When do you need to use DHCP option 119 with OCPE powered devices?

In our documentation we tell you to use the DHCP option 119 when you deploy Office Communicator Phone Edition (OCPE) powered devices. But why do you need it? It has to do with how the device can find a domain controller (DC) to talk to.

You can sign in to a OCPE powered device in two different ways. Either using NetBIOS style (<domain>\<user>) or using User Principal Name (UPN) style (<user>@<domain>).

When you use NetBIOS style the device needs to use the <domain> name to find a DC. If WINS is configured for use by the device (via DHCP) it will use that. However if WINS is not configured, and the device is on another subnet than the DC, it needs to use DNS to find it.

The way it looks for a DC is using the DC locator SRV records in DNS (_ldap._tcp.dc._msdcs.<DNS domain>). When it looks up these records it uses domain information received using DHCP (option 15 and option 119). So let's assume that we have the situation:

  • The device receives the DNS domain fabrikam.dk in DHCP option 15 (DomainName)
  • The device receives the DNS domains fabrikam.dk and dk in DHCP option 119 (DomainSearch)
  • The DC is located in fabrikam.dk and can be found by locating the SRV record _ldap._tcp.dc._msdcs.fabrikam.dk
  • The user signs in with Fabrikam\Jens

The device will try to locate the DC using this sequence:

  • _ldap._tcp.dc._msdcs.fabrikam - takes the NetBIOS name directly - fails
  • _ldap._tcp.dc._msdcs.fabrikam.fabrikam.dk - adds the DomainName value - fails
  • _ldap._tcp.dc._msdcs.fabrikam.fabrikam.dk - adds first element in DomainSearch - fails
  • _ldap._tcp.dc._msdcs.fabrikam.dk - adds second element in DomainSearch - success

So if dk was not added to DHCP option 119 the device would have been unable to locate a DC and hence the user couldn’t sign in and the device would have be unable to download certificates.

The conclusion is therefore: You need to configure the DNS Suffix list such that the device can construct the correct DNS domain based on the NetBIOS name used.

An alternative approach is to instruct users to sign in using UPN style, i.e. jens@fabrikam.dk, and in this way the user provides the correct DNS domain directly at sign in.

If you have configured the NetBIOS name to be completely different to the AD DNS domain name, i.e. NetBIOS fabrikam and AD DNS domain is contoso.net, it is not possible to use the DNS Suffix list to create the mapping. In such a scenario the best approach is to instruct the users to use UPN style login. Alternatively use WINS.