Cisco Unity

Table Of Contents

White Paper: Cisco Unity Data and Active Directory (Cisco Unity 5.x and Later with Microsoft Exchange)

Introduction to the Cisco Unity Objects Stored in Active Directory

About Subscribers

About Distribution Lists

About Locations

In the Future: Cisco Unity Sites

About the Cisco Unity Database and Active Directory

Cisco Unity Database

Why the SQL Database Is Used

Why Cisco Unity Stores Data in Active Directory

Support for Unified Messaging

Support for Networking

Flexible Administration

Customizable Permissions

About the Cisco Unity Schema Extensions to Active Directory

Extending the Schema

Viewing the Version of the Schema Extensions

Classes

Property Sets

Attributes

User and Contact Attributes

Distribution List Attributes

Location Object Attributes

Chronology of Changes to Schema Extensions

Changes to Extensions Required by Cisco Unity

Changes to Bridge Networking Extensions

Changes to VPIM Networking Extensions

About Synchronization

Updates to the Directory Are Synchronous

Updates to the SQL Database Are Asynchronous

Active Directory Monitors

White Paper: Cisco Unity Data and Active Directory (Cisco Unity 5.x and Later with Microsoft Exchange)

---

Published September 17, 2007

This document describes the Cisco Unity data that is stored in Active Directory. See the following sections:

•Introduction to the Cisco Unity Objects Stored in Active Directory—Describes the Cisco Unity objects that are stored in Active Directory.

•About the Cisco Unity Database and Active Directory—Explains why information about Cisco Unity objects needs to be stored in Active Directory.

•About the Cisco Unity Schema Extensions to Active Directory—Provides details about the schema extensions that Cisco Unity makes to Active Directory.

•Chronology of Changes to Schema Extensions—Provides a brief summary of the changes to the Active Directory schema extensions, and the version of Cisco Unity in which the changes occurred.

•About Synchronization—Explains the synchronization process between the database on the Cisco Unity server and Active Directory.

For information about the size impact of the Cisco Unity schema extensions on Active Directory, see the White Paper: Active Directory Capacity Planning (Cisco Unity Version 5.x and Later with Microsoft Exchange), at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/prod_white_papers_list.html.

For detailed information about the Active Directory permissions required by Cisco Unity, see the Permissions wizard Help file, which is available on www.ciscounitytools.com, or the file PWHelpPermissionsSet_<language>.htm on the Cisco Unity server.

Introduction to the Cisco Unity Objects Stored in Active Directory

Almost all of the information about subscriber accounts and other Cisco Unity objects is stored in a SQL database on the Cisco Unity server. However, a minimal amount of information about subscribers, distribution lists, and locations is stored in Active Directory. The following sections provide an introduction to the objects that Cisco Unity stores in Active Directory:

•About Subscribers

•About Distribution Lists

•About Locations

•In the Future: Cisco Unity Sites

About Subscribers

Anyone who has an account on Cisco Unity is a subscriber. Each Cisco Unity subscriber account is associated with an Active Directory user with an Exchange mailbox in which Cisco Unity stores voice messages. The associated user objects for subscribers in Active Directory contain Cisco Unity-specific attributes (see Table 1).

When you create a subscriber account in Cisco Unity, the associated user object in Active Directory is created with Cisco Unity-specific attributes. You can also create subscriber accounts by importing existing users. In this case, when the subscriber account is created, the Cisco Unity-specific attributes are written to the existing user object in Active Directory.

Cisco Unity supports networking with other voice mail systems. This networking functionality includes the ability to create remote subscriber accounts for people who do not have mailboxes on the local Exchange network. You create remote subscriber accounts in Cisco Unity to allow callers to find them in the Cisco Unity phone directory, and to allow Cisco Unity subscribers to send messages to them as they would to any other subscriber. There are different types of remote subscribers: AMIS, Bridge, Internet, Trusted Internet, and VPIM. Voice messages for Internet and Trusted Internet subscribers are sent to an e-mail address that you specify when you create the subscriber account. Voice messages for AMIS, Bridge, and VPIM subscribers are sent to a mailbox on the remote voice messaging system.

When a remote subscriber is created, an associated Active Directory contact is also created. The contacts in Active Directory for remote subscribers contain Cisco Unity-specific attributes.

About Distribution Lists

A Cisco Unity public distribution list is an Active Directory group that contains Cisco Unity-specific attributes (see Table 3).

When you create a distribution list in Cisco Unity, the associated group object in the directory is created with Cisco Unity-specific attributes. You can also create distribution lists by importing existing groups. In this case, when the distribution list is created, the Cisco Unity-specific attributes are written to the existing group object in the Active Directory.

Distribution lists can contain both subscribers and non-subscribers. When a voice message is sent to a distribution list, it is delivered to the mailboxes of non-subscribers as an e-mail with a WAV attachment. Depending on the codec used to record the message, non-subscribers can use Windows Media Player or another program to listen to the voice message.

About Locations

The Cisco Unity schema extensions include the definition for a class of objects called locations. Locations are Cisco Unity objects that are used in Cisco Unity networking. (See Table 4 for a list location attributes.) There are two types of locations: primary locations and delivery locations.

Each Cisco Unity server is associated with one location object—referred to as the primary location—which is created during installation and which cannot be deleted. Each primary location contains the network information that identifies the Cisco Unity server to other Cisco Unity servers and to other voice messaging systems.

A delivery location contains the network information that Cisco Unity needs to send messages to and receive messages from other voice messaging servers. You create a delivery location for each voice messaging server with which the local Cisco Unity server will communicate. The delivery location identifies the voice messaging system to Cisco Unity.

For more information about networking in Cisco Unity, see the Networking Guide for Cisco Unity, available at http://www.cisco.com/en/US/products/sw/voicesw/ps2237/products_feature_guides_list.html.

In the Future: Cisco Unity Sites

The Cisco Unity schema extensions include the definition for a class of objects called Cisco Unity sites. Although they are not currently used, future versions of Cisco Unity may create and make use of Cisco Unity site objects. The class definition for Cisco Unity sites was added to the schema extensions in Cisco Unity 5.0(1) to avoid additional schema extensions in the future.

Although the plans are not firm yet, in the future, multiple Cisco Unity servers configured for Digital Networking could be associated with a Cisco Unity site object. Configuration settings common to all the servers could be applied to the site object instead of having to configure the same settings on each server. The use of site objects would save an administrator configuration time, and would ensure that all the servers have consistent settings.

About the Cisco Unity Database and Active Directory

Cisco Unity stores its data in an SQL database on the Cisco Unity server, and a subset of that data is also stored in Active Directory. The following sections provide more information:

•Cisco Unity Database—This section briefly describes the structure and content of the tables in the SQL database on the Cisco Unity server.

•Why the SQL Database Is Used—This section explains the benefits of storing data in the SQL database.

•Why Cisco Unity Stores Data in Active Directory—This section explains the benefits of storing selected data in Active Directory.

•Customizable Permissions—This section briefly describes how you can use the Cisco Unity Permissions wizard to restrict Cisco Unity access to Active Directory.

Cisco Unity Database

The Cisco Unity database is a Structured Query Language (SQL)-based, scalable, relational database. Depending on your configuration, the database that Cisco Unity uses is either Microsoft SQL Server 2000 or Microsoft Data Engine 2000 (MSDE 2000)¹ . (Note that the MSDE 2000 data engine is fully compatible with SQL Server.)

Cisco Unity stores its data in a database called Unitydb. Unitydb contains tables for each type of Cisco Unity object. These tables contain data about all of the Cisco Unity objects that have been created on the local Cisco Unity server. Additionally, there are global subscriber and global location tables that contain information about the subscriber accounts and locations that were created on other Cisco Unity servers. When subscriber accounts and location objects from other servers replicate in Active Directory, Cisco Unity detects these objects and saves information about them in the global tables.

You use the Cisco Unity Administrator and tools such as Bulk Edit to make changes to the data that is stored in Unitydb. You can also use the Cisco Unity Data Link Explorer (CUDLE), found in Tools Depot, to view the raw data in Unitydb. Although you can also use the standard database tools on the Cisco Unity server to run SQL queries on the tables, you should not change values directly in the database. In particular, do not add or delete tables, and do not add or delete columns from the tables in the Unitydb.

Note that recorded voice names and greetings are stored in files on the Cisco Unity server (in the \CommServer\StreamFiles directory) and not in the SQL database.

Why the SQL Database Is Used

Storing Cisco Unity data in a SQL database has the following benefits:

•Performance—Because the SQL database is on the Cisco Unity server and because the database is heavily indexed, accessing data is fast. For example, when callers use the Cisco Unity phone directory to spell the name of a subscriber, Cisco Unity does an SQL query to look up the subscriber extension, and can quickly return the extension (or list of extensions) to the caller.

•Reliability—Because subscriber data is stored on the Cisco Unity server, Cisco Unity can answer calls, let outside callers look up subscriber extensions, and take messages when the Exchange network is down. While the Exchange network is unavailable, the Unity Messaging Repository (UMR) stores messages from outside callers on the Cisco Unity server (in the \CommServer\UnityMTA directory), and subscribers have access to those messages.

•Scalability—SQL Server 2000 is designed to support the largest enterprise data processing systems, so there is more than enough room for storing the Cisco Unity data. MSDE is based on the same data engine as SQL Server. Although MSDE has storage limitations, it is more than adequate for the Cisco Unity configurations for which it is sold.

•Network Impact—Only a small subset of subscriber information needs to be stored in Active Directory, and that information does not change frequently. Therefore, after subscriber accounts have been created, directory replication caused by changes to Cisco Unity data is minimal.

Why Cisco Unity Stores Data in Active Directory

Because there is a SQL database on the Cisco Unity server, it may not be clear why any Cisco Unity objects are stored in Active Directory. At first glance, it seems to add complexity, because of the need to keep two data stores synchronized. While this is a valid concern, there are three main reasons for storing information in Active Directory:

•To support Unified Messaging. See the "Support for Unified Messaging" section.

•To support networking. See the "Support for Networking" section.

•To provide flexible administration. See the "Flexible Administration" section.

Support for Unified Messaging

Cisco Unity provides true Unified Messaging: voice messages are stored along with e-mails and faxes in the Exchange mailbox store. Cisco Unity uses the Exchange message transfer agent to route voice messages to subscribers. Because of the reliance on Exchange, some information about subscribers and distribution lists must be stored in Active Directory to support Unified Messaging.

Cisco Unity needs access to Active Directory user account information and/or the associated Exchange mailboxes in order to:

•Authenticate subscribers when they log on to Cisco Unity.

•Provide the Text to Speech feature, allowing subscribers to have their e-mail messages read to them over the phone.

•Allow subscribers to use the same address book when addressing voice mails by using the phone that they use when addressing messages by using Outlook.

•Support Cisco Unity ViewMail for Microsoft Outlook, which allows subscribers to record and play voice messages from within Outlook.

•Turn on and off message waiting indicators on subscriber phones.

Support for Networking

In organizations with two or more Cisco Unity servers in the same Active Directory forest, subscribers are served by the Cisco Unity server on which their accounts were created. In Cisco Unity, "networking" is the general term for messaging between Cisco Unity servers, and between Cisco Unity and other voice messaging systems. The term networking has a broad definition and encompasses the following ideas:

•Subscribers associated with one Cisco Unity server can use the phone to send voice messages to:

–Subscribers associated with another Cisco Unity server (by using Digital Networking).

–Individuals with access to a computer connected to the Internet (by using Internet or Trusted Internet subscribers).

–Individuals who use a voice messaging system other than Cisco Unity (by using AMIS, Bridge, or VPIM Networking).

•Outside callers can find any subscriber in the directory and leave a voice message. Depending on the phone system and network configuration, outside callers who reach the Cisco Unity automated attendant or directory assistance can be transferred to any subscriber phone, even to the phone of a subscriber who is not associated with the local server.

By storing all the attributes for primary and delivery location objects in Active Directory, the addressing information that Cisco Unity needs for messaging between other Cisco Unity servers and other voice messaging systems replicates to all Cisco Unity servers in the Active Directory forest.

In order to address messages to subscribers who are associated with another Cisco Unity server, each server in the network needs access to some subscriber attributes such as the location with which the subscriber is associated and the subscriber extension. These subscriber attributes (and others) are stored in Active Directory so that they replicate to all Cisco Unity servers on the network. Cisco Unity stores this replicated data in a table for global subscriber data in the SQL server.

Like other voice messaging systems, Cisco Unity allows subscribers to record their names. A subscriber must have a recorded name in order to be listed in Cisco Unity phone directory. The recorded name is played when outside callers use the phone directory to look up a subscriber extension by pressing keys on the phone to spell part of the recipient name ("For John Smith at extension 5512, press 1; for Jane Smith at extension 5591, press 2."). To allow outside callers to look up a subscriber in the phone directory no matter which Cisco Unity server the subscriber is associated with, the recorded name must be stored in Active Directory so that it replicates to the other Cisco Unity servers.

Similarly, when subscribers use the phone to address messages, the recorded name is played so that the subscribers can confirm that the extension they entered is correct. To provide voice name confirmation to subscribers when they address messages over the phone to subscribers on other Cisco Unity servers, the recorded name must be in the directory.

Before Cisco Unity is installed, the Active Directory schema is extended to store the Cisco Unity-specific information. To support the Cisco Unity Bridge or VPIM networking options, the schema must be further extended to store information needed by Bridge and VPIM delivery location objects.

Flexible Administration

Because information is stored in Active Directory, Cisco Unity allows for flexible administration of subscribers and distribution lists. You can create subscriber accounts and distribution lists by using the Cisco Unity Administrator, which is a Web-based interface to all Cisco Unity data. When creating a subscriber, external subscriber, or distribution list, Cisco Unity creates the corresponding user, contact, and group automatically; it is not necessary to first create the directory objects by using the standard Microsoft tools.

In addition, if the directory objects already exist, they can be imported into Cisco Unity. For example, if your organization has an existing directory of Exchange users, these users can be imported into Cisco Unity. When the user data is imported, the Cisco Unity-specific data is added to the user accounts. You can then use the Cisco Unity Administrator to view and modify the subscriber accounts as needed.

However, if you delete a subscriber or distribution list in the Cisco Unity Administrator, the objects are not deleted from Active Directory, for security reasons. Instead, only the Cisco Unity-specific attributes are deleted from the directory object. You can then use standard Microsoft tools to delete the directory object.

Because Cisco Unity synchronizes the information between the SQL database and Active Directory, if you make a change to a subscriber account in the Cisco Unity Administrator (such as changing the last name of the subscriber), this information is written to Active Directory. Similarly, if you change the last name of a user in Active Directory Users and Computers, Cisco Unity detects the change and updates the SQL database. See the "About Synchronization" section for more information.

---

Note The Cisco Unity Permissions wizard allows a greater amount of control over the types of Active Directory objects that administrators can administer through Cisco Unity. See the following "Customizable Permissions" section for more information.

---

Customizable Permissions

While some organizations like the convenience of being able to create and modify Active Directory objects by using the Cisco Unity Administrator, other organizations with stringent security policies need to lock down administrative access to Active Directory. The Cisco Unity Permissions wizard allows a greater amount of control over the types of Active Directory objects that administrators can administer through Cisco Unity.

The Permissions Wizard sets only the permissions that Cisco Unity requires to function rather than setting permissions at a higher level. To simplify the setting of permissions for the Cisco Unity-specific properties, a property set that contains these individual properties—ciscoEcsbuUnityInformation—has been added to the schema. Permissions for Cisco Unity-specific attributes are set at the property set level instead of at the object level, and permissions for non-Cisco Unity-specific attributes that Cisco Unity requires access to are set at the property level.

For detailed information about the Active Directory permissions required by Cisco Unity, see the Permissions wizard Help file, which is available on www.ciscounitytools.com, or the file PWHelpPermissionsSet_<language>.htm on the Cisco Unity server.

About the Cisco Unity Schema Extensions to Active Directory

This section describes the extensions that Cisco Unity makes to the Active Directory schema. A basic understanding of Active Directory schema concepts is assumed. See the following sections for details:

•Extending the Schema—This section describes the application that you use to extend the schema, and how to determine the version of the schema extensions.

•Classes—This section describes the classes that Cisco Unity adds to the schema.

•Property Sets—This section describes the property set that Cisco Unity adds to the schema.

•Attributes—This section describes the attributes that Cisco Unity adds to users, contacts, groups, and locations.

Extending the Schema

Active Directory supports the use of LDAP Data Interchange Format (LDIF) scripts to extend the schema. Before installing Cisco Unity for use with an Exchange partner server, you must run a script that makes Cisco Unity-specific modifications to the Active Directory schema. To support VPIM Networking or Bridge Networking, the schema must be further extended. There are separate LDIF files for VPIM and Bridge Networking.

To extend the Active Directory schema, you run a Cisco Unity utility called ADSchemaSetup. The utility applies the schema extensions specified in the LDIF script files located on Cisco Unity DVD 1 and CD 1 in the directory Schema\LdifScripts. The user interface for ADSchemaSetup.exe consists of a dialog box with check boxes that correspond to the LDIF script files, as shown in Figure 1.

Figure 1 Active Directory Schema Setup Interface

The LDIF files have changed among Cisco Unity versions as needed to provide additional features and functionality, as described in "Chronology of Changes to Schema Extensions" section.

---

Note Changes to Active Directory schema extensions are always backward compatible. When using Digital Networking to network different versions of Cisco Unity, always extend the schema by using the latest version of Avdirmonex2k.ldf. In addition, if you are using the Cisco Unity Bridge or VPIM to communicate with other voice-messaging systems, extend the schema by using the latest version of Omnigateway.ldf or VPIMgateway.ldf, respectively.

---

All Cisco Unity attributes added by avdirmonex2.ldf, omnigateway.ldf, and vpimgateway.ldf are replicated in the Global Catalog server. These are the attributes marked with "ismemberofpartialattributeset = TRUE" in the script files.

Attributes with the "searchFlags" property set to a non-zero number are indexed.

Viewing the Version of the Schema Extensions

Each time changes are made to an LDIF script, the script is updated to write a new version description. The updated description will be added to the existing description rather than replacing it so that there is a history of the schema extensions that have been applied.

See the following procedures for instructions for viewing the schema version:

•To View the Version of the Schema Extensions on the Server on Which ADSchemaSetup Was Run

•To View the Version of the Schema Extensions by Using ADSI Edit

To View the Version of the Schema Extensions on the Server on Which ADSchemaSetup Was Run

---

Step 1 On the desktop of the server on which ADSchemaSetup was run, open the folder Ldif logs.

This folder contains subfolders that are named based on the date on which ADSchemaSetup was run.

Step 2 Open the folder named with the most recent date.

This folder contains a separate folder for Avdirmonex2k.ldf (Cisco Unity schema extensions), Omnigateway.ldf (Cisco Unity Bridge extensions), and Vpimgateway.ldf (VPIM extensions).

Step 3 Open the folder for the appropriate type of schema extensions, and open the file Ldif.log in Notepad.

Step 4 Scroll to the end of the file, and click the last line. There is more than one instance of cisco-Ecsbu-UM-Schema-Version in the file, and you need to locate the last instance that contains a version description.

Step 5 Click Edit > Find, enter cisco-Ecsbu-UM-Schema-Version, and click Up for the direction of the search.

Step 6 Click Find Next one or more times until you find an instance that is followed a few lines down by a line containing the word "Description" and one of the following, as applicable:

•Cisco Unity <version>

•Cisco Unity Bridge <version>

•Cisco Unity VPIM <version>

Note that the version displayed is the Cisco Unity version when the LDIF file was last modified, which may be older than your Cisco Unity version.

The following example shows two parts of an ldif.log file for the Avdirmonex2k.ldf extensions for a server that was installed using a version 4.2(1), and then upgraded to 5.0(1):

51: CN=cisco-Ecsbu-UM-Schema-Version,CN=Schema,CN=Configuration,DC=Media,

	DC=cisco-uty-123456,DC=cisco,DC=com

Entry DN: CN=cisco-Ecsbu-UM-Schema-Version,CN=Schema,CN=Configuration,DC=Media,

	DC=cisco-uty-123456,DC=cisco,DC=com

change: modify

Attribute 0) Description:Unity 4.2

Attribute or value exists, entry skipped.

...

106: CN=cisco-Ecsbu-UM-Schema-Version,CN=Schema,CN=Configuration,DC=Media,

	DC=cisco-uty-123456,DC=cisco,DC=com

Entry DN: CN=cisco-Ecsbu-UM-Schema-Version,CN=Schema,CN=Configuration,DC=Media, 
	DC=cisco-uty-123456,DC=cisco,DC=com

change: modify

Attribute 0) Description:Cisco Unity 5.0

Entry modified successfully.

---

To View the Version of the Schema Extensions by Using ADSI Edit

If you do not know the server on which ADSchemaSetup was run, or if you do not have access to the server, you can use the Microsoft utility, ADSI Edit, to view the contents of the attribute cisco-Ecsbu-UM-Schema-Version. ADSI Edit comes with Cisco Unity and also comes with Windows 2000 Support Tools. ADSI Edit can be run on a Cisco Unity server or any server in the domain.

---

Note The steps in the procedure apply to using the version of ADSI Edit that is included in the TechTools directory. They may not apply to newer versions of ADSI Edit that are downloaded from Microsoft.

---

---

Caution Be very careful when running ADSI Edit. Do not make any changes to the schema. Making changes to the schema could cause problems with Cisco Unity, Exchange, and/or Active Directory.

---

---

Step 1 Log on to the Cisco Unity server. If you have already registered adsiedit.dll, or if you have installed the Windows 2000/2003 support tools on the server (which registers adsiedit.dll automatically), skip to Step 3. Otherwise, open a command prompt window and change to the directory <drive>:\CommServer\TechTools. Then change to the win2000 or win2003 directory, as applicable. Enter the following:

regsvr32 adsiedit.dll

Step 2 Close the command prompt window.

Step 3 In Windows Explorer, browse to the applicalbe subdirectory in <drive>:\CommServer\TechTools and double-click adsiedit.msc.

Step 4 Enter your user name and password when prompted.

Step 5 In tree in the left pane, expand the Schema container so that the schema attributes and classes are displayed in the right pane.

Step 6 In the right pane, scroll down as needed and right-click CN=cisco-Ecsbu-UM-Schema-Version, and click Properties.

Step 7 In the Select a Property to View list, click Description.

•If the Omnigateway.ldf schema extensions have been applied, the description will contain:
Unity Bridge <version>

•If the Vpimgateway.ldf schema extensions have been applied, the description will contain:
Unity VPIM <version>

•If the Avdirmonex2k.ldf schema extensions have been applied, the description will contain:
Unity <version>

Note that the version displayed is the Cisco Unity version when the LDIF file was last modified, which may be older than your Cisco Unity version.

---

Classes

The Cisco Unity schema extensions contain the following classes:

•ciscoEcsbuUMLocation—This structural class defines the Cisco Unity location object. For a description of what location objects are used for, see the "About Locations" section. For a list of the attributes in the location object, see the "Location Object Attributes" section.

•ciscoEcsbu-UM-Site—This structural class defines Cisco Unity site objects, but it is not currently used. That is, Cisco Unity currently does not create any site objects. For an explanation of how site objects may be used in the future, see the "In the Future: Cisco Unity Sites" section. The class contains the ciscoEcsbuUMAttributes auxiliary class as well as the following attributes:

–organizationalUnit

–ciscoEcsbuObjectType

–ciscoEcsbuUnityBehaviorVersion

•ciscoEcsbuUMAttributes—This auxiliary class contains the following attributes:

–ciscoEcsbuUnityAttributes—Used to store a secure messaging setting on user objects. If needed in future Cisco Unity versions, additional data can be stored in this attribute, which avoids further extensions to the schema.

–ciscoEcsbuUnityAttributesIndexed—Not currently used.

–ciscoEcsbuUnityAttributesEncoded—Not currently used.

Although the ciscoEcsbuUMAttributes auxiliary class was added to users, contacts, groups, and locations, currently, users are the only objects that contain data.

Property Sets

The property set ciscoEcsbuUnityInformation was added to accommodate changes to the Cisco Unity Permissions wizard. In general, permissions for ciscoEcsbu... attributes in Active Directory are granted on the ciscoEcsbuUnityInformation property set, not on the individual attributes.

For a complete list of the attributes that appear in the property set and the type of object to which each attribute applies, refer to the section "Attributes in the ciscoEcsbuUnityInformation Property Set" in the Permissions wizard Help file, which is available on www.ciscounitytools.com, or on the Cisco Unity server.

Attributes

This section lists the attributes that Cisco Unity adds to users, contacts, groups, and locations.

•User and Contact Attributes

•Distribution List Attributes

•Location Object Attributes

User and Contact Attributes

•Table 1 shows attributes for users and contacts.

•Table 2 shows attributes for users to support Bridge Networking.

Table 1 User and Contact Attributes in Active Directory 

Cisco Unity Attribute1	Active Directory Attribute	Description
Alternate Extensions	ciscoEcsbuAlternateDtmfIds	Multi-valued collection of unique alternate DTMF access codes that callers can dial to access the Cisco Unity subscriber that is associated with this user or contact.
AMIS Disable Outbound	ciscoEcsbuAmisDisableOutbound	For an AMIS subscriber, indicates no messages are being delivered to this target.
Extension	ciscoEcsbuDtmfId	Primary unique DTMF access code that callers can dial to access the Cisco Unity subscriber that is associated with this user or contact.
List In Phone Directory	ciscoEcsbuListInUMDirectory	List the subscriber in the phone directory for outside callers.
Call Transfer String	ciscoEcsbuTransferId	The primary call handler contact rule transfer string for the subscriber, accessed by directory handlers when doing searches on remote Cisco Unity servers in the same dialing domain and for automated attendant transfers.
Location Object ID	ciscoEcsbuUMLocationObjectId	Identifies the location with which the subscriber is associated.
Undeletable	ciscoEcsbuUndeletable	If true, this object cannot be deleted by using the Cisco Unity Administrator or other tools (used to prevent deletion of factory defaults).
Recorded Voice Name	msExchRecordedName2	The recorded name of the subscriber.
Object Type	ciscoEcsbuObjectType	Cisco Unity enumeration for type of object.
Order of Alternate Extensions	ciscoEcsbuAlternateDtmfIdsOrder	Used to determine the order of the alternate DTMF ids.
Message Security Encryption Setting	ciscoEcsbuUnityAttributes	Used to store the secure messaging encryption setting on user objects. If needed in future Cisco Unity versions, additional data can be stored in this attribute.
N/A	ciscoEcsbuUnityAttributesIndexed	Not currently used.
N/A	ciscoEcsbuUnityAttributesEncoded	Not currently used.

1 Cisco Unity attribute names vary slightly depending on the tool that you use to view the attributes. For example, the "List in Directory" attribute above has the following names: "ListInDirectory" is the column name when using SQL Enterprise Manager to view the Subscriber table in the Unitydb database; "AVP_LIST_IN_DIRECTORY" is the object property name when using the DohPropTest tool; "List in phone directory" is the field name on the Subscriber > Profile page in the Cisco Unity Administrator. 2 Cisco Unity extends the schema with and uses msExchRecordedName by written permission of the Microsoft Corporation.

For regular and Internet subscribers, the Location Object ID is the Object ID of the primary location. For AMIS, Bridge, and VPIM subscribers, the Location Object ID is the Object ID of the delivery location with which the subscribers are associated.

Table 2 User Object Attributes in Active Directory to Support Bridge Networking 

Cisco Unity Attribute	Active Directory Attribute	Description
Unity Node Serial Number	ciscoEcsbuRemoteNodeID	The Octel network serial number of the node with which the Cisco Unity subscriber is associated. Added in Cisco Unity 4.0(3).
Legacy Mailbox ID	ciscoEcsbuLegacyMailbox	The number that Octel subscribers dial (excluding the location Dial ID and/or prefix) to address messages to the Cisco Unity subscriber. Added in Cisco Unity 4.0(3).

Distribution List Attributes

The Cisco Unity-specific attributes shown in Table 3 are added to Active Directory groups.

Table 3 Distribution List Attributes in Active Directory 

Cisco Unity Attribute	Active Directory Attribute	Description
Extension	ciscoEcsbuDtmfId	Primary unique DTMF access code that callers can dial to access the Cisco Unity Distribution List that is associated with this distribution list.
Location Object ID	ciscoEcsbuUMLocationObjectId	Identifies the location that the distribution list was created on.
Undeleteable	ciscoEcsbuUndeletable	If true, this object cannot be deleted by using the Cisco Unity Administrator (used to prevent deletion of factory defaults).
Voice Enabled	ciscoEcsbuVoiceEnabled	Set when the distribution list is enabled for voice.
Alias	mailNickname	Mail name of the distribution list.
Recorded Voice Name	msExchRecordedName1	Distribution List recorded name.
Object Type	ciscoEcsbuObjectType	Cisco Unity enumeration for type of object.
N/A	ciscoEcsbuUnityAttributes	Not currently used.
N/A	ciscoEcsbuUnityAttributesIndexed	Not currently used.
N/A	ciscoEcsbuUnityAttributesEncoded	Not currently used.

1 Cisco Unity extends the schema with and uses msExchRecordedName by written permission of the Microsoft Corporation.

Location Object Attributes

•Table 4 shows the attributes for location objects in Active Directory.

•Table 5 shows the attributes for location objects in Active Directory that support Bridge Networking.

•Table 6 shows the attributes for location objects in Active Directory that support VPIM Networking.

Table 4 Location Object Attributes in Active Directory 

Cisco Unity Attribute	Active Directory Attribute	Description
Addressing Max Scope	ciscoEcsbuAddressingMaxScope	Used to indicate the type of addressing that is supported by this location (local, dialing domain, global).
Allow Blind Addressing	ciscoEcsbuAllowBlindAddressing	If true, messages can be addressed to this location without an existing handler or mail user.
AMIS Delivery Phone Number	ciscoEcsbuAmisDialId	Corresponds to the AMIS dial ID on the Delivery Location page in the Cisco Unity Administrator.
AMIS Node Active	ciscoEcsbuAmisNodeActive	True if the node is active.
AMIS Node ID	ciscoEcsbuAmisNodeId	Identifier for the AMIS Node.
Blind Addressing Max Scope	ciscoEcsbuBlindAddressingMaxScope	Scope of blind addressing search.
Destination Type	ciscoEcsbuDestinationType	Indicates the destination type for the location (SMTP, AMIS, VPIM, Bridge).
Dialing Domain Name	ciscoEcsbuDialingDomainName	Name of the dialing domain for networking.
Location Dial ID	ciscoEcsbuDtmfId	Primary unique DTMF access code that callers can dial to access the Cisco Unity Location.
Include Locations	ciscoEcsbuIncludeLocations	If set on the primary location, the Cisco Unity conversation will include locations in search results.
SMTP Domain	ciscoEcsbuUMDomain	For the primary location, the domain name that the remote voice messaging system uses when addressing messages to Cisco Unity subscribers. Corresponds to the SMTP Domain Name field on the Primary Location page in the Cisco Unity Administrator. For a VPIM or SMTP delivery location, the domain name that Cisco Unity uses when addressing messages to subscribers on the remote voice messaging system. Corresponds to the SMTP Domain Name field on the Delivery Location page in the Cisco Unity Administrator. For an AMIS delivery location, the phone number used to reach the remote AMIS system. Corresponds to the Delivery Phone Number field on the Delivery Location page in the Cisco Unity Administrator.
Domain ID	ciscoEcsbuUMDomainId	Not currently used.
Location Object ID	ciscoEcsbuUMLocationObjectId	The unique identifier for this location object.
System ID	ciscoEcsbuUMSystemId	Used to identify the Cisco Unity system on which this location was created.
Schema Version	ciscoEcsbuUMSchemaVersion	The version of schema extensions that has been applied. (Note that the version displayed is the Cisco Unity version when the LDIF file was last modified, which may be older than your Cisco Unity version.)
Undeletable	ciscoEcsbuUndeletable	If true, this object cannot be deleted by using the Cisco Unity Administrator (used to prevent deletion of factory defaults).
Display Name	displayName	Spelled name.
Alias	ciscoEcsbuDirectoryAlias	Unique text name for this object.
Recorded Voice Name	msExchRecordedName1	Location recorded name.
Object Type	ciscoEcsbuObjectType	Cisco Unity enumeration for type of object.
Home Server	ciscoEcsbuUMServer	The Cisco Unity server which owns this location.
System State	ciscoEcsbuUMSystemState (Added in Cisco Unity 4.0(1).)	Licensing information for the Cisco Unity server that is associated with this location. Only present on non-delivery locations.
N/A	ciscoEcsbuUnityAttributes	Not currently used.
N/A	ciscoEcsbuUnityAttributesIndexed	Not currently used.
N/A	ciscoEcsbuUnityAttributesEncoded	Not currently used.
AVP_OPTION_FLAGS	ciscoEcsbuOptionFlags	A bit mask that controls various options including the secure messaging encryption settings on delivery locations.

1 Cisco Unity extends the schema with and uses msExchRecordedName by written permission of the Microsoft Corporation.

Table 5 Location Object Attributes in Active Directory to Support Bridge Networking 

Cisco Unity Attribute	Active Directory Attribute	Description
Octel Serial Number	ciscoEcsbuRemoteNodeID	The serial number of the Octel node that corresponds to this location.
Bridge Server Address	ciscoEcsbuRemoteServer	The fully qualified domain name of the Bridge server that is used for messaging with this delivery location.
Prefixes	ciscoEcsbuPrefixes (Added in Cisco Unity 4.0(3).)	A list of the node prefixes that are assigned to this location. Corresponds to the entries on the Prefixes page of the Delivery Location in the Cisco Unity Administrator.
Remote Mailbox Length	ciscoEcsbuRemoteMailboxLength (Added in Cisco Unity 4.0(3).)	The number of digits required for mailboxes as specified in Octel for the node that corresponds to this delivery location.
AVP_OPTION_FLAGS	ciscoEcsbuOptionFlags (Added in Cisco Unity 4.0(3).)	A bit mask that controls various options including how Bridge subscribers are automatically created, and the secure messaging encryption settings for incoming and outgoing messages to the Bridge location.

Table 6 Location Object Attributes in Active Directory to Support VPIM Networking 

Cisco Unity Attribute	Active Directory Attribute	Description
Unity Phone Prefix	ciscoEcsbuLocalPhonePrefix	Used to construct To/From addresses for Cisco Unity subscribers. Corresponds to the Cisco Unity Phone Prefix field on the Delivery Location page in the Cisco Unity Administrator.
Remote Phone Prefix	ciscoEcsbuRemotePhonePrefix	Used to construct To/From addresses for VPIM subscribers. Corresponds to the Remote Phone Prefix field on the Delivery Location page in the Cisco Unity Administrator.
AVP_OPTION_FLAGS	ciscoEcsbuOptionFlags	A bit mask that controls various options including whether the recorded name or vCard of the sender are included in outgoing messages, how VPIM subscribers are automatically created, and the secure messaging encryption settings for incoming and outgoing messages to the VPIM location.
Remote Server	ciscoEcsbuRemoteServer	Not currently used.

Chronology of Changes to Schema Extensions

This section summarizes the changes to the Active Directory schema extensions and the version of Cisco Unity when the changes occurred. Changes to the schema are always backwards compatible with earlier version of Cisco Unity. See the following sections:

•Changes to Extensions Required by Cisco Unity

•Changes to Bridge Networking Extensions

•Changes to VPIM Networking Extensions

Changes to Extensions Required by Cisco Unity

Table 7 provides a chronology of the schema extension changes in the LDIF script file name Avdirmonex2k.ldf, which corresponds to the ADSchemaSetup check box called "Directory Monitor."

Table 7 Changes to Schema Extensions Required by Cisco Unity 

Cisco Unity Versions	Description
5.0(1)	Several Cisco Unity-specific attributes, an auxiliary class, and a structural class were added to Avdirmonex2k.ldf, and the schema was extended in ways that will reduce the need for further schema extensions in the future. The following classes were added: •ciscoEcsbu-UM-Site—This structural class defines Cisco Unity site objects, but it is not currently used. That is, Cisco Unity does not create any site objects. The class contains the new ciscoEcsbuUMAttributes auxiliary class as well as the following attributes: –organizationalUnit –ciscoEcsbuObjectType –ciscoEcsbuUnityBehaviorVersion—New attribute, but not currently used. •ciscoEcsbuUMAttributes—This auxiliary class was added to avoid schema extensions in the future. It contains the following new attributes: –ciscoEcsbuUnityAttributes—Used to store a secure messaging setting on user objects. If needed in future Cisco Unity versions, additional data can be stored in this attribute, which avoids further extensions to the schema. –ciscoEcsbuUnityAttributesIndexed—Not currently used. –ciscoEcsbuUnityAttributesEncoded—Not currently used. Although the ciscoEcsbuUMAttributes auxiliary class was added to users, contacts, groups, and locations, currently, users are the only objects that contain data.
4.2(1)	The property set ciscoEcsbuUnityInformation was added to accommodate changes to the Cisco Unity Permissions wizard.
4.0(1) - 4.1(1)	The following attributes were added: •ciscoEcsbuUMSystemState attribute to the location object class •ciscoEcsbuAlternateDtmfIdsOrder attribute to the user object class. •ciscoEcsbuUMSchemaVersion
3.0(1) - 3.1(6)	The core schema extensions required by Cisco Unity itself, Digital Networking, SMTP Networking, and AMIS Networking.

Changes to Bridge Networking Extensions

Table 8 provides a chronology of the schema extension changes in the LDIF script file name Omnigateway.ldf, which corresponds to the ADSchemaSetup check box called "Bridge Connector."

Table 8 Changes to Bridge Networking Schema Extensions 

Cisco Unity Versions	Description
5.0(1) and later	Only the version number of Omnigateway.ldf was changed. However, the Cisco Unity Permissions wizard will not let you proceed if the version of the Bridge Connector schema extensions is not the same as the version of Directory Monitor schema extensions.
4.2(1)	The schema extensions for Bridge Networking changed slightly to accommodate changes to the Cisco Unity Permissions wizard.
4.0(3) - 4.1(1)	The schema extensions for Bridge Networking changed significantly in Cisco Unity 4.0(3), and the attribute ciscoEcsbuUMSchemaVersion was added. The ciscoEcsbuDtmfId attribute was not indexed. The following attributes were added to user objects: •ciscoEcsbuRemoteNodeID •ciscoEcsbuLegacyMailbox The following attributes were added to location objects: •ciscoEcsbuRemoteMailboxLength •ciscoEcsbuRemoteMailboxLength •ciscoEcsbuOptionFlags
4.0(1) - 4.0(2)	The ciscoEcsbuDtmfId attribute was indexed.
3.1(3) - 3.1(6)	The schema extensions required for Bridge Networking.

Changes to VPIM Networking Extensions

Table 9 provides a chronology of the schema extension changes in the LDIF script file name Vpimgateway.ldf, which corresponds to the ADSchemaSetup check box called "VPIM Connector."

Table 9 Changes to VPIM Networking Schema Extensions 

Cisco Unity Versions	Description
5.0(1)	Only the version number of Vpimgateway.ldf was changed. However, the Cisco Unity Permissions wizard will not let you proceed if the version of the VPIM Connector schema extensions is not the same as the version of Directory Monitor schema extensions.
4.2(1)	The schema extensions for VPIM Networking changed slightly to accommodate changes to the Cisco Unity Permissions wizard.
4.0(3) - 4.1(1)	The attribute ciscoEcsbuUMSchemaVersion was added.
4.0(1) - 4.0(2)	The schema extensions required for VPIM Networking.

About Synchronization

Cisco Unity includes directory monitors that keep the Cisco Unity objects in the directory synchronized with the SQL database on the Cisco Unity server. In addition to monitoring Active directory for changes, the monitors also work in the other direction, and write changed information from Cisco Unity to Active Directory. Note that the changes that Cisco Unity makes to Active Directory depends on the permissions set in the Permissions wizard.

There are two Active Directory monitors: one monitors changes to Cisco Unity objects that are associated with the local server, and the other monitors the Active Directory global catalog for changes to objects that are associated with other Cisco Unity servers.

See the following sections for more detailed information about synchronization:

•For information on updates to Active Directory, see the "Updates to the Directory Are Synchronous" section.

•For information on updates to the SQL database, see the "Updates to the SQL Database Are Asynchronous" section.

For information on the attributes that are synchronized in Active Directory, refer to the Permissions wizard Help file, which is available on www.ciscounitytools.com, or the file on the Cisco Unity server called PWHelpPermissionsSet_<language>.htm. Note that in the lists of attributes, a "W" indicates that Cisco Unity writes data to the attribute, and a "R" means that Cisco Unity reads the data in the attribute. In most cases, when Cisco Unity does a read, it updates data in the Unitydb database, but in some cases, Cisco Unity reads the data to perform some operation, and does not store the data.

Updates to the Directory Are Synchronous

Changes to subscriber accounts, distribution lists, and location objects made by using the Cisco Unity Administrator (or another Cisco Unity application) are written to the directory when the change occurs, so that both the SQL database and the directory remain consistent, as Figure 2 illustrates.

The changes made to the directory depend on the action in the Cisco Unity application: create, import, modify, or delete.

•Create—When subscriber accounts, distribution lists, and location objects are created, the objects are written to both the SQL database and the directory. The objects in the directory include Cisco Unity-specific attributes.

•Import—When subscriber accounts and distribution lists are created by importing existing directory objects, the objects are written to the SQL database, and the Cisco Unity-specific attributes are written to the directory objects.

•Modify—When a subscriber account, distribution list, or location object is modified by using a Cisco Unity application, the updated information is written to both the SQL database and the directory.

•Delete—When subscriber accounts and distribution lists are deleted by using the Cisco Unity Administrator, the objects are deleted from the SQL database, and most of the Cisco Unity-specific attributes are deleted from the directory objects. You then use standard Microsoft tools to delete the directory objects.

When location objects are deleted by using the Cisco Unity Administrator, the location objects are deleted from both the SQL database and the directory.

Figure 2 Updates to the Directory Are Synchronous

Updates to the SQL Database Are Asynchronous

Every few minutes the directory monitor polls for new, changed, and deleted objects and then queues the detected changes. The changed information is pulled from the queue and written to the SQL database. Figure 3 illustrates this process.

Figure 3 Updates to the SQL Database Are Asynchronous

Active Directory Monitors

The Active Directory monitors run as services on the Cisco Unity server. Both Active Directory domain controller (DC) databases and global catalog (GC) databases are polled for changes. There are two monitors:

•AvDSAD.exe—Initiates updates to objects associated with the local Cisco Unity server (that is, the Cisco Unity server on which AvDSAD is running). In installations with multiple Cisco Unity servers networked together, other domains could contain objects associated with other Cisco Unity servers. The AvDSAD for each server monitors only those domains that contain objects that are associated with the local Cisco Unity server. Polling is done at regular, configurable intervals; the default is every two minutes.

Changes to Active Directory objects that appear on a DC that AvDSAD is monitoring will be reflected in Cisco Unity within the two-minute polling interval. If a change to an object occurs on a DC that AvDSAD is not monitoring, the change first has to be replicated to the monitored DC. In this case, the time that it takes for the change to be reflected in Cisco Unity depends on your network configuration and replication schedule.

•AvDSGlobalCatalog.exe—Monitors the Active Directory global catalog for changes to distribution lists, mailbox stores, locations, and for objects associated with other Cisco Unity servers in the network. The subscriber and location changes detected by AvDSGlobalCatalog result in updates to the global tables in the SQL database. Polling is done at regular, configurable intervals; the default is every fifteen minutes. This service is read-only; that is, it makes no directory changes.

In order for changes to objects associated with other Cisco Unity servers to be reflected, the changes first have to be replicated to the Active Directory global catalog, and then the monitor can detect the changes. The time that it takes for changes to be reflected in the global catalog depends on your network configuration and replication schedule.

All directory objects have an attribute called uSN-Changed, which contains the update sequence number (USN). Whenever an object is changed, uSN-Changed is updated to be the highest number (plus one) of all the objects in the directory. For example, assume the uSN_Changed of object A is 100, the uSN-Changed of object B is 101, and the uSN-Changed of object C is 102. In this case, when a change is made to object A, its uSN-Changed is updated to 103. Each time the monitors perform a synchronization cycle, they store the highest USN encountered during the synchronization.

During synchronization, the monitors query the DC and GC databases (as applicable) to obtain a list of objects. The monitors filter out all non-Cisco Unity objects. By comparing the LastUSN to the current USN of each object, all objects that have not changed since the last polling (that is, objects with a uSN-Changed value that is less than LastUSN) are filtered out of the list.

If the monitors encounter an error while synchronizing an object, the synchronization cycle is aborted, and the LastUSN value is not updated. Updates to SQL are not performed for the object on which the error was encountered and for subsequent objects on the list. When the next synchronization occurs, because LastUSN was not updated, the list of objects to be updated is the same as in the previous synchronization.

When a change is detected, the monitor sends a notification by using Microsoft Message Queue (MSMQ). The notification specifies whether the object has been changed or deleted, and whether the change has been detected in the DC or in the GC. The notification includes the value of each object property that is used by Cisco Unity. In case of conflict, changes to an object made by using the Cisco Unity Administrator take precedence over changes detected in Active Directory.

The monitor uses a table called ADMonitorDirObjsList in the SQL database that associates each object used by Cisco Unity with the domain in which it resides. Additionally, the monitor uses a table called ADMonitorDistributionListMember in the SQL database that associates each distribution list used by Cisco Unity with the members of the list.

Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.

© 2007 Cisco Systems, Inc. All rights reserved.

¹ At the time of this writing, SQL Server 2005 is not supported, but it may be supported in future Cisco Unity versions.