I have some questions about my options in AD synchronization for CUCM/CRS, specifically for version 8, but I don't think it actually matters (could apply to versions as far back as 6).
In our production telephony environment we are not currently using AD synchronization (we are using it in our Proof of Concept, however). We are preparing to migrate to a new infrastructure that will leverage AD. However, on the AD side accounts are not organized optimally, so service accounts are visible in the phone directory (obviously a problem). I've been making the point that this needs to be fixed so that CUCM is synchronizing with specific containers with accounts that should show up on the telephony side, but am concerned that this reorganization may not occur in time. It may be decided later on, well after the install, that a reorganization should occur to fix the issue. So, I'd like to have a better understanding of the implications. I've been working on this issue in our POC and would like to verify with you all if my understanding of the consequences is correct.
1) If AD reorganization is done AFTER the new system installation and its corresponding AD integration and I am given a new set of OUs to synchronize with, when I delete the previous synchronization settings (in this case, unfortunately, to the root OU) this will remove all of the present root-OU-synchronized accounts from CUCM, which by extension will break their associations with the phones and also remove the CRS agents/supervisors. I will still be able to log into CUCM as an administrator with the appropriate application account, but now I will have to reassign the administrative privileges to the newly synchronized OU accounts.
2) CRS requires user accounts in CUCM to be created in order to assign administrator, supervisors, and agents (does not see accounts created as application users). If an AD synchronization is broken and reestablished, how would you log into CRS to reassign agents?
In CCM 8, you can now specify AD filters to use in synchronising users. Since you are worried about service accounts I will use the telephonenumber filter as shown below:
To select users with a phone number
This will only return users with telephone numbers.
Also, as Michael mentioned, as long as the user ID is the same you won't lose your associations. I did this recently and I was pleased to see that this was the case. Don't forget you have 72 hours of grace to re-synchronise the users.