Lync or Skype for Business Edge servers are different. Most of the time, when we configure a Windows server in our infrastructure, it has one interface on a trusted network, we point its DNS settings at our Domain Controllers, and we join the machine to the domain. But Edge servers have two interfaces (one inward facing and one outward facing) and are not domain members. In theory, this unique configuration should force us to reconsider how we handle DNS, but more often than not administrators apply the same DNS design to their Edge server. Generally, there aren’t any adverse effects… until there are.
I’ve encountered this enough times that any time I hear about quirky, otherwise inexplicable, communication errors related to Lync or Skype for Business federation I immediately ask “Is the Edge using internal DNS servers?”
Why would this matter? It turns out that when communicating with federated partners, the Edge server will look up its own federation SRV record (_sipfederationtls._tcp.domain.com) and use the resulting information in the federated communication.
So, if you have an authoritative DNS zone on your internal DNS servers that matches your public SIP domain, the Edge server could get DNS information that is incorrect (an internal address) or missing (no SRV record at all). Both of these scenarios can lead to the aforementioned quirkiness.
The best way to avoid this, and the approach that matches Microsoft’s documentation (https://docs.microsoft.com/en-us/previous-versions/office/lync-server-2013/lync-server-2013-set-up-network-interfaces-for-edge-servers?redirectedfrom=MSDN), is to specify only internet-based DNS servers on the external interface, leave the internal interface’s DNS entries blank, and use the hosts file to provide resolution for the FQDNs of the Front End Pool and servers. This ensures that when the Edge looks up the federation SRV record, it gets the same answer an internet-based partner would find and require.
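As an added example (not part of the original post or Microsoft’s documentation), the PowerShell below checks an Edge server for the exact problem described: it resolves the `_sipfederationtls._tcp` SRV record through every DNS server configured on the box and compares each answer with the public view, then confirms the Front End FQDNs are covered by the hosts file. The SIP domain, public resolver and Front End FQDNs are placeholders to be replaced.

```powershell
# Added example, not from the original post. Domain, resolver and FE FQDNs are placeholders.
param(
    [string]$SipDomain = 'contoso.example',                 # placeholder public SIP domain
    [string]$PublicResolver = '1.1.1.1',                    # any internet-facing resolver
    [string[]]$FrontEndFqdns = @('fepool.contoso.local')    # placeholder Front End pool FQDNs
)
$srvName = "_sipfederationtls._tcp.$SipDomain"

function Get-SrvTargets {
    param([string]$Name, [string]$Server)
    try {
        Resolve-DnsName -Name $Name -Type SRV -Server $Server -DnsOnly -ErrorAction Stop |
            Where-Object { $_.Type -eq 'SRV' } |
            ForEach-Object { "$($_.NameTarget):$($_.Port)" } |
            Sort-Object
    } catch {
        @()   # NXDOMAIN or no SRV record: treat as "missing"
    }
}

# What an internet-based federation partner sees for this SRV record
$expected = Get-SrvTargets -Name $srvName -Server $PublicResolver
Write-Host "Public view of $srvName : $($expected -join ', ')"

# Every DNS server actually configured on this Edge's interfaces
$configured = Get-DnsClientServerAddress -AddressFamily IPv4 |
    Where-Object { $_.ServerAddresses.Count -gt 0 }
foreach ($nic in $configured) {
    foreach ($dns in $nic.ServerAddresses) {
        $seen = Get-SrvTargets -Name $srvName -Server $dns
        if (-not $seen) {
            Write-Warning "$($nic.InterfaceAlias) -> $dns : SRV record MISSING (internal copy of the public zone?)"
        } elseif (Compare-Object $expected $seen) {
            Write-Warning "$($nic.InterfaceAlias) -> $dns : SRV differs from public view: $($seen -join ', ')"
        } else {
            Write-Host "$($nic.InterfaceAlias) -> $dns : matches public view"
        }
    }
}

# With no internal DNS configured, the Front End FQDNs must come from the hosts file
$hosts = Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" -ErrorAction SilentlyContinue
foreach ($fqdn in $FrontEndFqdns) {
    if ($hosts -match "^\s*\d[\d\.]+\s+.*\b$([regex]::Escape($fqdn))\b") {
        Write-Host "hosts file has an entry for $fqdn"
    } else {
        Write-Warning "hosts file has NO entry for $fqdn; the Edge cannot reach the Front End without it"
    }
}
```

A warning for any configured DNS server means federation lookups from the Edge can diverge from what partners see, which is the quirkiness the post describes.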
So, resist the temptation to use internal DNS servers like you would for your domain machines. Edge servers are different, and need to be treated as such.
Shane Skriletz, PEI