cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
947
Views
0
Helpful
11
Replies

Unity v5 & Active Directory requirements

mattepps645
Level 1
Level 1

I am planning the following Unity v5 deployment:

Voicemail Only

Failover

Message Store (Exchange 2k3) hosted on Secondary Unity server

Primary & Secondary Unity servers in different Locations with a WAN between them.

SQL Server 2k on both Unity Servers.

The WAN connectivity passes all the criteria for redundancy, latency, distance etc.

My concern is over the Active Directory configuration. The system requirements document on CCO states the following:

• For the Active Directory domain, you must use one of the following configurations:

- Both Cisco Unity servers are member servers in the same Active Directory domain.

- The secondary server is a domain controller and the primary server is a member server in the

secondary server domain.

• When servers are installed in different locations, each location must have a domain controller/global

catalog server.

I will not be making these servers members of an already existing Domain hence would be looking to make the Secondary server the DC. However, what happens to the Primary as the requirement is that it should have access to a DC/GC server itself as it is in a separate location ?

The Unity Install guide provides detail as to how to create the Active Directory DC using the "dcpromo" application on the Secondary server. Do I also run this on the Primary as well ?

Basically the details of AD config and requirements are confusing in the documentation I have seen and nothing seems to give specific detail to the deployment I am looking to do.

My Customer does not want the Unity servers in the same Data Centre hence why I am faced with this issue.

Also, the Unity servers need access to DNS as part of the dcpromo process. Is this simply a case of activating the DNS service (Dynamic DNS ?)on each server ?

I hope someone can provide some clarity as I am going around in cricles with this !!

Many thanks,

Matt

1 Accepted Solution

Accepted Solutions

Matt, that is correct, just make sure that you create AD sites so Primary Unity uses the local DC as primary and remote DC as failover, the same applies to DNS. The Primary server will be the DC/GC and will be promoted as the first DC on the domain, the second server will be another DC for the same domain. That way, DC updates will be faster (BTW, You can also promote the second server as a GC).

In regards to TAC support, if you have redundant links on the WAN with different providers, you do not need the DC/GC/DNS on the primary site, just on the secondary since the only issue that we could have will be to loose connectivity which is almost impossible if the WAN connection is fully redundant.

Any of the scenarios that we have previously discussed are supported as long as we have Gb links and less than 10ms delay, this only applies to Unity 5.X/7.X.

Have a nice day!!!

View solution in original post

11 Replies 11

Tommer Catlin
VIP Alumni
VIP Alumni

If you are creating a VM only for Unity, I would make both servers GC/DC. You can create Sites and Services to limit AD replication or have it run more efficiently over the WAN.

Create DNS on both servers.

But there a few other questions I have or am concerned with.

1. Primary and Secondary should be in the SAME location with Exchange. You can't split these servers over the WAN. You can do this Unity Connection 7.x

Check over the SRND on Unity and about splitting the Primary/secondary. The replication of SQL and MWI's is your main problem and TAC. If you can get your local AM to sign off on splitting the Primary and Secondary, then TAC will support it. But typically, its a big fat no.

espereir
Level 5
Level 5

Hello Matt,

Both Unity servers should be on the same location, if the WAN fails for any reason or if the delay is too high the primary Unity will start experiencing sync issues with the DC and Exchange. This setup can be done, you just need to make the Secondary the DC/GC, DNS and Exchange server and make the Primary as a Member of the Secondary domain, however, there is a high chance that you will have delays retrieving messages, MWI delays, etc.

In addition, please check the Unity design guide since having the servers across the WAN is not supported:

http://www.cisco.com/en/US/docs/voice_ip_comm/unity/405/design/guide/udg403.pdf

Some points from page 37-38:

- A 100 Mbps or faster full-duplex network connection is required between the Cisco Unity server and the partner message store server.

- For Exchange 2000, Exchange 2003, or an Exchange mixed-mode environment, a 100 Mbps or faster full-duplex network connection is required between the Cisco Unity server and the DCs and GCs that service the message stores that home Cisco Unity subscribers.

- Cisco Unity cannot be connected to Exchange or Domino via a WAN connection.

As you can see, the only option here in order to have a supported system will be to have both servers on the main site.

Hope this helps!

Esteban,

many thanks for your response. Whilst your link was for Unity 4.x, I have noticed a similar caveat in the Version 5 Design Guide (it was nowhere near a clearly stated as in the v4 doc !!!)

The key reference I have been using is the "Systems Requirement for Cisco Unity Release 5.0" document (see attachment). This doc has specific entries for "Failover Requirements when the message store is on the Secondary server" as well as another section for "failover requirements for separating Unity servers over the WAN".

It is the section on "Failover Requirements when the message store is on the Secondary server" that gives rise to insinuation that the Primary/Secondary servers can be on separate locations (admitedly it doesn't specifically say across a WAN !!). The parts that cause the confusion are

• For the Active Directory domain, you must use one of the following configurations:

- Both Cisco Unity servers are member servers in the same Active Directory domain.

- The secondary server is a domain controller and the primary server is a member server in the

secondary server domain.

• When servers are installed in different locations, each location must have a domain controller/global

catalog server.

I think it is a fair insinuation to make as the whole section is about the Message Store being on the Secondary Unity server and also there is a clear statement that Servers can be in different Locations.

The confusion is compounded because there is also a section on separating Unity Servers by a WAN !!

As you can see, I have gone around in a few circles trying to get absolute clarity on all the different bits of information provided. I agree it makes sense to not separate the Primary box from the Message store but there is enough evidence to suggest it is possible.

I don't know if it makes any difference but the WAN links in question for my Customer are both more than the 1Gbps minimum stated in the Systems Requirements document.

Many thanks,

Matt

- The secondary server is a domain controller and the primary server is a member server in the secondary server domain.

where did you get this statement?

As long as the Unity is a member server and you have a dc/gc in each site that should work.

Randy

sorry I got it your message store is on the secondary.

Hi Randy,

this reference comes from the systems requirements document I attached in a previous post. The Unity 5 Installation guide also give instructions for making this configuration.

Best wishes,

Matt

Hello Matt,

You are welcome and the setup on Unity 5.X is quite different but not that much, on Unity 5.X/7.X the Secondary can be the DC/GC, Exchange and DNS (no need for a 3rd server on VMOnly systems), however, having just one domain is not recommended.

As stated before, this setup is possible, however, Unity design has not change that much between 4.X and 5.X/7.X; as a matter of facts, there are no big changes on the latest versions, we have just added features and capabilities into the system.

Please note that the best practice is to have the DC and MsgStore on the same LAN/site as the Unity server, but we have included WAN failover on 5.X release; just make sure that you meet the minimum requirements:

- Minimum of two paths between the Unity servers.

- Each path must be gigabit speed or higher with no stead-state congestion.

- The maximum round-trip latency must be no more than 10 ms. A fixed network latency of 5ms or less is a best practice.

- The Unity servers must not be separated by a firewall.

- If the Cisco Unity servers are being installed into an existing forest, both data centers must have one

or more DC/GCs and one or more DNS servers.

Hope it helps!

Once again a good response, many thanks.

Everyone I have spoken to seemed to not know that things were different with respect to failover and Message Store location in Unity 5 as well as the ability for the Secondary to be the DC/GC & DNS server !!

What I hope you are saying is that I should be able to deploy my design as stated. The minimum requirements you state above are all met in my scenario.

What I would like to re-clarify is the AD config if I may:-

The Secondary Server in Site B hosts the Message Store, will be the DC/GC and will run DNS (DDNS I believe is recommended). The AD config is all set-up using the DCPROMO application.

The Primary Server in Site A should also be a DC/GC & DNS server. From Microsoft resources I know this is possible within AD and I believe the same DCPROMO app can be used to add DC's into existing AD Domains with other DCs. Microsoft seem to recommend this as it makes authentication quicker at each location.

So is the deployment with respect to AD as I stated above & supported by yourselves in TAC ? I think it is this aspect of deployment that is not clearly stated.

Many thanks,

Matt

Matt, that is correct, just make sure that you create AD sites so Primary Unity uses the local DC as primary and remote DC as failover, the same applies to DNS. The Primary server will be the DC/GC and will be promoted as the first DC on the domain, the second server will be another DC for the same domain. That way, DC updates will be faster (BTW, You can also promote the second server as a GC).

In regards to TAC support, if you have redundant links on the WAN with different providers, you do not need the DC/GC/DNS on the primary site, just on the secondary since the only issue that we could have will be to loose connectivity which is almost impossible if the WAN connection is fully redundant.

Any of the scenarios that we have previously discussed are supported as long as we have Gb links and less than 10ms delay, this only applies to Unity 5.X/7.X.

Have a nice day!!!

Esteban,

this is the response I have spent a couple of days trying to get so very many thanks - well worth the 5 rating !!!.

It's actually 23:00 now in the UK so I am off to bed !!!!

Good Night and once again many thanks,

Matt

Thanks and you are really welcome.