Support-Info: (CONNECTORS): How to work around the "Replicate Directory Changes" to connect to AD for the ADMA or GalSync MA
PRODUCTS INVOLVED
- Forefront Identity Manager 2010, R2, R2 SP1
- Microsoft Identity Manager 2016, SP1
COMPONENTS INVOLVED
- Active Directory Management Agent
- GalSync Management Agent
PROBLEM SCENARIO DESCRIPTION
- By default, the Active Directory Management Agent and the GalSync Management Agent connect to Active Directory using the DirSync control. To use DirSync, the management agent account requires the "Replicate Directory Changes" permission on the domain. If you do not want to grant "Replicate Directory Changes" to that account, how can the management agent still read from Active Directory?
RESOLUTION
- On the Synchronization Service machine, you can use the ADMAUseACLSecurity registry key setting: https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx
ADDITIONAL INFORMATION
You may run into issues with permissions on the Deleted Objects container. Here are steps to resolve that issue if encountered.
Resolution Steps for Deleted Objects Container
To make this work, we had to explicitly grant the AD MA account list and read permissions to the Deleted Objects container in the domain. This is done using the dsacls.exe utility to:
1. Change ownership of the Deleted Objects container to the currently logged in user
2. Grant the ADMA account list and read permissions
More information: Use the dsacls.exe utility to explicitly grant the AD MA account list and read access to the Deleted Objects container in the domain. Without this permission, we can't guarantee that the user will be able to read from the deleted objects container during delta import. This utility will need to be run as a domain administrator from an administrative cmd.exe prompt.
https://support.microsoft.com/en-us/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-objects-container
One of the differences between the domain administrator and a standard user object is that the domain administrator automatically has access to the deleted objects container. This list/read property access that domain administrators have may make the difference between being able to discover the object deletion in delta import and not. Please use the dsacls.exe utility to check the current permissions on the deleted objects container.
If the AD MA account doesn't have list and read properties access, please use the dsacls.exe utility to add these permissions, and re-test.
Default permissions on Deleted Objects container:
C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY
The command completed successfully
Updated permissions with my AD MA account added:
C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM
Access list:
{This object is protected from inheriting permissions from the parent}
Allow CONTOSO\ma_ADMA                 SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow BUILTIN\Administrators          SPECIAL ACCESS
                                      LIST CONTENTS
                                      READ PROPERTY
Allow NT AUTHORITY\SYSTEM             SPECIAL ACCESS
                                      DELETE
                                      READ PERMISSONS
                                      WRITE PERMISSIONS
                                      CHANGE OWNERSHIP
                                      CREATE CHILD
                                      DELETE CHILD
                                      LIST CONTENTS
                                      WRITE SELF
                                      WRITE PROPERTY
                                      READ PROPERTY
The command completed successfully
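As an added example (not code from this Support-Info post or from Microsoft), the following PowerShell wraps the two dsacls.exe steps above: it checks whether the AD MA account already holds List Contents and Read Property on the Deleted Objects container, grants exactly those two rights (LC and RP) if it does not, and re-checks by parsing the dsacls listing. The account name CONTOSO\ma_ADMA, the container DN, and the assumption that dsacls separates the trustee column from the rights column with at least two spaces are taken from or inferred from the output shown above.

```powershell
# Added example, not code from the Support-Info post or from Microsoft. Assumes an
# elevated session as a domain administrator, dsacls.exe on the PATH, and that dsacls
# pads the trustee column with at least two spaces (as in the output shown above).
$DefaultDn = 'CN=Deleted Objects,DC=contoso,DC=com'   # DN from the post's example

function Get-DeletedObjectsAces {
    param([string]$ContainerDn = $DefaultDn)
    # dsacls with no switches only lists the ACL; it changes nothing.
    $lines = & dsacls.exe $ContainerDn
    if ($LASTEXITCODE -ne 0) { throw "dsacls.exe failed for $ContainerDn" }
    $aces = @(); $current = $null
    foreach ($line in $lines) {
        if ($line -match '^(Allow|Deny)\s+(.+?)(?:\s{2,}(\S.*))?\s*$') {
            # New ACE: type, trustee, and (optionally) the first right on the same line
            $current = [pscustomobject]@{ Type = $Matches[1]; Trustee = $Matches[2]; Rights = @() }
            if ($Matches[3] -and $Matches[3] -ne 'SPECIAL ACCESS') { $current.Rights += $Matches[3] }
            $aces += $current
        } elseif ($current -and $line -match '^\s+(\S.*?)\s*$') {
            # Indented continuation line: one more right for the current ACE
            $current.Rights += $Matches[1]
        } else { $current = $null }   # Owner:, Group:, blank lines, etc.
    }
    return $aces
}

function Test-DeletedObjectsMaAccess {
    param([string]$Account = 'CONTOSO\ma_ADMA', [string]$ContainerDn = $DefaultDn)
    $rights = @(Get-DeletedObjectsAces -ContainerDn $ContainerDn |
        Where-Object { $_.Type -eq 'Allow' -and $_.Trustee -eq $Account } |
        ForEach-Object { $_.Rights })
    # Delta import only needs List Contents + Read Property (Full Control implies both)
    $ok = ($rights -contains 'LIST CONTENTS' -and $rights -contains 'READ PROPERTY') -or
          ($rights -contains 'FULL CONTROL')
    [pscustomobject]@{ Account = $Account; HasListAndRead = $ok; Rights = $rights }
}

function Grant-DeletedObjectsMaAccess {
    param([string]$Account = 'CONTOSO\ma_ADMA', [string]$ContainerDn = $DefaultDn)
    # Step 1 from the post: take ownership so the current admin may edit the ACL
    & dsacls.exe $ContainerDn /takeownership | Out-Null
    # Step 2: grant only List Contents (LC) and Read Property (RP), nothing broader
    & dsacls.exe $ContainerDn /G "${Account}:LCRP" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsacls.exe /G failed for $Account" }
    Test-DeletedObjectsMaAccess -Account $Account -ContainerDn $ContainerDn
}

# Usage: check first, grant only if the ACE is missing, then re-check
$state = Test-DeletedObjectsMaAccess
if (-not $state.HasListAndRead) { $state = Grant-DeletedObjectsMaAccess }
$state | Format-List
```

The grant is idempotent, so re-running the script after a delta import failure is safe; the only rights it ever adds are the two the post calls for.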
ADDITIONAL LINKS / INFORMATION
Registry Keys and Configuration File Settings in FIM 2010: https://msdn.microsoft.com/en-us/library/ff800821(v=ws.10).aspx
Management Agent for Active Directory: https://technet.microsoft.com/en-us/library/cc720645(v=ws.10).aspx
Install MIM 2016: Synchronize Active Directory and MIM Service: /en-us/microsoft-identity-manager/install-mim-sync-ad-service
Support-Info: (CONNECTORS): Supported Active Directory (AD) Version for Active Directory Management Agent (ADMA): https://blogs.technet.microsoft.com/iamsupport/2018/03/23/support-info-connectors-supported-active-directory-ad-version-for-active-directory-management-agent-ad-ma/
FIM Reference: How to set more granular permissions than "replicating directory changes" on a source AD read by the ADMA: https://social.technet.microsoft.com/wiki/contents/articles/16874.fim-reference-how-to-set-more-granular-permissions-than-replicating-directory-changes-on-a-source-ad-read-by-the-adma.aspx
How to grant "Replicate Directory Permissions": https://support.microsoft.com/en-us/help/303972/how-to-grant-the-replicating-directory-changes-permission-for-the-micr