[cisco-voip] rights needed for AD integration for ccm6

Ryan Ratliff rratliff at cisco.com
Mon Jan 14 12:24:28 EST 2008


Well CM won't search through multiple domains so you'll need a  
separate synch agreement for each domain minimum.

The SRND talks about this a bit.
http://www.cisco.com/en/US/docs/voice_ip_comm/cucm/srnd/5x/50drctry.html

-Ryan

On Jan 14, 2008, at 11:03 AM, Jonathan Charles wrote:

Yeah, it turns out their root domain is different than the domain
where their users are...


Jonathan

On Jan 14, 2008 10:02 AM, Jonathan Charles <jonvoip at gmail.com> wrote:
> Is there a requirements doc I can show them, if I am going to request
> a modification of their DNS/AD setup?
>
>
>
> Jonathan
>
>
> On Jan 14, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>> Not sure what to tell you.  Can you try setting the search base to
>> something other than the root of the domain?
>>
>> All you can do is get a sniffer capture and show them what we are
>> searching for and how their ldap server is responding.
>>
>> -Ryan
>>
>>
>> On Jan 11, 2008, at 5:51 PM, Jonathan Charles wrote:
>>
>> The customer is saying that forestdnszones is in a different domain...
>> (cproot.net)...
>>
>>
>>
>>
>> Jonathan
>>
>> On Jan 11, 2008 8:52 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>>> With Win2k3 AD if you make an ldap search with the search base set to the
>>> root of the domain you will always get a referral for 3 hosts:
>>> cn=Configuration, dc=domain, dc=com
>>> dc=forestdnszones, dc=domain, dc=com
>>> dc=domaindnszones, dc=domain, dc=com
>>>
>>> From what I've gathered troubleshooting a bijillion of these referral issues,
>>> these DNS entries usually have all DCs in the domain listed.  Most of the
>>> time if you get a 2nd NIC enabled on a DC with DHCP enabled but not
>>> reachable, the server grabs the auto-assigned Windows DHCP address and this
>>> gets stuck into DNS.  CM (4.x at least) had a nasty habit of picking the one
>>> address out of all possible DNS results and using it to follow the referral.
>>> This causes all kinds of ldap issues.
>>>
>>> This is why a sniffer capture is so helpful when troubleshooting ldap
>>> issues.  I've found that customers' AD folks tend to be quite protective and
>>> don't like to even think of there being a problem on their end until I can
>>> show them exactly what's going wrong in a sniffer capture.
>>>
>>>
>>>
>>>
>>> -Ryan
>>>
>>>
>>> On Jan 10, 2008, at 3:06 PM, Joel Perez wrote:
>>> Gotcha,
>>>
>>> Got it now, thought it was some new crazy feature of ccm6.
>>>
>>> Thanks,
>>>
>>> Joel P
>>>
>>>
>>> On 1/10/08, Scott Voll <svoll.voip at gmail.com> wrote:
>>>>
>>>> planetcrazy.net was in the trace file.  AD uses the forestdnszones and
>>>> domaindnszones as part of the AD / dns sync.
>>>>
>>>> Scott
>>>>
>>>>
>>>>
>>>> On Jan 10, 2008 11:06 AM, Joel Perez <tman701 at gmail.com> wrote:
>>>>
>>>>>
>>>>> Pardon my ignorance guys, but what does his issue have to do with
>>>>> 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
>>>>> 'domaindnszones.planetcrazy.net'?
>>>>>
>>>>> I'm just curious.
>>>>>
>>>>> Thanks,
>>>>> Joel P
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 1/10/08, Scott Voll <svoll.voip at gmail.com > wrote:
>>>>>>
>>>>>> and make sure all are routable. and close.  we had issues with a DC
>>>>>> going offsite over slower link.
>>>>>>
>>>>>> Scott
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Jan 10, 2008 6:47 AM, Jonathan Charles <jonvoip at gmail.com>
>>>>>> wrote:
>>>>>>
>>>>>>> OK, I will try that tonight...
>>>>>>>
>>>>>>> Thanks...
>>>>>>>
>>>>>>>
>>>>>>> Jonathan
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Jan 10, 2008 8:38 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>>>>>>>> Yes it does.
>>>>>>>>
>>>>>>>> Just guessing though it looks as if you've got referral issues, just
>>>>>>>> going from some of the errors.   Is this Win2k3 AD?  If so do an
>>>>>>>> nslookup for 'planetcrazy.net', 'forestdnszones.planetcrazy.net', and
>>>>>>>> 'domaindnszones.planetcrazy.net' and see if there are any bogus
>>>>>>>> entries in any of them.
>>>>>>>>
>>>>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
>>>>>>>>>         ref 1: 'planetcrazy.net '
>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> -Ryan
>>>>>>>>
>>>>>>>>
>>>>>>>> On Jan 10, 2008, at 9:38 AM, Jonathan Charles wrote:
>>>>>>>>
>>>>>>>> Not that easy an option... wait...
>>>>>>>>
>>>>>>>> Doesn't CCM have a built in sniffer?
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> Jonathan
>>>>>>>>
>>>>>>>> On Jan 10, 2008 8:09 AM, Ryan Ratliff <rratliff at cisco.com> wrote:
>>>>>>>>> Go for a sniffer capture.  It's the easiest way to see what's going
>>>>>>>>> on.
>>>>>>>>>
>>>>>>>>> -Ryan
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On Jan 9, 2008, at 7:31 PM, Jonathan Charles wrote:
>>>>>>>>>
>>>>>>>>> The sync is not working tho...
>>>>>>>>>
>>>>>>>>> I am getting these errors in the DirSync trace...
>>>>>>>>>
>>>>>>>>> 2008-01-09 14:11:42,451 ERROR [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:832) - LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] Caught NamingException
>>>>>>>>> 2008-01-09 14:11:42,452 ERROR [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:833) - LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[LDAPFullSync] com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
>>>>>>>>>         ref 1: ' planetcrazy.net'
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
>>>>>>>>>         ref 1: ' planetcrazy.net'
>>>>>>>>>
>>>>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2824)
>>>>>>>>> com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2737)
>>>>>>>>> com.sun.jndi.ldap.LdapCtx.searchAux(LdapCtx.java:1808)
>>>>>>>>> com.sun.jndi.ldap.LdapCtx.c_search(LdapCtx.java:1731)
>>>>>>>>> com.sun.jndi.toolkit.ctx.ComponentDirContext.p_search(ComponentDirContext.java:368)
>>>>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:338)
>>>>>>>>> com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.search(PartialCompositeDirContext.java:321)
>>>>>>>>> javax.naming.directory.InitialDirContext.search(InitialDirContext.java:248)
>>>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.searchInternalExact(DSLDAPSyncImpl.java:1193)
>>>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:823)
>>>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:296)
>>>>>>>>>
>>>>>>>>> 2008-01-09 14:11:42,452 ERROR [DSLDAPSyncImpl(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)] ldapplugable.DSLDAPSyncImpl (DSLDAPSyncImpl.java:325) - LDAPSync(4ddb60b4-dadb-42d8-c587-7d08dd0a0a8f)[Run] com.cisco.ccm.dir.dirsync.common.DSException
>>>>>>>>> MESSAGE null
>>>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.LDAPFullSync(DSLDAPSyncImpl.java:841)
>>>>>>>>> com.cisco.ccm.dir.dirsync.ldapplugable.DSLDAPSyncImpl.run(DSLDAPSyncImpl.java:296)
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I have no idea what they mean....
>>>>>>>>>
>>>>>>>>> And no users are being brought over...
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Jonathan
>>>>>>>>>
>>>>>>>>> On Jan 9, 2008 3:34 PM, Craig Staffin <cmstaffin at gmail.com> wrote:
>>>>>>>>>> It just needs to be a member of Domain Users
>>>>>>>>>>
>>>>>>>>>> There are no special rights needed
>>>>>>>>>>
>>>>>>>>>> Craig
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On Jan 9, 2008 2:50 PM, Jonathan Charles <jonvoip at gmail.com> wrote:
>>>>>>>>>>>
>>>>>>>>>>> So, what rights does the LDAP user need to AD for it to sync...?
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> Jonathan
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> cisco-voip mailing list
>>>>>>>>>>> cisco-voip at puck.nether.net
>>>>>>>>>>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>> Craig Staffin
>>>>>>>>>> Craig at staffin.org
>>>>>>>>>> (H) 262-437-7313
>>>>>>>>>> (C) 262-613-6003
>
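
The check suggested in the thread (pull the referral target out of the DirSync trace, then look for bogus DNS entries behind it), as an added example that is not part of the original messages. The DNS answers and the 10.1.1.0/24 DC subnet are constructed for illustration; 169.254.0.0/16 is the link-local range Windows auto-assigns when DHCP is unreachable.

```python
import ipaddress
import re

# Constructed sample in the shape of the DirSync trace quoted in the thread.
TRACE = """\
2008-01-09 14:11:42,452 ERROR ldapplugable.DSLDAPSyncImpl - com.sun.jndi.ldap.LdapReferralException: [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
        ref 1: ' planetcrazy.net'

MESSAGE [LDAP: error code 10 - 0000202B: RefErr: DSID-031005E2, data 0, 1 access points
        ref 1: ' planetcrazy.net'
"""
# Constructed DNS answers (hypothetical); in practice, paste in nslookup results.
DNS_ANSWERS = {
    "planetcrazy.net": ["10.1.1.10", "10.1.1.11", "169.254.37.12"],
    "forestdnszones.planetcrazy.net": ["10.1.1.10", "10.1.1.11"],
    "domaindnszones.planetcrazy.net": ["10.1.1.10", "192.168.50.5"],
}
DC_NETS = [ipaddress.ip_network("10.1.1.0/24")]  # assumed subnet of the real DCs

REF_RE = re.compile(r"ref\s+\d+:\s*'\s*([^'\s]+)\s*'")

def referral_targets(trace):
    """Hostnames listed under 'LDAP: error code 10' (referral), first-seen order."""
    targets, in_referral = [], False
    for line in trace.splitlines():
        if "LDAP: error code 10" in line:
            in_referral = True
            continue
        match = REF_RE.search(line)
        if in_referral and match:
            host = match.group(1).lower()
            if host not in targets:
                targets.append(host)
        elif line.strip():
            in_referral = False  # any other non-blank line ends the referral block
    return targets

def suspicious_records(trace, answers, dc_nets):
    """Flag A records a client could pick when following the referral."""
    findings = []
    for domain in referral_targets(trace):
        for name in (domain, "forestdnszones." + domain, "domaindnszones." + domain):
            for text in answers.get(name, []):
                addr = ipaddress.ip_address(text)
                if addr.is_link_local:
                    findings.append((name, text, "auto-assigned (link-local)"))
                elif not any(addr in net for net in dc_nets):
                    findings.append((name, text, "outside expected DC subnets"))
    return findings

if __name__ == "__main__":
    for name, addr, reason in suspicious_records(TRACE, DNS_ANSWERS, DC_NETS):
        print(f"{name}: {addr} -> {reason}")
```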


