Configure how data is gathered for the hybrid service

Use the Shared User Data > Active Directory (Native Mode) page to refine the way that Directory Agent searches the selected directory server and packages user and group information for the hybrid service.

Under Root Context for Hybrid Service Users, click Add to provide a Root Context to use when gathering user and group data from the directory. Narrow the context to increase speed and efficiency. See Adding and editing directory contexts for the hybrid service.

Warning:

There is a limit to how many groups the hybrid service can support. The limit is affected by a number of factors, but if it is exceeded, the service fails open, permitting all requests.

If your organization has a large directory forest with thousands of groups, be sure to configure Directory Agent to upload only the information required to manage the users whose requests are sent to the hybrid service. You might select only specific groups to upload, or set a specific and narrowed root context.

It is best to provide contexts that include only users managed by the hybrid service.

If you are using Active Directory and have multiple Directory Agent instances, make sure that each has a unique, non-overlapping root context. Pay particular attention to this when:

  • Multiple Directory Agent instances are configured to connect to domain controllers that all manage the same Active Directory server.
  • One Directory Agent instance is configured to communicate with an Active Directory parent domain and another instance is configured to communicate with an Active Directory child domain (a separate global catalog server).
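
One way to check a planned set of root contexts for overlap before entering them, as an added example that is not part of the product or its documentation: it compares the distinguished names assigned to each Directory Agent instance and reports any context that equals or sits beneath another instance's context. Assumptions: the instance names, the sample DNs, and the rule that DN-suffix containment counts as overlap (which also flags a child-domain context under a parent-domain context) are all illustrative.

```python
# Added example: flag Directory Agent root contexts that overlap across instances.
# Instance names and DNs are constructed sample values, not from a real deployment.
from itertools import combinations

def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honoring escaped commas."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            cur += dn[i:i + 2]          # keep the escape pair, e.g. "\,"
            i += 2
        elif dn[i] == ",":
            rdns.append(cur)
            cur = ""
            i += 1
        else:
            cur += dn[i]
            i += 1
    rdns.append(cur)
    pairs = (rdn.partition("=") for rdn in rdns)
    return [(attr.strip().lower(), value.strip().lower()) for attr, _, value in pairs]

def contains(ancestor, descendant):
    """True if descendant is the same entry as ancestor or lies beneath it."""
    a, d = split_dn(ancestor), split_dn(descendant)
    return len(a) <= len(d) and d[len(d) - len(a):] == a

def find_overlaps(contexts):
    """contexts maps instance name -> list of root context DNs.
    Returns (outer_instance, outer_dn, inner_instance, inner_dn) tuples."""
    flat = [(name, dn) for name, dns in contexts.items() for dn in dns]
    conflicts = []
    for (n1, dn1), (n2, dn2) in combinations(flat, 2):
        if n1 == n2:
            continue                    # only cross-instance overlap is checked
        if contains(dn1, dn2):
            conflicts.append((n1, dn1, n2, dn2))
        elif contains(dn2, dn1):
            conflicts.append((n2, dn2, n1, dn1))
    return conflicts

SAMPLE = {  # constructed: parent-domain agent, child-domain agent, unrelated OU
    "agent-parent": ["DC=corp,DC=example,DC=com"],
    "agent-child": ["ou=Sales, dc=emea, dc=corp, dc=example, dc=com"],
    "agent-branch": ["OU=Branch\\, North,DC=other,DC=example,DC=com"],
}

if __name__ == "__main__":
    for outer, outer_dn, inner, inner_dn in find_overlaps(SAMPLE):
        print(f"OVERLAP: {inner} ({inner_dn}) is inside {outer} ({outer_dn})")
```
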

You can further refine the data that is sent to the hybrid service by defining patterns, or search filters, used to remove duplicate or otherwise unwanted entries from the directory search results. See Optimizing directory search results for the hybrid service for more information.