
UCCE 8.5(2) install on W2008 R2 SP1 - 2008 DC Problems

geoff

I recently installed from 8.0.1A a UCCE and CVP system in my lab - DC (W2003), RGR, AW-HDS, PG with CUCM, CUPS, CVP. As noted, the Domain Controller was a W2003 box. Basically no worries.

So now I try to do it again with a W2008 R2 Domain Controller and this thing is wild. I've ensured that the Firewalls are off at all three levels, but the Domain Manager is complaining and I have trouble logging into the Web setup tool.

Anyone have any tips to make this play nice. It was simple with a 2003 DC, but the 2008 R2 DC is a spider's web of security layers.

Regards,

Geoff


Geoff,

I am going to be giving this a shot tomorrow on my new 2008 lab, I just got the software today. I also have a 2008 domain controller, but it's at 2003 functional level, I will raise it before trying to see what happens.

Also a little FYI if this is to be a CAD install, 8.5(2) was pulled off the Cisco site because the Client package doesn't install (of course we found out during an upgrade and had to roll back).... and 8.5(1) still has some variable bugs that are impacting our clients...

Not exactly stable yet... at all :<

Chad

Chad,

I'll be very interested in what you find. As I said - with a Windows 2003 server as the DC, no worries. Now I'm thinking I should rebuild the domain with the 2008 DC at 2003 functional level and retry.

Not what the customer has - and not what the release notes say. They CLEARLY say that 2008 R2 level is supported. Well, we have tried that one too.

Suggestion: before running the DomainManager, edit the registry to put that SAD library trace on.

We have an open TAC case - engineer (who does not have 2008 in his lab, so that's pretty sad) found a bug documented and suggested we try the DomainManager after the install of 8.0.1A and before 8.5.2 - but that fails in exactly the same way.

Regards,

Geoff

Hi Geoff,

I have installed win2008R2 at 2008 R2 functional level and ICM 8.5.2 on win2003 enterprise server and I am able to run domain manager and create facility/instance; my domain manager never crashes.

So it must be something specific to your environment. Currently I am unable to login to websetup, getting "Service unavailable", but this must be a different issue which I need to troubleshoot. As far as the domain manager and creation of instance is concerned, it works ok on win 2008 AD.

Shirish.

Shirish,

Thanks for your post. Not quite the same though. If I can summarize:

W2003 Domain Controller and all servers at W2008R2 SP1 - no problem (me)

W2008R2 SP1 Domain Controller and all servers at W2003 - no problem (Shirish)

W2008R2 SP1 Domain Controller and all servers at W2008R2 SP1 - big problems (me)

I have a colleague working on the same trial installs and he has the same issues. These are standard R2 installs with nothing unusual.

DC

---

1. Install W2008R2

2. Install SP1

3. Set up Domain Controller role (loads .NET)

4. dcpromo

Member

------------

1. Install W2008R2

2. Install SP1

3. Set DNS to be the DC

4. Join the domain

5. Install 8.0.1A, pointing it at 8.5.2 SR

6. When the box reboots, it starts to install 8.5.2

7. Reboot

8. Start Domain Manager

Regards,

Geoff

Shirish,

I can confirm what Geoff is experiencing. The problem and only difference between us and you is that you installed 8.5(2) on windows 2003, which tells me the issue must actually be with the security settings on the windows 2008 server by default!

I guess a TAC case really needs to be opened and pursued!


Chad

After a little googling, an ACE is an Access Control Entry, and a DACL is a discretionary access control list...

My simple guess, if the Machine, OU or whatever doesn't have the right access controls, it's not gonna work...

Chad

I got it working, it seems to be a difference in default permissions given to Domain administrators over computers.

If you go into Active Directory Users and Computers, create Cisco_ICM by hand, now at the top select View->Advanced Features. This opens up some new windows in the 2008 properties.

Now go and delegate control to DomainAdmins full control and give it every checkbox for the Cisco_ICM root.

Finally go to your UCCE computer in the domain, go to properties, look at Domain Admins and notice that Full Control isn't checked, check this box...

Don't forget to log out and back into the UCCE box to let the policies propagate down.

From here go back to your UCCE, open domain manager and you will See Cisco_ICM root... you will now be able to add the Facility and Instance with no error. Finally you can go into Web Setup and add the instance with no Errors!

Tada!

Let me know if it sorts you out!

Chad

Hey Cisco, we should get this documented that the 2008 permissions are different by default!


Chad

From here go back to your UCCE, open domain manager and you will See Cisco_ICM root... you will not be able to add the Facility and Instance with no error. Finally you can go into Web Setup and add the instance with no Errors!

Did you mean "now" instead of "not" ?

Regards,

Geoff

I did, I went back and corrected it.. Thanks for the catch.

Chad

Make sure to activate Computer Browser Service and enable it before using icmdba, it doesn't like it without that.

Chad

I worked with Chad this morning and he showed me his method, and I've been playing with it a bit today, using a VM snapshot to be able to go back to the state of the DC prior to making any changes, whether these changes are made by running the ICM DomainManager.exe from another box, or made on the DC itself as Chad pointed out.

Now I have the solution. I can run the DomainManager tool on the UCCE box and it works without any errors or warnings and I can then use the Web Setup to add the instance.

On your Domain Controller:

1. First do as Chad noted above. Open Active Directory Users and Computers and from the menu bar select View->Advanced Features which places a check box in the menu, but does not do anything. From now on, Properties will show advanced items.

2. Select the computer that has been added to the Domain, probably it's going to be Rogger A.

3. Right click for Properties

4. Select the "Delegation" tab. You will see that the top radio button is selected. This says "Do not trust this computer for delegation".

5. Select the second radio button - "Trust this computer for delegation for any service (Kerberos only)"

6. Press Apply and Close, or OK (whichever is your style).

I simply went to the Rogger A and ran the Domain Manager.

I was still logged in and did not logout and log back in - just ran the DomainManager and made the Cisco_ICM OU, the facility and the instance. No errors or warnings. Then logged into the Web Setup page and added the instance.

A big thanks to Chad for pointing the way. Brickbats to Cisco for not documenting this.

Regards,

Geoff
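
As an added example (not part of the original posts and not Cisco tooling): the radio button chosen in step 5 sets the TRUSTED_FOR_DELEGATION bit (0x80000) in the computer account's userAccountControl attribute, so accounts changed this way can be inventoried from an LDIF export of the domain. The sketch below parses such an export and separates domain controllers, which carry the bit by default, from member computers; the sample records, DNs and domain name are constructed, and the ldifde command in the comment is an assumption about how the export was produced.

```python
import base64
import re

SERVER_TRUST_ACCOUNT = 0x2000      # userAccountControl bit set on domain controllers
TRUSTED_FOR_DELEGATION = 0x80000   # bit set by "Trust ... any service (Kerberos only)"

# Constructed sample, shaped like the output of (assumed export command):
#   ldifde -f computers.ldf -r "(objectCategory=computer)" -l userAccountControl
SAMPLE_LDIF = """\
dn: CN=DC01,OU=Domain Controllers,DC=lab,DC=example
changetype: add
userAccountControl: 532480

dn: CN=ROGGERA,CN=Computers,DC=lab,DC=example
changetype: add
userAccountControl: 528384

dn: CN=AWHDS,CN=Computers,DC=lab,DC=example
changetype: add
userAccountControl: 4096
"""

def parse_ldif(text):
    """Yield one dict per LDIF record, unfolding continuation lines."""
    text = re.sub(r"\r?\n ", "", text)            # a leading space continues a line
    for block in re.split(r"\r?\n\s*\r?\n", text.strip()):
        record = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            if value.startswith(":"):             # "attr:: <base64>" form
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            record[key.strip().lower()] = value.strip()
        if "dn" in record:
            yield record

def delegation_report(text):
    """Return (dn, verdict) for every account with TRUSTED_FOR_DELEGATION set."""
    findings = []
    for record in parse_ldif(text):
        try:
            uac = int(record.get("useraccountcontrol", ""))
        except ValueError:
            continue                              # record without a usable value
        if uac & TRUSTED_FOR_DELEGATION:
            verdict = "domain controller" if uac & SERVER_TRUST_ACCOUNT else "member computer"
            findings.append((record["dn"], verdict))
    return findings
```

Calling `delegation_report(SAMPLE_LDIF)` lists DC01 as a domain controller and ROGGERA as a member computer; AWHDS, whose value is the default 4096, is not reported.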

Thanks for going through the testing and confirming our suspicions Geoff!

Well, that was strange.

I'm at the customer site today - and they have a very complicated domain structure. Not a standalone domain for ICM - we are creating the OU in their corporate domain. One of the domain admins for the customer was logged in on RoggerA under his account, and Domain Manager worked with no issues and the Websetup worked fine too.

Must be something to do with the default permissions for the Domain Administrator. Maybe if I created another user and put them in the Domain Admins group, that would have worked.

Clearly it's working for some. And not working for others.

Regards,

Geoff

My guess is that their Domain have truly full permissions against all PC's that can be set elsewhere than where we were on the PC directly. Or maybe when they add new PC's they trust as we show above as their default policy for new Servers or PC's in the domain.

It could be a myriad of things but it would be interesting to look at that PC under their domain and see what the above setting regarding trust delegation is set to on your new ICM box.

Cheers,

Chad