
[SOLVED] Problem with MultiForest and AD LDS



I followed the procedure "How to Configure Unified Communication Manager Directory Integration in a Multi-Forest Environment" many times, but I always have the same problem: no users in ADSI Edit MMC, no users in CUCM.

Domain trust relationships are OK.
I have created the AD LDS instance (in domain1):
* Instance Name : MultiForest
* LDAP port : 50900
* SSL port : 50901
* Distinguished name : DC=MultiForest
* Imported LDIF files: MS-AdamSyncMetadata.LDF, (MS-ADLDS-DisplaySpecifiers), MS-InetOrgPerson.LDF, MS-User.LDF, MS-UserProxy.LDF, MS-UserProxyFull.LDF

With LDP I have created two children (domain1 = Windows 2012 R2 / domain2 = Windows 2008 R2):


With ADSchemaAnalyzer, I have created the LDIF file
Target schema : Domain1_IP:389
Base schema => localhost:50900
Mark all non-present elements as included

cd \Windows\adam
mkdir logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain1.ldf -j c:\windows\adam\logs

With ADSchemaAnalyzer, I have created the LDIF file
Target schema : Domain2_IP:389
Base schema => localhost:50900
Mark all non-present elements as included

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f domain2.ldf -j c:\windows\adam\logs

ldifde -i -s localhost:50900 -c CN=Configuration,DC=X #ConfigurationNamingContext -f MS-UserProxy-Cisco.ldf -j c:\Windows\adam\logs

ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain1.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain1,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log

ADAMSync /Install localhost:50900 c:\Windows\ADAM\MS-AdamSyncConfDomain2.xml /log c:\Windows\ADAM\logs\Install.log
ADAMSync /sync localhost:50900 "dc=domain2,dc=MultiForest" /log c:\Windows\ADAM\logs\sync.log

With ADSI Edit, I created the root user (msDS-UserAccountDisabled > FALSE / msDS-UserDontExpirePassword > TRUE)
DC=MultiForest > CN=Roles > CN=Administrators > Properties > member > add CN=root,DC=MultiForest

I have updated the schema and rebooted AD LDS

For my test, I disabled SSL (RequireSecureProxyBind=0)

I configured CUCM (no errors) with these parameters:
* Microsoft Active Directory Application Mode
* IP for authentication : domain1_IP:50900
* LDAP : DC=MultiForest
* Filter : (&(objectClass=userProxy)(!(objectClass=Computer))(!(msDS-UserAccountDisabled=TRUE)))

No synchronization error.

But no users in CUCM... No users in ADSI Edit.

If I test an LDP connection with many users, no problem.

No errors in logs.

Where is my error?

EDIT: I updated the XML files

Solution :

* Workaround for "Ldap error occured. ldap_add_sW: Object Class Violation":

* Workaround for "Error: We seem to be in an infinite recursive loop":


Yeah, share what you can; there may be some clues. I would be happy to do a short Webex with you if you want to review your setup.


Thanks Mike, that might work. When suits?

In 30min or it will have to be around 5pm EDT. You can send me an invite to or your contact and I can host.



Is the problem solved?

No, not yet. I was communicating with Mike and I've updated the XML file attributes to match for case sensitivity. I ran the command last night but keep getting back "no such attribute". I even took out all the attributes and tried again, but the same problem occurred. Any ideas?

I sent you a YouTube video of my screen capture of some modifications that I did to LDAP.

From my notes, it looks like the User-Proxy attribute does not get updated with MayContain elements, which should happen with the custom Cisco LDF import in the steps prior to the ADAM config installation. I had to manually add these to the schema. I added the attributes/settings we discussed yesterday.

Please email me if you cannot access it or need further explanation. Note I was led to this issue by Denis.Morgen's comment and the associated link...

Hi Mike, where did you send the YouTube clip to?

The email account you contacted me on. Just sent another one.

Hi Fergie,

Did you follow this procedure:

It's the workaround from my first problem

The workaround from my second problem :
