
Page 1: Cucm Multi Forest

How to Configure Unified Communications Manager Directory Integration in a Multi-Forest Environment

Document ID: 111979

Contents

Introduction
Prerequisites
Requirements
Components Used
Conventions
Background Information
Active Directory Multiple Forest Support Scenario in Unified CM
Domain Trust Relationship
Install AD LDS
Install the Instance for Multiple-Forest Support
Copy the Schema from Each Domain to ADAM
Extend the AD LDS Schema with the User-Proxy Objects
Import the Users from AD DC to AD LDS
Create the User in AD LDS for Unified CM Synchronization and Authentication
Configure Bind Redirection
Configure Unified CM
Create a Custom LDAP Filter in Unified CM
Related Information

Introduction

This document discusses how to configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Prerequisites

Requirements

Ensure that you meet these requirements:

• Have knowledge of deploying and configuring Cisco Unified Communications Manager directory integration.

• Are responsible for deploying, configuring, and maintaining Microsoft Active Directory Application Mode 2003 or Microsoft Active Directory Lightweight Directory Services 2008.

• Your number of User Accounts to be synchronized does not exceed 60,000 accounts per Unified CM Publisher. When more than 60,000 accounts need to be synchronized, the IP Phone Services SDK must be used to provide a custom directory. Refer to the Cisco Developer Network for additional details.


Components Used

The information in this document is based on these software and hardware versions:

• Cisco Unified Communications Manager, Release 8.0(1), or later
• Microsoft Active Directory Application Mode 2003 or Lightweight Directory Services 2008

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to the Cisco Technical Tips Conventions for more information on document conventions.

Background Information

Microsoft Active Directory Lightweight Directory Service (AD LDS), formerly known as Active Directory Application Mode (ADAM), can be used to provide directory services for directory-enabled applications. Instead of using your organization's Active Directory Domain Service (AD DS) database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS, so that you can have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you can reduce the overhead associated with Active Directory (AD) replication. You do not have to extend the AD schema to support the application, and you can partition the directory structure, so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application.

For more information, refer to the Background Information section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Active Directory Multiple Forest Support Scenario in Unified CM

The scenario is explained in the Active Directory Multiple Forest Support Scenario in Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Domain Trust Relationship

For the authentication of the users to succeed, you need to have a trust between the domain where the ADAM instance is hosted and the other domain(s) that host the user accounts. This trust can be a one-way trust if required (outgoing trust from the domain that hosts the ADAM instance to the domain(s) that host the user accounts). Thus, the ADAM instance can forward the authentication requests to DCs in those account domains.

For more information, refer to the Domain Trust Relationship section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.


Install AD LDS

The steps to install AD LDS are explained in the Install AD LDS section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Install the Instance for Multiple-Forest Support

AD LDS can run different instances of the service on different ports, which allows different user directory "applications" to be run on the same machine. By default, AD LDS chooses ports 389/LDAP and 636/LDAPS. If the system already has any kind of LDAP service running, however, it uses ports 50000/LDAP and 50001/LDAPS. Each further instance gets a pair of ports that increments from the previous numbers used.

For more information, refer to the Install the Instance for Multiple-Forest Support section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Copy the Schema from Each Domain to ADAM

This process needs to be repeated for each domain that you need to synchronize.

Perform the steps in the Copy the Schema from Each Domain to ADAM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Extend the AD LDS Schema with the User-Proxy Objects

The object for the proxy authentication needs to be created, and the object class "user" is not used for it. The object class being created, userProxy, is what allows the bind redirection. The object class definition needs to be written in an LDIF file. For more information, refer to the Extend the AD LDS Schema with the User-Proxy Objects section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Import the Users from AD DC to AD LDS

Perform the steps in the Import the Users from AD DC to AD LDS section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Create the User in AD LDS for Unified CM Synchronization and Authentication

Perform the steps in the Create the User in AD LDS for Unified CM Synchronization and Authentication section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Configure Bind Redirection

By default, binding to ADAM with bind redirection requires an SSL connection. SSL requires the installation and use of certificates on the computer that is running ADAM and on the computer that connects to ADAM as a client. If certificates are not installed in your ADAM test environment, you can disable the requirement for SSL as an alternative.


For more information, refer to the Configure Bind Redirection section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Configure Unified CM

ADAM/AD LDS synchronization and authentication is supported in Unified CM version 8.0(1) and later.

Perform the steps in the Configure Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.

Create a Custom LDAP Filter in Unified CM

Perform the steps in the Create a Custom LDAP Filter in Unified CM section of the document How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment.
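As an added example that is not part of the Cisco document, the following Python evaluates an LDAP search filter against a few constructed AD LDS entries. It shows why the custom filter matters: the objects imported into AD LDS are of class userProxy, so a filter written for class "user" selects none of them. USER_FILTER is an illustrative filter, not CUCM's exact default; the entry DNs and attributes are constructed for the example.

```python
# Added example, not from the Cisco document: an RFC 4515 filter evaluator run over
# constructed AD LDS entries; a filter on class "user" selects no user-proxy object.
ENTRIES = [  # constructed sample of the AD LDS instance after the user import step
    {"dn": "CN=alice,OU=forestA,DC=adam", "attrs": {"objectClass": ["top", "userProxy"]}},
    {"dn": "CN=bob,OU=forestB,DC=adam", "attrs": {"objectClass": ["top", "userProxy"]}},
    {"dn": "CN=cucm-sync,CN=Roles,DC=adam", "attrs": {"objectClass": ["top", "user"]}},
]
USER_FILTER = "(&(objectclass=user)(!(objectclass=computer)))"  # illustrative only
PROXY_FILTER = "(objectclass=userProxy)"  # custom filter for the user-proxy objects
def parse(filt):  # -> ('&'|'|'|'!', [children]) or ('=', attr, value); '*' = presence
    pos = 0
    def node():
        nonlocal pos
        if filt[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if filt[pos] in "&|!":
            op, kids = filt[pos], []
            pos += 1
            while filt[pos] == "(":
                kids.append(node())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError(f"bad operand count for '{op}'")
            tree = (op, kids)
        else:
            end = filt.index(")", pos)
            attr, sep, val = filt[pos:end].partition("=")
            if not attr.strip() or not sep:
                raise ValueError(f"malformed item at offset {pos}")
            tree, pos = ("=", attr.strip().lower(), val.strip()), end
        if filt[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return tree
    tree = node()
    if pos != len(filt):
        raise ValueError("trailing characters after the filter")
    return tree

def matches(tree, entry):  # attribute names and values compare case-insensitively
    if tree[0] in "&|":
        return (all if tree[0] == "&" else any)(matches(k, entry) for k in tree[1])
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    values = next((v for k, v in entry["attrs"].items() if k.lower() == tree[1]), [])
    return bool(values) if tree[2] == "*" else any(v.lower() == tree[2].lower() for v in values)

def search(filt, entries=ENTRIES):
    tree = parse(filt)  # a malformed filter raises ValueError before any search runs
    return [e["dn"] for e in entries if matches(tree, e)]
```

Running search(USER_FILTER) returns only the synchronization account, while search(PROXY_FILTER) returns the two proxy objects; a filter with unbalanced parentheses or trailing text is rejected before it is used.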

Related Information

• How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment
• Technical Support & Documentation - Cisco Systems

© 2012-2013 Cisco Systems, Inc. All rights reserved.

Updated: May 07, 2011 Document ID: 111979