Configure Service Provider Active Directory for Inbound Automatic Synchronization



This section contains the steps necessary to set up your shared Active Directory and to prepare it for use with the Customer Directory Integration (CDI) Service. You must use a domain administrator account to be able to configure your domain controllers. You must use a local administrator account to configure the front-end DNS servers.

This procedure configures the service provider side of the DNS zone transfer from the customer Active Directory. (This completes the configuration process begun in Procedure "To allow zone transfers in DNS" in Configure Customer Active Directory for Inbound Automatic Synchronization.) You can use an alternate method of domain name resolution; however, this procedure uses Microsoft DNS to set up a stub zone for the customer Active Directory on the service provider front-end public DNS servers.

Procedure DCDIA.1: To create a stub zone for the customer Active Directory CUSTAD02 in DNS

  1. Log on to DNS01 as the local Administrator.
  2. Click the Start button, click All Programs, click Administrative Tools, and then click DNS.
  3. In the left-hand pane of the dnsmgmt management console, right-click the DNS01 machine name, and then click New Zone to display the New Zone Wizard.
  4. Click Next at the wizard welcome page.
  5. In the Zone Type screen, select the Stub Zone option, and then click Next.
  6. On the Forward or Reverse Lookup Zone screen, select the Forward lookup zone option, and then click Next.
  7. In the Zone Name screen, type proseware.local for the zone name, and then click Next.
  8. In the Zone File screen, accept the default, and then click Next.
  9. In the Master DNS Servers screen, type the IP address of the machine hosting the customer Active Directory and DNS server (CUSTAD02), and then click Add. Click Next.
  10. Click Finish.
  11. In the left-hand pane of the dnsmgmt management console, expand the Forward Lookup Zones node for DNS01.
  12. Right-click on proseware.local and select Transfer from Master.
  13. Verify that a host (A) record exists for CUSTAD02 along with the proper IP address and that there are entries present for Start of Authority (SOA) and Name Server (NS).
  14. Close the dnsmgmt management console.
  15. Log off DNS01 when you have completed this procedure.
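The same stub zone can be created and verified from PowerShell. The script below is an added example and is not part of the original procedure; it assumes the DnsServer module (Windows Server 2012 or later, or RSAT) is available on DNS01, whereas the steps above use the dnsmgmt console. The master address 192.0.2.10 is a constructed placeholder for CUSTAD02; replace it with the real address.

```powershell
# Added example: create the proseware.local stub zone on DNS01 and verify
# the records that step 13 of Procedure DCDIA.1 asks you to check.
$ZoneName     = 'proseware.local'
$MasterIP     = '192.0.2.10'      # placeholder for CUSTAD02 (replace with its address)
$ExpectedHost = 'custad02'

# Steps 3-10: forward stub zone, file-backed as the wizard default.
if (-not (Get-DnsServerZone -Name $ZoneName -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $ZoneName -MasterServers $MasterIP -ZoneFile "$ZoneName.dns"
}

# Step 12: "Transfer from Master" pulls the SOA, NS and glue records.
Start-DnsServerZoneTransfer -Name $ZoneName -FullTransfer

# Step 13: the stub zone must hold SOA, NS and the A record for CUSTAD02
# with the expected address, otherwise the MIIS agent cannot resolve the
# customer forest.
$records = Get-DnsServerResourceRecord -ZoneName $ZoneName
$soa = @($records | Where-Object { $_.RecordType -eq 'SOA' })
$ns  = @($records | Where-Object { $_.RecordType -eq 'NS' })
$a   = @($records | Where-Object {
            $_.RecordType -eq 'A' -and $_.HostName -eq $ExpectedHost -and
            $_.RecordData.IPv4Address.IPAddressToString -eq $MasterIP })

if ($soa.Count -ge 1 -and $ns.Count -ge 1 -and $a.Count -ge 1) {
    "Stub zone $ZoneName verified: SOA, NS and A record for $ExpectedHost ($MasterIP) present."
} else {
    Write-Warning "Stub zone $ZoneName is incomplete; check that $MasterIP allows zone transfers to this server."
    $records | Format-Table HostName, RecordType, @{ n = 'Data'; e = { $_.RecordData } }
}
```

An empty or partial record set after the transfer usually means the customer DNS server (CUSTAD02) has not yet been configured to allow zone transfers to DNS01, which is the customer-side step referenced above.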

Procedure DCDIA.2: To create an account for the Microsoft Identity Integration Server (MIIS) management agent

  1. Log on to AD01 with an account that is a member of the Domain Administrators group.
  2. In the left-hand pane of Active Directory Users and Computers, right-click the Users node, and then click New. Click User.
  3. In the First name and User logon name boxes of the New Object - User dialog box, type MIISAgentSvc, and then click Next.
  4. Type a password in the Password and Confirm password boxes.
  5. Select Password never expires, and then click Next.
  6. Click Finish.

Procedure DCDIA.3: To assign password change and reset rights to the MIISAgentSvc account

  1. In the Active Directory Users and Computers management console, click the View menu and ensure that Advanced Features is selected.

  2. In the left-hand pane of the Active Directory Users and Computers management console, right-click fabrikam.com (the domain root), and then click Properties.

  3. In the fabrikam.com Properties dialog box, click the Security tab, and then click Add.

  4. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, and then click OK.

  5. In the Group or User Names section of the fabrikam.com Properties dialog box, ensure MIISAgentSvc is selected, then in Permissions for MIISAgentSvc, select the Allow check box for Replicate Directory Changes, and then click Apply.

  6. In the Group or user names section of the fabrikam.com Properties dialog box, ensure that MIISAgentSvc is selected, and then click Advanced.

  7. In the Advanced Security Settings dialog, click Add.

  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.

  9. Select User Objects in the Apply onto drop-down box of the Permission Entry for fabrikam dialog box.

  10. Select the Allow check box for the Change Password and Reset Password properties, then click OK.

  11. Click Apply, then click OK.

  12. Right-click on the Hosting OU and click Properties.

    Important

    If you have specified a different name for the Hosting OU, as described in the Deploy the Hosting Platform section of the Deployment Walkthrough documentation, perform this step on that OU instead.

  13. Click on the Security tab.

  14. In the Group or user names section of the Hosting Properties dialog box, ensure that MIISAgentSvc is selected, then in Permissions for MIISAgentSvc, select the Allow check box for Read.

  15. Click Apply, then click OK.

  16. Close the Active Directory Users and Computers management console.
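Procedures DCDIA.2 and DCDIA.3 can also be scripted, which makes the resulting ACEs easy to review later. The script below is an added example, not code from the original page; it assumes the ActiveDirectory PowerShell module and its AD: drive are available on AD01, that the caller is a domain administrator of fabrikam.com, and that the Hosting OU sits directly under the domain root as OU=Hosting (adjust $HostingOU if it was renamed). The extended-right and object-class GUIDs are read from the forest's own schema rather than hard-coded.

```powershell
# Added example: create MIISAgentSvc (DCDIA.2) and grant it the rights from
# DCDIA.3: Replicate Directory Changes on the domain root, Change/Reset Password
# on user objects, and Read on the Hosting OU.
Import-Module ActiveDirectory

$SamName   = 'MIISAgentSvc'
$DomainDN  = (Get-ADDomain).DistinguishedName       # DC=fabrikam,DC=com
$HostingOU = "OU=Hosting,$DomainDN"                  # assumption: change if the OU was renamed

# DCDIA.2 steps 2-6: service account with a non-expiring password.
if (-not (Get-ADUser -Filter "sAMAccountName -eq '$SamName'")) {
    $password = Read-Host -AsSecureString "Password for $SamName"
    New-ADUser -Name $SamName -SamAccountName $SamName -AccountPassword $password `
               -PasswordNeverExpires $true -Enabled $true
}
$sid = (Get-ADUser $SamName).SID

# Resolve GUIDs from the configuration and schema partitions of this forest.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $base = "CN=Extended-Rights,$((Get-ADRootDSE).configurationNamingContext)"
    $obj  = Get-ADObject -SearchBase $base -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    [guid]$obj.rightsGuid
}
$replChanges = Get-ExtendedRightGuid 'Replicating Directory Changes'
$changePwd   = Get-ExtendedRightGuid 'Change Password'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'
$userSchema  = Get-ADObject -SearchBase (Get-ADRootDSE).schemaNamingContext `
                            -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID
$userClass   = New-Object System.Guid -ArgumentList (,[byte[]]$userSchema.schemaIDGUID)

# DCDIA.3 steps 2-11 on the domain root.
$acl = Get-Acl "AD:\$DomainDN"
$aces = @(
    # Step 5: Replicate Directory Changes, this object only.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $replChanges, 'None')),
    # Steps 7-10: Change Password and Reset Password, applied onto User objects.
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $changePwd, 'Descendents', $userClass)),
    (New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, 'ExtendedRight', 'Allow', $resetPwd, 'Descendents', $userClass))
)
$aces | ForEach-Object { $acl.AddAccessRule($_) }
Set-Acl -Path "AD:\$DomainDN" -AclObject $acl

# DCDIA.3 steps 12-15: Read on the Hosting OU (GenericRead is the "Read" set in the UI).
$ouAcl = Get-Acl "AD:\$HostingOU"
$ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, 'GenericRead', 'Allow', 'None')))
Set-Acl -Path "AD:\$HostingOU" -AclObject $ouAcl

# Review what the account now holds on the domain root.
(Get-Acl "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$SamName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

The final query is the check worth repeating after deployment: an account that holds Replicating Directory Changes on the domain root together with Reset Password on every user object is a sensitive identity, so its ACEs should stay limited to exactly these entries. Note that the procedure grants only Replicating Directory Changes, not Replicating Directory Changes All; the former is sufficient for the management agent to read change notifications and does not include the right to read secret attributes.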

Procedure DCDIA.4: To secure the MIISAgentSvc account

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Domain Security Policy.
  2. Expand the Local Policies node.
  3. Click on User Rights Assignment.
  4. In the right-hand pane of the Default Domain Security Settings management console, double-click Deny log on locally.
  5. Select Define these policy settings.
  6. Click Add User or Group.
  7. In the Add User or Group dialog box, click Browse.
  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, and then click Check Names.
  9. Click OK to exit each screen.
  10. Exit the Default Domain Security Settings management console.
  11. Log off AD01.
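After the policy has applied, you can confirm from PowerShell on AD01 that MIISAgentSvc is actually listed under the Deny log on locally right (SeDenyInteractiveLogonRight). This is an added check, not part of the original procedure; it uses secedit to export the effective user-rights assignment and assumes the domain policy has already refreshed (run gpupdate /force first if it has not).

```powershell
# Added example: verify that MIISAgentSvc is denied local logon (DCDIA.4).
$SamName = 'MIISAgentSvc'
$account = "$env:USERDOMAIN\$SamName"
$sid = (New-Object System.Security.Principal.NTAccount($account)).
           Translate([System.Security.Principal.SecurityIdentifier]).Value

# Export only the user-rights area of the effective local security policy.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null

# The export holds one line per right, for example:
#   SeDenyInteractiveLogonRight = *S-1-5-21-...-1108,*S-1-5-32-546
# SIDs are prefixed with '*'; plain names can also appear.
$line = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
Remove-Item $inf -ErrorAction SilentlyContinue

$denied = @()
if ($line) {
    $denied = ($line -split '=', 2)[1] -split ',' |
              ForEach-Object { $_.Trim().TrimStart('*') } |
              Where-Object { $_ }
}

if ($denied -contains $sid -or $denied -contains $account) {
    "$account ($sid) is denied local logon on $env:COMPUTERNAME."
} else {
    Write-Warning "$account is not in SeDenyInteractiveLogonRight on $env:COMPUTERNAME; the Default Domain Security Policy may not have applied yet."
}
```

Because the setting comes from the Default Domain Security Policy, the same check can be run on any domain controller to confirm the restriction is in force everywhere the service account could otherwise be used interactively.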