Configuring OCS 2007 for DNS Splitting
Automatic configuration allows Communicator to find and connect to the appropriate OCS server without manually entering a server name into its settings. Communicator has special requirements for DNS and certificates to make this work properly.
The problem is that OCS, like other Microsoft UC solutions, does not support multiple SIP names, while most organizations require split DNS as a security requirement.
Here is the scenario: an organization whose internal domain name is Contoso.ad runs an Exchange 2003 (E2K3) server with an e-mail address policy for @contoso.com, and it needs to deploy a new OCS server that serves both internal and external users.
Easy? It may look that way, but the problem is that Office Communicator is designed to sign in using a server within the same domain name; in our case the OCS FQDN must be OCSSRV.contoso.ad.
So far so good, but users must sign in with a name of the form email@example.com, so we also have to support the contoso.com SIP domain.
Confused? It is a little tricky. Here is the solution:
Hosting Domains: Contoso.ad, Contoso.com
OCS Computer FQDN: OCSSRV.contoso.ad
Supported SIP Domains: Contoso.ad (default, inherited from AD)
DNS Records (Internal)
Split DNS configuration is a requirement for automatic configuration. Simply put, split DNS means you have two DNS zones for one domain name. One DNS zone exists on internal DNS servers and provides name resolution only for internal clients. Another DNS zone exists on external DNS servers to service external clients.
Split DNS is required so that users can use the same sign-on name in Communicator and have their correct login server resolved inside and outside the network.
First, create a primary DNS zone named Contoso.com on the internal DNS servers and create an A record in it for the OCSSRV server.
The following SRV records need to be created. Note that these records must be created in the DNS database of the servers authoritative for the particular zone.
Service Records (SRV)
To support multiple domains for encrypted communications, every front end in the pool must be configured with a certificate. The certificate must match the FQDN returned by any DNS SRV query, so it must contain multiple entries. These entries are Subject Alternative Names (SANs), and the certificate must include the FQDN of the pool and one entry for each supported SIP domain.
Subject Alternative Name
I tried to do that through the OCS certificate configuration wizard... It should work, but if it fails you can do it another way.
You have to add a Subject Alternative Name (SAN) to your OCS certificate. The certificate request is submitted to a certification authority (CA) that runs on a Microsoft Windows Server 2003-based computer. The SAN lets you connect to a domain controller by using a Domain Name System (DNS) name other than the computer name. I will explain how to add SAN attributes to a certificate request that is submitted to an enterprise CA (ContosoCA).
How to configure a CA to accept a SAN attribute from a certificate request
By default, a CA that runs on a Windows Server 2003-based computer does not issue certificates that contain the SAN extension. If SAN entries are included in the certificate request, they are omitted from the issued certificate. To change this behavior, run the following commands at a command prompt on the server that runs the Certification Authority service. Note that this flag applies to the whole CA rather than to one template: once it is set, any requester who is permitted to enroll can specify SAN values in a request, so keep enrollment permissions tight and consider clearing the flag (the same certutil command with a minus sign instead of the plus) once the certificate has been issued.
Certutil -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
net stop certsvc
net start certsvc
How to create and submit a certificate request
When you submit a certificate request to an enterprise CA, the certificate template must be configured to use the SAN in the request instead of using information from the Active Directory directory service.
How to use Web enrollment pages to submit a certificate request to an enterprise CA
To submit a certificate request that contains a SAN to an enterprise CA, follow these steps:
- In Internet Explorer, connect to http://contoso.ad/certsrv.
- Click Request a Certificate.
- Click Advanced certificate request.
- Click Create and submit a request to this CA.
- In the Certificate Template list, click Web Server.
- Provide identifying information as required.
- In the Name box, type the fully qualified domain name of the OCS server.
- Under Key Options, set the following options:
  - Create a new key set
  - CSP: Microsoft RSA SChannel Cryptographic Provider
  - Key Usage: Exchange
  - Key Size: 1024
  - Automatic key container name
  - Store certificate in the local computer certificate store
- Under Advanced Options, set the request format to CMC.
- In the Attributes box, type the desired SAN attributes. SAN attributes take the following form:
  Multiple DNS names are separated by an ampersand (&).
- Click Submit.
- If you see the Certificate Issued Web page, click Install this Certificate.
Now return to OCS Deployment and run the Configure Certificate wizard.
Choose to assign an existing certificate and select the OCSSRV.contoso.ad server authentication certificate.
Assign the certificate in IIS and restart it.
Now you can sign in with firstname.lastname@example.org although your pool is OCSSRV.contoso.ad.
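The two requirements above (a split-DNS SRV lookup that lands on an A record in the right view, and a certificate whose SANs cover both the pool FQDN and every SRV target) are easy to get subtly wrong, so here is an added offline consistency check. It is example code written for this page, not part of the original post or of any Microsoft tool. All data is constructed: two DNS views of contoso.com in a minimal zone-file-like listing, and SAN attributes in the ampersand-separated `san:dns=name1&dns=name2` form from the enrollment steps. The SRV owner names `_sipinternaltls._tcp` (internal) and `_sip._tls` (external), the external host `sip.contoso.com`, and the IP addresses are assumptions for illustration, not taken from the page.

```python
# Offline check of split-DNS SRV records against certificate SANs.
# Example code for this page; zone data, SAN strings and SRV owner names are
# constructed assumptions, not taken from the original post.
import re
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def _norm(name: str) -> str:
    """DNS names compare case-insensitively; a trailing dot is not significant."""
    return name.rstrip(".").lower()


def parse_zone(text: str) -> Dict[str, Dict[str, object]]:
    """Parse '<owner> A <ipv4>' and '<owner> SRV <prio> <weight> <port> <target>'
    lines (constructed format) into a table keyed by normalised owner name."""
    zone: Dict[str, Dict[str, object]] = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' begins a comment
        if not line:
            continue
        parts = line.split()
        entry = zone.setdefault(_norm(parts[0]), {})
        rtype = parts[1].upper()
        if rtype == "A":
            entry["A"] = parts[2]
        elif rtype == "SRV":
            prio, weight, port = (int(x) for x in parts[2:5])
            entry["SRV"] = SrvRecord(prio, weight, port, _norm(parts[5]))
        else:
            raise ValueError(f"unsupported record type in line {raw!r}")
    return zone


def sip_domain_of(sign_in_address: str) -> str:
    """Automatic configuration derives the SIP domain from the part after '@'."""
    return _norm(sign_in_address.rsplit("@", 1)[1])


def parse_san_attribute(attr: str) -> List[str]:
    """Parse 'san:dns=a&dns=b' into ['a', 'b'] (assumed Web-enrollment form)."""
    match = re.fullmatch(r"san:(.+)", attr.strip(), flags=re.IGNORECASE)
    if not match:
        raise ValueError("attribute must start with 'san:'")
    names = []
    for item in match.group(1).split("&"):
        key, _, value = item.partition("=")
        if key.strip().lower() != "dns" or not value.strip():
            raise ValueError(f"unexpected SAN item {item!r}")
        names.append(_norm(value.strip()))
    return names


def check_view(zone: Dict[str, Dict[str, object]], sign_in_address: str,
               srv_service: str, pool_fqdn: str, san_names: List[str]) -> List[str]:
    """Return everything that would break sign-in from one DNS view. An empty
    list means the SRV record exists, its target has an A record in this view,
    and both the target and the pool FQDN are covered by the certificate SAN."""
    problems: List[str] = []
    san = {_norm(n) for n in san_names}
    pool = _norm(pool_fqdn)
    if pool not in san:
        problems.append(f"certificate SAN lacks pool FQDN {pool}")
    owner = f"{srv_service}.{sip_domain_of(sign_in_address)}"
    srv = zone.get(owner, {}).get("SRV")
    if not isinstance(srv, SrvRecord):
        problems.append(f"no SRV record {owner}")
        return problems
    if "A" not in zone.get(srv.target, {}):
        problems.append(f"SRV target {srv.target} has no A record in this view")
    if srv.target not in san:
        problems.append(f"certificate SAN lacks SRV target {srv.target}")
    return problems


# Constructed views. Internal: the contoso.com zone created next to contoso.ad,
# with an A record for the OCSSRV pool. External: the public zone pointing at a
# hypothetical Internet-facing host. Addresses are placeholders.
INTERNAL_VIEW = """
ocssrv.contoso.ad.                A   10.0.0.10
ocssrv.contoso.com.               A   10.0.0.10
_sipinternaltls._tcp.contoso.com. SRV 0 0 5061 ocssrv.contoso.com.
"""
EXTERNAL_VIEW = """
sip.contoso.com.        A   203.0.113.10
_sip._tls.contoso.com.  SRV 0 0 443 sip.contoso.com.
"""
FULL_SAN = "san:dns=OCSSRV.contoso.ad&dns=ocssrv.contoso.com&dns=sip.contoso.com"
SINGLE_NAME_SAN = "san:dns=OCSSRV.contoso.ad"   # pool name only, no SIP-domain entry


def run_example() -> Dict[str, List[str]]:
    """Both views against the full SAN, then the internal view against a
    certificate that carries only the pool FQDN (the common mistake)."""
    user, pool = "user@contoso.com", "OCSSRV.contoso.ad"
    internal, external = parse_zone(INTERNAL_VIEW), parse_zone(EXTERNAL_VIEW)
    full, single = parse_san_attribute(FULL_SAN), parse_san_attribute(SINGLE_NAME_SAN)
    return {
        "internal": check_view(internal, user, "_sipinternaltls._tcp", pool, full),
        "external": check_view(external, user, "_sip._tls", pool, full),
        "internal_pool_name_only": check_view(internal, user, "_sipinternaltls._tcp", pool, single),
    }


if __name__ == "__main__":
    for view, problems in run_example().items():
        print(f"{view}: {'OK' if not problems else '; '.join(problems)}")
```

The third case reproduces the failure the post is about: a certificate issued for the pool name alone passes the pool check but not the SRV-target check, which is exactly what the SAN entry per SIP domain fixes. Against a live deployment, replace `parse_zone` with a real SRV and A lookup from a client on each side of the split and feed the SAN list read from the installed certificate; remember that the external view is normally answered by an edge host with its own certificate rather than by the pool.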
Check this also at the UC Guy