Configure Directory Partitions
For this procedure, in Management Agent Designer, on the Configure Directory Partitions page, you can select Active Directory partitions and containers that contain objects and attributes that you want to synchronize. Also, you can specify credentials that the management agent uses to read from or write to those partitions. To complete this procedure, you must be logged on as a member of the FIMSyncAdmins security group.
To configure directory partitions
In Management Agent Designer, on the Configure Directory Partitions page, in Select directory partitions, click the directory partition for the Active Directory forest that you want to configure. To display configuration partitions or application directory partitions (also known as naming contexts), click Show All.
If you want the management agent to use a different domain controller when logging on for access to the partition, in Domain controller connection settings, click Configure, type a domain controller name, and then click Add. To change the order of preferred domain controllers, click the up or down arrows.
If you always want to use a preferred domain controller, click Only use preferred domain controllers.
In Configure Connection Options, click Options. Select one of the following:
To digitally sign and encrypt all communication with the server, click Sign and encrypt LDAP traffic.
To enable all communication with the server using Secure Sockets Layer, click Enable Secure Sockets Layer (SSL) for communications.
If Enable SSL for the Connection is selected, optionally select Enable Certificate Revocation List Checking.
Under Credentials, do any of the following:
If you want to use the credentials that are provided on the Active Directory Forest Configuration page, click Use default forest credentials.
If you want to use different credentials for this directory partition, click Alternate credentials for this directory partition; click Set Credentials; and then type a user name, password, and logon domain.
To filter and select specific containers for a directory partition, click Containers, and then clear the check boxes next to the containers that contain objects that you do not want to synchronize. By default, the highest-level container and all child containers for a directory partition are selected. You must select at least one container that contains the objects that you want to synchronize.
To filter and select specific containers where permissions or schema configuration do not allow you to select higher-level containers, or to exclude specific containers, click Containers; click Advanced; and then, in Advanced Container, do any of the following:
To add a container, in Specify additional container to add, type the container name, click Include, and then click Add.
To exclude a specific container when its parent container is selected, in Specify additional container to add, type the container name, click Exclude container, and then click Add.
To remove a container, in Containers to synchronize, click a container, and then click Remove.
To enable this partition to be a source for password synchronization, in Password Synchronization, click Enable this partition as a password synchronization source.
If a partition is enabled for password synchronization, to specify one or more target management agents for password synchronization, click Targets, and then, in Target Management Agents, select a management agent. To prevent cyclical password sets by limiting the number of password changes within a 24-hour period, click Specify maximum number of password changes for a 24 hour period, and then select a number.
By default, the first domain controller in Active Directory is used for logging on.
By default, all containers that exist in a directory partition are selected. However, this does not mean that all objects in those containers will be synchronized. When a container is selected, the objects of that container must be selected to be synchronized on the Select Object Types page.
When you select containers, a blue check mark in a white box next to a container indicates that the parent container and all of the child containers are selected. A white check mark in a gray box indicates that the parent container is selected and that one or more child containers are not selected. No check mark in a gray box indicates that at least one child container is selected, but the parent container is not selected. When you create a new management agent, all of the check boxes next to the container objects for the selected partitions are selected by default.
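The container Include/Exclude rules from the steps above and the three check-box states described in this note can be modelled in a few lines. This is an added example, not code from the FIM documentation or product; it assumes container names are LDAP distinguished names (compared case-insensitively, without DN escaping) and that the most specific Include or Exclude entry for an object decides its scope.

```python
# Added example (not from the FIM documentation): models the container
# selection rules of the Configure Directory Partitions page.
from __future__ import annotations

def _parts(dn: str) -> tuple[str, ...]:
    """Split a DN into RDNs, root first, lower-cased (assumption: no escaped commas)."""
    return tuple(p.strip().lower() for p in reversed(dn.split(",")))

def _is_under(dn: str, container: str) -> bool:
    """True if dn equals container or lies beneath it in the tree."""
    d, c = _parts(dn), _parts(container)
    return d[:len(c)] == c

def in_scope(dn: str, includes: list[str], excludes: list[str]) -> bool:
    """Decide whether an object would be synchronized.

    The deepest matching entry wins: excluding a child of an included parent
    removes only that subtree, and an Include nested inside an Exclude re-adds
    just that branch (the 'Advanced Container' behaviour described on the page).
    """
    best_depth, selected = -1, False
    entries = [(c, True) for c in includes] + [(c, False) for c in excludes]
    for container, included in entries:
        if _is_under(dn, container) and len(_parts(container)) > best_depth:
            best_depth, selected = len(_parts(container)), included
    return selected

def check_box_state(container: str, children: list[str],
                    includes: list[str], excludes: list[str]) -> str:
    """Map a container to the three visual states described in the note."""
    parent = in_scope(container, includes, excludes)
    kids = [in_scope(c, includes, excludes) for c in children]
    if parent and all(kids):
        return "full"        # blue check mark in a white box
    if parent:
        return "partial"     # white check mark in a gray box
    if any(kids):
        return "child-only"  # no check mark in a gray box
    return "none"

# Constructed sample forest: sync the whole domain except the Admins OU,
# but re-include the Service Accounts OU that lives beneath it.
DOMAIN = "DC=example,DC=com"
ADMINS = "OU=Admins," + DOMAIN
SVC = "OU=Service Accounts," + ADMINS
SAMPLE_INCLUDES = [DOMAIN, SVC]
SAMPLE_EXCLUDES = [ADMINS]

if __name__ == "__main__":
    for dn in ("CN=Alice,OU=Users," + DOMAIN, "CN=DA1," + ADMINS, "CN=svc-sync," + SVC):
        print(dn, "->", in_scope(dn, SAMPLE_INCLUDES, SAMPLE_EXCLUDES))
    print(DOMAIN, check_box_state(DOMAIN, [ADMINS, "OU=Users," + DOMAIN],
                                  SAMPLE_INCLUDES, SAMPLE_EXCLUDES))
```

Reviewing the resulting scope before running the agent is a cheap way to confirm that privileged containers stay out of synchronization unless deliberately re-included.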
The default port used for connection is 389. If Enable SSL for the Connection is selected, then the port will be changed to 636.
Each time you run the management agent, it logs on to Active Directory by using the user account that you specify in credentials. This user account must have the required rights for the specified action. It is strongly recommended that you create a special user account that has the minimum rights necessary for the action that you want the management agent to perform. For more information, see the topics listed under See Also.
See Also
Using the Management Agent for Active Directory
Using the Management Agent for Active Directory Lightweight Directory Services (ADLDS)
Using the Management Agent for Active Directory Global Address List (GAL)
Forefront Identity Manager 2010 R2 Best Practices for Security