Cisco Unified Communications Manager (CallManager)

Downloads Active Directory and Cisco CallManager Integration Troubleshooting Guide Related Documents • Active Directory and Cisco CallManager Integration Troubleshooting Guide[Cisco Unified Communications Manager (CallManager)] • How to Change Active or Netscape Directory Integration Back to DC Directory in CallManager[Cisco Unified Communications Manager (CallManager)] • Securing LDAP Directory Integration with Cisco Unified CallManager 4.x[Cisco Unified Communications Manager (CallManager)] • Active Directory 2000 Plugin Installation for Cisco CallManager[Cisco Unified Communications Manager (CallManager)] • Cisco Unity-CallManager TAPI Service Provider (TSP) Troubleshooting Guide[Cisco Unity] More... Related Products/Technology • Cisco Unified Communications Manager (CallManager) Related Discussion

Introduction

This document explains the most common problems related to Active Directory integration with Cisco CallManager and discusses common problems in the field. The document addresses issues in these areas:

• Installation of the Active Directory plug-in.

• Working of Cisco CallManager / User Pages with Active Directory integration.

• Application problems related to Active Directory.

Prerequisites

Requirements

There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

• Cisco CallManager 3.x

• Cisco CallManager 4.x

• Cisco CallManager 5.x

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

Conventions

Refer to Cisco Technical Tips Conventions for more information on document conventions.

Installation

Refer to Active Directory 2000 Plug-in Installation for Cisco CallManager for installation instructions and common issues with the install.

Note: You can integrate either Active Directory or DC Directory with Cisco CallManager, but not both. In order to determine whether you use DC Directory or Active Directory with Cisco CallManager, choose C:\dcdsrvr, and open the DirectoryConfiguration.ini file with your Notepad application.

Note: A line similar to this appears at the start of the file:

ldapURL=ldap://<HOSTNAME>:8404

Note: If the number is 8404, such as it is in this example, you are integrated with DC directory. If the number is 389, you are integrated with Active Directory.

CCMAdmin Pages do not Work After Running Plug-in

Verify that the Cisco-specific schema extensions are installed. In order to do this, open ADSIEdit, LDP, or any similar Active Directory utility to view the schema extensions. These tables provide lists of the Active Directory schema extensions the plug-in installs.

• Cisco CallManager Version 3.3 Specific Attributes (earlier versions of Cisco CallManager vary slightly)

• Customer Response Application (CRA) Specific Attributes

• Personal Assistant (PA) Specific Attributes

• The Administrator DN/password does not have the right privileges to modify the schema and add entries.

• The plug-in installation did not successfully run. You might need to run the plug-in again. Choose the CUSTOM option in order to do this.

• The local registry setting in Cisco CallManager is not populated correctly. Refer to the Unable to Update User Fields from the User Preference Pages section.

Error Message: Some of the configuration data is missing in systemProfile in DC Directory

This error message is generated because some of the values in the SystemProfile of the DC directory have changed.

1. Open DC Directory Administrator, not the DC Directory Administration, from Start > Programs >DC Directory Administrator.

   

2. Choose Directory > cisco.com > CCN > systemProfile.

3. Double-click System Profile on the right side window.

4. Go to the CCM Configuration tab, and click Modify. This allows you to change the values. Set the value of the User Search Attribute field to mail.

   

5. Restart the World Wide Web Publishing Service. Choose Start > Programs > Administrative Tools > Services. Choose World Wide Web Publishing Service and click Restart Service.

Error Message: User or User Profile doesn't exist or user profile attribute not set for the user

A user receives this error message when the user goes to Cisco CallManager Administrator page > User > Access Rights > User Group.

Error Number: -1005 Description: User or User Profile doesn't exist or
user profile attribute not set for the user.

This issue occurs if users do not have a device associated to their profiles and is documented by Cisco Bug ID CSCsb33173 (registered customers only) . As a resolution to this problem, associate a device, then remove the device association from the user profile. This updates the ciscoUserProfile and ciscoUserProfileString attributes in Active Directory. If this does not work, you may need to use DC directory.

Unable to Create or Edit Users from CallManager Admin Pages after Active Directory Integration

After you install the Active Directory 2000 plug-in on Cisco CallManager release 4.0(1) or later, an error is generated when you try to create or edit users from the Cisco CallManager administration pages.

Error
The following error occurred while trying to load the requested page.    

The phone administrator is currently not allowed to add or delete users. 
Click here to reload.

There are no issues when you view the users from the Cisco CallManager administration pages. As a workaround for this issue, set the value for the LDAP Directory Configuration parameter UserDirAccess to true in the C:\dcdsrvr\Config\UMDirectoryConfiguration.ini file. Also, make sure that the DirectoryConfiguration.ini password is the same as the password shown in this registry entry: \\HKEY_LOCAL_MACHINE\Software\Cisco Systems, Inc.\Directory Configuration\MGRPW. This issue is tracked by Cisco bug ID CSCef00533 (registered customers only) .

Unable to Login from the Cisco CallManager User Page When the User is Created from Active Directory

The Active Directory adds with Common Name First Name, by default. When you try to login from the Cisco CallManager User pages, they search for the user with the Common Name. This causes the problem and is explained in Cisco bug ID CSCdu65765 (registered customers only) .

• Workaround 1—Login to the Cisco CallManager User page with First Name, Last Name, and the password.

• Workaround 2—Create a new user in the system with userID. See this procedure for instructions:

1. Choose Start > Programs > Administrative Tools > Active Directory Users and Computers.

   

2. Right-click Users, and choose New > User.

   

3. Enter your relevant information

   when the New Object - User window appears, and click Next.

   

4. Enter your password settings, and click Next.

   

5. Verify your information, and click Finish.

   

Cisco CallManager 5.x LDAP Directory

In Cisco CallManager 5.x, changes to LDAP Directory information and LDAP Authentication settings are possible only if synchronization from the LDAP directory of the customer is enabled in the Cisco CallManager Administration LDAP System window.

If end users exist in the Cisco CallManager database before synchronization with a corporate directory occurs, these end users are deleted. If Cisco CallManager is already synchronized with a different type of server, current users are marked with a Delete Pending status. A garbage collector program that runs nightly deletes these users from the database.

Note: In Cisco Callmanager 5.x, if you need to create new users, you need to do it after the DirSync service is completed. Refer to LDAP System Configuration for more information on the LDAP system in Cisco CallManager 5.0.

Users Created from Active Directory are not Visible from the Cisco CallManager Admin Pages

When you are unable to view the users you just created from the Active Directory in the Cisco CallManager Admin pages, it is because email is not a mandatory user attribute in Active Directory. However, it is a required attribute in Cisco CallManager. After you create a new user from Active Directory, complete these steps in order to populate the email field.

1. From the Active Directory window, right-click the user, and choose Properties.

   

2. Click the General tab, ensure that the user information is correct when the Properties window of the user appears, and click OK.

   

Unable to Update User Fields from User Preference Pages

An error is generated when you try to access User > Add a New User or User > Global Directory.

This is an example of the error report.

The error report was:
---------------------------------------------------------------------------
The following error occurred while trying to load the requested page.    
Couldn't create user object.0

By default, the Cisco CallManager Admin User pages are set so that only Cisco CallManager-specific fields can be modified from the User Pages. This can be easily changed with this procedure:

1. Run Regedit.

2. Choose HKEY_LOCAL_MACHINE > SOFTWARE > Cisco Systems, Inc. > Directory Configuration.

3. You see a key named DIRACCESS. By default, the value of this key is set to false. Change the value of this key to true.

4. Restart the IIS Admin Service.

User is Created from Active Directory and DIRAccess Flag is Set to False - Changes not Saved in Editable Fields

This problem is described further in Cisco bug ID CSCdu38177 (registered customers only) and will be fixed in future releases of Cisco CallManager.

The workaround for this problem is to set DirAccess flag to true. Once each user that is created from the Active Directory console is modified at least once from the Cisco CallManager User pages, the DirAccess flag can be set to false.

Web Attendant does not Work After the Plug-in Runs

For Web Attendant, the installation creates a user named CTI Framework. This user is used by Web Attendant and is not visible from the Cisco CallManager Admin User Search page. The password for this user is not set by the installation. Go to the Active Directory console and modify the password for this user to ciscocisco in order to get Web Attendant to work.

Does Cisco CallManager Need to be Part of the Same Domain as Active Directory?

No, the Cisco CallManager Server does not need to be a member of any Active Directory domain to install this plug-in. It is recommended that you keep all of your Cisco CallManager servers in Windows workgroups rather than Active Directory domains.

User cannot be Authenticated / Unable to Connect to the LDAP Server

After the installation of the Active Directory plug-in for Cisco CallManager in a Multi Level Administration (MLA) environment, access to the administration pages fails with the You can not be authenticated successfully. Unable to connect to the LDAP server error message.

In a Cisco CallManager environment where MLA is enabled, if the Active Directory plug-in is installed, access to the administration pages is lost. You can observe this problem if MLA is installed before the Active Directory plug-in is installed. Install the Active Directory plug-in before the MLA installation.

Complete these steps in order to address this issue:

1. Uninstall MLA.

   Refer to the Uninstalling Cisco CallManager Multilevel Administration Access section of the Cisco CallManager Multilevel Administration Access Guide.

2. Re-install the Active Directory plug-in.

   Refer to Active Directory 2000 Plug-in Installation for Cisco CallManager.

3. Re-install MLA.

   Refer to the Installing Cisco CallManager Multilevel Administration Access section of the Cisco CallManager Multilevel Administration Access Guide.

Cannot Modify Users in the Active Directory or Update Device Associations with Cisco CallManager Administration

After an upgrade to Cisco CallManager 4.x, the user cannot modify users in the Active Directory or update device associations with Cisco CallManager Administration. This results in the Could not update user. Error No: -1009 violation constraint error message.

The problem is discussed in Cisco bug ID CSCeg34036 (registered customers only) and is resolved in Cisco CallManager releases 4.0(2a) ES21, 4.1(2) ES13 or later versions. However, existing users with problems still need to be manually repaired with the mentioned instructions. The defect is observed in two conditions:

• When the GUID is appended to an existing account that does not have the GUID because the user was originally configured with an earlier version of Cisco CallManager. For example, when a user profile Directory Number (DN) or application profile DN does not contain the GUID appended in the end, but the ciscoAtGUID attribute is populated for the user or vice versa.

  Consider this user profile and application profile DN:

  cn=user-Profile-{GUID}, ou=profiles,ou=CCN,o=cisco.com 
  and 
  cn=user-CCNProfile-{GUID}, ou=profiles,ou=CCN,o=cisco.com 

• Every time a user is modified, the ciscoAtUserProfile and ciscoAtAppProfile attribute is created again and updated for the user. If the ciscoAtGUID attribute is not present, the new user profile DN is created as shown:

  cn=user-Profile, ou=profiles,ou=CCN,o=cisco.com 
  and 
  cn=user-CCNProfile, ou=profiles,ou=CCN,o=cisco.com

  Since these DNs do not exist in the directory, a constraint violation error is thrown, and the user update fails.

Complete these steps in order to resolve this issue:

1. Launch ADSIEdit to look directly at the attributes in the Active Directory for the user in question.

2. Navigate to the CN=user1,OU=evt,OU=avvid,DC=irvine,DC=com entry.

3. Right-click the object, and choose Properties.

4. Select ciscoatGUID under Select a Property to View.

5. Take a backup of the value present for the ciscoatGUID attribute for this user. In order to do this save the ciscoatGUID value into Notepad so that it can be put back, if required.

6. Remove the value present for the ciscoAtGUID attribute from these three entries in the Active Directory server:

   • CN=user1-profile,OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com

   • CN=user1-CCNProfile,OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com

   • CN=user1,OU=evt,OU=avvid Unit,DC=irvine,DC=com

7. Try to associate a device to the user1 user from the Cisco CallManager Administration pages.

This behavior also occurs when you attempt to update a device association for a user that has been renamed in the Active Directory. For example, the DNs do not contain the GUID attribute, but the ciscoAtGUID attribute is populated.

Complete these steps in order to resolve this issue:

Note: The resolution steps for the second condition also resolve the first condition with the removal of all the Cisco CallManager-specific information related to this user in the Active Directory.

1. Launch ADSIEdit to directly look at the attributes in the Active Directory for the user in question.

2. Navigate to the CN=user1,OU=evt,OU=avvid,DC=irvine,DC=com entry.

3. Right-click the object, and choose Properties.

4. Select ciscoatGUID under Select a Property to view.

5. Clear the current value present for the ciscoAtGUID attribute.

6. Select the ciscoatUserProfile attribute for the same user, and clear it.

7. Select the ciscoatUserProfileString attribute for the same user, and clear it.

8. (Optional) For housekeeping, delete the orphan profile entries for the user from the Cisco OU, such as OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com.

   For example, if olduser1 is renamed to user1, the entries in the Cisco OU beginning with user1 or olduser1 can be deleted. The new ones are recreated when the new device association is done. Refer to these examples:

   • CN=olduser1-profile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com

   • CN=olduser1-CCNProfile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com

   • CN=user1-CCNProfile-{00229191414072004},OU=profiles,OU=CCN,OU=Cisco,DC=irvine,DC=com

9. Try to associate a device to the user1 user from the Cisco CallManager Administration pages.

   Note: If these steps do not resolve the issue, re-run the AD plug-in.

Unable to Add/Edit Users from the Cisco CallManager Administration Page

This error message is received when you try to add/edit users through the Cisco CallManager Administration page:

Error: The following error occurred while trying to load the requested page. 
Could not update user.
Error No: -2100
Error Description: Access Denied

An Access denied message appears when the DC Directory does not run completely or is in a paused state. Restart the DC Directory in order to resolve the issue. Also, look into hard drive space problems, since low hard drive space can cause the DC Directory to go into a paused state.

In Active Directory integrations, this error can occur if the correct permissions are not set properly for the Active Directory users. Double check these permissions with the documentation and retry.

Cisco CallManager Administration Pages Are Inaccessible to the Cisco CallManager Administrator (MLA is enabled)

After Cisco CallManager is integrated with the Active Directory (AD) through the Directory Configuration Plugin, the Cisco CallManager Administration pages are inaccessible to the Cisco CallManager Administrator.

When CCMPWDChanger is used to set the password for the CCMAdministrator account, this error appears:

Error: User id CCMAdministrator is not valid

When the Cisco CallManager Administrator, Cisco CallManager SysUser and IPMA SysUser accounts are created within the User Creation Base, any user that is created through Cisco CallManager Administration resides under the User Creation Base node in the directory. Make sure the User Creation Base is the same as the User Search Base, or a subtree under the User Search Base. If this is not ensured, users created in the Cisco CallManager Administration cannot be found.

The User Search Base stores the Microsoft AD user information. The User Search Base is the common denominator of all the containers where user data is stored. By default, all user data is stored in the user folder. If other organizational units (OUs) are set up, the common denominator must be specified.

Error Message: DCD09400032: Domain version information could not be obtained. Master Admin and Domain Admin privileges are not available

The user is not able to log in to CCMAdmin by name or ip address on the subscriber server, and the DCD09400032: Domain version information could not be obtained. Master Admin and Domain Admin privileges are not available, error message appears. However, the user can login to both ccmadmin and dc directory on the publisher.

This problem occurs when there is a situation of password mismatch between the publisher and subscriber before an upgrade. During an upgrade of the subscriber, an attempt to re-create the replication agreements is initiated. The script responsible for the recreation of the replication agreements is supplied with the Admin password by the subscriber. Since the subscriber and publisher have different passwords, the password supplied by the subscriber is incorrect and hence, the script fails to establish replication agreements. Due to this, the subscriber does not function at the end of the upgrade and displays the error message.

In order to resolve this issue, complete these steps:

1. From the Cisco CallManager publisher , choose Start > Run, type CCMPWDChanger and press Enter. Refer to Change the Password for more details on the CCMPWDChanger tool.

2. Run reconfig_cluster.cmd.

3. Also, make sure the host and lmhost files are updated on all of the servers.

Error: operations error (-1)

Active directory returns the ("operations error (-1)") error, with this detailed error:

 LDAPMessage searchResDone(135) operationsError (000020D6: SvcErr: 
> DSID-031006CC, problem 5012 (DIR_ERROR), data 0) [0 results]

Complete these steps in order to resolve this issue:

1. On the Cisco CallManager server, choose Start > Programs > Microsoft SQL Server to open the SQL Enterprise Manager.

2. Drill down to the most recent CCM database > Tables >.

3. Select Open Table > Return all rows.

4. Update the MLAParameter table in the CM Database with the correct value (for the AD Userbase).

Applications

Unable to See the ICD Link with Active Directory

The ICD link is activated only when the ICD application is installed. In some versions of the ICD application, this does not happen (DDTS). Complete these steps as a workaround:

1. Run this script and add it in a file.

   dn: cn=System Profile, ou=systemProfile, 
   ou=CCN, ou=Cisco, dc=sakapur, dc=cisco, dc=com
   changeType: modify
   replace: ciscoCCNatIAQFlag
   ciscoCCNatIAQFlag :  true

2. Save this in C:\dcsrvr\run\dcx500\config\AD\setICD.ldif.

3. In the lines in step 1, change the ciscobase to the right value for the system (for instance, ou=Cisco, dc=sakapur, dc=Cisco, dc=com) by your system ciscobase.

4. Run this command and replace the IP address of the Active Directory machine, the Administrator DN, and password.

   C:\dcdsrvr\bin\ldapmodify -h 10.10.10.21 -p 389 -D 
   "cn=Administrator, cn=users, dc=sakapur, dc=cisco, dc=com" -w 
   "mypassword" -a -c -v -f C:\dcdsrvr\run\dcx500\config\AD\setICD.ldif
   

5. After this command successfully runs, restart the IIS Admin service. Once restarted, you should see the ICD link.

Cisco IP SoftPhone is not Browsing Active Directory

Cisco IP SoftPhone 1.2 and later versions support browsing Active Directory. It is not available with earlier versions of SoftPhone. There is workaround for this problem for earlier versions of SoftPhone if you allow the anonymous browse. Refer to the information from Microsoft on configuring Active Directory for anonymous access for further information.

Cisco Support Community - Featured Conversations

Related Information

• Active Directory 2000 Plug-in Installation for Cisco CallManager
• Voice Technology Support
• Voice and Unified Communications Product Support
• Troubleshooting Cisco IP Telephony
• Technical Support & Documentation - Cisco Systems