[cisco-voip] CCM 4.1(2)
Wes Sisk
wsisk at cisco.com
Tue Oct 26 12:33:25 EDT 2004
Good Morning Lukas,
Mostly you have to be concerned about domain security policies being
pushed down to CM. Note that a domain security policy can be used to
change file system permissions and registry permissions. These changes
are not backed out when the server is removed from the domain so if your
server breaks after an AD change, a rebuild is in your future unless you
know EXACTLY what changes your AD policy made and can back them out
manually.
CSCee03607 need to refine support of CallManager in a windows domain
Symptoms:
Various including CallManager service fail to start and SQL replication
failing
Conditions:
CallManager server is added to a Windows Domain that enforces domain
security policy or domain login scripts.
Workaround:
CallManager servers can be domain members so long as these criteria are met:
1. servers are in an OU that does not receive domain security policies
2. domain user accounts that login to the server must not execute login
   scripts
3. SMS or other software push tools must not be used to push software or
   security updates to the CallManager servers.
It is preferable that CCM servers are not domain members, but remain
workgroup members. This prevents the accidental case of a user with login
script logging into the server and impacting CallManager functionality. It
also prevents an admin accidentally pushing an update out to an OU and all
sub OU's.
To help address security concerns:
The win-os updates provided on Cisco.com software center are built and
tested within Cisco to make user rights, group membership, file and registry
permissions, local security policy, etc as secure as possible and still
allow CallManager to work properly. Any additions or modifications are almost
guaranteed to break some functionality or interface of the CallManager
software.
Łukasz Bromirski wrote:
> Carter, Bill wrote:
>
>> Anyone running CCM 4.1(2) yet?
>
>
> I have client running 4.1(2) for about 60 telephones and Q.SIG connection
> to Nortel Meridian PBX by 3600 router. As for now, everything looks quite
> good.
>
> But it's just an excuse for asking on list: did anyone encounter fatal
> heart-killing issues with CM server running as a member of
> Active Directory domain? I know it's not supported, and I know what it
> means, but client insisted trying - and we installed it without a
> problem. Anyone with some issues besides "according to docs..."?
>