CCNA Voice - CUCM LDAP Synchronization cont'd, User Roles, Multi-Level Access (MLA)

Transcript

1	Introduction, Agenda, and Welcome Message	0h 17m
2	What are Cisco's Unified Communication Certifications, and Where Do I Go From Here?	0h 34m
3	Fundamentals of Telephony	1h 27m
4	Quality of Service Primer	0h 29m
5	Unified Communications System Overview	1h 05m
6	Network Infrastructure Basics and Phone Registration	0h 14m
7	Network Infrastructure Overview	0h 59m
8	Network Infrastructure VLAN, NTP, DHCP	1h 25m
9	Network Infrastructure DHCP, TFTP	0h 48m
10	Cisco Unified Communications Manager Administration (CUCMA) Overview	0h 04m
11	CUCMA Serviceability Service Activation, DNS vs IP Addressing, System Shutdown	0h 21m
12	CUCMA Service Control, Bulk Administration Tool (BAT)	0h 16m
13	CUCMA BAT Report, SSH, TFTP Files, Database Replication	0h 58m
14	CUCMA Traces, RISdb, Performance Monitor (PerfMon), Real-Time Monitoring Tool (RTMT)	1h 04m
15	CUCMA BAT and TAPS	1h 09m
16	CUCMA Call Detail Records (CDR) and Call Management Records (CMR)	0h 52m
17	Cisco Unified Operating System (CUOS), Dialed Number Analyzer (DNA), Disaster Recover System (DRS)	0h 25m
18	CUOS Unified Reporting, Real-Time Monitoring Tool (RTMT)	0h 18m
19	CUCM Servers, Server Groups, Date/Time Groups, Regions, Locations Call Admission Control (CAC), Survivable Remote Site Telephony (SRST)	1h 44m
20	CUCM Device Pools, System Parameters, Enterprise Parameters, Templates	1h 09m
21	CUCM Phone Button Templates, Softkey Templates, SIP Phones, SCCP Phones	0h 40m
22	CUCM Button/Softkey Template and SCCP/SIP Phone Testing	0h 24m
23	CUCM SIP Phone Troubleshooting and Registration	0h 03m
24	CUCM Users, Groups, Lightweight Directory Access Protocol (LDAP) Overview	0h 14m
25	CUCM User Credentials, User Policies, LDAP Synchronization of Users	0h 50m
26	CUCM LDAP Synchronization cont'd, User Roles, Multi-Level Access (MLA)	1h 24m
27	CUCM User Roles with LDAP, Contact Center Users, Presence Users, Messaging Users	1h 36m
28	CUCM LDAP Custom Filters	0h 49m
29	CUCM Phone and Calling Features Overview	0h 15m
30	CUCM SCCP and SIP Phone Display	0h 23m
31	CUCM SCCP and SIP Phone Firmware	0h 12m
32	CUCM SCCP and SIP Phone Logging	0h 06m
33	CUCM SCCP and SIP Ring Setting	0h 37m
34	CUCM SCCP and SIP Phone Forwarding	0h 48m
35	CUCM SIP and SCCP Advanced Call Forwarding	0h 22m
36	CUCM SIP and SCCP Phone Auto-Answer	0h 11m
37	CUCM SIP and SCCP Phone CallBack (Camp-On)	0h 11m
38	CUCM SIP and SCCP Phone Intercom	0h 10m
39	CUCM SIP and SCCP Call Hold	0h 09m
40	CUCM SIP and SCCP Phone Call Park	0h 18m
41	CUCM SIP and SCCP Phone Call Pickup	0h 42m
42	CUCM Shared Line, Barge and cBarge Configuration	0h 27m
43	CUCM Shared Line, Barge and cBarge Testing	0h 17m
44	CUCM Media Resources Overview	0h 47m
45	CUCM Media Resources Overview cont'd	0h 44m
46	CUCM and IOS Gateways and Trunks Overview	0h 09m
47	CUCM Dial Plan Fundamental Concepts	1h 37m
48	CUCM Dial Plan Fundamental Concepts cont'd	1h 05m
49	CUCM Dial Plan - Class of Service (CoS) Calling Search Spaces and Partitions	0h 42m
50	CUCM Dial Plan - Gateways, Route Groups, Device Pools	0h 06m
51	CUCM Dial Plan - Route Lists, Standard Local Route Groups	0h 12m
52	CUCM Dial Plan - Route Patterns, Translation Patterns	0h 43m
53	CUCM Dial Plan - Calling Party Transformations and Called Party Transformations, IOS Dial Peers	1h 15m
54	CUCM Dial Plan - Private Line Automatic Ringdown (PLAR)	0h 09m
55	CUCM Dial Plan - Testing	0h 55m
56	CUCM Dial Plan - Digit Addressing, Time of Day (ToD), Hunt Group Coverage, FAC, CMC, Automated Alternate Routing (AAR) Overview	0h 58m
57	CUCM Dial Plan - Digit Addressing, Time of Day (ToD), Hunt Group Coverage, FAC, CMC, Automated Alternate Routing (AAR) Testing	1h 07m
58	Troubleshooting Endpoint Issues	0h 17m
59	Cisco Unified Border Element (CUBE) Overview	0h 50m
60	CUCM Mobility Overview	0h 42m
61	CUCM Mobile Connect Setup	1h 24m
62	CUCM Mobile Connect Ring Schedule	0h 16m
63	CUCM Mobile Connect Access Lists and Exclusivity	0h 20m
64	CUCM Mobile Voice Access Inbound Call Recognition	0h 56m
65	CUCM Mobile Voice Access Direct Inward System Access	1h 09m
66	CUCM Mobile Connect Mid-Call Features	0h 13m
67	CUCM Mobile Connect Mid-Call Features cont'd	0h 42m
68	CUCM Device and Extension Mobility Overview	0h 27m
69	CUCM Device Mobility - Between Sites but Within a Country	1h 27m
70	CUCM Device Mobility - Between Sites and Between Countries	0h 42m
71	CUCM Extension Mobility Setup	0h 51m
72	CUCME Overview, CUCME Dial Peers, Show & Debug Commands	1h 00m
73	CUCME DHCP	0h 10m
74	CUCME Clock and Network Time	0h 06m
75	CUCME TFTP Server	0h 10m
76	CUCME SIP Server Setup	0h 17m
77	CUCME SIP Phones Setup	0h 36m
78	CUCME SCCP Server Setup	0h 23m
79	CUCME SCCP Phones Setup	0h 44m
80	CUCME Directory Services	0h 10m
81	CUCME Server Redundancy for SCCP Phones	0h 13m
82	CUCME Endpoint Registration With External SIP Proxy Server	0h 06m
83	CUCME Templates	0h 17m
84	CUCME Phone Customization	0h 20m
85	CUCME Web UI	0h 34m
86	CUCME Digit Manipulation and Class of Restriction (CoR)	0h 46m
87	CUCME PSTN Dialing	0h 51m
88	CUCME Voice Translation Rules	0h 34m
89	CUCME Load Balancing VoIP Calls	0h 09m
90	CUCME Class of Restriction (CoR)	0h 23m
91	CUCME Speed Dials	0h 46m
92	CUCME Calling Features Overview	0h 19m
93	CUCME Shared Lines with SIP Phones	0h 32m
94	CUCME Shared Lines and Feature Ring with SCCP Phones	0h 17m
95	CUCME Shared Lines with Barge & Privacy with SCCP Phones	0h 27m
96	CUCME Intercom with SIP and SCCP Phones	0h 15m
97	CUCME Night Service with SCCP Phones	0h 12m
98	CUCME Call Park with SIP and SCCP Phones	0h 34m
99	CUCME Call Blocking with SIP and SCCP Phones	0h 20m
100	CUCME CallerID Blocking with SIP and SCCP Phones	0h 09m
101	CUCME Call Transfer and Call Forwarding for SIP and SCCP	0h 41m
102	CUCME as Survivable Remote Site Telephony	0h 12m
103	CUCME as Survivable Remote Site Telephony cont'd	0h 51m
104	CUCME as Survivable Remote Site Telephony cont'd	0h 23m
105	CUCME 4-Digit Reachability	0h 14m
106	CUCME Call Pickup Groups	0h 16m
107	CUCME Basic Automatic Call Distribution (B-ACD)	0h 56m
108	CUCME Basic Automatic Call Distribution (B-ACD) cont'd	0h 12m
109	CUCME Unified (Traditional) SRST	0h 12m
110	Messaging - Cisco Unity Connection (CUC) Overview	0h 14m
111	Messaging - Unity Connection Setup, Integration, Message Waiting Indicators (MWI), Users, System Call Handlers	1h 06m
112	Messaging - Unity Connection System Call Handlers, Directory Handlers, Routing Rules, Conversations, Audio Text Auto-Attendant Menus	1h 00m
113	Messaging - Cisco Unity Express (CUE) Overview	0h 49m
114	Messaging - Unity Express Setup, Integration, Message Waiting Indicators (MWI), Users, Groups	0h 52m
115	Messaging - Unity Express Administration via Web UI, Users, General Delivery Mailbox, Schedules, IVR Apps, Conversations, License Activation	1h 19m
116	Messaging - Voice Profile for Internet Mail (VPIM) Networking between Unity Connection and Unity Express	0h 31m
117	Presence Overview	0h 43m
118	Presence - Native CUCM Subscribe CSS and BLF Speed Dials	0h 45m
119	Presence - Native CUCM Presence Groups and Call History Lists	0h 23m
120	Presence - Native CUCM Presence Groups and Call History Lists cont'd	0h 18m
121	Presence - CUPS & CUCM Integration and CUPC Provisioning and Testing	1h 52m
122	Presence - CUPS & CUCM Integration and CUPC Provisioning and Testing cont'd	0h 10m
123	Presence - CUPS & CUCM with IP Phone Messenger (IPPM)	0h 25m
124	Presence 8 Updates	0h 36m
Total Duration		74h 11m

Slides - Introduction and Agenda

Slides - What are Cisco's Unified Communication Certifications...

Slides - Fundamentals of Telephony

Slides - Quality of Service Primer

Slides - Unified Communications Overview

Slides - Network Infrastructure Basics and Phone Registration

Slides - Cisco Unified Communications Manager Admininistration

Slides - Users Groups and LDAP

Slides - CUCM Phone and Calling Features

Slides - CUCM Media Resources Overview

Slides - CUCM and IOS Gateways and Trunks

Slides - Additional Call Routing Topics

Slides - Troubleshooting Endpoint Issues

Slides - Cisco Unified Border Element

Slides - Unified Mobility

Slides - Device Mobility

Slides - CUCME Overview, CUCME Dial Peers, Show & Debug Commands

Slides - CUCME Digit Manipulation and Class of Restriction

Slides - CUCME Calling Features Overview

Slides - Messaging: Cisco Unity Connection Overview

Slides - Messaging: Cisco Unity Express Overview

Slides - Presence Overview

0:00:14	We´ve already taken a look at the actual LDAP Schema
0:00:20	and we take a look at the actual LDAP server itself
0:00:25	and the concept , let´s go ahead and bring CUCM back up .
0:00:30	So now, we´re going to go over to System Column
0:00:34	and to the LDAP section, now we note that we have
0:00:37	3 sub sections that we can deal with here.
0:00:41	and I´ll note that CUCM 8 as a 4, actually has the ability to filter.
0:00:49	We´re going to see where that might be really nice
0:00:51	because today what we were told in terms of tasks
0:00:55	it would be nice to be able to filter, but instead we´ll
0:00:57	have to use sort of a work around the way.
0:01:01	OK? So let´s log in because we´ve been out at it too long.
0:01:05	So LDAP and first place we´ll go is system.
0:01:10	The very first thing we have to do is choose the server
0:01:12	the type which is already shows in to or select
0:01:16	Microsoft directory which is what we want.
0:01:19	We could choose Netscape or Sun1 LDAP server
0:01:23	and the LDAP attribute for user ID.
0:01:28	OK? So we can choose a few different actually
0:01:32	user ID attributes and these are the.
0:01:37	These are the Microsoft active directory attributes
0:01:40	that we will use or our user ID field so
0:01:44	again, let´s actually go and fill up simultaneously
0:01:47	in another tab our end users, take a look
0:01:50	and we remember that we have one user
0:01:53	OK? Note what the fields are here before we do any of this.
0:01:57	User ID, first name, last name.
0:02:01	OK? and department are the columns that we see immediately here
0:02:05	and take note of how everything looks.
0:02:10	In fact, actually here´s what we´re going to do
0:02:14	go back to end user and we´ll open in a new tab
0:02:18	so that we can see how this screen looks
0:02:21	and how this screen looks while we actually
0:02:25	are still using the native intrinsic DC
0:02:31	directory within CUCM publisher server.
0:02:39	And later we´ll contrast that with what we see
0:02:41	after we´ve done the LDAP synchronization.
0:02:43	So as for the DC directory, remember we´re not
0:02:47	getting rid of DC directory as we used to do with integration
0:02:50	or simply populating it or possibly overriding any existing users.
0:02:57	or possibly both which in this case.
0:03:00	And so we´re going to say for our user ID field
0:03:05	What Microsoft active directory field name or attribute should we use?
0:03:12	Should have be the person´s mail identifier?
0:03:16	Their SAM account, their security Account Manager
0:03:19	account name which is a little redundant, SAM,
0:03:22	Security Account Manager has been around since NT35.
0:03:27	Employee number, telephone number we can even use
0:03:31	or user principle name. OK, so like you know for instance
0:03:35	Mark Snow, rather than account name might be MSnow
0:03:40	Now their mail may also be MSnow, but it might be MSnow@ine.com.
0:03:45	So it just depends on what we want to use
0:03:49	We weren´t given anything more specific in terms of
0:03:53	what user attribute should be map to our user ID field.
0:03:58	So we´ll just go ahead and leave it as the SAM account name,
0:04:02	but we´ll enable synchronization and that´s all we do here.
0:04:06	Well actually notice that this is sandwich together right up here
0:04:12	with, click save again. There we go, update succesful.
0:04:16	OK, now remember what this look like
0:04:21	I´m just going to go ahead and open end user in another tab
0:04:24	so that we don´t get rid of what it used to look like, right here.
0:04:30	Note now instead of just user ID, first name.
0:04:34	Highlight user ID first name, last name and department.
0:04:38	We see user ID first name, last name, department and
0:04:42	LDAP sync status, this is currently inactive.
0:04:46	This user is in active and we´ll also look at,
0:04:52	let´s contrast this with what we use to see.
0:04:58	This is what we used to see with DC directory
0:05:00	Now this is what we see, note the add delete function are.
0:05:04	disable because the user directory is sync with LDAP or
0:05:07	or is sync with LDAP, great grammar there
0:05:10	i.e. or in other words, The enable synchronization
0:05:14	from LDAP server flag on the LDAP system
0:05:16	configuration checkbox is check, yes it is,
0:05:19	because we just did that, so you´re correct.
0:05:23	and the LDAP sync status, delete pending, delete pending,
0:05:29	was inactive, let´s see if it´s delete pennding now
0:05:32	that still shows inactive here, but from the actual end user
0:05:35	it shows delete pending, but notice we can
0:05:38	still change the password, OK, if we had a user
0:05:41	that wasn´t in delete pending mode.
0:05:44	And we can still change the pin, we can not change
0:05:46	last name, user ID, middle name, first name, telephone number
0:05:51	mail ID, manager user ID or department
0:05:56	or even associated PC, user locale, digest
0:06:00	firm credentials, control device associations.
0:06:06	All the attributes relating to extension mobility
0:06:09	directory number association, mobility information for mobile voice
0:06:15	security CAPF and permissions, all those are still
0:06:18	controllable and save, we can save those attributes
0:06:22	or this system, now one more that will be taken away
0:06:26	is password, but until we actually get down to LDAP
0:06:30	authentication currently LDAP authentication
0:06:38	is still disabled, uncheck
0:06:42	So let´s go back to our task. Provision the server to
0:06:45	synchronize from the island natural exports LDAP
0:06:48	that resides on the ANI, AD domain controller.
0:06:53	Use the Ad schema to garner information about the
0:06:56	server and about the LDAP schema.OK? So, let´s
0:07:01	go back to the next page, we did LDAP system
0:07:05	to enable synchronization, now we actually have to give it
0:07:07	information about the directory we want to integrate to.
0:07:12	Now, notice that there is a find and we have search criteria
0:07:19	and then add new button, then we actually have
0:07:22	the ability to have this sort of implies that we have
0:07:27	the ability to have multiple LDAP directories.
0:07:31	And we can, in fact we´re going to need to, add new note
0:07:35	the warning, dialog box, and existing end users not found
0:07:38	in the corporate directory will be deleted.
0:07:42	Remember UCCX. For the correct integration of LDAP users
0:07:47	with the Cisco Unified Communications Manager it is necessary
0:07:50	that the user ID attribute is unique for LDAP users.
0:07:55	So another words, it refreshes.
0:08:02	If we had chosen, I´ll just go briefly back here, if we had chosen
0:08:08	open a new tab under LDAP system configuration
0:08:12	a user ID field to map which was let´s say
0:08:16	telephone number, users had the same telephone number.
0:08:22	We would have a directory synchronization error
0:08:26	OK? We haven´t change it to that and we probably wouldn´t
0:08:29	and have the same telephone number, many of this fields
0:08:31	there´s no way in active directory they´d have the same one like
0:08:34	email address, account name, employee number probably not.
0:08:41	User principle name? Absolutely possible
0:08:43	Telephone number? Absolutely possible so
0:08:47	CUCM is informing you will have a directory synchronization issue
0:08:53	rather than troubleshooting it, let´s just go ahead and tell you
0:08:55	right off the bat, if any fields in the primary
0:08:58	field that we just selected, this one here.
0:09:01	Use it for our DC directory field user ID, if those are
0:09:07	on unique or non-ambig or ambiguous rather
0:09:12	then you´re noy going to sync properly.
0:09:25	OK, sorry while I pause and take a drink of water.
0:09:29	So let´s choose an LDAP configuration name.
0:09:31	Let´s go back to our task and say only synchronize from
0:09:35	executive sales, IT and security organizational unit.
0:09:39	Let´s take a look back at our active directory schema,
0:09:45	if I can get a pull up here, there it is.
0:09:51	OK, so the top level is going to be dc com
0:09:55	our next dc is going to be ine, our top level
0:09:59	organizational unit will be island natural exports or ine
0:10:04	and then we have multiple parallel organizational units.
0:10:09	Let´s actually just look right back at our dc
0:10:19	and remember that. OK? So let´s just collapse this,
0:10:22	so that we can see the parallel organizational unit.
0:10:26	Here´s our top level, here´s actually out top level dc
0:10:30	then our top level ou within the dc and then at the next level
0:10:38	executive IT operations, r and d, sales and security
0:10:48	those are all at equal
0:10:53	I'll answer that question just a second, Joseph or Yaser?
0:11:00	Those are all at equal or parallel has depicted here level
0:11:06	so we could just import the ou for islan natural export
0:11:12	and we would get all, the executive, the sales, yes
0:11:16	that´s actually, it highlighted everything, we would get all
0:11:19	of the, I´m going to go ahead and delete this at this point.
0:11:25	We would get allof these ifwe only filled out
0:11:30	dc=con, dc=ine and dc=ou island natural exports
0:11:37	we would get all the users combine and contain within.
0:11:43	OK? I´ll go ahead and answer the question real quick, Yaser.
0:11:48	You ask or mention so we´re only importing
0:11:51	the user name from the active directory.
0:11:53	No, we´re not only importing the username
0:11:57	sorry, if I wasn´t clear there, is that what
0:12:00	other people though I meant as well?
0:12:03	Couldn´t wait for you to respond while I go ahead and
0:12:05	reply, give me a X if you thought that´s what I meant
0:12:10	that we´re only importing the username or a check
0:12:13	if you think that maybe you would understood a bit different.
0:12:17	OK? So, what I´m saying here is that what we´re going is,
0:12:23	Let´s just draw it out here, with active
0:12:30	with our active directory,
0:12:38	container we´ve got users and each of them have various attributes.
0:12:44	Alright, with our dc directory container over here in CUCM
0:12:54	this is Microfoft up here, CUCM we have
0:13:02	or we had a user that´s going to be overwritten. OK?
0:13:06	So what we´re going to be doind is calling all of this users over
0:13:11	however, what we do have over here in dc directory
0:13:15	go ahead and configure in a different color are empty
0:13:20	container fields within dc directiry such as user ID
0:13:26	Let´s just put down a few of them so we can serve
0:13:29	space and don´t make it too messy, so we´ve got telephone
0:13:33	number, user ID and let´s say password, maybe not passoword
0:13:43	but user ID, telephone number and department
0:13:49	first name, last name, those are ones as well
0:13:51	OK, those are fields under dc directory and I´ll just go ahead
0:13:55	caller code, dc directory is this nice fuschia color
0:14:00	that happens to show up real nice on the screen
0:14:03	that´s why I´m using it, and then over here with
0:14:05	active directory we´ll color things blue.
0:14:11	OK? So if active directory we´ve got SAM, account name.
0:14:23	We´ve got, what else does it allow? Mail
0:14:34	By the way we´ve got mail over here as well,
0:14:37	So I´ll go ahead and and draw of that email over here.
0:14:41	in dc directory. We´ve got, let´see what else?
0:14:48	Employee number, let´s use telephone number
0:14:59	Telephone.
0:15:05	Telephone number. OK? So these are three separate
0:15:07	fields that we add here inside active directory
0:15:12	and these are four fields that we have over here and actually
0:15:19	we do have the apartment over here as well.
0:15:24	So what we´re saying is when we make this synchronization
0:15:28	and we request and actually push all the information over.
0:15:31	In fact I don´t even really like to draw an arrow
0:15:33	pointing towards active directory because we´re not informing
0:15:37	or synchronizing in that direction, we´re only asking
0:15:41	so we´re pushing all this information over to active directory,
0:15:45	but the very first thing we need to do is map a one for one.
0:15:49	And say for the CUCM and excel spot my screen, for the CUCM
0:16:00	or CUCM dc directory, our field that must be unique
0:16:16	is equal to user ID, that´s what it was telling us right here
0:16:25	OK? This field must be unique.
0:16:36	OK? It must be unique, so what field from over here
0:16:45	that´s what this drop down is saying, which one of these fields
0:16:51	do we want to use to map across to this user ID field
0:16:59	User ID, user ID, user ID, all the same thing
0:17:02	and so we´re going to leave it as the default of SAM account name
0:17:07	or short name or alias, call various words for the same thing
0:17:14	inside Microsoft active directory, in fact let´s just
0:17:16	go ahead and bring it up so we´re all clear
0:17:19	over here in active directory,
0:17:24	this grab one of the executives, Benjamin Linus looks like a good one
0:17:29	grab the properties and here we got first name
0:17:33	last name, display name, none of those are what we´re
0:17:37	talking about we mention mail, that´s email.
0:17:41	and it´s another account user log in name
0:17:47	then also pre 2000 because they can have spaces in
0:17:50	post 2000, so this right here. This is the
0:17:57	The SAM account name or Security Account Manager,
0:18:01	account name this right here, as long this is unique for everyone
0:18:06	pretty much has to be, it´s a good one to correspond
0:18:11	over to, switch back over.
0:18:17	Over to our user ID field, but what they´re saying
0:18:22	is we could choose another one, could choose
0:18:28	telephone number for instance and so if we did that,
0:18:32	what would happen is telephone number
0:18:36	would be what links over here and fills in on dc directory
0:18:46	the field that we call user ID, Microsoft active directory
0:18:50	telephone number would get filled in for every user
0:18:53	on dc directory as the user ID, we could choose that
0:18:58	that´s what we have selected on the screen or we could choose mail
0:19:02	in which case,telephone number isn´t the one anymore
0:19:07	but now email address is, that´s actually a common
0:19:12	one that people choose because then it´s not just MSnow
0:19:15	but it´s msnow@ine that´s how I´m referred
0:19:17	to in CUCM dc directory.
0:19:22	OK, does that makes sense? All the other fields will still get map
0:19:25	over and the way that were doing it, is we´re choosing account name
0:19:33	We´re going to choose account name and that´s
0:19:36	going to be mapped one for one to user ID.
0:19:41	And then what we´re going to see as do on the next page
0:19:45	is to map individual attributes mail or map email
0:19:52	telephone number, we´ll map to telephone number
0:19:55	department, we´ll map to department
0:19:57	and some of these we can choose options for.
0:20:00	OK? Does that make sense?
0:20:05	OK, so we´ve already done the system configuration
0:20:08	and by the way just to reiterate that
0:20:12	didn´t change anything it´s still there at SAM account name
0:20:17	OK? So now we´ll go to LDAP directory and add new
0:20:23	and users not found will be deleted
0:20:26	make sure that the user ID attributes unique which is
0:20:29	what we just got in talking about, so now we need to give it
0:20:32	configuration name, before we give it a name
0:20:35	which we would like to do intuitively, let´s ago ahead and
0:20:38	work on the rest of it, so that we have an idea of
0:20:40	what this should probably be so that we can name
0:20:44	So LDAP manager distinguish name, OK? Distinguish name
0:20:51	indicates maybe like a fully qualified LDAP name
0:20:56	which with previous version of Windows NT and
0:21:05	and older versions of the main controllers before
0:21:09	active directory came out, this would have been something like
0:21:13	the domain name of INE\administrator
0:21:20	something like that in fact if we look back here
0:21:23	we see user log on name pre windows 200 INE\blinus
0:21:30	OK? Like a blinus. But that´s the old way of doing it.
0:21:37	The fully qualified name is blinus@ine.com,
0:21:41	this has nothing to do with email, ine.com is the domain.
0:21:50	The one would it like administrator is the user
0:21:55	we´re going to use so it´s going to be administrator@ine.com.
0:21:59	This is the manager of the LDAP or at least someone.
0:22:03	let´s go look at it, under the users container
0:22:09	administrator is someone who is a member of and has
0:22:16	permissions or at least domain admin, they may not be
0:22:21	enterprise admins or schema admins which are higher roles
0:22:26	but it just depends at what level of the active directory heirarchy
0:22:30	of forest, trees, domain, etcetera
0:22:36	that we are wanting to peer in to or search in to and try to control.
0:22:43	In this case we don´t have a forest, we don´t have trees.
0:22:47	We simply have a domian, OK? We could build
0:22:51	something larger just for a lab sake.
0:22:57	filtering if we were working on CU8 because
0:23:00	we don´t have filtering now this is more than enough to
0:23:04	qualify as what we need, so we just need this username.
0:23:08	Let´s go back to account, general
0:23:13	and it´s actually not filled in here, but administrator
0:23:15	@ine.com is going to be the user and then its password which
0:23:20	we already but we could reset and by the way
0:23:23	if you had active directory in the CCIE voice lab
0:23:27	you most likely would not have access to this
0:23:32	active directory users in computer´s computer machine.
0:23:36	If you did, then it would probably be for reference only
0:23:40	and you would probably not need to set anything up
0:23:44	You know but it would be nice if you did just so you could come and
0:23:48	make sure you have an administrator use their
0:23:50	and reset the password if need be which I´m not going to
0:23:53	because it´s, it is CCIE Cisco and to answer
0:23:59	your other question, Yaser. Do we have active directory
0:24:05	servers on a rental racks, we do this is on the rental rack however,
0:24:09	they are being rolled out to the other racks so actually
0:24:12	if you´re watching this in recording then they´re most likely is
0:24:15	already in all of your racks, but I would say within the next
0:24:19	just depending on my development staffs.
0:24:25	Basically, readiness and an existing workload which they
0:24:29	already have some few task back log within the next week
0:24:32	to two weeks you should have it on every single voice
0:24:35	rental rack but it is already on a few
0:24:38	and then also your other kind of statement/question so there is no
0:24:42	fall back to this operation, actually there is.
0:24:45	We don´t have to stay this operation that we have to do
0:24:50	of synchronization,we can actually fall back.
0:24:55	So good questions, keep them coming. But
0:24:59	we´re not locked in to this once we start.
0:25:01	It´s not like it was in CUCM 4 where we
0:25:05	were somewhat crossing our fingers and
0:25:08	hoping that everything went right.
0:25:10	So our password as mentioned is CCIE Cisco
0:25:15	confirm CCIE Cisco.
0:25:18	Now the LDAP user search base
0:25:21	so this gets in to what do we want to search,
0:25:24	well we definitely want to search dc=con.
0:25:29	And by the way, when we´re writing fully qualified LDAP
0:25:38	RC conforming LDAP user search base formats,
0:25:48	we always go from right over to left
0:25:53	OK? So com would start on the right
0:25:56	and then we would actually have dc=ine.
0:26:03	OK? It´s not ine.com, it´s not this.
0:26:09	is dc-ine, that was a dash not an equals
0:26:15	dc=com, so from right to left.
0:26:20	ou= keep hitting down.
0:26:28	ou=island natural exports, spaces are fine, by the way
0:26:33	case sensitive, not case sensitive,
0:26:36	spaces are fine, no need to escape with the back slashes space or
0:26:39	space or confine within string indicating double
0:26:45	quotes which need to type it right, island.
0:26:54	We were told in our task to only synchronize users
0:26:58	from executive sales, IT and security and we mention
0:27:02	that if we just did dc.
0:27:10	dc, ine and
0:27:14	island natural exports that we would actually get all the users.
0:27:19	So we ned to make sure that we don´t do that
0:27:23	and that we only pull from
0:27:28	executive
0:27:31	IT, what were we told, sales.
0:27:38	Executive, sales, IT and security
0:27:42	OK. Executive, sales, It and security.
0:27:50	OK?
0:27:53	So we need to add on the ou
0:27:57	of executive.
0:28:00	and now we´ve got enough information to make a good, clear
0:28:05	name that´s going to be intuitive and useful and doesn´t
0:28:11	it ambiguous or confusing, so let´s call it INE
0:28:15	AD Executive
0:28:22	OK? Now notice that we´ve got synchronization
0:28:26	schedules, we could synchronize juts once
0:28:29	rarely is that going to be what you want to do.
0:28:31	It could perform a resync every X amount of days, hours,
0:28:35	weeks or months and tell it when the next resync is
0:28:40	if we look back at our task, we were actually instructed
0:28:44	to ensure that the LDAP resynchronizes it user base
0:28:48	as frequently as it is allowed by the system.
0:28:52	OK? Well,
0:28:54	as frequently by the system is got to be hours,
0:28:56	we can´t go minutes or seconds. So let´s put one in there
0:28:59	and just see if it will let us save.
0:29:04	Put in a host or IP address in
0:29:06	and it also tells us perform a resync every
0:29:09	can´t perform resync more frequent than every 6 hours.
0:29:13	So this is why you had a task that didn´t tell you
0:29:15	exactly what you needed, well it actually
0:29:18	did tell you exactly what you needed, if you think about it.
0:29:22	They gave you as much information as you needed
0:29:25	to be able to use the tools in your tool kit, which is in this case
0:29:30	try and save to find out that 6 hours is the minimum.
0:29:36	There we go, also documentation would be great.
0:29:38	And we will look at that documentation as per
0:29:41	couple request and also what I plan to look at in just a little bit
0:29:47	on the documentation Cisco.com documentation website.
0:29:52	Let´s before we click save again look at a few other fields
0:29:55	first we were told we need the actual server information.
0:29:58	Port 389 is the default port and will work
0:30:02	SSL only if it´s required or instructed that you can use it,
0:30:08	so probably be noted and then let´s see what our
0:30:13	DC directory is in terms of IP address, it is
0:30:19	177.1.10.110 we also saw the username and password.
0:30:30	OK, So 177.1.10., 10 is our CUCM pub, but 110 is the dc directory
0:30:39	and then here are CUCM user fields and LDAP user fields.
0:30:44	Now back in the LDAP system in that section we already
0:30:50	chosen what to map here to user ID.
0:30:54	OK, if we had chosen something else then
0:30:56	just switch off that other thing.
0:30:59	Middle name, we can choose to map to middle name or
0:31:02	initials, ok so this is from the Microsoft active directory.
0:31:05	Yes, that´s palindrome, system LDAP, LDAP system palindrome,
0:31:14	These are the Microsoft active directory fields,
0:31:16	this ones, in fact let me just get
0:31:22	soft Ad fields, Microsoft AD fields and
0:31:29	CUCM fields, CUCM fields
0:31:32	that we´re going to map one for one.
0:31:36	OK? And we see obviously,
0:31:40	actually it´s going to come back the other way
0:31:44	we´re all coming back this way.
0:31:47	OK? So we see that, there are few that we can change
0:31:52	middle name we could have initials, phone number.
0:31:57	I remember something in the task about
0:32:01	Palindrome in the lab, no, I´m sorry you don´t get any
0:32:03	credit points for that anymore.
0:32:07	Phone number, we remember there is
0:32:08	some sort of a task about that.
0:32:13	There was at, ensure that each user has his or her
0:32:17	proper phone number synchronize. OK? And then
0:32:20	because I´m nice, may take some experimentation.
0:32:24	What does that mean? Well it probably means that one of this
0:32:27	to actually contains a phone number, but we´re not sure which one.
0:32:32	Now if you have access to the dc directory
0:32:34	server, then we could just go over
0:32:37	and actually look at it, grab a user you know and try to
0:32:45	but we´re not going to do that right now. We´re going to
0:32:47	do which is experiment because maybe we´re not given that
0:32:51	information in the lab and then mail ID is it going to link to mail ID
0:32:57	or account name remember if we link maybe for instance
0:33:03	we link maybe user ID to mail or mail to user ID rather
0:33:08	then it´s very possible that we would want to link mail here to
0:33:14	account name rather than default of mail, so we´ll leave this
0:33:18	as the default. So mail to mail, telephone to phone,
0:33:24	middle name to middle name, we´ve already put in the IP address,
0:33:28	let´s go ahead and click save.
0:33:31	And awesome, all that work and we got log out.
0:33:35	We get to do it again, we turn this to the page with
0:33:38	everything intact, but it´s not going to let us save.
0:33:42	No matter how many times we click it,
0:33:43	so we will have to go back and enter it again.
0:33:47	Please copy something out of here,
0:33:51	Probably not what I should have copied.
0:33:56	OK? Let´s see if it´s populated, no. Alright.
0:34:01	Yes to the 2 warnings.
0:34:04	OK? INE AD executives, good.
0:34:08	Our fax is remembered CCIE Cisco, CCIE Cisco.
0:34:13	LDAP user base, nice, it´s already got everything that we keyed in.
0:34:18	Although this is curious and this down here is curious.
0:34:24	OK, time to restart the browser.
0:34:28	Obviously, it wasn´t bringing up our fields properly so.
0:34:31	Not much we can so about that, except to restart.
0:34:39	Make sure everything we´ve already done such as LDAP
0:34:41	system is already here, it is. OK.
0:34:44	Look through this again, we´ve already been over the fields
0:34:46	so we´ll do them a little rather quickly.
0:34:51	2 warnings, OK good, we´ve got hour,
0:34:55	we can choose the minimum which is 6.
0:35:01	Administrator. OK.
0:35:06	Administrator @ine.com, CCIE Cisco
0:35:15	CCIE Cisco, LDAP user base.
0:35:19	OK? Let´s just go backwards dc=com
0:35:24	dc=ine, ou=island natural exports
0:35:36	and ou=executives, I think it´s executive. It´s singular, it is.
0:35:48	OK?
0:35:49	comma is in the right place, island natural exports, plural good
0:35:53	OK. Middle name, telephone number, mail
0:35:56	Good, those are all map to where we´re going to try first.
0:36:01	And our IP address of .110 and now we´ll click save.
0:36:06	Add was successful.
0:36:09	I had to come back so many times, let´s not trust it.
0:36:11	Let´s go check it. Great. Now, notice what we can do
0:36:17	If we go check right now, our users
0:36:21	we´re still at that one user that is it inactive
0:36:25	or if we click on it we see pending delete or delete pending
0:36:30	close that and let´s now say, cross our fingers
0:36:33	and click perform full sync now.
0:36:37	About to perform a complete resync from the LDAP server
0:36:39	if you have not save your changes press cancel
0:36:41	now and save the changes this action may take
0:36:44	a long time to complete. It´s not, don´t worry.
0:36:47	We don´t have a large active directory
0:36:50	and now we can cancel the sync process.
0:36:53	Let´s just go back to find, and click on it again
0:36:58	and see that we don´t see cancel which means we have
0:37:03	sync, by the way if this search base was not correct
0:37:08	note what would have happened. I´ll just actually add a new one
0:37:12	and I´ll say INE TEST
0:37:16	administrator CCIE Cisco, CCIE Cisco, so the password is proper
0:37:23	but I´ll make the change that this should be.
0:37:27	You can actually have two of the exact same one by the way
0:37:30	this won´t cause any problems, executives and
0:37:35	click save and watch this.
0:37:38	Wrong LDAP user search phase while connecting.
0:37:42	Now we wouldn´t have known that it was the wrong search space
0:37:45	if the password was wrong, let´s change this just to Cisco
0:37:50	And change this to something proper.
0:37:55	Log in failure, for the first thing it´s going through is
0:37:58	try to use a username and password to log in.
0:38:01	And it´s actually going to give you some really good feedback
0:38:05	in terms of the error message to tell you what happened.
0:38:08	OK?
0:38:09	So let´s put this back to executives with the wrong
0:38:12	password, save. There´s a log in failure.
0:38:16	Alright, so let´s fix that. Let´s just add CCIE to the front.
0:38:22	Now we get very different message which is the wrong LDAP
0:38:25	user search space. So it´s telling you
0:38:28	that this portion right here
0:38:32	something isn´t right about it.
0:38:35	It´s really really great helpful error messages
0:38:39	that can help you fix whatever is wrong
0:38:42	OK? I´m not going to do it the right way because we´ve
0:38:44	already done it the right way, so let´s go check our users.
0:38:50	Find.
0:38:52	OK.
0:38:54	That´s not what we expect.
0:38:59	Back to LDAP.
0:39:04	And let´s perform a full sync now.
0:39:10	Update successful. Cancel the sync process.
0:39:13	Let´s come back to LDAP directory.
0:39:17	Check it.
0:39:19	Perform should be done
0:39:22	and there they are.
0:39:24	For whatever reason to perform, maybe I didn´t click it the first ime
0:39:28	OK? So we see a full list of users.
0:39:32	We got their first name, their user ID or
0:39:35	SAM account name, their last name, their department
0:39:38	if it was build in Microsoft and what the status is, active.
0:39:43	We still have this one user, but it´s inactive and if we click on it
0:39:47	remember it will show us delete is pending.
0:39:52	But let´s look at any of these others, Benjamin Linus.
0:39:56	OK? Password is still here locally controlled by dc directory
0:40:01	last name, first name, telephone number did not match.
0:40:07	Telephone number did not match. So when we were instructed to
0:40:12	ensure that the user has his or her proper phone number
0:40:15	synchronize may take some experimentation.
0:40:18	Looks like we need to experiment.
0:40:20	What do we want to experiment with?
0:40:23	Well, let´s go delete all these users.
0:40:26	Wait a minute, there´s no add or delete.
0:40:30	How can we deal with this?
0:40:32	Remember what I said, we´re not at a no turning back point?
0:40:36	Let´s just do this. LDAP directory. Check it and Delete it.
0:40:44	All gone.
0:40:47	No, LDAP directory is that reporting properly. Zero records.
0:40:50	By the way sometimes when it says you´re a records
0:40:52	like if you come back to a screen on CUCM web
0:40:55	admin interface, it doesn´t necessarily means 0, if you click find.
0:41:00	Sometimes when it returns you to a screen it shows your but
0:41:03	they are actually are users or entities of whatever screen you´re on.
0:41:07	This case they really are no LDAP directories. Are users gone?
0:41:12	No, they are still there. They´re inactive because their
0:41:17	LDAP directory that they were synced from, is no longer there
0:41:23	They´re inactive, but I still can´t delete them.
0:41:25	I still can not delete them, but a delete is pending on this user.
0:41:30	But if I go back to LDAP system and uncheck it and say save
0:41:36	Update was successful.
0:41:39	Now, if I come back to end user they are still there but delete is back.
0:41:45	Let´s just go ahead and delete everyone.
0:41:50	There we go. No users. By the way,
0:41:55	if that delete wouldn´t have work, I´m sorry not the delete.
0:41:57	If the original synchronization that didn´t seem to work
0:42:00	the first time, maybe because I forgot to check it and thought I did
0:42:04	had continued not to work. I would have come back to
0:42:07	service activation or probably control center feature services.
0:42:11	and ensure that for the publisher, in fact I´m going to go
0:42:14	to the subscriber to show you that it´s not here.
0:42:20	Do not anything for directory sync on the subscriber
0:42:23	but for the publisher that´s because dc directory
0:42:27	does not exist on the subscirber, it only exist on the publisher.
0:42:32	There should be, here it is, Cisco directory sync
0:42:35	and it is, I would check that it was started and I would restart it.
0:42:42	If there were any issues there.
0:42:45	Go ahead Yaser, just to make sure you get this correct.
0:42:48	What will happen do the existing users after the LDAP sync?
0:42:52	Well, first of all, they´ll be in a delete pending state.
0:42:55	They will not be usable. OK? I can not use them.
0:43:01	And they will essentially be deleted at some point if
0:43:05	LDAP synchronization continues,
0:43:10	but for awhile they remain showing up in the end user.
0:43:18	And they´ll be in a delete which we saw
0:43:20	many times in a delete pending state.
0:43:27	OK? Now what we did to be able to actually delete them
0:43:30	ourselves or add new. this button will go away, once we undo this.
0:43:35	Though there is no easy migration to LDAP.
0:43:41	You mean there is no easy migration like
0:43:44	from existing users that you have, well.
0:43:51	You have to migrate all, yes. It is an all or nothing operation.
0:43:56	You don´t really get to have your cake and eat it too.
0:43:59	It´s a kind of an all or nothing migration, yes.
0:44:07	Yes, I understand.
0:44:12	We going to experiment with it, there might be some
0:44:16	engineering specials, work arounds for those, but
0:44:22	as the default behaviour, its not a slow migration.
0:44:28	Yes, in the disappoinment there for sure,
0:44:31	especially in a large environment.
0:44:35	Yet, you could set up a different ou on the active directory
0:44:39	for your phone users, the difference is with active directory
0:44:44	we´ve got these various ou´s and things, but we´re not
0:44:47	syncing anything in to active directory, we´re syncing them
0:44:49	from active directory over to CUCM dc directory so
0:44:56	It´s replacing what we have on dc directory,
0:44:59	it´s not in conjunction with and we can´t continue
0:45:02	to create or use add new or delete users.
0:45:06	But you could set a different ou in
0:45:08	active directory for your phones, sure.
0:45:14	OK, so let´s go back to LDAP system.
0:45:18	We had to uncheck this or disable synchronization in order
0:45:22	to delete our users and we needed to delete our users because
0:45:27	because the refresh why we´re doing, what we´re doing
0:45:29	because the LDAP directory that we created
0:45:31	and subsequently deleted did not map the
0:45:38	phone number over properly, so let´s take a look at that first
0:45:40	phone number by default set to full from the Microsoft active
0:45:45	directory LDAP user field of telephone number.
0:45:47	Let´s change it to the only other thing available
0:45:50	IP phone and see if that populate the
0:45:54	CUCM dc directory user field or phone number appropriately.
0:45:59	OK? SO what do we call this? INE AD executives
0:46:04	Administrator was the user name, CCIE Cisco was the password.
0:46:11	Get that in right.
0:46:15	Search Space, I´m glad it remembers it. It´s executive singular,
0:46:19	not plural, we´re going to resync every 6 hours.
0:46:24	I´m just doing this with the keyboard and then
0:46:29	Full fromt he proper IP address, so let´s click save.
0:46:34	Add was succesful. Perform Full sync now.
0:46:41	Give it a second or 2, we´ll go over to end user.
0:46:47	They´re still not here, they´re still syncing. That´s fine.
0:46:49	We give them a little bit of time to synchronize. We won´t be too rough.
0:46:54	So INE AD executives, in the background this is syncing.
0:47:00	Remember what we change to as IP phone. Now look at the
0:47:05	questions or the active directory IP.
0:47:11	UCCX users will get impacted in this case.
0:47:14	If they´re using the same UCCM cluster.That´s exactly right,
0:47:17	that was exaclty why on the task we mention.
0:47:24	Ensure that once you integrate the server and you have to replace
0:47:30	the temporary user password which is capital Administrator
0:47:34	password Ciscocisco all one word, that´s the temporary
0:47:37	UCCX wizard password, you have to replace that with
0:47:40	username since all the users get deleted
0:47:44	and we were told here in LDAP synchronization to
0:47:48	Do not cause any harm to the existing UCCX integration.
0:47:52	You pretty much do UCCX later or whatever username you use
0:47:59	or the UCCX integration make sure that user exist in dc directory
0:48:04	Actually that´s the only thing you have to do to sort of fix it.
0:48:09	is let´s say this,
0:48:14	spring our screen down and say this, if I have CUCM server
0:48:24	and I´ve already got a full integration
0:48:27	with my UCCX server. I´ve already perform the wizard.
0:48:37	And when I perform the wizard I use the new
0:48:41	directory or user name, user ID of UCCX admin
0:48:55	OK? That was the directory idea I use and that existed
0:49:04	in dc directory up here on the subscriber
0:49:10	ask username and a password of Cisco. Terrible security, I know.
0:49:25	Then I brought in my Microsoft active directory
0:49:30	and I perform synchronization.
0:49:41	OK? I perform synchronization and once I perform that synchronization
0:49:47	I had user, let´s see Kate, Jack and John
0:49:58	Sayid, you see where my island natural exports is hold from?
0:50:04	That is users so they all populate in the directory over here.
0:50:12	We´re here in dsc directory land, they´re now created.
0:50:16	Kate, Jack, John, Sayid
0:50:25	however, there was no UCCX user, so it is flag for deletion
0:50:32	and now when I try to log in from the web admin interface,
0:50:36	I get a failure. What do I need to do?
0:50:41	Go over here with my Microsoft active directory
0:50:44	Main control and add U C C X admin.
0:50:50	This is after the fact as my user
0:50:58	if you have access to it in the lab
0:51:05	in the lab you may not add that user and then make sure that
0:51:11	you´re either authenticating locally which we haven´t gone to yet
0:51:16	off locally on dc directory or that you´re pointing up indication
0:51:20	back to dc directory whichever and
0:51:24	really doesn´t matter what the password as long as this user
0:51:27	that you already inform UCCX about exist
0:51:31	that is the user that has the adminstrative site, now you will be able to
0:51:39	Go to log in, be able to log in now.
0:51:51	OK? Does that make sense?
0:51:53	One of the things we have not done yet is
0:51:56	synchronize all of the rest, we kind of got a move on
0:51:59	well, I don´t want to push it in anyway if
0:52:02	if we go over,we can certainly carry over to another day.
0:52:05	but we need to do sales, IT and security.
0:52:07	Now what we could not do is just synchronizes
0:52:10	as I mention the entire island natural export
0:52:13	and pull all the users, but then filter
0:52:16	which ones we wanted, executives, sales, IT
0:52:20	security, but not operations and not research and devleopment.
0:52:25	We can do that in CUCM8 for those of you who use in real world, but
0:52:33	and will have even more features of 9 but
0:52:36	we don´t have that in 701 which is what´s on the lab
0:52:39	until we were focusing around in this current deep dive.
0:52:42	By the way later, and I´ll be the last to say about this
0:52:46	we will have other ddep dives that go outside
0:52:49	once we´ve covered everything pertaining to the CCIE voice lab.
0:52:53	We´ll be covering all of the off setted new features in CUCM8
0:52:58	and then as 9 comes out etcetera, as I mentioned also security
0:53:02	for 7 security for 8, design, things like that things that
0:53:07	go beyond the lab, but first we´re going to cover the lab one
0:53:10	OK? So one of the cool things in 8 that I just can´t wait
0:53:13	to demo to everyone is automatic DN dynamic routing
0:53:20	between clusters, We have three different clusters and they´ve got
0:53:23	3 different sets of thousands of DNs, they can´t actually dynamically
0:53:27	route those via EIGRP something called an SAF
0:53:33	all those DNs selectively with filters which once you want between
0:53:38	clusters without any configuration other than setting up the
0:53:41	synchronization. Really cool. 8 got some great features
0:53:44	and that´s nothing compared to the INE, but anyway
0:53:48	getting away from that we have to basically create
0:53:51	4 separate LDAP directories one for each, we already did
0:53:54	executives and now we need to do sales, the IT, then security.
0:53:58	That´s what we have to do instead of filtering.
0:54:01	So because we´re doing that let´s actually go back
0:54:04	one last time and answer your question, Yasir and
0:54:09	at the sake, or the expense of possibly being hit redundant.
0:54:15	Let´s delete this, that are users won´t take as long
0:54:19	we already know what to do, fine they´re all inactive
0:54:23	We click on anyone like Daniel Faraday, he´s in a delete
0:54:26	pending state, we can´t delete him though. We only save
0:54:30	until we come to LDAP system, unclick synchronize.
0:54:36	Update successful, go to end user.
0:54:40	Now we can delete them all, so let´s not delete all of them.
0:54:44	Let´s delete all, but let´s use Daniel Faraday.
0:54:49	Click here what are the one´s we´re going to use, let´s
0:54:55	Let´s unclick James Ford or Sawyer
0:54:59	OK, we´re going to delete everyone else. The James Ford
0:55:03	is just a user as this point, actually one thing you can do.
0:55:08	We haven´t mention this, let´s do this, let´s add a new user.
0:55:13	Let´s go create a user like hq Phone1
0:55:17	Password Cisco, Cisco 12345.
0:55:22	Let´s not do anything 99999 that´s what it was hq Phone 1
0:55:27	Save.
0:55:29	trivia whole credential. OK, C1SC0.
0:55:37	987123 C1SCO 987123, that´s not trivial.
0:55:44	OK, but they don´t match C1SCO 987123
0:55:50	again C1SCO 987123, hopefully I did that right.
0:55:58	There we go, it´s still trivial. How was that trivial?
0:56:01	hash, how about hash added to the
0:56:06	No longer trivial. Great, OK. So now the reason I´m doing this
0:56:12	is because I want to show, we´ve got 2 users, right?
0:56:17	And just to answer, just to try to maybe
0:56:20	help assuage some of Yasir´s concern about the
0:56:26	lack of modularity and lack of ability to import
0:56:30	users and retain all my existing and watch this
0:56:34	Let´s do this real quick, we´ve already done them enough time.
0:56:36	and I think you guys can follow me quickly. Enable it, save it.
0:56:43	Create a directory which all of our fields are actually there.
0:56:46	So yes, OK to the concern
0:56:50	INE AD executives administrator with INE. CCIE Cisco, CCIE Cisco.
0:57:00	OK, doesn´t really matter what that is.
0:57:05	Those we´re going to delete it. Save.
0:57:10	Perform Full Sync, OK. I fogot to do something that I want to.
0:57:23	Give it a little bit of time, see if it´s there.
0:57:26	there´s all our users. Note this user is inactive state.
0:57:33	Is in inactive state, Benjamin Linus is active.
0:57:37	We actually didn´t change anything on Ben Linus
0:57:39	which is what I wanted to do to show you, by the way there´s
0:57:43	phone number filed maps because it was in IP phones.
0:57:47	OK? But now let´s go back to LDAP directory
0:57:51	we´re going to do this whole thing again, delete, OK.
0:57:56	We´re going to back to system, LDAP system.
0:57:59	Uncheck it and save and now when I go back to users
0:58:04	OK, there´s no status. They´re all here. hq Phone1 is here.
0:58:09	B. Linus is here, they´re all here and I can delete them if I want
0:58:12	I didn´t select anyone, but I still got hq Phone 1.
0:58:17	Right? I´ve still got Ben Linus
0:58:21	and by the way let´s go ahead and add extension mobility
0:58:24	something to him. We don´t have any user device
0:58:28	profile let´s just create one, very quick.
0:58:31	User device profile, none here so let´s
0:58:35	create one and call it phone 7961
0:58:40	Yes, skinny is good. We´ll call it Bens
0:58:48	at BensUDP
0:58:52	or BLINUSUDP
0:59:00	maybe UDP_BLINUS would fit with our naming convention
0:59:03	a bit better, descirption, UDP for Ben LINUS
0:59:17	OK, you have to choose a phone button template
0:59:19	the privacy is off or maybe it´s on, whatever
0:59:23	OK. Save.
0:59:26	Add successful.
0:59:29	whatever that´s fine, we don´t even need to give a line
0:59:32	Go back to the end user, highlight Ben Linus.
0:59:37	Assign the controlled profile and the default profile.
0:59:42	There is no extension because we are not associated to a
0:59:44	phones, so let´s go ahead and associate it to a phone.
0:59:50	You may change this later.
0:59:53	Save selected changes, go back to the user.
0:59:58	So now they have a control device.
1:00:02	Controlled profile, a default profile and
1:00:05	a primary extension, we´ve save everything.
1:00:09	Go back to all the users, let´s drop back in
1:00:11	just to make sure everything´s there, it is.
1:00:14	Alright, now let´s go back and for the last time
1:00:17	enable, LDAP. This is to answer your question Yasir.
1:00:21	If we already have the users created what will happened?
1:00:26	If we already have the exact same user ID
1:00:30	by the way if the user ID in our dc directory
1:00:33	is not what is currently the account name
1:00:38	in the active directory
1:00:44	then we could use another name or we can use another field
1:00:48	and maybe we can get someone in the
1:00:52	in the AD department where they might not
1:00:54	can not badge on account name, we can´t change that it´s already
1:00:57	there. Maybe they´ll change one of these other fields for us.
1:01:00	and that will help us. It might be nice.
1:01:03	OK? Make it match what we already have.
1:01:07	Make the value of it match what we already have
1:01:09	for our value, user IDs is what I´m saying
1:01:13	Is that a little more too, make sure overhear an active directory.
1:01:20	If SAM account name,
1:01:27	is not equal to dc directory, user ID field, then in that case maybe
1:01:43	change I don´t know something else temporarily
1:01:48	like user principle name or maybe even employee number
1:01:52	or something like that if it will allow not just a number but maybe
1:01:55	user principle name, change maybe user
1:02:04	inactive directory user principle
1:02:11	name, fill that in with the value
1:02:17	equalling CUCMs, DC directory existing
1:02:29	user ID field over here
1:02:37	and make those to match
1:02:40	OK? So that´s one idea of houw you could have
1:02:44	compatibility instead of using the account name which is the default,
1:02:49	change it to something else and then go over in dc directory
1:02:54	and you know get them to change that equal this
1:03:03	OK, let´s go back to account name, save
1:03:08	and we´re going to go directory LDAP, direcroty add new
1:03:15	a couple times, put them what we need
1:03:32	phone was where we found the valid phone number.
1:03:37	Save. Log in failure.
1:03:45	sychronize and give it a few seconds
1:03:55	back, here´s our users. They´re now active.
1:04:01	BLinus drumroll, still has his control device
1:04:06	controlled profile, everything is already match so
1:04:10	is what I wanted to get to answer your question
1:04:13	if you already have existing user in your DC directory
1:04:22	either the active directory may already have the same user ID name
1:04:28	if they don´t choose a different field from active directory to map
1:04:35	to the user ID field, I meant that deadspot, suposed to be AD.
1:04:40	Choose a different field to map to you know maybe like AD
1:04:45	principle name and map that
1:04:49	up to the user ID field and then fill that in
1:04:53	over here on AD new with something that
1:04:56	close your existing CUCM user ID before doing your
1:05:01	migration or synchronization
1:05:04	and that should really aid you in migrating from
1:05:08	DC directory to LDAP synchronize
1:05:11	OK, so now we need to go back and add more
1:05:15	We need to and we can actually go ahead and copy.
1:05:30	Your question, is there a safer way to recreate the users in
1:05:34	dc directory, well that would be a safer way, but
1:05:37	you don´t have any backwards compatibility there
1:05:42	You´re going to do that, you might as well just do this
1:05:46	dc directory synchronization from the beginning,
1:05:48	from a green field deployment. OK.
1:05:52	So now we copied, we now want, I believe what was
1:05:56	next, sales? Yes, sales.
1:06:03	Password still the same, ou is the same except
1:06:08	our lowest ou which is to the left should be sales,
1:06:12	let´s make sure it´s sales, and not sale. Just to make sure.
1:06:16	OK, IP phone, everything else is still the same, we click save.
1:06:21	Perform Full Sync, OK, Copy.
1:06:27	This one is going to be, what was the next one we were told? IT?
1:06:35	The ou base
1:06:39	replace sale with IT, again remembering our
1:06:44	linear parallel bits of heirarchy here of ou´s.
1:06:51	OK, same thing for everything else. Good, perform full sync.
1:06:58	and then finally copy and what was the last one
1:07:01	we´re instructed, security. So security
1:07:13	Remember the comma and then the space, to separate each one
1:07:18	and save perform full sync.
1:07:24	And now if we go back to find, we should have four separate
1:07:29	directories or sub directories as they are in this case
1:07:33	and if we go over to user management we should have
1:07:36	a lot more users now we´re still going to have this
1:07:38	one that´s inactive, that was the one that I created in
1:07:40	dc directory that didn´t have a one for one mapping from
1:07:47	active directory Ben Linus, still has all of his features, no problems there
1:07:54	and all the other users have the ability to update
1:07:57	their pretty much all their field including password
1:08:03	OK? So
1:08:07	before we go on to the next task
1:08:09	well actually let´s just read through the rest of the task
1:08:11	and make sure each user has his or her proper phone number
1:08:14	just to make sure those are there and not every user has a
1:08:17	phone number, the once with departments should have phone numbers
1:08:24	OK? They have their proper phone number, this was the format
1:08:27	the fully qualified e164 format that we´ll look at
1:08:32	the very first day of or maybe the second day
1:08:35	I can´t remember, I think it´s the second day of dial plan
1:08:38	coming up the first week of july after networker
1:08:42	YOu have their phone number, don´t cause anything harm or
1:08:45	we do that in a minute ensure LDAP resynchronizes
1:08:49	as frequently as it allowed, 6 hours we already did that
1:08:53	by the way we can manually go resync anytime we want.
1:08:56	OK? we can go to LDAP directory
1:09:00	choose any one of these and click perform full sync manually
1:09:04	no probelm so like if we made a change and we need to take effect
1:09:07	on our dc directory now not in 4 hours because it would
1:09:11	had been 2 since our last synchronization and do that
1:09:16	Come back to end user and people that were in IT
1:09:20	I think that´s only to synchronize.
1:09:25	They have had their changes push
1:09:28	OK? Let´s just test that real quick.
1:09:35	Take Desmond Humer in IT.
1:09:41	Change to his phone number which is over here, by the way
1:09:44	general does have telephone number
1:09:46	and if we had map something to telephone, the very forst mapping
1:09:50	to telephone would have work but instead of being
1:09:54	primary telephone number general attributes page and
1:09:57	active directory it was under IP phone, notice we can´t
1:10:00	map any of the others, only telephone on general
1:10:04	and IP phone here, let´s just change it to
1:10:07	+555 we´re going to change it back, but I just want to make sure
1:10:11	that we can visibly, quickly see it. I just click apply
1:10:16	We´ll come back to LDAP directory, IT,
1:10:24	perform full sync, there´s not very many in there.
1:10:27	It shouldn´t take long.
1:10:33	Grab Desmond Hume, +555
1:10:38	Great, change it back to +31
1:10:44	and we will resync again, IT, perform full sync
1:11:00	end user Desmond Hume and he´s back to what he was
1:11:09	Before we go on, let´me just take a moment to pause any questions?
1:11:20	Yes, in regards to now accessing
1:11:25	scope of directory which is visible on our find,
1:11:28	we´ll see the same information we normally see, right?
1:11:37	That´s correct, let´s just go ahead and pull it up.
1:12:57	Search.
1:13:03	Here we've got all of our users, Kate Austen, here we got,
1:13:09	some users that don't have any phone numbers.
1:13:15	Yes?
1:13:18	Is this what you're referring to David? Yes, cool, very cool.
1:13:26	No problem. Absolutely Joe, and I will send you the link to get this
1:13:30	actually what I'll do is I'll upload your email address,
1:13:34	to VOIP integration's website to a custom portal we have built.
1:13:39	And I'll go ahead and actually just email everyone
1:13:43	or upload everyone's email address.
1:13:45	This will send you an email, if you don't want to buy it, that's fine.
1:13:48	Buy if you do, it's $50 versus their $200 that they normally charge.
1:13:54	The only thing is it comes up and it says student version.
1:13:56	And you can't use it for commercial use. It is for studying.
1:13:59	If you need to use it in your corporation, buy the student version.
1:14:03	First of all you can demo it for free for 30 days.
1:14:06	But find to buy the student version to use for your studies
1:14:10	and then once you see how much you like it for just about everything
1:14:14	else in terms of support, you can certainly buy the full version, but I do
1:14:22	stongly encourage the full version for any corporate use.
1:14:28	So we've done all of this
1:14:33	take a look at, before we do authentication, let's tell CUCM end users
1:14:39	to deal with roles and multilevel administration.
1:14:43	We're told to allow the user Jack Shepherd to have access to
1:14:47	C and manipulate information on the CUCM server relating to other end users
1:14:52	Basically each of these users are gonna have different rights and roles
1:14:55	that we want to assign to them. So let's take them one at a time.
1:14:59	Jack Shepherd should be able to have access to C and manipulate
1:15:06	information so we're speaking of read and write properties
1:15:10	read and modify as they're referred to
1:15:12	in the CUCM server as relating to other end users.
1:15:22	OK, so back at user management, we can just go ahead and go into
1:15:29	Jack Shepherd and we're gonna be dealing with permissions,
1:15:34	but we don't really know, I mean we could look at add user to a group
1:15:39	and we can click and say find all the groups
1:15:43	and just try to make sense of what they do
1:15:46	here but this might not give us enough of a picture.
1:15:54	Standard CCM end users might be what we think,
1:15:58	but it wouldn't necessarily give us everything we want.
1:16:05	So let's take a look rather instead at user management.
1:16:11	User groups,
1:16:15	and we see these groups and within each of these groups,
1:16:19	they have the ability to see what users are contained within the groups.
1:16:26	OK? So here we have for standard CTI, we've got a number of,
1:16:30	these look like, we click on one, yes it's an application user.
1:16:35	OK let's go back user group, let's click on something that
1:16:38	probably doesn't have anything in it like phone administration.
1:16:44	No, users in there. OK?
1:16:48	But from the user page we were able add a group
1:16:50	and we saw that the group had certain roles,
1:16:53	let's take a look at the roles.
1:16:56	And we see we have a number of roles here.
1:16:59	Results per page 50 and we've got 36 total records,
1:17:03	so we're looking at all the various roles.
1:17:05	But we don't necessarily know what they can do.
1:17:08	There's one that sticks out, maybe if we scan the page fast enough
1:17:13	that looks conspicuous like user management.
1:17:15	Let's make sure it can do what we wanted to do, so let's click on it.
1:17:20	And here we've got resource access information. What the resource is,
1:17:25	and then what the privilege is, are they able to read
1:17:28	or write for that privilege or both and we can choose this for everything.
1:17:35	Read or update. OK, so read and write,
1:17:37	read and modify, however you want to look that up.
1:17:41	However, let's note there's one of five pages
1:17:45	And we return, I think 50 results per page, so let's just choose 250 results.
1:17:55	Not likng me because I changed something and wanted me to save.
1:18:01	Let's choose to see 250 results per page,
1:18:07	and we'll see all of the possible
1:18:12	privileges are resources that can be read or written to modify updated.
1:18:21	And what's selected by default and if you can't see quickly we can just
1:18:27	just bring this over here so that's it very quickly visible
1:18:33	right next to each other the read and update field next to the
1:18:37	resource that it's referring to resource that it's referring to,
1:18:39	so user webpages can be read and updated,
1:18:44	scroll up and wait until we see a blue check.
1:18:48	Here we go, bulk update for users, but none of the other BAT tool,
1:18:53	not phones, insert users with BAT or bulk.
1:19:00	Delete users with the bulk tool or the BAT tool, and that's it,
1:19:04	three functions regarding users on BAT.
1:19:08	And then the user webpages, that's what's contained within user management.
1:19:16	That's pretty much what we were told relating to other end users. OK?
1:19:23	So in order to change these things, notice that we can't
1:19:27	save them. I can't click this and click save.
1:19:30	Instead what I can do is say copy,
1:19:34	well actually first of all, I don't have to change anything. It has what I need.
1:19:39	I can just assign this role, so
1:19:43	let's go over to user management, end user.
1:19:50	Jack Shepherd and add the user to a group.
1:19:56	The search with something that contains user.
1:20:06	I'm not seeing it but that's because it's just a role.
1:20:10	We need to know what group it's in.
1:20:16	Away from that I did, I didn't mean to, I meant to do right click on it.
1:20:21	OK. And it also tells us what application it
1:20:27	is in reference to, so different applications like Call Manager Administration,
1:20:32	versus end user, that would actually be one that we would want as well, CTI.
1:20:49	OK, so let's go back to the end user.
1:20:55	and what we can do is try to
1:21:02	add a few of these groups and see what roles are contained within.
1:21:13	And once we click save, it will show us the roles
1:21:17	and we can see the details for either one of these.
1:21:22	OK, user group.
1:21:32	I forgot to do here.
1:21:38	Nope, go back.
1:21:46	And we do have standard CCM user administration,
1:21:49	but we also have admin administration.
1:21:53	That's probably not the one we wanted with super users.
1:22:06	OK?
1:22:13	And so what's the next task is to allow the user Hugo Reyes,
1:22:16	to have full access to the CUCM informix database via xml.
1:22:22	So let's come back here and find Hugo.
1:22:36	Like we have two users imported, so I accidentally
1:22:41	duplicated a user, this is the one we want to use.
1:22:47	And for this, we actually want, let me open the rolls back up again.
1:22:56	Another tab and we want standard AXL API access
1:23:00	to the call manager data base via XML or AXL which is the
1:23:06	administrative XML interface.
1:23:10	OK? So that's the one we're going to want to give to Hugo.
1:23:16	Now notice we don't actually have that as an option here. Why not?
1:23:22	Only 21 records are found if I search with blank which is everything.
1:23:26	Because I cannot actually do it from an end user.
1:23:30	Instead it has to be an application user.
1:23:33	So I would have to actually create an application user
1:23:36	and call in maybe Hugo or something that he could log in
1:23:39	with as an alternative to write all passwords.

Now Viewing

CCNA Voice
Title:	CCNA Voice
Duration:	74h 11m
The CCNA Voice class is an ultimate all-in-one solution for engineers pursuing the Cisco Certified Network Associate Voice (CCNA Voice) certification. This Video-on-Demand course includes over 70 hours of instructor-led content that will fully prepare you for the latest Cisco 640-461 ICOMM v8 certification exam. Please note that per Cisco CCNA Voice certification requirements, you need to have already met the pre-requisite of having a valid regular CCNA (Routing & Switching) status.
Get instant access to our entire library!
$159/month	Add to Cart
Download this Course
$199.00	Add to Cart

CUCM LDAP Synchronization cont'd, User Roles,...

Create Bookmark