Becoming Familiar with Driver Features

This section discusses driver features you should become familiar with before deploying the Active Directory driver.


Multi-Valued Attributes

The way the Active Directory driver handles multi-valued attributes has changed from version 2.

Version 2 treated multi-valued attributes as single-valued on the Subscriber channel by ignoring all but the first change value in an Add or Modify operation. Version 3 of the Active Directory driver fully supports multi-valued attributes.

However, when the Active Directory driver synchronizes a multi-valued attribute with a single-valued attribute, the multi-valued attribute is treated as single-valued. For example, the Telephone Number attribute is single-valued in Active Directory and multi-valued in Identity Vault. When this attribute is synchronized from Active Directory, only a single value is stored in Identity Vault.

This creates true synchronization and mapping between the two attributes, but can result in data loss if an attribute that holds multiple values is mapped to a single-valued attribute. In most cases, a policy can be implemented to preserve the extra values in another location if required in your environment.


Managing Account Settings using Custom Boolean Attributes

The Active Directory attribute userAccountControl is an integer whose bits control logon account properties, such as whether logon is allowed, passwords are required, or the account is locked. Synchronizing the Boolean properties individually is problematic because each property is embedded in the integer value.

In version 2, the Active Directory driver took a shortcut that let you map userAccountControl to the eDirectory Login Disabled attribute, but didn't let you map the other property bits within the attribute.

In version 3, each bit within the userAccountControl attribute can be referenced individually as a Boolean value, or userAccountControl can be managed as a whole as an integer. The driver recognizes a Boolean alias for each bit within userAccountControl. These alias values are included in the schema for any class that includes userAccountControl. The alias values are accepted on the Subscriber channel and are presented on the Publisher channel.

The advantage to this feature is that because each bit can be used as a Boolean, the bit can be enabled individually in the Publisher filter and accessed easily. You can also put userAccountControl into the Publisher filter to receive change notification as an integer.

The integer and alias versions of userAccountControl should not be mixed in a single configuration.

The following table lists available aliases and hexadecimal values. Read-only attributes cannot be set on the Subscriber channel.

Alias                               Hexadecimal   Notes
dirxml-uACDontExpirePassword        0x10000       Read-write
dirxml-uACHomedirRequired           0x0008        Read-write
dirxml-uACInterdomainTrustAccount   0x0800        Read-only
dirxml-uACNormalAccount             0x0200        Read-only
dirxml-uACServerTrustAccount        0x2000        Read-only
dirxml-uACWorkstationTrustAccount   0x1000        Read-only
dirxml-uACAccountDisable            0x0002        Read-write
dirxml-uACPasswordNotRequired       0x0020        Read-write

For troubleshooting tips relating to the userAccountControl attribute, see Active Directory Account Disabled after a User Add on the Subscriber Channel.
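The following Python sketch is an added example, not driver code: it decodes a userAccountControl integer into the Boolean aliases from the table above and applies alias changes while refusing the read-only ones. The function names, the sample value, and the choice of which settings to flag in risky_settings are assumptions made for illustration.

```python
# Alias names, bit values and read-write status are copied from the table above.
UAC_ALIASES = {
    "dirxml-uACAccountDisable":          (0x0002, True),
    "dirxml-uACHomedirRequired":         (0x0008, True),
    "dirxml-uACPasswordNotRequired":     (0x0020, True),
    "dirxml-uACNormalAccount":           (0x0200, False),
    "dirxml-uACInterdomainTrustAccount": (0x0800, False),
    "dirxml-uACWorkstationTrustAccount": (0x1000, False),
    "dirxml-uACServerTrustAccount":      (0x2000, False),
    "dirxml-uACDontExpirePassword":      (0x10000, True),
}

def decode_uac(value):
    """Split a userAccountControl integer into one Boolean per alias."""
    return {name: bool(value & bit) for name, (bit, _rw) in UAC_ALIASES.items()}

def apply_aliases(value, changes):
    """Return the new integer after applying {alias: bool} changes.

    Read-only aliases are rejected, mirroring the rule that they cannot be
    set on the Subscriber channel. Bits not listed in the table are preserved.
    """
    for name, enabled in changes.items():
        if name not in UAC_ALIASES:
            raise KeyError(f"unknown alias: {name}")
        bit, writable = UAC_ALIASES[name]
        if not writable:
            raise PermissionError(f"{name} is read-only")
        value = (value | bit) if enabled else (value & ~bit)
    return value

def risky_settings(value):
    """Audit helper (this example's own policy): on an enabled account,
    report aliases that relax password requirements."""
    flags = decode_uac(value)
    if flags["dirxml-uACAccountDisable"]:
        return []
    watched = ("dirxml-uACPasswordNotRequired", "dirxml-uACDontExpirePassword")
    return [name for name in watched if flags[name]]

if __name__ == "__main__":
    sample = 0x10222  # constructed: normal account, disabled, no password required, no expiry
    enabled = apply_aliases(sample, {"dirxml-uACAccountDisable": False})
    print(hex(enabled), risky_settings(enabled))
```

Running the audit helper on the value that results from enabling an account shows which password-related bits would become effective at that moment.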


Provisioning Exchange Mailboxes using the homeMDB Attribute

Options for provisioning Exchange 2000 and Exchange 2003 mailboxes have changed from version 2.

In version 2, Exchange provisioning was accomplished by setting attributes on User objects. A Microsoft program (the Recipient Update Service) used this information to provision the Exchange database.

This method still works in version 3 of the Active Directory driver, but a new method (CDOEXM) has been added. With CDOEXM enabled, an Exchange mailbox is provisioned by setting the homeMDB attribute. When the homeMDB attribute is set, the driver automatically sets all required attributes.

The homeMDB attribute is set during initial configuration, but you can change the setting by modifying the driver policy. For a discussion of this parameter, see Configuration Parameters.