Can one (A) use an AD LDS proxy server for CuciLync authentication purposes, while (B) using the actual Microsoft AD LDAP server for directory sync and directory lookups? The CUCM LDAP system configuration and directory configurations point directly at a Microsoft AD server IP. The LDAP authentication configuration page points at an AD LDS proxy server which maps the authentication requests to the user on the AD server.
I have a customer with HCS 9.1.2 CUCM/CUC integrating to a multiple forest, multiple domain AD and also disjointed namespaces. An example of their namespace is as follows: dc=widgets,dc=local, while the users in that container have domain names that end in widgets.com. Due to these characteristics we have some issues, and per the CUCM SRND, CUCM can't integrate with disjointed namespaces. Also, Unity Connection requires digitally networked clusters in order to support multiple forests.
Cisco provides a solution whereby a Microsoft AD LDS server is used as a proxy to the actual Microsoft AD server (https://supportforums.cisco.com/document/63136/how-configure-unified-communication-manager-directory-integration-multi-forest). Using this method, the AD can remain the same, but the usernames there are mapped to usernames on the proxy server, which is used by CUCM and CUC for authentication purposes. Our customer tried this and it worked with the Cisco applications, but the customer had an internal reason for why they could not use this method.
Instead, they configured the AD LDS proxy for authentication only, while the directory sync still connects directly to Microsoft AD. CuciLync has been unstable with regard to authentication and access to the directory using this method. Authentication has been working for 3 days, but CuciLync cannot connect to the directory for some reason. CuciLync is using the same directory settings as are configured in CUCM.