Verifying CTS-MAN multiple AD domain (forest) capabilities

Michael Boscia
Level 4

As per the release notes located here:

http://www.cisco.com/en/US/docs/telepresence/cts_manager/1_8/release/ctm_rn1_8.html#wp72803

It says that CTS-MAN supports multiple Active Directory forests since 1.6.x.

Maybe I am being paranoid, but I am interpreting this to mean that I can set up multiple "users" each with a totally different root domain.

So I would have a user in domain A (dc=domainA,dc=com), another user in domain B (dc=domainB,dc=com), and yet a 3rd user in domain C (dc=domainC, dc=com).

I'm asking because I've deployed this server dozens of times, but I've never had a multiple domain (not subdomain, that is different) solution, and I am just making sure that I am covered.

Accepted Solutions

tihopper
Cisco Employee

Unfortunately, no, that is not what multiforest means regarding CTS-Manager. Domain is different than forest in Microsoft-speak.

You can configure CTS-Manager with multiple domains in the *same* forest simply by adding each domain under the User Container field.  In that case, you still only have one forest.  For example:

Forest:  company.com

Domain: us.company.com, eu.company.com, apac.company.com

Default Context:  DC=company,DC=com

User Containers: DC=us,DC=company,DC=com, DC=eu,DC=company,DC=com, DC=apac,DC=company,DC=com

If you want to specify user containers within each domain, using the above scenario, then the configuration would be similar to below (depending on the existing AD deployment, of course):

User Containers: CN=Users,DC=us,DC=company,DC=com, CN=Users,DC=eu,DC=company,DC=com, CN=Users,DC=apac,DC=company,DC=com

I believe in the 1.7 documentation they are called peer domains:

http://www.cisco.com/en/US/partner/docs/telepresence/cts_manager/1_7/admin/ctm_cfg.html#wp1092434

Caveat:  we have run into authentication issues using the above scenario if the account configured under CTM for Exchange doesn't have needed rights/permissions to access resources in the other domains, especially true in large organizations.  However, the above can work.

For multiforest, Microsoft supports two deployment methods - cross-forest and resource-forest.  For CTS-Manager, we only support the resource-forest model - in one forest, you have Exchange resources (rooms) and another you have an authentication forest (users).  There are disabled user accounts in the Exchange resource forest that are linked to users in the authentication forest. 

More information can be found here:

http://technet.microsoft.com/en-us/library/aa998031.aspx

For CTM configuration, the first, and hence Default, LDAP server in CTM must contain the Exchange resource forest, and the second LDAP server in CTM contains the authentication forest.  The Exchange server configured in CTM must be the forest where, of course, Exchange is installed.  All of this should already be set up on the customer's back end before deploying CTS-Manager.
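
A pre-flight check for the single-forest layout described in the accepted solution, as an added example that is not from the original thread or from Cisco: it verifies that every User Containers DN falls under the Default Context, the way the answer's example is laid out. It assumes one contiguous namespace per forest (a forest with several domain trees would not pass this suffix test), takes each container as a separate string, and all function names are hypothetical.

```python
import re

def parse_dn(dn):
    """Split a DN into lower-cased (attribute, value) pairs, leftmost RDN first."""
    rdns = []
    # Split on commas that are not backslash-escaped; multi-valued RDNs ("+")
    # are not handled in this simplified parser.
    for part in re.split(r"(?<!\\),", dn):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError(f"malformed RDN {part!r} in {dn!r}")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns

def is_under(container, context):
    """True if `container` equals `context` or sits below it in the tree."""
    c, ctx = parse_dn(container), parse_dn(context)
    return len(c) >= len(ctx) and c[-len(ctx):] == ctx

def outside_default_context(default_context, containers):
    """Containers that are not in the namespace rooted at default_context."""
    return [dn for dn in containers if not is_under(dn, default_context)]

def domains_covered(containers):
    """DNS domain names implied by the DC components of each container."""
    return sorted({".".join(v for a, v in parse_dn(dn) if a == "dc")
                   for dn in containers})

# Constructed inputs: the accepted solution's layout and the asker's layout.
ANSWER_CONTEXT = "DC=company,DC=com"
ANSWER_CONTAINERS = ["CN=Users,DC=us,DC=company,DC=com",
                     "CN=Users,DC=eu,DC=company,DC=com",
                     "CN=Users,DC=apac,DC=company,DC=com"]
ASKER_CONTEXT = "dc=domainA,dc=com"
ASKER_CONTAINERS = ["dc=domainA,dc=com", "dc=domainB,dc=com",
                    "dc=domainC, dc=com"]

if __name__ == "__main__":
    for label, ctx, conts in (("answer", ANSWER_CONTEXT, ANSWER_CONTAINERS),
                              ("asker", ASKER_CONTEXT, ASKER_CONTAINERS)):
        bad = outside_default_context(ctx, conts)
        print(label, domains_covered(conts), "outside context:", bad or "none")
```

Containers reported as outside the Default Context point to separate root domains, which the answer says is not covered by the User Container field and needs the resource-forest model instead.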
