Using the management agent for Active Directory global address list (GAL)
The management agent for Active Directory global address list
(GAL) is preconfigured with rules that synchronize data between
Active Directory forests that have been enabled for Microsoft
Exchange Server 2000 or Microsoft Exchange Server 2003, in order to
create a single GAL that spans multiple forests.
The following Microsoft Identity Integration Server 2003 versions
support this management agent:
Identity Integration Feature Pack for Microsoft Windows Server Active Directory
Microsoft Identity Integration Server 2003, Enterprise Edition
Connected data source support
Windows 2000 Server Active Directory forest enabled for
Microsoft Exchange Server 2000 or Microsoft Exchange
Server 2003 to create a GAL across multiple forests.
Windows Server 2003 Active Directory forest enabled for
Microsoft Exchange Server 2000 or Microsoft Exchange
Server 2003 to create a GAL across multiple forests.
The schema is generated based on the dynamic discovery of the
data source by the management agent. When you refresh the schema
for this management agent, the connected data source schema is
rediscovered, the current management agent schema is updated, and
Management Agent Designer starts. In Management Agent Designer, you
can correct any inconsistencies that were introduced by the updated
schema, such as deleted object types or deleted attributes.
Remarks
As a security best practice, use an account with the minimum Active
Directory privileges required when creating an Active Directory GAL
management agent. If the management agent will only import data into
MIIS 2003, supply the credentials of any valid, nonadministrator user
account in the target forest; such an account can enumerate that
forest's directory partitions and read the schema directory partition.
If you want MIIS 2003 to write to objects in an Active Directory
forest, the account supplied in the Active Directory GAL management
agent must, at a minimum, have been delegated the authority to modify
objects in the particular container that is being written to.
Do not use an account that is a member of the Domain Admins group or
the Enterprise Admins group in the management agent unless it is the
only available option; the credentials are stored by MIIS 2003 and
used unattended, so an over-privileged account exposes the forest.
In addition, the user credentials that are used in the Active
Directory GAL management agent must have the following permissions
and privileges:
The same permissions as the DirSync control. The DirSync
control (LDAP_SERVER_DIRSYNC_OID, 1.2.840.113556.1.4.841) is a
Lightweight Directory Access Protocol (LDAP) server control that
enables an application to search an Active Directory partition for
objects that have changed since a previous state, identified by a
cookie returned from the earlier search.
The Read Only Delegation permission on the Exchange
Organization object. Without this permission, the management agent
is unable to browse Administrative Groups.
The SE_SYNC_AGENT_NAME privilege (SeSyncAgentPrivilege, shown
in Group Policy as the "Synchronize directory service data" user
right). This privilege enables the caller to read all objects and
attributes in Active Directory, regardless of the access protections
on the objects and attributes. By default, this privilege is assigned
to the Administrator and LocalSystem accounts on domain controllers.
The DS-Replication-Get-Changes extended right ("Replicating
Directory Changes"), granted on the root of each domain partition the
management agent reads. This is the right that the DirSync control
checks before it returns changed objects. Do not also grant
DS-Replication-Get-Changes-All; the GAL management agent does not
need it, and it allows the account to replicate secret attributes
such as password hashes from the domain.
Write privileges on the proxyAddresses attribute on all
authoritative mail recipient objects (users, contacts, groups, and
any additional mail recipient objects you might have configured,
such as dynamic distribution lists and mail-enabled Public
Folders). This privilege is required only when data is being
synchronized into the target forest for which you are supplying
user credentials.
Full control of the organizational unit that was selected
during the setup of the Active Directory GAL management agent. This
right is required only when data is being synchronized into the
target forest for which you are supplying user credentials.
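The checks above are easy to get wrong when rights are granted through group membership or inherited from a parent container. The following script is an added example, not part of the MIIS 2003 documentation or product: it audits the account that will be supplied to the Active Directory GAL management agent against each requirement in the list (administrator group membership, DS-Replication-Get-Changes and the absence of DS-Replication-Get-Changes-All on the domain partition, full control of the synchronization OU, write access to proxyAddresses on the recipients container, and the SeSyncAgentPrivilege user right). It requires the ActiveDirectory PowerShell module and, for the user-right check, must be run on a domain controller. The account name and the two OU distinguished names are assumptions; adjust them for your forest.

```powershell
# Added example (not from the MIIS 2003 documentation): audit the rights held by
# the account to be used in an Active Directory GAL management agent.
# Requires the ActiveDirectory module (RSAT); run on a domain controller so the
# secedit user-right check reflects that DC's policy.
param(
    [string]$AccountSamName = 'svc-miis-gal',                 # assumed service account
    [string]$SyncOU         = 'OU=GALSync,DC=contoso,DC=com', # assumed OU selected in the MA
    [string]$RecipientsOU   = 'OU=Users,DC=contoso,DC=com'    # assumed container of authoritative recipients
)
Import-Module ActiveDirectory -ErrorAction Stop

$domain  = Get-ADDomain
$forest  = Get-ADForest
$rootDse = Get-ADRootDSE
$account = Get-ADUser -Identity $AccountSamName -Properties tokenGroups

# SIDs of the account plus every group it belongs to (tokenGroups is nested),
# so rights granted through group membership are recognised.
$tokenSids = @($account.SID.Value) + @($account.tokenGroups | ForEach-Object { $_.Value })

# Extended-right GUIDs defined in the AD schema (controlAccessRight objects).
$getChanges    = [guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes
$getChangesAll = [guid]'1131f6ad-9c07-11d1-f79f-00c04fc2dcd2'  # DS-Replication-Get-Changes-All

# Resolve the schemaIDGUID of proxyAddresses from the schema instead of hard-coding it.
$attr = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
    -LDAPFilter '(lDAPDisplayName=proxyAddresses)' -Properties schemaIDGUID
$proxyAddressesGuid = [guid]$attr.schemaIDGUID

function Test-AllowAce {
    # True if any Allow ACE on $Dn grants $Right to one of $tokenSids. When
    # $ObjectType is given, the ACE must name that GUID or be unscoped (empty GUID).
    param(
        [string]$Dn,
        [System.DirectoryServices.ActiveDirectoryRights]$Right,
        [guid]$ObjectType = [guid]::Empty
    )
    $acl = Get-Acl -Path "AD:\$Dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            $aceSid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
        } catch { continue }   # unresolvable trustee; cannot match it to the account
        if ($tokenSids -notcontains $aceSid) { continue }
        if (($ace.ActiveDirectoryRights -band $Right) -ne $Right) { continue }
        if ($ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne [guid]::Empty -and $ace.ObjectType -ne $ObjectType) { continue }
        return $true
    }
    return $false
}

$domainAdminsSid     = "$($domain.DomainSID.Value)-512"
$enterpriseAdminsSid = "$((Get-ADDomain -Identity $forest.RootDomain).DomainSID.Value)-519"
$ncRoot = $domain.DistinguishedName
$extRight = [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight
$fullCtl  = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll
$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty

$isDomainAdmin   = $tokenSids -contains $domainAdminsSid
$isEnterpriseAdm = $tokenSids -contains $enterpriseAdminsSid
$hasGetChanges    = Test-AllowAce -Dn $ncRoot -Right $extRight -ObjectType $getChanges
$hasGetChangesAll = Test-AllowAce -Dn $ncRoot -Right $extRight -ObjectType $getChangesAll
$hasSyncOuFull    = Test-AllowAce -Dn $SyncOU -Right $fullCtl
$hasProxyWrite    = Test-AllowAce -Dn $RecipientsOU -Right $writeProp -ObjectType $proxyAddressesGuid

# SeSyncAgentPrivilege ("Synchronize directory service data") is a user right held
# in the domain controller's local security policy, not in AD ACLs.
$cfg = Join-Path $env:TEMP 'gal-ma-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$rightLine = Select-String -Path $cfg -Pattern '^SeSyncAgentPrivilege' | Select-Object -First 1
$hasSyncAgent = [bool]($rightLine -and ($tokenSids | Where-Object { $rightLine.Line -match [regex]::Escape($_) }))
Remove-Item $cfg -ErrorAction SilentlyContinue

$results = [ordered]@{
    'Member of Domain Admins (should be False)'                 = $isDomainAdmin
    'Member of Enterprise Admins (should be False)'             = $isEnterpriseAdm
    'DS-Replication-Get-Changes on domain NC (DirSync)'         = $hasGetChanges
    'DS-Replication-Get-Changes-All on domain NC (should be False)' = $hasGetChangesAll
    'SeSyncAgentPrivilege on this DC'                           = $hasSyncAgent
    'Full control of sync OU (export only)'                     = $hasSyncOuFull
    'Write proxyAddresses on recipients OU (export only)'       = $hasProxyWrite
}
$results.GetEnumerator() | ForEach-Object { '{0,-62} {1}' -f $_.Key, $_.Value }
if ($hasGetChangesAll) {
    Write-Warning 'Get-Changes-All lets the account replicate secrets (DCSync); the GAL MA does not need it.'
}
```

The write checks are evaluated on the containers rather than on every recipient object, which is sufficient when the rights are granted at the container and inherited; if your delegation is per object, run the proxyAddresses check against a sample of recipient distinguished names instead. The script reports the rights the account holds through any nested group, which is the effective access an attacker would have with the management agent's credentials.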
Each forest participating in the GAL synchronization must be
configured by using a separate management agent for Active
Directory GAL.
If an Active Directory GAL management agent is deleted, it does
not change the metaverse schema or the flow rules that apply to
other GAL management agents.
When you delete a GAL management agent, the schema object types
and attributes that were created by that management agent are not
removed from the metaverse schema. For example, if a GAL management
agent is used to create a custom contact object type
(forest1_contact) in the metaverse schema and that GAL management
agent is then deleted, the forest1_contact object type remains in
the metaverse schema.
This management agent does not support password management.