Cisco Support Community
Community Member

Integrating CCM3.1 with MS Active Directory

We are trying to integrate CCM3.1 with MS Active Directory in a Lab Environment.

Since nothing is working as it should we would like to summarize our situation to check we did everything in the right way (or not).

We have followed the document we found at

We have a Win2K Server with a clean Active Directory installation.

We have installad a Call Manager 3.1 which is a stand alone server (not member of the domain but we have also tried with a member server).

We have installed the "Customer Directory Configuration Plugin" on the CCM as specified in the above document.

We selected "express cfg", inserted the proper AD hostname (port 389), we have manually created the Cisco OU under Active Directory, and changed the User search attribute into "user id". We have inserted the Directory Administrator Password.

After this we have chosen to use the EXISTING Schema (but we have tried both)

All this worked fine with no errors and it updated the AD Schema (under the Cisco OU created we had another CCN OU and several sub-OUs). Furthermore a user called "CTI Framework" was created in AD.

The problem is now in creating and searching for users in the Call Manager.

If we insert a user from the Call Manager "Add User" page, it says that access is denied after we hit the Insert button ("Could not update user -2100 Access Denied").

NOTE: A profile was created into the AD Cisco/CCN/Profiles but no user has been added to Active Directory.

NOTE2: A Javascript error appears when the value of field USERID is changed (probably it doesn't matter)

What was wrong with our installation procedure? The problem is that there is a little documentation about this and we really don't know what to do!!!

Thanks in advance


Cisco Employee

Re: Integrating CCM3.1 with MS Active Directory

Note that adding users in Global Directory of CCMAdmin by default is not allowed when using the external directory. The reason it is setup that way is 1) by default, we expect the people in charge of the directory system to add/change/delete users, not the CallManager administrators, and 2) specifically with Active Directory (not sure about Netscape) we don't have a way to set or change user passwords in the directory since we are not implementing the proprietary Windows API to do this. So the passwords have to be set in the Active Directory GUI.

If you want to be able to add users to the AD from CCMAdmin, you can go into the registry, and go to:

HKLM\SOFTWARE\Cisco Systems, Inc.\Directory Configuration

There you will see a key called DIRACCESS which says false

If you set this to true then it should work. I believe you may have to go to Services, select IIS Admin Service, and click Restart in order for the change to take effect.

Community Member

Re: Integrating CCM3.1 with MS Active Directory

This is the question about CM installation... very close to this situation....

Am I right... that CM can be installedas

1. Standalone server or domain server without any Directory services ... and then Cisco DC Directory will handle users and other stuff...

2. As Domain Controller with LDAP and then after install CM we need run integration process with LDAP...Then LDAP take care about all users....

Can anybody say am I right?

Cisco Employee

Re: Integrating CCM3.1 with MS Active Directory

1. Don't make a production CallManager a domain controller. Just don't do it.

2. Don't make a production CallManager a domain controller. Just don't do it. (yes I meant the answers to be the same)

If you want to make remote management easier, you can make the CallManager a member server in an NT domain or Active Directory.

But that has nothing to do with user data stored in LDAP. That is a separate animal. Even if you make the CM a member server it will still use DC Directory. If you want to use AD to store AVVID related user information you would use the customer directory plugin. But again that has nothing to do with who is a domain controller and who is a member server.

Community Member

Re: Integrating CCM3.1 with MS Active Directory


We fully agree with these concepts. It is ok for us to create users only in Active Directory.

But the matter is:

How do make these users visible to the Call Manager?

And some parameters like the PIN, or the telephone number or the IP Phone association, how can they be associated with the user?

These parameters cannot be found in the normal "Active Directory User properties". And when we search for users from the CCMAdmin we cannot find anybody.

By the way we have already tried to set the Registry key to true but we were still not able to insert users in the AD from the Call Manager. The answer which was given was the one we have posted in our previous message ("Access Denied").

CreatePlease to create content