Channel: Directory integration services - Recent Threads

Re: Lync: Internal SSO users cannot log on when off site


Sorry, I have been working on some high priority tickets here, and have not had a chance to run the MOSDAL software yet. I have typed out the issue in more detail to try and clarify our setup/issue. I will get the MOSDAL info shortly.

Site A:

All servers are located here, including ADFS, Forefront TMG, the PDC and backup DC, etc. These servers are all on Subnet A, which is in the 10.x.x.x range. All traffic on that subnet is restricted, with no access to the internet. The Forefront TMG array is the only set of servers that has access to the public network. We have a /27 block of public IPs for incoming traffic and outbound proxy connections.

There are 2 DNS zones in our AD infrastructure. Our internal domain is DOMAIN.local. The second zone is for our public domain DOMAIN.com. This is only used internally by the servers on Subnet A to resolve external URLs to private IPs.

There are NO users located at this site. Only admins using VPN can even access the private network to administer the servers.

Site B:

This is our office location, where most users work from. The only server here is a single DC, which handles DNS for our internal domain. This domain controller only synchronizes our DOMAIN.local DNS zone. It does NOT have the DOMAIN.com zone with private IPs. So all DNS queries to DOMAIN.com are handled by the external authoritative name servers, which will direct the traffic to our Forefront TMG array. There is no direct access to the ADFS server on Subnet A, or access via private IP/FQDN. It is only accessible through the public URL (fs.DOMAIN.com).

Domain users at this site can log on to Lync successfully.

Site C:

This is a new office that only has 3 users right now. There is no domain controller on site, and all DNS is handled by public name servers.

Users at this site CANNOT log on to Lync. They are not prompted for a password and just get the "service is temporarily unavailable" error.

These users can log into portal.microsoftonline.com with no issues. They can also access the /MEX xml file hosted on the ADFS server with no issues.

ADFS Server Info:

Server Name: FS01

External URL: fs.DOMAIN.com

Cert: *.DOMAIN.com

Kerberos: SPN configured for fs.DOMAIN.com only

ADFS Service: Running as a domain account

We have 1 server, but have configured Windows NLB with a VIP (to be able to add a second server in the near future). We have pointed fs.DOMAIN.com in the internal DNS at Site A to the VIP.

The Forefront TMG array listens on the public IP for fs.DOMAIN.com and routes requests to the VIP. No packets destined for the ADFS VIP are blocked. The listener/publishing rules were created following the Microsoft guides.

So the only way for users to access our ADFS site is by the external URL fs.DOMAIN.com, regardless of being at Site B or C. The only difference between the 2 sites is that Site B does not have a DC on site.

I have also verified the issue at Site B by changing the DNS on the network adapter from the DC to the router gateway. This causes Lync to fail to authenticate, until I change the DNS back to the DC.
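The adapter-DNS swap described above can be reproduced without touching adapter settings by querying both resolvers directly. The following is an added diagnostic script, not code from this thread or from Microsoft; the resolver addresses, the VIP classification by private address range, and the MEX path are placeholders/assumptions for this scenario.

```powershell
# Added diagnostic for the split-DNS scenario in the post (not from the thread).
# Placeholders: replace with the real Site B DC and the router/public resolver.
$FsFqdn     = 'fs.DOMAIN.com'
$DcResolver = '10.0.1.5'        # placeholder: DC holding the DOMAIN.com zone with private IPs
$GwResolver = '192.168.1.1'     # placeholder: gateway resolver, i.e. the Site C path
$MexPath    = '/adfs/services/trust/mex'   # assumption: standard AD FS 2.0 MEX endpoint

# RFC 1918 test: an answer in private space means the client is steered at the
# internal VIP; a public answer means it goes through the TMG listener.
function Test-PrivateIPv4 {
    param([string]$Address)
    $o = $Address.Split('.') | ForEach-Object { [int]$_ }
    return ($o[0] -eq 10) -or
           ($o[0] -eq 172 -and $o[1] -ge 16 -and $o[1] -le 31) -or
           ($o[0] -eq 192 -and $o[1] -eq 168)
}

# Ask one specific resolver for the A records of the federation service name
# and label which path each answer represents.
function Get-FsResolution {
    param([string]$Resolver)
    try {
        $answers = Resolve-DnsName -Name $FsFqdn -Type A -Server $Resolver -DnsOnly -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'A' }
        foreach ($a in $answers) {
            $path = if (Test-PrivateIPv4 $a.IPAddress) { 'internal VIP (direct to AD FS)' } else { 'public IP (via TMG)' }
            $tcp  = (Test-NetConnection -ComputerName $a.IPAddress -Port 443 -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Resolver = $Resolver; Address = $a.IPAddress; Path = $path; Tcp443 = $tcp }
        }
    } catch {
        [pscustomobject]@{ Resolver = $Resolver; Address = $null; Path = "lookup failed: $($_.Exception.Message)"; Tcp443 = $false }
    }
}

$results = foreach ($r in $DcResolver, $GwResolver) { Get-FsResolution -Resolver $r }
$results | Format-Table -AutoSize

# The post says the MEX document is reachable from Site C; confirm that from this
# client's current resolver. A 200 here while SSO still fails narrows the problem
# to the authentication path rather than to reachability of the service.
try {
    $resp = Invoke-WebRequest -Uri "https://$FsFqdn$MexPath" -UseBasicParsing -ErrorAction Stop
    "MEX via current resolver: HTTP {0}, {1} bytes" -f $resp.StatusCode, $resp.RawContentLength
} catch {
    "MEX request failed: {0}" -f $_.Exception.Message
}
```

Run it from a Site B client and from a Site C client; the two tables should differ only in the Path column, which is what the adapter-DNS experiment in the post demonstrates.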

