I had all of this working fine until a power outage caused my Active Directory/Domain Controller/DNS/CA server to not boot up.
So I decided to rebuild it - this time as a virtual machine (on top of ESXi).
So: I've got it up and running - users can log in to the domain, etc. without any problems.
I can add users into AD and they appear just fine in Lync Control Panel.
I've added the following on the DNS Server section of the Server Manager:
_sipinternaltls SRV record
domain is pstocs.com
Service is _sipinternaltls
Protocol is _tcp
Port number is 5061
Host offering this service is ocshost1.pstocs.com (this is the Lync Server)
But when I try to log in with a Lync client, it always gives the same error.
Here's how the user appears in AD: