Split DNS And FQDN Values

  • Question

  • I have an internal domain of the format Comp.com and an external domain of FullCompName.com. We use FullCompName.com for SMTP and for all external communication, so this is what we will use for our SIP domain. However, during setup there are several DNS records to create for auto configuration and general setup, and they can't be changed (or are difficult to change) after the fact, so could someone please validate the following for me?

    SRV records must be in the FullCompName.com Zone since the client will be looking for the SIP domain correct?

    Pool name? This one I am not sure about since it is used internally by the servers should it be ocspool.Comp.com or ocspool.FullCompName.com ?

    Internal Web Farm I am a little confused about the naming on this, as well can I use ocs.comp.com or does it also need to match the FQDN?

    External Web Farm, this I know must be the same as the sip domain FullCompName.com but what should I call it? sip.FullCompName.com, meetings.FullCompName.com, ??? Any pros or cons?

    Wednesday, July 8, 2009 4:41 PM

Answers

  • If you are running true split-brain DNS then you have an internal and an external zone for fullcompname.com; if you only have the external zone then this will be a true challenge.

    The internal SRV record should point to an A record in the same zone as the SIP domain name that you are using. I prefer to use sip.fullcompname.com as this A record, because then if the SRV record ever disappears (very unlikely) the client will search automatically for sip.fullcompname.com. This does mean that on the certificate for the server or pool you have to include a Subject Alternative Name of sip.fullcompname.com.

    As far as external, you will need the SRV record to point to an A record (in the same zone) of your Access Edge server. Again, I use sip.fullcompname.com.

    Hope that helps some.


    mitch
    Wednesday, July 8, 2009 5:22 PM
  • To expand a bit further on what Mitch said.

    SRV records must be in the FullCompName.com Zone since the client will be looking for the SIP domain correct? - Yes, the record must match the sign-in domain.

    Pool name? This one I am not sure about since it is used internally by the servers should it be ocspool.Comp.com or ocspool.FullCompName.com - Your pool name for all internal use is in the comp.com zone.  The cert for your pool should be self-signed and should have a SN (Subject Name) that matches your pool name (this will be the same as the Server FQDN in Standard Edition), and a SAN (Subject Alternative Name) that matches the A record you use in your SRV record internally.  I agree with Mitch, using sip.fullcompname.com would be best.

    Internal Web Farm I am a little confused about the naming on this, as well can I use ocs.comp.com or does it also need to match the FQDN? - Internal Web Farm in OCS is where the Address Book Service and a number of other web components live; on a Standard Edition deployment this will be the same as your pool name.  All of this is run from IIS, and the certificate in IIS should have a SN (Subject Name) that matches the pool FQDN (which will be the FQDN of the machine in a Standard Edition deployment).

    External Web Farm, this I know must be the same as the sip domain FullCompName.com but what should I call it? sip.FullCompName.com, meetings.FullCompName.com, ??? Any pros or cons? - This address is used to reference your address book and other web components from outside of the network.  This will be an address such as ABS.FullCompName.com that will point to your reverse proxy server.  Your reverse proxy will then send the request on to the front end.

    Hope this helps!

    -KP
    Kevin Peters MCSE/MCSA/MCTS/CCNA/Security+ blog: www.ocsguy.com
    Thursday, July 9, 2009 7:28 PM
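The naming rules the two answers lay out (SRV record in the SIP-domain zone, SRV target an A record in that same zone, a fallback A record sip.<sipdomain>, pool cert SN = pool FQDN and SAN = SRV target) can be checked mechanically. The script below is an added example, not code from the thread; it models the zone and certificate as constructed in-memory data so it runs offline, and the IP addresses, the `Zone`/`Cert` classes and `check_sip_dns` are assumptions of this example. The SRV labels `_sipinternaltls._tcp` and `_sip._tls` are the real OCS 2007 auto-configuration records.

```python
from dataclasses import dataclass, field

@dataclass
class Zone:
    """One DNS zone view (internal or external) as the thread describes it."""
    name: str
    a: dict = field(default_factory=dict)    # host FQDN -> IPv4 (constructed sample data)
    srv: dict = field(default_factory=dict)  # SRV service label -> target FQDN

@dataclass
class Cert:
    """Pool / front-end certificate: Subject Name plus Subject Alternative Names."""
    subject_cn: str
    sans: list

# Real OCS 2007 auto-configuration labels: internal clients query
# _sipinternaltls._tcp.<sipdomain>, external clients query _sip._tls.<sipdomain>.
SRV_LABEL = {"internal": "_sipinternaltls._tcp", "external": "_sip._tls"}

def check_sip_dns(sip_domain, zone, view, pool_fqdn=None, cert=None):
    """Return the list of rule violations; an empty list means the layout follows the advice."""
    problems = []
    dom = sip_domain.lower()
    hosts = {h.lower() for h in zone.a}
    if zone.name.lower() != dom:  # the SRV record must live in the SIP (sign-in) domain zone
        return [f"{view} zone {zone.name} is not the SIP domain {sip_domain}"]
    target = zone.srv.get(SRV_LABEL[view])
    if target is None:
        problems.append(f"missing {SRV_LABEL[view]}.{sip_domain} SRV record")
    else:
        t = target.lower()
        if not t.endswith("." + dom):  # Mitch: target A record must be in the same zone
            problems.append(f"SRV target {target} is not in zone {sip_domain}")
        elif t not in hosts:
            problems.append(f"SRV target {target} has no A record in zone {sip_domain}")
        if cert and t not in {s.lower() for s in cert.sans}:  # KP: SAN must match SRV target
            problems.append(f"certificate lacks SAN {target}")
    if f"sip.{dom}" not in hosts:  # client fallback name if the SRV record ever disappears
        problems.append(f"no A record sip.{sip_domain} for client fallback")
    if cert and pool_fqdn and cert.subject_cn.lower() != pool_fqdn.lower():
        problems.append(f"certificate SN {cert.subject_cn} does not match pool FQDN {pool_fqdn}")
    return problems

# Constructed sample data using the thread's placeholder names.
GOOD_INTERNAL = Zone("FullCompName.com", a={"sip.FullCompName.com": "10.0.0.10"},
                     srv={"_sipinternaltls._tcp": "sip.FullCompName.com"})
BAD_INTERNAL = Zone("FullCompName.com", a={"ocspool.Comp.com": "10.0.0.10"},
                    srv={"_sipinternaltls._tcp": "ocspool.Comp.com"})  # target in wrong zone
POOL_CERT = Cert("ocspool.Comp.com", ["ocspool.Comp.com", "sip.FullCompName.com"])

if __name__ == "__main__":
    for label, zone in (("good", GOOD_INTERNAL), ("bad", BAD_INTERNAL)):
        print(label, check_sip_dns("FullCompName.com", zone, "internal",
                                   "ocspool.Comp.com", POOL_CERT) or "OK")
```

The same function covers the external view by passing `view="external"` with the public zone and the Access Edge A record as the `_sip._tls` target.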
