<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
  <head>
    <meta content="text/html; charset=ISO-8859-1"
      http-equiv="Content-Type">
  </head>
  <body text="#000000" bgcolor="#ffffff">
    Mike,<br>
    <br>
    Honestly my AD is a bit fuzzy.  If the article doesn't answer the
    question then let me know the case number and I will get it
    re-opened so we can get the right answer.<br>
    <br>
    Regards,<br>
    Wes<br>
    <br>
    On 1/29/2011 10:03 AM, Mike Lydick wrote:
    <blockquote
      cite="mid:AANLkTi=RSG7Z2bkbwFzhZ+HTPK7vffEE0zEdOvXG0qab@mail.gmail.com"
      type="cite">Thanks Wes
      <div><br>
      </div>
      <div>So all the domains we are working with are in the same forest.
        Will ADAM provide the referral process to each domain? I
        believe from what I have read it will, but wanted to confirm that
        this is still recommended for a single forest environment.</div>
      <div><br>
      </div>
      <div><br clear="all">
        Best Regards,<br>
        <br>
        Mike Lydick<br>
        <br>
        <br>
        <br>
        <br>
        <div class="gmail_quote">On Sat, Jan 29, 2011 at 9:18 AM, Wes
          Sisk <span dir="ltr">&lt;<a moz-do-not-send="true"
              href="mailto:wsisk@cisco.com">wsisk@cisco.com</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin: 0pt 0pt 0pt
            0.8ex; border-left: 1px solid rgb(204, 204, 204);
            padding-left: 1ex;">
            <div text="#000000" bgcolor="#ffffff"> The supported method
              is Microsoft ADAM:<br>
              <br>
              <a moz-do-not-send="true"
href="http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b2b103.shtml"
                target="_blank">http://www.cisco.com/en/US/products/sw/voicesw/ps556/products_configuration_example09186a0080b2b103.shtml</a><br>
              <br>
              Regards,<br>
              Wes
              <div>
                <div class="h5"><br>
                  <br>
                  On 1/29/2011 1:10 AM, Dennis Heim wrote: </div>
              </div>
              <blockquote type="cite">
                <div>
                  <div class="h5">
                    <div>
                      <p class="MsoNormal"><span style="font-size: 11pt;
                          color: rgb(31, 73, 125);">You need some sort
                          of LDAP proxy of sorts that combines
                          multiple LDAP directories together and
                          presents that unified directory as a single
                          directory to CallManager. I know that ANDtek
                          makes a metadirectory application that does
                          exactly this.</span></p>
                      <p class="MsoNormal"><span style="font-size: 11pt;
                          color: rgb(31, 73, 125);"> </span></p>
                      <p class="MsoNormal"><span style="font-size: 10pt;
                          color: rgb(31, 73, 125);">Dennis Heim<br>
                          Network Voice Engineer<br>
                          CDW  Advanced Technology Services<br>
                          11711 N. Meridian Street, Suite 225<br>
                          Carmel, IN  46032<br>
                          <br>
                          317.569.4255 Single Number Reach<br>
                        </span><span style="font-size: 10pt; color:
                          black;">317.569.4201 Fax</span><span
                          style="font-size: 10pt; color: rgb(31, 73,
                          125);"></span></p>
                      <p class="MsoNormal"><span style="font-size: 11pt;
                          color: rgb(31, 73, 125);"><a
                            moz-do-not-send="true"
                            href="mailto:dennis.heim@cdw.com"
                            title="mailto:dennis.heim@berbee.com"
                            target="_blank">dennis.heim@cdw.com</a><br>
                        </span><span style="color: rgb(31, 73, 125);"><a
                            moz-do-not-send="true"
                            href="http://www.cdw.com/content/solutions/unified-communications/"
                            target="_blank">cdw.com/content/solutions/unified-communications/</a></span></p>
                      <p class="MsoNormal"><span style="font-size: 11pt;
                          color: rgb(31, 73, 125);"> </span></p>
                      <p class="MsoNormal"><b><span style="font-size:
                            10pt;">From:</span></b><span
                          style="font-size: 10pt;"> <a
                            moz-do-not-send="true"
                            href="mailto:cisco-voip-bounces@puck.nether.net"
                            target="_blank">cisco-voip-bounces@puck.nether.net</a>
                          [<a moz-do-not-send="true"
                            href="mailto:cisco-voip-bounces@puck.nether.net"
                            target="_blank">mailto:cisco-voip-bounces@puck.nether.net</a>]
                          <b>On Behalf Of </b>Mike Lydick<br>
                          <b>Sent:</b> Saturday, January 29, 2011 12:45
                          AM<br>
                          <b>To:</b> Paul<br>
                          <b>Cc:</b> <a moz-do-not-send="true"
                            href="mailto:cisco-voip@puck.nether.net"
                            target="_blank">cisco-voip@puck.nether.net</a><br>
                          <b>Subject:</b> Re: [cisco-voip] UCM 8x. LDAP
                          Filters with group members</span></p>
                      <p class="MsoNormal"> </p>
                      <p class="MsoNormal">TAC is saying that filtering
                        on group membership in multiple domains is not
                        possible. There is also a reference in the UCM
                        8x SRND that indicates it's not
                        supported. So the real problem is how you import CM
                        users with an Active Directory forest that contains
                        more than 5 domains? This seems to be a serious
                        limitation for enterprise environments.</p>
                      <div>
                        <p class="MsoNormal"> </p>
                      </div>
                      <div>
                        <p class="MsoNormal">From the SRND:</p>
                        <p class="MsoNormal"> </p>
                        <p class="MsoNormal"><span style="font-size:
                            10pt;">A synchronization agreement for a
                            domain will not synchronize users outside of
                            that domain nor within a child domain
                            because Unified CM does not follow AD
                            referrals during the synchronization
                            process. The example in Figure 16-9 requires
                            three synchronization agreements to import
                            all of the users. Although Search Base 1
                            specifies the root of the tree, it will not
                            import users that exist in either of the
                            child domains. Its scope is only VSE.LAB,
                            and separate agreements are configured for
                            the other two domains to import those users.</span></p>
                        <p class="MsoNormal"><span style="font-size:
                            10pt;"> </span></p>
                        <p class="MsoNormal"> </p>
                        <p class="MsoNormal" style="margin-bottom:
                          12pt;">Best Regards,<br>
                          <br>
                          Mike Lydick<br>
                          <br>
                          <br>
                          <br>
                        </p>
                        <div>
                          <p class="MsoNormal">On Tue, Jan 18, 2011 at
                            10:27 AM, Paul &lt;<a moz-do-not-send="true"
                              href="mailto:asobihoudai@yahoo.com"
                              target="_blank">asobihoudai@yahoo.com</a>&gt;
                            wrote:</p>
                          <p class="MsoNormal">according to this URL<br>
                            <a moz-do-not-send="true"
href="http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm"
                              target="_blank">http://www.petri.co.il/ldap_search_samples_for_windows_2003_and_exchange.htm</a><br>
                            <br>
                            It certainly appears you can filter out
                            users according to group membership in<br>
                            an LDAP filter.<br>
                            <br>
                            <br>
                            <br>
                            <br>
                            ________________________________<br>
                            From: Mike Lydick &lt;<a
                              moz-do-not-send="true"
                              href="mailto:mike.lydick@gmail.com"
                              target="_blank">mike.lydick@gmail.com</a>&gt;<br>
                            To: <a moz-do-not-send="true"
                              href="mailto:cisco-voip@puck.nether.net"
                              target="_blank">cisco-voip@puck.nether.net</a><br>
                            Sent: Mon, January 17, 2011 7:46:51 PM<br>
                            Subject: [cisco-voip] UCM 8x. LDAP Filters
                            with group members</p>
                          <div>
                            <div>
                              <p class="MsoNormal" style="margin-bottom:
                                12pt;"><br>
                                <br>
                                Is it possible to use group membership
                                as an element in an LDAP filter?<br>
                                <br>
                                We are working with an AD LDAP forest
                                that has 6 domains. We need to
                                selectively import users from LDAP as we
                                migrate to the cluster.<br>
                                <br>
                                The thought is to set the root path to
                                the top level Domain OU, then use the
                                LDAP to filter on iphone=* and member of
                                group. We will add members to this group
                                with a script as we migrate.<br>
                                <br>
                                mike<br>
                                <br>
                                <br>
                              </p>
                            </div>
                          </div>
                        </div>
                        <p class="MsoNormal"> </p>
                      </div>
                    </div>
                  </div>
                </div>
                <pre><fieldset></fieldset>
_______________________________________________
cisco-voip mailing list
<div class="im"><a moz-do-not-send="true" href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a>
</div><a moz-do-not-send="true" href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a>
</pre>
              </blockquote>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
    </blockquote>
  </body>
</html>