CUCM and Active Directory Integration

Posted: 16th November 2010 by Mark in Cisco

When completing a fresh installation of CUCM, it uses its own embedded LDAP directory to store End User information. In most cases it is preferable to integrate CUCM with a corporate LDAP directory such as Microsoft Active Directory rather than manage two separate user databases. The benefit becomes even more apparent when there are multiple CUCM clusters, as they can all share the same corporate directory.

Step 1 – In CUCM Serviceability > Tools > Service Activation the Cisco DirSync box must be checked and the service Activated.

Step 2 – Go to Cisco Unified CM Administration > System > LDAP > LDAP System to identify what type of LDAP system to synchronize with and how to reference the users. Enable Synchronizing from LDAP Server must be checked. The attribute sAMAccountName refers to the logon name for the domain.

Step 3 – Click on System > LDAP > LDAP Directory and click Add New. In this example the Active Directory domain in my lab is ccie.local and the IP address of the Domain Controller is 142.100.64.18. The LDAP Manager Distinguished Name in this case is the default Windows system administrator account for my domain (administrator), but best practice in a production deployment is to use an isolated user account, different from the default administrator account, that is set up specifically for CUCM and Active Directory integration. The LDAP User Search Base uses two attribute types to make up a dn (distinguished name): the cn (common name) and the dc (domain component). The rules of LDAP define that the most significant part of the distinguished name is furthest to the right; in this case it is dc=local. The last thing to note for this step is that synchronization occurs once per day at 6:00 AM. The smallest window of time to synchronize is six hours.


Step 4 – Click on System > LDAP > LDAP Authentication. This will authenticate CUCM End Users using Active Directory instead of the embedded CUCM directory.

At this point CUCM should be ready to synchronize with Active Directory. Before doing this, note that any End Users on the CUCM cluster that do not exist in Active Directory will be set to Inactive. For example, I had user HQ4 created prior to configuring LDAP. After configuring LDAP the user appeared as Inactive under the End User listing. I went to my Windows 2008 Server and added user HQ4 to the domain ccie.local, and the user is now Active.

Click on System > LDAP > LDAP Directory then click Perform Full Sync Now
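The distinguished names in Steps 3 and 4 are easy to get subtly wrong, and the bind account choice is the one security decision in the whole procedure. The following Python is an added example (not Cisco's code and not part of the original post) that derives the dc= components from a domain name, parses DNs into their RDNs so the "most significant part is rightmost" rule can be checked mechanically, and reviews an LDAP Directory configuration against the guidance given above. The domain ccie.local, the host 142.100.64.18, the sAMAccountName attribute and the six-hour minimum come from the post; the full manager DN, the cn=Users search base and the `sync_interval_hours` field are assumptions.

```python
"""Helpers for building and sanity-checking CUCM LDAP Directory settings.

Example code added alongside the post; it is not Cisco's or the author's.
The lab DNs and the sync_interval_hours field are assumptions; the domain,
host, sAMAccountName attribute and six-hour minimum come from the post.
"""
import re
from dataclasses import dataclass

LAB_DOMAIN = "ccie.local"
MIN_SYNC_HOURS = 6  # smallest synchronization window CUCM allows


def domain_to_base_dn(domain: str) -> str:
    """ccie.local -> dc=ccie,dc=local; the rightmost component is the most significant."""
    labels = [label for label in domain.strip().lower().split(".") if label]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join(f"dc={label}" for label in labels)


def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN into (attribute, value) RDNs, honouring backslash-escaped commas.

    The list is in written order: index 0 is the least significant RDN (the
    object itself) and the last element is the domain root.
    """
    rdns = []
    for part in re.split(r"(?<!\\),", dn):
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr, value = part.split("=", 1)
        rdns.append((attr.strip().lower(), value.strip().replace("\\,", ",")))
    return rdns


@dataclass
class LdapDirectoryConfig:
    """The LDAP Directory page fields the checks below look at."""
    host: str
    manager_dn: str
    user_search_base: str
    user_id_attribute: str
    sync_interval_hours: int  # hypothetical field; the post only states the daily 6:00 AM default


def check_config(cfg: LdapDirectoryConfig, domain: str) -> list[str]:
    """Return findings against the post's guidance; an empty list means no issues."""
    findings = []
    root = parse_dn(domain_to_base_dn(domain))
    base = parse_dn(cfg.user_search_base)
    if base[-len(root):] != root:
        findings.append("user search base does not end in the domain's dc= components")
    attr, value = parse_dn(cfg.manager_dn)[0]
    if attr == "cn" and value.lower() == "administrator":
        findings.append("manager DN is the built-in administrator; bind with a dedicated CUCM account")
    if cfg.user_id_attribute != "sAMAccountName":
        findings.append("Active Directory logon names live in sAMAccountName")
    if cfg.sync_interval_hours < MIN_SYNC_HOURS:
        findings.append(f"sync interval is below the {MIN_SYNC_HOURS}-hour minimum")
    return findings


# Constructed lab configuration mirroring Step 3 of the post.
LAB_CONFIG = LdapDirectoryConfig(
    host="142.100.64.18",
    manager_dn="cn=administrator,cn=Users,dc=ccie,dc=local",  # assumed full DN
    user_search_base="cn=Users,dc=ccie,dc=local",             # assumed; the post names cn + dc
    user_id_attribute="sAMAccountName",
    sync_interval_hours=24,
)

if __name__ == "__main__":
    print(domain_to_base_dn(LAB_DOMAIN))
    for finding in check_config(LAB_CONFIG, LAB_DOMAIN):
        print("finding:", finding)
```

Run against the lab values the script reports exactly one finding, the built-in administrator bind account; swapping in a dedicated service account clears it. The DN parser keeps values verbatim apart from unescaping commas, so a cn such as "Doe, Jane" survives intact.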

I have a total of six users in my Active Directory. Prior to performing the synchronization step in CUCM I had one End User called HQ4 that was managed locally using CUCM's embedded LDAP directory. I proceeded to create users HQ1, HQ2, HQ3, HQ4, SITEB1, and SITEB2 in Active Directory without having them present in CUCM (except for HQ4).

After performing the synchronization the users which were created in Active Directory are now appearing in the CUCM End User list and LDAP Sync status is showing Active.
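Because the sync silently marks every CUCM-only End User Inactive, it is worth predicting the outcome before clicking Perform Full Sync Now on a cluster with a large local user base. The Python below is an added example (not Cisco's code and not from the original post) that models the behaviour the post describes: users present in AD become LDAP-managed and Active, CUCM-only users are kept but marked Inactive, and AD users not yet in CUCM are created. The six sAMAccountNames come from the post; the extra local user LOCALONLY and the status and source strings are constructed.

```python
"""Dry-run model of what a CUCM full sync does to the End User list.

Example code added alongside the post, not Cisco's or the author's. It
encodes the behaviour the post describes; the status/source strings and
the LOCALONLY user are assumptions.
"""
from dataclasses import dataclass


@dataclass
class EndUser:
    user_id: str
    status: str = "Active"   # "Active" or "Inactive"
    source: str = "local"    # "local" = embedded directory, "ldap" = synchronized


# Constructed sample: the six sAMAccountNames from the post's Active Directory.
AD_USERS = {"HQ1", "HQ2", "HQ3", "HQ4", "SITEB1", "SITEB2"}


def full_sync(cucm_users: dict[str, EndUser], ad_user_ids: set[str]) -> dict[str, EndUser]:
    """Return the End User table as it would look after Perform Full Sync Now."""
    in_ad = {uid.lower() for uid in ad_user_ids}  # sAMAccountName matching is case-insensitive
    after = {}
    for uid, user in cucm_users.items():
        if uid.lower() in in_ad:
            after[uid] = EndUser(uid, "Active", "ldap")      # now managed by the directory
        else:
            after[uid] = EndUser(uid, "Inactive", user.source)  # kept, but disabled
    known = {uid.lower() for uid in cucm_users}
    for uid in sorted(ad_user_ids):
        if uid.lower() not in known:
            after[uid] = EndUser(uid, "Active", "ldap")      # created from the directory
    return after


def would_go_inactive(cucm_users: dict[str, EndUser], ad_user_ids: set[str]) -> list[str]:
    """Pre-sync audit: the existing End Users the sync will mark Inactive."""
    in_ad = {uid.lower() for uid in ad_user_ids}
    return sorted(uid for uid in cucm_users if uid.lower() not in in_ad)


if __name__ == "__main__":
    # Before the sync the post's cluster had one local user, HQ4; LOCALONLY is constructed.
    before = {"HQ4": EndUser("HQ4"), "LOCALONLY": EndUser("LOCALONLY")}
    print("will go inactive:", would_go_inactive(before, AD_USERS))
    for uid, user in sorted(full_sync(before, AD_USERS).items()):
        print(f"{uid:10} {user.status:8} {user.source}")
```

The `would_go_inactive` list is the one to review with the business before syncing: each name on it is an account that either needs a matching AD object created (as the post did for HQ4) or is a local-only account that will lose service.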

Take note that when clicking on an End User the display of information is different compared to using the embedded database.

The following is a screenshot of the Active Directory Server Users.

A similar procedure as the one just discussed may be used to integrate Unity Connection with Microsoft Active Directory using the LDAP menu options under System Settings.

Configure LDAP Setup, LDAP Directory, and LDAP Authentication and enter the same information used for the CUCM LDAP configuration. You will want to set LDAP to sync with Active Directory at least once per day.

Next in Unity Connection click Import to import users. Note that in versions earlier than Unity Connection 8 the Import option is at the bottom of the page under Tools.

In the drop down list select LDAP Directory. The phone number associated in the “Telephone Number” field in Active Directory will be the extension that is populated in Unity Connection for the user. This is the same field from Active Directory that CUCM uses to populate the number for the End User.

One very important step after selecting LDAP Directory and clicking Find is to change the default selection administratortemplate to voicemailusertemplate (or whatever custom template may be preferred). If the default admin template is used, the users will be imported as Administrators and will not have a mailbox assigned.

The users listed above were retrieved from Active Directory and have been imported into Unity Connection.

If the users that were imported do not reside in the default timezone of the Unity Connection system you will want to go into each user and change the timezone. Otherwise voice mail timestamps will be incorrect.
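The two pitfalls in the Unity Connection import, the wrong template leaving users without a mailbox and imported users landing in the system time zone, are easy to catch with a post-import check. The Python below is an added example (not Cisco's code and not from the original post) that mirrors the Import > LDAP Directory step, carrying the AD Telephone Number attribute through as the extension, and then audits the result. The template names come from the post; the site-to-time-zone table, the alias prefix convention and the user records are constructed.

```python
"""Post-import audit for AD users pulled into Unity Connection.

Example code added alongside the post, not Cisco's or the author's. Two
facts it encodes come from the post: users imported with
administratortemplate get no mailbox, and users outside the system time
zone need their time zone changed by hand. Everything else is constructed.
"""
from dataclasses import dataclass

ADMIN_TEMPLATE = "administratortemplate"
VOICEMAIL_TEMPLATE = "voicemailusertemplate"
SYSTEM_TIMEZONE = "America/Chicago"            # constructed system default
SITE_TIMEZONES = {"HQ": "America/Chicago",      # constructed: where each site's users sit
                  "SITEB": "America/Los_Angeles"}


@dataclass
class AdUser:
    sam_account_name: str
    telephone_number: str   # the AD "Telephone Number" attribute becomes the extension


@dataclass
class UnityUser:
    alias: str
    extension: str
    template: str
    timezone: str

    @property
    def has_mailbox(self) -> bool:
        return self.template != ADMIN_TEMPLATE   # per the post, the admin template has no mailbox


def import_users(ad_users, template=VOICEMAIL_TEMPLATE):
    """Mirror Import > LDAP Directory: each user gets the chosen template and the system time zone."""
    return [UnityUser(u.sam_account_name, u.telephone_number, template, SYSTEM_TIMEZONE)
            for u in ad_users]


def site_of(alias: str) -> str:
    """Constructed convention: the alias prefix before the trailing digits names the site."""
    return alias.rstrip("0123456789")


def audit(users) -> dict[str, list[str]]:
    """Aliases that need manual follow-up after the import."""
    report = {"no_mailbox": [], "no_extension": [], "timezone_mismatch": []}
    for u in users:
        if not u.has_mailbox:
            report["no_mailbox"].append(u.alias)
        if not u.extension.strip():
            report["no_extension"].append(u.alias)   # AD Telephone Number was empty
        if u.timezone != SITE_TIMEZONES.get(site_of(u.alias), SYSTEM_TIMEZONE):
            report["timezone_mismatch"].append(u.alias)
    return report


# Constructed AD records matching the post's six users; SITEB2 has no number on purpose.
AD_SAMPLE = [AdUser("HQ1", "1001"), AdUser("HQ2", "1002"), AdUser("HQ3", "1003"),
             AdUser("HQ4", "1004"), AdUser("SITEB1", "2001"), AdUser("SITEB2", "")]

if __name__ == "__main__":
    for key, aliases in audit(import_users(AD_SAMPLE)).items():
        print(f"{key:18} {aliases}")
```

With the voicemail template the only findings are the SITEB users, whose time zones must be changed by hand, and SITEB2, whose AD Telephone Number was empty; rerunning with the administrator template lists every user under no_mailbox, which is the condition the post warns about.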

This concludes CUCM and Unity Connection integration with Active Directory.

  1. Renato says:

    Great post as always!
    sorry about my ignorance, but Do I need to do this on publisher or subscriber?

  2. Mark says:

    All of this takes place on the Publisher which then automatically replicates the information the Subscriber nodes.

  3. Renato says:

    Hi Mark, thanks!
    My company has more than 4 User Search Base and OU. Is it possible to integrate?
    Regards

  4. Nat Bell says:

    Hi Mark just a quick question –

    If AD user has a telephone number in format (xxx) xxx-xxxx is there a filter in CUCM to extract only the final 4 numbers to populate the CUCM Phone Number field properly, or will the AD user’s telephone number field need to be changed to xxxx format prior to synchronization?

    Thanks a lot for the article, very informative.

    Best,
    Nat

  5. A. Karl Kornel says:

    Hi Mark,

    We’ve been doing this here since we started with CUCM 7, and we noticed something: After the initial import of users, new users (that are added to Active Directory and picked up by the regular sync) do not automatically have the same attributes set as the users initially imported. For example, we have to manually add new users into the “Standard CTI Enabled” and “Standard CCM End Users” groups.

    We just upgraded to CUCM 8.0(2), so this might be different now, but I just wanted to give a heads-up, and see if you’ve observed the same.

    Later!

  6. German RIco says:

    Hello… I have the problem with the integration CUCM 8.0 — OpenLDAP.

    The CUCM and open LDAP are synchronized, but end users do not appear in the CUCM.

    Any idea what might be happening?
    What tests I can do?

    If I can help is the grateful

    regards

  7. Shen says:

    Hi,

    Is there a possibility to import contacts from LDAP not only the users, i have the case i need to import also created contacts from LDAP into the CUCM.

    regards

  8. Emanuel Damasceno says:

    Hello Mark,

    I currently have a customer who has all his end users on his CUCM. Now he wants to synchronize with AD. He is concerned about his current Unity users and their voice mail. If we create the exact same users, will the mailboxes contents’ be deleted? Is there a workaround? This customer has 340 users… Should I instruct them to delete all the unwanted messages prior to the synchronization? What’s the best course of action?

    Thank you!!

  9. Carl Gutierr says:

    Mark, great contribution!!!

    From Santiago de Chile I send you many thanks for this contribution!!!

    Thank you very much.

  10. Fernando says:

    My AD has more than 5 OUs. I can create only 5 LDAP Directories.
    How can I create just one LDAP Directory with more than one OU?

    Ex.: LDAP User Search Base : OU=(How do I apply more than one OU ??),DC=domain,DC=net

    Thanks.

  11. Marios says:

    I have already installed and synchronized AD and LDAP. Corporate directory is working fine. I want to add another LDAP but I want the IP phone to see only the corporate directory of the new AD.
    Can you advise me how I will do this?

  12. Marlo says:

    is there a way to update LDAP Directory with CUCM IP Phone information (e.g. name and extension number)

  13. Jacky Reinbold says:

    Hi Mark,

    in a case of password changes policies in the AD, with LDAP integration enabled in CUCM, CUC,CUPS, and perhaps using also Jabber as phone client, is there a way to have the sync made less than every 6 hours (one or two hours…) to prevent a login gap ?

    The admins cannot make a manual sync every time a user’s password is expiring, or the user cannot wait 6 hours to be able to login again.

    Any idea for this situation ?

    Regards,

    Jacky

  14. Oscar says:

    Hello good day.

    Very good post. Just one question, now I have a running LDAP with the following name dominio.com
    I have the admin user
    CN=Administrador,DC=dominio,DC=com
    and users in ou=People,dc=dominio,dc=com

    I have enabled sync from LDAP in the LDAP System configuration.

    LDAP Server Type OpenLdap
    LDAP Attribute for User ID uid

    I did the config directory as follows.

    LDAP Manager Distinguished Name: CN=Administrador,DC=dominio,DC=com
    LDAP Password: xxxxxxx
    Confirm Password: xxxxxxx
    LDAP User Search Base: ou=People,dc=dominio,dc=com
    LDAP Custom Filter

    I have activated DirSync, in LDAP Authentication I have:

    LDAP Manager Distinguished Name CN=Administrador,DC=dominio,DC=com
    LDAP Password xxxxx
    Confirm Password xxxxx
    LDAP User Search Base ou=People,dc=dominio,dc=com

    The problem is I can not see the OPENLDAP end users.
    Have you ever thought of something similar?

  15. raheel says:

    I have integrated all LDAP Users with CUCM 8.5.
    In Corporate Directory, I’m getting all Users of Active Directory.
    Issue is this: I can not login to Cisco IP Phone 9971 and 7975 in EM/Enterprise Mobility if I use LDAP.

  16. Russ says:

    There are some good questions – are there any answers ?

    Have similar question on Unity Connection 8.6 – moving from an AXL integration to LDAP in order to use AD for Visual VM in Jabber. Question is – do the VM accounts merge when LDAP is switched on and for those mail boxes such as a generic teams one (not in AD) are they still active?

    Can you reference multiple OUs for user accounts in AD?

    cheers!

  17. Davide says:

    Hi,

    in CUCM, if I want to configure the sync with LDAP, the field managed into LDAP will be populated on CUCM, but if I don’t want to configure the Authentication too, when I’ll run the first sync, the password on CUCM will be the same on LDAP, or will be blank?

    Regards

  18. Nhlanhla says:

    Hi,

    I integrated AD with CUCM 8.6 and forgot to start the services, now the DirSync status under users configuration shows inactive and under user configuration it shows pending delete, is there a way to reverse that

    Informative site indeed thanks

    Thanks

  19. Fer Cordova says:

    Hi there, a simple Question: is it necessary that CUCM, CUC, and CUPS be on Domain with Windows Server or can they Work only using LDAP and be standalone of the Domain???

  20. Luiz Maia says:

    Hi there,

    I have a CUCM Cluster Running version 9.1 with CWMS (Cisco Webex Meeting Server) connected over a SIP Trunk.

    The CWMS solution is synchronized to CUCM, importing just the Standard Webex End users group from CUCM.

    My point is that I have to manually import users to group Webex end users.

    Is that any way to automatically import users from AD directly over a CUCM user group ?

    That would be very helpful to not add one more step for the access control guys.

    Regards,
    Luiz Maia

  21. Pedro says:

    Hello… I have the problem with the integration CUCM 8.0 — OpenLDAP.

    The CUCM and open LDAP are synchronized, but end users do not appear in the CUCM.

    Any idea what might be happening?
    What tests I can do?

    If I can help is the grateful

    regards

  22. Claudio says:

    Hello Mark,
    Can you explain how to set 2 different domains for synchronization and authentication?
    Why didn’t you set OU in your example? Is the OU = ccie.local in your example?

  23. Alex says:

    Claudio,

    I believe cucm can only authenticate to one domain. You may need to look into an ADLDS solution to authenticate a multidomain environment.

  24. Sukesh says:

    Hi,

    after syncing with AD, it shows inactive users, we have re-created the search base and also tried to create a new user in AD and try to sync, but it shows inactive users.

    We have done all the troubleshooting like telnet, collecting logs but still no luck

    what will be the reason ??

  25. KingRichard says:

    After many years of previous management, I have now come in to move my CUCM, Unity Connection and CUPS into the AD integration level…
    However, I have over 2,600 users in each server… many of them are same, but sometimes the end users were not updated with the correct extension (or left with the old extension when a new person took this extension), and also the Unity connection user name may not reflect the same user name as the CUCM end user or AD user name…
    Are there any tools to help sync or find errors in this kind of preparation for AD integration?

  26. Cecil Wilson says:

    Hello, I am using CUPS and CUCM 10.5.1. I was able to follow the steps, everything seems to work. A new user was synced from AD to CUCM to CUPS, however when I tried logging into the Jabber client using the username and password set up in AD I am getting an invalid username and password error message.
    What do you think I’m doing wrong?
    Cecil

  27. claudio says:

    Hello Mark,
    When you set users manually, you set the PIN in the end users page of UCM.
    If you import the users from LDAP, what type of PIN will the users use in order to activate their voicemails?

  28. Libin says:

    Hi Claudio,

    You can set the PIN the same way you set it for normal users in Unity Connection. Under Edit > Change Password.

  29. Jim W says:

    Hi! What happens to the users marked inactive? I want to setup AD integration but we have about 600 users in CUCM and only about 80 of them are actual domain users… I’m really only looking to use the AD directory for jabber and only the AD users will be using jabber…thanks!