cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
7784
Views
15
Helpful
13
Replies

CUCM LDAP Migration

somjade.p
Level 1
Level 1

Hi All,

I'm running CUCM 8.6x and UCCX 8.5x and I have cucm is integrated with MS AD.

The problem is my company is about to migrate all users is this AD to another AD (new ip address, new search base, but all users information remain the same). But, I don't know to make this happened without any damages to my system.

The simple question is how can I achieve it ?

- If I delete the configured AD integration, all the users will be marked deleted and will be cleaned up in 24 hours, which means I will lose all users information and theri associations. This is doom. Although, all the users info is the same (userid, firstname,lastname,etc....), but I don't think it will work that smooth. I'm I right?

- Worse, these users are also UCCX agent/supervisor in UCCX. If these users are cleaned up, this means my contact centers is dead. My configuration will be all gone. This is also doom.

Does anyone know or have experieces doing this ?

I want to change ip adddress and search base of my AD and want to maintain all the end users configurations and their configuration/associations, and UCCX agent stuff.

Please advise, I really don't know how to make this happen.

Thanks in advance,

13 Replies 13

Mark Lyman
Level 5
Level 5

As long as the userid remains the same, it doesnt matter what you do to LDAP, the user accounts will remain and will not be deleted.

In other words, if you delete the LDAP directory config in UCM, this will mark all users for deletion.  If you then sync UCM to a new LDAP directory (even with a different IP or even different domain) all those users WHO HAVE THE SAME USERID will no longer be marked for deletion.

The easiest way to do this is just update the directory config inside the LDAP directory that is already configured in UCM, then you dont actually have to delete anything.

But again, having the same userid is the key.

Thanks for the responce,

Have you already tested this ?

To be more specific,

CUCM is integrated both to "Existing AD" and "NEW AD" together at the same time. . The user is in "Existing AD" or "New AD". Let's say, we move user A from Existing AD to New AD (Which means User A is no logner in "Existing AD" but appear in "New AD". It will work just fine after i click "perform sync now" in the ldap sync page ? Also in the uccx side ? All configurations are there ?

       

User A      ====>     User A

If i remember correctly, I uses to try this once. Everything looks okay. But I found out later that, If i make any changes for the migrated user in "AD", those new information didn't get synced to CUCM anymore. Even if the user status is active. I'm afraid this will be a problem.

Please advise,

This should be fairly easy to test.  You can point to multiple LDAP directories at the same time.

UCCX gets its users from CUCM, so as long as you maintain the users in CUCM, there should be no effect on UCCX.

Yes I have tested it.  I work for a Cisco partner and we were migrating a division of a company to their own CUCM environment.  When we initially installed their new CUCM, they were pointed to the LDAP of the old company.  A couple weeks later they finally installed their own Microsoft AD environment and we repointed their CUCM to the new LDAP servers (new ip, new domain, everything) and as long as the userid was the same, the user was unaffacted in CUCM & CUC - none of their users were marked inactive.

This was done on version 9.1.2.

Same question was posted here with the same response

https://supportforums.cisco.com/thread/2226633

I take that back.  CUCM uses the GUID (global user id) to sync the CUCM user to the LDAP user.  If you change AD environments, the GUID will change, and CUCM will no longer think it's the same user.

 

The only way to possibly make this work is to convert the users to local users, then re-configure your LDAP connection, then use SQL commands that you can get from TAC to convert the user back to an LDAP user.  This will cause the user to download the GUID from LDAP and match it to the user with the same userid.

 

 

This is interesting. In my case we moved from an AD source to an AD-LDS source (still the same backend AD environment though).  The AD attribute for user ID is the sAMAccountName but you cannot use this if you change to an AD-LDS (or ADAM) environment so we used UID.  In our environment the sAMAccountName and the UID is the same so this is not a problem for CUCM it just sees user with sAMAccountName j.bloggs go inactive and then active again when it see UID j.bloggs in the new environment.  Is my assumption correct that UID and GUID the same thing?

These two are not the same. GUID is a unique value that gets created by AD when a object of any type is created in AD. Think about like in CM the equivalent of this is PKID, that for each and every configuration objects gets automatically created when any object is created in the DB. Neither one of them has anything to do with the name of the object as such, it’s a alphanumeric value that is a unique reference for the object.



Response Signature


HRS
Level 1
Level 1

One of the customer had 4 different LDAP directories point to the same Server with different search creteria, Once we deleted the 3 unwanted LDAP directories, Restarted DirSync Service. but later in 30 mins all the UCCX agents were affected and all the agents skill groups went back to default.

CUCM Version - 10.5.1.10000-7

UCCX Version - 10.5.1.11001-49

I had same issue. I changed the IP /  port of LDAP configuration on CUCM, than I performed the re-sync. After that, all agents on UCCX were affected, and their teams and skills were cleaned up to default configuration.

Anybody knows the root cause of this uccx problem?

I had this issue as well.  Removed an LDAP config and even though the users existed in another LDPA config the users in UCCX were cleaned up.  This didn't even wait for the next sync (which happens once per day), it happened withing an hour.  We have called TAC but they are unhelpful saying that is expected behavior but offering no solution for removing the desired LDAP directory configuration.  Have you found a solution to keep UCCX from dumping the user info?

Hi

I too have had the same issue and TAC are suggesting that this is expected behaviour.  I am also using the exact same UCCX version as stated above (10.5.1.11001-49).

I have also been told by TAC that any change to a user to make them go inactive in CUCM, will mean the user is 'deleted' from UCCX meaning that their skills and teams will be lost, for example, if a user is accidentally put into the wrong OU and they're marked inactive in CUCM, they will be immediately deleted from the UCCX, upon realising the mistake if the user in put in the correct OU again, he will need to be reconfigured?  This is ok with one user but what if a whole OU is removed from the sync and all the users are marked inactive?

 

Can I ask what UCCX and CUCM version you are using?

 

Regards

Martin

Steven Landon
Level 1
Level 1

CUCM uses a Globally Unique ID within AD to identify the user. You can change the user name but it will still associate the user with the AD object since the GUID has not changed.

 

When moving between AD environments, even if the user name is the same, it is likely the GUID has changed.

 

I am not sure there is a way to do this easily.

Regards,
Steve
Please rate all helpful posts.

I need to do this exact change, what was your solution/method to do this without pain?

Providing all the attributes are the same for the users, power down UCCX, delete and recreate the LDAP directory sync, watch the users go into an inactive state, perform a full LDAP directory sync and check users go into active state and then power back up UCCX. If you leave UCCX powered on, it will think the users are new again (when they change from inactive to active) and you'll have to do a UCCX restore to get the user data back (skills, resources etc)