Identity Synchronization for Windows should be configured as described in Chapter 3, Case Study: Deploying in a High-Availability Environment Over a Wide Area Network Using SSL, and should not be configured for user creation or any other attribute synchronization.
User creation is not the responsibility of Identity Synchronization for Windows in this deployment. Therefore, new users that are added to Directory Server using Identity Manager will not be linked to the corresponding entries in Active Directory domains, and vice versa. To establish this link for new users, administrators must periodically execute idsync resync so that password changes for the new entries are synchronized. The frequency with which this operation is executed is the administrator's decision. Periodic automated execution is feasible using a scheduled UNIX cron job. For details, see Periodic idsync resync Operation for Primary Installation.