CUCM and Active Directory Integration

By Amy Ryan on April 28th, 2010

Directory synchronization allows for centralized user management and enables CUCM to leverage users already configured in a corporate-wide directory. You may well be asked to do this in the voice lab too. Let's break it down into a few simple steps.

In CUCM Serviceability, ensure that the Directory Service is activated and running.

Log on to the Active Directory server and open Active Directory Users and Computers to determine the user search base (the path where the required users exist).

In this case our domain controller (DC) is and our organizational unit (OU) is Users.

We first need to enable synchronization and choose the LDAP server type and matching attribute.

In this example, we will use the sAMAccountName.

Next is to set up the Directory Replication Agreement.

Populate the fields as shown below with the information you gathered from Active Directory. In this example, we used the Active Directory administrator account as our distinguished name. This is the access account used for synchronization. In most environments it may be necessary to set up a new account for this, for security purposes.

Populate the LDAP Server Information and Save.

Once added, click on the following to perform synchronization:

To verify: in CUCM, go to User Management > End User to see the following user output.

Once users are synchronized from LDAP into the Unified CM database, any end user entries that existed beforehand and do not match what is in AD will be marked inactive in the CUCM end-user database. Garbage collection will subsequently remove those users if this is not corrected.
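A pre-sync check for the behaviour described above, as an added example that is not part of the original post: it lists the local CUCM user IDs that have no matching sAMAccountName under the search base. The LDIF export, the search base, the user list and the function names are constructed for illustration, and case-insensitive matching is an assumption.

```python
# Added example: constructed data, not from the original post.
import base64

# Constructed ldapsearch-style LDIF export of the AD directory.
SAMPLE_LDIF = """\
dn: CN=Alice Smith,OU=Users,DC=example,DC=com
sAMAccountName: asmith

dn: CN=Bob Jones,OU=Users,DC=example,DC=com
sAMAccountName:: YmpvbmVz

dn: CN=Svc Backup,OU=Service,DC=example,DC=com
sAMAccountName: svc-backup
"""

# Constructed list of user IDs that already exist locally in CUCM.
LOCAL_CUCM_USERS = ["asmith", "BJones", "CRSAdmin", "svc-backup"]


def ldif_account_names(ldif_text, search_base):
    """Return lower-cased sAMAccountName values for entries under search_base."""
    names = set()
    unfolded = ldif_text.replace("\n ", "")  # LDIF folds long lines with "\n "
    for record in unfolded.split("\n\n"):
        attrs = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")
            if not sep:
                continue
            if value.startswith(":"):  # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            attrs[key.lower()] = value.strip()
        dn = attrs.get("dn", "").lower()
        if dn.endswith("," + search_base.lower()) and "samaccountname" in attrs:
            names.add(attrs["samaccountname"].lower())
    return names


def users_at_risk(local_users, ldif_text, search_base):
    """Local CUCM user IDs with no matching sAMAccountName in the search base."""
    in_ad = ldif_account_names(ldif_text, search_base)
    # Assumption: IDs are compared case-insensitively.
    return sorted(u for u in local_users if u.lower() not in in_ad)


if __name__ == "__main__":
    base = "OU=Users,DC=example,DC=com"  # constructed search base
    for user in users_at_risk(LOCAL_CUCM_USERS, SAMPLE_LDIF, base):
        print("no AD match, would be marked inactive after sync:", user)
```

Accounts that exist in AD but outside the configured search base (the constructed `svc-backup` here) are reported as well, since the sync will not see them.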

Let’s now take this one step further. The steps above enabled synchronization, where the users and associated attributes are shared but passwords for CUCM End Users are maintained locally within CUCM. If we are asked to manage passwords centrally, then we must also set up LDAP Authentication. Once completed, the users, attributes and passwords will be shared with AD. The End User PIN (as used for Extension Mobility) will still be managed locally by CUCM.

To complete this final step, in CUCM go to System > LDAP > LDAP Authentication and populate the information as below.

At this stage, you are now ready to modify your End Users in CUCM as required. Happy Labbing!

Amy Ryan – CCIE #24677 (Voice)
Technical Instructor – IPexpert, Inc.

CUCM and Active Directory Integration, 4.4 out of 5 based on 8 ratings

    Tags: ccie voice, cucm active directory

    3 Responses to “CUCM and Active Directory Integration”

    1. Cliff McGlamry says:

      AD integration and authentication can be powerful, but can also get you in trouble if not implemented carefully. Consider the situation where you have something like UCCX integrated with CUCM.

      If your CRSAdmin account is not already present within AD (a user with the same User ID), you will lose the ability to log into CRS Admin once you add AD into the mix. You’re left with some not very good alternatives at this point.

      And while you *might* be able to use the CET tool to recover (don’t count on it), that’s a really tough thing to get your hands on in UCCX version 8 (root access is required through TAC to gain access and run the tool).

      Rating: 4.5/5 (2 votes cast)
    2. ciscoguy99 says:

      That last line should read:

      “At this stage, you are now ready to modify your End Users in AD as required. Happy Labbing!”

      Rating: 5.0/5 (1 vote cast)
    3. zouhair souam says:

      Hi, I have done the integration between CUCM and MS LDAP, but I can’t retrieve users created in LDAP on CUCM (when I perform a manual sync)?

      Can you help me!!

      Thanks in Advance.

      Rating: 0.0/5 (0 votes cast)
