Cisco Support Community

New Member

Excluding a child domain from directory searches in CCM?

Anyone know if it's possible to tell the AD plugin with CCM to not search child domains (or even just a specific child domain)?

I've got an install with all the CCM users in the root domain in different OUs. They don't have any CCM users in the child domains, and some of the child domains are across slower speed or less reliable links, causing slowdowns in CCM when performing any user directory functions.

6 REPLIES
Cisco Employee

Re: Excluding a child domain from directory searches in CCM?

CCM performs a subtree scope search and as a result will receive search references potentially pointing to the undesired child domains. There are no filters that can be applied. We have seen many issues as you described when pointing to the root.

Maybe you can pursue this with your Cisco account team to create a feature request for a way to filter undesired domains.

Kevin

New Member

Re: Excluding a child domain from directory searches in CCM?

Kevin,

Thanks for the reply. I'll pursue it with our AM.

I have worked around the problem by creating a host file entry for the child domain and pointing at the local host; this results in an immediate connection refused and not timeouts. Works relatively decent too.

Cisco Employee

Re: Excluding a child domain from directory searches in CCM?

Interesting workaround. I hadn't thought of doing that :-)

Kevin

Gold

Re: Excluding a child domain from directory searches in CCM?

Patrick,

It's true that you can't get CCM to scope or filter the search query. However, assuming you've gone with best practices and used a special low-privileged user to integrate with Active Directory instead of Administrator, as shown here:

http://www.cisco.com/en/US/partner/products/sw/voicesw/ps556/products_installation_and_configuration_guide09186a00802e066d.html#wp54764

you can get tricky with Active Directory permissions to effectively filter your searches. If you use the Active Directory Users and Computers tool to place an explicit deny of all read permissions ACL for your integration user on a given OU, searches will not descend into that OU. You should be able to solve your immediate problem by denying permissions on your child domain or the OUs within it. You can even put a deny on individual single objects if you need to.

New Member

Re: Excluding a child domain from directory searches in CCM?

I'll be testing this; however, will a deny on an entire domain stop AD from returning the LDAP referrers in its results? If not, it only partially solves the problem because CCM will still attempt to contact the remote DCs, some of which are over lower speed or unreliable links, which ends up causing the delays.

New Member

Re: Excluding a child domain from directory searches in CCM?

Just to follow up on this, deny rights don't stop AD from returning the referrals in the LDAP queries, so CCM will still attempt to contact the other child domains.
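An added illustration of the behavior discussed in this thread (not code from any poster or from Cisco): search references come back from a subtree search as LDAP URLs, and the script below groups such URLs by whether they stay in the base domain or point at a subordinate one, then lists the hosts a referral-chasing client would try to contact. The domain names and URLs are constructed samples, and the function names are hypothetical.

```python
from urllib.parse import urlsplit, unquote

def dn_to_dns(dn):
    """Turn the DC= components of a DN into a DNS name (DC=a,DC=b -> a.b)."""
    # A plain comma split is enough here: DC values cannot contain commas.
    rdns = [rdn.strip() for rdn in dn.split(",")]
    return ".".join(r[3:] for r in rdns if r.upper().startswith("DC=")).lower()

def classify_referrals(base_dn, referral_urls):
    """Group search-reference URLs by where they would send the client."""
    root = dn_to_dns(base_dn)
    groups = {"base": [], "subordinate": [], "other": []}
    for url in referral_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        # The URL path carries the DN of the naming context referred to.
        context = dn_to_dns(unquote(parts.path.lstrip("/")))
        if context == root:
            kind = "base"          # same domain as the search base
        elif context.endswith("." + root):
            kind = "subordinate"   # e.g. a child domain below the root
        else:
            kind = "other"
        groups[kind].append((host, context))
    return groups

def hosts_outside_base(base_dn, referral_urls):
    """Unique hosts a referral-chasing client would contact outside the base domain."""
    groups = classify_referrals(base_dn, referral_urls)
    return sorted({h for kind in ("subordinate", "other") for h, _ in groups[kind]})

# Constructed sample: references a root-domain subtree search might return.
SAMPLE_REFERRALS = [
    "ldap://emea.example.com/DC=emea,DC=example,DC=com",
    "ldap://dc1.apac.example.com:389/DC=apac,DC=example,DC=com",
    "ldap://example.com/CN=Configuration,DC=example,DC=com",
]

if __name__ == "__main__":
    for host in hosts_outside_base("OU=Phones,DC=example,DC=com", SAMPLE_REFERRALS):
        print(host)
```

Feeding it the references seen in a packet capture or LDAP client trace shows which remote hosts sit behind the slow directory lookups.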
