Support-Info: (CONNECTORS): How to work around the “Replicate Directory Changes” to connect to AD for the ADMA or GalSync MA

PRODUCTS INVOLVED

  • Forefront Identity Manager 2010, R2, R2 SP1
  • Microsoft Identity Manager 2016, SP1

COMPONENTS INVOLVED

  • Active Directory Management Agent
  • GalSync Management Agent

PROBLEM SCENARIO DESCRIPTION

  • Out of the box, the Active Directory Management Agent and the GalSync Management Agent connect to Active Directory using the DirSync control. To use the DirSync control, the management agent account requires the “Replicate Directory Changes” permission in Active Directory. If we do not want to grant “Replicate Directory Changes” to that account, how can the management agent still access Active Directory?

RESOLUTION

Resolution Steps
      1. Open the Windows Registry (regedit.exe) on the Synchronization Service machine
      2. Navigate to HKLM\System\CurrentControlSet\Services\FIMSynchronizationService\Parameters
      3. Add a new DWORD value named ADMAUseACLSecurity
      4. Set it to 1

   Value   Behavior
   0       Use the DirSync Control and the “Replicate Directory Changes” permission (the default)
   1       Use Active Directory ACLs for permission
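The registry change above, as an added PowerShell example (not part of the original article). It creates or overwrites the ADMAUseACLSecurity DWORD under the Parameters key named in the steps, reads it back to confirm the value, and then restarts the FIMSynchronizationService service so the change is picked up; the article does not state that a restart is required, so that step is an assumption. Run it in an elevated PowerShell session on the Synchronization Service machine.

```powershell
# Added example, not from the original article: switch the AD MA / GalSync MA
# from the DirSync control (needs "Replicate Directory Changes") to AD ACL-based
# security by setting ADMAUseACLSecurity = 1.
$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\FIMSynchronizationService\Parameters'
$name = 'ADMAUseACLSecurity'

# The Parameters key normally exists on a Sync Service machine; create it if not.
if (-not (Test-Path -Path $key)) {
    New-Item -Path $key -Force | Out-Null
}

# 0 = DirSync control + "Replicate Directory Changes" (default), 1 = use AD ACLs.
# -Force makes this idempotent: it overwrites an existing value instead of failing.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Read the value back so a typo in the name or a failed write is caught here,
# not during the next import run.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne 1) {
    throw "Expected $name = 1 under $key but found '$current'"
}
"{0}\{1} = {2}" -f $key, $name, $current

# Assumption: the Synchronization Service reads this value at start-up, so restart it
# (this interrupts any run profile currently executing, so do it in a quiet window).
Restart-Service -Name 'FIMSynchronizationService'
```

If the value is later set back to 0, the management agent account once again needs “Replicate Directory Changes” on the domain, so keep the registry value and the account's AD permissions in step with each other.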


ADDITIONAL INFORMATION

You may run into issues with permissions on the Deleted Objects container. Here are steps to resolve that issue if encountered.

Resolution Steps for Deleted Objects Container
To make this work, we had to explicitly grant the AD MA account list and read permissions to the Deleted Objects container in the domain.  This is done using the dsacls.exe utility to:

1. Change ownership of the Deleted Objects container to the currently logged in user

2. Grant the ADMA account list and read permissions

More information:

Use the dsacls.exe utility to explicitly grant the AD MA account list and read access to the Deleted Objects container in the domain.  Without this permission, we can’t guarantee that the user will be able to read from the deleted objects container during delta import.

This utility will need to be run as a domain administrator from an administrative cmd.exe prompt.

https://support.microsoft.com/en-us/help/892806/how-to-let-non-administrators-view-the-active-directory-deleted-objects-container

One difference between a domain administrator and a standard user account is that the domain administrator automatically has access to the Deleted Objects container. That list/read property access is what can make the difference between delta import discovering an object deletion and missing it.

Please use the dsacls.exe utility to check the current permissions on the deleted objects container.  If the AD MA account doesn’t have list and read properties access, please use the dsacls.exe utility to add these permissions, and re-test.
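The check-and-grant procedure above, as an added PowerShell example (not part of the original article). It runs dsacls.exe without switches to read the current ACL of the Deleted Objects container, looks for an Allow entry for the MA account that carries LIST CONTENTS and READ PROPERTY, and only if they are missing takes ownership and grants them with dsacls /g using the LC (list contents) and RP (read property) rights. The domain DN and the CONTOSO\ma_ADMA account are the sample values from the article and should be replaced with your own; the Get-DsaclsAce helper and its output parsing are assumptions about the dsacls output layout shown in the article. Run from an elevated prompt as a domain administrator.

```powershell
# Added example, not from the original article: verify, and if needed grant, the
# AD MA account list/read access on the Deleted Objects container via dsacls.exe.
param(
    [string]$DomainDn  = 'DC=contoso,DC=com',   # placeholder from the article's sample
    [string]$MaAccount = 'CONTOSO\ma_ADMA'      # placeholder from the article's sample
)
$container = "CN=Deleted Objects,$DomainDn"

function Get-DsaclsAce {
    # Returns the text of the Allow ACE for $Account as printed by dsacls, or $null.
    # Assumption: dsacls prints "Allow <account>  SPECIAL ACCESS" followed by one
    # indented right per line until the next Allow/Deny line or the closing message,
    # which matches the listings in the article.
    param([string]$Container, [string]$Account)
    $text = (& dsacls.exe $Container | Out-String)
    $pattern = "(?ms)^Allow\s+$([regex]::Escape($Account))\s.*?(?=^(Allow|Deny)\s|^The command)"
    $m = [regex]::Match($text, $pattern)
    if ($m.Success) { return $m.Value }
    return $null
}

function Test-DeletedObjectsAccess {
    # True only when both rights the article calls for are present on the ACE.
    param([string]$Container, [string]$Account)
    $ace = Get-DsaclsAce -Container $Container -Account $Account
    if (-not $ace) { return $false }
    return ($ace -match 'LIST CONTENTS') -and ($ace -match 'READ PROPERTY')
}

if (Test-DeletedObjectsAccess -Container $container -Account $MaAccount) {
    "$MaAccount already has LIST CONTENTS and READ PROPERTY on $container"
}
else {
    # Step 1 from the article: take ownership so the ACL can be edited.
    & dsacls.exe $container /takeownership | Out-Null
    # Step 2: grant LC (list contents) + RP (read property) to the MA account only;
    # no write or delete rights are added, which keeps the account least-privilege.
    & dsacls.exe $container /g "${MaAccount}:LCRP" | Out-Null

    # Re-read the ACL rather than trusting the exit code.
    if (-not (Test-DeletedObjectsAccess -Container $container -Account $MaAccount)) {
        throw "Grant of LIST CONTENTS / READ PROPERTY to $MaAccount on $container did not take effect"
    }
    "Granted LIST CONTENTS and READ PROPERTY to $MaAccount on $container"
}
```

After the grant, re-run a delta import on the AD MA to confirm that object deletions are now discovered; the second listing in the article shows what the resulting dsacls output should look like.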

Default permissions on Deleted Objects container

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow BUILTIN\Administrators  SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                              DELETE
                              READ PERMISSONS
                              WRITE PERMISSIONS
                              CHANGE OWNERSHIP
                              CREATE CHILD
                              DELETE CHILD
                              LIST CONTENTS
                              WRITE SELF
                              WRITE PROPERTY
                              READ PROPERTY

The command completed successfully

Updated permissions with my AD MA account added

C:\Users\mimadmin>dsacls.exe "cn=deleted objects,DC=contoso,dc=com" /takeownership
Owner: CONTOSO\Domain Admins
Group: NT AUTHORITY\SYSTEM

Access list:
{This object is protected from inheriting permissions from the parent}
Allow CONTOSO\ma_ADMA         SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow BUILTIN\Administrators  SPECIAL ACCESS
                              LIST CONTENTS
                              READ PROPERTY
Allow NT AUTHORITY\SYSTEM     SPECIAL ACCESS
                              DELETE
                              READ PERMISSONS
                              WRITE PERMISSIONS
                              CHANGE OWNERSHIP
                              CREATE CHILD
                              DELETE CHILD
                              LIST CONTENTS
                              WRITE SELF
                              WRITE PROPERTY
                              READ PROPERTY

The command completed successfully

ADDITIONAL LINKS / INFORMATION