Configure Service Provider Active Directory for Outbound Manual Synchronization

This section contains the steps necessary to set up the service provider shared Active Directory to prepare it for use with the Customer Directory Integration (CDI) Service. All configuration steps are accomplished on the service provider AD01 and AD02 Active Directory domain controllers and are executed by a domain administrator.

Perform the procedures that follow to set up the service provider shared Active Directory domain controllers.

Note

The following procedure configures the service provider side of the DNS zone transfer from the customer Active Directory. You can use an alternate method of domain name resolution; however, this procedure uses Microsoft DNS to set up a stub zone for the customer Active Directory on the service provider front-end public DNS servers.

Procedure DCDOM.10: To create a stub zone for the customer Active Directory CUSTAD01 in DNS

  1. Log on to DNS01 as the local Administrator.
  2. Click the Start button, click All Programs, click Administrative Tools, and then click DNS.
  3. In the left pane of the dnsmgmt management console, right-click the DNS01 machine name and then click New Zone to display the New Zone Wizard.
  4. Click Next at the wizard welcome page.
  5. In the Zone Type screen, select the Stub Zone option, and then click Next.
  6. On the Forward or Reverse Lookup Zone screen, select the Forward lookup zone option, and then click Next.
  7. In the Zone Name screen, type alpineskihouse.local for the zone name, and then click Next.
  8. In the Master DNS Servers screen, type the IP address of the machine hosting the customer Active Directory and DNS server (CUSTAD01), click Add, and then click Next.
  9. Click Finish.
  10. In the left pane of the dnsmgmt management console, expand the Forward Lookup Zones node for DNS01.
  11. Right-click on alpineskihouse.local and select Transfer from Master.
  12. Verify that a host (A) record exists for CUSTAD01 along with the proper IP address and that there are entries present for Start of Authority (SOA) and Name Server (NS).
  13. Close the dnsmgmt management console.
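The same stub zone setup and the step 12 verification, as an added example written for this section (not part of the original guide) using the DnsServer PowerShell module on DNS01. $MasterIp is a placeholder for the CUSTAD01 address and the zone is assumed to be file-backed, as the wizard creates it.

```powershell
# Added example, not part of the original guide: creates the alpineskihouse.local
# stub zone on DNS01 and turns the step 12 check into a function. $MasterIp is a
# placeholder for the CUSTAD01 address (assumption); run it on DNS01 itself.
Import-Module DnsServer

$zone     = 'alpineskihouse.local'
$MasterIp = '192.0.2.10'   # placeholder, replace with CUSTAD01's real address

# Steps 3 to 9: a file-backed (not AD-integrated) stub zone, as the wizard creates.
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerStubZone -Name $zone -MasterServers $MasterIp -ZoneFile "$zone.dns"
}
# Step 11: Transfer from Master.
Start-DnsServerZoneTransfer -Name $zone -FullTransfer

# Step 12: SOA and NS must be present and the master's A record must carry the
# address that was typed into the wizard; a mismatch means the zone is being
# populated from a host other than the one intended.
function Test-StubZone {
    param([string]$ZoneName, [string]$MasterHost, [string]$ExpectedIp)
    $records   = Get-DnsServerResourceRecord -ZoneName $ZoneName
    $a         = $records | Where-Object { $_.RecordType -eq 'A' -and $_.HostName -eq $MasterHost }
    $addresses = @($a | ForEach-Object { $_.RecordData.IPv4Address.IPAddressToString })
    [pscustomobject]@{
        HasSOA           = [bool]($records | Where-Object RecordType -eq 'SOA')
        HasNS            = [bool]($records | Where-Object RecordType -eq 'NS')
        MasterHasARecord = [bool]$a
        MasterIpMatches  = ($addresses -contains $ExpectedIp)
    }
}

$result = Test-StubZone -ZoneName $zone -MasterHost 'CUSTAD01' -ExpectedIp $MasterIp
if ($result.PSObject.Properties.Value -contains $false) {
    Write-Warning "Stub zone check failed:`n$($result | Out-String)"
}
$result
```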

Procedure DCDOM.11: To create an account for the Microsoft Identity Integration Server (MIIS) 2003 Service

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left pane of Active Directory Users and Computers, under fabrikam.com, click the Users node.
  3. Right-click the Users node, click New, and then click User.
  4. In the First name and User logon name boxes of the New Object - User dialog box, type MIISService, and then click Next.
  5. Type a password in the Password and Confirm password boxes.
  6. Select Password never expires, and then click Next.
  7. Click Finish.

Procedure DCDOM.12: To create an account for the MIIS 2003 management agent

  1. In the left pane of Active Directory Users and Computers, right-click the Users node, and then click New and then click User.
  2. In the First name and User logon name boxes of the New Object - User dialog box, type MIISAgentSvc and then click Next.
  3. Type a password in the Password and Confirm password boxes.
  4. Select Password never expires and then click Next.
  5. Click Finish.

Procedure DCDOM.13: To add the MIISService and MIISAgentSvc accounts to the Windows-based Hosting Service Accounts group

  1. In the left pane of Active Directory Users and Computers, click the Users node.
  2. In the right pane, double-click the Windows-based Hosting Service Accounts group.
  3. In the Windows-based Hosting Service Accounts Properties dialog box, click the Members tab.
  4. Click the Add button.
  5. In the Enter the object names to select box, type MIISService;MIISAgentSvc, and then click Check Names.
  6. Click OK, click Apply, and then click OK.

Procedure DCDOM.14: To create and configure the MIIS 2003 service groups

  1. In the left pane of the Active Directory Users and Computers management console, right-click the Users node, click New, and then click Group.
  2. In the Group name box of the New Object - Group dialog box, type MIISAdmins and then click OK.
  3. Repeat steps 1 and 2 to create the following additional MIIS 2003 service groups:
    • MIISBrowse
    • MIISJoiners
    • MIISOperators
    • MIISPasswordSet
  4. In the right pane of Active Directory Users and Computers, double-click the MIISAdmins group.
  5. In the MIISAdmins Properties dialog box, click the Members tab, and then click Add.
  6. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins, and then click Check Names.
  7. Click OK, click Apply, and then click OK.
  8. In the right pane of Active Directory Users and Computers, double-click the MIISBrowse group.
  9. In the MIISBrowse Properties dialog box, click the Members tab, and then click Add.
  10. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins;MIISAgentSvc, and then click Check Names.
  11. Click OK, click Apply, and then click OK.
  12. Double-click the MIISJoiners group.
  13. In the MIISJoiners Properties dialog box, click the Members tab, and then click Add.
  14. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins, and then click Check Names.
  15. Click OK, click Apply, and then click OK.
  16. Double-click the MIISOperators group.
  17. In the MIISOperators Properties screen, click the Members tab, and then click Add.
  18. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins;MIISAgentSvc, and then click Check Names.
  19. Click OK, click Apply, then click OK.
  20. Double-click the MIISPasswordSet group.
  21. In the MIISPasswordSet Properties dialog box, click the Members tab, and then click Add.
  22. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins;MIISAgentSvc;MIISService, and then click Check Names.
  23. Click OK, click Apply, and then click OK.
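The account and group setup of procedures DCDOM.11 to DCDOM.14, as an added example for this section (not part of the original guide) using the ActiveDirectory PowerShell module. The membership table is taken from the procedures; the Users container path is derived from the domain, and the Windows-based Hosting Service Accounts group is assumed to exist already, since the guide only adds members to it.

```powershell
# Added example, not part of the original guide: DCDOM.11 to DCDOM.14 with the
# ActiveDirectory module. Passwords are prompted for at run time.
Import-Module ActiveDirectory

$usersCn = "CN=Users,$((Get-ADDomain).DistinguishedName)"

# DCDOM.11 and DCDOM.12: the two service accounts, with the Password never
# expires setting the guide specifies.
foreach ($name in 'MIISService', 'MIISAgentSvc') {
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$name'")) {
        New-ADUser -Name $name -SamAccountName $name -Path $usersCn `
            -AccountPassword (Read-Host -AsSecureString "Password for $name") `
            -PasswordNeverExpires $true -Enabled $true
    }
}

# DCDOM.13 and DCDOM.14: group membership exactly as the procedures list it.
# Windows-based Hosting Service Accounts is assumed to exist already; the five
# MIIS groups are created here as global security groups (the wizard default).
$membership = [ordered]@{
    'Windows-based Hosting Service Accounts' = @('MIISService', 'MIISAgentSvc')
    'MIISAdmins'      = @('Domain Admins')
    'MIISBrowse'      = @('Domain Admins', 'MIISAgentSvc')
    'MIISJoiners'     = @('Domain Admins')
    'MIISOperators'   = @('Domain Admins', 'MIISAgentSvc')
    'MIISPasswordSet' = @('Domain Admins', 'MIISAgentSvc', 'MIISService')
}
foreach ($group in $membership.Keys) {
    if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -GroupCategory Security -Path $usersCn
    }
    Add-ADGroupMember -Identity $group -Members $membership[$group]
}

# Review: print each group with its members so the result can be checked
# against the procedures before MIIS is pointed at the directory.
foreach ($group in $membership.Keys) {
    $actual = (Get-ADGroupMember -Identity $group | Select-Object -ExpandProperty SamAccountName) -join ', '
    '{0,-40} {1}' -f $group, $actual
}
```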

Procedure DCDOM.15: To assign password change and reset rights to the MIISAgentSvc account

  1. In the Active Directory Users and Computers management console, click the View menu and ensure that Advanced Features is selected.
  2. In the left pane of the Active Directory Users and Computers management console, right-click fabrikam.com (the domain root), and then click Properties.
  3. In the fabrikam.com Properties dialog box, click the Security tab, and then click Add.
  4. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, and then click OK.
  5. In the Group or User Names section of the fabrikam.com Properties dialog box, ensure MIISAgentSvc is selected, then in Permissions for MIISAgentSvc, select the Allow check box for Replicate Directory Changes, and then click Apply.
  6. In the Group or user names section of the fabrikam.com Properties dialog box, ensure that MIISAgentSvc is selected, and then click Advanced.
  7. In the Advanced Security Settings dialog, click Add.
  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.
  9. Select User Objects in the Apply onto drop-down box of the Permission Entry for fabrikam dialog box.
  10. Select the Allow check box for the Change Password and Reset Password properties, and then click OK.
  11. Click Apply, and then click OK.
  12. Right-click on the Hosting OU and click Properties.
  13. Click on the Security tab.
  14. In the Group or user names section of the Hosting Properties dialog box, ensure that MIISAgentSvc is selected, and then in Permissions for MIISAgentSvc, select the Allow check box for Read.
  15. Click Apply, and then click OK.
  16. Close the Active Directory Users and Computers management console.
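The DCDOM.15 delegation expressed as access control entries, as an added example for this section (not part of the original guide) using the ActiveDirectory module and the AD: drive. It assumes MIISAgentSvc already exists (DCDOM.12) and that the Hosting OU sits directly under the domain root; the Read permission on the OU is taken as Read on the OU and its descendants, which is an assumption about the guide's intent.

```powershell
# Added example, not part of the original guide: grants MIISAgentSvc the
# DCDOM.15 rights with the ActiveDirectory module. Assumptions: the account
# exists (DCDOM.12), and the Hosting OU sits directly under the domain root;
# adjust $hostingOu if your layout differs.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$rootDn    = $domain.DistinguishedName            # e.g. DC=fabrikam,DC=com
$hostingOu = "OU=Hosting,$rootDn"                 # assumed location of the Hosting OU
$sid       = (Get-ADUser -Identity 'MIISAgentSvc').SID
$rootDse   = Get-ADRootDSE
$Rule      = [System.DirectoryServices.ActiveDirectoryAccessRule]
$Inherit   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Resolve the extended-right and object-class GUIDs from this forest's own
# configuration partition rather than hard-coding them.
function Get-ExtendedRightGuid([string]$DisplayName) {
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found" }
    [guid]$right.rightsGuid
}
$userSchema = Get-ADObject -Identity "CN=User,$($rootDse.schemaNamingContext)" -Properties schemaIDGUID
$userClass  = [guid]::new([byte[]]$userSchema.schemaIDGUID)
# The Security tab labels this right Replicate Directory Changes; the schema displayName differs.
$replChanges = Get-ExtendedRightGuid 'Replicating Directory Changes'
$changePwd   = Get-ExtendedRightGuid 'Change Password'
$resetPwd    = Get-ExtendedRightGuid 'Reset Password'

# Step 5: Replicate Directory Changes on the domain root, this object only.
$acl = Get-Acl -Path "AD:\$rootDn"
$acl.AddAccessRule($Rule::new($sid, 'ExtendedRight', 'Allow', $replChanges, $Inherit::None))
# Steps 9 and 10: Change Password and Reset Password, inherited by user objects only.
foreach ($right in $changePwd, $resetPwd) {
    $acl.AddAccessRule($Rule::new($sid, 'ExtendedRight', 'Allow', $right, $Inherit::Descendents, $userClass))
}
Set-Acl -Path "AD:\$rootDn" -AclObject $acl

# Steps 12 to 15: Read on the Hosting OU (taken as the OU and its descendants,
# so the agent can read the objects it manages; an assumption).
$ouAcl = Get-Acl -Path "AD:\$hostingOu"
$ouAcl.AddAccessRule($Rule::new($sid, 'GenericRead', 'Allow', $Inherit::All))
Set-Acl -Path "AD:\$hostingOu" -AclObject $ouAcl

# Review the result: the three extended rights above are all the agent account
# should hold at the domain root; anything else listed here is a finding.
(Get-Acl -Path "AD:\$rootDn").Access |
    Where-Object { $_.IdentityReference -eq "$($domain.NetBIOSName)\MIISAgentSvc" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType
```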

Procedure DCDOM.16: To secure the MIISService and MIISAgentSvc accounts

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Domain Security Policy.
  2. Expand the Local Policies node.
  3. Click on User Rights Assignment.
  4. In the right pane of the Default Domain Security Settings management console, double-click on Deny log on locally.
  5. Select Define these policy settings.
  6. Click Add User or Group.
  7. In the Add User or Group dialog box, click Browse.
  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISService, then click Check Names.
  9. Click OK to exit each screen.
  10. Exit the Default Domain Security Settings management console.
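A check that the Deny log on locally setting from this procedure actually took effect on a domain controller, as an added example for this section (not part of the original guide). It exports the effective local policy with secedit, which on a domain controller reflects the Default Domain Security Settings once Group Policy has applied, and compares the listed SIDs with the service accounts. The procedure title names both accounts while step 8 adds only MIISService, so the check reports both.

```powershell
# Added example, not part of the original guide: verifies that the accounts
# are present in SeDenyInteractiveLogonRight (Deny log on locally) on this DC.
# Run on a domain controller after Group Policy has refreshed.
Import-Module ActiveDirectory

function Get-DenyLocalLogonSids {
    $cfg = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $line = Get-Content $cfg | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $cfg -ErrorAction SilentlyContinue
    if (-not $line) { return @() }    # right not defined: nobody is denied
    # Values are comma separated; SIDs carry a leading '*', account names do not.
    ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
        $v = $_.Trim()
        if ($v.StartsWith('*')) { $v.Substring(1) }
        else {
            (New-Object System.Security.Principal.NTAccount($v)).Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        }
    }
}

function Test-ServiceAccountLockdown([string[]]$Accounts) {
    $denied = @(Get-DenyLocalLogonSids)
    foreach ($name in $Accounts) {
        $sid = (Get-ADUser -Identity $name).SID.Value
        [pscustomobject]@{ Account = $name; DeniedLocalLogon = ($denied -contains $sid) }
    }
}

# Step 8 adds MIISService; MIISAgentSvc is reported too because the procedure
# title covers both accounts.
Test-ServiceAccountLockdown -Accounts 'MIISService', 'MIISAgentSvc'
```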