Table Of Contents
Installing the Cisco Customer Directory Configuration Plugin for Cisco CallManager Release 3.3
Contents
Before You Begin
Installing the Cisco Customer Directory Configuration Plugin
Integrating Netscape Directory Server with Cisco CallManager
Integrating Microsoft Active Directory with Cisco CallManager
Creating the Schema Update Allowed Registry for AD 2003
Setting the Access Control Lists
Creating a DCD Admin User
Assigning Rights for ciscoatUserProfile, ciscoatuserProfileString, and ciscoatGUID
Assigning Rights for CiscoOU
Adding and Deleting Users by Using Cisco CallManager Administration
Enabling Cisco IP Services
Restoring Applications After Directory Integration
Troubleshooting
Obtaining Documentation
Cisco.com
Documentation CD-ROM
Ordering Documentation
Documentation Feedback
Obtaining Technical Assistance
Cisco.com
Technical Assistance Center
Cisco TAC Website
Cisco TAC Escalation Center
Obtaining Additional Publications and Information
Installing the Cisco Customer Directory Configuration Plugin for Cisco CallManager Release 3.3
Cisco CallManager uses an Lightweight Directory Access Protocol (LDAP) directory to store data as well as authentication and authorization information about users of Cisco CallManager applications, which interface with the Cisco CallManager. Authentication establishes the user right to access the system, while authorization identifies the telephony resources that a user is permitted to use, such as a specific telephone extension. The data that Cisco CallManager stores in an LDAP directory includes
•
Application-specific profiles for users (for example, the devices that are associated to a user, whether the devices are enabled to use CTI applications, and so on)
•Information for the Personal Directory services, Personal Address Book and Personal Fast Dials
•Authentication information for Cisco Callmanager Multilevel Administration
•User information from the User Information window in Cisco CallManager Administration
Cisco CallManager uses Data Connection Directory (DC-Directory) as an embedded LDAP directory. The Cisco Customer Directory Plugin allows you to integrate Cisco CallManager with one of the following enterprise directories:
•Microsoft Active Directory (AD 2000), available with Microsoft Windows 2000
•Microsoft Active Directory (AD 2003), available with Microsoft Windows 2003
•Netscape Directory Server, Version 4.1 and 4.2, and Sun ONE Directory Server 5.x
After the LDAP directory configuration completes, you can use the Corporate Directory service on your Cisco IP Phone Model 7940 or 7960 to look up users in the enterprise directory. You can also upload completed workflow application files to the directory. The application server downloads the files to run workflow applications when you use the administration client to start a specific application.
Note You can configure the Corporate Directory service on the Cisco IP Phone to access an enterprise directory without integrating the Cisco CallManager. For more information on integrating only the Corporate Directory service with the Cisco IP Phone, refer to the latest version of the LDAP Search Com Server Programming Guide at the following URL: http://www.cisco.com/warp/public/570/avvid/voice_ip/cm_xml/downloads/LDAPSearch_Programming_Guide.doc
Contents
•Before You Begin
•Installing the Cisco Customer Directory Configuration Plugin
•Integrating Netscape Directory Server with Cisco CallManager
•Integrating Microsoft Active Directory with Cisco CallManager
•Adding and Deleting Users by Using Cisco CallManager Administration
•Enabling Cisco IP Services
•Restoring Applications After Directory Integration
•Troubleshooting
•Obtaining Documentation
•Obtaining Technical Assistance
•Obtaining Additional Publications and Information
Before You Begin
You use the Cisco Customer Directory Configuration Plugin only if you want to integrate the Cisco CallManager with your enterprise directory, and you do not want to use the embedded DC-Directory. This plugin, which includes Netscape Directory Server and Microsoft Active Directory, installs only on servers that are running Cisco CallManager 3.0(10) or later. Starting with the publisher, you install the plugin on all Cisco CallManager servers in the cluster. On the publisher, the plugin installs the schema, configures the directory, and integrates Cisco CallManager with the directory. On the subscriber, the plugin only integrates Cisco CallManager with the directory.
Note If you upgrade to a later release of Cisco CallManager after you integrate your enterprise directory with Cisco CallManager, follow the procedures in this section to reinstall the Cisco Customer Directory Configuration Plugin on all the Cisco CallManager servers in the cluster beginning with the publisher. Reinstalling the plugin populates your enterprise directory with any additional schema extensions and data entries that are needed by that version of Cisco CallManager.
You must have a directory account with rights to extend the schema. For more information on obtaining these rights and for installation and configuration assistance, contact your Netscape Directory Server or Microsoft Active Directory administrator.
Caution Microsoft Active Directory does not support schema deletion. After you have installed the Cisco schema extensions, you cannot revert to the previous schema. Cisco recommends that you back up your Microsoft Active Directory server, especially the schema master, before you install/configure the Cisco Customer Directory Configuration Plugin and install the Cisco schema extensions on your Microsoft Active Directory server. For more information on backing up your Microsoft Active Directory server, contact your Microsoft Active Directory administrator.
Caution Using non-ISO-Latin1 characters greater than 127 with DC Directory, Netscape Directory, or Active Directory can cause directory database errors. Cisco CallManager Release 3.3 supports all ISO-Latin1 (ISO-8859-1) characters and all non-ISO-Latin1 characters in the range 0-127 with any directory. Cisco CallManager only supports ISO-Latin1 and ASCII characters in the User area of Cisco CallManager Administration. After you download the locale installer, you can display field names in the User area of Cisco CallManager Administration in your chosen language. However, Cisco CallManager only supports ISO-Latin1 (ISO-8859-1) characters and non-ISO-Latin1 characters in the range 0-127 in the fields and in all user accounts and passwords that are needed to access these windows. If a user enters data that is not in the allowed character range, a dialog box displays and states that the user must enter data by using only ISO-Latin1 characters and non-ISO-Latin1 characters in the range 0-127. CAR supports all ISO-Latin1 (ISO-8859-1) characters and non-ISO-Latin1 characters in the range 0-127.
Caution Before you install the Cisco Customer Directory Configuration Plugin on the Cisco CallManager subscribers, you must perform the procedure that is detailed in
"Enabling Cisco IP Services" section. If you attempt to install the plugin on the subscribers before performing the service integration procedure, the installation program displays an error message, and the Cisco Call Back, Cisco IP Manager Assistant (Cisco IPMA), and Cisco CallManager Extension Mobility services do not function.
Installing the Cisco Customer Directory Configuration Plugin
Perform the following steps to install the Cisco Customer Directory Configuration Plugin:
Step 1 Starting with the publisher server, choose Start > Programs > Cisco CallManager > Cisco CallManager Administration and log in with system administrative privileges.
Step 2 Choose Application > Install Plugin.
Step 3 Click the plugin icon for Cisco Customer Directory Configuration.
Step 4 A prompt may ask you to verify whether the host server acts as the publisher or subscriber. If you already integrated Cisco CallManager with Netscape Directory or Microsoft Active Directory, the plugin does not display this prompt. If the host server acts as a subscriber, a prompt asks you for authentication to the publisher. Enter the Windows 2000 user name and password with local administrative rights on the publisher.
Cisco requires authentication to the publisher, so certain fields automatically populate during the configuration process. You must enter the publisher password during the subscriber installation, or the plugin automatically terminates the installation.
The plugin also tries to retrieve the userid and encrypted password of the Cisco CallManager system users (CCMSysUser and CCMAdministrator) from the publisher registry. If plugin cannot retrieve these userids and passwords, a warning message displays with a field where you can set the passwords on the publisher. If you click OK without entering the system user passwords and the plugin cannot retrieve the system user passwords from the publisher, a second warning message displays to indicate that the plugin could not retrieve the password. The installation continues, but you must set these passwords after the installation by using the procedure that is described in "Enabling Cisco IP Services" section.
Step 5 In the Components window, you may see one or more of the following options. From the window, check one of the following options:
•If you check Configure Netscape Directory Server (or Upgrade Netscape Directory Configuration), go to the "Integrating Netscape Directory Server with Cisco CallManager" section.
•If you check Configure Active Directory Server (or Upgrade Microsoft Active Directory Configuration), go to the "Integrating Microsoft Active Directory with Cisco CallManager" section.
Note If you check Uninstall Active Directory Configuration (or Uninstall Netscape Directory Configuration), which is available after an initial installation, Cisco CallManager automatically integrates with DC-Directory.
Integrating Netscape Directory Server with Cisco CallManager
Perform the following steps to configure the Netscape Directory Server:
Step 1 You may receive a prompt with one of the two following configuration options:
a. Check Express if you want the plugin to configure Netscape Directory and enable Cisco CallManager integration with Netscape Directory. On the publisher, the plugin creates Cisco-specific containers and objects and updates the configuration settings on the Cisco CallManager server to point to the Netscape Directory server. During the configuration process, the installation program also enables you to extend the schema. On the subscriber, the plugin only updates the configuration settings.
Note Cisco recommends that you check the Express option. Cisco makes the Custom option available for administrators who are experienced with Netscape Directory Server.
b. Check Custom to choose the installation options separately:
•Configure Netscape Directory—Adds Cisco-specific containers and objects and allows you to extend the schema
•Enable CallManager Integration with Netscape Directory—Updates the configuration settings on the Cisco CallManager server to point to the Netscape Directory server
Step 2 The Customer Information window prompts you for the following information, as seen in Table 1. Most fields in this window display prepopulated information. Verify that this information is correct before continuing the configuration process.
Note On the subscriber, the prepopulated information comes from the publisher, and you can edit only the Host Name and Port Number fields.
Table 1 Customer Information Window
Field
|
Recommended Action
|
Host Name
|
Enter the hostname (or IP address) where you installed Netscape Directory.
|
Port Number
|
Enter the port number on which Netscape Directory receives the LDAP requests.
|
Directory Administrator DN
|
Enter the Netscape Directory Administrator Distinguished Name.
The Directory Administrator DN that you enter in this field must have the rights to update the Netscape Directory Schema. Typically, the users who have the rights to update the schema belong to the Schema Admin group. Contact your Netscape Directory administrator for information on users who can update the schema.
|
Directory Administrator Password
|
Enter the Netscape Directory password.
|
Confirm Password
|
Enter the Netscape Directory password again.
|
Cisco Directory Configuration DN
|
Enter the Cisco Directory Configuration Distinguished Name. This specifies the DN where the Cisco-dependent schema is created for the Cisco CallManager.
|
User Search Base
|
Enter the User Search Base. Cisco CallManager searches for users under this base.
|
User Creation Base
|
Enter the User Creation Base. Any user that is created by using Cisco CallManager Administration resides under this node in the directory.
Note Make the User Creation Base the same as the User Search Base or a subtree under the User Search Base. If you do not, you cannot look up users that you create in Cisco CallManager Administration.
|
User Name Attribute
|
Enter the Relative Distinguished Name (RDN) for user entries. Examples include cn, uid, and so forth.
|
User Search Attribute
|
Enter an attribute that you can use to search for a user in the enterprise directory. Make sure that the value for this attribute is unique for each user in the directory. Examples include mail or uid.
Note The user enters the value for this attribute in the User Identification field when the user logs in to the Cisco IP Phone User Option pages.
|
Step 3 After you enter the information into the fields, click the Next button. The system begins to verify whether you entered the configuration information correctly.
Step 4 If you entered the information correctly, a confirmation window summarizes the configuration information. Click the Next button.
Note If you did not enter the information correctly, a warning message displays and prompts you to enter the correct information.
Step 5 Click the FINISH button and reboot your server immediately.
Integrating Microsoft Active Directory with Cisco CallManager
Cisco recommends that Cisco CallManager and Active Directory use the same DNS server. If you cannot use the same DNS server, you must provide the name to IP address mapping for all of the AD servers in your AD forest in the hosts file or use another DNS server that can resolve the names of all the Active Directory (AD) servers in your AD forest.
Perform the following procedure to integrate Cisco CallManager with Microsoft Active Directory:
Step 1 If you checked Configure Active Directory Server (or Upgrade Active Directory Configuration), a prompt may ask you to check either Express or Custom, which are setup options.
a. If you check Express, the plugin configures Active Directory and enables Cisco CallManager integration with Active Directory. On the publisher, the plugin updates the schema, creates Cisco-specific objects and containers, and updates the configuration settings on the Cisco Callmanager server to point to AD server. On the subscriber, the plugin only updates the configuration settings. Click the Next button and go to Step 2.
Note Cisco recommends that you check the Express option. Cisco makes the Custom option available for administrators who are experienced with Microsoft Active Directory.
b. If you check Custom, you can choose the installation options separately and then go to Step 4.
Step 2 A prompt then asks you for the Microsoft Active Directory server host name and port number. Cisco CallManager prepopulates the fields if the values exist in the registry.
a. In the Host Name field, enter the Hostname (or IP address) of the Active Directory Schema Master server.
b. In the Port Number field, enter the port number where Microsoft Active Directory receives the LDAP requests. The default specifies 389.
If you are configuring a subscriber, go to Step 10.
Step 3 The plugin obtains the domain name in the Microsoft Active Directory server. In the Active Directory Configuration window, you may see the following information from Table 2 prepopulated in the fields. Verify the information before continuing the configuration process.
Table 2 Active Directory Configuration Window
Field
|
Recommended Action
|
Directory Administrator DN
|
Enter the Microsoft Active Directory Administrator Distinguished Name.
The Directory Administrator DN that you enter in this field must have the rights to update the Active Directory Schema. Typically, the users who have the rights to update the schema belong to the Schema Admin group. Contact your Active Directory administrator for information on users who can update the schema.
|
Directory Administrator Password
|
Enter the password for the Directory Administrator DN user.
|
Confirm Password
|
Enter the password again.
|
Cisco Directory Configuration DN
|
Enter the Cisco Directory Configuration Distinguished Name. This specifies the DN where the Cisco-dependent schema is created for the Cisco CallManager.
|
User Search Base
|
Enter the User Search Base. Cisco CallManager searches for users under this base.
|
User Creation Base
|
Enter the User Creation Base. Any user that is created by using Cisco CallManager Administration resides under this node in the directory.
Note Make the User Creation Base the same as the User Search Base or a subtree under the User Search Base. If you do not, you cannot look up users that you create in Cisco CallManager Administration.
|
User Search Attribute
|
Enter an attribute that you can use to search for a user in the enterprise directory. Make sure that the value for this attribute is unique for each user in the directory. Examples include mail or uid.
Note The user enters the value for this attribute in the User Identification field when the user logs in to the Cisco IP Phone User Option pages.
|
Domain Name
|
Enter the Microsoft Active Directory domain name. This represents the domain name of the schema master.
|
On the publisher, the plugin installs the schema, configures the Microsoft Active Directory, and integrates Cisco CallManager with the Microsoft Active Directory. On the subscriber, the plugin only integrates Cisco CallManager with this Microsoft Active Directory. To continue the Express configuration, go to Step 10.
Caution Microsoft Active Directory does not support schema deletion. After you have installed the Cisco schema extensions, you cannot revert to the old schema. Cisco recommends that you back up your Microsoft Active Directory server, especially the schema master, before you install/configure the Cisco Customer Directory Configuration Plugin and install the Cisco schema extensions on your Microsoft Active Directory server. For more information on backing up your Microsoft Active Directory server, contact your Microsoft Active Directory administrator.
Step 4 If you checked Custom, three nonexclusive custom installation options appear in the window. You may check as many of the check boxes as you want. If you want all the options, click the Select All button. After you finish making your choices, click the Next button.
If you do not want to choose all the options, see the following choices:
•For Install Schema on Schema Master, go to Step 5.
•For Enable CallManager Integration with Active Directory, go to Step 7.
•For Configure Active Directory, go to Step 8.
After you finish making your choices, click the Next button.
Step 5 If you checked Install Schema on Schema Master, a window opens. Enter the schema master host name and port number, if it is not already prepopulated.
Step 6 The plugin retrieves the domain name from the schema master and prepopulates the following information, as listed inTable 3. Verify the information before continuing the configuration process.
Table 3 Active Directory Configuration Window
Field
|
Recommended Action
|
Directory Administrator DN
|
Enter the Microsoft Active Directory Administrator Distinguished Name.
The Directory Administrator DN that you enter in this field must have the rights to update the Active Directory Schema. Typically, the users who have the rights to update the schema belong to the Schema Admin group. Contact your Active Directory administrator for information on users who can update the schema.
|
Directory Administrator Password
|
Enter the password for the Directory Administrator DN user.
|
Confirm Password
|
Enter the password again.
|
Domain Name
|
Enter the Microsoft Active Directory domain name.
|
The plugin installs the schema on the schema master, according to the information that you previously entered or verified.
If you chose Configure Active Directory or Enable CallManager Integration with Active Directory, the Credentials to configure Active Directory same as above check box displays at the bottom of this window. Checking this check box ensures that the information in Step 7 and Step 8 prepopulates.
Click Next and continue the configuration process.
Step 7 If you checked Configure Active Directory or Enable CallManager Integration with Active Directory, enter the Microsoft Active Directory server host name and port number. Click the Next button.
Step 8 The plugin retrieves the domain name from the Microsoft Active Directory server and may prepopulate the following information, as shown in Table 4. Verify the information before continuing the configuration process.
Table 4 Active Directory Configuration Window
Field
|
Recommended Action
|
Directory Administrator DN
|
Enter the Microsoft Active Directory Administrator Distinguished Name.
You can enter the same Directory Administrator DN that you entered in Step 6. The user that you entered in Step 6 serves as a schema administrator. If you do not want to use the schema administrator, you can create another user, such as dcd admin, in Active Directory and assign minimal rights. For more information, see the "Setting the Access Control Lists" section.
|
Directory Administrator Password
|
Enter the password for the Directory Administrator DN user.
|
Confirm Password
|
Enter the password again.
|
Cisco Directory Configuration DN
|
Enter the Cisco Directory Configuration Distinguished Name. This specifies the DN where the Cisco-dependent schema is created for the Cisco CallManager.
|
User Search Base
|
Enter the User Search Base. Cisco CallManager searches for users under this base.
|
User Creation Base
|
Enter the User Creation Base. Any user that is created by using Cisco CallManager Administration resides under this node in the directory.
Note Make the user creation base the same as the User Search Base or a subtree under the User Search Base. If you do not, you cannot look up users that you create in Cisco CallManager Administration.
|
User Search Attribute
|
Enter an attribute that you can use to search for a user in the enterprise directory. Make sure that the value for this attribute is unique for each user in the directory. Examples include mail or uid.
Note The user enters the value for this attribute in the User Identification field when the user logs in to the Cisco IP Phone User Option pages.
|
Domain Name
|
Enter the Microsoft Active Directory domain name.
|
Step 9 After completing the configuration information, click the Next button. The verification process begins to check whether the previous information exists in the directory. If the information exists, a confirmation window appears and summarizes the information. Click the Next button.
Step 10 The plugin attempts to read the schema update permission registry key on the destination Microsoft Active Directory server where the schema is installed.
Note Make sure that the registry entry HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Schema Update Allowed is set on the Microsoft Active Directory server to 1. This allows write access to the schema on that server.
Note The preceding registry entry value does not exist as a default on Microsoft AD 2003. To allow the plugin to continue if it is the first time the plugin is being run for Microsoft AD 2003, you will need to create the Schema Updated Allowed registry entry value. Perform the steps in the "Creating the Schema Update Allowed Registry for AD 2003" section.
Step 11 The plugin completes the configuration process and displays a dialog box. Click the Finish button and reboot the server immediately.
At the end of the installation on the publisher, the plugin reminds you to set the password for Cisco CallManager system users before running the plugin on Cisco Call Manager subscribers.
Caution Before you install the Cisco Customer Directory Configuration Plugin on the Cisco CallManager subscribers, you must perform the procedure that is detailed in
"Enabling Cisco IP Services" section. If you attempt to install the plugin on the subscribers before performing the service integration procedure, the installation program displays an error message, and the Cisco Call Back, Cisco IP Manager Assistant (Cisco IPMA), and Cisco CallManager Extension Mobility services do not function.
Creating the Schema Update Allowed Registry for AD 2003
If you are running the plugin for the first time for Microsoft AD 2003, perform the following procedure to create the Schema Update Allowed registry:
Step 1 On the Microsoft AD 2003 Schema Master, choose Start > Run.
Step 2 Enter regedit and click OK.
Step 3 Expend (or expand?) the registry tree HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > NTDS > Parameters.
Step 4 Create Schema Update Allowed registry value under the Parameters heading as shown in the following list:
Name : Schema Update Allowed
Type: REG_DWORD
Data : 1
Setting the Access Control Lists
You do not have to use the Administrator User ID to enable the Cisco CallManager to work with Active Directory. If you want to use a different account than the administrator account, you can create a user corresponding to the Cisco Directory Administrator in the Active Directory as described in the following sections. You can name this user "dcd admin" and enter this user when prompted for the Directory Administrator DN in Step 8 of the "Integrating Microsoft Active Directory with Cisco CallManager" section.
The dcd admin user only receives read permission to the "Users" object. Therefore, you cannot create the dcd admin user from Cisco CallManager Administration. You must create the dcd admin user with other methods, such as Active Directory Users and Computers, which are described in the following sections. After you create the user, set the access control lists for this user.
The dcd admin user needs the following permissions in the Active Directory:
•The Access Control Lists set on Active Directory, so the Cisco Directory Administrator (dcd admin) has read/modify/write privileges on the ciscoatUserProfile, ciscoatUserProfilestring, and ciscoatGUID attributes in all user objects.
Note The ciscoatGUID attribute applies only to Cisco CallManager release 3.3(3) and above.
•Read permissions for all the attributes under all the User objects
•Full control on the entire Cisco Directory Configuration DN. You need full control on this object and all objects under this object.
As seen from the above access lists, that the dcd admin user is granted only the read rights to the Users Object in the Active Directory. This means that you can't create New users through the CallManager Administration Pages. This is a common scenario in large enterprises, where the corporate active directory team is responsible for creating the new users and other applications will have read only permissions to the user attributes.
To create the dcd admin and assign permissions, perform the following procedures after extending the Active Directory Schema:
•Creating a DCD Admin User
•Assigning Rights for ciscoatUserProfile, ciscoatuserProfileString, and ciscoatGUID
•Assigning Rights for CiscoOU
Creating a DCD Admin User
This section describes how to add a user in Active Directory that is equivalent to the DC Directory Administrator.
Step 1 On the Domain Controller, choose Launch Start > Programs > Administrative Tools > Active Directory User and Computers.
Step 2 Choose the top-level user container.
Step 3 Create a user in Active Directory that is equivalent to the DC Directory Administrator. For example, create a user named "dcd admin."
Step 4 Right click the Users Container and choose New > User.
The New Object User window appears.
Step 5 In the First Name field, enter the first name of the administrative user, such as dcd.
Step 6 In the Last Name field, enter the last name of the administrative user, such as admin.
Step 7 In the User Logon Name field, enter the logon name of the administrative user, such as dcdadmin.
Step 8 Click Next.
Step 9 In the Password field, enter the password.
Step 10 In the Confirm Password field, enter the password again.
Step 11 Check the Password Never Expires check box.
Step 12 Click Next.
Step 13 Click Finish.
Active Directory creates the user. The Display Name matches the user name that you entered. For example, if you entered dcd in the First Name field and admin in the Last Name field, the display name appears as dcd admin (with a space).
In Step 8 of the "Integrating Microsoft Active Directory with Cisco CallManager" section, enter the display name of this user in the Directory Administrator DN field. In this case, enter dcd admin (with a space.)
Related Topics
•Assigning Rights for ciscoatUserProfile, ciscoatuserProfileString, and ciscoatGUID
•Assigning Rights for CiscoOU
Assigning Rights for ciscoatUserProfile, ciscoatuserProfileString, and ciscoatGUID
Use the following procedure to assign rights to the user that you created in the "Creating a DCD Admin User" section.
Step 1 On the Domain Controller, choose Launch Start > Programs > Administrative Tools > Active Directory User and Computers.
Step 2 Choose the top-level user container.
Step 3 Right click and choose Delegate Control.
The Delegate Control Wizard Welcome window displays.
Step 4 Click Next.
The Selected Users or Groups window displays.
Step 5 Click Add.
Step 6 Choose the user to whom you want to assign the rights, such as dcd admin, and click Add.
Step 7 Click OK.
The chosen user displays in the Selected users and groups list box.
Step 8 Click Next.
Step 9 In the Active Directory Object Type window, choose the Only the following objects in this folder radio button.
Step 10 Check the User objects check box and click Next.
Step 11 In the Permissions window, check the General and Property-specific check boxes.
Step 12 Check the Read check box.
The Wizard automatically checks all the read permissions as well as the Write ciscoatUserProfile, ciscoatUserProfileString, and ciscoatGUID permissions.
Note The ciscoatGUID attribute applies only to Cisco CallManager release 3.3(3) and above.
Step 13 Click Next.
A summary window displays.
Step 14 Click Finish.
Related Topics
•Creating a DCD Admin User
•Assigning Rights for CiscoOU
Assigning Rights for CiscoOU
This Cisco OU contains all the Cisco-specific attributes. Use the following procedure to give full permissions for the CiscoOU to the user that you created in the "Creating a DCD Admin User" section.
Step 1 On the Domain Controller, choose Launch Start > Programs > Administrative Tools > Active Directory User and Computers.
Step 2 Right-click the CiscoOU (for example, CiscoCM332) and choose Delegate Control.
Step 3 Click Next.
The Selected Users or Groups window displays.
Step 4 Click Add.
Step 5 Choose the user to whom you want to assign the rights; for example, dcd admin.
Step 6 Click Add.
Step 7 Click OK.
Step 8 The chosen user displays in the Selected users and groups list box.
Step 9 In the Tasks to Delegate window, choose the Create a custom task to delegate radio button and click Next.
Step 10 In the Active Directory Object Type window, choose the This folder, existing objects in this folder, and creation of new objects in this folder radio button and click Next.
Step 11 Choose the Full Control check box and click Next.
Step 12 The summary of rights display.
Step 13 Click Finish.
Related Topics
•Creating a DCD Admin User
•Assigning Rights for ciscoatUserProfile, ciscoatuserProfileString, and ciscoatGUID
Adding and Deleting Users by Using Cisco CallManager Administration
You can always modify the Cisco-specific attributes; however, by default, you cannot add or delete user entries from your enterprise directory by using Cisco CallManager Administration.
This functionality, provided for your convenience, does not replace your existing user/directory management tools. Be aware that this functionality is limited; Cisco expects that you will typically add or delete users by using other available tools.
Note You cannot set up or update user passwords from Cisco CallManager Administration when it is integrated with Microsoft Active Directory.
Before you add or delete users through Cisco CallManager Administration, perform the following procedure:
Step 1 Choose Start > Run.
Step 2 Enter regedit in the Open field and click OK.
Step 3 Browse to \\HKEY_LOCAL_MACHINE\Software\Cisco Systems, Inc.\Directory Configuration within the registry.
Step 4 In the right pane, double-click the DirAccess registry key.
Step 5 Delete the false registry entry and enter true as the new registry entry.
Step 6 Restart the IIS Admin Service and its dependent services by choosing Start > Programs > Administrative Tools> Services.
Step 7 Right-click IIS Admin Service and then choose Restart.
Step 8 A dialog box prompts you to restart dependent services. These services may differ depending on your configuration. Click Yes.
Step 9 Restart the dependent services.
You may now add, update, or delete users within Cisco CallManager Administration. Refer to the latest version of the Cisco CallManager Administration Guide for information on how to perform these tasks.
Caution When you are entering the user password in Cisco CallManager Administration, make sure that you use only alphanumeric characters.
Enabling Cisco IP Services
Cisco Extended Functions, Cisco Tomcat, and Cisco CallManager Extension Mobility services use a special user, cn=CCMSysUser and mail=CCMSysUser (Netscape) or SAMAccountName=CCMSysUser (AD), to authenticate with Cisco CallManager. You cannot view these users from Cisco CallManager Administration. If you specify a User Search Attribute other than the default when you are configuring the plugin, make sure that you set the value for the User Search Attribute for the CCMSysUser user to CCMSysUser. For example, if you specify uid as your User Search Attribute, edit the CCMSysUser user entry in your directory by setting uid to CCMSysUser.
In addition, when you integrate the Cisco CallManager with Microsoft Active Directory, you must perform the following procedure to enable the Cisco Extended Functions, Cisco Tomcat, and Cisco CallManager Extension Mobility services.
Note Cisco recommends that you use this procedure for setting the password for special Cisco CallManager system users rather than the procedure that was provided in previous versions of this document.
Step 1 On a Cisco CallManager server, choose Start > Run and enter cmd to open a command prompt. Click OK.
Step 2 Enter the command, CCMPWDChanger.
The Cisco CallManager Password Changer window opens.
Step 3 In the Administrator Password field, enter the password of the user that was created to enable Cisco CallManager to access the directory.
Step 4 Click Next.
Step 5 From the User ID drop-down list box, choose the user CCMSysUser.
Step 6 In the New Password field, enter the CCMSysUser password.
Step 7 In the Confirm New Password field, enter the password again.
Step 8 Click OK.
A confirmation message displays.
Step 9 Click OK.
Step 10 Click Exit.
Step 11 Restart the Cisco Call Back, Cisco IPMA, and Cisco CallManager Extension Mobility services on the server on which you installed the plugin, so the password change takes effect. To restart a service, choose Start > Programs > Administrative Tools > Services. Choose a service in the list, right-click the service, and choose Restart.
Note You need to repeat this procedure whenever you add a new Cisco CallManager server to the cluster.
Restoring Applications After Directory Integration
After you run the Cisco Customer Directory Configuration Plugin, you need to restore any application that previously accessed the DC-Directory; for example, applications such as, but not limited to, IP IVR, Cisco Emergency Responder, Multilevel Administration (MLA), Cisco SoftPhone, and Cisco CallManager Attendant Console. If you are working with a new Cisco CallManager installation and have not deployed any applications, you can skip this section.
Note Before performing any directory migrations, contact your Applications Administrator for more information. Applications include Cisco-provided applications or any third-party application that was developed for Cisco CallManager.
Cisco CallManager Attendant Console
You must reconfigure the "ac" user in Cisco CallManager Administration and associate the attendant phones and the pilot points with the user. If you do not configure this user, the attendant console cannot interact with CTIManager. For more information, refer to the Cisco CallManager Administration Guide.
Cisco Emergency Responder
With CER 1.1(1), you could use only DC-Directory. With CER 1.1(2), you can use either DC-Directory or Active Directory. After integration with Active Directory takes place, you must reconfigure CER. For more detailed information on simplifying the reconfiguration and on Active Directory limitations, refer to the Release Notes for Cisco Emergency Responder at the following URL:
http://www.cisco.com/en/US/products/sw/voicesw/ps842/prod_release_note09186a0080095196.html
To restore CER, you must also migrate the Java Telephony application Programming Interface (JTAPI) users. CER registers itself with some route points and CTI ports in Cisco CallManager for its functionality (911, 913XXXXXXXXXX, etc.). You associate these route points with a user name in the directory. After directory migration, you need to add the user again and reassociate the user with the route points and ports. If you do not make these associations properly, CER fails to handle emergency calls.
Cisco ICM/IPCC
Migrating to Active Directory results in ICM losing its associations with CTI route points and CTI ports and agents no longer having control of their phones.
Note Before performing any directory migrations, contact your ICM/IPCC Administrator for more information.
Cisco Multilevel Administration Access
To restore Cisco Multilevel Administration Access (MLA), perform the following procedures:
•Reinstall MLA. The installation program creates the default user groups in the corporate directory at the location that you specify.
•Re-create any custom user groups by using the MLA User Group Configuration window.
•Readd users to user group by using the MLA User Group Configuration window.
Note MLA preserves database, including the functional groups table and privileges table, during the reinstall.
Cisco Personal Assistant
Cisco Personal Assistant stores all its configuration information in the Cisco CallManager directory. When you integrate with a different directory (Netscape or AD), you must reinstall Cisco Personal Assistant as described in the Cisco Personal Assistant Administration Guide.
Cisco Softphone
To restore Cisco Softphone, enter the UserID and Password that are configured in the TSP into the directory (Netscape or AD). For more information about Cisco Softphone and TSP settings, refer to the Cisco IP Softphone Administrator Guide.
Troubleshooting
The following section provides troubleshooting procedures for applications that are using an enterprise directory.
Cisco IPMA Assistant Console Cannot Access the Enterprise Directory
Cisco CallManager provides a default directory that the assistant accesses from the Assistant Console. If the assistant needs access to a corporate directory (accessing Cisco CallManager interclusters), you must update the LDAPConfig.ini file and store it on the primary and backup IP Manager Assistant (IPMA) servers. For more detailed information, refer to the Cisco CallManager Features and Services Guide.
Personal Fast Dials and Personal Address Book Disappear
The Personal Address Book and Personal Fast Dials services use the samAccountName to build a directory structure to store information, as shown in Example 1. If you change the sAMAccountName on the enterprise directory server, you must rename the organization unit, samAccountName_info, with the new samAccountName.
Example 1 Personal Address Book and Personal Fast Dials Directory Structure
Obtaining Documentation
Cisco provides several ways to obtain documentation, technical assistance, and other technical resources. These sections explain how to obtain technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation on the World Wide Web at this URL:
http://www.cisco.com/univercd/home/home.htm
You can access the Cisco website at this URL:
http://www.cisco.com
International Cisco websites can be accessed from this URL:
http://www.cisco.com/public/countries_languages.shtml
Documentation CD-ROM
Cisco documentation and additional literature are available in a Cisco Documentation CD-ROM package, which may have shipped with your product. The Documentation CD-ROM is updated regularly and may be more current than printed documentation. The CD-ROM package is available as a single unit or through an annual or quarterly subscription.
Registered Cisco.com users can order a single Documentation CD-ROM (product number DOC-CONDOCCD=) through the Cisco Ordering tool:
http://www.cisco.com/en/US/partner/ordering/ordering_place_order_ordering_tool_launch.html
All users can order monthly or quarterly subscriptions through the online Subscription Store:
http://www.cisco.com/go/subscription
Ordering Documentation
You can find instructions for ordering documentation at this URL:
http://www.cisco.com/univercd/cc/td/doc/es_inpck/pdi.htm
You can order Cisco documentation in these ways:
•Registered Cisco.com users (Cisco direct customers) can order Cisco product documentation from the Networking Products MarketPlace:
http://www.cisco.com/en/US/partner/ordering/index.shtml
•Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco Systems Corporate Headquarters (California, U.S.A.) at 408 526-7208 or, elsewhere in North America, by calling 800 553-NETS (6387).
Documentation Feedback
You can submit comments electronically on Cisco.com. On the Cisco Documentation home page, click Feedback at the top of the page.
You can e-mail your comments to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Obtaining Technical Assistance
Cisco provides Cisco.com, which includes the Cisco Technical Assistance Center (TAC) website, as a starting point for all technical assistance. Customers and partners can obtain online documentation, troubleshooting tips, and sample configurations from the Cisco TAC website. Cisco.com registered users have complete access to the technical support resources on the Cisco TAC website, including TAC tools and utilities.
Cisco.com
Cisco.com offers a suite of interactive, networked services that let you access Cisco information, networking solutions, services, programs, and resources at any time, from anywhere in the world.
Cisco.com provides a broad range of features and services to help you with these tasks:
•Streamline business processes and improve productivity
•Resolve technical issues with online support
•Download and test software packages
•Order Cisco learning materials and merchandise
•Register for online skill assessment, training, and certification programs
To obtain customized information and service, you can self-register on Cisco.com at this URL:
http://tools.cisco.com/RPF/register/register.do
Technical Assistance Center
The Cisco TAC is available to all customers who need technical assistance with a Cisco product, technology, or solution. Two types of support are available: the Cisco TAC website and the Cisco TAC Escalation Center. The type of support that you choose depends on the priority of the problem and the conditions stated in service contracts, when applicable.
We categorize Cisco TAC inquiries according to urgency:
•Priority level 4 (P4)—You need information or assistance concerning Cisco product capabilities, product installation, or basic product configuration. There is little or no impact to your business operations.
•Priority level 3 (P3)—Operational performance of the network is impaired, but most business operations remain functional. You and Cisco are willing to commit resources during normal business hours to restore service to satisfactory levels.
•Priority level 2 (P2)—Operation of an existing network is severely degraded, or significant aspects of your business operations are negatively impacted by inadequate performance of Cisco products. You and Cisco will commit full-time resources during normal business hours to resolve the situation.
•Priority level 1 (P1)—An existing network is "down," or there is a critical impact to your business operations. You and Cisco will commit all necessary resources around the clock to resolve the situation.
Cisco TAC Website
The Cisco TAC website provides online documents and tools to help troubleshoot and resolve technical issues with Cisco products and technologies. To access the Cisco TAC website, go to this URL:
http://www.cisco.com/tac
All customers, partners, and resellers who have a valid Cisco service contract have complete access to the technical support resources on the Cisco TAC website. Some services on the Cisco TAC website require a Cisco.com login ID and password. If you have a valid service contract but do not have a login ID or password, go to this URL to register:
http://tools.cisco.com/RPF/register/register.do
If you are a Cisco.com registered user, and you cannot resolve your technical issues by using the Cisco TAC website, you can open a case online at this URL:
http://www.cisco.com/tac/caseopen
If you have Internet access, we recommend that you open P3 and P4 cases online so that you can fully describe the situation and attach any necessary files.
Cisco TAC Escalation Center
The Cisco TAC Escalation Center addresses priority level 1 or priority level 2 issues. These classifications are assigned when severe network degradation significantly impacts business operations. When you contact the TAC Escalation Center with a P1 or P2 problem, a Cisco TAC engineer automatically opens a case.
To obtain a directory of toll-free Cisco TAC telephone numbers for your country, go to this URL:
http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml
Before calling, please check with your network operations center to determine the Cisco support services to which your company is entitled: for example, SMARTnet, SMARTnet Onsite, or Network Supported Accounts (NSA). When you call the center, please have available your service agreement number and your product serial number.
Obtaining Additional Publications and Information
Information about Cisco products, technologies, and network solutions is available from various online and printed sources.
•The Cisco Product Catalog describes the networking products offered by Cisco Systems, as well as ordering and customer support services. Access the Cisco Product Catalog at this URL:
http://www.cisco.com/en/US/products/products_catalog_links_launch.html
•Cisco Press publishes a wide range of networking publications. Cisco suggests these titles for new and experienced users: Internetworking Terms and Acronyms Dictionary, Internetworking Technology Handbook, Internetworking Troubleshooting Guide, and the Internetworking Design Guide. For current Cisco Press titles and other information, go to Cisco Press online at this URL:
http://www.ciscopress.com
•Packet magazine is the Cisco quarterly publication that provides the latest networking trends, technology breakthroughs, and Cisco products and solutions to help industry professionals get the most from their networking investment. Included are networking deployment and troubleshooting tips, configuration examples, customer case studies, tutorials and training, certification information, and links to numerous in-depth online resources. You can access Packet magazine at this URL:
http://www.cisco.com/go/packet
•iQ Magazine is the Cisco bimonthly publication that delivers the latest information about Internet business strategies for executives. You can access iQ Magazine at this URL:
http://www.cisco.com/go/iqmagazine
•Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering professionals involved in designing, developing, and operating public and private internets and intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/en/US/about/ac123/ac147/about_cisco_the_internet_protocol_journal.html
•Training—Cisco offers world-class networking training. Current offerings in network training are listed at this URL:
http://www.cisco.com/en/US/learning/le31/learning_recommended_training_list.html
Copyright © 2003 Cisco Systems, Inc. All rights reserved.
Feedback
