PointBridge Blogs

DNS Lookups with OCS Automatic Configuration

By: Jeff Schertz Posted: November 7, 2007 at 9:19 PM

Between the OCS 2007 Deployment documentation, official Resource Kit, and blog/forum posts I've seen some discrepancies regarding the exact names (and order) of lookups performed by an Office Communicator 2.0 client when attempting to connect to an Office Communications Server when utilizing Automatic Configuration. Specifically I've seen reference to the automatic fall-back of looking for A records starting with sip, or instead with sipinternal, and sipexternal. Well, I discovered that it's actually all three.

To view the behavior I purposely deleted the DNS records I previously created in my lab environment during initial OCS deployment. After removing the SRV record _sipinterntls._tcp.schertz.local and the A record sip.schertz.local I flushed the DNS cache on my XP guest and launched Office Communicator, and was immediately presented with the error message: "Cannot sign in because the server is temporarily unavailable. If the problem persists, contact your system administrator."

Although you can enable logging from within Office Communicator it is not neccasary as the following Application event log entries will be created during the connection failure:

Event ID: 1

Communicator was unable to locate the login server. No DNS SRV records exist for domain schertz.local, so Communicator was unable to login.

Event ID: 3

Communicator was unable to resolve the DNS hostname of the login server sipinternal.schertz.local.

Event ID: 3

Communicator was unable to resolve the DNS hostname of the login server sip.schertz.local.

Event ID: 3

Communicator was unable to resolve the DNS hostname of the login server sipexternal.schertz.local.

So it appears that if no SRV record is found then the fall-back is to look for standard DNS name records in the following order:

sipinternal.domain.com
sip.domain.com
sipexternal.domain.com

(Note: Microsoft documentation can be a little misleading in a few places as there are specific requirements on A records versus CNAME records, but this appears to refer to the name records paired with SRV records, meaning that a SRV record must always point to an A record, and not a CNAME record. but for the standard DNS fallback it appears that either a CNAME or A record will work the same.)

Next I created a new DNS Alias (CNAME) record of sipinternal.schertz.local and verified my client could resolve the new record. After reopening Office Communicator and attempting to sign-in, a slightly different error message appeared: "There was a problem verifying the certificate from the server. Please contact your system administrator." A peak at the Application log showed two new events:

Event ID: 1

Communicator was unable to locate the login server. No DNS SRV records exist for domain schertz.name, so Communicator was unable to login.

Event ID: 4

Communicator could not connect securely to server sipinternal.schertz.name because the certificate presented by the server did not match the expected hostname (sipinternal.schertz.name).

We can see that again the SRV lookup was tried first and failed, but the first name record lookup for sipinternal resolved to a server and a connection attempt must have been successful as the client received a certificate, but failed with a name-mismatch. Using the OCS management tool to access the Front End Server Properties on the server object we can see the currently applied certificate. Clicking Select Certificate, then highlighting the current open from the list and clicking View Certificate will let us look at the Subject Name and Subject Alternative Name fields under the Details tab.

The certificate verification error is reported because sipinternal.schertz.local is not in the certificate's SAN field, although sip.schertz.local is. This behavior underlines the importance of including any potential sip DNS names in the OCS server certificates.

cert screen shot

Next I created another new DNS record for sip.schertz.local, but left the malfunctioning sipinternal record in DNS. Although there was still a certificate error when using sipinternal, Office Communicator will not continue to look for other DNS records, it simply stops at the first successful resolution regardless of what happens after a connection attempt is made to the remote server. So I deleted the sipinternal record and tested sign-in again, which worked correctly utilizing the sip.schertz.local record. At this point I recreated the previous SRV record to restore the previous configuration.

Comments

Add Comment

Share It

	Your Name:
	Your Email:		**will not be displayed
	Comment Title:
*	Comments:
		If you cannot read the code, please click here to get a new one. You won't lose your comments by doing so.
*	Security Code:

*	Your Name:
*	Your Email:		**will not be displayed
*	Recipient's Email:
*	Subject:
		If you cannot read the code, please click here to get a new one. You won't lose your comments by doing so.
*	Security Code:

Need a help

By: Logs | Posted: July 1, 2010 at 1:24 PM

Hi Jeff, thanks for this blog. I am currently facing the same problem (DNS records unavailable - server temporarily unavailable error) when I sign in from home. I use MS OCS 2007. My TSP is Comcast. Any idea how do I go about fixing this issue? Thanks, Logs

VPN (Voice Quality)

By: Micky Landrum | Posted: March 10, 2009 at 8:20 AM

Hello, is there a way to set up when folks come in using VPN (Citrix IP SEC)to stay connected to the edge server and not have the voice calls go through VPN? When we eliminate the route to the frontend server from VPN the client fails because it finds the SRV record of the FE and can't get there. The quality over IP Sec is not good.

Live Meeting DNSs

By: Jurij | Posted: November 8, 2008 at 10:11 AM

I have found these DNS addresses with Wireshark. Since it's in clear text yo can see the sequence. As Jeff mentioned, it is imortant to have correct records or better no additional records at all.

By: iamme | Posted: August 23, 2008 at 7:17 PM

You talk about Communicator, have you tested this with Live Meeting? The microsoft docs said it works like this with OCS clients, so I assume they mean both Communicator and Live Meeting, but just curious for sure.

By: FK | Posted: July 24, 2008 at 3:27 AM

Is there a way to register both of the SRV Records (intenal / external) on external DNS-Server? In one of our scenario we have only one external DNS server and client are redirected directelly to the external DNS from external network? Any ideas, how to handle automatic configuration for Communicator 2007 for internal and external configuration on one external DNS server? Thansk FK

By: Dino Caputo | Posted: March 14, 2008 at 10:23 PM

I've noticed the same behaviour even in a properly configured environment with autodiscover enabled. For specific users this behaviour comes to light simply ignoring the srv record which works fine for other users.. I can resolve the issue if I add CNAMEs for the 3 'auto-fallback' hostnames and create new certificates but this should not be necessary!! Have you implemented adding these fallback alias as a standard best practice to cover off for these strange scenarios? If so the cert companies must love it as you add more and SANs to the cert.. Regards, Dino

Nice find

By: OCS dude | Posted: February 6, 2008 at 2:59 PM

I've been dealing with this weirdness for a while (since beta), glad to see it confirmed. nicely done and informative.

Certificate naming...

Posted: January 16, 2008 at 4:35 PM

That was very informative - its much easier to delpy clients on automatic if you use sipinternal for the OCS certificate! Cheers Chris

Hello dear Jeff Schertz

Posted: November 12, 2007 at 1:39 AM

your help is very good thank you majid7575majid@yahoo.com

Subscribe to Jeff's Blog

See all of Jeff's Posts

About Jeff Schertz

Senior ConsultantJeff Schertz is a senior consultant for PointBridge, focused on unified communications. He has over 10 years of experience in the IT industry ranging from family-owned businesses to global product dev... [more]