PRODUCTS INVOLVED
- Forefront Identity Manager 2010, R2, R2 SP1
- Microsoft Identity Manager 2016, SP1
COMPONENTS INVOLVED
- Active Directory Management Agent
- GalSync Management Agent
PROBLEM SCENARIO DESCRIPTION
- By default (out of the box), the Active Directory Management Agent and the GalSync Management Agent connect to Active Directory using the DirSync control. To do so, the management agent account requires the "Replicate Directory Changes" permission to communicate with Active Directory. If we do not want to grant "Replicate Directory Changes" to that account, how can we still access Active Directory?
RESOLUTION
- On the Synchronization Service Machine, you can utilize the ADMAUseACLSecurity registry key setting: https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx
Resolution Steps
ADDITIONAL INFORMATION
You may run into issues with permissions on the Deleted Objects container. Here are steps to resolve that issue if encountered.
Resolution Steps for Deleted Objects Container
To make this work, we had to explicitly grant the AD MA account list and read permissions to the Deleted Objects container in the domain. This is done using the dsacls.exe utility to:
1. Change ownership of the Deleted Objects container to the currently logged in user.
2. Grant the ADMA account list and read permissions.

More information:

Use the dsacls.exe utility to explicitly grant the AD MA account list and read access to the Deleted Objects container in the domain. Without this permission, we can't guarantee that the user will be able to read from the Deleted Objects container during delta import. This utility will need to be run as a domain administrator from an administrative cmd.exe prompt. One of the differences between a domain administrator and a standard user object is that the domain administrator automatically has access to the Deleted Objects container. This list/read property access that domain administrators have may make the difference between being able to discover the object deletion in delta import and not. Please use the dsacls.exe utility to check the current permissions on the Deleted Objects container. If the AD MA account doesn't have list and read property access, please use the dsacls.exe utility to add these permissions, and re-test.

Default permissions on the Deleted Objects container:

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY

The command completed successfully

Updated permissions with my AD MA account added:

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow CONTOSO\ma_ADMA                 SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY

The command completed successfully
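A scripted form of the check-then-grant procedure above. This is an added example, not part of the original post and not Microsoft tooling: it takes ownership of the Deleted Objects container, parses the dsacls.exe access list for the MA account, and grants only LC (LIST CONTENTS) and RP (READ PROPERTY) when one of them is missing, so the account receives nothing beyond what delta import needs. The domain contoso.com and the account CONTOSO\ma_ADMA are the sample values from the output above; substitute your own.

```powershell
# Added example (not from the original post): verify and, if needed, grant the AD MA
# account LIST CONTENTS + READ PROPERTY on the Deleted Objects container.
# Assumptions: contoso.com and CONTOSO\ma_ADMA are the post's sample values; run from
# an elevated PowerShell prompt as a domain administrator (needed for /takeownership).
$DeletedObjects = "CN=Deleted Objects,DC=contoso,DC=com"
$MaAccount      = "CONTOSO\ma_ADMA"

function Test-MaDeletedObjectsAccess {
    # Returns $true only when an Allow ACE for the MA account carries both rights.
    # dsacls prints an "Allow <trustee> ..." header line followed by indented right names.
    $lines   = dsacls.exe $DeletedObjects
    $inAce   = $false
    $hasList = $false
    $hasRead = $false
    foreach ($line in $lines) {
        if ($line -match '^(Allow|Deny)\s') {
            # A new ACE starts; track it only if it is an Allow for our account.
            $inAce = ($line -match '^Allow\s') -and ($line -like "*$MaAccount*")
        }
        if ($inAce) {
            if ($line -match 'LIST CONTENTS') { $hasList = $true }
            if ($line -match 'READ PROPERTY') { $hasRead = $true }
        }
    }
    return ($hasList -and $hasRead)
}

# Step 1: take ownership so the logged-in domain administrator can modify the ACL.
dsacls.exe $DeletedObjects /takeownership | Out-Null

# Step 2: grant the minimum rights for delta import: LC (LIST CONTENTS) and RP (READ PROPERTY).
# Braces around the variable name keep PowerShell from reading "$MaAccount:" as a drive qualifier.
if (-not (Test-MaDeletedObjectsAccess)) {
    dsacls.exe $DeletedObjects /G "${MaAccount}:LCRP" | Out-Null
}

# Re-check and report, then show the resulting ACE for the record.
if (Test-MaDeletedObjectsAccess) {
    Write-Output "$MaAccount has LIST CONTENTS and READ PROPERTY on $DeletedObjects"
} else {
    Write-Warning "$MaAccount still lacks list/read on $DeletedObjects; review the dsacls output"
}
dsacls.exe $DeletedObjects | Select-String -Pattern ([regex]::Escape($MaAccount)) -Context 0, 2
```

The `/G` switch appends an ACE containing only the rights named after the colon, which matches the two-line "SPECIAL ACCESS / LIST CONTENTS / READ PROPERTY" entry in the post's "updated permissions" output; re-running the script is harmless because it grants only when the check fails.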
ADDITIONAL LINKS / INFORMATION
- Registry Keys and Configuration File Settings in FIM 2010: https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx
- Management Agent for Active Directory: https://technet.microsoft.com/en-us/library/cc720645(v=ws.10).aspx
- Install MIM 2016: Synchronize Active Directory and MIM Service: https://docs.microsoft.com/en-us/microsoft-identity-manager/install-mim-sync-ad-service
- Support-Info: (CONNECTORS): Supported Active Directory (AD) Version for Active Directory Management Agent (ADMA): https://blogs.technet.microsoft.com/iamsupport/2018/03/23/support-info-connectors-supported-active-directory-ad-version-for-active-directory-management-agent-ad-ma/
- FIM Reference: How to set more granular permissions than "replicating directory changes" on a source AD read by the ADMA: https://social.technet.microsoft.com/wiki/contents/articles/16874.fim-reference-how-to-set-more-granular-permissions-than-replicating-directory-changes-on-a-source-ad-read-by-the-adma.aspx
- How to grant "Replicate Directory Permissions": https://support.microsoft.com/en-us/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr