I have a question with Unity and multiple domain users. I have a customer that runs 2 domains and both domains use the same EXCH message store. BTW, is this even possible? I am a new bird for exch, so please bear with me.
Long story short, if Unity joins into one domain and some of the users are in another domain, can Unity still talk to that domain? What is required to get this kind of environment working? If I do mail forward, I think the MWI doesn't work, right?
Any input is appreciated.
Under Exchange admin sw-> Add user/computer, I can't see those users under the main tree. So I guess they are not part of the same domain forest. I need to confirm though.
I am running AD2003, EXCH 2003 with Unity 5.0 UM.
From your description, it sounds like they are in the same AD forest. To confirm, do the following:
1. Open up Active Directory Users and Computers.
2. Right-click on the container at the very top of the tree in the left pane, and select "Connect to Domain."
3. In the Connect to Domain dialog box, click the "Browse" button and see if the other domain is listed there. If so, you're in the same AD forest.
So I am guessing if they are in the same AD forest then I am good then, right?
Even though users are in different domains, as long as they share the same EXCH msg storage, and they are in the same AD forest tree, Unity will be able to handle that?
Can you confirm, please? And I will try your suggestion to verify.
Yes, the users can be in different domains or homed on different Exchange servers, but as long as they are all in the same AD forest Unity is fine.
We've got a ton of documentation, and it must seem overwhelming when you aren't familiar with AD and Exchange. But here's the link so you can start exploring:
I tried it and I can see the domains that I want. So we are in the same forest tree. As a matter of fact, the 2nd domain that I want to add is just a child domain of the main domain. So say Unity is in abc.com, and I want to add users from prefix.abc.com.
When I ran permission wizard, I added permission to abc.com only. Now when I tried to add those users in prefix.abc.com, it gave me an error saying "unrecognized error...E_accessdenied". I had this problem before in my abc.com and I fixed it by enabling inheritable permission from parent. However, now I can't because the check box is greyed out, which I think means the account that I am using, Unityadmin, doesn't have the privilege to change it, right?
What should I do now? Should I run permission wizard to that prefix.abc.com or should I look into permission for Unityadmin account on prefix.abc.com domain? BTW, is it even possible to enable an account in another domain to be domain admin account? Doesn't sound logical.
I've got the same problem with a customer of mine. Exact same scenario, multiple domains, same forest. I get the same E_ACCESSDENIED error message when attempting to import subscribers. There's an event log entry that corresponds:
Event Type: Error
Event Source: CiscoUnity_DSAD
Event Category: Error
Event ID: 1046
Time: 9:37:19 AM
The Cisco Unity service that monitors Active Directory (AvDSAD) failed to modify object.
Name: CN=Doe\, John,OU=BT,OU=Users,OU=Somewhere,DC=hst,DC=company,DC=net
Reason: ERROR_ACCESS_DENIED: Access is denied.
Domain Controller: hstdc01.hst.company.net
Possible causes include: 1) Network connectivity to the Domain Controller. 2) Insufficient rights for The Cisco Unity service that monitors Active Directory (AvDSAD) account.
Ensure that The Cisco Unity service that monitors Active Directory (AvDSAD) can contact the Domain Controller and has sufficient rights to modify objects. If the problem persists, enable all the micro traces for The Cisco Unity service that monitors Active Directory (AvDSAD) in the Unity Diagnostic Tool. Report the problem to Cisco TAC and include the diagnostic log.
For more information, click: http://www.CiscoUnitySupport.com/find.php
I'm guessing that the problem surrounds the lack of Domain Admin privileges in the second domain. Any thoughts?
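An added example, not part of the thread and not Cisco code: it parses the event 1046 text quoted above, splits the object's distinguished name (respecting the escaped comma in `CN=Doe\, John`), and reports which domain and container the access-denied write targeted. The function names, the `granted_domains` input (domains where Permissions Wizard has already been run) and the sample value `company.net` are assumptions made for illustration.

```python
import re

# Constructed sample: the event 1046 text quoted in the post above.
SAMPLE_EVENT = r"""Event Source: CiscoUnity_DSAD
Event ID: 1046
Name: CN=Doe\, John,OU=BT,OU=Users,OU=Somewhere,DC=hst,DC=company,DC=net
Reason: ERROR_ACCESS_DENIED: Access is denied.
Domain Controller: hstdc01.hst.company.net
"""

def split_dn(dn):
    """Split a distinguished name on commas, honouring backslash escapes."""
    parts, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]      # keep the escaped pair, e.g. "\,"
            i += 2
            continue
        if dn[i] == ",":
            parts.append(cur.strip())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    parts.append(cur.strip())
    return parts

def triage(event_text, granted_domains):
    """Report which domain/container an access-denied event points at.

    granted_domains is a hypothetical operator-supplied list of the DNS
    domains in which Permissions Wizard has already been run.
    """
    fields = dict(re.findall(
        r"^(Event ID|Name|Reason|Domain Controller):\s*(.+)$", event_text, re.M))
    rdns = split_dn(fields["Name"])
    domain = ".".join(r[3:] for r in rdns if r.upper().startswith("DC=")).lower()
    return {
        "object": rdns[0],
        "container": ",".join(rdns[1:]),
        "domain": domain,
        "access_denied": "ERROR_ACCESS_DENIED" in fields.get("Reason", ""),
        "domain_granted": domain in {d.lower() for d in granted_domains},
    }

if __name__ == "__main__":
    print(triage(SAMPLE_EVENT, ["company.net"]))
```

A result with `access_denied` true and `domain_granted` false names the domain and OU path to check first for missing delegated rights, rather than widening the account's group membership.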
I think you need to re-run Permissions Wizard and select that domain\OU as a container that you will be importing and/or creating subscribers in.
So basically I need to run permission wizard and select the main domain and child domain as a container at the root level so all the containers below the root level will have the proper Unity privilege set?
I asked our Permissions Wizard wiz kid to take a look at your question, and she replied:
I'd probably tell him to do this just to cover all of the bases:
1) log in to the Unity server in question as the root domain administrator
2) download latest applicable PW version from www.ciscounitytools.com
3) run PW as the root domain admin and select each of the OUs that contain/will contain AD account of Unity subs.
4) ensure you know what you need as far as either import only vs. create and select appropriate options
5) restart Unity (for the service accounts to get their new credentials from AD)
6) log off of Unity as root admin and back on as whatever the UnityAdmin account is
7) confirm ability to do whatever he needs to do w/out errors being generated
8) if there are other errors, ensure that in ADUC, the "inherit permissions" checkbox is checked on the OUs that have Unity subs in them.
That should solve it all.....