DNS records for TLS in OCS 2007 R2

Posted on 2009-12-20
Last Modified: 2013-11-29
I have added two SIP domains in our AD/Communications Server 2007 R2 (SE)
Primary sip domain: (also the AD domain)
Secondary sip domain: (mail domain for users in is the internal servername for the OCS 2007 R2 (enabled with a real certificate from Thawte).

If enabling a user for Communicator with a username from eg. (SAM account) it works fine with automatic logons.
I've created a DNS record in the ""-zone for _sipinternaltls pointing to port 5061.

If enabling a user for Communicator with a username from it doesn't work with automatic logons. In the ""-zone I've created _sipinternaltls pointing to I've also tried creating a _sipinternal and just a _sip. But nothing seems to work.

But on the other hand - if I type the server name in the communicator client instead of using automatic logons - it works fine.

What should the DNS record look like for the secondary sip domain? ( so I can use it with automatic logons.

Question by:jetpak
    Expert Comment

    It seems that everything is fine; just double check your configuration, below is your check list:

    _sipinternaltls SRV Record under the, port 5061, and the host offering this service your OCS Server

    Make Sure your Certificate include in the Subject Alternative Name (SAN).

    Finally, you can enable "Turn on Windows Logging" from the Communicator options, under the General tab; check the Event Viewer while you are testing, then feed us back with the results if you still face any problems.

    Mohammad Saeed  

    Author Comment

    The certificate is signed to Can I add by myself to that certificate?

    "Secure host names on different base domains in one SSL Certificate. A wildcard certificate can protect all first-level subdomains on an entire domain, such as * But a wildcard cannot protect both and"

    Shouldn't it just be enough with a certificate for the actual host hosting the certificate for OCS and the IIS server? in this case

    Accepted Solution

    Unfortunately you can't add it by yourself; you must create a new request (but make sure to include all the SIP domains you are planning to support in the SAN of the certificate), then send it to your CA to sign the new request, then assign it to your server.

    The link below includes instructions on creating and assigning a new certificate:

    Additionally, Microsoft released a very comprehensive document (just short of 100 pages) that covers everything from basic requirements down to specific scenarios, and the certificate requirements for each scenario.
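The two prerequisites the thread converges on are (1) an `_sipinternaltls._tcp.<sipdomain>` SRV record on port 5061 pointing at the front-end server for every SIP domain, and (2) a server certificate whose Subject Alternative Name covers the server FQDN and every SIP domain, where a wildcard only covers one label under its base. The script below is an added example written for this page, not code from the thread or from Microsoft; it checks both conditions offline against values you paste in. All hostnames in it (`corp.example`, `mail.example`, `ocs01.corp.example`) are constructed placeholders standing in for the domains stripped from the question.

```python
"""Offline checks for OCS 2007 R2 automatic sign-in prerequisites (added example).

Given the SIP domains, the front-end FQDN, the DNS SRV records you have
published and the names on the server certificate, report what is missing.
Hostnames used here are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str    # e.g. "_sipinternaltls._tcp.corp.example"
    port: int
    target: str  # FQDN the record points at


# Internal automatic sign-in record Communicator queries (5061 = SIP over TLS).
SIPINTERNALTLS_PORT = 5061


def expected_srv(sip_domain: str, server_fqdn: str) -> SrvRecord:
    """The SRV record a client in sip_domain needs for internal TLS sign-in."""
    return SrvRecord(f"_sipinternaltls._tcp.{sip_domain.lower().rstrip('.')}",
                     SIPINTERNALTLS_PORT, server_fqdn.lower().rstrip("."))


def missing_srv(sip_domains, server_fqdn, published):
    """Expected SRV records that are absent or wrong (name, port or target)."""
    have = {(r.name.lower().rstrip("."), r.port, r.target.lower().rstrip("."))
            for r in published}
    return [w for w in (expected_srv(d, server_fqdn) for d in sip_domains)
            if (w.name, w.port, w.target) not in have]


def san_matches(san_entry: str, hostname: str) -> bool:
    """True if one SAN entry covers hostname.

    Exact match, or a wildcard covering exactly one label under its base:
    *.corp.example covers ocs01.corp.example but neither corp.example nor
    mail.example (the Thawte rule quoted in the question).
    """
    san_entry = san_entry.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if san_entry == hostname:
        return True
    if san_entry.startswith("*."):
        base = san_entry[2:]
        one_label_deeper = len(hostname.split(".")) == len(base.split(".")) + 1
        return one_label_deeper and hostname.endswith("." + base)
    return False


def missing_san(sip_domains, server_fqdn, san_entries):
    """Names the certificate must carry but does not.

    Per the accepted answer, the SAN must list the server FQDN plus every SIP
    domain you plan to support; a certificate for the host alone is not enough.
    """
    required = [server_fqdn, *sip_domains]
    return [n for n in required if not any(san_matches(s, n) for s in san_entries)]


def main():
    # Constructed scenario mirroring the question: primary domain works,
    # secondary domain has the SRV record but is absent from the certificate.
    sip_domains = ["corp.example", "mail.example"]
    server = "ocs01.corp.example"
    published = [SrvRecord("_sipinternaltls._tcp.corp.example", 5061, server),
                 SrvRecord("_sipinternaltls._tcp.mail.example", 5061, server)]
    cert_sans = ["ocs01.corp.example", "corp.example"]   # constructed SAN list
    print("missing SRV:", missing_srv(sip_domains, server, published))
    print("missing SAN:", missing_san(sip_domains, server, cert_sans))


if __name__ == "__main__":
    main()
```

Run it with your real values (`nslookup -type=SRV _sipinternaltls._tcp.<sipdomain>` gives you the published records; the certificate's SAN list is on the Details tab of the certificate MMC snap-in). An empty list from both functions means the two prerequisites from the thread are met for every SIP domain; anything in `missing_san` means a new CSR, as the accepted answer says, since a SAN cannot be appended to an issued certificate.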

    Author Closing Comment

    Thanks! Now I understand it.
