1.3 Support for Standard Driver Features

1.3.1 Supported Operations

The Multi-Domain Active Directory driver performs the following operations on the Publisher and Subscriber channels:

  • Publisher Channel: Add, Modify, Delete, Migrate, Move, Query operations and password synchronization.

  • Subscriber Channel: Add, Modify, Delete, Migrate, and Query operations, Password Set/Reset operations only on User objects, execution of PowerShell Cmdlets using policies, and Move operation across domains within the same forest.

1.3.2 Remote Platforms

The Multi-Domain Active Directory driver is a .NET Remote Loader only driver. The driver uses the Remote Loader service to run on a Windows domain controller or Windows member server. The Remote Loader service for the Multi-Domain Active Directory driver can be installed on the following Windows platforms:

  • Windows Server 2019 (64-bit)

  • Windows Server 2016 (64-bit)

  • Windows Server 2012 R2 (64-bit)

  • Windows Server 2012 (64-bit)

  • Windows Server 2008 R2 (64-bit)

For more information about remote installations, see Deploying the Multi-Domain Active Directory Driver.

For additional information about system requirements, see Considerations for Installing Identity Manager Components in the NetIQ Identity Manager Setup Guide for Windows.

1.3.3 Multi-Domain Support

The Multi-Domain Active Directory driver provisions and synchronizes objects across all domains in a forest. The driver simplifies integrating Microsoft Active Directory with Identity Manager.

1.3.4 PowerShell Command Support

The Multi-Domain Active Directory driver establishes remote PowerShell sessions with the preferred DC for each domain. The domain in which a PowerShell command runs is determined either by the association of the object or by the LDAP DN of the domain given in the XDS document. You can use Identity Manager policies, stylesheets, and ECMA to add the commands. The driver shim executes the commands in the respective domains.

The driver establishes a remote PowerShell session with the preferred domain controller for each domain. If an account is used across multiple domains, the number of sessions does not exceed the number of configured domains. If Exchange is used, a second remote session is established with that Exchange server to execute Exchange commands. This second PowerShell session with Exchange is created within the first PowerShell session and does not count toward the total number of PowerShell sessions being used by the server.

Remove-PSSession is a cleanup call that the driver makes at shutdown.

1.3.5 Entitlements and Permission Collection and Reconciliation Service

Entitlements

The Multi-Domain Active Directory driver supports entitlements. By default, it supports UserAccount, Group, and ExchangeMailbox.

When using entitlements, an action such as provisioning an account in the target directory is delayed until the proper approvals have been made. In Role-Based Services, rights assignments are made based on attributes of a user object. Entitlements standardize a method of recording this information on objects in the Identity Vault. From the driver perspective, an entitlement grants or revokes the right to something in Active Directory. You can use entitlements to grant the right to an account in Active Directory, to control group membership, and to provision Exchange mailboxes.

Permission Collection and Reconciliation Service (PCRS)

The Multi-Domain Active Directory driver also supports Permission Collection and Reconciliation Service (PCRS), which allows you to create and manage the relationship of identities with resource assignments. PCRS helps you create custom entitlements that map to the resources in the Identity Vault. You can dynamically create resources with custom entitlements that hold permission values from Active Directory, and maintain permission assignments between the Identity Manager resource/entitlement model and Active Directory.

The driver uses PCRS to map entitlements with resources and automatically assign those entitlements to users when permissions change in Active Directory. The driver content includes an enhanced entitlement package that supports the following entitlements:

  • ExchangeMailbox: This entitlement grants or denies a Microsoft Exchange mailbox for the specified user.

  • Group: This entitlement grants or denies membership to a group in Active Directory. When the entitlement is revoked, Identity Manager removes the user from the group.

  • UserAccount: This entitlement grants or denies an Active Directory account for the specified user. When this entitlement is granted, the Multi-Domain Active Directory driver provides an enabled logon account. When this entitlement is revoked, the driver either disables or deletes the logon account, depending on the driver configuration.

The driver performs the following actions when PCRS is enabled:

  • Reconcile resource assignments between the connected systems and the Identity Vault

  • Provide a way to create customized entitlements and resources specific to your domain

The driver supports multiple domain connections, which can have multiple dynamic resources. The Role Based Provisioning Module (RBPM) considers each of the domains configured in the connection objects as separate Logical Identifier (LLID) systems. Each logical system requires a unique dynamic resource. RBPM creates a dynamic resource for each LLID and thereby for each domain that the driver is connecting to. The entitlement value source for this dynamic resource is bound to the LLID.

The PermissionOnboarding job is a standard Identity Manager job and is available in the entitlement package. During the driver startup, the PermissionOnboarding job runs and queries Active Directory for resource updates. When the driver performs resource onboarding, this process creates the EntitlementLLIDMapping mapping table. The PermissionOnboarding job populates this table with the ResourceDNs of the dynamic resources created for LLIDs for each custom entitlement. This mapping table includes the mapping between an entitlement, its LLIDs, and the ResourceDN.

In the User Application, the Resource Name field in the Roles and Resources tab displays all the default entitlements and the custom entitlements. You can select the desired resource in this tab. The Details page under the Entitlements tab shows the dynamic value of the resource. The LLID is automatically mapped to the resource when the resource is created.

When creating custom entitlements, the driver can still use the CSV file to map the Active Directory entitlements with the corresponding resources in the Resource Catalog. After you create, deploy, and start the driver, the driver automatically reads the PermissionNameToFile mapping table. The CSV file information that the driver requires to create the custom entitlement is available in the PermissionNameToFile mapping table. The driver consumes the entitlements values from the CSV file and creates the custom entitlements.

RBPM creates new resources with the entitlement values from the CSV file and displays the new custom entitlement and the corresponding resource object in the Resource Catalog. When the permission assignments change in Active Directory, the driver policies consume the modified permission values and update the Resource Catalog.

NOTE: If you are not using group onboarding, ensure that you do not include the static group resources in the StaticEntitlementValueMap table.

If an administrator assigns a resource to a user in the User Application, then that change reflects in Active Directory, and similarly, if an Active Directory administrator makes a change to the user permission, the corresponding resource is updated with the permission assignment.

You can turn this functionality on or off using the Entitlement GCVs included with the driver.

You should enable entitlements for the driver only if you plan to use the User Application or Role-Based Entitlements with the driver. For more information about entitlements, see the NetIQ Identity Manager Entitlements Guide.

Prerequisites

Before continuing, ensure that you go through the prerequisites needed for enabling this functionality. For general prerequisites, see Prerequisites in Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide.

Also, you need to set up administrative user accounts and configure a password policy for them. For more information, see Setting Up Administrative User Accounts and Setting Up Administrative Passwords in Synchronizing Permission Changes from the Connected Systems in the NetIQ Identity Manager Driver Administration Guide.

To use the new functionality included in the Multi-Domain Active Directory driver, you can create a new driver with the latest packages. For more information about creating a driver, see Creating the Driver in Designer.

CSV File Format

The Multi-Domain Active Directory driver can consume the entitlement information from the CSV file, which is present on the server where Identity Manager is installed. The CSV file must contain values of the Active Directory system permission information in the format specified below. The Active Directory administrator should maintain a separate CSV file for every custom entitlement.

For example, a CSV file can contain details about issuing parking passes to the employees for the ParkingPass entitlement. A CSV file that holds ParkingPass entitlement details represents this information in the following format:

North, North Lot, North Parking Lot

where North is the entitlement value, North Lot is the display name shown in the User Application for the entitlement value North, and North Parking Lot is the description of the entitlement value, which is also displayed in the User Application. Optionally, you can add a fourth field for the LLID name, which allows you to configure the entitlement value for a specific domain.
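The following parser, added here as an illustration and not part of the driver or its packages, reads a per-entitlement CSV file in the format described above (entitlement value, display name, description, and an optional fourth LLID field). The field order comes from the documentation; the validation rules (rejecting rows with the wrong field count, empty entitlement values, and duplicate value/LLID pairs) and the LLID name "example.corp" in the constructed sample are this example's own assumptions. Checking the file before it is consumed matters because the values it carries become entitlement values and resources in the Resource Catalog.

```python
"""Parser and validator for the per-entitlement CSV format.

Each row: entitlement value, display name, description[, LLID name].
The validation rules below are this example's assumptions, not the driver's.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class EntitlementValue:
    value: str
    display_name: str
    description: str
    llid: Optional[str] = None  # None: value is not bound to a specific domain


class EntitlementCsvError(ValueError):
    """Raised when a row does not match the expected format."""


def parse_entitlement_csv(text: str) -> List[EntitlementValue]:
    """Parse CSV text into EntitlementValue records.

    - blank rows are skipped
    - each row must have 3 or 4 fields
    - fields are whitespace-trimmed (the documented example has a space after each comma)
    - the entitlement value must be non-empty and unique per (value, LLID)
    """
    records: List[EntitlementValue] = []
    seen = set()
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    for rowno, row in enumerate(reader, start=1):
        if not row or all(not f.strip() for f in row):
            continue
        if len(row) not in (3, 4):
            raise EntitlementCsvError(
                f"row {rowno}: expected 3 or 4 fields, got {len(row)}")
        fields = [f.strip() for f in row]
        value, display_name, description = fields[:3]
        llid = fields[3] if len(fields) == 4 and fields[3] else None
        if not value:
            raise EntitlementCsvError(f"row {rowno}: entitlement value is empty")
        key = (value, llid)
        if key in seen:
            raise EntitlementCsvError(
                f"row {rowno}: duplicate entitlement value {value!r} for LLID {llid!r}")
        seen.add(key)
        records.append(EntitlementValue(value, display_name, description, llid))
    return records


def check_entitlement_csv(text: str) -> Optional[str]:
    """Return None if the CSV is acceptable, otherwise the error message."""
    try:
        parse_entitlement_csv(text)
    except EntitlementCsvError as exc:
        return str(exc)
    return None


def values_by_llid(records: List[EntitlementValue]) -> Dict[Optional[str], List[str]]:
    """Group entitlement values by LLID; key None holds values with no LLID."""
    grouped: Dict[Optional[str], List[str]] = {}
    for rec in records:
        grouped.setdefault(rec.llid, []).append(rec.value)
    return grouped


# Constructed sample for the ParkingPass entitlement. Only the first row is the
# documented example; the other rows and the LLID name are made up here.
SAMPLE_PARKING_PASS_CSV = """\
North, North Lot, North Parking Lot
South, South Lot, South Parking Lot

West, West Lot, "West Parking Lot, levels 1-2", example.corp
"""

if __name__ == "__main__":
    for rec in parse_entitlement_csv(SAMPLE_PARKING_PASS_CSV):
        print(rec)
    print(check_entitlement_csv("North, North Lot\n"))
```

The `csv` module is used rather than a plain `split(",")` so that a quoted description containing a comma is read as one field; `skipinitialspace=True` tolerates the space after each comma in the documented example.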

1.3.6 Automatic Domain Controller Discovery and Failover

The Multi-Domain Active Directory driver supports automatic Domain Controller (DC) discovery during driver startup. Depending on the configuration, the driver either automatically discovers the nearest DC or connects to the preferred DC.

1.3.7 Domain Controller Failover

The Multi-Domain Active Directory driver supports automatic domain controller failover. If the driver is running and the connection to the preferred domain controller fails, the driver waits for the configured wait period before it tries to re-establish the connection with a secondary DC.

1.3.8 Password Synchronization Support

The Multi-Domain Active Directory driver synchronizes passwords on both Subscriber channel and Publisher channel. For more information, see Section 6.0, Synchronizing Passwords.

1.3.9 Data Synchronization Support

The Multi-Domain Active Directory driver synchronizes User objects, Group objects, containers, and Exchange mailboxes in the default configuration and can be customized to use additional classes and attributes.

1.3.10 Nested Group Synchronization Support

The Multi-Domain Active Directory driver synchronizes group memberships across domains when a group is added as the member of another group.

1.3.11 Scalability

The Multi-Domain Active Directory driver creates a separate message queue for each synchronized domain. The driver shim processes these message queues simultaneously, and changes are synchronized with the respective domains in parallel.

1.3.12 Multiple Active Directory User Account Support

The Multi-Domain Active Directory driver does not support creating multiple user accounts for the same eDirectory object in multiple domains of the same forest. A single driver instance maintains only a one-to-one mapping between an eDirectory user object and an Active Directory domain account. If you need to manage multiple Active Directory forests, you must have one Multi-Domain Active Directory driver per forest.