What is involved in going from local user accounts to active directory accounts with CCM 9.1.2?

Mike Traylor
Level 1

We are currently using local user accounts with CUCM 9.1.2 and are looking at integrating it into the active directory structure.

We do utilize the same structure for user IDs.

I am looking to find out what the changeover will entail and if anything else needs to be done prior to the integration.

We also have Unity syncing up with CUCM for users as well as Contact Center synced up for our ACD system.

Thanks

Mike


6 Replies

Aman Soi
VIP Alumni

Hi Mike,

An LDAP enhancement was introduced in CUCM 9 where the users fetched/synchronised from AD could be converted to local users and fields could be edited, but the reverse is not possible (what I think).

You need to create the same existing end users in AD and then synchronise with CUCM.

regds,

aman

Jason Pennell
Level 4

Hey Mike,

The process is pretty straightforward. CUCM 9.X supports the coexistence of AD integrated users and local users, so you don't have to worry about local accounts disappearing if they don't have an AD account. The biggest thing to watch out for is that if you decide to revert back for whatever reason, then the accounts that were in AD will be marked for deletion (from the CUCM, not AD) and will be removed after approximately 24 hours.

I recommend the following if you'd like to move to AD.

  1. Run a DRS backup of CUCM.  This is not necessary for the integration but is good practice in my opinion.  I'd also do a full export of your users using the BAT so you can reimport users to how they were before the integration should you decide to revert for any reason.
  2. Determine if you want to put the user's extensions in the telephonenumber field or ipPhone field in AD.  Once you make a decision, I recommend populating that information in AD so it is available when you do the integration.  
  3. Make sure your local CUCM user accounts' usernames are exactly the same as your domain accounts. That way, when you do the integration the local users become AD users and keep all of their phone associations, group memberships, etc. If you need to change the usernames then be sure to notify your users ahead of time so they can start logging into UCCX or UCM user pages, etc. using their new username.
  4. Create an account in AD that has read-only rights to your directory.  Set the password to never expire.  You will use this account later for the integration.  
  5. In CUCM, go into Serviceability and make sure the "Cisco DirSync" service is activated on the Publisher server.
  6. Also in CUCM, navigate to the administration page and do the following:
    1. Go to System > LDAP > LDAP System and Check the box to enable Synchronizing.  Confirm the LDAP server type and attribute for User ID is accurate.  This is typically Microsoft Active Directory and sAMAccountName respectively.
    2. Go to System > LDAP > LDAP Directory
      1. Click Add New
      2. Give it a name (whatever you want).
      3. Put in the Distinguished Name of the AD integration account you created earlier. For example, if you created an account called ciscoldap in the Service Accounts OU in the abc.com domain then it would look something like this... CN=ciscoldap,OU=Service Accounts,DC=abc,DC=com
      4. Enter the password for the account.
      5. Enter the search base.  This can be a specific OU where your users exist, a parent OU which contains other OUs which contain all of your users or the entire domain.  If you do the entire domain then in the abc.com example you would specify DC=abc,DC=com.
      6. Select the option to perform a sync with AD on periodic intervals.  The lowest interval you can set is every 6 hours.
      7. Select either the telephonenumber or ipPhone field to be used for the user's extensions.  This will be whatever you decided and populated in AD in an earlier step.
      8. Add your primary and any backup domain controllers and ports.  If they are just domain controllers and you are not using SSL then specify port 389.  If they are also global catalog servers then you can do port 3268.
      9. Click Save and Click the "Perform Full Sync Now" button.
  7. I recommend that you also use LDAP for authentication as well so you only have one username and password to remember which is all controlled by AD.  To add this do the following:
    1. Go to System > LDAP > LDAP Authentication.
      1. Click Add New
      2. Check the box to use LDAP Authentication
      3. Add the same Distinguished Name, password and user search base that you used for your integration account earlier under the synchronization section. Also add the same primary and secondary LDAP servers and ports you used earlier.
      4. Click Save

You can go a step further and create a filter to only pull in the users within the search base you specified and apply that.  For example, maybe only pull in users that have their ipPhone field populated.  Let me know if you have any questions on that or any of the above.

I hope this helps!

Thank you for the response Jason. That is some great info. Do you have any experience in how the integration will affect Unity and our contact center agents that are synced up with CUCM?

Thanks

Hey Mike,

I'm glad you found it useful.  Yes, I work with this all of the time.  My company's own UC deployment is AD integrated and we also do this for the majority of our customers.  

UCCX just references CUCM for its credentials, so if CUCM is now integrated with AD then it will just pass along those requests to AD. For Unity Connection, the same thing is true when it is integrated with CUCM via AXL. You can also choose to integrate Unity Connection directly with AD using the same steps as I outline above with CUCM. If you do, then you'll have a choice when you import new users into the system on whether you want to integrate via CUCM or using LDAP. Existing users will stay as they are. It isn't necessary to do that, but if I'm doing a new implementation then I'll normally integrate both CUCM and Unity Connection directly with AD.

I hope this helps!

Jason,

I have another question about the Cisco user agents in UCCX. When they are converted over, do they keep their assigned skills/groups? Or will that all need to be reassigned?

Thanks

Hey Mike,

As long as you confirm the local users in CUCM match the username of the user each is to be paired with in AD, then that CUCM local user will be converted to an AD integrated user and will keep all of its CUCM permissions, device associations, skills in UCCX, etc.

For example, if you had a local CUCM user with a username of miketraylor and an AD username of miketraylor then you'll be good. The local user will migrate to an AD integrated user and keep all of its settings. But if you had a local CUCM user with a username of miketraylor and an AD username of mtraylor, then after you do the integration you will have 2 users... the original miketraylor local CUCM user with all of the permissions and settings as before, and a new AD integrated user of mtraylor with no permissions and settings. In the 2nd scenario where the usernames don't match, you'll need to manually migrate the settings and eventually delete the old user, which can be a pain. It is best to confirm the local users match before you do the integration, but assuming they do then you'll be good to go.

The only thing I'll caution you about is that if you have a local CUCM user of miketraylor and an AD user of MikeTraylor (notice the uppercase M and T), then it will sync up fine, but the login to the agent desktop is case sensitive, so your users may need to modify their login the first time they try after the integration.

I hope this helps!

A quick edit for something I forgot to mention when I first replied... when I say that a local user will be converted to an AD user and keep "all of its settings", I'm referring to settings such as the CUCM User Groups, Device associations, UCCX skills, Primary Extension and things like that. Other items such as Department and Telephone Number and a few others will be overwritten by the values stored in AD.
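A pre-integration check for step 3 of the procedure above and for the username-matching caveats in this last reply, added here as an example and not part of the original thread: it compares the user IDs from a CUCM BAT export against the AD sAMAccountName list and separates exact matches, case-only differences (which sync but trip the case-sensitive agent desktop login) and non-matches (which would leave a local user behind and create a second, settings-less AD user). The CSV column names, the sample users and the AD export format are constructed assumptions, not CUCM's or AD's actual output.

```python
import csv
import io

# Constructed sample of a CUCM BAT end-user export (hypothetical columns);
# only USER ID matters for the pre-integration check.
CUCM_BAT_EXPORT = """USER ID,FIRST NAME,LAST NAME,TELEPHONE NUMBER
miketraylor,Mike,Traylor,1001
jsmith,Jane,Smith,1002
bjones,Bob,Jones,1003
helpdesk,Help,Desk,1099
"""

# Constructed sAMAccountName values as exported from AD (hypothetical data).
AD_SAMACCOUNTNAMES = ["MikeTraylor", "jsmith", "rjones", "svc-ciscoldap"]


def classify_users(bat_csv, ad_names):
    """Compare CUCM local user IDs with AD sAMAccountNames.

    Returns a dict with four lists:
      exact      - identical names: local user converts to AD user, keeps settings
      case_only  - same name, different case: syncs, but the agent desktop
                   login is case sensitive, so warn those users before cutover
      cucm_only  - no AD match: stays local; a differently named AD account
                   would sync as a second user with no permissions or settings
      ad_only    - AD accounts with no CUCM local user (new users after sync)
    """
    ad_exact = set(ad_names)
    ad_lower = {n.lower(): n for n in ad_names}
    result = {"exact": [], "case_only": [], "cucm_only": [], "ad_only": []}
    seen_ad = set()
    for row in csv.DictReader(io.StringIO(bat_csv)):
        uid = row["USER ID"].strip()
        if uid in ad_exact:
            result["exact"].append(uid)
            seen_ad.add(uid)
        elif uid.lower() in ad_lower:
            ad_name = ad_lower[uid.lower()]
            result["case_only"].append((uid, ad_name))
            seen_ad.add(ad_name)
        else:
            result["cucm_only"].append(uid)
    result["ad_only"] = sorted(n for n in ad_names if n not in seen_ad)
    return result


if __name__ == "__main__":
    report = classify_users(CUCM_BAT_EXPORT, AD_SAMACCOUNTNAMES)
    for category, names in report.items():
        print(f"{category:10}: {names}")
```

Anything in cucm_only or case_only is worth resolving (rename in CUCM, or notify the users about case) before running the first full sync, since the DirSync cannot be cleanly undone once the AD users exist in CUCM.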