For this procedure, in Management Agent Designer, on the
Configure Directory Partitions page, you can select Active
Directory partitions and containers that contain objects and
attributes that you want to synchronize. Also, you can specify
credentials that the management agent uses to read from or write to
those partitions. To complete this procedure, you must be logged on as a member of the MIISAdmins security group.
This procedure applies to management agents for the following
Microsoft Identity Integration Server 2003 editions:
Enterprise Edition: Active Directory, Active Directory global address list (GAL),
Active Directory Application Mode (ADAM)
Identity Integration Feature Pack for Active Directory: Active Directory,
Active Directory global address list (GAL), Active Directory Application Mode (ADAM)
To configure directory partitions
In Management Agent Designer, on the Configure
Directory Partitions page, in Select directory
partitions, click the directory partition for the
Active Directory forest that you want to configure. To display
configuration partitions or application directory partitions (also
known as naming contexts), click Show All.
If you want the management agent to use a different domain
controller when logging on for access to the partition, in
Domain controller connection settings, click
Configure, type a domain controller name, and then click
Add. To change the order of preferred domain controllers,
click the up or down arrows, and then complete any of the following
optional steps:
If you always want to use a preferred domain controller, click
Only use preferred domain controller.
If you want to digitally sign and encrypt LDAP communication with the
domain controller by using the Kerberos authentication protocol, click
Sign and encrypt LDAP traffic.
Under Credentials, do any of the following:
If you want to use the credentials that are provided on the
Active Directory Forest Configuration page, click Use
default forest credentials.
If you want to use different credentials for this directory
partition, click Alternate credentials for this directory
partition; click Set Credentials; and then type a user
name, password, and logon domain.
To filter and select specific containers for a directory
partition, click Containers, and then clear the check boxes
next to the containers that contain objects that you do not want to
synchronize. By default, the highest-level container and all child
containers for a directory partition are selected. You must select
at least one container that contains the objects that you want to
synchronize.
To filter and select specific containers where permissions or
schema configuration do not allow you to select higher-level
containers, or to exclude specific containers, click
Containers; click Advanced; and then, in Advanced
Container, do any of the following:
To add a container, in Specify additional container to
add, type the container name, click Include, and then
click Add.
To exclude a specific container when its parent container is
selected, in Specify additional container to add, type the
container name, click Exclude container, and then click
Add.
To remove a container, in Containers to synchronize,
click a container, and then click Remove.
To enable this partition to be a source for password
synchronization, in Password Synchronization, click
Enable this partition as a password synchronization
source.
If a partition is enabled for password synchronization, to
specify one or more target management agents for password
synchronization, click Targets, and then, in Target
Management Agents, select a management agent. To prevent
cyclical password sets by limiting the number of password changes
within a 24-hour period, click Specify maximum number of
password changes for a 24 hour period, and then select a
number.
Notes
By default, the first domain controller in
Active Directory is used for logging on.
By default, all containers that exist in a directory partition
are selected. However, this does not mean that all objects in those
containers will be synchronized. When a container is selected, the
objects of that container must be selected to be synchronized on
the Select Object Types page.
When you select containers, a blue check mark in a white box
next to a container indicates that the parent container and all of
the child containers are selected. A white check mark in a gray box
indicates that the parent container is selected and that one or
more child containers are not selected. No check mark in a gray box
indicates that at least one child container is selected, but the
parent container is not selected. When you create a new management
agent, all of the check boxes next to the container objects for the
selected partitions are selected by default.
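The container scoping rules from the Containers and Advanced Container steps, together with the three check-box states described in the note above, modelled as an added Python example (this is not code from MIIS or from this article). It assumes a constructed forest of distinguished names, treats Include and Exclude entries as plain lists, and resolves overlapping rules by letting the most specific container win, which is an assumption rather than a documented MIIS evaluation order.

```python
from typing import Iterable

def dn_parts(dn: str) -> list[str]:
    """Split a DN into RDNs, most specific first, lower-cased for comparison.
    Simplification: escaped commas inside an RDN are not handled."""
    return [p.strip().lower() for p in dn.split(",")]

def is_within(dn: str, container: str) -> bool:
    """True when dn is the container itself or lies anywhere beneath it."""
    d, c = dn_parts(dn), dn_parts(container)
    return len(d) >= len(c) and d[len(d) - len(c):] == c

def in_scope(object_dn: str, includes: Iterable[str], excludes: Iterable[str]) -> bool:
    """Is the object synchronized? The deepest matching Include/Exclude rule wins
    (assumed longest-match semantics); an Exclude beats an Include at equal depth;
    an object under no Include is out of scope."""
    best_depth, decision = -1, False
    for rules, verdict in ((includes, True), (excludes, False)):
        for container in rules:
            if is_within(object_dn, container):
                depth = len(dn_parts(container))
                if depth >= best_depth:
                    best_depth, decision = depth, verdict
    return decision

def check_state(container: str, all_containers: Iterable[str],
                includes: Iterable[str], excludes: Iterable[str]) -> str:
    """Reproduce the tri-state box from the note: 'full' (blue check, white box),
    'partial' (white check, gray box), 'children-only' (no check, gray box), 'none'."""
    descendants = [c for c in all_containers
                   if is_within(c, container) and c.lower() != container.lower()]
    self_selected = in_scope(container, includes, excludes)
    child_selected = [in_scope(c, includes, excludes) for c in descendants]
    if self_selected and all(child_selected):
        return "full"
    if self_selected:
        return "partial"
    return "children-only" if any(child_selected) else "none"

# Constructed sample partition: the default selection (partition root included)
# with two containers cleared on the Containers page.
PARTITION = "DC=corp,DC=example,DC=com"
CONTAINERS = [
    PARTITION,
    "OU=Users,DC=corp,DC=example,DC=com",
    "OU=Contractors,OU=Users,DC=corp,DC=example,DC=com",
    "OU=ServiceAccounts,DC=corp,DC=example,DC=com",
]
INCLUDES = [PARTITION]
EXCLUDES = ["OU=Contractors,OU=Users,DC=corp,DC=example,DC=com",
            "OU=ServiceAccounts,DC=corp,DC=example,DC=com"]
```

Running `in_scope` over the DNs of objects you expect (or do not expect) to be synchronized is a quick way to confirm a container selection before the first run of the management agent.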
Each time you run the management agent, it logs on to
Active Directory by using the user account that you specify under
Credentials. This user account must have the required rights for
the specified action. It is strongly recommended that you create a
special user account that has the minimum rights necessary for the
action that you want the management agent to perform. For more
information, see Related Topics.