Using the Management Agent for Active Directory Global Address List (GAL)
The management agent for Active Directory global address list (GAL) is preconfigured with rules that synchronize data in Active Directory forests. These forests are enabled for Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, and Microsoft Exchange Server 2007 to create a GAL across multiple forests.
Connected data source support
Windows 2000 Server Active Directory forest enabled for Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, or Microsoft Exchange Server 2007 to create a GAL across multiple forests.
Windows Server 2003 Active Directory forest enabled for Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, or Microsoft Exchange Server 2007 to create a GAL across multiple forests.
Windows Server 2008 Active Directory forest enabled for Microsoft Exchange Server 2000, Microsoft Exchange Server 2003, or Microsoft Exchange Server 2007 to create a GAL across multiple forests.
Management agent type
This is a call-based management agent.
The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies that were introduced by the updated schema, such as deleted object types or deleted attributes.
- As a security best practice, use minimal Active Directory credentials when creating an Active Directory GAL management agent. If you are creating an Active Directory GAL management agent to only import data into FIM, supply credentials for any valid user account (nonadministrator account) in the target forest to successfully enumerate that forest's directory partitions and read the schema directory partition. However, if you want to use FIM to write to objects in an Active Directory forest, the user account credentials supplied in the Active Directory GAL management agent must, at a minimum, have been delegated the appropriate authority to modify objects in a particular container. Do not use an account in the management agent that is a member of the Domain Admins group or the Enterprise Admins group, unless it is the only available option.
In addition, the user credentials that are used in the Active Directory GAL management agent must have the following permissions and privileges:
The same permissions as dirsync control. Dirsync control is a Lightweight Directory Access Protocol (LDAP) server extension that enables an application to search an Active Directory partition for objects that have changed since a previous state.
The Read Only Delegation permission on the Exchange Organization object. Without this permission, the management agent is unable to browse Administrative Groups.
The SE_SYNC_AGENT_NAME privilege. This privilege enables the caller to read all objects and attributes in Active Directory, regardless of the access protections on the objects and attributes. By default, this privilege is assigned to the Administrator and LocalSystem accounts on domain controllers. For more information about how to set this privilege, see the Microsoft Web site.
The DS-Replication-Get-Changes extended right. This right translates into full control rights in the synchronization organizational unit.
Write privileges on the proxyAddresses attribute on all authoritative mail recipient objects (users, contacts, groups, and any additional mail recipient objects you might have configured, such as dynamic distribution lists and mail-enabled Public Folders). This privilege is required only when data is being synchronized into the target forest for which you are supplying user credentials.
Full control of the organizational unit that was selected during the setup of the Active Directory GAL management agent. This right is required only when data is being synchronized into the target forest for which you are supplying user credentials.
The account specified for the management agent must have read permissions on the Configuration container. This is required in order to enumerate the Administrative groups.
Each forest participating in the GAL synchronization must be configured by using a separate management agent for Active Directory GAL.
If an Active Directory GAL management agent is deleted, it does not change the metaverse schema or the flow rules that apply to other GAL management agents.
When you delete a GAL management agent, the schema object types and attributes that were created by that management agent are not removed from the metaverse schema. For example, if a GAL management agent is used to create a custom contact object type (forest1_contact) in the metaverse schema and that GAL management agent is then deleted, the forest1_contact object type remains in the metaverse schema.
If you are connecting to a Microsoft Exchange Server 2007, the following requirements must be met:
In Synchronization Service Manager, in Properties, select Exchange 2007 in the Provision for dropdown on the Configure Extensions page.
In the Exchange 2007 RUS Server (optional) text-box you can enter a target server for the powershell cmdlets.
Do not select Exchange 2007 if there are no Exchange 2007 servers in the target forest. An error will be returned for every object being exported.
To provision Active Directory accounts, the user account used by the management agent for Active Directory must be an Exchange Administrator.
Windows Powershell 1.0 and the Exchange 2007 SP1 Management Console must be installed.
You will receive an extension-dll-exception error if you attempt to synchronize to Active Directory without Powershell 1.0 and the Exchange 2007 SP1 Management Console installed.
If you are connecting to a Microsoft Exchange Server 2010, the following must be met:
In Synchronization Services Manager, in Properties, select Exchange 2010 in Provision for on the Configure Extensions page.
In the Exchange 2010 RPS URI enter the remote Exchange server in the format http://CAS_SERVER_NAME/powershell.
The account used by the AD MA must have permission to call the Update-Recipient cmdlet.
Windows Powershell 2.0 must be installed.
For both Microsoft Exchange 2007 and 2010 the following must also be met:
The FIM service account must be a domain account
The server running FIM must be joined to a domain.
This management agent does not support password management.
Configuring Management Agents
Create a Management Agent
Connect to an Active Directory Forest
Configure Directory Partitions
Configure a Global Address List (GAL)
Select Object Types
Configure Connector Filter Rules
Configure Join and Projection Rules
Configure Attribute Flow Rules
Configure Deprovisioning Rules
Configure Password Management and Specify Rules Extensions