09-21-2005 12:36 PM - last edited on 03-25-2019 06:48 PM by ciscomoderator
Anyone know if it's possible to tell the AD plugin with CCM to not search child domains (or even just a specific child domain)?
I've got an install with all the CCM users in the root domain in different OUs. They don't have any CCM users in the child domains, and some of the child domains are across slower speed or less reliable links, causing slowdowns in CCM when performing any user directory functions.
09-22-2005 05:25 AM
CCM performs a subtree scope search and as a result will receive search references potentially pointing to the undesired child domains. There are no filters that can be applied. We have seen many issues as you described when pointing to the root.
Maybe you can pursue this with your Cisco account team to create a feature request for a way to filter undesired domains.
Kevin
09-22-2005 05:37 AM
Kevin,
Thanks for the reply. I'll pursue it with our AM.
I have worked around the problem by creating a host file entry for the child domain and pointing at the local host; this results in an immediate connection refused and not timeouts. Works relatively decent too.
09-22-2005 05:39 AM
Interesting workaround. I hadn't thought of doing that :-)
Kevin
09-22-2005 06:38 PM
Patrick,
It's true that you can't get CCM to scope or filter the search query. However, assuming you've gone with best practices and used a special low-privileged user to integrate with Active Directory instead of Administrator, as shown here:
you can get tricky with Active Directory permissions to effectively filter your searches. If you use the Active Directory Users and Computers tool to place an explicit deny of all read permissions ACL for your integration user on a given OU, searches will not descend into that OU. You should be able to solve your immediate problem by denying permissions on your child domain or the OUs within it. You can even put a deny on individual single objects if you need to.
09-23-2005 03:36 AM
I'll be testing this; however, will a deny on an entire domain stop AD from returning the LDAP referrers in its results? If not, it only partially solves the problem because CCM will still attempt to contact the remote DCs, some of which are over lower speed or unreliable links, which ends up causing the delays.
10-10-2005 07:54 AM
Just to follow up on this, deny rights don't stop AD from returning the referrals in the LDAP queries, so CCM will still attempt to contact the other child domains.