I’ve already posted about the configuration options that are common to all MAs, so this post is about the options specific to the Active Directory MA, though much of it will also apply to the other LDAP-types – Sun and Netscape, Netware, ADAM, IBM Directory Server and openLDAP.
Starting on the Configure Directory Partitions page, select your preferred directory Patition, Domain Controllers (optional) and Containers (OUs). Just let ILM see what it has to – there is no need to waste diskspace and time on importing OUs it has no business with.
Next we come to the Object Types. Again here you can be selective, but make sure you keep container and organizationalUnit as ILM will need them when constructing DNs.
Similarly on the Attributes page select the bare minimum, remembering that you can always add more later on. The basics for a user object are cn, firstName, sn, displayName, sAMAccountName (this is actually optional – AD will fill in a random one, but it will be ugly and I prefer to supply my own), userAccountControl, userPwd.
I prefer to be selective about which objects and attributes ILM can see for a couple of reasons – one is to reduce the scope for accidents, and the other is to reduce the size of the blame target. Call me paranoid if you will, but I have disproved a charge of “ILM did it” in the past by simply pointing out that the attributes in question weren’t even selected!
The final point I will mention is about the Enable Exchange 2007 provisioning option that has appeared, in ILM 2007, on the Extensions page. I understand this has something to do with Exchange 2007 no longer using the Recipient Update Service – a rather annoyingly opaque process in 2000/2003, but something we ILM’ers were relying on to get mailboxes created. There’s a proper explanation on this technet page.
