Office 365 Tenants with multiple Domains have become fairly common place. Be it the international organization with a primary domain and a number of child domains, or the university with a faculty and student domain. Perhaps it’s the merger of two or more organizations, where some domains are Hybrid and others will remain in the cloud (for now).

scenario

This is easily addressed with a Hybrid deployment; I hear you say. True BUT..

In some cases, the requirement is to have some of these domains as cloud ONLY.

What reasons might an organization have to keep one domain on premises and another in the cloud only?

Two I have come across are: –

User Accounts

In one instance I saw an environment where university students (60 0000 +) were on line only, while faculty were Onprem. The university was not keen to add 60 0000 + users account to Active Directory so that we could enable hybrid mode (especially since the students were never going to be moved to Onprem)

In a Hybrid scenario, all the users (regardless of whether they will be homed in the Cloud or Onprem) need to exist in Active Directory. When you have two organizations merging then this can be a big limiting factor. Sure you can setup trusts and use resource accounts etc., limiting and intensive non the less.

DNS

When enabling Hybrid mode its required to point the DNS records to the On premise infrastructure. Consider a deployment where the Tennant is in the USA and the On premise deployment is in New Zealand. Potentially the on Premise deployment may be expanded to other continents, BUT I find it rather challenging to explain to a customer that I need to point the DNS records to an NZ deployment that’s probably not considered “Enterprise” in terms of High Availability.

 

For the sake of understanding let’s talk about SIP Domains.

We will consider three SIP Domain configurations: –

Onprem SIP Domain – All users homed on premise, domain does NOT exist in the O365 Tenant

Hybrid SIP Domain – All user accounts in on premise AD, Skype users homed to either On premise or online

Online SIP Domain – Users DO NOT exist in On premise AD. SIP Domain is created in O365 Tenant and there is no requirement to have these users on premise

So to be clear, what we will be looking at is “Federation” between an Onprem or Hybrid domain with an Online Domain.

Here’s what you need to do:-

Step 1

Configure Hybrid mode for the On premise SIP Domain (if it’s not already done). Details of configuring Hybrid can be found HERE

NOTE

You do not need to add the child\additional domains to the on premise topology (there is no harm in doing so either)

Step 2

Configure the DNS

A rule of thumb is to point the On premise\Hybrid SIP domain DNS records to the On premise deployment, and the Cloud SIP Domain DNS records to the O365 cloud.

TIP

Be sure to add the “Cloud SIP Domain” to the internal DNS Zones as any users considered internal will need to resolve the SRV records to the Online servers.

SIP Domain Record Type DNS Record Port Target
Onprem\Hybrid SRV _sipfederationtls._tcp.ucsorted.com 5061 access.ucsorted.com
SRV _sip._tls.ucsorted.com 443 access.ucsorted.com
A access.ucsorted.com Onprem Access Edge Public IP
A\CNAME lyncdiscover.ucsorted.com Onprem Reverse Proxy Public IP
A meet.ucsorted.com Onprem Reverse Proxy Public IP
A dialin.ucsorted.com Onprem Reverse Proxy Public IP
A sfbweb.ucsorted.com Onprem Reverse Proxy Public IP
Cloud SRV _sipfederationtls._tcp.uc-heroes.co.nz 5061 Sipfed.online.lync.com
SRV _sip._tls.uc-heroes.co.nz 443 sipdir.online.lync.com
CNAME sip.uc-heroes.co.nz sipdir.online.lync.com
CNAME lyncdiscover.uc-heroes.co.nz Webdir.online.lync.com

 

If you have the DNS for the Online domain pointing to Onprem you will get a user not found error when trying to message an Online user.

Conversely, if you have the DNS for the Onprem domain pointing to Online you will get a user not found error when trying to message an Onprem user.

error

Step 3

Certificates

You will need to add a sip.domain.com SAN to the Edge server certificate for each online SIP domain that needs to be included in the “federation”.

In my case I had to add sip.uc-heroes.co.nz as a SAN to the existing UC SAN Certificate already deployed.

 

Under the hood

O365 will actually handle the on premise SIP domain as if it’s in a fully deployed hybrid deployment.

The on premise deployment will handle the Online SIP domain as if it’s a federated partner. Thus the usual behavior for federation will be followed.

 

Limitation

The primary limitation is with regard to Federation behavior between these On premise\Hybrid SIP Domains and the Online SIP Domains.

Typically, you won’t see rich presence, Presence Notes, detailed contact card etc for Federated contacts. These same limitations will apply in this setup.

The inverse in not true though, the Online SIP Domain users will see the Onprem\Hybrid users as if they were fully Hybrid.

Also, if you are “federating” between Onprem\Hybrid and Online as I have just described, then the Onprem deployment is authoritive for the Onprem\hybrid users and the online deployment is authoritive for the online users.

Note

This is not an officially supported configuration.

Advertisements