By using the management agent for Active Directory, you can synchronize data in Active Directory forests for Windows 2000 Server, Windows Server 2003, or Windows Server 2008.
Connected data source support
- Windows 2000 Server Active Directory
- Windows Server 2003 Active Directory
- Windows Server 2008 Active Directory
Management agent type
This is a call-based management agent.
The schema is generated based on the dynamic discovery of the data source by the management agent. When you refresh the schema for this management agent, the connected data source schema is rediscovered, the current management agent schema is updated, and Management Agent Designer starts. In Management Agent Designer, you can correct any inconsistencies that were introduced by the updated schema, such as deleted object types or deleted attributes.
- As a security best practice, use minimal Active Directory credentials when creating an Active Directory management agent. If you are creating an Active Directory management agent to only import data into Microsoft® Forefront Identity Manager (FIM) 2010, supply credentials for any valid user account (non-administrator account) in the target forest to successfully enumerate that forest's directory partitions and to read the schema directory partition.
  A non-administrator must have Replicating Directory Changes permissions for each domain of the forest that the management agent accesses. For more information about how to grant the Replicating Directory Changes permission, see the Microsoft Web Site (http://go.microsoft.com/fwlink/?LinkId=47854).
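To verify that the account supplied to the management agent holds only the Replicating Directory Changes right described above, the following PowerShell (an added example, not part of this documentation) lists every principal granted a replication extended right on a domain partition and flags an account that holds more than that one right. It assumes the ActiveDirectory module (RSAT) is installed; CONTOSO\svc-fim-ad is a placeholder account name.

```powershell
# Added example (not part of the FIM documentation). Lists the principals that
# hold the replication extended rights on a domain partition so the management
# agent account can be checked against the least-privilege guidance above.
# Assumes the ActiveDirectory module (RSAT); 'CONTOSO\svc-fim-ad' is a placeholder.
Import-Module ActiveDirectory

# Well-known controlAccessRight GUIDs from the Active Directory schema
$ReplicationRights = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicating Directory Changes All'
    '89e95b76-444d-4c62-991a-0facbeda640c' = 'Replicating Directory Changes In Filtered Set'
}

function Get-ReplicationRightHolders {
    param([string]$PartitionDN = (Get-ADDomain).DistinguishedName)
    # The rights are granted as ACEs on the partition head (the domain NC root)
    $acl = Get-Acl -Path "AD:\$PartitionDN"
    foreach ($ace in $acl.Access) {
        $guid = $ace.ObjectType.ToString()
        if ($ace.AccessControlType -eq 'Allow' -and $ReplicationRights.ContainsKey($guid)) {
            [pscustomobject]@{
                Identity  = $ace.IdentityReference.Value
                Right     = $ReplicationRights[$guid]
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Test-MaAccountRights {
    # Reports whether the MA account has the one right an import-only MA needs
    # and whether it also holds the broader rights the page says to avoid.
    param([string]$Identity = 'CONTOSO\svc-fim-ad', [string]$PartitionDN)
    $splat = @{}
    if ($PartitionDN) { $splat.PartitionDN = $PartitionDN }
    $held = @(Get-ReplicationRightHolders @splat |
        Where-Object { $_.Identity -eq $Identity } |
        Select-Object -ExpandProperty Right)
    [pscustomobject]@{
        Identity        = $Identity
        HasGetChanges   = $held -contains 'Replicating Directory Changes'
        HasExcessRights = @($held | Where-Object { $_ -ne 'Replicating Directory Changes' }).Count -gt 0
    }
}

Get-ReplicationRightHolders | Sort-Object Identity | Format-Table -AutoSize
Test-MaAccountRights
```

Run it once per domain in the forest, since the right is granted per domain partition.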
- However, if you want to use FIM to write to objects in an Active Directory forest, the user whose user account credentials are supplied in the Active Directory management agent must, at a minimum, have appropriate permissions to modify objects in a particular container. Do not use an account in the management agent that is a member of the Domain Admins group or the Enterprise Admins group unless it is the only available option.
- If you are creating an Active Directory management agent for a Windows 2000 forest, the management agent might not work correctly if the user account credentials specified in the management agent are typed by using the user principal name (UPN) format of the user name to authenticate. If this happens, make sure that all Windows 2000 domain controllers in that forest are running at least Service Pack 3 (SP3) to ensure that UPNs can be used. This is necessary because Lightweight Directory Access Protocol (LDAP) traffic is not signed and encrypted by default on domain controllers running Windows 2000 Service Pack 2 (SP2) or earlier. For more information about signed and encrypted LDAP traffic, see "Connecting to domain controllers running Windows 2000" in Windows Server 2003, Enterprise Edition Help.
- If you are using this management agent to provision a child object, be aware that FIM does not create a parent object for it in the target connector space. You must import the Active Directory container hierarchy before you provision objects to the connector space that is associated with the management agent for Active Directory. You can do this by creating a management agent for Active Directory that does not have any join or projection rules and then running the management agent in full import mode. By doing this, you create disconnector objects in the connector space for each of the selected containers. For more detailed information about importing container structures from Active Directory, see "Simple Account Provisioning" (FIM_Account_Provisioning.doc) at
- If you rename your root Active Directory domain, you must run the management agent for Active Directory again to discover the new domain name before you complete the Active Directory domain rename process.
  - For information about how to rename an Active Directory domain, see "Renaming domains" in Windows Server® 2008 operating system Help.
  - Before you run the rendom.exe /clean step, you must configure and run the management agent for Active Directory. This imports the new domain name before the old domain name is deleted.
    - On the Connect to Active Directory Forest page in Management Agent Designer, type in the new forest name and credentials.
    - On the Configure Directory Partitions page in Management Agent Designer, click the Refresh button, then click OK.
    - Run the management agent for Active Directory in Full Import
    - Complete the domain rename process.
- When replication conflicts occur in an Active Directory forest that participates in synchronization, it is possible that the objects in conflict are staged as connectors to FIM. Conflict objects are stored in the connector space, and they are identified by having the substring "\0aCNF:" in their relative
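The following PowerShell, an added example rather than part of this documentation, finds directory objects carrying that conflict marker so they can be resolved before a full import stages them into the connector space. The LDAP filter escapes the line-feed byte as \0A; the ActiveDirectory module (RSAT) is assumed, and the sample name passed at the end is constructed.

```powershell
# Added example (not part of the FIM documentation): detect Active Directory
# replication-conflict objects before they are staged into the connector space.
# AD renames the losing object to "<originalRDN>\0ACNF:<objectGUID>", where \0A
# is a literal line-feed character. Assumes the ActiveDirectory module (RSAT).

function Get-ConflictNameInfo {
    # Splits a conflict name into the original RDN value and the GUID suffix
    param([Parameter(Mandatory)][string]$Name)
    $marker = "`nCNF:"            # line feed followed by "CNF:"
    $idx = $Name.IndexOf($marker)
    if ($idx -lt 0) { return $null }
    [pscustomobject]@{
        OriginalName = $Name.Substring(0, $idx)
        ConflictGuid = $Name.Substring($idx + $marker.Length)
    }
}

function Find-ADConflictObjects {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # "\0A" in an LDAP filter is the hex escape for the line-feed byte,
    # so this matches any cn or ou attribute containing the conflict marker.
    $filter = '(|(cn=*\0ACNF:*)(ou=*\0ACNF:*))'
    Get-ADObject -LDAPFilter $filter -SearchBase $SearchBase -Properties whenChanged |
        ForEach-Object {
            $info = Get-ConflictNameInfo -Name $_.Name
            [pscustomobject]@{
                DistinguishedName = $_.DistinguishedName
                OriginalName      = $info.OriginalName
                ConflictGuid      = $info.ConflictGuid
                WhenChanged       = $_.whenChanged
            }
        }
}

# Constructed sample (no directory needed): what a conflict name looks like
Get-ConflictNameInfo -Name "jdoe`nCNF:6c2a1f0e-0000-4000-8000-000000000000"

# Against a live domain, uncomment the next line:
# Find-ADConflictObjects | Format-Table -AutoSize
```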
- Each Active Directory forest that participates in synchronization requires its own management agent. For example, if you are using FIM to synchronize data between two Active Directory forests, you must create two separate management agents to represent each forest.
- The Contact object type in Active Directory is the same as the RulesRecipient object type in Exchange Server.
- The Active Directory management agent has a default time-out value for run profiles of 30 seconds.
- If you are connecting to a Microsoft Exchange Server 2007, the following requirements must be met:
  - In Synchronization Service Manager, in Properties, select Exchange 2007 in the Provision for drop-down list on the Configure Extensions page.
  - In the Exchange 2007 RUS Server (optional) text box you can enter a target server for the
    Do not select Exchange 2007 if there are no Exchange 2007 servers in the target forest. An error will be returned for every object being exported.
  - To provision Active Directory accounts, the user account used by the management agent for Active Directory must be an Exchange Administrator.
  - Windows PowerShell 1.0 and the Exchange 2007 SP1 Management Console must be installed.
    You will receive an extension-dll-exception error if you attempt to synchronize to Active Directory without PowerShell 1.0 and the Exchange 2007 SP1 Management Console installed.
- If you are connecting to a Microsoft Exchange Server 2010, the following requirements must be met:
  - In Synchronization Service Manager, in Properties, select Exchange 2010 in Provision for on the Configure Extensions page.
  - In the Exchange 2010 RPS URI enter the remote Exchange server in the format
  - The account used by the AD MA must have permission to call the Update-Recipient cmdlet.
  - Windows PowerShell 2.0 must be installed.
  - The FIM service account must be a domain
  - The server running FIM must be joined to a
- This management agent supports password management. For more information, see See Also.
See Also
- Configuring Management Agents
- Create a Management Agent
- Connect to an Active Directory Forest
- Configure Directory Partitions
- Select Object Types
- Select Attributes
- Configure Connector Filter Rules
- Configure Join and Projection Rules
- Configure Attribute Flow Rules
- Configure Deprovisioning Rules
- Configure Password Management and Specify Rules Extensions
- Password Management