Polycom 7000 User Manual

Integrations with Other Systems
Polycom, Inc. 
Active Directory Integration Procedure
Before performing the procedure below, read 
 and 
You should also have a good idea of how many enterprise users you expect the system to retrieve. 
To integrate with Active Directory 
1. In Windows Server, add the service account (read-only user account) that the RealPresence DMA
   system will use to read the Active Directory. Configure this account as follows:
   - User can’t change password.
   - Password never expires.
   - User can only access services on the domain controllers and cannot log in anywhere.
   If you are integrating the RealPresence DMA system with Lync 2013 and plan to use the automatic
   conference contact creation feature, the service account you create here should have full
   permissions to add, change, and delete entries in the OU where the conference contacts are stored,
   along with full administrative permissions for Lync administration to manipulate these contacts.
2. In the RealPresence DMA system, replace the default local administrative user with your own user
   account that has the same user roles. See
3. Log into the RealPresence DMA system as the local user you created in step 2 and go to Admin >
   Integrations > Microsoft Active Directory.
4. Check Enable integration with Microsoft® Active Directory Server and complete the information
   in the Active Directory Connection section.
5. Unless you have a single domain environment and no global catalog, select Auto-discover from
   FQDN and enter the DNS domain name.
Note: Active Directory must trust the RealPresence DMA system certificate
Unless the Allow unencrypted connections to the Active Directory security option is enabled, the 
RealPresence DMA system offers the same SSL server certificate that it offers to browsers 
connecting to the system management interface. The Microsoft Active Directory server must be 
configured to trust the certificate authority.
Note: Active Directory Integration Accounts
If you have a Polycom RealPresence Resource Manager system, be aware that the machine account 
used for AD integration by the RealPresence Resource Manager system and the service account 
used for AD integration by the RealPresence DMA system have different requirements. Don’t try to 
use the same account for both purposes. In particular, the whitelist of machines that the Polycom 
RealPresence Resource Manager system is allowed to log into should contain only the RealPresence 
Resource Manager system, while the whitelist of machines the RealPresence DMA system is allowed 
to log into should contain only the domain controllers. 
If you use Active Directory attributes that aren’t replicated across the enterprise via the Global Catalog 
server mechanism, the system must query each domain for the data. Make sure that the whitelist for 
this service account is correct and that it can connect to all the LDAP servers in each domain.
Note: Auto-discover vs. IP address
Polycom doesn’t recommend using the IP address or host name option in a multi-domain 
environment. If you must, enter the host name or IP address of a specific global catalog server, not the 
DNS domain name.
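
The service account settings from the first step of the procedure and the logon whitelist from the "Active Directory Integration Accounts" note can be applied and then audited with the Windows ActiveDirectory PowerShell module. This is an added example, not part of the Polycom manual; the account name and OU path are placeholders, and treating extra group memberships as a finding is an assumption based on the account being read-only.

```powershell
# Added example, not from the Polycom manual. Placeholder names are marked below.
Import-Module ActiveDirectory

$SamName = 'svc-dma-adread'                          # hypothetical account name
$OuPath  = 'OU=Service Accounts,DC=example,DC=com'   # placeholder OU

# Logon whitelist: domain controllers only. This lists the CURRENT domain's DCs;
# in a multi-domain forest, repeat with -Server for each domain the system must query.
$DcNames = @((Get-ADDomainController -Filter *).Name | Sort-Object)

function New-DmaReadAccount {
    $params = @{
        Name                 = $SamName
        SamAccountName       = $SamName
        Path                 = $OuPath
        AccountPassword      = Read-Host -AsSecureString 'Service account password'
        CannotChangePassword = $true                  # "User can't change password"
        PasswordNeverExpires = $true                  # "Password never expires"
        LogonWorkstations    = $DcNames -join ','     # may log on to DCs only
        Enabled              = $true
    }
    New-ADUser @params
}

# Returns a list of deviations from the manual's requirements (empty = compliant).
function Test-DmaReadAccount {
    $u = Get-ADUser -Identity $SamName -Properties CannotChangePassword,
             PasswordNeverExpires, LogonWorkstations, MemberOf
    $allowed  = @($u.LogonWorkstations -split ',' | Where-Object { $_ })
    $findings = @()
    if (-not $u.CannotChangePassword) { $findings += 'User can change password' }
    if (-not $u.PasswordNeverExpires) { $findings += 'Password can expire' }
    if ($allowed.Count -eq 0) {
        $findings += 'No logon whitelist set: account can log on to any machine'
    }
    $extra = @($allowed | Where-Object { $_ -notin $DcNames })
    if ($extra) { $findings += "Whitelist contains non-DC hosts: $($extra -join ', ')" }
    $missing = @($DcNames | Where-Object { $_ -notin $allowed })
    if ($missing) { $findings += "Whitelist is missing DCs: $($missing -join ', ')" }
    # Assumption: a read-only account needs no group beyond its primary group.
    if ($u.MemberOf) { $findings += "Review group memberships: $($u.MemberOf -join '; ')" }
    $findings
}
```

Run `Test-DmaReadAccount` again whenever domain controllers are added or retired, since a stale whitelist either blocks the directory query or leaves a decommissioned host name on the allow list.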