2.7 Becoming Familiar with Driver Features

2.7.1 Schema Changes

The Multi-Domain Active Directory driver introduces two multi-valued, path-syntax attributes, DirXML-MDADContext and DirXML-MDADAliasName, so that multiple Multi-Domain Active Directory drivers can be used with the same Identity Vault. DirXML-MDADContext stores the user's current Active Directory context (the LDAP DN). DirXML-MDADAliasName stores the user's current Active Directory logon attribute (sAMAccountName or userPrincipalName).

2.7.2 Structuring eDirectory Container Hierarchy

The Multi-Domain Active Directory driver provides two ways of organizing Active Directory objects that are spread across multiple domains in the forest:

Mirrored

In Mirrored mode, each domain is mapped to a separate container created in eDirectory under the user container idv.dit.data.users. This container stores all the directory objects that belong to that domain. An object must be created within this hierarchy for it to be synchronized to the corresponding Active Directory domain. The driver automatically matches the objects created in this container with the Active Directory container configured in the Synchronization Settings under the Configuration tab of the Driver Properties page. For more information, see Synchronization Settings. The path to this container must be entered in the Domain Container field on the Synchronization Settings page.

When using the User Account entitlement, user objects residing in a Domain Container can be assigned only to that particular domain.

Flat

In Flat mode, all domains are mapped to the single user container idv.dit.data.users. This container stores the directory objects belonging to all domains. In this mode, policy customization is required to match users to the corresponding Active Directory container configured in the Synchronization Settings under the Configuration tab of the Driver Properties page. For more information, see Synchronization Settings. The path idv.dit.data.users must be entered in the Domain Container field on the Synchronization Settings page.

When using the User Account entitlement, user objects are automatically synchronized to the domain that is named in the entitlement assignment value.

2.7.3 Moving Cross Domain Objects

When the Multi-Domain Active Directory driver is configured in Mirrored mode, a move between eDirectory domain containers is interpreted as a move between the respective Active Directory domains.

When the driver does not mirror the forest's domain structure but instead synchronizes in Flat mode, a User Account entitlement reassignment from one domain value to another is interpreted as a move between those two domains.

2.7.4 Automatic Failover

If a domain controller (DC) fails, the driver fails over automatically as follows:

  1. The driver waits for the DC to come back online for a period equal to the Time to Wait interval.

  2. After the Time to Wait interval expires, the driver automatically tries to connect to another domain controller. The secondary server can be configured explicitly, or the driver can be allowed to locate one automatically at startup.

2.7.5 Multivalue Attributes

When the Multi-Domain Active Directory driver synchronizes a multivalued attribute with a single-valued attribute, the multivalued attribute is treated as single-valued. For example, the Telephone Number attribute is single-valued in Active Directory and multivalued in the Identity Vault. When this attribute is synchronized from Active Directory, only a single value is stored in the Identity Vault.

This creates true synchronization and mapping between the two attributes, but it can result in data loss if an attribute that holds multiple values is mapped to a single-valued attribute. In most cases, a policy can be implemented to preserve the extra values in another location if your environment requires it.

2.7.6 Using Custom Boolean Attributes to Manage Account Settings

The Active Directory attribute userAccountControl is an integer whose bits control logon account properties, such as whether logon is allowed, whether a password is required, or whether the account is locked out. Synchronizing these Boolean properties individually is difficult because each property is embedded as a single bit in the integer value.

Each bit within the userAccountControl attribute can be referenced individually as a Boolean value, or userAccountControl can be managed as a whole as an integer. The driver recognizes a Boolean alias for each bit within userAccountControl. These alias values are included in the schema for any class that includes userAccountControl. The alias values are accepted on the Subscriber channel and are presented on the Publisher channel.

The advantage is that each bit can be used as a Boolean, so a bit can be enabled individually in the Publisher filter and accessed easily. You can also put userAccountControl itself into the Publisher filter to receive change notifications as an integer.

Do not mix the integer and alias forms of userAccountControl in a single configuration.

The following table lists the available aliases and their hexadecimal values. Read-only aliases cannot be set on the Subscriber channel.

Table 2-3 Aliases and Hexadecimal Values

Alias                                    Hexadecimal   Notes
dirxml-uACAccountDisable                 0x0002        Read-write
dirxml-uACDontExpirePassword             0x10000       Read-write
dirxml-uACEncryptedTextPasswordAllowed   0x0080        Read-write
dirxml-uACHomedirRequired                0x0008        Read-write
dirxml-uACInterdomainTrustAccount        0x0800        Read-only
dirxml-uACNormalAccount                  0x0200        Read-only
dirxml-uACPasswordCantChange             0x0040        Read-only
dirxml-uACScript                         0x0001        Read-write
dirxml-uACPasswordNotRequired            0x0020        Read-write
dirxml-uACServerTrustAccount             0x2000        Read-only
dirxml-uACWorkstationTrustAccount        0x1000        Read-only
dirxml-uACLockout                        0x0010        Read-write

For troubleshooting tips relating to the userAccountControl attribute, see The Active Directory Account Is Disabled after a User Add on the Subscriber Channel.
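The following is an added example and is not code from the NetIQ driver or its documentation. It shows what the alias mapping in Table 2-3 amounts to in practice: decoding a userAccountControl integer into the dirxml-uAC* Booleans (the Publisher view), and applying alias changes back onto the integer without disturbing the bits a policy did not name (the Subscriber view). The masks and the read-only flags are taken from the table; the sample values (0x0202, a normal account with the disable bit set) are constructed for illustration. The ValueError on a read-only alias models the rule that such aliases cannot be set on the Subscriber channel; it is not the driver's own error handling.

```python
# Added example, not code from the NetIQ driver or its documentation: decodes and
# updates the Active Directory userAccountControl integer using the dirxml-uAC*
# alias names and bit values listed in Table 2-3. The writable flag mirrors the
# rule that read-only aliases cannot be set on the Subscriber channel.

UAC_ALIASES = {
    # alias: (bit mask, settable on the Subscriber channel)
    "dirxml-uACScript": (0x0001, True),
    "dirxml-uACAccountDisable": (0x0002, True),
    "dirxml-uACHomedirRequired": (0x0008, True),
    "dirxml-uACLockout": (0x0010, True),
    "dirxml-uACPasswordNotRequired": (0x0020, True),
    "dirxml-uACPasswordCantChange": (0x0040, False),
    "dirxml-uACEncryptedTextPasswordAllowed": (0x0080, True),
    "dirxml-uACNormalAccount": (0x0200, False),
    "dirxml-uACInterdomainTrustAccount": (0x0800, False),
    "dirxml-uACWorkstationTrustAccount": (0x1000, False),
    "dirxml-uACServerTrustAccount": (0x2000, False),
    "dirxml-uACDontExpirePassword": (0x10000, True),
}


def decode_uac(value):
    """Publisher view: integer -> {alias: bool} for every alias in Table 2-3."""
    return {alias: bool(value & mask) for alias, (mask, _) in UAC_ALIASES.items()}


def set_aliases(value):
    """Aliases whose bit is set, in table order (useful in a trace line)."""
    return [alias for alias, on in decode_uac(value).items() if on]


def is_writable(alias):
    """True if the alias may be set on the Subscriber channel."""
    return UAC_ALIASES[alias][1]


def apply_uac_changes(current, changes):
    """Subscriber view: apply {alias: bool} to the current integer.

    Bits not named in `changes` are preserved, so a policy that writes only
    dirxml-uACAccountDisable does not clobber the rest of the value. Trying to
    set a read-only alias raises, mirroring the Subscriber-channel restriction.
    """
    value = current
    for alias, enabled in changes.items():
        mask, writable = UAC_ALIASES[alias]
        if not writable:
            raise ValueError(f"{alias} is read-only on the Subscriber channel")
        value = (value | mask) if enabled else (value & ~mask)
    return value


if __name__ == "__main__":
    # Constructed sample: 0x0202 is a normal account with the disable bit set.
    disabled = 0x0202
    print(hex(disabled), set_aliases(disabled))
    enabled = apply_uac_changes(disabled, {"dirxml-uACAccountDisable": False})
    print(hex(enabled), set_aliases(enabled))
```

Keeping the untouched bits is the point of the alias form: a policy that only flips dirxml-uACAccountDisable must not silently clear dirxml-uACDontExpirePassword or any other flag, which is exactly what would happen if the same policy instead wrote a freshly computed integer value.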

2.7.7 Provisioning Exchange Mailboxes

The Multi-Domain Active Directory driver can be configured to provision Exchange mailboxes as well as Active Directory accounts. The Multi-Domain Active Directory driver can provision Exchange Server 2010, Exchange Server 2013, and Exchange Server 2016 mailboxes. For information on configuring the driver to provision the Exchange mailboxes, see Section 8.0, Provisioning Exchange Mailboxes.

2.7.8 Expiring Accounts in Active Directory

If you map the eDirectory attribute Login Expiration Time to the Active Directory attribute accountExpires, the account in Active Directory expires a day earlier than the time set in eDirectory.

This happens because Active Directory sets the value of accountExpires in full-day increments, whereas the eDirectory attribute Login Expiration Time uses a specific day and time to expire the account.

For example, if you set an account in eDirectory to expire on July 15, 2007, at 5:00 p.m., the last full day the account is valid in Active Directory is July 14.

If you use the Microsoft Management Console to set the account to expire on July 15, 2007, the eDirectory attribute Login Expiration Time is set to July 16, 2007, at 12:00 a.m. Because the Microsoft Management Console does not allow a time of day to be set, the default is 12:00 a.m.

The driver uses the more restrictive of the two settings. Depending on your requirements, you can add an extra day to the expiration time on the Active Directory side.
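The following is an added example, not the driver's own conversion code, that works the two cases above through the actual accountExpires representation. accountExpires is an Active Directory large integer counting 100-nanosecond ticks since 1601-01-01 00:00 UTC, with 0 and 0x7FFFFFFFFFFFFFFF meaning "never expires". The day-boundary handling is an assumption that models the behaviour the section describes (the time of day is dropped on the way to Active Directory, and the Management Console writes midnight at the start of the following day); the example also assumes day boundaries at UTC midnight, which a real deployment may instead take in the server's local time zone.

```python
# Added example (not from the NetIQ documentation or the driver): models the
# Login Expiration Time <-> accountExpires mapping described in this section.
# accountExpires holds 100-nanosecond ticks since 1601-01-01 00:00 UTC; 0 and
# 0x7FFFFFFFFFFFFFFF both mean "never expires".
# Assumption: day boundaries are taken at UTC midnight.
from datetime import datetime, time, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
NEVER = 0x7FFF_FFFF_FFFF_FFFF
ONE_DAY = timedelta(days=1)


def utc(year, month, day, hour=0, minute=0):
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def to_account_expires(when):
    """Aware datetime -> accountExpires ticks."""
    delta = when.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86400 + delta.seconds
    return seconds * TICKS_PER_SECOND + delta.microseconds * 10


def from_account_expires(ticks):
    """accountExpires ticks -> aware UTC datetime, or None for 'never expires'."""
    if ticks in (0, NEVER):
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def subscriber_account_expires(login_expiration_time):
    """eDirectory -> Active Directory (assumed model of the behaviour in the text).

    Active Directory keeps the expiry in full-day increments, so the time of day
    is dropped: the account stops being valid at the start of that calendar day,
    which is the more restrictive reading of the eDirectory value.
    """
    day = login_expiration_time.astimezone(timezone.utc).date()
    return to_account_expires(datetime.combine(day, time.min, tzinfo=timezone.utc))


def last_full_valid_day(ticks):
    """Last calendar day on which an account with this accountExpires can log on."""
    expiry = from_account_expires(ticks)
    return None if expiry is None else (expiry - ONE_DAY).date()


def mmc_account_expires(expires_on):
    """What the Management Console date picker stores for 'expires on <date>':
    midnight at the start of the following day (assumed from the text)."""
    next_midnight = datetime.combine(expires_on + ONE_DAY, time.min, tzinfo=timezone.utc)
    return to_account_expires(next_midnight)


def publisher_login_expiration_time(ticks):
    """Active Directory -> eDirectory: the stored instant is carried over as-is."""
    return from_account_expires(ticks)


if __name__ == "__main__":
    # Case 1 (constructed from the section's example): eDirectory says July 15, 2007, 5:00 p.m.
    ticks = subscriber_account_expires(utc(2007, 7, 15, 17, 0))
    print("AD accountExpires:", from_account_expires(ticks), "last full day:", last_full_valid_day(ticks))
    # Case 2: the Management Console is used to set "expires on July 15, 2007".
    ticks = mmc_account_expires(utc(2007, 7, 15).date())
    print("eDirectory Login Expiration Time:", publisher_login_expiration_time(ticks))
```

Run stand-alone, the first case shows the account expiring at the start of July 15 (last full valid day July 14) and the second shows eDirectory receiving July 16 at 12:00 a.m., the two discrepancies the section warns about. If a day's grace matters for your environment, add ONE_DAY before calling to_account_expires rather than editing the value after the fact, so that the "never expires" sentinels are never shifted.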

2.7.9 Driver Response Behavior

The engine returns a status message for every operation submitted to the driver queue and attaches the operation-data of the original operation to that status message.

The Multi-Domain Active Directory driver receives two status documents: one when the event is queued and another when the queued event is processed. The first status element contains a type attribute set to driver-queue; the second status element contains no type attribute. This lets policies that process operation-data distinguish between the first and second status documents.