Management domain data location

The user registry creates and stores metadata that tracks information about the ISAM management domain. You must specify the location where this metadata is stored.

The management domain is created when the ISAM policy server is configured. The management domain is the initial security domain.

During policy server configuration, the administrator specifies the name of the management domain or uses the default name of Default. The administrator also specifies the location in the registry where this metadata is stored by specifying the management domain location DN. The location specified must exist in the user registry. If the administrator chooses to use the default management domain location, the information is maintained in a specific Active Directory Lightweight Directory Service (AD LDS) partition, which must be called

secAuthority=management_domain_name

where management_domain_name is the management domain name specified. For example, if the default management domain name is used, the partition is called secAuthority=Default. If the administrator does not use the default location and instead specifies the management domain location DN, any existing location within the AD LDS registry can be used, provided it is a container object. You must choose a location DN within the same directory partition where the user and group information is stored, because AD LDS requires the policy server to exist in the same directory partition as the user and group information.

The policy server cannot maintain user and group information that is outside of the AD LDS directory partition where the policy server itself is defined.

For this reason, do not use the default management location during policy server configuration when AD LDS is used as the ISAM registry. Instead, choose a management domain location within the AD LDS partition in which you want to maintain the users and groups that reflect your enterprise structure.

Attention: If you chose the default management location during policy server configuration, the option to permanently remove domain information from the registry deletes all data in the AD LDS partition of the default management domain location, including registry-specific data, when you unconfigure ISAM. To retain registry-specific data, choose a management domain location in the AD LDS partition in which you want to maintain users and groups. The default management location holds the ISAM metadata.
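As an added example (not part of the ISAM documentation or product), the following Python check applies the rule described above: a candidate management domain location DN must sit inside the AD LDS partition that holds the users and groups, while the default location partition secAuthority=<management_domain_name> does not. The partition DNs, the location DNs and the helper function names are constructed assumptions.

```python
import re


def split_dn(dn):
    """Split a DN into its RDNs, leaving backslash-escaped commas (RFC 4514) intact."""
    return [rdn.strip() for rdn in re.split(r"(?<!\\),", dn) if rdn.strip()]


def normalize_rdn(rdn):
    """Canonicalise one RDN for comparison: trim whitespace, lower-case type and value."""
    attr, _, value = rdn.partition("=")
    return f"{attr.strip().lower()}={value.strip().lower()}"


def is_within_partition(location_dn, partition_dn):
    """True when location_dn is the partition head itself or an entry below it."""
    loc = [normalize_rdn(r) for r in split_dn(location_dn)]
    part = [normalize_rdn(r) for r in split_dn(partition_dn)]
    return len(loc) >= len(part) and loc[-len(part):] == part


def default_location_partition(domain_name="Default"):
    """Partition used by the default location: secAuthority=<management domain name>."""
    return f"secAuthority={domain_name}"


def check_management_domain_location(location_dn, user_partition_dn, domain_name="Default"):
    """Return (ok, reason) for a candidate management domain location DN.

    location_dn=None models accepting the default location at configuration time.
    user_partition_dn is the AD LDS partition holding the users and groups (assumed).
    """
    if location_dn is None:
        location_dn = default_location_partition(domain_name)
    if is_within_partition(location_dn, user_partition_dn):
        return True, f"{location_dn} is inside {user_partition_dn}; users and groups can be managed"
    if is_within_partition(location_dn, default_location_partition(domain_name)):
        return False, (f"{location_dn} is the default location partition: the policy server "
                       f"cannot manage users in {user_partition_dn}, and unconfiguring with "
                       "'remove domain information' deletes that whole partition")
    return False, f"{location_dn} is outside {user_partition_dn}"


if __name__ == "__main__":
    # Constructed sample values, not taken from a real deployment.
    for loc in (None, "ou=isam,dc=example,dc=com", "cn=other,dc=corp,dc=example"):
        print(check_management_domain_location(loc, "dc=example,dc=com"))
```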
