Configure Identity Integration Feature Pack 1a


This section contains the steps necessary to set up and configure the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory for the Customer Directory Integration (CDI) Service and to configure the Active Directory management agents at the customer and within your hosting infrastructure.

In this scenario, you will use the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory, which must be downloaded from the Microsoft web site. This free download includes the installation of Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory and Microsoft SQL Server 2000 Service Pack 4 (SP4), Standard or Enterprise Edition.

Note

SQL Server 2005 is not supported.

All of these components will be installed on the customer Active Directory machine, CUSTAD02, in this set of procedures.

Note

In a production installation, you may choose to install these on the customer Active Directory machine or on a separate machine. If you choose to install the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory and SQL Server 2000 SP4 on a separate machine from CUSTAD02, you must use Windows Server 2003 Enterprise Edition as the operating system for that machine.

Procedure DCDIA.5: To install SQL Server 2000 on CUSTAD02

  1. Log on to CUSTAD02 with an account that is a member of the Domain Administrators group.
  2. Place the SQL Server 2000 installation disk in your CD-ROM drive.
  3. Navigate to the Enterprise folder and double-click Autorun.exe.
  4. On the SQL Server 2000 Enterprise Edition opening page, click Read the Release Notes to review installation information.
  5. When you are ready to start the installation, click SQL Server 2000 Components.
  6. On the Install Components page, click Install Database Server.
  7. Click Continue to the message indicating that SQL Server 2000 is not supported by the current Windows operating system (Windows Server 2003).
  8. Click Next on the Welcome page.
  9. In the Computer Name dialog box of the SQL Server Installation Wizard, accept the default option for Local Computer and then click Next.
  10. In the Installation Selection dialog box, accept the default installation option of Create a new instance of SQL Server or install Client tools and click Next.
  11. In the User Information dialog box, type the user Name and Company, and then click Next.
  12. In the Software License Agreement dialog box, read the agreement, and then click Yes to accept the agreement terms.
  13. In the Installation Definition dialog box, accept the default option for a Server and Client Tools installation, and then click Next.
  14. In the Instance Name dialog box, accept the Default instance, and then click Next.
  15. In the Setup Type dialog box, accept the default option for Typical setup, and then click Next.
  16. In the Service Accounts dialog box, accept the default option for Use the same account for each service. Auto start SQL Server Service.
  17. Under Service Settings, click the Use the Local System Account option, and then click Next.
  18. In the Authentication Mode dialog box, accept the default option for Windows Authentication Mode, and then click Next.
  19. In the Start Copying Files dialog box, click Next.
  20. In the Choose Licensing Mode dialog box, under Licensing Mode, select your appropriate licensing mode and options, and then click Continue to begin the installation.
  21. When the installation is complete, click Finish in the Setup Complete dialog box.

Procedure DCDIA.6: To install SQL Server SP4 on CUSTAD02

  1. Restart the CUSTAD02 machine and log on using an account that is a member of the Domain Administrators group.
  2. Place the SQL Server 2000 SP4 installation disk in your CD-ROM drive.
  3. Double-click the Setup.bat script in the root folder of your SQL Server 2000 SP4 installation disk to start the installation.
  4. In the Welcome page of the Microsoft SQL Server 2000 Service Pack 4 Installation Wizard, click Next.
  5. In the Software License Agreement dialog box, read the agreement and click Yes to accept the license agreement terms.
  6. In the Instance Name dialog box, click Next.
  7. In the Connect to Server dialog box, accept the default option for Windows authentication, and then click Next.
  8. In the SA Password Warning dialog box, enter a strong password in Enter SA Password, and then Confirm SA Password.
  9. In the Backward Compatibility Checklist dialog box, select Upgrade Microsoft Search and apply SQL Server 2000 SP4, and then click Continue.
  10. If you want to send error reports to Microsoft, select Automatically send error reports to Microsoft, and then click OK.
  11. In the Start Copying Files dialog box, click Next.
  12. When setup is complete, click Finish in the Setup Complete dialog box.

Note

This procedure assumes that you have already downloaded the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory from Microsoft.com and extracted the contents of the archive to a location on your hard drive or a network location that is accessible from CUSTAD02. By default, the contents of the archive are extracted to C:\Program Files\IIFPSetup.

Procedure DCDIA.7: Install Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory

  1. Open Windows Explorer and navigate to the folder where you extracted the contents of the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory archive.

  2. Navigate to the Setup folder and double-click Setup.exe.

  3. On the splash screen, click Install Identity Integration Feature Pack 1a.

  4. In the Identity Integration Feature Pack Setup Wizard opening page, click Next.

  5. In the End User License Agreement dialog box, read the agreement, select I accept the terms of the license agreement, and then click Next to continue.

  6. In the Type of Installation dialog box, accept the default option for Complete installation, and then click Next.

  7. In the Store Information dialog box, select This computer, if you installed SQL Server 2000 with Service Pack 4 on your CUSTAD02 server. Otherwise, select A remote machine and specify the network location of the SQL Server installation.

  8. Under The SQL Server instance is section of the Store Information dialog box, accept the default option for The default instance if you used the default instance during SQL Server setup. Otherwise, select A named instance and specify the instance name you configured during SQL Server setup. Click Next.

  9. In the Service Account Information dialog box, type MIISService in the Service Account box, type the password for the account in the Password box, and enter the domain name, such as Proseware, in the Domain or local computer name box. Click Next.

  10. In the Group Information dialog box, type the group names for Administrator (MIISAdmins), Operator (MIISOperators), Joiner (MIISJoiners), and Connector browse (MIISBrowse) that you configured earlier when setting up CUSTAD02, and then click Next.

    Note

    When entering group names, be sure to use the global groups by using the domain\groupname format, for example Proseware\MIISPasswordSet.

  11. In the Ready to Install the Program dialog box, click Start.

  12. Click OK to the message indicating that the MIIS service account is unsecured in its current configuration.

  13. Click OK to the message indicating that you will be prompted to specify a backup location for the encryption key set.

  14. In the Save Encryption Key Set file system dialog box, navigate to %systemdrive%\Program Files\Microsoft Identity Integration Server\, type the folder name as KeyBackup and the file name as KeyBackup.bin, and then click Save.

  15. Click Finish when the installation is complete.

  16. Restart the CUSTAD02 computer and then log back on with an account that is a member of the Domain Administrators group.

Important

  • The use of the Microsoft Password Change Notification (PCNS) Service requires an Active Directory schema extension. The schema extension can only be installed by a user with Schema Administrator rights. The security group that allows this capability is the Schema Admins group.
  • Ensure that you are logged on with an account that has Schema Administrator permissions before attempting to install the Microsoft Password Change Notification (PCNS) Service Active Directory schema extension.

Procedure DCDIA.8: To install the Microsoft Password Change Notification Service (PCNS) Active Directory schema extension

  1. Click the Start button, click Run, and then type the following text in the Open box: msiexec /I "C:\Program Files\IIFPSetup\Password Synchronization\Password Change Notification Service x86.msi" SCHEMAONLY=TRUE

    Note

    If you extracted the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory archive to a different directory than C:\Program Files\IIFPSetup, make sure that you substitute that directory path.

  2. Click OK.

  3. In the Welcome to the Microsoft Password Change Notification Service Schema Update Wizard opening page, click Next.

  4. In the Microsoft Password Change Notification Service Installer Information dialog, click OK to proceed with the schema update.

  5. Click Finish when the installation is complete.

Procedure DCDIA.9: To install the Microsoft Password Change Notification Service (PCNS) Filter

  1. Open Windows Explorer and navigate to the folder where you extracted the contents of the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory archive.
  2. Navigate to the Password Synchronization folder and double-click Password Change Notification Service x86.msi.
  3. In the Welcome to the Setup Wizard for Microsoft Password Change Notification Service opening page, click Next.
  4. In the License Agreement page, read the agreement and click the option button to accept the agreement terms. Then click Next.
  5. In the Ready to Install the Program page, click Install.
  6. Click Finish when the installation is complete.
  7. In the Microsoft Password Change Notification Service Installer Information dialog, click YES to restart your system for the configuration changes to take effect.

Procedure DCDIA.10: To index the uid Metaverse attribute in MIIS

  1. Log on to CUSTAD02 with an account that is a member of the Domain Administrators group.
  2. Click the Start button, click All Programs, click Identity Integration Feature Pack, and then click Identity Manager.
  3. On the toolbar, click Metaverse Designer.
  4. In the upper left-hand pane of Metaverse Designer, select person in the list of Object types.
  5. In the lower left-hand pane, select uid in the Attributes list, right-click uid, then select Edit Attribute to display the Edit Attribute dialog box.
  6. Select Indexed, and then click OK.
  7. Leave Identity Manager open.

Procedure DCDIA.11: To create and configure an Active Directory MIIS management agent for the Service Provider fabrikam domain

  1. On the toolbar of Identity Manager, click Management Agents.

  2. In the Actions pane on the right side of Identity Manager, click Create to start the Create Management Agent Wizard.

  3. Under Management agent for, ensure that Active Directory is selected.

  4. In the Name box, type fabrikam, then click Next to create the Active Directory management agent.

  5. In the Connect to Active Directory Forest dialog box, type fabrikam.com for the Forest name value, MIISAgentSvc@fabrikam.com for the User name value, and the password you assigned to the MIISAgentSvc account for the Password value. Leave the Domain box empty, and then click Next.

  6. In the Select directory partitions section of the Configure Directory Partitions dialog box, select DC=fabrikam,DC=com.

  7. Click the Containers button to display the Select Containers dialog box.

  8. Clear the DC=fabrikam,DC=com (the root) check box, select Hosting, and then click OK.

    Important

    If you specified a different name for the Hosting OU in the Deploy the Hosting Platform section of the Deployment Walkthrough documentation, perform this step on that OU instead.

  9. In the Configure Directory Partitions dialog box, click Next.

  10. In the Select Object Types dialog box, select user. Make sure that container, domainDNS, and organizationalUnit are all selected, since they are mandatory, then click Next.

  11. In the Select Attributes dialog box, click the Show All check box to expand the attribute list.

  12. Select adminDescription, then click Next.

  13. In the Configure Connector Filter dialog box, click Next.

  14. In the Configure Join and Projection Rules dialog box, click user and then click New Join Rule to display the Join Rule for user dialog box.

  15. In the Data source attribute section, select adminDescription.

  16. In the Mapping type section, select the Direct option.

  17. Select person from the Metaverse object type drop-down box.

  18. In the Metaverse attribute section, select uid.

  19. Click the Add Condition button to configure the rule, then click OK. Note that the Join and projection rules section is populated with the rule you configured.

  20. In the Configure Join and Projection Rules dialog box, click Next.

  21. In the Configure Attribute Flow dialog box, click Next (no configuration is required).

  22. In the Configure Deprovisioning dialog box, accept the default selection for Make them disconnectors, then click Next.

  23. In the Configure Extensions dialog box, click Enable password management.

  24. Click the Edit button to display the Configure Partition Display Name dialog box.

  25. In Partitions, select DC=fabrikam,DC=com (the domain root).

  26. In the box next to the Edit button, type in a descriptive phrase such as fabrikam service provider.

    Note

    This description will display in the MIIS Password Management Web service. You should therefore use user-friendly terms for the descriptive text so that users can readily identify them.

  27. Click Edit and then click OK.

  28. Click Finish.

Procedure DCDIA.12: To create and configure an Active Directory MIIS management agent for the customer Active Directory domain

  1. On the toolbar of Identity Manager, click Management Agents.

  2. In the Actions pane on the right side of Identity Manager, click Create to start the Create Management Agent Wizard.

  3. Under Management agent for, ensure that Active Directory is selected.

  4. In the Name field type Proseware, and then click Next to create the Active Directory management agent.

  5. In the Connect to Active Directory Forest dialog box, type proseware.local for the Forest name value, MIISAgentSvc@proseware.local for the User name value, and the password you assigned to the MIISAgentSvc account for the Password value. Leave the Domain box empty, and then click Next.

  6. In the Select directory partitions section of the Configure Directory Partitions dialog box, select DC=proseware,DC=local.

  7. Click the Containers button to display the Select Containers dialog box.

  8. Select DC=proseware,DC=local (the root), select Users (or OU where user accounts exist), then click OK.

  9. In the Configure Directory Partitions dialog box, click Next.

  10. In the Select Object Types dialog box, select user. Make sure that container, domainDNS, and organizationalUnit are all selected, since they are mandatory, and then click Next.

  11. In the Select Attributes dialog box, click the Show All check box to expand the attribute list.

  12. Select userPrincipalName, and then click Next.

  13. In the Configure Connector Filter dialog box, click Next.

  14. In the Configure Join and Projection Rules dialog box, click user, and then click the New Projection Rule button to display the Projection dialog box.

  15. In the Projection dialog box, make sure that the Declared option is selected and that the Metaverse object type is person (the default), and then click OK. Note that the Join and projection rules section is now populated with the rule you configured.

  16. In the Configure Join and Projection Rules dialog box, click Next.

  17. In the Data source object type drop-down box of the Configure Attribute Flow dialog box, select user.

  18. In the Metaverse object type drop-down box, select person.

  19. In the Data source attribute box, select userPrincipalName.

  20. In the Flow Direction section, select the Import option.

  21. In the Metaverse attribute box, select uid.

  22. Click the New button to add the configuration to the attribute flow list, and then click Next.

  23. In the Configure Deprovisioning dialog box, accept the default selection for Make them disconnectors, and then click Next.

  24. In the Configure Extensions dialog box, click Enable password management.

  25. Click the Edit button to display the Configure Partition Display Name dialog box.

  26. In Partitions, select DC=proseware,DC=local (the domain root).

  27. In the box next to the Edit button, type in a descriptive phrase such as proseware customer.

    Note

    This description will appear in the MIIS Password Management Web service. You should therefore use user-friendly terms for the descriptive text so that users can readily identify them.

  28. Click Edit, and then click OK.

  29. Click Finish.

Procedure DCDIA.13: To create MIIS management agent run profiles for fabrikam

  1. In Identity Manager, click Management Agents on the toolbar, and then click on fabrikam.
  2. In the Actions pane on the right-hand side of Identity Manager, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  3. Click the New Profile button.
  4. Type Initial Discovery in the Name field, and then click Next.
  5. In the Type drop-down box, select Full Import (Stage Only), and then click Next.
  6. In the Custom Data section, set the Timeout value to 3000, and then click Finish to create an initial discovery run profile for fabrikam.
  7. In the Configure Run Profiles dialog box, click the New Profile button.
  8. Type Delta Import in the Name box, and then click Next.
  9. In the Type drop-down box, select Delta Import (Stage Only), and then click Next.
  10. In the Custom Data section, set the Timeout value to 3000, and then click Finish to create a delta import run profile for fabrikam.
  11. In the Configure Run Profiles dialog box, click the New Profile button.
  12. Type Delta Synchronization in the Name field, and then click Next.
  13. In the Type drop-down box, select Delta Synchronization, and then click Next.
  14. Click Finish to create a delta synchronization run profile for fabrikam.
  15. Click Apply, and then click OK.

Procedure DCDIA.14: To create MIIS management agent run profiles for proseware

  1. Under Management Agents in Identity Manager, click on proseware.
  2. In the Actions pane on the right-hand side of Identity Manager, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  3. Click the New Profile button.
  4. Type Initial Discovery in the Name box, then click Next.
  5. In the Type drop-down box, select Full Import (Stage Only), then click Next.
  6. In the Custom Data section, set the Timeout value to 3000, then click Finish to create an initial discovery run profile for proseware.
  7. In the Configure Run Profiles dialog box, click the New Profile button.
  8. Type Delta Import in the Name field, then click Next.
  9. In the Type drop-down box, select Delta Import (Stage Only), then click Next.
  10. In the Custom Data section, set the Timeout value to 3000, then click Finish to create a delta import run profile for proseware.
  11. In the Configure Run Profiles dialog box, click the New Profile button.
  12. Type Delta Synchronization in the Name field, then click Next.
  13. In the Type drop-down box, select Delta Synchronization, then click Next.
  14. Click Finish to create a delta synchronization run profile for proseware.
  15. Click Apply, and then click OK.

Procedure DCDIA.15: To create scripts for the run profiles

  1. In Identity Manager, click Management Agents on the toolbar, then click on fabrikam.
  2. In the Actions pane on the right-hand side of Identity Manager, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  3. Under Management agent run profiles, select Delta Import, then click the Script button.
  4. In the Save As dialog box, navigate to %systemdrive%\Program Files\Microsoft Identity Integration Server\ and create a Scripts directory.
  5. Open the Scripts folder, type fabrikam_deltaimport.vbs for the file name, then click Save.
  6. Under Management Agents, click on fabrikam.
  7. In the Actions pane, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  8. Under Management agent run profiles, select Delta Synchronization, then click the Script button.
  9. In the Save As dialog box, navigate to %systemdrive%\Program Files\Microsoft Identity Integration Server\ and open the Scripts folder.
  10. Type fabrikam_deltasynch.vbs for file name, then click Save.
  11. Under Management Agents, click on proseware.
  12. In the Actions pane, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  13. Under Management agent run profiles, select Delta Import, then click the Script button.
  14. In the Save As dialog box, navigate to %systemdrive%\Program Files\Microsoft Identity Integration Server\ and open the Scripts folder.
  15. Type proseware_deltaimport.vbs for the file name, then click Save.
  16. Under Management Agents, click on proseware.
  17. In the Actions pane, click Configure Run Profiles to bring up the Configure Run Profiles dialog box.
  18. Under Management agent run profiles, select Delta Synchronization, and then click the Script button.
  19. In the Save As dialog box, navigate to %systemdrive%\Program Files\Microsoft Identity Integration Server\ and open the Scripts folder.
  20. Type proseware_deltasynch.vbs for the file name, and then click Save.

Procedure DCDIA.16: To perform an Initial Discovery run

  1. Under Management Agents, click on proseware.
  2. In the Actions pane, click Run.
  3. Under Run profiles, click Initial Discovery, and then click OK.
  4. Watch the state until it changes from running to idle. In the lower right-hand corner of Identity Manager, verify that Status reads Success.
  5. In the Actions pane, click Run.
  6. Under Run profiles, click Delta Synchronization, and then click OK.
  7. Watch the state until it changes from running to idle. In the lower right-hand corner of Identity Manager, verify that Status reads Success.
  8. Under Management Agents, click on fabrikam.
  9. In the Actions pane, click Run.
  10. Under Run profiles, click Initial Discovery, and then click OK.
  11. Watch the state until it changes from running to idle. In the lower right-hand corner of Identity Manager, verify that Status reads Success.
  12. In the Actions pane, click Run.
  13. Under Run profiles, click Delta Synchronization, and then click OK.
  14. Watch the state until it changes from running to idle. In the lower right-hand corner of Identity Manager, verify that Status reads Success.
  15. Close Identity Manager.

Procedure DCDIA.17: To create a command file to run MIIS scripts

  1. Click the Start button, click Run, type Notepad, then click OK to start the Notepad application.

  2. Type the following lines of text in the open Notepad file:

    cscript.exe "%systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\proseware_deltaimport.vbs"

    cscript.exe "%systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\proseware_deltasynch.vbs"

    cscript.exe "%systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\fabrikam_deltaimport.vbs"

    cscript.exe "%systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\fabrikam_deltasynch.vbs"

    Make sure you substitute the correct drive letter in your system for the %systemdrive% environment variable specified here.

  3. From the File menu, click Save.

  4. In the Save As dialog box, navigate to the %systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\ directory.

  5. In the Save as type drop-down box of the Save As dialog box, select All Files.

  6. In the File name box, type runcycles.cmd.

  7. Click Save in the Save As dialog box, and then exit Notepad.
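The four generated run-profile scripts above run one after another with no check on the result, so a failed import is followed by a synchronization of stale data. The script below is an added example, not one of the scripts generated by the Script button: it runs the same four steps in the same order through the MIIS WMI provider (namespace root\MicrosoftIdentityIntegrationServer, class MIIS_ManagementAgent, method Execute), logs each result and stops with a non-zero exit code at the first result that is not "success". The management agent and run profile names are the ones created in DCDIA.13 and DCDIA.14; the log file name runcycles.log is an assumption.

```vbscript
Option Explicit

' The scheduled cycle from DCDIA.17: (management agent, run profile) pairs
' in the order they must run. Names match DCDIA.13 and DCDIA.14.
Dim Steps
Steps = Array( _
    Array("proseware", "Delta Import"), _
    Array("proseware", "Delta Synchronization"), _
    Array("fabrikam",  "Delta Import"), _
    Array("fabrikam",  "Delta Synchronization"))

Dim Shell, FSO, Service, Log
Set Shell = CreateObject("WScript.Shell")
Set FSO = CreateObject("Scripting.FileSystemObject")

' MIIS exposes its management agents through this WMI namespace.
Set Service = GetObject("winmgmts:{impersonationLevel=impersonate}!root\MicrosoftIdentityIntegrationServer")

' Append results to a log beside the scripts (file name is an assumption);
' %systemdrive% is expanded at run time rather than hard-coding a drive letter.
Set Log = FSO.OpenTextFile(Shell.ExpandEnvironmentStrings( _
    "%systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\runcycles.log"), 8, True)

Dim i, Pair, Result
For i = 0 To UBound(Steps)
    Pair = Steps(i)
    Result = RunProfile(Pair(0), Pair(1))
    Log.WriteLine Now & vbTab & Pair(0) & vbTab & Pair(1) & vbTab & Result
    WScript.Echo Pair(0) & " / " & Pair(1) & ": " & Result
    If LCase(Result) <> "success" Then
        ' Stop here so later steps do not synchronize partial or stale data;
        ' the exit code lets the scheduled task record the failure.
        Log.Close
        WScript.Quit 1
    End If
Next
Log.Close
WScript.Quit 0

' Runs one run profile on the named management agent and returns the result
' string MIIS reports ("success", or a status string describing the failure).
Function RunProfile(MAName, ProfileName)
    Dim MASet, MA
    Set MASet = Service.ExecQuery("Select * from MIIS_ManagementAgent where Name = '" & MAName & "'")
    If MASet.Count = 0 Then
        RunProfile = "management agent not found"
        Exit Function
    End If
    For Each MA In MASet
        RunProfile = MA.Execute(ProfileName)
    Next
End Function
```

Saved as runcycles.vbs in the Scripts folder, it can replace the four cscript.exe lines in runcycles.cmd with a single cscript.exe call, and the Last Run Result of the scheduled task in DCDIA.18 then shows whether the cycle completed.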

Procedure DCDIA.18: To create a scheduled job to execute the command file

  1. Click the Start button, click All Programs, click Accessories, click System Tools, and then click Scheduled Tasks.
  2. In the main Scheduled Tasks window, double-click Add Scheduled Task.
  3. In the opening dialog of the Scheduled Task Wizard, click Next.
  4. Click the Browse button and navigate to the %systemdrive%\Program Files\Microsoft Identity Integration Server\Scripts\ directory, and then double-click runcycles.cmd.
  5. Under Perform this task in the Scheduled Task Wizard, select Daily and then click Next.
  6. Under Start time, configure 1:00 AM as the start time and then click Next.
  7. In the Enter the username box, type proseware\Administrator, and in Enter the password and Confirm password, type the Administrator password, then click Next.
  8. In the Scheduled Task Wizard, click Finish.
  9. In the Scheduled Tasks dialog box, right-click runcycles and then click Run to execute the task once.
  10. Ensure that the task completes properly and that the Last Run Time is updated.
  11. From the File menu of Scheduled Tasks, click Close.

Note

This procedure requires the use of the setspn.exe utility. Setspn.exe is included in the Windows Server 2003 Resource Kit and the Windows Server 2003 Support Tools on the Windows Server 2003 operating system disk. If you have not installed either of these tools on CUSTAD02, please do so prior to starting this procedure.

Procedure DCDIA.19: To configure the Service Principal Name (SPN) for the Password Change Notification Service

  1. If you have installed the Windows Server 2003 Support Tools and will be using the Setspn.exe included in that installation, click the Start button, click All Programs, click Windows Support Tools, and then click Command Prompt.

  2. Read the example information in the following note to understand what setspn.exe is going to do when it is executed and to validate the parameters that you will provide. You will not execute setspn.exe in this step.

    Note

    The following is an example of how to set an SPN for a server running MIIS 2003 or the Identity Integration Feature Pack 1a:

    Setspn.exe -A PCNSCLNT/Miis.fabrikam.com Fabrikam\MIISService

    The parameters are as follows:

      • PCNSCLNT is any user-defined name. For example, PCNSCLNT helps indicate that this is a target MIIS 2003 server for PCNS.
      • Miis.fabrikam.com is the fully qualified domain name of the server running MIIS 2003 or the Identity Integration Feature Pack 1a.
      • Fabrikam\MIISService is the DOMAIN\UserName of the MIIS 2003 service account. Although an SPN is usually assigned to a computer account, the SPN is assigned to the MIIS 2003 service account for password synchronization.

  3. If you've followed the standard deployment steps included in this document and have installed the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory on the Customer Active Directory Controller (CUSTAD02), type the following command in the open Command Prompt window and press ENTER to execute setspn.exe:

    Setspn.exe -A PCNSCLNT/custad02.proseware.local proseware\MIISService

    You should see the following in the Command Prompt window after you execute the Setspn.exe command:

    Registering ServicePrincipalNames for CN=MIISService,CN=Users,DC=proseware,DC=local
    PCNSCLNT/custad02.proseware.local
    Updated object

  4. Type EXIT in the Command Prompt window and then press ENTER to close the Command Prompt window.

To prepare to configure the Password Change Notification Service, you need to specify an inclusion group and, optionally, an exclusion group. These groups contain the users that are included in or excluded from password synchronization. If you already have a group that defines the users that should participate in password synchronization, you can use it; for example, if you want to synchronize all user passwords, you can simply specify the Domain Users group. If not, create a new group, such as PasswordSyncUsers, and add to it all the users whose passwords you want to synchronize.

Note

Inclusion and exclusion groups must be Security groups. Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group. For the purposes of this deployment walkthrough, we will create a new security group, called PasswordSyncUsers.

Procedure DCDIA.20: To create a security group that defines the users that should participate in password synchronization

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left-hand pane of the Active Directory Users and Computers management console, right-click the Users node, click New, and then click Group.
  3. In the Group name box of the New Object - Group dialog box, type PasswordSyncUsers, and then click OK.
  4. Close Active Directory Users and Computers.

In this procedure, you use pcnscfg.exe, a command-line utility, to configure the Password Change Notification Service (PCNS) to send password change notifications to a specific MIIS 2003 or Identity Integration Feature Pack 1a target. By default, this utility is installed with PCNS in the \Program Files\Microsoft Password Change Notification folder on each domain controller. For complete documentation about pcnscfg.exe, see the MIIS 2003 Help.

The following configuration steps assume that you have followed the standard deployment steps included in this document and have installed the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory on the Customer Active Directory Controller (CUSTAD02).

Procedure DCDIA.21: To configure the Password Change Notification Service

  1. Click the Start button, click Run, then type cmd.exe and click OK or press ENTER.
  2. In the open Command Prompt window, type CD \Program Files\Microsoft Password Change Notification and then press ENTER.
  3. Type the following command in the open Command Prompt window and then press ENTER: Pcnscfg.exe addtarget /N:CUSTAD02 /A:custad02.proseware.local /S:PCNSCLNT/custad02.proseware.local /FI:PasswordSyncUsers /F:3 /I:600 /D:FALSE /WI:60
  4. Type EXIT in the Command Prompt window and press ENTER to close the Command Prompt window.

Procedure DCDIA.22: To configure Management Agent for the Password Change Notification Service

  1. Click the Start button, click All Programs, click Identity Integration Feature Pack, and then click Identity Manager.
  2. In Identity Manager, click Management Agents on the toolbar, then click on proseware.
  3. In the Actions pane on the right-hand side of Identity Manager, click Properties to bring up the Properties dialog box.
  4. In the Management Agent Designer pane on the left-hand side, click Configure Directory Partitions.
  5. In the Configure Directory Partitions pane on the right-hand side, enable the checkbox next to Enable this partition as a password synchronization source.
  6. In the Configure Directory Partitions pane on the right-hand side, click the Targets button.
  7. In the Target Management Agents dialog, enable the checkbox next to the Fabrikam Management Agent and then click OK.
  8. Click OK to close the Properties dialog.

Procedure DCDIA.23: To enable Password Synchronization in Identity Manager

  1. In Identity Manager, click the Tools menu and then choose Options.
  2. Enable the checkbox next to Enable Password Synchronization and then click OK.
  3. Close Identity Manager.