Configuring the Zone Provisioning Agent

By default, the Zone Provisioning Agent monitors all domains in the entire forest. If you use the recommended Centrify organizational structure described in Creating recommended organizational units, Centrify recommends setting the Zone Provisioning Agent to only monitor the top-level Centrify organizational unit or the Zones container. These objects are created in the Setup Wizard the first time you open Access Manager. After the initial configuration, you can perform the steps in this section to configure the Zone Provisioning Agent. For more information about the initial configuration, see Running Access Manager for the first time.

The most common reason for monitoring more than one organizational unit is if you have a regional or team-based OU structure in Active Directory, where each region or team is responsible for managing its own UNIX data. In this scenario, a provisioning staff member in Sydney, Australia, wouldn’t be responsible for account fulfillment of a UNIX user in Chicago. To ensure the appropriate separation of duties between the different regions or teams, you would have more than one Centrify organizational unit, and you would configure the Zone Provisioning Agent to search each of the regional organizational units.

To configure the Zone Provisioning Agent:

  1. Open the Zone Provisioning Agent Configuration Panel by clicking Start > All Programs > Server Suite 2021.1 > Zone Provisioning Agent Configuration Panel.

  2. In the Monitored containers section, click Add.

  3. Navigate to select the Centrify organizational unit or the Zones container, then click OK.

  4. Select Entire Forest forest_name from the list of Monitored containers, then click Remove.

  5. Set the provisioning polling interval in minutes.

    The polling interval controls how often the Zone Provisioning Agent checks monitored containers for changes and processes the business rules for provisioning users and groups into zones. The appropriate interval often depends on the expectations of the user population or on service level agreements that define the provisioning team’s commitments. In general, you should avoid polling more frequently than necessary to reduce the effect the Zone Provisioning Agent has on the performance of your domain controllers.

  6. If desired, you can specify which domain controller the Zone Provisioning Agent uses.

    1. To specify the domain controllers, click Advanced.

      The Advanced Domain Controller Settings dialog box displays.

    2. Click Add to open a separate dialog box in which you can add a domain and pick from a list of domain controllers. Click OK to save your changes.

    3. Click Change if you want to change the specified domain controller, or click Remove if you need to remove the specified domain controller.

  7. Type the service account name or click Browse to locate the service account name, then type the password for the account.

  8. Click Apply.

  9. Click Start to start the Zone Provisioning Agent.