Here are some notes from my colleague Brahim Ait Oumeri at Polycom on setting up Polycom handsets to work with Microsoft Communications Server.
To setup CX IP Phones within CS14 environment, you will need to have the following setup:
- CS14 up and running
- Certificate Authority up and running (Could be integrated in Active Directory itself)
- Network Time Protocol setup
- Could be the Active Directory itself. In this case, you will need to enable “Windows Time Services” via GPO at domain level.
- Publish Root CA in the Active Directory
- Enable “Auto-Enrollement” policy in the Active Directory Domain Controller via GPO at domain level
- DHCP setup for following options
- IP address
- Router (Gateway)
- DNS setup for 2 SRV records
- _ntp record
Below are the procedures step by step for each part of configuration. I had also added a troubleshooting case scenario.
1 – Enabling Windows Time Server
Step 1 – Open Group Policy
Step 2 – Navigate to Forests > Domain > Your Domain > Group Policy Objects > Default Domain Policy & right click and choose Edit
Step 3 – Navigate to Policy > Administrative Templates > System > Windows Time Service > Time Providers > Open Enable Windows NTP Server
Step 4 – Select Enabled and OK
You should now have the Windows Time server showing as enabled.
2 – Publish the Root CA certificate in AD Domain Controller
Step 1 – Export the certificate of the Root CA to a .cer file.
The following file formats are supported:
- DER encoded binary X.509 (.cer)
- Base-64 encoded X.509 (.cer)
– Then copy the Root CA certificate under C:windowssystem32>
Step 2 – Publish the Cert
Run the following command:
C:windowssystem32>certutil.exe –f –dspublish certnew.cer NTAuthCA
- certnew.cer is being the Root CA certificate
- NTAuthCA is being the name of your Root CA Certificate Authority server
The result message should be at the end the following:
CertUtil: -dsPublish command completed successfully.
3 – Procedure to setup in AD the “Auto-Enrollement” policy
Step 1 – Open the Group Policy Configuration and navigate to Default Domain Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies
Step 2 – Double click on Certificate Services Client – Auto Enrolment and select Enabled
Step 3 – Click on Apply and OK.
4 – DHCP setup for following options
- Router (Gateway)
You will need to pay attention to the SIP domain name you configure here.
If CX IP Phone cannot sign-in, you will need to take wireshark to see if the CX is being sent the right domain name string
5 – DNS setup for following options
- _ntp SRV record using port 123 pointing to the DC is Windows NTP is enabled on DC server
- _sipinternaltls SRV record using port 5061 pointing to the OCS pool
6 – Troubleshooting scenarios
Possible root cause 1
If you put an incorrect DNS entry in DHCP, then the CX IP phone will not be able to sign-in and you will see in the CX IP screen in sequence way the following messages in the screen of the phone:
- Acquiring IP address
- Connecting to Network Time Protocol server
- Connecting to Office Communication Server
- Cannot locate the server. If the problem persists, contact your administrator
In this case, the root cause was that the DNS entry in DHCP were wrong since the last message you see in the CX IP screen “Cannot locate the server …”.
Possible root cause 2
Check if you get the right IP address from the DHCP server in the CX IP Phone, by navigating through the IP configuration menu in the CX IP phone.
Thanks for Brahim for taking to the time to document this.