DNS Records in a Skype for Business Hybrid Deployment

The DNS records for a Skype for Business (SfB) on-premises deployment can be somewhat complex, but are well documented (see Microsoft TechNet – DNS requirements for Skype for Business).  While working on a recent hybrid Skype for Business (SfB) deployment, I realized there is a lot of confusion. This was a classic hybrid deployment – some SfB servers and users on-premises, and some in SfB Online sharing one DNS namespace. This article aims to clear up some of this confusion.

The unique question that comes up in hybrid is where should I point my DNS records for clients to logon?  On-premises or online?

The general golden rule in a SfB hybrid environment is:

All Skype for Business external DNS records should point to the on-premises infrastructure.

This is a bit hidden but documented here in this TechNet article Plan hybrid connectivity between Skype for Business Server and Skype for Business Online.

A source of this confusion usually happens when client logins do not work for Skype for Business Online (SfBO) users in a hybrid deployment. Several Microsoft sources citing SfB Online client login issues and that DNS records should point to Office 365:

NOTE – both of these resources are meant for pure Skype for Business Online deployments in Office 365, NOT for hybrid.

For hybrid deployment the client autodiscover login DNS records should point to the on-premises deployment.  The TechNet documentation is quite clear on this requirement “In a hybrid deployment that has an on-premises Lync Server deployment and Skype for Business Online, the DNS records for Lync Autodiscover must be pointed to the on-premises Lync server”.

When a Skype for Business Online user attempts to sign-in, the on-premises SfB server will go through a process of being redirected multiple times until they reach their final home server in the Skype for Business Online topology. This process is well documented in the bottom half of this Microsoft Support article: Users can’t sign in to Skype for Business Online in a hybrid deployment of Lync Server 2013.

For hybrid deployment, here is a convenient summary of the external DNS records and where they should point to on-premises:

(Note: this example uses the domain contoso.com)

sip.contoso.com A Public IP of Access Edge n/a
_sip._tls.contoso.com SRV External on-premises Access Edge Interface (sip.contoso.com) 443
_sipfederationtls._tcp.contoso.com SRV External on-premises Access Edge Interface (sip.contoso.com) 5061
webcon.contoso.com A Public IP of Access Edge n/a
av.contoso.com A Public IP of Access Edge n/a

But What about the CNAME records I read about Required for Office 365 Users?

Again, this is part of the confusion as this only applies to pure SfB online deployments.  In this case, you will want the following two DNS records, but NOT FOR HYBRID:

> A DNS CNAME record for sip.contoso.com which points to sipdir.online.lync.com

> A DNS CNAME record for lyncdiscover.contoso.com which points to webdir.online.lync.com

If you add these external DNS records, external client login will break for the SfB on-premises users.  They will receive this error:


For the internal DNS records, these are the same as the internal DNS records for a non-hybrid on-premises Skype for Business Deployment (which you can find here) so I won’t repeat them, but I will point out one exception:

> An DNS A record for sfedge.contoso.com which resolves to the IP address of the internal interface of Edge server

DNS and Using PowerShell with the Skype for Business Module in a Hybrid Environment

Now, to further confuse things, the Skype for Business Online PowerShell module relies on the DNS CNAME record for pure online deployments to connect with PowerShell. This record:

A DNS CNAME record for lyncdiscover.contoso.com which points to webdir.online.lync.com

Because this record is not used in a SfB / Lync hybrid deployment, the Remote PowerShell connection will fail.

This is well documented with the work around, here:

Lync administrators can’t connect to Skype for Business Online Remote PowerShell in a Lync hybrid environment

The work around is to use an OverrideDomain property on with the default domain for your Office 365 tenant (i.e. the *.onmicrosoft.com domain that was included with the tenant subscription).

This is also documented here: http://www.ucblog.co.uk/?p=25

3 comments to DNS Records in a Skype for Business Hybrid Deployment

  • Benjamin.

    So apart from the 5 external records in this article, no other external records are to be added ? ..what about the following records that i read somewhere that they must point to our reverse proxy server ?

    And as a follow up on the question posted by Khoj, if all records are pointed to the access edge interface and we use different IPs for the access, av, conf service; how does the client locate these services ?

    Please clarity.

  • Khoj

    Why do we require webcon and AV external records to access edge. we have three interfaces on edge server

Leave a Reply to Curtis Johnstone Cancel reply

You can use these HTML tags

<a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>