
[SOLVED] Problem with MultiForest and AD LDS


I followed the procedure "How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment" many times, but I always have the same problem: no users in the ADSI Edit MMC, no users in CUCM.

The domain trust relationships are OK.
I created the AD LDS instance (in domain1):
* Instance Name : MultiForest
* LDAP port : 50900
* SSL port : 50901
* Distinguished name : DC=MultiForest
* Imported LDIF files: MS-AdamSyncMetadata.LDF, (MS-ADLDS-DisplaySpecifiers), MS-InetOrgPerson.LDF, MS-User.LDF, MS-UserProxy.LDF, MS-UserProxyFull.LDF

With LDP I created two child partitions (domain1 = Windows 2012 R2 / domain2 = Windows 2008 R2):


With ADSchemaAnalyzer, I created the LDIF file:
Target schema: Domain1_IP:389
Base schema: localhost:50900
Mark all non-present elements as included

cd \Windows\adam
mkdir logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain1.ldf -j c:\windows\adam\logs

With ADSchemaAnalyzer, I created the LDIF file:
Target schema: Domain2_IP:389
Base schema: localhost:50900
Mark all non-present elements as included

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain2.ldf -j c:\windows\adam\logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-UserProxy-Cisco.ldf -j c:\Windows\adam\logs

ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain1.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain1,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log

ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain2.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain2,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log

With ADSI Edit, I created a root user (msDS-UserAccountDisabled > FALSE / msDS-UserDontExpirePassword > TRUE)
DC=MultiForest > CN=Roles > CN=Administrators > Properties > member > add CN=root,DC=MultiForest

I updated the schema and restarted AD LDS.

For my test, I disabled SSL (RequireSecureProxyBind=0).

I configured CUCM (no errors) with these parameters:
* Microsoft Active Directory Application Mode
* IP for authentication: domain1_IP:50900
* LDAP: DC=MultiForest
* Filter: (&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

No synchronization error.

But no users in CUCM... No users in ADSI Edit.

If I test an LDP connection with many users, no problem.

No errors in logs.

Where is my error?

EDIT: I updated the XML files.

Solution:

* Workaround for "Ldap error occured. ldap_add_sW: Object Class Violation":

* Workaround for "Error: We seem to be in an infinite recursive loop":

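The CUCM filter from the post above, run against a few constructed userProxy objects. This is an added example written for this thread in Python; it is not code from the thread, from Cisco or from Microsoft, and the DNs, attribute values and the small schema set are made up. It implements enough of RFC 4515 filter parsing and RFC 4511 three-valued evaluation (TRUE / FALSE / UNDEFINED) to show one check worth doing before trusting the sync: a proxy object that never received msDS-UserAccountDisabled (for example because the attribute was not added to the userProxy class before ADAMSync ran) still satisfies (!(msDS-UserAccountDisabled=TRUE)), so an account that is disabled in the source forest would land in CUCM as an active user.

```python
"""Evaluate the CUCM LDAP filter against constructed AD LDS userProxy entries.

Added example for this thread (not Cisco/Microsoft code). Entries are constructed.
"""

CUCM_FILTER = "(&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))"

TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Constructed proxy objects, roughly what ADAMSync creates under the child partitions.
SAMPLE_ENTRIES = {
    "CN=alice,OU=Users,DC=domain1,DC=MultiForest": {
        "objectClass": ["top", "userProxy"], "sAMAccountName": ["alice"],
        "mail": ["alice@domain1.example"], "msDS-UserAccountDisabled": ["FALSE"]},
    "CN=bob,OU=Users,DC=domain1,DC=MultiForest": {          # disabled in the source domain
        "objectClass": ["top", "userProxy"], "sAMAccountName": ["bob"],
        "mail": ["bob@domain1.example"], "msDS-UserAccountDisabled": ["TRUE"]},
    "CN=carol,OU=Users,DC=domain2,DC=MultiForest": {        # flag never synced: attribute absent
        "objectClass": ["top", "userProxy"], "sAMAccountName": ["carol"],
        "mail": ["carol@domain2.example"]},
    "CN=ws01,CN=Computers,DC=domain1,DC=MultiForest": {
        "objectClass": ["top", "computer"], "sAMAccountName": ["ws01$"]},
}


def parse_filter(text):
    """Parse an RFC 4515 filter into nested tuples: and/or/not, ('eq', attr, value), ('present', attr)."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in "&|":
            pos += 1
            subs = []
            while text[pos] == "(":
                subs.append(parse())
            expect(")")
            return ("and" if op == "&" else "or", subs)
        if op == "!":
            pos += 1
            sub = parse()
            expect(")")
            return ("not", sub)
        end = text.index(")", pos)           # simple item: attr=value (no escapes/substrings needed here)
        attr, sep, value = text[pos:end].partition("=")
        pos = end + 1
        if not sep:
            raise ValueError(f"unsupported filter item {attr!r}")
        return ("present", attr) if value == "*" else ("eq", attr, value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing characters after filter")
    return node


def normalize(entry):
    """Attribute names are case-insensitive in LDAP; key the entry by lowercase name."""
    return {k.lower(): list(v) for k, v in entry.items()}


def evaluate(node, entry, schema=None):
    """RFC 4511 4.5.1.7 semantics. `schema` (optional set of lowercase attribute names)
    makes an unknown attribute type evaluate to UNDEFINED; an absent-but-known attribute is FALSE."""
    kind = node[0]
    if kind in ("and", "or"):
        results = [evaluate(s, entry, schema) for s in node[1]]
        short, default = (FALSE, TRUE) if kind == "and" else (TRUE, FALSE)
        if short in results:
            return short
        return UNDEFINED if UNDEFINED in results else default
    if kind == "not":
        return {TRUE: FALSE, FALSE: TRUE}.get(evaluate(node[1], entry, schema), UNDEFINED)
    attr = node[1].lower()
    if schema is not None and attr not in schema:
        return UNDEFINED
    values = entry.get(attr, [])
    if kind == "present":
        return TRUE if values else FALSE
    return TRUE if any(v.lower() == node[2].lower() for v in values) else FALSE


def select(filter_text, entries, schema=None):
    """DNs the filter matches (only TRUE counts; UNDEFINED never matches)."""
    node = parse_filter(filter_text)
    return sorted(dn for dn, e in entries.items() if evaluate(node, normalize(e), schema) == TRUE)


def proxies_without_disabled_flag(entries):
    """The check to run after a sync: userProxy objects that carry no msDS-UserAccountDisabled at all."""
    out = []
    for dn, e in entries.items():
        n = normalize(e)
        classes = [c.lower() for c in n.get("objectclass", [])]
        if "userproxy" in classes and "msds-useraccountdisabled" not in n:
            out.append(dn)
    return sorted(out)


if __name__ == "__main__":
    print("CUCM would import:", select(CUCM_FILTER, SAMPLE_ENTRIES))
    print("proxies missing the disabled flag:", proxies_without_disabled_flag(SAMPLE_ENTRIES))
```

Carol is imported alongside Alice even though her source account state is unknown to AD LDS, which is why the post's later fix (adding msDS-UserAccountDisabled to the userProxy class before syncing) matters beyond getting objects to appear at all. The `schema` argument is only there to show the other branch of the semantics: an attribute type the directory does not know at all makes the whole AND undefined, and nothing matches.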

Well, I had not looked at the end of the sync log.

I had UpdErr error: DSID-0315166D, problem 6002 (OBJ_CLASS_VIOLATION) (

In the <base-dn> I filtered directly to the users OU.

But adamsync /sync runs for 45 minutes and the log file exceeds 1 GB... and keeps growing.


I had similar issues. Hopefully you are syncing users now. Question: did you get user authentication working?


Hi Mike,

Sorry for the slow answer; I was on holiday.

Yes, everything works for me.

What is your problem exactly?

For my part, this was due to a Microsoft problem:


I am still working on this. Thanks to Mike for helping out.

I am getting closer but still no cigar.

When I run the adamsync /sync command, in the log file I get the error "skipping deletion of object which does not exist locally".


Hi, Morgen,

I also followed the procedure "How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment"; everything is OK except authentication in domain2.

Does LDAP authentication in domain2 succeed in your environment?


Hello rilak_kuma,

Yes, authentication in all domains works.

Have you checked whether the domain2 users are in the AD LDS instance?

You can sync the AD LDS instance with the LDAP directories and check whether the users are present.

Have you checked the logs (AD LDS sync)?


Hi, Morgen,

All users shown in CUCM are active users.

But the behavior of CUCM (10.5.1 or 10.5.2) is quite interesting.

As I understand it, the LDAP auth process should be:

cucm --ldap search request-->LDS

cucm <--search ok--- LDS

cucm --ldap bind request--> LDS

cucm <-- bind ok -- LDS

but when a domain2 user does LDAP authentication:

cucm --ldap search --> domain 2's dc

Since the domain2 DC doesn't have the LDAP manager account I set in the CUCM page, the user auth fails.

After changing to CUCM 11.5, everything is OK.

Will update again after more testing.


Hi rilak_kuma,

Strange... And do you log in with your email as the login?



Hi Denis,

After the testing I can make the conclusions:

1. The failure of LDAP authentication in domain2 is caused by using UPN as the LDAP attribute for user ID. When I change it to mail, LDAP user auth is OK.

2. CUCM 11.5 can use UPN as the LDAP attribute for user ID. Both LDAP sync and auth succeed.




So... I have many problems.

First, adamsync /sync never stops and the log file is huge.

Solution:

Second, I have an error, OBJ_CLASS_VIOLATION, like:

But the solution doesn't work.

I discovered that the problem is with accents and special characters (@). It's a French OS...


After manually adding attributes to the userProxy class via AD Schema, I have all my users in my instance and in CUCM!


I am in the middle of a domain migration. As such, users will live in 2 domains until the old domain is closed down. I need to set up my CUCM to allow users from both domains to log on and have been following the steps outlined by Cisco.

I cannot get past the following part.

ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain1.xml /log c:\Windows\ADAM\logs\Install.log

When I run that command I get the error

"An ldap error occurred while saving the configuration file: No such Attribute"

Anybody got any experience with this?


Some notes:

I recall the account that adamsync is run as not having write permission to any system-protected directories.

I had to try different LDIF templates. I never got them to fully add all the attributes. I had to manually edit the Cisco-provided LDIF configuration; I think there was a case difference between the documentation and the directory. See: Extend the AD LDS Schema with the User-Proxy Objects and the following attributes --> Carefully compare LDS via ADSI:

systemMayContain: givenName
systemMayContain: middleName
systemMayContain: sn
systemMayContain: manager
systemMayContain: department
systemMayContain: telephoneNumber
systemMayContain: mail
systemMayContain: title
systemMayContain: homephone
systemMayContain: mobile
systemMayContain: pager
systemMayContain: msDS-UserAccountDisabled
systemMayContain: samAccountName
systemMayContain: employeeNumber

I recall ipPhone was not imported, so I had to add this attribute as well because I wanted to filter CUCM LDAP based on it.

Do you have more of the log that you can share? It may help me recall some additional details that I had issues with.

One other thing: once you get the sync working, if you try to use the same application partition in LDS, sync will stop if there are duplicated objects between domains, i.e. if administrators or users have the same mail ID, UPN or sAMAccountName in different domains, the overlap will cause sync to stop. I was not able to overcome this, so I was forced to use different application partitions. This limits the number of domains that you can use because of the CallManager/UC directory limitations.


I don't know if I extended the partitions with LDP correctly. I followed the document, but I have nothing to go on as to whether it was a success or not.

I need each domain to sync to a different LDS partition, as the user names are the same in both domains.

I have log files, but there isn't much in them. I can share them all if you like.
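The collision problem described two posts up (sync stopping when two domains sharing one application partition contain objects with the same mail, UPN or sAMAccountName), and the migration case in the last post where the same user names exist in both domains, can both be checked before any sync is attempted. The following is an added example in Python, not code from the thread, Cisco or Microsoft; the two domain exports are constructed, the attribute list is the one named in Mike's post, and the partition naming in `partition_plan` is an assumption for illustration, not a documented rule.

```python
"""Pre-check source domains for the attribute collisions that halt ADAMSync in a shared
AD LDS application partition. Added example for this thread; exports below are constructed."""

from collections import defaultdict

# Attributes that must stay unique across all source domains sharing one partition
# (the three named in the thread). Matched case-insensitively, as AD does.
COLLISION_KEYS = ("sAMAccountName", "userPrincipalName", "mail")

# Constructed per-domain exports (e.g. what you would dump from each source DC).
# The duplicated Administrator and the migrated user jdoe reproduce the thread's cases.
DOMAIN_EXPORTS = {
    "domain1": [
        {"sAMAccountName": "Administrator", "userPrincipalName": "administrator@domain1.example",
         "mail": "admin@corp.example"},
        {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain1.example", "mail": "jdoe@corp.example"},
        {"sAMAccountName": "asmith", "userPrincipalName": "asmith@domain1.example", "mail": "asmith@corp.example"},
    ],
    "domain2": [
        {"sAMAccountName": "administrator", "userPrincipalName": "administrator@domain2.example",
         "mail": "admin2@corp.example"},
        {"sAMAccountName": "jdoe", "userPrincipalName": "jdoe@domain2.example", "mail": "jdoe@corp.example"},
        {"sAMAccountName": "bnguyen", "userPrincipalName": "bnguyen@domain2.example", "mail": "bnguyen@corp.example"},
    ],
}


def find_collisions(exports, keys=COLLISION_KEYS):
    """Return {(attribute, lowercased value): sorted list of domains} for every value
    that appears in more than one domain. Duplicates inside a single domain are not
    reported; AD itself already forbids those for sAMAccountName and UPN."""
    seen = defaultdict(set)
    for domain, users in exports.items():
        for user in users:
            for key in keys:
                value = user.get(key)
                if value:
                    seen[(key, value.lower())].add(domain)
    return {k: sorted(d) for k, d in seen.items() if len(d) > 1}


def partition_plan(exports, keys=COLLISION_KEYS):
    """Assumed layout for illustration: one shared partition (DC=MultiForest) when nothing
    collides, otherwise one application partition per domain, each of which then needs
    its own CUCM LDAP directory entry. Returns {partition_dn: [domains]}."""
    if not find_collisions(exports, keys):
        return {"DC=MultiForest": sorted(exports)}
    return {f"DC={domain},DC=MultiForest": [domain] for domain in sorted(exports)}


def report(exports):
    """Human-readable summary of what would stop the sync."""
    lines = []
    for (key, value), domains in sorted(find_collisions(exports).items()):
        lines.append(f"{key}={value!r} present in {', '.join(domains)}")
    return lines or ["no cross-domain collisions; one application partition is possible"]


if __name__ == "__main__":
    print("\n".join(report(DOMAIN_EXPORTS)))
    print(partition_plan(DOMAIN_EXPORTS))
```

Run it against real exports before deciding how many application partitions (and how many CUCM directory configurations) you need; the built-in Administrator account alone is enough to force the split, since every domain has one.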
