Management Agent for Active Directory
Applies To: Windows Server 2003 with SP1
Use the management agent for Active Directory® directory service to synchronize data with Active Directory forests running Windows 2000 Server or Windows Server 2003.
Available in Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory® (IIFP)
Management agent type
Supported connected data source versions
MIIS 2003 features supported
- The management agent generates its schema by dynamically discovering the connected data source. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and Management Agent Designer starts so that you can correct any inconsistencies the updated schema introduced, such as deleted object types or deleted attributes.
As a security best practice, use the least privileged Active Directory credentials that will work when you create a management agent for Active Directory. If the management agent only imports data into MIIS 2003, the credentials of any valid, non-administrator user account in the target forest are enough to enumerate that forest's directory partitions and to read the schema directory partition. If you want MIIS 2003 to write to objects in an Active Directory forest, the user account specified in the management agent must, at a minimum, have been delegated the authority to modify objects in the specific container or containers it writes to. Do not use an account that is a member of the Domain Admins group or the Enterprise Admins group unless it is the only available option.
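The following script, added here as an example and not part of the IIFP documentation, shows one way to apply that guidance: it refuses to use an account that is (directly or through nesting) a member of Domain Admins, Enterprise Admins or the built-in Administrators group, and then delegates only the rights a provisioning management agent needs on one OU. The account name CONTOSO\svc-miis-ad, the OU and the domain are hypothetical; the GUID is the well-known schemaIDGUID of the user class.

```powershell
# Added example, not code from the IIFP documentation. Run from a domain-joined
# computer as a user who is allowed to change the OU's security descriptor.
$maAccount = 'CONTOSO\svc-miis-ad'                            # assumed MA service account
$targetOu  = 'LDAP://OU=Provisioned Users,DC=contoso,DC=com'  # assumed container MIIS writes to

# Resolve the account to a SID and read its tokenGroups (nested group membership).
$sid  = (New-Object System.Security.Principal.NTAccount($maAccount)).Translate([System.Security.Principal.SecurityIdentifier])
$user = [ADSI]"LDAP://<SID=$($sid.Value)>"
$user = [ADSI]"LDAP://$($user.distinguishedName)"
$user.psbase.RefreshCache(@('tokenGroups'))

# Refuse to delegate to an already highly privileged account:
# Domain Admins (RID 512), Enterprise Admins (RID 519) or built-in Administrators.
foreach ($raw in $user.psbase.Properties['tokenGroups']) {
    $group = New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
    if ($group.Value -match '-(512|519)$' -or $group.Value -eq 'S-1-5-32-544') {
        throw "$maAccount is a member of a privileged group ($($group.Value)); use a less privileged account"
    }
}

# Delegate only what provisioning needs in this OU: create/delete user objects
# (inherited by sub-OUs) and write the properties of user objects below the OU.
$userClass    = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # schemaIDGUID of the 'user' class
$allow        = [System.Security.AccessControl.AccessControlType]::Allow
$createDelete = [System.DirectoryServices.ActiveDirectoryRights]::CreateChild -bor [System.DirectoryServices.ActiveDirectoryRights]::DeleteChild
$writeProp    = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$inheritAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$descendants  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$ou  = [ADSI]$targetOu
$acl = $ou.psbase.ObjectSecurity
# ACE 1: create and delete child objects of class user on this OU and its sub-OUs.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $createDelete, $allow, $userClass, $inheritAll)))
# ACE 2: write all properties, applied only to descendant objects of class user.
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @($sid, $writeProp, $allow, $descendants, $userClass)))
$ou.psbase.CommitChanges()
```

The two ACEs are deliberately scoped to the user class; if the management agent also provisions groups or contacts, add the same pair of rules with the schemaIDGUID of those classes rather than granting Full Control on the OU. An import-only management agent needs none of this and should keep a plain user account.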
If you are creating a management agent for Active Directory for a Windows 2000 forest, the management agent might not work correctly if the user account credentials in the management agent are specified in user principal name (UPN) format. If this happens, make sure that all Windows 2000 domain controllers in that forest are running at least Service Pack 3 (SP3) so that UPN-format credentials can be used. This is necessary because Lightweight Directory Access Protocol (LDAP) traffic is not signed and encrypted by default on domain controllers running Windows 2000 Service Pack 2 (SP2) or earlier. For more information about signed and encrypted LDAP traffic, see "Connecting to domain controllers running Windows 2000" in Windows Server 2003, Enterprise Edition Help.
If you are using this management agent to provision a child object, be aware that MIIS 2003 does not create a parent object for it in the target connector space. You must import the Active Directory container hierarchy before you provision objects to the connector space that is associated with the management agent for Active Directory. You can do this by creating a management agent for Active Directory that does not have any join or projection rules and then running the management agent in full import mode. By doing this, you create disconnector objects in the connector space for each of the selected containers. For more detailed information about importing container structures from Active Directory, see the Simple Account Provisioning Walkthrough (http://go.microsoft.com/fwlink/?LinkId=72068).
If you rename your root Active Directory domain, you must run the management agent for Active Directory again to discover the new domain name before you complete the Active Directory domain rename process. For information about how to rename an Active Directory domain, see "Renaming domains" in Windows Server 2003, Enterprise Edition Help.
Before you run the rendom.exe /clean step, configure and run the management agent for Active Directory so that it imports the new domain name before the old domain name is deleted.
To configure and run the management agent for Active Directory
1. On the Connect to Active Directory Forest page in Management Agent Designer, type the new forest name and the credentials.
2. On the Configure Directory Partitions page in Management Agent Designer, click Refresh, and then click OK.
3. Run the management agent for Active Directory in full import mode.
4. Complete the domain rename process.
When replication conflicts occur in an Active Directory forest that participates in synchronization, the objects in conflict might be staged as connectors in MIIS 2003. Conflict objects are stored in the connector space, and you can identify them by the substring "\0aCNF:" in their relative distinguished name.
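Before you look for those connectors in MIIS 2003, it is usually quicker to find the conflict objects at their source. The function below, added here as an example and not part of the IIFP documentation, searches the global catalog of the forest the computer is joined to for objects whose RDN carries the CNF marker and splits the RDN into the original name and the conflict GUID. It assumes the account running it can read the global catalog, which any authenticated user in the forest can.

```powershell
# Added example, not code from the IIFP documentation. Lists replication-conflict
# objects in the current forest via the global catalog.
function Get-ConflictObjects {
    $rootDse    = [ADSI]'GC://RootDSE'
    $forestRoot = New-Object System.DirectoryServices.DirectoryEntry("GC://$($rootDse.rootDomainNamingContext)")
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($forestRoot)
    # The RDN of a conflict object is "<original RDN>\nCNF:<objectGUID>"; the line
    # feed (0x0A) is written as \0A in an LDAP filter. cn and ou together cover
    # users, groups, contacts, computers and organizational units.
    $searcher.Filter      = '(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))'
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::Subtree
    $searcher.PageSize    = 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('distinguishedName', 'name', 'whenChanged'))

    foreach ($result in $searcher.FindAll()) {
        # 'name' holds the RDN value; split at the line feed to recover both parts.
        $parts = ([string]$result.Properties['name'][0]).Split("`n")
        $info = New-Object PSObject
        Add-Member -InputObject $info -MemberType NoteProperty -Name OriginalName      -Value $parts[0]
        Add-Member -InputObject $info -MemberType NoteProperty -Name ConflictMarker    -Value $parts[1]
        Add-Member -InputObject $info -MemberType NoteProperty -Name DistinguishedName -Value $result.Properties['distinguishedname'][0]
        Add-Member -InputObject $info -MemberType NoteProperty -Name WhenChanged       -Value $result.Properties['whenchanged'][0]
        $info
    }
}

Get-ConflictObjects | Format-Table OriginalName, ConflictMarker, WhenChanged -AutoSize
```

Resolve each conflict in Active Directory first (keep one copy, delete or rename the other) and then run the management agent in full import mode; MIIS 2003 only stages what the directory contains, so a conflict object that remains in the forest will still appear in the connector space under its CNF name.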
Each Active Directory forest that participates in synchronization requires its own management agent. For example, if you are using MIIS 2003 to synchronize data between two Active Directory forests, you must create two separate management agents to represent each forest.
The Contact object type in Active Directory is the same as the RulesRecipient object type in Exchange Server 5.5.
The Active Directory management agent has a default timeout value of 30 seconds for run profiles.
If you are connecting to Microsoft Exchange Server 2007, the following requirements must be met:
- In Identity Manager, in Properties, on the Configure Extensions page, select Enable Exchange 2007 provisioning. Do not select Enable Exchange 2007 provisioning if there are no Exchange 2007 servers in the target forest; if you do, an error is returned for every object that is exported.
- The MIIS 2003 service account must be a domain account.
- The server running MIIS 2003 must be joined to a domain.
- Windows PowerShell 1.0 and the Exchange 2007 SP1 Management Console must be installed. If you attempt to synchronize to Active Directory without Windows PowerShell 1.0 and the Exchange 2007 SP1 Management Console installed, you receive an extension-dll-exception error.
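The function below, added here as an example and not part of the IIFP documentation, checks those requirements on the MIIS 2003 server before you enable the option. Two details are assumptions rather than facts from this page: that the MIIS 2003 service is registered under the name MIIServer (its service binary is miiserver.exe), and that Exchange 2007 servers can be recognised by a serialNumber beginning with "Version 8" on their msExchExchangeServer object in the configuration partition. The Exchange server count is taken from the forest the MIIS server is joined to; if the target forest is a different one, point the search root at that forest's configuration partition.

```powershell
# Added example, not code from the IIFP documentation. Runs in Windows PowerShell
# 1.0 on the MIIS 2003 server (it uses no v2.0-only syntax).
function Test-Exchange2007ProvisioningPrereqs {
    $result = @{}

    # Requirement: the server running MIIS 2003 must be joined to a domain.
    $cs = Get-WmiObject Win32_ComputerSystem
    $result['ServerDomainJoined'] = [bool]$cs.PartOfDomain

    # Requirement: the MIIS 2003 service account must be a domain account, not
    # LocalSystem, a built-in service identity, or a local user (".\name" or "<host>\name").
    $svc   = Get-WmiObject Win32_Service -Filter "Name='MIIServer'"   # assumed service name
    $logon = ''
    if ($svc) { $logon = [string]$svc.StartName }
    $parts = $logon.Split('\')
    $isUpn = ($logon -like '*@*')
    $isDownLevelDomain = ($parts.Count -eq 2) -and
        ($parts[0] -ne '.') -and ($parts[0] -ne $cs.Name) -and
        ($parts[0] -ne 'NT AUTHORITY') -and ($parts[0] -ne 'NT SERVICE')
    $result['ServiceAccount'] = $logon
    $result['ServiceAccountIsDomainAccount'] = $isUpn -or $isDownLevelDomain

    # Requirement: the Exchange 2007 management tools register this snap-in; its
    # absence is what produces the extension-dll-exception error on export.
    $snapin = Get-PSSnapin -Registered | Where-Object { $_.Name -eq 'Microsoft.Exchange.Management.PowerShell.Admin' }
    $result['ExchangeSnapinRegistered'] = ($snapin -ne $null)

    # Caveat: enable Exchange 2007 provisioning only if the forest has Exchange
    # 2007 servers. Search the whole configuration partition (always present, even
    # when Exchange is not installed) so that a missing Exchange container does not
    # throw. serialNumber "Version 8.*" marking Exchange 2007 is an assumption.
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNc = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($rootDse.configurationNamingContext)")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($configNc)
    $searcher.Filter = '(&(objectClass=msExchExchangeServer)(serialNumber=Version 8*))'
    [void]$searcher.PropertiesToLoad.Add('name')
    $result['Exchange2007ServersInForest'] = $searcher.FindAll().Count

    $result
}

Test-Exchange2007ProvisioningPrereqs
```

Every key in the returned table should be true (and the server count greater than zero) before you select Enable Exchange 2007 provisioning; a count of zero is the case in which the option must stay cleared, because every exported object would otherwise fail.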