
Cisco CUCM 8.6.5 with AD LDS for Multi forest environment

This was a huge pain... worth posting :)
I have two existing domains that we are consolidating into one new one. One runs AD 2003 and has three child domains; the other is AD 2008; the new domain is 2008 R2. For the sake of this post I will call them AD2003, AD2008 and AD2008R2.
I have a brand new CUCM 8.6.5 cluster I'm bringing up, and it needs to authenticate users from all three domains until my migration is complete. A root CA is already configured in the new AD2008R2 domain, so LDAP over SSL is how I'll be configuring this.
First off, I'd like to list the sites I used and thank the people who wrote them. I would have been completely lost without their help.
How to Configure Unified Communications Manager Directory Integration in a Multi-Forest Environment
https://supportforums.cisco.com/docs/DOC-16356 by Greeshma Bernad and edited by Gabriel Sroka
AD LDS 101 – Part 4 – MS-AdamSyncConf.XML: A Detailed Look
Merging & Syncing multiple Active Directory databases into one ADAM instance
Using SSL with ADAM (AD LDS)
Firstly, Greeshma's Cisco KB pretty much lays out how to do this; however, there is a lot it does not cover, and of course it would be impossible to cover every deployment scenario. So I'm just going to cover how my deployment went and what I needed to do to make it work. I'll shorthand a lot of it and refer back to the links above, but I will include screenshots of the things that aren't covered.
Everything in the KB went fine for me until the AD LDS instance setup, where a few things needed clarifying:
     The partition name asked for in step 8 of that procedure is a brand-new application partition, not an existing one; the KB names it the same as the host AD domain, which is what confused me. A more descriptive name such as "DC=Multiforest,DC=local" worked better for me and keeps the partition obviously separate from the real domains.
     For the service account, I created a new account in the domain hosting the instance: AD2008R2\ADAMMultiforest. I think the wizard prompted me to grant that user the rights needed to run the service, and I clicked yes. I rebuilt this AD LDS instance a few times, so I don't know whether it simply stopped prompting or whether only one of the installations gave me that prompt.
     For AD LDS administrators, I chose AD2008R2\Domain Admins for my instance (a dedicated admin group would be the least-privilege choice).
Now for the next section, extending the AD LDS schema with each domain's schema:
The CoreLAN team does a great job of explaining exactly what you are doing here. Definitely a good read if you need more background.
    Referencing the Cisco KB article, I ran steps 1-7 for my first domain, AD2008R2. Remember that in step 3 the target schema is the regular AD of each domain (read over LDAP on port 389) and the base schema is the new AD LDS instance on port 50000; the schema analyzer writes the differences between the two to an LDF file, which is what step 9 imports.
    Ran step 8 (simple) and step 9 for the first domain, AD2008R2.
    Then rerun steps 1-7 for the next domain, AD2008, skip step 8, and run step 9.
     One thing to note: step 9 gave me an error on the second domain, so I ran ldifde with -k, which tells it to ignore "Constraint Violation" and "Object Already Exists" errors and keep processing the remaining entries. I tried updating the schema in ADSI Edit and restarting the Multiforest AD LDS instance, but I still got the error on the third domain as well. I'm not sure exactly what the error is, or whether it even matters. If you go this route, read the ldif.err and ldif.log files that -j writes to the log directory and make sure none of the skipped entries are attributes you intend to sync and use in CUCM.
ldifde -i -s localhost:50000 -c "CN=Configuration,DC=X" #ConfigurationNamingContext -f diff-schema.ldf -j c:\windows\adam\logs -k
    I then finally ran steps 1-7 from the Cisco KB for my third domain, AD2003, and ran step 9 with the -k switch.
That's it. My new AD LDS instance now includes the schema extensions from all three domains, so we are ready to import users.
In the Cisco KB, extending the AD LDS schema with the user-proxy class is simple: just download the file and run the command as given. No need to change anything.
After that we configure the system to import users, following the KB's procedure:
    Since Greeshma used the same name for the AD domain and the AD LDS partition, I got a bit confused here. Doug from www.thegeekispeak.com cleared it up for me; his detailed look at MS-AdamSyncConf.XML is a great help.

    There are really just four lines that need to be modified; see the www.thegeekispeak.com post mentioned above for the "detailed look".
 For my setup these were the relevant lines of the first config file, for AD2008R2. I am only syncing an IT OU in this case:
<?xml version="1.0"?>
<description>Sample ADAMSync Config File</description>
   <base-dn>OU=IT,dc=AD2008R2,dc=local</base-dn>
 Now here's the tricky part that got me: the target DN. For the second domain, AD2008, the target-dn must still point at the AD LDS partition (dc=Multiforest,dc=local), not at the source domain, while the base-dn points at the OU in the source domain. In my case I also filled in source-ad-account and account-domain, and when I ran ADAMSync /install I added the "/passprompt" switch so it asks for that account's password (see the CoreLAN link).
<?xml version="1.0"?>
<description>Sample ADAMSync Config File</description>
<target-dn>dc=Multiforest,dc=local</target-dn>
   <base-dn>OU=CorpUsers,dc=AD2008,dc=local</base-dn>
 From here, I'm sure you know what I did for my third domain.
Here are the commands I ran:
 ADAMSync /install localhost:50000 AdamSyncConfAD2008R2.xml
 ADAMSync /sync localhost:50000 "dc=Multiforest,dc=local"
 ADAMSync /install localhost:50000 AdamSyncConfAD2008.xml /passprompt
 ADAMSync /sync localhost:50000 "dc=Multiforest,dc=local"
 ADAMSync /install localhost:50000 AdamSyncConfAD2003.xml /passprompt
 ADAMSync /sync localhost:50000 "dc=Multiforest,dc=local"
     After the config setup above, just run the commands from the Cisco KB for this section and you should be good. Create the appropriate BAT file for the sync, and that ends this section.
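As an added example (not code from the original post or from the Cisco KB), here is a PowerShell version of the above: one ADAMSync configuration per source forest is generated from a single template in which only the four lines the post says must change (source-ad-name, source-ad-partition, target-dn, base-dn) plus source-ad-account/account-domain are substituted, and the post's install-then-sync sequence is run for each. It assumes adamsync.exe in C:\Windows\ADAM, the instance on localhost:50000, the target partition dc=Multiforest,dc=local and userProxyFull as the user-proxy target class; the host names, OUs and the svc-adamsync account are placeholders standing in for the post's three domains.

```powershell
# Added example, not from the original post or the Cisco KB: build one
# ADAMSync configuration per source forest from a single template and run
# the post's /install then /sync sequence for each forest.
# Assumptions: adamsync.exe in C:\Windows\ADAM, instance on localhost:50000,
# target partition dc=Multiforest,dc=local, user-proxy target class
# userProxyFull (from the KB's LDF). Host names, OUs and the svc-adamsync
# account below are placeholders for the post's AD2008R2/AD2008/AD2003.

$Instance  = 'localhost:50000'
$TargetDn  = 'dc=Multiforest,dc=local'
$ConfigDir = 'C:\Windows\ADAM\Multiforest'
$AdamSync  = 'C:\Windows\ADAM\adamsync.exe'

# Empty Account/Domain = read the source forest as the instance's own service
# account (the hosting forest); the other forests get a dedicated account.
$Forests = @(
    @{ Name = 'AD2008R2'; Server = 'dc1.ad2008r2.local'; Partition = 'dc=AD2008R2,dc=local'
       BaseDn = 'OU=IT,dc=AD2008R2,dc=local';       Account = '';             Domain = '' }
    @{ Name = 'AD2008';   Server = 'dc1.ad2008.local';   Partition = 'dc=AD2008,dc=local'
       BaseDn = 'OU=CorpUsers,dc=AD2008,dc=local'; Account = 'svc-adamsync'; Domain = 'AD2008' }
    @{ Name = 'AD2003';   Server = 'dc1.ad2003.local';   Partition = 'dc=AD2003,dc=local'
       BaseDn = 'OU=Users,dc=AD2003,dc=local';     Account = 'svc-adamsync'; Domain = 'AD2003' }
)

# Layout follows the Microsoft MS-AdamSyncConf.xml sample; {TOKENS} are
# replaced per forest below. An empty <include> syncs every attribute that
# is not excluded.
$Template = @'
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>CUCM multi-forest sync from {NAME}</description>
    <security-mode>object</security-mode>
    <source-ad-name>{SERVER}</source-ad-name>
    <source-ad-partition>{PARTITION}</source-ad-partition>
    <source-ad-account>{ACCOUNT}</source-ad-account>
    <account-domain>{DOMAIN}</account-domain>
    <target-dn>{TARGET}</target-dn>
    <query>
      <base-dn>{BASEDN}</base-dn>
      <object-filter>(&amp;(objectCategory=person)(objectClass=user))</object-filter>
      <attributes>
        <include></include>
        <exclude>userAccountControl</exclude>
        <exclude>primaryGroupID</exclude>
        <exclude>servicePrincipalName</exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>user</source-object-class>
      <target-object-class>userProxyFull</target-object-class>
    </user-proxy>
    <schedule>
      <aging><frequency>0</frequency><num-objects>0</num-objects></aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie><status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
'@

New-Item -ItemType Directory -Path $ConfigDir -Force | Out-Null
foreach ($f in $Forests) {
    $values = @{ NAME = $f.Name; SERVER = $f.Server; PARTITION = $f.Partition; BASEDN = $f.BaseDn
                 ACCOUNT = $f.Account; DOMAIN = $f.Domain; TARGET = $TargetDn }
    $xml = $Template
    foreach ($k in $values.Keys) { $xml = $xml.Replace("{$k}", [string]$values[$k]) }
    $path = Join-Path $ConfigDir "AdamSyncConf$($f.Name).xml"
    Set-Content -Path $path -Value $xml -Encoding UTF8

    # ADAMSync keeps the installed configuration on the target-dn object, so
    # each forest's /install is immediately followed by its /sync, exactly as
    # the post does. /passprompt asks once for the source-ad-account password.
    $installArgs = @('/install', $Instance, $path)
    if ($f.Account) { $installArgs += '/passprompt' }
    & $AdamSync @installArgs
    & $AdamSync /sync $Instance $TargetDn /log (Join-Path $ConfigDir "sync-$($f.Name).log")
}
```

Run it from an elevated PowerShell on the host of the AD LDS instance after the schema extensions and the user-proxy LDF have been imported; the per-forest log written by /log is the first place to look when users do not appear in ADSI Edit afterwards.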
The next section is pretty much as-is.
For the LDAP over SSL certificate, use the following links to get yourself set up.
One thing the above link didn't include a screenshot of was the subject name configuration on the certificate template; see below for that. I went with DNS name for the subject name format, using the FQDN that clients, including CUCM, will connect to.
Here's another link from Microsoft.
One thing I would like to mention is that I had to request the certificate into the "Local Computer" personal store and then move it to the personal store of my Multiforest AD LDS instance. I tried exporting and re-importing it, but that wouldn't work.
Also don't forget to grant the AD LDS service account read permission on the private key file under C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys (on 2008 R2 that path is a junction to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys). Without it the instance cannot use the key and LDAPS silently fails.
Then, after you've restarted your AD LDS instance, verify that LDAP over SSL works using ADSI Edit or another LDAP tool such as Softerra LDAP Browser.
Once it's verified, upload your root CA and any intermediates to the Cisco cluster as tomcat-trust (Cisco Unified OS Administration > Security > Certificate Management). This is a very important step; it took me a while to find, and I had to open a TAC case and get pointed to it by someone from the support forums. If the LDAP sync still fails after the upload, restart the Cisco Tomcat and Cisco DirSync services so they pick up the new trust store.
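An added example (not from the original post) of the verification step, using System.DirectoryServices.Protocols from PowerShell instead of ADSI Edit: it binds to the AD LDS instance over LDAPS, prints the certificate chain the instance presents (the root and intermediates of that chain are exactly what has to go into tomcat-trust), lets Windows validate the chain, and then runs a search so the bind is proven end to end. The host name, SSL port (50001 is the usual pairing when LDAP is on 50000), partition and the cucmbind account are placeholders.

```powershell
# Added example, not from the original post: bind to the AD LDS instance over
# LDAPS, show the presented certificate chain, validate it, then search.
# Assumptions: host name, SSL port 50001, partition dc=Multiforest,dc=local
# and the hypothetical AD LDS bind user cucmbind are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'adlds.ad2008r2.local'
$SslPort = 50001
$BaseDn  = 'dc=Multiforest,dc=local'
$BindDn  = 'CN=cucmbind,CN=Roles,dc=Multiforest,dc=local'   # hypothetical

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $Server, $SslPort
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# Print the chain the server sends and let the OS validate it against the
# machine's trusted roots. If Build() fails, the bind is refused and the
# ChainStatus warnings tell you which CA is missing; that same root and any
# intermediates are what CUCM needs in tomcat-trust.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $valid = $chain.Build($cert)
    Write-Host ("Server cert : {0}" -f $cert.Subject)
    foreach ($el in $chain.ChainElements) {
        Write-Host ("  chain     : {0}  (thumbprint {1})" -f $el.Certificate.Subject, $el.Certificate.Thumbprint)
    }
    foreach ($s in $chain.ChainStatus) {
        Write-Warning ("Chain problem: {0} - {1}" -f $s.Status, $s.StatusInformation)
    }
    return $valid
}

# Simple bind with a DN; prompting avoids leaving the password in the script.
$cred = (Get-Credential -Credential $BindDn).GetNetworkCredential()
$conn.Bind($cred)

# Prove the connection works for what CUCM will do: read sAMAccountName.
$req = New-Object System.DirectoryServices.Protocols.SearchRequest
$req.DistinguishedName = $BaseDn
$req.Filter = '(sAMAccountName=*)'
$req.Scope  = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$req.Attributes.Add('sAMAccountName') | Out-Null
$res = $conn.SendRequest($req)
Write-Host ("Bound over LDAPS as {0}; {1} entries with sAMAccountName under {2}" -f $BindDn, $res.Entries.Count, $BaseDn)
```

Run it from a machine that trusts the same root CA CUCM will be given, using the exact host name you will enter as the LDAP server in CUCM; a name mismatch or a missing intermediate shows up in the chain output before you ever touch the CUCM side.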
Here are some screenshots that the Cisco KB was missing when I went through it. After that I just followed the rest of the KB and it worked for me.
Figure 47
Figure 48



Unknown said...

Great article!!! Question: do you have your users signing in via email address? I had to use Microsoft Active Directory Application Mode mail.


Unknown said...

Hi Mando
To give credit where credit is due, I didn't write the article on cisco.com, Greeshma Bernad did. I merely made a few minor edits.

Mando said...

Thanks Gabriel. I've edited the post to reflect your correction.

Randy, my users are authenticating using "Microsoft Active Directory" using LDAP attribute "sAMAccountName" and they are just typing in their UserIDs without the need for the email address part.

Brian Rota said...

Should you be able to see the users in LDS after the sync?
I do not see any users except the one that I made.

Thank you

Mando said...

Yes. Under ADSI Edit, if you connect to your ADAM instance you should see all the users. Otherwise I would go through the logs and see what errors are popping up that prevent the sync from taking place.

Unknown said...

Thanks for the article, this has been a great help. I have a similar situation; the only difference is that the ADAM instance was configured by someone else for other applications to authenticate against. I can connect just fine to ADAM with Softerra and see the users I want to import, but when I do the sync it seems to never finish. There are no users imported as far as I can see.
Any ideas where to begin troubleshooting? I admit I am not an expert Cisco guy, just in the wrong place at the right time!


Mando said...

Michael, are you connecting via SSL? If so, did you import the certificate used to connect?

pvturtle said...

How would you automate this, given the adamsync /install step with the /passcode switch? You run it in a batch file and it expects you to enter the password. I've tried to see if you can echo the password, but you can't do it in the console (which is how adamsync /install runs). Not sure how you got this scheduled to run automatically...

Mark Batts said...

Hi, I'm currently looking at this for a CUCM 10.5 install. My AD knowledge isn't great, so apologies if this is a stupid question. If I use sAMAccountName and I get duplicates in AD LDS, what happens in CUCM? I know that LDS doesn't mind due to the userProxy attributes, but I'm confused about what happens in CUCM.
