Support-Info: (CONNECTORS): How to work around the "Replicate Directory Changes" to connect to AD for the ADMA or GalSync MA

PRODUCTS INVOLVED

  • Forefront Identity Manager 2010, R2, R2 SP1
  • Microsoft Identity Manager 2016, SP1

COMPONENTS INVOLVED

  • Active Directory Management Agent
  • GalSync Management Agent

PROBLEM SCENARIO DESCRIPTION

  • Out of the box, the Active Directory Management Agent and the GalSync Management Agent connect to Active Directory using the DirSync control, which requires the connecting account to hold the "Replicate Directory Changes" permission. If we do not want to grant "Replicate Directory Changes", how can the management agent still access Active Directory?

RESOLUTION

Resolution Steps
      1. Open the Windows Registry on the Synchronization Service Machine
      2. Navigate to HKLM\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters
      3. Add a new DWORD value named ADMAUseACLSecurity
      4. Set its value to 1

Values for ADMAUseACLSecurity:
      0 = Use the DirSync control and the "Replicate Directory Changes" permission (the default)
      1 = Use Active Directory ACLs for permissions


ADDITIONAL INFORMATION

You may run into issues with permissions on the Deleted Objects container. Here are steps to resolve that issue if encountered.

Resolution Steps for Deleted Objects Container
To make this work, we had to explicitly grant the AD MA account list and read permissions to the Deleted Objects container in the domain.  This is done using the dsacls.exe utility to:

1. Change ownership of the Deleted Objects container to the currently logged in user

2. Grant the ADMA account list and read permissions

More information: Use the dsacls.exe utility to explicitly grant the AD MA account list and read access to the Deleted Objects container in the domain. Without this permission, we can't guarantee that the account will be able to read from the Deleted Objects container during delta import. This utility needs to be run as a domain administrator from an administrative cmd.exe prompt.

https://support.microsoft.com/en-us/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-objects-container

One of the differences between a domain administrator and a standard user object is that the domain administrator automatically has access to the Deleted Objects container. This list/read property access that domain administrators have may make the difference between discovering an object deletion in delta import and missing it.

Use the dsacls.exe utility to check the current permissions on the Deleted Objects container. If the AD MA account doesn't have list and read property access, use dsacls.exe to add these permissions, and re-test.

Default permissions on Deleted Objects container

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators  SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                              DELETE
                              READ PERMISSONS
                              WRITE PERMISSIONS
                              CHANGE OWNERSHIP
                              CREATE CHILD
                              DELETE CHILD
                              LIST CONTENTS
                              WRITE SELF
                              WRITE PROPERTY
                              READ PROPERTY

The command completed successfully

Updated permissions with my AD MA account added

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow CONTOSO\ma_ADMA         SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow BUILTIN\Administrators  SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                              DELETE
                              READ PERMISSONS
                              WRITE PERMISSIONS
                              CHANGE OWNERSHIP
                              CREATE CHILD
                              DELETE CHILD
                              LIST CONTENTS
                              WRITE SELF
                              WRITE PROPERTY
                              READ PROPERTY

The command completed successfully
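The registry switch and the Deleted Objects grant above, as an added PowerShell example that is not part of the original post and not Microsoft's code. It assumes constructed values (domain contoso.com, MA account CONTOSO\ma_ADMA) and, as the post requires, an elevated session run as a domain administrator on the Synchronization Service machine.

```powershell
# Added example (not from the original post). Constructed assumptions: domain
# contoso.com and MA service account CONTOSO\ma_ADMA; run elevated as a domain admin.
param(
    [string]$DomainDn  = 'DC=contoso,DC=com',
    [string]$MaAccount = 'CONTOSO\ma_ADMA'
)
$ErrorActionPreference = 'Stop'

# 1. Move the ADMA/GalSync MA off the DirSync control (which needs "Replicate
#    Directory Changes") onto ACL-based access: ADMAUseACLSecurity = 1.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
New-ItemProperty -Path $regPath -Name 'ADMAUseACLSecurity' -PropertyType DWord -Value 1 -Force | Out-Null
$current = (Get-ItemProperty -Path $regPath -Name 'ADMAUseACLSecurity').ADMAUseACLSecurity
if ($current -ne 1) { throw "ADMAUseACLSecurity is $current, expected 1" }

# 2. In ACL mode the MA sees only what its ACEs allow, so deletions stay invisible to a
#    delta import unless the account can list and read the Deleted Objects container.
#    Take ownership first (post step 1), then grant List Contents (LC) and
#    Read Property (RP) to the MA account (post step 2).
$deletedObjectsDn = "CN=Deleted Objects,$DomainDn"
& dsacls.exe $deletedObjectsDn /takeownership | Out-Null
& dsacls.exe $deletedObjectsDn /G "${MaAccount}:LCRP" | Out-Null

# 3. Verify: dsacls prints "Allow <trustee>  SPECIAL ACCESS" followed by one line
#    per right, so look at the few lines after the MA account's ACE.
$acl = @(& dsacls.exe $deletedObjectsDn)
$aceLine = -1
for ($i = 0; $i -lt $acl.Count; $i++) {
    if ($acl[$i] -match "^Allow\s+$([regex]::Escape($MaAccount))") { $aceLine = $i; break }
}
if ($aceLine -lt 0) { throw "No ACE for $MaAccount on $deletedObjectsDn" }
$rights = $acl[$aceLine..([Math]::Min($aceLine + 3, $acl.Count - 1))] -join ' '
if ($rights -notmatch 'LIST CONTENTS' -or $rights -notmatch 'READ PROPERTY') {
    throw "$MaAccount has an ACE on $deletedObjectsDn but not LIST CONTENTS + READ PROPERTY"
}
Write-Output "ADMAUseACLSecurity=1 set; $MaAccount can list and read $deletedObjectsDn"
```

The grant is deliberately limited to LC and RP on that one container, so the MA account gains nothing beyond what the post's dsacls listing shows for ma_ADMA.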

ADDITIONAL LINKS / INFORMATION