Certificate prompt from EWS for Lync 2010 Clients

Hi everyone,

I am currently deploying Lync 2010 for a client and have run into a problem I'm struggling to find an answer to (that may well be because there isn't a "neat" solution).

The customer currently has Exchange 2007 installed, and is configured with a wildcard cert for their Exchange servers (let's call the domain on this cert publicdomain.com).

Lync 2010 has only been deployed for internal IM & presence, and the customer has stated that the SIP domain cannot match the SMTP domain at this point in time, as they are not in a position to create an internal DNS zone for publicdomain.com. We have therefore used the internal domain name internaldomain.com as the SIP address.

As mentioned above, there is no DNS zone configured internally for publicdomain.com, there is only internaldomain.com.

The issue is:

When a user logs into Lync internally, they are able to log in successfully, however after 1-2 minutes the Lync client throws a certificate warning stating "Lync is attempting to connect to publicdomain.com" and shows the wildcard cert for *.publicdomain.com. If I choose not to connect, Lync is unable to retrieve info from Exchange Web Services.

I'm struggling to think of a way around this - I know that best practice is to ensure that the SIP address and SMTP address match, however I've suggested this and been told that at this point in time it is not an option, as we are not able to create an internal DNS zone for publicdomain.com. The only thing I could think of would potentially be to create a pin-point DNS zone and configure everyone to then have a primary SIP address of user@publicdomain.com... is there any other way that anyone can see around this?

Cheers,

Cam

September 9th, 2013 1:53am

Hi,

pinpoint DNS records are your best option - it keeps everything clean and removes further configuration changes. Also there have been quite a few blogs by Jeff Schertz about wildcard certs and Lync. Might be worth having a look through them - one of them is below

http://blog.schertz.name/2011/02/wildcard-certificates-in-lync-server/

September 9th, 2013 6:51am

Hi,

If the SIP address and SMTP address do not match, you can try to create an SRV record for _autodiscover._tcp.publicdomain.com with autodiscover.internaldomain.com as its target. For details you can refer to this link:

http://blogs.technet.com/b/jenstr/archive/2011/02/10/lync-cannot-verify-that-the-server-is-trusted-for-your-sign-in-address.aspx

Since you are not able to create internal DNS zone for publicdomain.com, as far as I know the only way is the pinpoint DNS records.

September 9th, 2013 11:08pm
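The two replies above both come down to pinpoint DNS: a zone whose name is the full host (or SRV owner) name, with the record on the zone apex, so that internal clients resolve just that one publicdomain.com name without the DNS server hosting publicdomain.com itself. The following is an added example written for this edit, not the thread's own configuration or Microsoft's documentation. It assumes hypothetical values: an internal Exchange 2007 CAS at 10.0.0.10, an internal Autodiscover host name of autodiscover.internaldomain.com, a DNS server running Windows Server 2012 or later with the DnsServer module, and a domain-joined client with the DnsClient module for the checks at the end.

```powershell
# Added example, not from the thread. Creates pinpoint DNS zones for the two
# names the replies mention and then checks what the client actually gets.
# Hypothetical values: CAS at 10.0.0.10, internal Autodiscover host
# autodiscover.internaldomain.com. Run on a DNS server / domain controller
# with the DnsServer module (Windows Server 2012+).

Import-Module DnsServer

$sipDomain  = 'internaldomain.com'        # SIP domain used for Lync sign-in
$smtpDomain = 'publicdomain.com'          # SMTP domain on the *.publicdomain.com wildcard cert
$casIp      = '10.0.0.10'                 # hypothetical internal CAS address
$casHost    = "autodiscover.$sipDomain"   # hypothetical internal Autodiscover host name

# 1. Pinpoint zone for autodiscover.publicdomain.com (first reply).
#    The zone name is the host name, so the A record sits on the apex ("@").
#    No other publicdomain.com name is shadowed internally, which is the point
#    of a pinpoint zone versus creating the whole publicdomain.com zone.
$pinpointA = "autodiscover.$smtpDomain"
if (-not (Get-DnsServerZone -Name $pinpointA -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $pinpointA -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecordA -ZoneName $pinpointA -Name '@' -IPv4Address $casIp

# 2. Pinpoint zone for the SRV owner name _autodiscover._tcp.publicdomain.com
#    (second reply), pointing at the internal Autodiscover host over 443.
$pinpointSrv = "_autodiscover._tcp.$smtpDomain"
if (-not (Get-DnsServerZone -Name $pinpointSrv -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $pinpointSrv -ReplicationScope 'Domain'
}
Add-DnsServerResourceRecord -Srv -ZoneName $pinpointSrv -Name '@' `
    -DomainName $casHost -Priority 0 -Weight 0 -Port 443

# 3. Resolve both names the way a client would (DnsClient module, Windows 8 / 2012+).
Resolve-DnsName -Name $pinpointA   -Type A
Resolve-DnsName -Name $pinpointSrv -Type SRV

# 4. Check which certificate the CAS presents for that name. The validation
#    callback accepts anything here because the goal is to inspect the cert,
#    not to trust it; compare the subject / SAN output with the name Lync
#    reports in its warning.
function Get-TlsCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptAll = ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback])
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        $tcp.Close()
    }
}

$cert = Get-TlsCertificate -HostName $pinpointA
$cert.Subject
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
if ($san) { $san.Format($true) } else { 'No SAN extension present' }
```

On a Windows Server 2008 R2 DNS server (the usual pairing with Lync 2010) the DnsServer cmdlets are not available; the equivalent for step 1 is dnscmd /ZoneAdd autodiscover.publicdomain.com /DsPrimary followed by dnscmd /RecordAdd autodiscover.publicdomain.com @ A 10.0.0.10, and for step 2 dnscmd /RecordAdd _autodiscover._tcp.publicdomain.com @ SRV 0 0 443 autodiscover.internaldomain.com after adding that zone the same way. Step 4 only shows what certificate is served; whether the Lync client accepts it still depends on the client's trust rules for the SIP domain, which is what the linked blog posts cover.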

Thanks Murali and Kent - pin-point DNS sorted this out. Apologies for the delay... a holiday got in the way of this issue :)
September 25th, 2013 10:19pm
