Guest

Cisco Unified Communications Manager (CallManager)

Active Directory 2000 Plugin Installation for Cisco CallManager

Document ID: 15323

Updated: Jul 18, 2006

   Print

Introduction

The Cisco CallManager uses a Lightweight Directory Access Protocol (LDAP) to store user information (authentication and authorization information) for CallManager applications. This directory (the DC directory) works in conjunction with Cisco CallManager.

When you install the directory plugin, you have the choice to integrate the current directory with one of these servers:

  • Microsoft Active Directory (AD) server

  • Netscape Directory server

After you complete the LDAP configuration, you can use the Corporate Directory service on a Cisco IP phone, in order to search for users in the corporate directory.

The Cisco Customer Directory Configuration Plugin installs only on servers running Cisco CallManager 3.x and 4.x. Start with the publisher, and install the plugin on all Cisco CallManager servers in the cluster. Cisco recommends that you have either one Netscape Directory server or one AD server for each Cisco CallManager cluster. This document discusses the integration process for AD servers.

Prerequisites

Requirements

Ensure that you meet these requirements before you attempt this configuration:

  • Knowledge of AD schema management

  • Knowledge of how to edit Windows 2000 server registry values

caution Caution: If you make a mistake with regard to changes to the AD schema or in edits to the registry, you can cause a system outage. It can take hours to recover from such a problem. Only experienced system administrators must make these changes to an active system.

Components Used

The information in this document is based on these software versions:

  • Cisco CallManager version 3.x and 4.x

  • Microsoft Active Directory 2000 server

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Before You Begin

Before you install the AD server plugin, you must have a Netscape or AD server in place. (In this case, you need an AD infrastructure.)

Note: You do not have to add the Cisco CallManager server to the AD domain in order to integrate Cisco CallManager with AD.

Task 1: Create the Cisco Organizational Unit on the AD Server

Before you can install and configure the AD plugin on the Cisco CallManager server, you must establish an Organizational Unit (OU) named Cisco in the AD directory. This is where all Cisco attributes are to be stored, including profiles, system profiles, devices, and extensions.

  1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.

  2. Expand Active Directory Users and Computers in order to locate your domain name. (In the example provided, the domain name is mycompany.com.)

  3. Right-click your domain and choose New > Organizational Unit.

    Note: Make sure you add the OU at the domain level. If you add the OU anywhere else, you cannot continue the AD plugin installation.

    ad_plugin1.gif

  4. When the New Object - Organizational Unit dialog box appears, enter Cisco in the Name field and click OK.

    ad_plugin2.gif

    Ideally, you now see the new OU, as shown in this image:

    ad_plugin3.gif

Task 2: Install the AD Plugin

caution Caution: The installation of the AD plugin is lengthy and monopolizes system CPU resources. Install the AD plugin during an off-peak time.

  1. Start with the publisher, and choose Start > Programs > Cisco CallManager > Cisco CallManager Administration and log in with administrator privileges.

  2. Choose Application > Install Plugins.

    The Install Plugins window appears.

    ad_plugin4.gif

  3. Click the plugin icon for Cisco Customer Directory Configuration Plugin.

    This dialog box appears:

    ad_plugin23.gif

  4. Click the Run this program from its current location radio button and click OK.

    Note: If you receive a warning that an Authenticode signature was not found, click Yes to continue.

    ad_plugin24.gif

    A prompt could ask you to verify whether the host server acts as the publisher or subscriber. If you have already integrated Cisco CallManager with the Netscape Directory or AD, the plugin does not display this prompt. If the host server acts as a subscriber, a prompt asks you for authentication to the publisher. Enter the Windows 2000 username and password with local administrative rights on the publisher.

    Note: Cisco CallManager requires authentication to the publisher, and certain fields automatically populate during the configuration process. You must enter the publisher password during the subscriber installation, or the plugin automatically terminates the installation.

    Note:  The plugin also tries to retrieve the userids and encrypted passwords of the Cisco CallManager system users (CCMSysUsers, CCMAdministrators and IPMASysUsers) from the publisher registry. If the password field for these system users is empty in the registry, the plugin cannot retrieve these userids and passwords. In this case, a warning message displays with a field where you can set the passwords on the publisher. If you click OK before you enter the system user passwords, a second warning message displays that indicates the plugin cannot retrieve the password. The installation continues, but you must set these passwords after the installation. Use the procedure that is described in Enabling Cisco IP Services.

  5. Check Configure Active Directory Server and click Next to continue.

    Note: If the plugin was installed previously, a different dialog box appears. In this box, check Upgrade Active Directory Configuration and click Next to continue.

    ad_plugin5.gif

  6. A dialog box appears that asks you to select a setup type for AD, either Express or Custom. Cisco recommends that you check the Express option. Click Next to continue.

    Note: If you check Express, the plugin updates the schema, configures AD, and enables Cisco CallManager integration with AD. However, you can select the Custom option if you have multiple Cisco CallManagers. If you select the Custom option, you only need to update the schema once on the AD server.

    ad_plugin6.gif

  7. In the Customer Information dialog box, confirm the AD server Host Name and Port Number and click Next to continue.

    Cisco CallManager pre-populates the Host Name and Port Number fields if the values exist in the registry. If not, you must enter the host name (or IP address) where you installed AD and the port number on which AD listens for LDAP requests (by default, port 389).

    ad_plugin7.gif

  8. The error shown in this example occurs if you enter the wrong host name or wrong port number.

    If this happens, click OK, then correct the Host Name or Port Number in the Customer Information dialog box. Click Next to continue.

    ad_plugin8.gif

  9. A second Customer Information dialog box displays more configuration options. Some of the configuration option fields display the correct data automatically, but all fields must be completed.

    ad_plugin9.gif

    See this table for more information about the value that each field requires. When the options in this dialog box are configured, click Next to continue.

    Field Recommended Action
    Directory Administrator DN Enter the AD Administrator Distinguished Name (DN), which—along with the AD Administrator password—is required for binding to the LDAP directory and in order to add Cisco-specific schema and Cisco-specific values. The entry is typically in this format:
    cn=Administrator, cn=Users, dc=mycompany, dc=com
    One way of looking at this information is to consider the information in the form of an e-mail Simple Mail Transfer Protocol (SMTP) address. In this case, it is administrator@mycompany.com. This information must be obtained from the AD server before you start the installation process.

    Note: This information could be populated automatically.

    Directory Administrator Password Enter the AD password.
    Confirm Password Enter the password again.
    Cisco Directory Configuration DN Enter the Cisco Directory Configuration DN, which specifies the DN where the Cisco-dependent schema is created for the Cisco CallManager. The Cisco Directory Configuration DN is an AD container node where all the information related to the CallManager application is stored. This node must exist in the AD or the installation fails. (This is why you created a new OU in the previous steps.) This is an example:
    ou=Cisco, dc=mycompany, dc=com

    Note: This information could be populated automatically.

    User Search Base Enter the User Search Base, which stores the AD user information. The User Search Base is the common denominator of all the containers where user data is stored. By default, all user data is stored in the user folder: If you set up different OUs, you must specify the common denominator.
    Domain Name Enter the AD Domain Name.
    User Search Attribute Enter the User Search Attribute, which is used in order to search for the users in the system. This attribute must be populated. By default, enter SamAccountName.

  10. When the AD plugin setup has enough information to start the configuration setup, a summary data window appears.

    You have the opportunity to review and change the settings before the files are configured. Click Back to return to the previous configuration window and make corrections, or click Next in order to go to file configuration.

    ad_plugin10.gif

    Note: If you see this error message, stop. Do not click OK. The installation will not complete successfully until you make a change to the registry on the AD server to resolve this problem. To correct the registry settings, follow the procedure in the Appendix A: To Change the Registry to Allow a Schema Update section of this document. Once you make the appropriate registry changes as described in Appendix A, proceed to Step 12 and continue with the plugin installation.

    ad_plugin11.gif

  11. Once file configuration starts, a message box sometimes asks Do you want to use your existing schema files?; if so, click No.

    This message only appears if you have already installed the AD plugin.

    ad_plugin14.gif

  12. When the setup completes successfully, a dialog box similar to this one appears:

    ad_plugin15.gif

  13. Click Finish to restart your server.

Task 3: Change the Registry to Permit AD Updates from Cisco CallManager

You must perform the procedure outlined here on the Cisco CallManager server before you add or search for users through the Cisco CallManager Administration.

caution Caution: If you edit the wrong registry key or make a mistake while you edit the registry, your system could be unusable until you repair the registry. You must backup your registry before you make any changes. Make sure you know how to restore the registry from the backup before you continue. An explanation of how to maintain the Windows 2000 server registry is beyond the scope of this document. Consult your system documentation for this information.

  1. Choose Start > Run.

  2. Enter regedit in the Open field and click OK.

  3. Browse to \\HKEY_LOCAL_MACHINE\Software\Cisco Systems, Inc.\Directory Configuration within the registry.

  4. In the right pane, double-click the DirAccess registry key (DIRACCESS).

  5. Delete the false registry entry and enter true as the new registry entry.

  6. Exit Regedit.

  7. Restart the Microsoft Internet Information Server (IIS) Admin Service and IIS-dependent services.

    1. Choose Start > Programs > Admin Tools > Services.

    2. Right-click IIS Admin Service and click Restart.

    3. A dialog box prompts you to restart dependent services.

      These services differ depending on your configuration. Click Yes to restart the dependent services.

  8. You can now add or search for users within the Cisco CallManager Administration. For information on how to perform these tasks, refer to the latest version of the Cisco CallManager Administration Guide.

Task 4: Test the Directory Integration

You can test the integration if you add a new user in the AD console and then display the new user on the Cisco CallManager User Administration menus.

  1. On the AD server, choose Start > Programs > Administrative Tools > Active Directory Users and Computers to open the User Manager for Domains.

  2. Right-click the User container and choose New > User.

    caution Caution: Make certain that you select the User container. It is very easy to select the wrong container and create a new user. If you select the wrong container, you are not able to see the user from the Cisco CallManager User Administration screens.

    ad_plugin16.gif

  3. Enter the First name, Last name, and User logon name of the user you want to add; then click Next to continue.

    ad_plugin17.gif

  4. Add a password for the user you want to add and click Next to continue.

    ad_plugin18.gif

  5. If you want to create a mailbox for that user, click Create an Exchange mailbox and click Next to continue.

    ad_plugin19.gif

  6. You are now ready to insert the user into the AD Domain; click Finish to add the user.

    ad_plugin20.gif

  7. The user now appears in the Users container under Active Directory Users and Computers.

    ad_plugin21.gif

  8. Log on to the Cisco CallManager server.

  9. Choose User > Global directory and search for the new user.

    The new user name must appear in the search results. If not, repeat the tasks in this document and verify the steps in each task.

    Note: You can also add users from the Cisco CallManager user page, but you are not able to set a password there. This must be done from the AD server.

    ad_plugin22.gif

Note: If you are unable to open the User > Global Directory page, you possibly need to re-run the AD plugin.

Appendix A: To Change the Registry to Allow a Schema Update

You only need to perform this step if you were referred to it from Step 11 of the Task 2: Install the AD Plugin section of this document.

  1. If the AD server is not set to 1 for the Schema Update Allowed registry key, or if the plugin fails to read the registry key, a dialog box asks you to ensure that the registry entry has been set properly. Click OK to continue.

    ad_plugin11.gif

    caution Caution: If you edit the wrong registry key or make a mistake while you edit the registry, your system could be unusable until you repair the registry. You must backup your registry before you make any changes. Make sure you know how to restore the registry from the backup before you continue. An explanation of how to maintain the Windows 2000 server registry is beyond the scope of this document. Consult your system documentation for this information.

  2. Log on to the AD server with an account that has administrative privileges.

  3. Choose Start > Run.

  4. Enter regedit in the Open field and click OK.

  5. Navigate to the key indicated in the image provided (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed) and verify that the value is set to 1.

    If it is set to 0, you must change the value to 1.

    ad_plugin13.gif

  6. If this setting is not present (Schema Update Allowed), add the DWORD key manually and set its Value data field to 1.

    To add the new DWORD value, follow this procedure:

    1. Choose Edit > New > DWORD value.

    2. Enter Schema Update Allowed in the highlighted Name field and press the Enter key.

    3. Double-click the new DWORD key.

      The Edit DWORD Value dialog box appears, as shown in the image.

    4. Enter 1 in the Value data field and click OK.

  7. Exit Regedit.

Appendix B: To View the Cisco Schema Updates

If you want to know which updates are in the schema, you must download the plugin file, rather than run the file from its current location.

  1. Save the AD plugin file to your hard disk.

  2. Right-click the plugin and extract it to a folder.

  3. Look in the .ldif scripts in the folder to which you extracted the plugin.

    ad_plugin12.gif

Related Information

Updated: Jul 18, 2006
Document ID: 15323