12-18-2018 10:25 AM - edited 03-17-2019 01:51 PM
I am working with a multi-domain environment and need to configure our CUCM authentication agreement.
1. Multiforest server: Server 2016
2. Remote AD domain server: Server 2016
3. CUCM: 11.5
4. Trust between domains is confirmed to work.
Users from the remote domain import successfully via the following commands and XML file. However, all users have the following attribute: MsDS-UserAccountDisabled = True. After removing all password requirements on the host server, the MsDS-UserAccountDisabled attribute is not set.
In both cases, when attempting to enable the account, an error occurs: "operation failed error code: 0x52d unable to update the password". Obviously, the error occurs because passwords are not stored, so they are considered blank.
In the current state, no users are able to log in to the self-care portal.
In my understanding of a multiforest environment, users are located on the local (multiforest) server and creds are requested from the remote domain. A Wireshark capture reveals creds are not requested on the remote server with a login attempt of the CUCM self-care portal.
I need assistance enabling all imported accounts and assess why the passwords are not requested from the remote AD.
On a side note, I am able to assign a password to an imported user and log in to the portal successfully, but that is not a viable solution.
commands run:
C:\Windows\ADAM>ADAMSync /install localhost:50000 c:\windows\ADAM\MS-AdamSyncConfNLS7.xml /log c:\windows\adam\logs\install.log
C:\Windows\ADAM>ADAMSync /sync localhost:50000 "dc=mf2,dc=local" /log c:\windows\adam\logs\sync.log
<?xml version="1.0"?>
<doc>
  <configuration>
    <description>NLS</description>
    <security-mode>object</security-mode>
    <source-ad-name>domain</source-ad-name>
    <source-ad-partition>dc=x,dc=x,dc=x,dc=x</source-ad-partition>
    <source-ad-account></source-ad-account>
    <account-domain>domain</account-domain>
    <target-dn>dc=mf4,dc=local</target-dn>
    <query>
      <base-dn>dc=x,dc=x,dc=x,dc=x</base-dn>
      <object-filter>(|(objectClass=Person)(objectClass=organizationalUnit)(objectclass=group)(objectclass=Computer))</object-filter>
      <attributes>
        <include>objectSID</include>
        <include>mail</include>
        <include>userPrincipalName</include>
        <include>middleName</include>
        <include>manager</include>
        <include>givenName</include>
        <include>sn</include>
        <include>department</include>
        <include>telephoneNumber</include>
        <include>title</include>
        <include>homephone</include>
        <include>mobile</include>
        <include>pager</include>
        <include>msDS-UserAccountDisabled</include>
        <include>samAccountName</include>
        <include>employeeNumber</include>
        <include>initials</include>
        <include>ipPhone</include>
        <include>displayName</include>
        <include>msRTCSIP-primaryuseraddress</include>
        <include>uid</include>
        <exclude></exclude>
      </attributes>
    </query>
    <user-proxy>
      <source-object-class>person</source-object-class>
      <target-object-class>userProxyfull</target-object-class>
    </user-proxy>
    <schedule>
      <aging>
        <frequency>0</frequency>
        <num-objects>0</num-objects>
      </aging>
      <schtasks-cmd></schtasks-cmd>
    </schedule>
  </configuration>
  <synchronizer-state>
    <dirsync-cookie></dirsync-cookie>
    <status></status>
    <authoritative-adam-instance></authoritative-adam-instance>
    <configuration-file-guid></configuration-file-guid>
    <last-sync-attempt-time></last-sync-attempt-time>
    <last-sync-success-time></last-sync-success-time>
    <last-sync-error-time></last-sync-error-time>
    <last-sync-error-string></last-sync-error-string>
    <consecutive-sync-failures></consecutive-sync-failures>
    <user-credentials></user-credentials>
    <runs-since-last-object-update></runs-since-last-object-update>
    <runs-since-last-full-sync></runs-since-last-full-sync>
  </synchronizer-state>
</doc>
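As an added diagnostic for the situation described in this post (example code written here, not part of the original post and not ADAMSync's or Microsoft's own tooling), the following PowerShell does two things: it lists the userProxyFull objects that the sync created in AD LDS, with their msDS-UserAccountDisabled flag and decoded objectSid, and then it performs a proxied simple bind as one of those objects over LDAPS, which is the operation that should make AD LDS forward the password to the remote domain. The LDAP port 50000 and the dc=mf4,dc=local partition come from the post; the LDAPS port 50001, the function names and the proxy DN in the usage lines are assumptions.

```powershell
# Added diagnostic, not from the original post. Assumptions: AD LDS instance on
# localhost, LDAP on 50000 (from the post), LDAPS on 50001 (placeholder; use the
# instance's real SSL port), application partition dc=mf4,dc=local.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$LdsHost   = 'localhost'
$LdapPort  = 50000              # from the post
$LdapsPort = 50001              # assumption
$TargetDn  = 'dc=mf4,dc=local'  # from the post

function Get-ProxyAccounts {
    # Bind as the current Windows user (Negotiate) over plain LDAP and list every
    # userProxyFull object with its disabled flag and the SID it proxies for.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdsHost, $LdapPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.Bind()

    $attrs = [string[]]@('distinguishedName', 'msDS-UserAccountDisabled', 'objectSid', 'userPrincipalName')
    $req   = New-Object System.DirectoryServices.Protocols.SearchRequest(
                 $TargetDn, '(objectClass=userProxyFull)',
                 [System.DirectoryServices.Protocols.SearchScope]::Subtree, $attrs)
    $resp  = $conn.SendRequest($req)

    foreach ($entry in $resp.Entries) {
        $disabled = 'not set'
        if ($entry.Attributes.Contains('msDS-UserAccountDisabled')) {
            $disabled = $entry.Attributes['msDS-UserAccountDisabled'].GetValues([string])[0]
        }
        $sid = 'missing'   # a proxy without objectSid can never be redirected to AD
        if ($entry.Attributes.Contains('objectSid')) {
            $raw = $entry.Attributes['objectSid'].GetValues([byte[]])[0]
            $sid = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value
        }
        $upn = $null
        if ($entry.Attributes.Contains('userPrincipalName')) {
            $upn = $entry.Attributes['userPrincipalName'].GetValues([string])[0]
        }
        [pscustomobject]@{
            DistinguishedName = $entry.DistinguishedName
            UPN               = $upn
            Disabled          = $disabled
            ObjectSid         = $sid
        }
    }
    $conn.Dispose()
}

function Test-ProxyBind {
    param(
        [Parameter(Mandatory)][string]$ProxyDn,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    # Simple bind as the proxy object over LDAPS. AD LDS never stores this
    # password; it binds to the domain that owns the objectSid with the same
    # password on the user's behalf. Success means the credentials were
    # forwarded; an LdapException means the bind was rejected.
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdsHost, $LdapsPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential(
                           $ProxyDn, $Credential.GetNetworkCredential().Password)
    try {
        $conn.Bind()
        [pscustomobject]@{ ProxyDn = $ProxyDn; Result = 'bind succeeded: credentials forwarded to remote AD' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        [pscustomobject]@{ ProxyDn = $ProxyDn
                           Result  = "bind failed: $($_.Exception.Message) / $($_.Exception.ServerErrorMessage)" }
    } catch {
        [pscustomobject]@{ ProxyDn = $ProxyDn; Result = "connection error: $($_.Exception.Message)" }
    } finally {
        $conn.Dispose()
    }
}

# Usage (proxy DN is a placeholder):
#   Get-ProxyAccounts | Format-Table -AutoSize
#   Test-ProxyBind -ProxyDn 'CN=jdoe,OU=Users,dc=mf4,dc=local' -Credential (Get-Credential jdoe)
```

Two things are worth checking in the output. First, every proxy must carry the objectSid of the remote-domain account; AD LDS uses that SID to pick the domain it redirects the bind to, so an entry showing "missing" can never be proxied. Second, the test binds over LDAPS on purpose: by default AD LDS refuses to redirect a proxy bind that arrives over unencrypted LDAP (the RequireSecureProxyBind value in the instance's msDS-Other-Settings controls this), and a bind refused locally for that reason produces exactly the symptom in the post, a failed login with no credential traffic ever reaching the remote domain controller. Run the bind test with a Wireshark capture on the AD LDS host to see whether it opens a connection to the remote domain during the bind.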
12-19-2018 05:22 PM
12-20-2018 06:24 AM
FYI for anyone with the same problem: Restarting the LDS service did not change the state of MsDS-userAccountDisabled = True to False, but restarting the server itself did. I still need to discover why creds are not requested from the remote AD server. I have been working for weeks with Microsoft on this and have not found an answer, which is why I posted here.