locked
OCS R2 DNS SRV CNAME auto-login no longer works RRS feed

  • Question

  • Hey,

    My pool is still OCS 2007 R1 but I figured I would try out the OCS 2007 R2 client before moving my servers to R2. I have run into a problem with the auto-login once I use the R2 client though the R1 client auto-logins fine with my DNS 'trick' of CNAME records that I will discuss below. Anyone else have this issue?

    Basically my pool is in an internal domain name of internaldomain.local
    My SIP userID is in the SIP domain externaldomain.com

    To get the auto-login to work in R1 I did a little DNS work around as follows:
        -In the externaldomain.com zone I created a CNAME record of ocspool.externaldomain.com to resolve to ocspool.internaldomain.local
        -I then created a SRV record of _sipinternaltls._tcp.externaldomain.com to the host CNAME record I created above of ocspool.externaldomain.com  and another SRV record of _sipinternal._tcp.externaldomain.com to the host CNAME record I created above of ocspool.externaldomain.com

    This worked perfect for OCS 2007 R1 client to auto-login. Now with the the R2 client it doesn't seem to like this CNAME trick. I did a wireshark and on the R1 client it's satisfied looking up the _sipinternaltls srv record then proceeding to login but with the R2 client it resolves the SRV record the same way but then continues down the list of records to lookup then doesn't login.

    Is this intentional by MS to prevent the CNAME workaround? I'm just trying to think of a new way to do this then aside from using group policy to manually assign the server address.

    Thanks,
    Mike


    Mike
    Tuesday, February 3, 2009 8:58 PM

All replies

  • Mike,

    I'm not aware that there have been changes to this though based on your issue it's certainly possible that there have been.  However, you can avoid using group policy by creating the pool record as an A rather than CNAME and then referencing the A record in the SRV.  That's guaranteed to work and doesn't require any more records than you have now.
    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Tuesday, February 3, 2009 9:16 PM
    Moderator
  • Mike,

    Use of CNAME records were never supported in OCS, even though I had gotten them to work in test labs before.  That standpoint may have been in preparation for something in R2 although I haven't heard of a specific change that would affect it.  Sounds like you have though.

    Is there a reason you have not just created a second A record for ocspool.externaldomain.com which points to the same IP address that the current A record for ocspool.internaldomain.local points to?  The only caveat there is to only create a single PTR record, but that's for troubleshooting help, OCS doesn't utilize reverse IP lookup.
    Jeff Schertz, PointBridge | MVP | MCITP: Enterprise Messaging | MCTS: OCS
    Tuesday, February 3, 2009 9:39 PM
    Moderator
  • That makes sense to me. Looks like I am doing this on my R1 infrastructure because I didn't include the additional SAN's on my ocspool certificate for the external SIP domain and I guess found the DNS trick a quicker fix then re-requesting the certificate. When I roll out R2 I will request the certificate properly and do the DNS srv record the recommended way.

    Thanks for your time guys.

    Mike


    Mike
    Tuesday, February 3, 2009 10:13 PM
  • That should be fine - either server will act as a director and forward clients to the correct pool.


    Mike Stacy | Evangelyze Communications | http://www.evangelyze.net/cs/blogs/mike
    Tuesday, February 3, 2009 10:34 PM
    Moderator