We are currently integrating CCM4 and CRS4 with Active Directory.
The CCM integration was straight forward and functions, as one would expect, however we are experiencing problems with CRS.
CRS installs without any errors and accepts the LDAP / Directory information provided. However when trying to create a JTAPI trigger when configuring CRS, we receive an error message: 'can't update the user on the Callmanager server'.
We have followed the documentation and re-installed this several times now, trying something different each time. We've looked at altering permissions of CCMadmin CRASAmin user as well as pointing the CRS to a different user repository, but to no avail. I've also looked in the logs, but can't see an awful lot in these either.
Any help would be greatly appreciated.
I am seeing the exact same thing here.
Brand new installation of IPCC Express Enhanced 4.0(3)_Build080. Integrated with AD.
Have you gotten anywhere with this?
Ok, we've managed to resolve the issue(s) in the end.
Firstly, we were able to overcome the problem: "can't update the user on the call manager server"
These are the steps we took:-
1. Add the JTAPI trigger as normal and receive the error message.
2. Click to refresh / resynch the directory (You should receive a message asking you to update the user in AD)
3. Set the desired password in AD for the JTAPI user.
4. Add the JTAPI trigger again and it should work.
Following this we had a further issue, in that the ICD extension radio button was not an avaialable option. We had to change directory properties manually using the 'ADSI edit' utility on the Domain Controller. This can be found on the windows 2000 / 2003 cd in the support folder.
1. Extract the utilty into c:\ and run the utility from the run prompt.
2. Change the following: LDAP entry : Cisco->CCN ->System Profiles-> ciscoCCNatIAQFlag.Set this attribute to true.
Hopefully this will help resolve your integration issues.
I did not open a TAC case for this, just worked it out through trial and error. I would be more then happy to try and help if you are still experiencing problems.
I had the same problem with the JTapi trigger on 4.0.2 but reinstalling and setup with 4.0.3 resolved the problem (AD integrated as well). Now on 4.0.3_Build80, I can't create the RM Jtapi user. The error in a popup window is "There was an error while updating the RM JTAPI information". If I create the user in AD first then the update states "Specified RmCm User already exists..." and clicking yes to proceed and update this existing user gives the same error as before. Anyone seen this problem?
I am having the same problem. Cannont create RM JTAPI user. CCM are using Active Directory integration and I have set the DIRACCESS registry key to TRUE. This should allow CCM to create the RM JTAPI user in AD....right?
Even with the DIRACCESS key set to TRUE I cannot add new users through CCM....seems like this is the root of the problem.
What happens if you actually create the RM JTAPI user in AD? Is this reflected in CCM? Maybe you can look at doing this in the first instance as a work around.
I gather it is possible to browse the user base via the CCM admin tool?
Does the account you use to admininister CCM have the priveleges to update / create users in Active Directory.
I can't speak for Jason but in the previous post above Jason's I did create the user in AD directly. It does show up in CCM and I can update and associate with it, etc. The CCM user account that is being used with the MMLA groups is also a Domain Admin, so in my case the RM JTapi create process states that it sees the account already exists and ask if I'd like to use it or change to another username. Either way the "error while updating..." message is displayed.
In my CallManager setup, it was a fairly recent upgrade to new hardware to 4.1.3 SR2 and I did not have the DIRACCESS flag set to true but I tried that and it did not change any of the outcomes. Before this step the JTapi Trigger was created and update successfully (once I tried 4.03 instead of 4.02) so I'm inclined to think this isn't just a simple CCM/Directory problem. Any other ideas?
One other interesting thing I noticed in CallManager, when I try to go into "MLA Enterprise Parameter Configuration" to change the Debug Level, I get an error about my User Group Base containing an invalid character, in my case it looks like it doesn't like the - one of the dc= portions. That is the correct path and everything else is working with the Directory Integration so I think it is just a bug in the UI Validation but I can't turn on Debugging in that section to see if that gives any better info...
I got DIRACCESS working and my RM JTAPI user created. It all centered around the ability to create accounts from CCM. I uninstalled AD integration by changing the registry back to DC Directory settings then reinstalled AD integration on the publisher and set the DIRACCESS key to true. Set my CCMAdministrator, IPMAUser and SysUser account passwords. Installed AD integration on the subscriber and set DIRACCESS key. Reloaded both CCM servers.
After all of this I was magically able to create users in AD via the CCM user administration. Created RM JTAPI user through CRS admin pages. CRS/CCM is actually smart enough to know that you are using active directory and at the end of the RM JTAPI configuration it tells you to set the password in Active Directory.
I am still confused as to why I couldn't create users in AD via CCM before all of this uninstall/reinstall hoopla (even though I could brwose users and assign devices to users). I'm sure I probably skipped a step in the AD integration.
BTW - I am using the latest and greatest CCM and CRS software.
Thanks for the update Jason. I currently can't create users in CCM even with the DIRACCESS flag set so that must be problem as well. I get a vague handled error page in CCM when I try. When you said you set the CCMAdministrator, IPMAUser and SysUser account passwords, are you talking about in DCD once you had reverted back or in Active Directory?
That is exactly what I am talking about. Here is the exact process I followed:
1) Reverted publisher back to using DC directory (there is a walkthrough on Cisco's site which basically consists of changing the Directory registry settings).
2) Rebooted publisher
3) Ran directory integration wizard/plug-in (did not select schema update option as the schema has already been extended). At the end of the installation it warns you to set the CCMAdministrator, IPMAUser and SysUser account passwords before you install the plug-in on any subscribers.
4) Set CCMAdministrator, IPMAUser and SysUser account passwords using the password utility.
5) Set DIRACCESS key to true on publisher.
6) Rebooted publisher.
7) Installed plug-in on subscriber. Subscriber actually connects to publisher via remote registry to sync CCMAdministrator, IPMAUser and SysUser accounts/passwords. If the passwords don't exist the install will fail. You can check the existance of the passwords in the registry of the Publisher and changed them there if needed.
8) Set DIRACCESS key to true on subscriber.
9) Rebooted subscriber.
10) Tested the ability to browse and create AD users via CCM.
11) Configured RM JTAPI user in CRS. This took a long time (3-4 min) but it created the user in the containter that we specified for user creation in the integration plug-in. Like I stated before, CRS/CCM is smart enough to know that your directory is AD and tells you that you need to set the password for the user via AD.
Here are the things that I think got me into trouble with this on my inital CCM AD integration:
1) Only installed the plug-in on the publisher (doh!)
2) Ignored the prompt to set the passwords for the CCMAdministrator, IPMAUser and SysUser accounts.
3) Did a lot of browsing and associating users to phones/devices via CCM user administration before I set the DIRACCESS key to true.
What threw me for a loop? The fact that CRS releases previous to 4x you created the user and then told CRS what that user is. Now CRS actually wants (and has to) create the user.
Hope this helps. Have a good weekend and don't worry about your phones!