01 June 2011

Changing Cisco UCM's LDAP Field Mapping

Just had another request from a Cisco UCM customer using the LDAP synchronization feature (DirSync). They initially mapped the CUCM "Phone Number" field to the Active Directory "telephoneNumber" attribute, now have other plans for "telephoneNumber" and want to map "Phone Number" to something else, but found that the field mapping cannot be edited once sync has been set up. I've been asked by several colleagues about the method I use to resolve this.

CUCM uses the DirSync service to perform one-way replication from an LDAP directory (such as AD).  I'm not going to go into detail about it, but you can find more in the Cisco SRND for UCM 8.x.  A search will also turn up a few blog posts on the subject, because most Cisco UCM engineers do not have a background in Microsoft products.  Deriving the correct X.500 search base in particular (the distinguished name, such as an OU, from which CUCM starts its search) can be unfamiliar to most network engineers.

Whenever I put in a Cisco UCM solution from scratch or set up LDAP synchronization for the first time, I choose to sync "Phone Number" in CUCM to the "ipPhone" attribute in AD.  The "ipPhone" attribute has been in the AD schema since Windows 2000; you may not have noticed it on the standard user properties sheet (it is the "IP phone" field on the Telephones tab), but it is there.

The issue is that Microsoft products like Exchange and OCS/Lync make considerable use of the telephoneNumber field for different things.  Exchange uses this field when users receive voicemail notifications from internal callers: if you are a mobile user, you want to see the DID of the calling user in the e-mail, not a 4-digit extension that you cannot dial from your cell phone.  The Exchange GAL is another use case, where a company has multiple locations in a consolidated Exchange organization but still has a partially distributed call processing architecture. It doesn't make sense to have telephoneNumber repurposed to hold CUCM extensions for the CUCM "Corporate Directory" at just those locations where CUCM is deployed.

Anyone who has gone to the LDAP Directory configuration page notices that the mapping cannot simply be modified.  So the next logical thing an engineer will do is A) screenshot the 5-6 lines of configuration, B) delete it, and C) re-create it. That will work, right?

So you get to step B and you see this warning: "You are about to permanently delete this Directory Configuration. This will delete all users from Cisco Unified Communications Manager that were synchronized by this configuration. This action cannot be undone. Continue?"

Scary Message
If you read all the gory details of the SRND and its past iterations, you would know that when the sync configuration is deleted CUCM doesn't delete the End Users, it simply flags them as "inactive".  An "inactive" account has its PIN and password disabled (that is the immediate impact).  At 3:15am cluster time, any account that has been "inactive" for more than 24 hours is THEN deleted, and you lose CUCM group membership, PIN, Controlled Device associations, IPCC Extension, User Device Profile associations, etc.

I just did this on a production 7.1(5) system last week. Now, if you click "OK" on the Scary Message above, what happens in real life is that all user accounts immediately switch to the "inactive" state.  You then have at least 24 hours to re-create the LDAP configuration with your new field mapping, this time the way you want, and run a full sync before they get deleted.  While the accounts are in the "inactive" state, all authentication with those accounts is DOWN, so plan accordingly.

The same rules apply to the User ID field as when setting up LDAP sync against a pre-existing End User database: the User IDs MUST match, or else the account will be deleted.  So don't think you can use this method to go from sAMAccountName to UPN.  If you want to switch from sAMAccountName to UPN or Email, do a BAT export, delete the sync, delete the users, re-sync with the new field mappings, and use BAT import to get all the CUCM elements back into the End User configuration.

As with all changes like this with CUCM, run a full (DRS) backup before you do anything.  With CUCM you never know when some bug will show up and ruin your evening plans.  I also like to do a BAT User Export with All Details, just in case :)
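Before clicking OK on that warning, the check I would want is whether the new mapping will actually match the users you already have. The following Python script is an added example, not part of the original post or any Cisco tool: it reads a CUCM end-user export and an LDIF dump of the AD users in the sync search base (both constructed sample data here; the "USER ID" column name is an assumption about the BAT export layout), reports which CUCM User IDs have no AD match under a chosen UserID attribute (those would go inactive and be garbage-collected), and which AD users would sync with an empty Phone Number under the attribute you intend to map.

```python
"""Pre-check before deleting and re-creating a CUCM LDAP Directory configuration.

Added example: compares a CUCM end-user export against an AD LDIF export to show
(1) which CUCM User IDs would not match under a given UserID attribute and
(2) which AD users have no value in the attribute to be mapped to Phone Number.
"""
import csv
import io

# Constructed sample CUCM end-user export. A real BAT export has many more
# columns; the "USER ID" header name is an assumption for this example.
CUCM_EXPORT = """\
USER ID,FIRST NAME,LAST NAME,TELEPHONE NUMBER
jsmith,John,Smith,1001
mjones,Mary,Jones,1002
bwong,Bob,Wong,1003
"""

# Constructed sample AD export in LDIF form (what ldifde or ldapsearch would
# produce for the sync search base). Note: Bob's sAMAccountName differs from
# his CUCM User ID, and Mary has no ipPhone value.
AD_LDIF = """\
dn: CN=John Smith,OU=Users,DC=example,DC=com
sAMAccountName: jsmith
userPrincipalName: john.smith@example.com
mail: john.smith@example.com
telephoneNumber: +1 555 0100
ipPhone: 1001

dn: CN=Mary Jones,OU=Users,DC=example,DC=com
sAMAccountName: mjones
userPrincipalName: mjones@example.com
mail: mary.jones@example.com
telephoneNumber: +1 555 0101

dn: CN=Bob Wong,OU=Users,DC=example,DC=com
sAMAccountName: bob.wong
userPrincipalName: bwong@example.com
mail: bwong@example.com
telephoneNumber: +1 555 0102
ipPhone: 1003
"""


def parse_ldif(text):
    """Parse simple LDIF into a list of dicts, one per entry.

    Single-valued, unwrapped attributes only, which covers the attributes CUCM
    can map (sAMAccountName, userPrincipalName, mail, telephoneNumber, ipPhone).
    """
    entries, cur = [], {}
    for line in text.splitlines():
        if not line.strip():
            if cur:
                entries.append(cur)
                cur = {}
            continue
        attr, _, value = line.partition(": ")
        cur[attr] = value
    if cur:
        entries.append(cur)
    return entries


def parse_cucm_export(text):
    """Return the list of CUCM User IDs from the export CSV."""
    return [row["USER ID"] for row in csv.DictReader(io.StringIO(text))]


def check_userid_mapping(cucm_ids, ad_entries, userid_attr):
    """CUCM User IDs with no AD entry whose userid_attr equals them.

    A synchronized user that no longer matches any directory record is marked
    inactive and later deleted, so these are the accounts at risk.
    Comparison is case-insensitive, as AD attribute matching is.
    """
    ad_values = {e.get(userid_attr, "").lower() for e in ad_entries}
    return sorted(uid for uid in cucm_ids if uid.lower() not in ad_values)


def check_phone_attr(ad_entries, phone_attr):
    """AD users (by sAMAccountName) that would sync with an empty Phone Number."""
    return sorted(e["sAMAccountName"] for e in ad_entries if not e.get(phone_attr))


def precheck(userid_attr, phone_attr, cucm_export=CUCM_EXPORT, ad_ldif=AD_LDIF):
    """Run both checks for a proposed UserID attribute and Phone Number attribute."""
    cucm_ids = parse_cucm_export(cucm_export)
    ad_entries = parse_ldif(ad_ldif)
    return {
        "would_be_deleted": check_userid_mapping(cucm_ids, ad_entries, userid_attr),
        "empty_phone": check_phone_attr(ad_entries, phone_attr),
    }


if __name__ == "__main__":
    # Keeping sAMAccountName as UserID and moving Phone Number to ipPhone:
    # only bob.wong fails to match, and mjones would sync with no phone number.
    print("sAMAccountName ->", precheck("sAMAccountName", "ipPhone"))
    # Switching UserID to UPN without a BAT export/delete/import: nobody matches.
    print("userPrincipalName ->", precheck("userPrincipalName", "ipPhone"))
```

Run it against your real export and LDIF before the delete: an empty `would_be_deleted` list for the UserID attribute you are keeping, and an empty `empty_phone` list for the attribute you are moving Phone Number to, means the re-created sync will reactivate every account inside the 24-hour window. The second run shows why the post says you cannot use this trick to move from sAMAccountName to UPN.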

17 May 2011

HP Enterprise Networking Products Technical Qualification

Along my path to the Master ASE Networking Infrastructure 2011, I made a quick stop to acquire the pre-sales certification for the data center A-series platform.  There was a significant amount of studying I had to do on IRF (awesome), RRPP, and L2/L3 MPLS.

HP A5820
I have a pair of A5800s waiting to be unboxed and racked as my A-series playground, but the racking and power situation needs some sorting before that stage.  I thought I would mostly be playing with IRF, but now that I know more about RRPP it is something I definitely want to get my hands on.

10 May 2011

Microsoft UC + Skype

I'm sure I am not the only one thinking this, but with Microsoft picking up Skype, it is going to be a huge win for Lync 2010.  Skype is notorious in the enterprise UC space for NOT integrating or playing nice with anyone, and every enterprise CXO uses Skype when they travel.

Now, if Microsoft does this right, Lync will be federated with Skype sometime soon, which is always the #1 question I'm asked when I show customers Lync and is the only "public IM" federation they care about.

UPDATE 12:15 10 May 2011:  In this morning's joint Ballmer & Bates press conference they confirmed that they are targeting Lync + Skype integration to bring Skype access to the enterprise.  Awesome!

09 May 2011

Hey! You are a network guy, get all these HP certs please...

Just started a new job with a new kind of partner.  I've been working with Cisco partners for pretty much my entire IT career, so I have been heavily insulated from other routing and switching platforms.  I saw this job as an opportunity to diversify and to make a clean break from solely being a Cisco solutions architect for CUCM.  Here I'll be selling and supporting HP, Juniper, and Cisco networking solutions.

The plan for me is to get my Master ASE in Network Infrastructure, quickly.  I have already obtained my AIS and ASE by "upgrading" from my Cisco certifications, which was a few online tests.  Here are my thoughts on each.

AIS - Network Infrastructure 2011
This entry-level cert for HP networking required me to be familiar with both the HP E-series (legacy ProCurve) and the HP A-series (legacy H3C) platforms.  These product lines have a massive amount of overlap, with products that serve the same purpose running completely different software platforms.  That was the challenging part: getting my head wrapped around all these products and their capabilities.

ASE - HP ProCurve Campus LANs 2010
Doesn't look like this one will qualify me for the current Master ASE (2011 version), but getting this certification only took a single online test, which I could take because I have a CCNP Voice.  Much less drilling on the product platforms, but it was a fair assessment making sure I understood routing protocols, wireless, and 802.1X.  The questions on VRRP kicked my ass because I've been under that Cisco rock for so long I forgot everything I learned when I installed Nokia IPSO :)

HP Networking Lab
While I do have a decent amount of hands on experience with the E-series switching platform, I have no experience with the A-series (H3C) products which appear to be solid products on paper.  My company is putting together a lab where I will have a couple A-series switches and routers at my disposal in addition to a bunch of E-series switches, and A-series wireless (interesting).  Come back later and I'll let you know what I think about this platform for the enterprise after I've played with it for awhile.