Using the Management Agent for Active Directory
By using the management agent for Active Directory, you can synchronize data in Active Directory forests for Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
Connected data source support
Windows 2000 Server Active Directory forest
Windows Server 2003 Active Directory forest
Windows Server 2008 Active Directory forest
Management agent type
This is a call-based management agent.
The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies that were introduced by the updated schema, such as deleted object types or deleted attributes.
As a security best practice, use minimal Active Directory credentials when creating an Active Directory management agent. If you are creating an Active Directory management agent to only import data into Microsoft® Forefront Identity Manager (FIM) 2010 R2, supply credentials for any valid user account (non-administrator account) in the target forest to successfully enumerate that forest's directory partitions and to read the schema directory partition.
A non-administrator must have Replicating Directory Changes permissions for each domain of the forest that the management agent accesses. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft Web Site (http://go.microsoft.com/fwlink/?LinkId=47854).
However, if you want to use FIM to write to objects in an Active Directory forest, the user whose user account credentials are supplied in the Active Directory management agent must, at a minimum, have appropriate permissions to modify objects in a particular container. Do not use an account in the management agent that is a member of the Domain Admins group or the Enterprise Admins group unless it is the only available option.
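The following PowerShell script is an added example, not part of the original page or of the FIM product; it audits the account supplied to an Active Directory management agent against the two points above (Replicating Directory Changes on every domain partition, and no Domain Admins or Enterprise Admins membership). It assumes the ActiveDirectory PowerShell module is installed, and uses 'CONTOSO\svc-fim-ma' as a placeholder account name that lives in the default domain.

```powershell
# Added example (not from the original page or the FIM product): least-privilege audit of
# the account whose credentials are supplied in an Active Directory management agent.
# Assumptions: ActiveDirectory module available; 'CONTOSO\svc-fim-ma' is a placeholder
# account located in the default domain of the session.
Import-Module ActiveDirectory

$maAccount = 'CONTOSO\svc-fim-ma'          # placeholder: the account the MA runs as
$samName   = $maAccount.Split('\')[1]

# Extended-right GUIDs of the replication control access rights in the AD schema.
$ReplGetChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$ReplGetChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All
$extendedRight     = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight

# 1. Replicating Directory Changes must be granted on each domain partition the MA imports.
foreach ($domain in (Get-ADForest).Domains) {
    $domainDn = (Get-ADDomain -Identity $domain).DistinguishedName

    # One PSDrive per domain so the ACL is read from a DC of that domain, not the default one.
    New-PSDrive -Name 'MaAudit' -PSProvider ActiveDirectory -Root '' -Server $domain | Out-Null
    $rules = (Get-Acl -Path "MaAudit:\$domainDn").Access | Where-Object {
        $_.IdentityReference.Value -eq $maAccount -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.ActiveDirectoryRights -band $extendedRight)
    }
    Remove-PSDrive -Name 'MaAudit'

    $hasGet    = [bool]($rules | Where-Object { $_.ObjectType -eq $ReplGetChanges })
    $hasGetAll = [bool]($rules | Where-Object { $_.ObjectType -eq $ReplGetChangesAll })

    if (-not $hasGet) {
        Write-Warning "$domain : $maAccount lacks Replicating Directory Changes; imports from this domain will fail."
    }
    if ($hasGetAll) {
        # Get-Changes-All also exposes secret attributes; the MA only needs Get-Changes.
        Write-Warning "$domain : $maAccount holds Replicating Directory Changes All, which the management agent does not need."
    }
}

# 2. The account should not be in Domain Admins (RID 512) or Enterprise Admins (RID 519).
#    Only direct group membership is checked here; nested membership is not resolved.
$privileged = Get-ADPrincipalGroupMembership -Identity $samName |
    Where-Object { $_.SID.Value -match '-(512|519)$' }
foreach ($group in $privileged) {
    Write-Warning "$maAccount is a member of $($group.Name); use a less privileged account unless it is the only available option."
}
```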
If you are creating an Active Directory management agent for a Windows 2000 forest, the management agent might not work correctly if the user account credentials specified in the management agent are typed by using the user principal name (UPN) format of the user name to authenticate. If this happens, make sure that all Windows 2000 domain controllers in that forest are running at least Service Pack 3 (SP3) to ensure that UPNs can be used. This is necessary because Lightweight Directory Access Protocol (LDAP) traffic is not signed and encrypted by default on domain controllers running Windows 2000 Service Pack 2 (SP2) or earlier. For more information about signed and encrypted LDAP traffic, see "Connecting to domain controllers running Windows 2000" in Windows Server 2003, Enterprise Edition Help.
If you are using this management agent to provision a child object, be aware that FIM does not create a parent object for it in the target connector space. You must import the Active Directory container hierarchy before you provision objects to the connector space that is associated with the management agent for Active Directory. You can do this by creating a management agent for Active Directory that does not have any join or projection rules and then running the management agent in full import mode. By doing this, you create disconnector objects in the connector space for each of the selected containers. For more detailed information about importing container structures from Active Directory, see "Simple Account Provisioning" (FIM_Account_Provisioning.doc) at http://go.microsoft.com/fwlink/?LinkID=34336.
If you rename your root Active Directory domain, you must run the management agent for Active Directory again to discover the new domain name before you complete the Active Directory domain rename process.
For information about how to rename an Active Directory domain, see "Renaming domains" in Windows Server® 2008 operating system Help.
Before you run the rendom.exe /clean step, you must configure and run the management agent for Active Directory. This imports the new domain name before the old domain name is deleted.
On the Connect to Active Directory Forest page in Management Agent Designer, type in the new forest name and credentials.
On the Configure Directory Partitions page in Management Agent Designer, click the Refresh button, then click OK.
Run the management agent for Active Directory in Full Import Mode.
Complete the domain rename process.
When replication conflicts occur in an Active Directory forest that participates in synchronization, it is possible that the objects in conflict are staged as connectors to FIM. Conflict objects are stored in the connector space, and they are identified by having the substring "\0aCNF:" in their relative distinguished name.
Each Active Directory forest that participates in synchronization requires its own management agent. For example, if you are using FIM to synchronize data between two Active Directory forests, you must create two separate management agents to represent each forest.
The Contact object type in Active Directory is the same as the RulesRecipient object type in Exchange Server 5.5.
The Active Directory management agent has a default time-out value for run profiles of 30 seconds.
If you are connecting to Microsoft Exchange Server 2007, the following requirements must be met:
In Synchronization Service Manager, in Properties, select Exchange 2007 in the Provision for drop-down list on the Configure Extensions page.
In the Exchange 2007 RUS Server (optional) text box, you can enter a target server for the Windows PowerShell cmdlets.
Do not select Exchange 2007 if there are no Exchange 2007 servers in the target forest. An error will be returned for every object being exported.
To provision Active Directory accounts, the user account used by the management agent for Active Directory must be an Exchange Administrator.
Windows PowerShell 1.0 and the Exchange 2007 SP1 Management Console must be installed.
You will receive an extension-dll-exception error if you attempt to synchronize to Active Directory without Windows PowerShell 1.0 and the Exchange 2007 SP1 Management Console installed.
If you are connecting to Microsoft Exchange Server 2010, the following requirements must be met:
In Synchronization Service Manager, in Properties, select Exchange 2010 in the Provision for drop-down list on the Configure Extensions page.
In the Exchange 2010 RPS URI box, enter the remote Exchange server in the format http://CAS_SERVER_NAME/powershell.
The account used by the Active Directory management agent (AD MA) must have permission to call the Update-Recipient cmdlet.
Windows PowerShell 2.0 must be installed.
For both Microsoft Exchange 2007 and 2010 the following must also be met:
The FIM service account must be a domain account.
The server running FIM must be joined to a domain.
This management agent supports password management. For more information, see the topics listed under See Also.
Configuring Management Agents
Create a Management Agent
Connect to an Active Directory Forest
Configure Directory Partitions
Select Object Types
Configure Connector Filter Rules
Configure Join and Projection Rules
Configure Attribute Flow Rules
Configure Deprovisioning Rules
Configure Password Management and Specify Rules Extensions