Additional Considerations for Microsoft Active Directory

The use of Global Catalog for authentication becomes even more efficient  if the users synchronized from Microsoft AD belong to multiple domains,  because it allows Unified CM to authenticate users immediately without  having to follow referrals. For these cases, point Unified CM to a  Global Catalog server and set the LDAP User Search Base to the top of  the root domain.

In the case of a Microsoft AD forest that encompasses multiple trees,  some additional considerations apply. Because a single LDAP search base  cannot cover multiple namespaces, Unified CM must use a different  mechanism to authenticate users across these discontiguous namespaces.

As mentioned in the section on LDAP  Synchronization, in order to support synchronization with an AD  forest that has multiple trees, the UserPrincipalName (UPN) attribute  must be used as the user ID within Unified CM. When the user ID is the  UPN, the LDAP authentication configuration page within Unified CM  Administration does not allow you to enter the LDAP Search Base field,  but instead it displays the note, "LDAP user search base is formed using  userid information."

In fact, the user search base is derived from the UPN suffix for each  user, as shown in Figure 17-14.  In this example, a Microsoft Active Directory forest consists of two  trees, avvid.info and vse.lab. Because the same user name may appear in  both trees, Unified CM has been configured to use the UPN to uniquely  identify users in its database during the synchronization and  authentication processes.

http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/7x/directry.html#wp1045381

HTH

java

If this helps, please rate

www.cisco.com/go/pdihelpdesk