Active Directory Plugin - Enabling the use of multiple domain controllers

baronwright
Level 1

I am implementing CallManager 4.13 using the customer directory plugin for Active Directory. During the installation of the customer directory plugin you are required to put in the host name or IP address of the AD domain controller. The documentation specifies entering a single host; however, for redundancy purposes I wish to have multiple hosts for the directory server. What is the syntax for entering multiple host names or IP addresses? I actually completed the plugin install on the publisher using a space between two host names; however, when I went to use the CCMPWChangePassword utility to reset the ccm administrator and other associated accounts for the subscribers, the utility returned the error "callmanager is not integrated with this directory". I uninstalled and reinstalled the plugin, used a single host name, and the CCMPWChangePassword utility worked fine. This error could have been unrelated, but the only change was removing the second host name on the directory integration.

I also have the same question for IPCC express LDAP/AD integration.

3 Replies

baronwright
Level 1

I just referenced the CallManager SRND and it suggests using several methods; the most practical for me would be a DNS round-robin methodology. Would the same method be used for IPCC Express?

Hi Baron,

Did you ever get this answered?

Erik

gogasca
Level 10

We are suggesting that customers point to the domain name for redundancy, which in short is kind of the same as having invalid entries in DNS for the DC.

We all know that we fail to roll over to the next DC or DNS entry (at least in a timely way), and our services fail or time out much faster than we retry the next DC. This is wrong and only makes our deployment fragile since...

Well, ancient times (CCM 3.x I believe).

We can fix this and we have submitted a DDTS as follows:

CSCsg00606

Symptom:

DC round robin/failover does not occur in CallManager when integrated with the AD plugin

Conditions:

All Windows-based CallManager versions until Sept 2006

Workaround:

Decrease DNS caching value to 1

1. Start Registry Editor (Regedit.exe).

2. Locate the MaxCacheEntryTtlLimit value under the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters

3. On the Edit menu, click Modify. Type 1, and then click OK.

4. Quit Registry Editor.

Further Problem Description:

In the SRND on Active Directory Integration for CM 4.X - http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_implementation_design_guide_chapter09186a00806e8c04.html

we suggest using the domain name in the plugin utility for redundancy.

"Planning the Directory Integration

Because the directory is an enterprise-wide resource that is used by a potentially large number of applications and end users, it is essential to plan the integration carefully to minimize the impact on all other applications."

...

"Use Domain Name System (DNS) domain names instead of specific domain controller host names when configuring the directory plugin.

With redundant servers, the first name returned by DNS might be the name of a server that is not as local to Cisco Unified CallManager as others returned later in the response. Also, if your DNS server has the round-robin feature enabled, by design it rotates the order in which addresses are returned in the response. Depending on mechanisms such as client-side DNS cache timeout, along with other possible clients querying for the same domain in the interim, Cisco Unified CallManager could run two consecutive operations against two different domain controllers (DCs). In addition to the locality problem already mentioned, using DNS redundancy could keep objects created in the first operation from being found by a search on a different DC by a later query if the directory has not replicated in the meantime. Therefore, before choosing to use DNS to make the implementation redundant, be sure that these issues do not affect your deployment."

However, our OS does not perform round robin/try another server by nature, as we do not modify the default behavior Microsoft has in the OS:

In our case it should be:

http://support.microsoft.com/kb/245437/EN-US/

Since that one is for Windows 2000; in the case of Windows 2003 it should be:

http://support.microsoft.com/kb/318803/en-us

SUMMARY

Windows contains a client-side Domain Name System (DNS) cache. The client-side DNS caching may generate a false impression that DNS "round robin" is not taking place from the DNS server to the Windows client. Pinging the same A-record domain name may result in the client using the same IP address. This behavior is different from previous Microsoft operating systems.

We just kept the MS value, which is too high to do either failover when a DC is down or round robin.

The AD plugin should change its default to 1 or decrease it to an acceptable value, and this should be documented in the AD plugin docs.

HTH
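The registry workaround from the DDTS above, scripted so it is reversible and its effect is visible, as an added example that is not part of gogasca's post, the Cisco DDTS or the Microsoft KB articles. It writes MaxCacheEntryTtlLimit under the Dnscache\Parameters key exactly as steps 1-4 describe, after recording whatever value was there. The domain name `ad.example.com` is an assumed placeholder for the AD DNS domain you entered in the plugin; the lookup loop, the backup file and the 2-second pause are choices made for this example, not anything the KB prescribes. Run it elevated on the CallManager host.

```powershell
# Added example (not Cisco or Microsoft code): apply the MaxCacheEntryTtlLimit
# workaround with a backup of the prior value, then show how the resolver
# behaves afterwards. $DomainName is an assumed placeholder for your AD domain.
param(
    [string]$DomainName      = 'ad.example.com',  # assumption: AD DNS domain used in the plugin
    [int]   $TtlLimitSeconds = 1                  # the value the workaround recommends
)

$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters'
$valName = 'MaxCacheEntryTtlLimit'

# Record the current value (absent means the OS default applies) so the change can be undone.
$current = (Get-ItemProperty -Path $keyPath -Name $valName -ErrorAction SilentlyContinue).$valName
if ($null -eq $current) { Write-Host "$valName not set; OS default cache TTL in effect" }
else                    { Write-Host "Current $valName = $current seconds" }
"$valName=$current" | Out-File -FilePath (Join-Path $env:TEMP 'dnscache-backup.txt')

# Write the DWORD. -Force overwrites the value if it already exists.
New-ItemProperty -Path $keyPath -Name $valName -PropertyType DWord `
                 -Value $TtlLimitSeconds -Force | Out-Null

# Entries cached under the old TTL would otherwise survive the change.
ipconfig /flushdns | Out-Null

# Verify the write before trusting it.
$applied = (Get-ItemProperty -Path $keyPath -Name $valName).$valName
if ($applied -ne $TtlLimitSeconds) { throw "Registry write failed: $valName is $applied" }
Write-Host "$valName now $applied second(s)"

# Resolve the domain name several times, more than $TtlLimitSeconds apart.
# With the default cache TTL every lookup returns the same first address;
# with round robin on the DNS server and a 1-second limit, the first address
# should rotate between domain controllers.
$firstAddresses = @{}
1..5 | ForEach-Object {
    $addrs = [System.Net.Dns]::GetHostAddresses($DomainName) |
             ForEach-Object { $_.IPAddressToString }
    Write-Host ("lookup {0}: first address {1} (of {2})" -f $_, $addrs[0], $addrs.Count)
    $firstAddresses[$addrs[0]] = $true
    Start-Sleep -Seconds 2
}
Write-Host ("distinct first addresses across 5 lookups: {0}" -f $firstAddresses.Count)
```

Two caveats a practitioner should keep in mind, both following from the posts above rather than from this script. The limit lives in the Dnscache service parameters, so it applies to every resolver consumer on that host, not only the AD plugin; it also does nothing for an LDAP connection that is already open, since the OS cache is consulted only when a new connection resolves the name. And the SRND warning quoted above cuts the other way: a 1-second limit makes it more likely that two consecutive operations land on different DCs, so an object created on one DC may not yet be visible on the next if replication has not caught up. To revert, restore the value saved in the backup file with New-ItemProperty, or run `Remove-ItemProperty -Path $keyPath -Name $valName` if the value did not exist before.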
