[SOLVED] Problem with MultiForest and AD LDS

Hello,

I have followed the procedure "How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment" many times, but I always get the same problem: no users in ADSI Edit MMC, no users in CUCM.


The domain trust relationships are OK.
I have created the AD LDS instance (in domain1):
* Instance name: MultiForest
* LDAP port: 50900
* SSL port: 50901
* Distinguished name: DC=MultiForest
* Imported LDIF files: MS-AdamSyncMetadata.LDF, (MS-ADLDS-DisplaySpecifiers), MS-InetOrgPerson.LDF, MS-User.LDF, MS-UserProxy.LDF, MS-UserProxyFull.LDF

With LDP I have created two child objects (domain1 = Windows 2012 R2 / domain2 = Windows 2008 R2):
DC=domain1,DC=MultiForest
instanceType: 5
objectClass: domainDNS

DC=domain2,DC=MultiForest
instanceType: 5
objectClass: domainDNS


With ADSchemaAnalyzer, I have created the LDIF file:
Target schema: Domain1_IP:389
Base schema: localhost:50900
Mark all non-present elements as included

cd \Windows\adam
mkdir logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain1.ldf -j c:\windows\adam\logs


With ADSchemaAnalyzer, I have created the LDIF file:
Target schema: Domain2_IP:389
Base schema: localhost:50900
Mark all non-present elements as included

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain2.ldf -j c:\windows\adam\logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-UserProxy-Cisco.ldf -j c:\Windows\adam\logs


ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain1.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain1,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log


ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain2.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain2,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log


With ADSI Edit, I created the root user (msDS-UserAccountDisabled = FALSE / msDS-UserDontExpirePassword = TRUE):
DC=MultiForest > CN=Roles > CN=Administrators > Properties > member > add CN=root,DC=MultiForest

I have updated the schema and rebooted AD LDS.


For my test, I disabled SSL (RequireSecureProxyBind=0).

I configured CUCM (no errors) with these parameters:
* Microsoft Active Directory Application Mode
* IP for authentication: domain1_IP:50900
* LDAP: DC=MultiForest
* Filter: (&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

No synchronization error.

But no users in CUCM... No users in ADSI Edit.

If I test an LDP connection with many users, no problem.

No errors in logs.


Where is my error?

EDIT: I updated the XML files.

Solution:

* Workaround for "Ldap error occured. ldap_add_sW: Object Class Violation": http://clintboessen.blogspot.fr/2011/06/ldap-error-occured-ldapaddsw-object.html

* Workaround for "Error: We seem to be in an infinite recursive loop": https://support.microsoft.com/en-us/kb/926933
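As an added check that is not part of the original post or of the Cisco procedure, the PowerShell script below does from the command line what CUCM does when it syncs: it simple-binds to the AD LDS instance on localhost:50900 as CN=root,DC=MultiForest, reads the schema to confirm that the userProxy class actually carries the attributes the Cisco LDF is supposed to add (the cause behind the "Object Class Violation" and "no such attribute" symptoms), and then counts the objects returned by the exact filter configured in CUCM, broken down per child partition. Server, base DN, bind DN and filter are taken from the post; the list of expected attributes is an assumption (the attributes a default CUCM sync maps) and can be overridden with -WantAttrs. Because RequireSecureProxyBind=0 means this simple bind sends the root password in clear text over port 50900, run it only against the test instance, and restore RequireSecureProxyBind=1 before CUCM goes live.

```powershell
# Added diagnostic (not from the Cisco guide or the forum post). Assumes the
# values the poster configured: AD LDS on localhost:50900, partition
# DC=MultiForest, proxy bind account CN=root,DC=MultiForest, SSL disabled.
param(
    [string]$Server = 'localhost:50900',
    [string]$BaseDn = 'DC=MultiForest',
    [string]$BindDn = 'CN=root,DC=MultiForest',
    [string]$Filter = '(&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))',
    # Assumed list of attributes a CUCM directory sync maps; adjust to your sync config.
    [string[]]$WantAttrs = @('sn','givenName','middleName','displayName','mail','telephoneNumber',
                             'title','department','manager','homePhone','mobile','pager','ipPhone',
                             'employeeNumber','msRTCSIP-PrimaryUserAddress','userPrincipalName')
)
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

$pw   = Read-Host -AsSecureString "Password for $BindDn"
$cred = New-Object System.Net.NetworkCredential($BindDn, $pw)
$conn = New-Object "$P.LdapConnection"($Server)
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind, as CUCM does
$conn.Bind($cred)                                                         # throws if bind is refused

function Search($dn, $filter, $scope, [string[]]$attrs) {
    $req = New-Object "$P.SearchRequest"($dn, $filter, [System.DirectoryServices.Protocols.SearchScope]$scope)
    $req.Attributes.AddRange($attrs)
    return $conn.SendRequest($req)
}

# 1. Schema check: does userProxy carry the mayContain attributes the Cisco LDF should have added?
$rootDse  = (Search '' '(objectClass=*)' 'Base' @('schemaNamingContext')).Entries[0]
$schemaNc = $rootDse.Attributes['schemaNamingContext'].GetValues([string])[0]
$cls = (Search $schemaNc '(&(objectClass=classSchema)(lDAPDisplayName=userProxy))' 'Subtree' `
        @('mayContain','systemMayContain','subClassOf')).Entries[0]
$have = @()
foreach ($a in 'mayContain','systemMayContain') {
    if ($cls.Attributes.Contains($a)) { $have += $cls.Attributes[$a].GetValues([string]) }
}
# Note: attributes inherited from the superclass are not listed on userProxy itself.
"userProxy subClassOf: $($cls.Attributes['subClassOf'].GetValues([string])[0])"
"userProxy mayContain + systemMayContain: $($have.Count) attributes"
$missing = $WantAttrs | Where-Object { $have -notcontains $_ }
if ($missing) {
    "Not allowed on userProxy (adamsync will fail with Object Class Violation / no such attribute): $($missing -join ', ')"
}

# 2. Data check with CUCM's own filter, paged so large partitions do not hit the size limit.
$page = New-Object "$P.PageResultRequestControl"(500)
$total = 0; $perDomain = @{}
do {
    $req = New-Object "$P.SearchRequest"($BaseDn, $Filter, [System.DirectoryServices.Protocols.SearchScope]::Subtree)
    $req.Attributes.AddRange([string[]]@('sAMAccountName','objectSid'))
    [void]$req.Controls.Add($page)
    $resp = $conn.SendRequest($req)
    foreach ($e in $resp.Entries) {
        $total++
        $dom = ($e.DistinguishedName -split ',' | Where-Object { $_ -like 'DC=*' })[0]
        $perDomain[$dom] = 1 + [int]$perDomain[$dom]
        # A userProxy without objectSid can be listed but can never bind-redirect to the real forest.
        if (-not $e.Attributes.Contains('objectSid')) { "WARNING: no objectSid on $($e.DistinguishedName)" }
    }
    $prc = $resp.Controls | Where-Object { $_ -is [System.DirectoryServices.Protocols.PageResultResponseControl] } |
           Select-Object -First 1
    if ($prc) { $page.Cookie = $prc.Cookie } else { break }
} while ($page.Cookie.Length -gt 0)
"Objects matching the CUCM filter under ${BaseDn}: $total"
$perDomain.GetEnumerator() | ForEach-Object { "  $($_.Key): $($_.Value)" }
$conn.Dispose()
```

If the schema check reports missing attributes, re-import MS-UserProxy-Cisco.ldf (or add the mayContain values by hand, as the workaround link above describes) before running ADAMSync again; if the schema is fine but the count per partition is 0, the problem is in the ADAMSync configuration XML or the source-forest bind, not in CUCM.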

23 Replies

Yeah, share what you can, there may be some clues. I would be happy to do a short WebEx with you if you want to review your setup.

Mike


Thanks Mike, that might work. When suits?


In 30 min, or it will have to be around 5pm EDT. You can send me an invite to miskaone+cmlds@gmail.com or your contact and I can host.

Mike


Hello,

Is the problem solved?


No, not yet. I was communicating with Mike and I've updated the XML file attributes to match for case sensitivity. I ran the command last night but keep getting back "no such attribute". I even took out all the attributes and tried again, but the same problem occurred. Any ideas?


I sent you a YouTube video of my screen capture of some modifications that I did to LDAP.

From my notes it looks like the User-Proxy attribute does not get updated with the mayContain elements, which should happen with the custom Cisco LDF import in the steps prior to the ADAM config installation. I had to manually add these to the schema. I added the attributes/settings we discussed yesterday.

Please email me if you cannot access it or need further explanation. Note I was led to this issue by Denis.Morgen's comment and the associated link...

http://clintboessen.blogspot.fr/2011/06/ldap-error-occured-ldapaddsw-object.html


Hi Mike, where did you send the YouTube clip to?


The email account you contacted me on. Just sent another one.


Hi Fergie,

Did you follow this procedure: http://clintboessen.blogspot.fr/2011/06/ldap-error-occured-ldapaddsw-object.html

It's the workaround for my first problem.

The workaround for my second problem: https://support.microsoft.com/en-us/kb/926933
