    1. Shawn Kirkpatrick Post author

      It is hard to say exactly without knowing the environment. I myself would plan on a window of 10-15 mins per Front End server for the maintenance window just to add the new domain. Switching users over depends on the size of your user base and support staff, as each user who changes their SIP domain will need to update all existing Lync Meetings to match. The Lync meeting update tool can help with this, though I have had mixed luck with it. This is still a user side process however, which can be a burden on your user base.

      I would generally allow for at least a month from user notification to completion as a rough guess.

  3. thiagobeier

    Hi guys, today we received a ticket to review a Lync 2010 topology and we found the error , so how can I correct this topology? Should I move it to the central site at myDomain.local, since this is the root of the domain and acts as a central site providing services for the child domains/sites? Set up a new front end and back end and move, then enable the users at child2.myDomain.local again? They just discovered this when they tried to set up Lync for a user at the child3 domain.

  4. Jeremy


    First off thank you very much for this walkthrough, many others I have found give only the high level steps that need to be completed but no further details of each individual step.

    So, we setup On-Prem Lync 2013 last year as Company A but have now begun the merger process with a recent acquisition. This process will change all users primary SMTP addresses to so we need to change Lync to match. I have followed your instructions and added the additional SIP domain to our topology and I am able to enable users with that domain. However, the certificate portion has me unsure as to what additional names need to be added to the Internal and External Certificates. Below are the current subject alternative names on my internal and public certificate. (note: Our Edge Pool is configured to just use the Access Edge Server and is set to


    External (Public):

    I spent days on the phone with Microsoft during our initial setup preparing these certificates so while I don’t understand why I have so many names, I feel they must have been added for a reason. So, just hoping you may be able to provide some direction on what additional entries need to be added to both for our setup.

    Thanks in advance!

    1. Shawn Kirkpatrick Post author


      I have to warn that without fully reviewing your environment the following may be incorrect, but from what you have listed the following names would need to be added to your certificates:



      Only a single Dialin URL is required per deployment, not one for each domain. However if the plan is to transition fully to the domain and remove then you would want to update that record as well. There are a number of records you have listed above that are not normally required, but they may apply to your environment somehow.


      1. Jeremy


        Thanks for your reply. I too agree it seems we have more entries than needed but again those were directed during a Microsoft support case so I will leave them alone. I have adjusted my internal certificate and it appears to be working. For the external, I do not currently have a entry at all but I notice you listed adding one. Is a entry typically needed? Just trying to determine how we may be bypassing that need if it is typically necessary. Also, would I need a entry as well for external?

        Thanks again,

  5. Bora Cosgun

    Hello. I have added new domains to the topology and published. But when I try to add a Host A record to my internal DNS, it only lets me add records for the current domain, not for a different one. I would be pleased if you could explain how to do it.

  6. Greg

    Shawn, I saw your post and it kinda hits on the subject I am dealing with and was wondering if you had an idea on how to resolve it.

    We have which lync (2010) works perfect in. We acquired a company which has a domain.local (AD/DNS/Exchange). There is no domain trust, just conditional forwarders in DNS. We moved both our and their exchange mailboxes to O365. We created AD accounts + mailboxes in however the is different ( and the DNS record is in O365) for these users in order for the users to retain their company identity. We Lync enabled all the users in and they have the SIP address in their attributes. However, they can not sign into Lync using

    All traffic as far as lync is concerned between and domain.local is internal, as far as I can tell.

    The question is what do I need to do to get these users to be able to sign. Do I need to establish a trust (we are avoiding it as we plan to move the computers to anyway, but I don’t think that will solve the problem still) or do we just need to create the SIP domains in Lync and/or update our DNS SRV records/Certs on or is there something else we need to do?

    1. Shawn Kirkpatrick Post author

      I am not sure I fully understand your question. So did the users from the acquired company have accounts created in the AD, you are you trying to use as a SIP Address? If so then you would need to add that SIP domain to the Lync 2010 install and point the DNS SRV and LyncDiscover records there. I would also update their User Principal Names (UPN) in the AD domain to match to avoid the additional username prompt. They would log in using the credentials from your local AD domain (instead of theirs) using

      If you want the users to be able to log in to Lync using credentials from the domain.local (acquired) AD domain, then you would need a trust in place between the two forests.

  7. Jeff

    Hi Shawn,
    Thanks so much for this–such excellent info. Here’s my scenario:
    AD is .local and Exchange is .com. I set up Lync initially with a .local SIP domain because it was just going to be for test/internal use, but now we want to put it into production and allow remote access and mobile devices. What’s the best/easiest way to switch domains to .com without breaking everything? We don’t have many users enabled yet; I just don’t know exactly how to configure DNS and certificates. Thanks so much!

    1. Shawn Kirkpatrick Post author

      Hi Jeff,

      The easiest way is to add the .com domain as an additional secondary domain in Lync and assign it as the SIP domain for each user. The FQDNs you use for external services must be based on .com, and you cannot select .local as supported for automatic client configuration during the certificate wizard. That should be enough to allow remote access and mobile.

      The most complete way, however, would be to change your primary SIP domain, since .local will not be used in the future. It is not really necessary, but it removes confusion by removing the unused SIP domain. This involves a lot more work, however, to change the SIP domain on existing services like the audio test service.

      In either case existing users will need to update their meetings and may need to rebuild/update Outlook profiles for Lync integration once their SIP domain is changed.

  8. Alexandre

    Hi there! I have installed Lync 2010 but can’t communicate with IM; all my contacts have presence unknown… and I have some trouble adding them in Lync Control Panel, maybe because some accounts are and others only
    Opened port 5601 on the firewall; I have Exchange Server 2010, 2 domain controllers, and installed Lync on a 3rd server.

  9. JudeZhu

    Hi SHAWN

    Thank you for your great advice about How to add a new sip domain to the Lync server 2013.

    I wonder if I could ask you a question.

    Is there any way we can add a new SIP domain without updating any certificate?

    I’ve added all the DNS records as CNAME type to the host domain.

    I’ve used the Microsoft Lync Connectivity Analyzer to do the connectivity test and it passed.

    but when I use the client to login, It said “the server is temporarily unavailable. If the problem continues, please contact your support team.”

    When I looked into the logger tools,

    there are some warnings and errors about the SIP track:

    1. Text: The source domain of the remote user client’s message is not in the list of internally supported domains

    2. Text: Routed a locally generated response
    SIP-Start-Line: SIP/2.0 504 Server time-out

    3. Direction: outgoing;source=”local”;destination=”external edge”
    Message-Type: response
    Start-Line: SIP/2.0 504 Server time-out

    4. Severity: warning
    Text: Routing error occured during inbound processing; check Result-Code field for more information

    5. Severity: information
    Text: TLS negotiation started

    6. Severity: error
    Text: The connection was closed before TLS negotiation completed. Did the remote peer accept our certificate?

    So could you kindly give me some advice?

    If the only way is that we must update the certificate, then how does the Office 365 Lync work?

    Thank you very much.

    Waiting for your reply.

    1. Shawn Kirkpatrick Post author


      In the vast majority of cases if you add a SIP domain to Lync, you will want to update your certificates as well. Without the new domain names on the certificates Client auto-configuration, Mobility clients and any Simple URLs using the new SIP domain name (such as Meet) will not work. The cost of updating certs is worth avoiding the administrative overhead and possible issues of using a work around. Even with CNAMEs, the client is checking the certificate for the original FQDN and not just the CNAME target. Office365 has a special setup for DNS records as well as registry keys to prevent a certificate warning.

      In your error however it looks like your new domain is not fully added as a supported internal domain, was your Topology successfully published and replicated to all Lync servers?

      1. JudeZhu

        Thanks Shawn for your quick reply.
        And you are absolutely right.
        I’ve resolved my problem after I rebooted the edge server.
        It seemed it really is the replication issue of the edge server, and the certificate warning is there too.
        And in your 4th step:

        4. Run Enable-CSComputer on each Pool and director Server.

        It included the Edge pool, right? That means I need to export-csconfiguration and import the configuration file to each of the edge servers and run enable-cscomputer, right?
        Anyway, it really helped.
        So thank you very much again.

  10. Wolf

    Hello Shawn, I have a question. We have Lync 2010 and deployed domain A on 1 internal server and 1 Edge (in the DMZ) for external connections. I added a couple of domains (B, C, D) and created all internal DNS records. Certs are also updated with all SANs like,, etc. Internally all users in all the domains can sign in but not from external. I know there is an Edge pool but it can only be associated with one, because it will otherwise break the association from the existing one (domain A). How can I point external clients within domains B, C, D (the primary domain is A, which is working) to our Edge server? Do I need to add external SRV records to domain B (C & D) that point to our existing in this case and
    I guess if the Edge accepts the connections, sign in would work, because internally they can as well.

    Thanks in advance.

  11. Oddity

    OK here is a question. In my Lync environment we try to use the company email as the SIP; while every user has an acceptable email address, some users have a specialty SMTP that cannot be used with Lync. I have been tasked with trying to automate the Lync creation but get stopped every time I come across one of these users. Now I have tried to get the other domains added to the Lync system but that is a no go. How can I get Lync to look at the secondary email if it can’t enable the primary? I know it’s a little off topic but hopefully not too far.

    1. Shawn Kirkpatrick Post author

      Usually in these situations you have to look at either using the SAM address or specifically assigning the address. In a PowerShell script you should be able to pull most user information and use it to assign the SIP address, but this is not a feature of the Lync cmdlet itself.

  12. Tolga Akozenler

    Hi. I have Lync 2013 Standard and Edge Servers configured for my domain and running well with good functionality. I am able to create Lync users for whom I have created an NT account. We have another company with a different domain. If I add their domain name to the additional supported domains, can I create Lync users with their extension? In this case, is it possible that they will use their own domain controller but log on to Lync from my Lync servers? I couldn’t be sure, because when I want to enable users, Lync is able to list only the users in my domain that do not have a Lync account. I would appreciate it if you could answer my question. Thanks in advance.

    1. Shawn Kirkpatrick Post author

      If you add their SIP domain to your Lync you can create users in YOUR domain with their SIP extension. It is important to keep in mind that the SIP domain and Active Directory domain are separate and do not have to correlate. If you want their domain controllers to handle authentication, then you are looking at a cross forest scenario for your Lync which does require an Active Directory Trust. More information can be found at under the multiple forest section.

      1. Tolga Akozenler

        Thank you for the answer Shawn. This was really what I was looking for, I appreciate it.

  13. mike

    Thank you for your article, My domain is and users are using as their SMTP address. I deployed Lync with as a sip domain. But when I was trying to enabled users I got this message “specified SIP domain is not valid”. I am thinking I have to add a SIP domain for Before I do that I just want to make sure I am on a right track or what can you suggest me to do ?

    Thank you,

    1. Shawn Kirkpatrick Post author

      It is preferred practice that your users SIP address match their primary SMTP address. When enabling users you are likely using the default value of generating their SIP address off their email address, which if is not configured in Lync the error you get is expected. You are on the right track adding as a support SIP domains, just make sure you update all your certificates and DNS entries as well.

      I normally would not have configured as a SIP domain (even though it is the AD domain the server is joined to) unless some users had their primary email address in this domain. There is no harm in leaving it however beyond the extra cost on public certs.

  14. Himanshu

    Hi Shawn,
    Someone from our team added a new SIP domain to an existing Lync 2010 deployment. Users are unable to connect to Lync with the new sip address from the internet, it works fine through LAN. The srv records and certificates are in place. I am suspecting it to be an Edge configuration issue. How do I check if the domain is configured on the Edge server? Is there an option to check sip domains for which the Edge server will accept sip connections?

    1. Shawn Kirkpatrick Post author

      In 2010 the configuration of Lync replicates out to the Edge servers, so unlike OCS 2007R2 there is no configuration needed on the Edge in order to allow a new SIP domain added to the Topology. You can double check and make sure that the configuration on the Edge is up to date however by running Get-CsManagementStoreReplicationStatus. The Edge servers should show True in the Up to Date value.

      1. Himanshu

        Thanks for your reply Shawn. We found that even though port 4443 was open between FE and Edge server, the replication was not working between the two. A manual Export and Import of configuration on Edge server fixed the issue for us.

  15. shady

    Hello Shawn,

    Thanks for the useful article,I had a similar query though.
    We have two separate forests and with a two-way trust enabled. We have multiple domains within the forests. Can we have one Lync Enterprise pool in one of the domains within a forest and have multiple SIP domains added to the same irrespective of the forest? Your answer would be appreciated.

  16. Erwin

    Hi, I just have a few questions… hope you can help me. We have existing Lync 2010 deployed; now I’m installing new Lync 2013. Do I need to create a separate _sipinternaltls service record for my new Front End server 2013 as a pilot pool?

    1. Shawn Kirkpatrick Post author

      You can create a new record with a different priority for fail over but it is not necessary or recommended for a pilot. When a client hits a pool that _sipinternaltls points to it will be redirected to the proper user pool, in this case the 2013 pilot. You would then switch the SRV record to point to the 2013 pool when you are ready to have it in full production and are decommissioning the 2010 pool.

      1. Erwin

        Thanks Shawn, everything’s going well; our test users were migrated successfully and can log in, call, and message outside our network, except for the mobile devices Lync client. Shawn, is it possible to test the Lync 2013 mobile client as well? I read some forum regarding this and it said that it is possible, just need to add the FQDN name of the Front End server to the existing Edge certificates and enable the federation port 5061 on Edge 2013. Thank you so much.

  17. Paul

    I’m trying to learn as quick as I can, and I’m VERY much a newbie when it comes to this stuff, so this is probably a stupid thing to ask, but why do I get an error when I chuck Enable-CSComputer into a PS (unknown cmdlet)? I’m trying to set up my very first Lync server to familiarise myself for work-related stuff, and I can’t even add a first user (I get invalid SIP domain) even though every domain I have is included in the topology and recognised by the local DNSs, but Enable-CSComputer is more my question: unknown cmdlet. 😦 08 R2 box btw, with 2010 Lync server.

  18. Dustain Ebaugh

    I just found this site and find it full of information. I have a situation where I have 2 companies, 2 separate forests, 2 separate Exchange Servers and 1 Lync Server. For simplicity the companies are (rv.local internally) and (sc.local internally). One is the parent of the other. Recently moved into the same building as Because we have projects and data going back and forth, I have created a 2-way trust between the domains. The Exchange servers do not see one another. This has been working fine for a couple of months now. has had Lync running for a couple of years now. I would like to bring the users into the fold so they can start using Lync. What is the best way to accomplish this? The current Lync does not allow for external access, only when users are on the network or tunneled in via VPN.

  19. Pingback: Anatomy of a SIP Domain Change | Inside Lync

  20. Lushanthan

    hi LyncFreak,
    I’m new to Lync. And I have deployed Lync 2013 (in the lynctest.local domain) in my office environment, which is in another domain (company.local). When I was running the Lync sample applications from my office domain, I got the error “There was a problem verifying the certificate from the server”. My user name was actually lyncusr1.lynctest.local and I have pointed the DNS of my dev machine to the IP address of the lynctest.local domain so that it can resolve the address. I actually don’t need to connect users from different domains, but just to trust my domain from which I’m developing. I don’t need a new meeting address or anything. I want to connect as a user in my Lync domain from another domain. So, I think I just need my Lync domain to trust my office domain. Can you please help me on this?

    1. Lync Freak Post author

      Hi Lushanthan,

      Is your SIP domain the same as your AD/DNS domain for the machine? If not then you would want to name the pool you point clients to the same as the sip domain. For example even if your Lync server machine name is SE1.lynctest.local, but your sip domain is company.local you would want to create a new A record for (and add the corresponding name to the Lync certificate). This is the name you would point your SRV records to.

      You also want to make sure the Root CA from your test dev domain is added to the trusted authorities of either your machine, or your company’s primary domain. It is not enough to trust it with just your user account.

  21. arif

    Hi. each time I create a new sip domain,, I have to request the certificate again.
    Is there any method to update the last certificate with the newly created SIP domain?

    1. Lync Freak Post author

      It depends on who your certificate authority is. For private certificates using your own CA, there is not really an issue with just requesting a new cert. For your public certificates, some authorities such as Digicert will let you update your existing cert to minimize cost. Be aware though that these companies charge by the number of SAN names on the certificate, so if you add a new sip domain name there will still likely be an increased charge.

  22. peter

    i need to change the primary sip domain in lync 2010, ex: to
    Does the domain have to exist in AD? Should it be a real domain?


    1. Lync Freak Post author

      It is important to remember that the different domain types do not have to coordinate. There is a SIP domain, DNS domain, AD domain, and SMTP domain. Although they all use the word domain, they are not the same. So you do not need an AD domain to match your new SIP domain, but you will likely need to create a matching DNS domain to support lookups.

      So to clarify, Lync does require an AD forest in order to function, but the AD domain name doesn’t have to match the SIP domain defined in Lync.

  23. Pingback: Exchange 2010 and Lync 2010 integration when SIP address does not match primary SMTP address | MS Exchange Blogs and Tutorials

  24. Nick

    Hey, just came across your blog and I was hoping that you could help me out with some issues we’ve been having.

    We currently have CUCM, and we are looking at deploying a new client (Lync or Cisco Jabber). I’d like to go with Lync, but we need to be able to route calls through CUCM to the Cisco handsets and have Lync call control (answer a call to DID, initiate a call to a DID from Lync through handset, etc). Is this feasible in a clean way with a good user experience? The CUCI client looks like a pretty poor implementation, I’d really rather avoid that route.

    Any advice you could provide would be greatly appreciated!

    1. Lync Freak Post author

      It is possible to have Lync control the Cisco handset using RCC and a Cisco CUPS server. As with almost any integration there are limitations on features and the like.

  25. Monte

    You actually make it seem so easy with your presentation
    but I find this topic to be actually something which I
    think I would never understand. It seems too complicated and very broad for me.
    I’m looking forward to your next post; I will try to get the hang of it!

  26. Frank

    I’ll be honest, I’m reading so many mixed reviews that now I’m completely and utterly confused. If you can shed any light on this I will forever be in debt. I bet this is a no-brainer for you; for whatever reason, it’s just giving me trouble. Maybe it’s best provided by an example Front-end and Edge certificate given the six items below.

    #1 – It’s not an option for us to continually update our public certificates when adding new SIP domains (we will have hundreds of these, new ones daily)
    #2 – It’s not a requirement for clients to be able to automatically connect their clients, manual configuration is fine.
    #3 – It is fine if users receive a security alert when signing in due to everyone’s SRV record to point to our Access Edge (
    #4 – It’s not an option for us to utilize a Multi-tenant deployment, the infrastructure and networking requirements for everything to be external facing with no NAT, was way too high. We’re going to split tenants up using a 3rd party Control Panel Product that provides basic tenancy.
    #5 – We are going to utilize the Simple URL syntax of to allow for only 1 DNS entry and 1 Certificate entry.
    #6 – We do not require any interoperability between different clients, Lync to Lync is all we need

    I would like to implement a certificate and DNS scheme that allows for the least amount of administrative effort as you can see, but allow for flexible SIP on boarding.

    Here’s where my confusion comes in from my weeks of research:
    #1 – Microsoft does not list Wildcard Support for SIP for Front-end

    #2 Microsoft Cert. Req. External Access doesn’t show support for wildcard SIPs either.

    #3 Forum Post of on boarding 40 SIP domains ( Sean_Xiao’s post is interesting. Mentioning it may be possible to implement a SAN entry on the access edge of “” and just have all SIP domains point their SRV records to it, a security warning is displayed, but that’s fine.

    #4 Planning for Deploying External Services(Microsoft Lync Unleashed Book) “..many functions in Lync Server simply don’t work well or at all if a wildcard certificate is used. Even if it does appear to work for some clients or features, it can produce some odd behavior which makes troubleshooting very difficult. At this time, the recommendation is to avoid using a wildcard certificate for any Lync Server roles.”

    #5 – This blog brings more confusion; it states we can technically use Wildcards for Front-end and Edges, as long as we’re okay with no interop.

    With all of this being said and taking into consideration our goals, now you can see why I am confused hopefully. At the end of the day, would this Front-end Certificate and Edge Certificate Scheme work for our scenario? I think many other small / medium businesses would appreciate this clarification.

    – Use the exact same public certificate between our two edge servers in a pool with exported private keys
    – One certificate for Access / Web Conferencing / Edge External and A/V authentication services
    – Subject Name: is the Access Edge External Interface (
    – Subject Alternative Names:,
    * Do not include SIP FQDN for auto-configuration

    Now, say I have 40 different SIP domains that need to connect, and none of them are listed in the certificate, if they create an External DNS record for their domain's SRV 443 –> and then configure their Lync client manually to point to the external host

    Will this work, what am I missing here?

    All users are going to be 100% External


    SN = LYFEPOOL01.domain.local
    SAN = LYFEPOOL01.domain.local
    *Not including any SIP domains

    Web Internal
    SN = LYFEPOOL01.domain.local
    SAN= LYFEPOOL01.domain.local
    SAN = (Simple URLS)

    Web External
    SN = LYFEPOOL01.domain.local
    SAN =
    SAN = (Simple URLS)

    Your thoughts on how I can put this to rest would be greatly appreciated!

  27. Frank

    Glad I found your Blog! I’m in a particular situation here myself. Here’s an example.

    We are constantly acquiring new companies (every month) and they need to be able to utilize their own domain names when signing in to Lync.

    Example: owns and are listed as subject alternative names in the Public Certificate for the Access Edge Service, everything works fine.

    Then we acquire two new companies (below); we can't possibly be expected to update our Public Certificate to add the new SANs for the new domains each time?

    I understand Wildcard certificates for SAN causes problems? I don’t think we have a choice?

    If worst comes to worst, are you saying we don't necessarily need to add all of our acquisitions as SANs on the Access Edge? They will just have to manually configure their Lync Clients? (That's fine by us)

    1. Frank

      What if we just keep entering DNS records for all of our acquisitions' domains to avoid updating the certificates?


      1. Lync Freak Post author

        CNAMEs will not help with the auto client login or federation situation. The client checks for on the certificate of the FE/Edge server when attempting auto configuration. This is worth a read

        It is also important to remember the following with DNS records for Lync from the above article
        Make sure that the target of any SRV record is an A record. Using CNAME records as targets is not supported by Lync and is not allowed per RFC2782 – A DNS RR for specifying the location of services (DNS SRV) –

        Lync online gets around the requirement of domain certs on their Edge servers because is coded into the registry during install to be a trusted domain. It is not supported to add your own domain to this key, but for knowledge sake it is located here- HKEY_CURRENT_USER\Software\Microsoft\Communicator\TrustModelData. This does not affect federation however and federated partners would still need to manually federate with your access edge server.
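        Added example (not from the post or from Lync itself): an offline pre-flight check for the two requirements stated above, that an SRV target must be an A record and that the SIP domain must appear on the Access Edge certificate, run over constructed DNS and certificate data. The `_sip._tls` record name, the `sip.<domain>` naming and the rule that any certificate name under the SIP domain satisfies the client are assumptions, and all host names are made up.

```python
# Constructed DNS data (assumption, not a real zone): name -> (type, target/address)
DNS = {
    "_sip._tls.contoso.example": ("SRV", "sip.contoso.example"),
    "sip.contoso.example": ("A", "203.0.113.10"),
    "_sip._tls.fabrikam.example": ("SRV", "sip.fabrikam.example"),
    # CNAME as SRV target: not allowed per RFC 2782 and not supported by Lync
    "sip.fabrikam.example": ("CNAME", "sip.contoso.example"),
    # tailspin.example has no SRV record at all (manual client config only)
    "sip.tailspin.example": ("A", "203.0.113.10"),
}

# Constructed subject/SAN list of the Access Edge certificate (assumption)
EDGE_CERT_NAMES = {"sip.contoso.example", "webconf.contoso.example",
                   "av.contoso.example"}


def cert_covers(domain, cert_names):
    """Assumed client rule: some certificate name equals the SIP domain
    or sits beneath it (for example sip.<domain>)."""
    return any(n == domain or n.endswith("." + domain) for n in cert_names)


def check_sip_domain(domain, dns=DNS, cert_names=EDGE_CERT_NAMES):
    """Return the problems that would break automatic client configuration
    or federation discovery for one SIP domain (empty list means OK)."""
    problems = []
    srv = dns.get(f"_sip._tls.{domain}")
    if srv is None or srv[0] != "SRV":
        problems.append("missing _sip._tls SRV record")
    else:
        target = srv[1]
        rec = dns.get(target)
        # RFC 2782: the SRV target must resolve via an A record, never a CNAME
        if rec is None or rec[0] != "A":
            problems.append(f"SRV target {target} is not an A record")
    if not cert_covers(domain, cert_names):
        problems.append("certificate lacks a name for this SIP domain "
                        "(manual sign-in and manual federation only)")
    return problems


def check_all(domains, dns=DNS, cert_names=EDGE_CERT_NAMES):
    """Map each SIP domain to its list of problems."""
    return {d: check_sip_domain(d, dns, cert_names) for d in domains}


if __name__ == "__main__":
    report = check_all(["contoso.example", "fabrikam.example", "tailspin.example"])
    for d, p in report.items():
        print(d, "OK" if not p else "; ".join(p))
```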

    2. Lync Freak Post author

      Correct, you don’t have to add all of them. You would then have to manually configure the clients, and Federation discovery would not work (Federated Partners could still enter your domain and access edge server in directly and this would work.)

      1. Frank

        Thank you very much for the reply. Essentially we are a reseller of Lync. Our Primary SIP domain will be something like “” we want to be able to bring on tenants and allow them to use their own domain names within Lync, with the least administrative effort on our end.

        Would we be required to perform all other steps beside updating the certificate when bringing on new clients?

        As for their client configuration, because we won’t be updating our certificates, would they just manually configure their External IP in Lync to point to our Edge? (i.e. and boom, they're in with their domain?

  28. Jeremy


    I am using domain.lan for internal use and for public.
    My Lync infrastructure works with, but I need to create a Lync User like: user@domain.lan.
    How can I add this into my Lync infrastructure so I can create the settings?

    1. Lync Freak Post author

      I would normally advise against using a non public domain for a SIP Domain. For best practice the user's SIP address should be the same as their Primary SMTP address. You can however add this SIP domain as described above with two differences. On the Meet URL configuration, make sure to add it as an extension of your public domain. For example You also will not be able to use auto client configuration from the outside. The main reason for these restrictions is that most public cert providers nowadays will not approve an internal domain name on a cert.

  29. Ed

    Is there a setting on the Lync desktop client to relax the requirement that the certificates have every domain in them?

    1. Lync Freak Post author

      The records for each domain are required for automatic client configuration. The records are also used for federation discovery. You can manually configure the clients so that the records are not needed by specifying the sign in server, but any partners that federate will have to specify your Access Edge server directly as well.

  30. Rob

    @Greg S
    I’m having the same issues here at my company. They want everything and they wanted it yesterday. F5, all the same you mention above. Sigh.

  31. Brian Osley

    Hi, good article, thanks for the info. I have an existing Lync deployment with a single SIP domain (say, and same as Greg S, they are now asking me to add all 9 of our email domains to it so those working for Fabrikam have SIP addresses, for example. However, they don’t want to have to set up all of their contacts all over again if their SIP addresses change as they have a lot of Yahoo contacts in their Lync clients. For example, say I have a Lync user whose SIP address currently is and wants it to be changed to but doesn’t want to have to send out all new buddy requests to his 200 Yahoo contacts to have them add him as is there a way to change his SIP name but still have it where the Lync Edge and Front-end servers know where to route incoming IMs to his old SIP address? Thanks for any assistance you can provide.

    1. Lync Freak Post author

      There is not a built in way to redirect those requests. However with UCMA and custom scripting or a third party product it may be possible to accomplish this. Each user can only have one SIP address assigned unlike email, so you would need a script to identify the users with the new domain and rewrite it in transit, which would likely require a database dip. I don’t know of any products myself for this so I cannot suggest one.

      In the long run it would likely be simpler for them to send out an email update than maintaining an add-on or custom code simply to keep an old address relevant.

  32. Greg S (@GregSeeber)

    So. I’m using your doc as my starter on this crazy “we gotta have all our 13 email domains SIP enabled” and YOU gotta do it. haha. The only thing that sucks about Lync is the certificate stuff … that, with the reverse proxy… with the F5 HLB … with the FE servers … all the moving pieces … it’s hard to keep everything organized and think through everything. eh? maybe it’s just me.

  33. CF

    Great post, the part that I don’t understand is how the authentication process works with the new sip domain. Do you need to have a trust between both domains in order for this to work?

    1. Lync Freak Post author

      It’s important to remember that the SIP domains are different from the AD domain, just as with Exchange and accepted domains. For example a company could have just one AD domain company.local, and two SIP domains and In fact the internal AD domain would not be represented in the SIP domains at all for that case.

      That being said, Lync is a Forest level application; so if you add a new AD domain into an existing forest, you would simply need to run Domain prep in the new domain. At that point you could enable users in the new Domain, and the authentication would use the Domain trust within the Forest.

      In the case of adding users from a separate forest, there would need to be a trust between them. You also would need to create AD contact objects in the Forest that houses Lync and sync some user data from the accounts in the new forest as per Authentication does then use the trust and the credentials from the user's home forest.

