By using the management agent for Active Directory, you can
synchronize data in Active Directory forests for Windows 2000
Server or Windows Server 2003.
The following Microsoft Identity Integration Server 2003 versions
support this management agent:
Identity Integration Feature Pack for Microsoft® Windows Server™ Active Directory®
Microsoft Identity Integration Server 2003, Enterprise Edition
The schema is generated based on the dynamic discovery of the
data source by the management agent. When you refresh the schema
for this management agent, the connected data source schema is
rediscovered, the current management agent schema is updated, and
Management Agent Designer starts. In Management Agent Designer, you
can correct any inconsistencies that were introduced by the updated
schema, such as deleted object types or deleted attributes.
Remarks
As a security best practice, use minimal Active Directory
credentials when creating an Active Directory management agent. If
you are creating an Active Directory management agent to only
import data into MIIS 2003, supply credentials for any valid
user account (nonadministrator account) in the target forest to
successfully enumerate that forest's directory partitions and to
read the schema directory partition. However, if you want to use
MIIS 2003 to write to objects in an Active Directory forest,
the user account credentials supplied in the Active Directory
management agent must, at a minimum, have been delegated the
appropriate authority to modify objects in a particular container.
Do not use an account in the management agent that is a member of
the Domain Admins group or the Enterprise Admins group unless it is
the only available option.
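One way to review a candidate account against this guidance before its credentials are entered in Management Agent Designer is shown below. This is an added example, not part of this Help topic or of MIIS 2003: it parses an LDIF export of the account (the sample export is constructed; producing a real one with ldifde is an assumption about the operator's tooling) and flags direct membership in Domain Admins or Enterprise Admins, matched by group name and by the well-known primary group RIDs 512 and 519.

```python
"""Flag a candidate management-agent account that violates the
least-privilege guidance: membership in Domain Admins or Enterprise Admins.

Added example; it is not part of the MIIS 2003 Help topic or product. It
works offline on an LDIF export of the account (the sample below is
constructed, in the shape ldifde produces), so it can be run as a review
step before the credentials are typed into Management Agent Designer.
"""
import base64

# Well-known RIDs of the two groups the Help text names; RIDs do not change
# when the groups are renamed or the domain uses a localized display name.
PRIVILEGED_RIDS = {512: "Domain Admins", 519: "Enterprise Admins"}
PRIVILEGED_NAMES = {name.lower() for name in PRIVILEGED_RIDS.values()}

# Constructed sample export: an account that is a direct member of Domain
# Admins, with the default primary group (Domain Users, RID 513). One value
# is folded over two lines, as LDIF permits.
SAMPLE_LDIF = """\
dn: CN=svc-miis-ad,OU=Service Accounts,DC=example,DC=com
changetype: add
memberOf: CN=Domain Admins,CN=Users,DC=example,DC=com
memberOf: CN=MIIS Provisioning Delegates,OU=Service Accounts,DC=example,
 DC=com
primaryGroupID: 513
"""


def parse_ldif(text):
    """Parse LDIF into a list of entries, each a dict of attribute -> [values].

    Handles folded lines (continuation lines start with one space) and
    base64 values ("attr:: <b64>"); attribute names are lower-cased.
    """
    lines = []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a continuation line
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines:
        if not line.strip():                # blank line ends an entry
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):           # "attr:: <base64>"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(name.lower(), []).append(value)
    return entries


def rdn_value(dn):
    """Return the value of the leftmost RDN, e.g. 'Domain Admins'.

    A plain split is enough here: the two group names being matched contain
    no escaped commas.
    """
    return dn.split(",", 1)[0].partition("=")[2].strip()


def privileged_memberships(entry):
    """Return (source, group) pairs for every privileged group the account
    is directly in, via memberOf or via its primary group."""
    findings = []
    for group_dn in entry.get("memberof", []):
        name = rdn_value(group_dn)
        if name.lower() in PRIVILEGED_NAMES:
            findings.append(("memberOf", name))
    for rid in entry.get("primarygroupid", []):
        if int(rid) in PRIVILEGED_RIDS:
            findings.append(("primaryGroupID", PRIVILEGED_RIDS[int(rid)]))
    return findings


def check_export(ldif_text):
    """Map each account DN in the export to its privileged-group findings."""
    return {e["dn"][0]: privileged_memberships(e) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for dn, findings in check_export(SAMPLE_LDIF).items():
        verdict = "REJECT" if findings else "ok"
        print(f"{verdict}: {dn}")
        for source, group in findings:
            print(f"    {source} -> {group}")
```

The memberOf attribute records direct membership only, so an "ok" result rules out the obvious misconfiguration but not membership inherited through nested groups; treat it as a necessary check, not a sufficient one, and confirm that the account holds only the delegated rights on the containers it must write to.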
If you are creating an Active Directory management agent for a
Windows 2000 forest, the management agent might not work
correctly if the user name in the credentials specified in the
management agent is entered in user principal name (UPN)
format. If this happens, make sure
that all Windows 2000 domain controllers in that forest are
running at least Service Pack 3 (SP3) to ensure that UPNs can be
used. This is necessary because Lightweight Directory Access
Protocol (LDAP) traffic is not signed and encrypted by default on
domain controllers running Windows 2000 Service Pack 2
(SP2) or earlier. For more information about signed and encrypted
LDAP traffic, see "Connecting to domain controllers running
Windows 2000" in Windows Server 2003, Enterprise Edition
Help.
If you are using this management agent to provision a child
object, be aware that MIIS 2003 does not create a parent
object for it in the target connector space. You must import the
Active Directory container hierarchy before you provision objects
to the connector space that is associated with the management agent
for Active Directory. You can do this by creating a management
agent for Active Directory that does not have any join or
projection rules and then running the management agent in full
import mode. By doing this, you create disconnector objects in the
connector space for each of the selected containers. For more
detailed information about importing container structures from
Active Directory, see "Simple Account Provisioning"
(MIIS_2003_Account_Provisioning.doc) on the Microsoft
Web site (http://www.microsoft.com/).
If you rename your root Active Directory domain, you must run
the management agent for Active Directory again to discover the new
domain name before you complete the Active Directory domain rename
process.
For information about how to rename an Active Directory domain,
see "Renaming domains" in Windows Server 2003, Enterprise Edition Help.
Before you run the rendom.exe /clean step, you must
configure and run the management agent for Active Directory. This
imports the new domain name before the old domain name is
deleted.
On the Connect to Active Directory Forest page in Management
Agent Designer, type in the new forest name and credentials.
On the Configure Directory Partitions page in Management Agent
Designer, click the Refresh button, then click
OK.
Run the management agent for Active Directory in Full Import
Mode.
Complete the domain rename process.
When replication conflicts occur in an Active Directory forest
that participates in synchronization, it is possible that the
objects in conflict are staged as connectors to MIIS 2003.
Conflict objects are stored in the connector space, and they are
identified by having the substring "\0aCNF:" in their relative distinguished name.
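The following script applies that identification rule to distinguished names exported from the forest or from the connector space. It is an added example, not part of this Help topic or of MIIS 2003; it assumes the DNs come from a tool such as ldifde or csvde, in which the newline inside a conflict RDN appears as the escape sequence \0A, and the sample DNs are constructed. For each conflict object it also reports the object that kept the original name in the same container, when that object is present in the export.

```python
r"""Flag Active Directory replication-conflict objects by their RDN marker.

Added example; not part of the MIIS 2003 Help topic or product. It works on
distinguished names as exported by tools such as ldifde or csvde, in which
the newline inside a conflict RDN is written as the escape sequence "\0A"
(the Help text writes it "\0a"; the hex digit is case-insensitive).
"""
import re

# Marker the Help text describes: "\0aCNF:" followed by the object's GUID.
CNF_MARKER_RE = re.compile(r"\\0aCNF:", re.IGNORECASE)

# Constructed sample export: one user conflict, one container conflict, and
# two names that must NOT be flagged (an escaped comma and a literal "CNF:").
SAMPLE_DNS = [
    "CN=Alice Adams,OU=Staff,DC=example,DC=com",
    "CN=Alice Adams\\0ACNF:5d3a9b8e-1f2c-4a7b-9c0d-1e2f3a4b5c6d,OU=Staff,DC=example,DC=com",
    "OU=Sales\\0aCNF:0f1e2d3c-4b5a-6978-8796-a5b4c3d2e1f0,DC=example,DC=com",
    "CN=Bob\\, Jr.,OU=Staff,DC=example,DC=com",
    "CN=Carol CNF:not-a-marker,OU=Staff,DC=example,DC=com",
]


def split_rdns(dn):
    """Split a string DN into its RDNs, honouring backslash-escaped commas."""
    rdns, current, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i:i + 2])     # keep escape pairs such as "\," intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    return rdns


def parse_conflict(dn):
    r"""Return details of a conflict object, or None if the DN is not one.

    The leaf RDN of a conflict object is "<attr>=<original name>\0aCNF:<guid>".
    """
    rdns = split_rdns(dn)
    attribute, _, value = rdns[0].partition("=")
    match = CNF_MARKER_RE.search(value)
    if match is None:
        return None
    return {
        "dn": dn,
        "attribute": attribute.strip(),
        "original_name": value[:match.start()],
        "guid": value[match.end():].strip(),
        "parent": ",".join(rdns[1:]),
    }


def find_conflicts(dns):
    """Return every conflict object in the export, each paired with the
    object that kept the original name in the same container (or None)."""
    survivors, conflicts = {}, []
    for dn in dns:
        info = parse_conflict(dn)
        if info is not None:
            conflicts.append(info)
            continue
        rdns = split_rdns(dn)
        attribute, _, value = rdns[0].partition("=")
        key = (",".join(rdns[1:]).lower(), attribute.strip().lower(), value.lower())
        survivors[key] = dn
    for info in conflicts:
        key = (info["parent"].lower(), info["attribute"].lower(),
               info["original_name"].lower())
        info["winner"] = survivors.get(key)
    return conflicts


if __name__ == "__main__":
    for c in find_conflicts(SAMPLE_DNS):
        print(f"conflict: {c['dn']}")
        print(f"    original name : {c['attribute']}={c['original_name']}")
        print(f"    object GUID   : {c['guid']}")
        print(f"    kept the name : {c['winner'] or '(not in export)'}")
```

Only the leaf RDN is examined, because that is where the directory places the marker. Running the scan over a connector space or forest export before a synchronization run lets you find staged conflict objects and reconcile them instead of letting both copies flow through the join and projection rules.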
Each Active Directory forest that participates in
synchronization requires its own management agent. For example, if
you are using MIIS 2003 to synchronize data between two Active
Directory forests, you must create two separate management agents
to represent each forest.
The Contact object type in Active Directory is the same as the
RulesRecipient object type in Exchange Server 5.5.
The Active Directory management agent has a default time-out
value for run profiles of 30 seconds.
This management agent supports password management. For more information, see Related Topics.