multiple email domains under single active directory domain

  • Question

  • Hi,

    I have a problem where we are running a single Active Directory domain @domain1.com, which has different companies that have separate email addresses @domain2.com, @domain3.com, etc.

    Users in @domain1.com can log on successfully to OCS;
    those in other domains cannot, and this is the error message:

    Communicator was unable to locate the login server.  The DNS SRV record that exist for domain2.com point to an invalid server ocs.domain1.com which is not trusted to provide support for the domain because the server's domain is not an exact match..

    I have an SRV record for @domain2.com which points to the ocs.domain1.com OCS server.

    How do I get the other domains to be able to log on?

    thanks
    Leighton
    Friday, August 10, 2007 2:24 PM

Answers

  • Probably a certificate problem?

    To prevent DNS SRV spoofing and ensure that certificates provide valid ties from the user URI to real credentials, Office Communications Server 2007 requires that the name of the DNS SRV domain match the server name on the certificate. The subject name (SN) must point to sip.<domain>.com.

    The following doesn't quite apply to your situation, but is probably similar (i.e. you need to list the additional domains in the SAN of the server certificate).

    A certificate configured on the external interface with a subject name that matches the external FQDN of the edge server.  If you have multiple SIP domains, each supported SIP domain must be entered as sip.<domain> in the Subject Alternate Name of the certificate. For example, if your organization supports two domains a.contoso.com and b.contoso.com, SN=sip.a.contoso.com, SAN=sip.a.contoso.com, sip.b.contoso.com

    Wednesday, August 15, 2007 7:04 AM

All replies

  • I have domains - "vinnitsa.com.ua", pool - "pool02.vinnitsa.com.ua", but all SIP works for "*@vmr.gov.ua"!

    I did so. Communicator works.

    But on a local computer there is such an error:

    Тип события: Error
    Источник события: Communicator
    Категория события: not
    Код события: 2
    Дата:  29.08.2007
    Время:  9:57:42
    Пользователь:  Н/Д
    Компьютер: STN13
    Описание:

    Communicator was unable to locate the login server.  The DNS SRV record that exist for domain vmr.gov.ua point to an invalid server pool02.vinnitsa.com.ua which is not trusted to provide support for the domain because the server's domain is not an exact match.

    Resolution:
    The network administrator will need to double-check the DNS SRV record configuration to make sure that the SRV record for the domain points to a server name that conforms to the DNS naming convention in the server deployment guide.

    "http://go.microsoft.com/fwlink/events.asp".

    1. How to clear this error?
    2. What other problems can there be? (all works)

    Wednesday, August 29, 2007 7:24 AM
  • You can resolve your problems by creating A records for the edge/frontend server in each hosted domain.

    I.e.
      ocs.domain1.com. IN A 192.168.1.1
      _sip._tls.domain1.com. IN SRV 0 0 5061 ocs.domain1.com.

      ocs.domain2.com. IN A 192.168.1.1
      _sip._tls.domain2.com. IN SRV 0 0 5061 ocs.domain2.com.

    That will work if you have alternative subjects for all the domains.
    However, I have the same problem, but I have hundreds and thousands of domains, and the list of domains changes all the time. I simply cannot add all the domains to the certificate subject.

    I have a workaround of configuring Communicator to use advanced sign-in parameters, where I specify the server directly.
    However, this is not the best solution ever, so any other ideas are appreciated.

    Wednesday, August 29, 2007 10:32 PM
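As an added illustration of the rule the accepted answer describes and of the A-record workaround in the reply above (example code, not from the thread or from OCS), the following Python models the two checks a client like Communicator applies: the SRV target's domain must exactly match the SIP domain, and the server certificate must carry sip.<domain> as subject or subject alternative name. All domain names and certificate contents are constructed.

```python
"""Model of the SRV exact-match rule and the sip.<domain> certificate rule.
Added example; the checks are a simplification of what the thread describes,
not the product's own code. Names and certificates are constructed."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    """Minimal stand-in for a server certificate: subject plus SAN entries."""
    subject: str
    sans: list = field(default_factory=list)

    def names(self):
        return {self.subject.lower(), *(s.lower() for s in self.sans)}


def _norm(name):
    return name.lower().rstrip(".")


def srv_target_trusted(sip_domain, srv_target):
    """Exact-match rule: the SRV target host must sit directly under the SIP domain."""
    host = _norm(srv_target)
    parent = host.split(".", 1)[1] if "." in host else ""
    return parent == _norm(sip_domain)


def cert_covers_domain(cert, sip_domain):
    """Certificate rule from the answer: sip.<domain> must be an SN or SAN entry."""
    return f"sip.{_norm(sip_domain)}" in cert.names()


def check_login(sip_domain, srv_target, cert):
    """Return (ok, reason); the reasons mirror the error text quoted in the thread."""
    if not srv_target_trusted(sip_domain, srv_target):
        return False, f"SRV record for {sip_domain} points to {srv_target}, not an exact domain match"
    if not cert_covers_domain(cert, sip_domain):
        return False, f"certificate does not list sip.{_norm(sip_domain)}"
    return True, "ok"


# Constructed cases: the original poster's layout and the two suggested fixes.
CERT_SINGLE = Cert("ocs.domain1.com")
CERT_MULTI = Cert("sip.domain1.com", ["sip.domain1.com", "sip.domain2.com"])
CASES = {
    "original": ("domain2.com", "ocs.domain1.com", CERT_SINGLE),
    "a_record_only": ("domain2.com", "ocs.domain2.com", CERT_SINGLE),  # DNS fixed, cert not
    "a_record_plus_san": ("domain2.com", "ocs.domain2.com", CERT_MULTI),
}

if __name__ == "__main__":
    for name, args in CASES.items():
        print(name, check_login(*args))
```

The middle case shows why the reply adds the caveat about alternative subjects: fixing DNS alone moves the failure from the SRV check to the certificate check.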
  • pool02.domain1.com. IN A 192.168.1.1

    sip.domain2.com. IN CNAME pool02.domain1.com.

    _sipinternaltls.domain2.com. IN SRV 0 0 5061 sip.domain2.com.
    _sipinternal.domain2.com. IN SRV 0 0 5060 sip.domain2.com.

    SRV - gives an address in the domain!!!

    Is it a good decision?

    Thursday, August 30, 2007 6:53 AM