Simple Account Provisioning Walkthrough: Lab Setup

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Overview

  2. Scenario Design

Lab Requirements

This section describes the software and hardware that you need to have available before you can begin to set up this scenario.

Software Requirements

With the exception of Microsoft Identity Integration Server 2003, ensure that the person who is responsible for setting up the scenario has experience with installing the software required to complete the scenario. To set up this scenario, you need to install the following software:

  • Microsoft® Windows Server 2003, Enterprise Edition

  • Active Directory

  • Microsoft® SQL Server 2000, Enterprise Edition, Service Pack 3 (SP3)

  • Microsoft® Visual Studio .NET 2003

  • Microsoft Identity Integration Server 2003

Hardware Requirements

To complete the scenario, you need to set up two computers. Following are the minimum hardware requirements for the two servers that you use in this scenario:

  • Pentium II 500 megahertz (MHz)

  • 256 megabytes (MB) of RAM

  • 8 gigabyte (GB) hard disk

  • Network adapter

  • 4 MB video adapter

  • SVGA monitor (800x600) or greater resolution

  • Microsoft Mouse or compatible pointing device

Scenario Setup

In this section, you configure the following software:

  • Active Directory

  • Scenario-specific scripts to create Active Directory containers that are used in the scenario

  • Prerequisites for installing Microsoft Identity Integration Server 2003

    • Windows Server 2003, Enterprise Edition

    • SQL Server 2000, Enterprise Edition, Service Pack 3 (SP3)

  • Visual Studio .NET 2003 (required for developing rules extensions)

  • Microsoft Identity Integration Server 2003

Perform these steps in the order described in the following sections.

Computer One: Install Windows Server 2003 and Active Directory

Use the following instructions to set up the server running Windows Server 2003, Enterprise Edition, and Active Directory, to which you will provision user accounts. To create the Active Directory containers needed for the scenario, you need the Buildad.vbs Visual Basic script file from the \Scenarios\SimpleAccountProvisioning folder provided with the Microsoft Identity Integration Server 2003 installation media.

First install Windows Server 2003, Enterprise Edition, and then install Active Directory.

To Install Windows Server 2003, Enterprise Edition

  1. Insert the Windows Server 2003, Enterprise Edition, operating system CD in the CD-ROM drive.

  2. Follow the prompts to install the operating system by using the parameters in Table 2.4. Respond to all other installation prompts with information appropriate for your computer or location. Unless indicated otherwise, accept the default option.

Table 2.4   Information for Installing Windows Server 2003

For each Setup prompt listed on the left, use the configuration given on the right:

  • Licensing Mode: Per Device or Per User

  • Computer Name: fabnoa-dc-01. Note: You can choose another computer name without affecting the scenario.

  • Administrator password: Any password. Ensure that the password is written down for future reference.

  • Windows 2000 Components (optional): During Setup, select the Management and Monitoring Tools check box, and then click Details. Choose Network Monitor Tools and Terminal Services, and then click OK.

  • Terminal Services Setup (if you chose to install this option above): Remote administration mode

  • Networking Settings: Typical

  • Workgroup or Computer Domain: Click the default setting: No, this computer is not on a network, or is on a network without a domain. Note: This computer will be its own forest and domain when Active Directory is installed.

  • When the installation is complete: Restart the computer

After you finish installing Windows Server 2003, use the Active Directory Installation Wizard to install Active Directory.

To install Active Directory

  1. From the Start menu, click Run, and then type:

dcpromo

  2. Use the information in Table 2.5 to install Active Directory. Choose the default options unless instructed otherwise.

Table 2.5   Information for Installing Active Directory

For each wizard prompt listed on the left, use the configuration given on the right:

  • New Forest/Domain Name: fabnoa.fabcorp.fabrikam.com. Note: If prompted, choose to install Active Directory–integrated DNS. Your server running Microsoft Identity Integration Server 2003 will not be able to join this local domain if the DNS Server service is not running on the local domain controller. Configure the DNS server setting in the TCP/IP Properties for your network adapter with the local IP address. Alternately, you can configure the DNS server setting with the DNS loopback address, 127.0.0.1.

  • Permissions Mode: Accept the default setting.

  • Directory Services Restore Mode Administrator Password: Type a password and write it down. Note: This is a different password than the Administrator password.

  3. When Active Directory installation is complete, restart the server.

Create Active Directory Containers

Log on as Administrator and install Active Directory setup files to create the organizational unit structure within the new Active Directory domain.

  1. From the Microsoft Identity Integration Server 2003 installation media, copy Buildad.cmd from the \Scenarios\SimpleAccountProvisioning folder to the C:\Scenarios\SimpleAccountProvisioning folder on the Active Directory computer.

  2. In Notepad, open the Buildad.cmd file, and then change the following variables to reflect your scenario.

    • Servername: Computer Name of the server running Active Directory, if you run the script remotely. Computer Name is the leftmost label (host name) in the DNS fully qualified domain name of the server.

    • Username: Name of an administrative account that is allowed to create objects in Active Directory (for example, Administrator).

    • Domainname: NetBIOS name of the Active Directory domain (for example, FABNOA).

    • Password: Password of the administrative account specified earlier.

  3. Save the changes to Buildad.cmd and close Notepad.

  4. Open the command prompt and run Buildad.cmd. The Buildad.cmd script creates five organizational unit (OU) objects in Active Directory (at the same level as Builtin and Users). One OU is given the name of the Active Directory computer (fabnoa-dc-01). Under this, another OU with the name of the scenario, SimpleAccountProvisioning, is created. Under this OU, a Fabrikam OU is created, which is populated with two other OUs: Users and Disabled Users.

Computer Two: Install Windows Server 2003, Microsoft Identity Integration Server 2003, SQL Server 2000, and Visual Studio .NET 2003

The following instructions assume that you are going to install Windows Server 2003, Enterprise Edition, and Microsoft Identity Integration Server 2003 on the C: drive.

Note

These instructions are designed to be performed in a particular sequence. Performing any of these steps out of order may cause your scenario not to work.

  1. Install Windows Server 2003, Enterprise Edition.

  2. Computer name: fabnoa-miis-01. You can choose another computer name without affecting the scenario.

  3. In the TCP/IP Properties for the network adapter on this computer, set the DNS server for the adapter using the IP address of your domain controller, or this computer will not be able to locate the domain controller for the domain fabnoa.fabcorp.fabrikam.com.

  4. Join the computer to the Active Directory domain fabnoa.fabcorp.fabrikam.com.

  5. Install SQL Server 2000, Enterprise Edition. During setup, you must select Windows Authentication Mode or Mixed Mode (Windows Authentication and SQL Server Authentication) for SQL Server. If you have applications that use SQL Server and that require SQL Server authentication, select Mixed Mode (Windows Authentication and SQL Server Authentication).

  6. Install SQL Server 2000 SP3. After SP3 setup is finished, make sure that the SQL Server service is running. If you are not sure whether the service is running, at a command prompt, run net start mssqlserver.

  7. Install Microsoft Visual Studio .NET 2003.

  8. Create an account on the local computer that you will use to run the Microsoft Identity Integration Server 2003 service. This account is called the Identity Integration Server 2003 service account. This account does not need to be a local administrator account.

  9. During Microsoft Identity Integration Server 2003 Setup, you must type the name of the account, the password for the account, and the Computer Name of the local computer. The account you create in this step will have full control over the file structure that Microsoft Identity Integration Server 2003 Setup creates, the registry keys that control how the service runs, as well as the component interface that runs server functions.

  10. Install Microsoft Identity Integration Server 2003, accepting all defaults during setup. When you are prompted for the service account, enter the account details for the new Identity Integration Server 2003 service account that you created in the previous step and the computer name of the server running Microsoft Identity Integration Server 2003.

  11. Microsoft Identity Integration Server 2003 Setup creates three security groups (among others) that correspond to three Microsoft Identity Integration Server 2003 user roles (that is, Administrator, Account Joiner, and Operator). The account with which you logged on when you (the setup user) ran setup is placed in the group with the highest privileges (known as the Microsoft Identity Integration Server 2003 administrators group or MIISAdmins).

  12. After you run Setup, you must log off and log on again so that Microsoft Identity Integration Server 2003 acknowledges your membership in this group. Perform this step before you run Microsoft Identity Integration Server 2003 for the first time.

If a user other than the Microsoft Identity Integration Server 2003 Setup user is going to run a scenario, before running a scenario, the user must first be added to the Microsoft Identity Integration Server 2003 administrators group.

  1. After being added to the Microsoft Identity Integration Server 2003 administrators group, the user must log off and log on again for Microsoft Identity Integration Server 2003 to acknowledge membership in the Microsoft Identity Integration Server 2003 administrators group.

  2. After logging on again, the user can run a scenario.

  3. Copy the files from the \Scenarios\SimpleAccountProvisioning folder on the Microsoft Identity Integration Server 2003 installation media to the C:\Scenarios\SimpleAccountProvisioning folder on the server running Microsoft Identity Integration Server 2003.

  4. Copy the three rules extension DLLs from the C:\Scenarios\SimpleAccountProvisioning folder to the InstallationPath\Extensions folder (the default Microsoft Identity Integration Server 2003 installation path is C:\Program Files\Microsoft Identity Integration Server). The three rules extensions are FabrikamADMA.dll, FabrikamHRMA.dll, and HRProvisioning.dll.

  5. Copy the Simpleprov.xml file into the InstallationPath\Extensions folder.

Customize Your Environment

If you used an Active Directory domain name that differs from the name suggested in this scenario, adjust the Simpleprov.xml file that you copied into the \Extensions folder to reflect your changes. The default settings in this file are:

<root>OU=Fabrikam,OU=SimpleAccountProvisioning,OU=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com</root>

Failing to set the simpleprov.xml correctly could cause an extension-dll-exception (MissingParentObjectException) during the provisioning run.

Using Notepad, adjust the following settings if you have different naming/containers in your Active Directory domain:

  • <account-provisioning><containers><root>

This is the Active Directory domain partition with the container where the containers specified by <enabled-users /> and <disabled-users /> are located.

Default: OU=Fabrikam,OU=SimpleAccountProvisioning,OU=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com.

  • <account-provisioning><containers><enabled-users>

This is the Active Directory location under <root /> where the enabled users will be created. This container must exist in Active Directory.

Default: OU=Users.

  • <account-provisioning><containers><disabled-users>

Active Directory location under <root /> where disabled accounts will be created. This container must exist in Active Directory.

Default: OU=Disabled Users.

  • <management-agents><fabrikam-ad-ma><sam-suffix>

This is a text string that will be appended to the samAccountName attribute for each user created in the Active Directory.

Default: -miis

  • <management-agents><fabrikam-ad-ma><upn-suffix>

This is the Active Directory user principal name (UPN) suffix. It must match your Active Directory domain name in order for this scenario to work correctly.

Default: @fabnoa.fabcorp.fabrikam.com.

The minimum settings that must be adjusted in this case are <root /> and <upn-suffix />.
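Because a wrong <root /> or <upn-suffix /> only shows up as a MissingParentObjectException during the provisioning run, it is worth checking the file before the first run. The following Python script is an added example, not part of the walkthrough or of Microsoft Identity Integration Server 2003: it parses a Simpleprov.xml-style file using the element paths named above, rebuilds the root DN that the Buildad.cmd OU layout (computer-name OU, scenario OU, Fabrikam OU) implies for a given domain controller name and domain, and reports any mismatch between the configured containers, the UPN suffix, and the domain. The wrapping document element (<simpleprov>) and the sample file contents are assumptions constructed for the example.

```python
"""Consistency check for a Simpleprov.xml-style settings file.

Added example; not part of the walkthrough or of MIIS 2003. Assumes the
element paths named in the walkthrough (<account-provisioning><containers>
<root> and <management-agents><fabrikam-ad-ma><upn-suffix>, and so on) and
an assumed document element named <simpleprov>.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample, built from the defaults quoted in the walkthrough.
SAMPLE_XML = """<simpleprov>
  <account-provisioning>
    <containers>
      <root>OU=Fabrikam,OU=SimpleAccountProvisioning,OU=FABNOA-DC-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com</root>
      <enabled-users>OU=Users</enabled-users>
      <disabled-users>OU=Disabled Users</disabled-users>
    </containers>
  </account-provisioning>
  <management-agents>
    <fabrikam-ad-ma>
      <sam-suffix>-miis</sam-suffix>
      <upn-suffix>@fabnoa.fabcorp.fabrikam.com</upn-suffix>
    </fabrikam-ad-ma>
  </management-agents>
</simpleprov>
"""

SETTING_PATHS = {
    "root": "account-provisioning/containers/root",
    "enabled_users": "account-provisioning/containers/enabled-users",
    "disabled_users": "account-provisioning/containers/disabled-users",
    "sam_suffix": "management-agents/fabrikam-ad-ma/sam-suffix",
    "upn_suffix": "management-agents/fabrikam-ad-ma/upn-suffix",
}


def load_settings(xml_text):
    """Read the five settings into a dict; a missing element yields None."""
    doc = ET.fromstring(xml_text)
    settings = {}
    for key, path in SETTING_PATHS.items():
        node = doc.find(path)
        settings[key] = (node.text or "").strip() if node is not None else None
    return settings


def expected_root(dc_computer_name, domain_dns, scenario="SimpleAccountProvisioning"):
    """Root DN implied by the OU layout Buildad.cmd creates for this lab."""
    dc_parts = ",".join("DC=" + label for label in domain_dns.split("."))
    return "OU=Fabrikam,OU=%s,OU=%s,%s" % (scenario, dc_computer_name.upper(), dc_parts)


def container_dns(settings):
    """Full DNs of the two user containers (relative DN prefixed to root)."""
    return {
        "enabled": settings["enabled_users"] + "," + settings["root"],
        "disabled": settings["disabled_users"] + "," + settings["root"],
    }


def check_settings(settings, dc_computer_name, domain_dns):
    """Return a list of problems; an empty list means the file is consistent."""
    problems = []
    for key in ("root", "enabled_users", "disabled_users", "upn_suffix"):
        if not settings.get(key):
            problems.append("missing setting: " + key)
    if problems:
        return problems
    # DNs are compared case-insensitively, as Active Directory treats them.
    root = settings["root"]
    if root.lower() != expected_root(dc_computer_name, domain_dns).lower():
        problems.append("root DN does not match the OU layout Buildad.cmd creates: " + root)
    upn = settings["upn_suffix"]
    if not upn.startswith("@"):
        problems.append("upn-suffix must start with '@': " + upn)
    elif upn[1:].lower() != domain_dns.lower():
        problems.append("upn-suffix %s does not match the domain %s" % (upn, domain_dns))
    for key in ("enabled_users", "disabled_users"):
        if not re.match(r"^(OU|CN)=.+", settings[key], re.IGNORECASE):
            problems.append("%s must be a relative DN such as OU=Users: %s" % (key, settings[key]))
    return problems


if __name__ == "__main__":
    cfg = load_settings(SAMPLE_XML)
    for name, dn in container_dns(cfg).items():
        print("%s container: %s" % (name, dn))
    for p in check_settings(cfg, "fabnoa-dc-01", "fabnoa.fabcorp.fabrikam.com"):
        print("PROBLEM:", p)
```

Run it against the real file by replacing SAMPLE_XML with the contents of InstallationPath\Extensions\Simpleprov.xml and passing your domain controller name and domain; the two printed container DNs are exactly the OUs that Buildad.cmd must have created, so they can be checked against Active Directory Users and Computers before the first run.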
