Cisco Support Community

Multi-forest LDAP Sync Automation Issue - CUCM 9.1

So, we have an organization with two separate forests with phone users we need to pull and sync with their CUCM 9.1 cluster.  I've managed to follow the instructions to set this up using AD LDS (formerly ADAM).  For security reasons, we decided to put the AD LDS server in a 3rd forest, though this issue should be a problem even if we were to put the AD LDS servers in one of the existing forests.  I was able to sync with both forests, and I was then able to set up an LDAP integration with the CUCM cluster.  The problem is in creating a scheduled task that continues the synchronization of the AD LDS with the two forests.

For the sake of this discussion, let's say we have the following domains, all in different forests:
- one of the domains
- the 2nd domain, in a different forest
- the 3rd domain/forest that houses AD LDS

The commands we need to run every time we wish to sync with the two domains are something like the following:

ADAMSync /install localhost:50000 c:\windows\ADAM\AdamSyncConf-one.XML /log logs\install-one.log /passprompt

ADAMSync /sync localhost:50000 "dc=MultiForest,dc=local" /log logs\sync-one.log

ADAMSync /install localhost:50000 c:\windows\ADAM\AdamSyncConf-two.XML /log logs\install-two.log /passprompt

ADAMSync /sync localhost:50000 "dc=MultiForest,dc=local" /log logs\sync-two.log

The different XML files specify the different domains you wish to synchronize with, including the user account in each source domain that you'd like to use to pull the information in.  Since the AD LDS server isn't in either of the two domains, we need to specify an account in each of the domains and we need to use the /passprompt switch.  This is where the problem comes in.  The /passprompt switch forces ADAMSync to ask for the password, which is fine if you're doing it while you're in front of the server, but not when you're expecting this to run overnight via a scheduled task.

Note that this would be a problem even if the AD LDS server is in one of the two domains that you're syncing with, since you'd at least have to put the /passprompt switch on the command that is syncing with the other forest.  This is also always the problem with dealing with more than one forest to sync with, since we can't just run the ADAMSync /install once with the password, then just run the /sync process; you need to re-run the /install process every time you wish to synchronize with the other forest.

I actually tried something like the following to see if I can get the BAT process to auto-answer the password prompt:

echo Password1| ADAMSync /install localhost:50000 c:\windows\ADAM\AdamSyncConf-two.XML /log logs\install-two.log /passprompt

but when I do that, ADAMSync comes back with an error "Failed to query the console mode."

Am I missing something easy and fundamental here?  I've looked all over, and don't find any discussion on this, and I would've thought someone would've come across this already.
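Added example (not from the post or from Microsoft's ADAMSync tooling): a PowerShell wrapper for the four-command sequence above that stops the chain on the first failed step and then queries the AD LDS instance over LDAP to confirm user objects are actually present before the CUCM cluster's own LDAP sync reads the partition. It does not remove the /passprompt interaction the post asks about; each /install still prompts when run this way. The ADAMSync path, log directory, the assumption that ADAMSync returns a non-zero exit code on failure, the 'user' object class and the minimum-count floor are all assumptions for illustration.

```powershell
# Added example, not code from the original post.
# Runs the ADAMSync install/sync pair once per source forest, fails fast,
# then sanity-checks the resulting AD LDS partition over LDAP.

$ErrorActionPreference = 'Stop'
$AdamSync = 'C:\Windows\ADAM\ADAMSync.exe'     # assumed install path of ADAMSync
$LogDir   = 'C:\Windows\ADAM\logs'             # assumed log directory
$Instance = 'localhost:50000'                  # instance used in the post
$TargetDn = 'dc=MultiForest,dc=local'          # target partition used in the post
$Configs  = @(
    @{ Name = 'one'; Xml = 'C:\Windows\ADAM\AdamSyncConf-one.XML' },
    @{ Name = 'two'; Xml = 'C:\Windows\ADAM\AdamSyncConf-two.XML' }
)
$MinUsers = 100   # assumed floor; set to the real combined phone-user headcount

function Invoke-Step {
    param([string]$Label, [string[]]$Arguments)
    Write-Host "[$(Get-Date -Format s)] $Label"
    & $AdamSync @Arguments
    # Assumption: ADAMSync exits non-zero on failure. If a given build does not,
    # parse the /log file for the step instead of relying on $LASTEXITCODE.
    if ($LASTEXITCODE -ne 0) {
        throw "$Label failed with exit code $LASTEXITCODE; see $LogDir"
    }
}

function Get-SyncedUserCount {
    # Counts synced user objects under the target partition. Assumes the schema
    # import created 'user' objects (not 'userProxy') and that the account running
    # the task can bind to the AD LDS instance with its current credentials.
    $root = [ADSI]"LDAP://$Instance/$TargetDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    $searcher.Filter = '(&(objectClass=user)(userPrincipalName=*))'
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.Add('userPrincipalName')
    return $searcher.FindAll().Count
}

New-Item -ItemType Directory -Path $LogDir -Force | Out-Null

foreach ($cfg in $Configs) {
    $n = $cfg.Name
    # /install loads the per-forest config and, with /passprompt, still asks for
    # the source-domain password interactively, which is the open question above.
    Invoke-Step -Label "install $n" -Arguments @(
        '/install', $Instance, $cfg.Xml, '/log', "$LogDir\install-$n.log", '/passprompt')
    Invoke-Step -Label "sync $n" -Arguments @(
        '/sync', $Instance, $TargetDn, '/log', "$LogDir\sync-$n.log")
}

$count = Get-SyncedUserCount
Write-Host "AD LDS now holds $count user objects under $TargetDn"
if ($count -lt $MinUsers) {
    throw "Only $count users found, below the floor of $MinUsers; check the sync logs before the CUCM LDAP sync runs"
}
```

The post-sync count is the part worth keeping even if the command sequence changes: a sync that silently imported nothing looks identical to a successful one in a scheduled-task history, and the LDAP query is what exposes the difference.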
