OCS Standard 2007 in Multiple Domains Environment cannot communicate between domains

  • Question

  • Hello,

     

    We've just deployed OCS 2007 Standard Edition in our company and we are encountering several problems:

     

    Our current topology consists of:

    • 1 Forest - root.corp (Windows 2003 Functional Level) - with no users or any objects.
    • 3 Child Domains - AA.root.corp / bb.root.corp / cc.root.corp
    • Each child domain has its own Exchange 2007 server, and the external email address for all users is the same: @root.com
    • The global settings are kept in the configuration container.
    • Each child domain was installed with an OCS 2007 Standard Edition server, and it is working properly internally between users.
    • An internal CA server exists in the root domain for certificates.
    • Ports 5061 & 5062 are open between the servers.
    • All services are running, and the installations were completed successfully on each server, including the certificate enrollment.
    • Each OCS server has the root CA certificate installed.
    • The SIP domains are: root.corp, aa.root.corp, bb.root.corp, cc.root.corp
    • Each certificate was issued with the subject alternative name of its FQDN.
      For example, on the server AA-OCS.aa.root.corp these are the SANs:

      DNS Name=aa-ocs.aa.root.corp

      DNS Name=sip.root.corp

      DNS Name=sip.aa.root.corp

    • In DNS, there is an SRV record _sipinternaltls.<domain name> that points to AA-OCS.aa.root.corp for all the other child domains (bb.root.corp and cc.root.corp).

    When I'm using a user from the aa.root.com domain, I can search for users in other domains, but I can't see their presence and I can't send them messages because I receive an error in Office Communicator:

    "The following message was not delivered to ryantest. More details (ID:504)"

    In addition, I get the following error in the event viewer:

     

    Event Type:       Error

    Event Source:    OCS Protocol Stack

    Event Category: (1001)

    Event ID:          14428

    Date:                8/4/2008

    Time:                3:28:34 PM

    User:                N/A

    Computer:         AA-OCS1

    Description:

    TLS outgoing connection failures.

     

    Over the past 0 minutes Office Communications Server has experienced TLS outgoing connection failures 1 time(s). The error code of the last failure is 0xC3E93D6A (SIPPROXY_E_ROUTING_UNKNOWN_SERVER) while trying to connect to the host "BB-OCS.bb.root.corp".

    Cause: Wrong principal error could happen if the peer presents a certificate whose subject name does not match the peer name. Certificate root not trusted error could happen if the peer certificate was issued by remote CA that is not trusted by the local machine.

    Resolution:

    For untrusted root errors, ensure that the remote CA certificate chain is installed locally. If you have already installed the remote CA certificate chain, then try rebooting the computer.

     

     

    As I mentioned before, the root CA certificate is installed. What could be the reason for the error?

    1. Something regarding wrongly issued certificates or subject alternative names?

    2. Incorrect DNS record implementation?

    3. Other ports in the firewall that need to be open?

     

    I'd appreciate your help...

     

    Monday, August 4, 2008 10:22 PM

Answers

  • Hi,

     

    In the end I've solved the problem; it was wrongly issued certificates.

    I've created a new certificate that includes only:

    1. The name of the server - aa-ocs.aa.root.corp

    2. The SIP domain name of the server - sip.aa.root.corp

     

    After doing it (and restarting the OCS services, including IIS), the OCS servers could communicate with each other.

    Wednesday, August 6, 2008 7:08 AM
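    The accepted answer fixes the problem by issuing a certificate whose CN is the server FQDN and whose SAN carries the server's SIP name, which is exactly what the event log's "wrong principal" cause describes. As an added check that is not part of the thread, the PowerShell below inventories the certificates in the local machine store of an OCS server, extracts CN and the "DNS Name=" SAN entries, builds the chain to surface an untrusted root, and flags whether the server FQDN and SIP name are present. It assumes the SIP name is sip.<server's DNS domain> (e.g. sip.aa.root.corp for aa-ocs.aa.root.corp); adjust $sipName if your SIP domain differs.

```powershell
# Added diagnostic (not from the thread): check local certificates for OCS MTLS suitability.
# Assumption: SIP name is sip.<DNS domain of this server>; edit $sipName if that is not the case.
$serverFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$dnsDomain  = $serverFqdn.Substring($serverFqdn.IndexOf('.') + 1)
$sipName    = "sip.$dnsDomain"

Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey } | ForEach-Object {
    $cert = $_

    # OCS uses the subject CN as the server principal for MTLS, so it must equal the FQDN.
    $cn = ''
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $Matches[1].Trim().ToLower() }

    # Subject Alternative Name extension (OID 2.5.29.17); Format($true) yields one
    # "DNS Name=<host>" entry per line, the same layout the event log and the question show.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = @()
    if ($sanExt) {
        $san = @(($sanExt.Format($true) -split "`r?`n") |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLower() })
    }

    # Build the chain the way a peer would; a failed build means "certificate root not trusted"
    # on the other side unless the issuing CA chain is installed there too.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    New-Object PSObject -Property @{
        Thumbprint   = $cert.Thumbprint
        CN           = $cn
        SAN          = ($san -join ';')
        CNIsFqdn     = ($cn -eq $serverFqdn)
        FqdnInSAN    = ($san -contains $serverFqdn)
        SipNameInSAN = ($san -contains $sipName)
        ChainTrusted = $chainOk
        ChainStatus  = $status
        NotAfter     = $cert.NotAfter
    }
} | Select-Object Thumbprint, CN, CNIsFqdn, FqdnInSAN, SipNameInSAN, ChainTrusted, ChainStatus, NotAfter, SAN |
    Format-Table -AutoSize
```

Run it on each OCS server; the certificate bound to port 5061 should show CNIsFqdn, FqdnInSAN, SipNameInSAN and ChainTrusted all True, and the same root CA must be trusted on every peer that connects to it.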

All replies

  • Do you have any network traces taken between servers when trying to make this communication?  This would be very helpful in resolving the issue.  You also mentioned that the SAN has the machine FQDN.  What is the CN of the certificate?  The server is going to use the CN for MTLS communication.

     

    --geoff

    Monday, August 4, 2008 11:53 PM
  • I don't have a network trace between the servers; I'll try to get one today.

     

    the CN is:

    aa-ocs.aa.root.corp

    and the SAN is:

    DNS Name=sip.root.corp

    DNS Name=sip.aa.root.corp

    DNS Name=aa-ocs.aa.root.corp

    Tuesday, August 5, 2008 7:21 AM
  • Have you enabled federation between the different domains?  Since these servers are not in the same pool, they won't just be able to connect and talk to each other. 

     

    Tuesday, August 5, 2008 12:20 PM