Introduction to Expected State Detection

Applies To: Forefront Identity Manager 2010

In Microsoft® Forefront® Identity Manager (FIM) 2010, you can use expected state detection (ESD) to detect the custom states of objects in your managed external systems and configure a response to them. This document provides a detailed introduction to ESD based on a simple lab environment.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Before You Begin

This document assumes that you already have a working instance of FIM 2010 running on a computer. For more information about installing FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkID=165845).

Prerequisite knowledge

This document assumes that you have a basic understanding of the ESD process. For more information, see Understanding Expected State Detection (https://go.microsoft.com/fwlink/?LinkID=188180).

Audience

This guide is intended for information technology (IT) professionals who are interested in getting some initial hands-on experience with FIM 2010 expected state detection in a lab environment.

Scope

The scenario outlined in this document has been simplified to address the requirements of a simple lab environment. The focus is on helping you obtain a basic understanding of the technologies. This scenario is not intended for deployment in a production environment.

Time requirements

The procedures in this document require 90 to 120 minutes for a new user to complete. These time estimates assume that the testing environment is already configured, and they do not include the time required to set up the test environment.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Forefront Identity Manager 2010 forum (https://go.microsoft.com/fwlink/?LinkId=163230).

Scenario Description

Fabrikam, a fictitious company, is investigating how to easily deploy and maintain digital identities by using FIM 2010. As part of this investigation, Fabrikam wants to explore the new ESD feature in the corporate lab environment based on a simple scenario. The goal of this scenario is to detect whether an account that has been imported from Active Directory® Domain Services (AD DS) is enabled. If an enabled account is detected, the account is moved into a specific set.

The following illustration outlines this scenario.

Scenario Description

The following sections describe the scenario design, the scenario preparation, and the scenario steps.

Scenario Design

To implement the simple lab solution in this document, you implement two management agents:

  • Fabrikam FIMMA. This management agent for the FIM 2010 R2 Service is the target for the sample users in this document.

  • Fabrikam ADMA. This management agent for AD DS contributes user data.

The following illustration outlines the logical architecture of this scenario.

Required environment

For the scenario in this document, the following conceptual elements are required:

Active Directory User Inbound Synchronization Rule. The synchronization rule that manages objects in the Fabrikam ADMA connector space. The following attributes are populated by this synchronization rule:

  • accountName

  • displayName

  • domain

  • firstName

  • lastName

  • userAccountControl

Is Enabled User Outbound Synchronization Rule. The synchronization rule that contains the existence test outbound attribute flow mapping. There is only one outbound attribute flow mapping for the userAccountControl attribute configured.

All Enabled ADDS Users. A set with dynamic membership for all enabled AD DS users.

All Enabled ADDS Users DREs. A set with dynamic membership for all AD DS Detected Rule Entries.

Testing Environment

The scenario outlined in this document has been developed and tested on a stand-alone computer. FIM 2010 is already deployed on this computer, and the computer is configured to be a domain controller for the Active Directory forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the domain configuration.

To perform the procedures in this document, the domain controller has been configured with:

  • The 64-bit editions of Windows Server® 2008 or Windows Server 2008 R2 Standard or Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • The 64-bit edition of Microsoft SQL Server® 2008 Standard or Enterprise, Service Pack 1 (SP1)

  • The 64-bit edition of Windows SharePoint® Services 3.0 SP1

  • Windows PowerShell™ 

  • FIM 2010

Note

A description of the installation of FIM 2010 and the required software components is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkID=165845).

Scenario Roadmap

The scenario roadmap in this document consists of three main building blocks:

  1. Configuring the scenario. In this section, you create all required scenario components, including the organizational unit, the management agents, the run profiles, the synchronization rules, and the sets.

  2. Initializing the scenario. In this section, you deploy your initial configuration inside FIM 2010.

  3. Testing the scenario. In this section, you create one enabled and one disabled sample user in AD DS, stage and synchronize them, and verify that a Detected Rule Entry is created only for the enabled account.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  1. Creating the organizational unit

  2. Creating the management agents

  3. Creating the run profiles

  4. Creating the synchronization rules

  5. Creating the sets

  6. Enabling synchronization rule provisioning

The following sections provide detailed instructions for each configuration building block.

Creating the organizational unit

For the scenario in this document, you create an organizational unit that is used as a source container for the sample users.

The following illustration shows an example of this:

Active Directory Users and Computers

To create the organizational unit

  1. To open the Active Directory Users and Computers snap-in, on the Start menu, click Run, and then type dsa.msc.

  2. In the console tree, right-click fabrikam.com, select New, and then click Organizational Unit.

  3. In the Name box, type FIMObjects.

  4. To create the organizational unit, click OK.

Creating the management agents

In this section, you find instructions for creating the two scenario management agents:

  • Fabrikam ADMA

  • Fabrikam FIMMA

The following sections provide detailed instructions for creating these management agents.

Creating the Fabrikam ADMA

The Fabrikam ADMA is a management agent for AD DS. To create this management agent, you use the Create Management Agent wizard.

To create the Fabrikam ADMA

  1. To open the Create Management Agent wizard, on the Actions menu, click Create.

  2. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Active Directory Domain Services

    • Name: Fabrikam ADMA

  3. On the Connect to Active Directory Forest page, provide the following settings, and then click Next:

    • Forest name: fabrikam.com

    • User name: administrator

    • Password: <the account’s password>

    • Domain: fabrikam

  4. On the Configure Directory Partitions page, provide the following settings, and then click Next:

    1. In the Select directory partitions list, select DC=Fabrikam, DC=com.

    2. To open the Select Containers dialog box, click Containers.

    3. To clear the current selection, clear the DC=Fabrikam,DC=com check box.

    4. Select the FIMObjects check box.

    5. To close the Select Containers dialog box, click OK.

  5. On the Configure Provisioning Hierarchy page, click Next.

  6. On the Select Object Types page, provide the following settings, and then click Next:

    • In the Object types list, select user.

  7. On the Select Attributes page, provide the following settings, and then click Next:

    • Select Show All.

    • In the Attributes list, select the following attributes:

      • givenName

      • objectSid

      • sAMAccountName

      • sn

      • userAccountControl

  8. On the Configure Connector Filter page, click Next.

  9. On the Configure Join and Projection Rules page, click Next.

  10. On the Configure Attribute Flow page, click Next.

  11. On the Configure Deprovisioning page, click Next.

  12. On the Configure Extensions page, click Finish.

Creating the Fabrikam FIMMA

The Fabrikam FIMMA is a FIM Service Management Agent. To create this management agent, you use the Create Management Agent Wizard.

To create the FIM management agent, you need a dedicated user account to run it. This account must be the same as the FIM MA account that you specified during the installation of FIM 2010.

Important

If your server running FIM 2010 R2 is also a domain controller, the account that you use must have the right to log on locally. For more information, see Grant a Member the Right to Log On Locally (https://go.microsoft.com/fwlink/?LinkID=182205). For more details about the FIM 2010 management agent account, see How Can I Manage my FIM MA Account (https://go.microsoft.com/fwlink/?LinkId=189672).

To create the Fabrikam FIMMA

  1. Open Synchronization Service Manager and, on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following configuration settings, and then click Next:

    • Management agent for: FIM 2010 R2 Service Management Agent

    • Name: Fabrikam FIMMA

  4. On the Connect to Database page, provide the following configuration settings, and then click Next:

    • Server: localhost

    • Database: FIMService

    • FIM Service base address: https://localhost:5725

    • Authentication mode: Windows-integrated authentication

    • User name: <the FIM MA account's user name>

    • Password: <the FIM MA account's password>

    • Domain: fabrikam

  5. On the Selected Object Types page, verify that the following object types are selected, and then click Next:

    • DetectedRuleEntry

    • ExpectedRuleEntry

    • Person

    • SynchronizationRule

  6. On the Selected Attributes page, click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Object Type Mappings, add the following mapping, and then click Next:

    1. In the Data Source Object Type list, select Person.

    2. To open the Mapping dialog box, click Add Mapping.

    3. In the Metaverse object type list, select person.

    4. To close the Mapping dialog box, click OK.

  9. On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:

    Data source attribute    Metaverse attribute

    AccountName              accountName
    DetectedRulesList        detectedRulesList
    DisplayName              displayName
    Domain                   domain
    FirstName                firstName
    LastName                 lastName
    ObjectSID                objectSid

    1. Select Person as Data source object type.

    2. Select person as Metaverse object type.

    3. Select Direct as Mapping Type.

    4. Select Import as Flow Direction.

    5. For each row in the previous table, complete the following steps:

      1. Select the Data source attribute for that row in the table.

      2. Select the metaverse attribute for that row in the table.

      3. To apply the flow mapping, click New.

  10. On the Configure Deprovisioning page, click Next.

  11. To create the management agent, on the Configure Extensions page, click Finish.

Creating the run profiles

This section lists the steps for configuring the scenario run profiles. For the scenario outlined in this document, you configure run profiles for the Fabrikam ADMA and the Fabrikam FIMMA.

Creating run profiles for the Fabrikam ADMA

The following table lists the run profiles for the Fabrikam ADMA:

Profile     Run profile name        Step type

Profile 1   Full import             Full import (Stage only)
Profile 2   Full synchronization    Full synchronization
Profile 3   Delta import            Delta import
Profile 4   Delta synchronization   Delta synchronization

To configure the run profiles for the Fabrikam ADMA

  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam ADMA.

  3. For each row in the previous table, perform the following steps:

    1. To open the Configure Run Profiles for Fabrikam ADMA dialog box, on the Actions menu, click Configure Run Profiles.

    2. To open the Configure Run Profile dialog box, click New Profile.

    3. On the Profile Name page, in the Name box, type the run profile name shown for that row in the table, and then click Next.

    4. On the Configure Step page, select the Type shown for that row in the table, and then click Next.

    5. On the Management Agent Configuration page, click Finish to create the run profile.

Creating run profiles for the Fabrikam FIMMA

The following table lists the run profiles for the Fabrikam FIMMA:

Profile     Run profile name        Step type

Profile 1   Full import             Full import (Stage only)
Profile 2   Full synchronization    Full synchronization
Profile 3   Delta import            Delta import (Stage only)
Profile 4   Delta synchronization   Delta synchronization
Profile 5   Export                  Export

To configure the run profiles for the Fabrikam FIMMA

  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam FIMMA.

  3. For each row in the previous table, perform the following steps:

    1. To open the Configure Run Profiles for Fabrikam FIMMA dialog box, on the Actions menu, click Configure Run Profiles.

    2. To open the Configure Run Profile dialog box, click New Profile.

    3. On the Profile Name page, in the Name box, type the run profile name shown for that row in the table, and then click Next.

    4. On the Configure Step page, select the Type shown for that row in the table, and then click Next.

    5. To create the run profile, on the Management Agent Configuration page, click Finish.

Creating the synchronization rules

In this section, you find instructions for creating the two scenario synchronization rules:

  • Active Directory User Inbound Synchronization Rule

  • Is Enabled User Outbound Synchronization Rule

The following sections provide detailed instructions for creating these synchronization rules.

Creating the Active Directory User Inbound Synchronization Rule

The objective of the Active Directory User Inbound Synchronization Rule is to populate the sample users for the scenario in this document.

The following table summarizes the synchronization rule configuration for the scenario in this document.

Synchronization Rule

To create the Active Directory User Inbound Synchronization Rule

  1. To open the FIM 2010 R2 Portal, start Windows Internet Explorer®, and then go to https://localhost/identitymanagement/default.aspx.

  2. To open the Synchronization Rules page, in the Administration bar, click Synchronization Rules.

  3. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory User Inbound Synchronization Rule

    • Data Flow Direction: Inbound

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: person

  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

    2. Create Resource in FIM: selected

  7. On the Workflow Parameters tab, click Next.

  8. On the Inbound Attribute Flow tab, provide the following information, and then click Next:

    Source            Destination

    givenName         firstName
    sAMAccountName    accountName
    sn                lastName
    objectSid         objectSid

    1. For each row in the previous table, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To set the displayName attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select givenName.

      3. Click Concatenate Value.

      4. In the attributes list, select String.

      5. In the box, type a space.

      6. Click Concatenate Value.

      7. In the attributes list, select sn.

      8. On the Destination tab, in the attributes list, select displayName.

      9. To apply the attribute flow configuration, click OK.

    3. To set the userAccountControl attribute, perform the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, in the attributes list, select CustomExpression.

      3. In the box, type the following text: IIF(Eq(BitOr(userAccountControl,2),userAccountControl),0,userAccountControl)

      4. On the Destination tab, select userAccountControl.

      5. To apply the attribute flow configuration, click OK.

  9. To open the Summary tab, click Finish.

  10. On the Summary tab, click Submit.

Creating the Is Enabled User Outbound Synchronization Rule

The objective of the Is Enabled User Outbound Synchronization Rule is to contribute the outbound attribute flow mapping that is required for the existence test.

The following table summarizes the synchronization rule configuration for the scenario in this document.

Synchronization Rule

To create the Is Enabled User Outbound Synchronization Rule

  1. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  2. On the General tab, provide the following information, and then click Next:

    • Display Name: Is Enabled User Outbound Synchronization Rule

    • Data Flow Direction: Outbound

  3. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: person

  4. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): accountName

      • ConnectedSystemObject:person(Attribute): sAMAccountName

    2. Create Resource in FIM: selected

  5. On the Workflow Parameters tab, click Next.

  6. On the Outbound Attribute Flow tab, provide the following information, and then click Next:

    1. To open the Flow Definition dialog box, click New Attribute Flow.

    2. On the Source tab, select userAccountControl.

    3. On the Destination tab, select userAccountControl.

    4. To apply the attribute flow configuration, click OK.

    5. On the newly created attribute flow mapping, select Use as Existence Test.

  7. To move to the summary page, click Finish.

  8. On the Summary tab, click Submit.

Creating the sets

In this section, you create the required sets. The objective of these sets is to group all enabled AD DS users. The first set is a collection of all Detected Rule Entry objects with a reference to the Is Enabled User Outbound Synchronization Rule. The second set is a collection of all user resources that contain at least one DetectedRulesList entry that points to one of the objects in the first set.

Creating the All Enabled ADDS Users DREs set

The objective of the All Enabled ADDS Users DREs set is to group all Detected Rules Entries for the Is Enabled User Outbound Synchronization Rule.

The following table summarizes the set configuration for the scenario in this document.

Filter Statement

To create the All Enabled ADDS Users DREs set

  1. On the FIM 2010 R2 Portal home page, in the Management Policy Rules section of the navigation bar, click Sets to open the Sets page.

  2. To open the Create Set wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: All Enabled ADDS Users DREs

  4. On the Criteria-based Members tab, provide the following information, and then click Next:

    • In the filter statement, click all resources, and then select detected rule entry.

    • Click Add Statement.

    • Click <Click to select attribute>, and then select Synchronization Rule ID.

    • Click <Click to select value>, to open the Select Resource dialog box.

    • From the Search within list, select All Sync Rules.

    • Click Search for.

    • Select Is Enabled User Outbound Synchronization Rule, and then click OK.

  5. To open the Summary tab, click Finish.

  6. On the Summary tab, click Submit.

  7. To open the set’s properties, click All Enabled ADDS Users DREs.

  8. Click Advanced View.

  9. Write down the Resource ID attribute. This GUID is required for the filter statement of the All Enabled ADDS Users set.

  10. To close the Properties dialog box, click Cancel.

Creating the All Enabled ADDS Users set

The objective of the All Enabled ADDS Users set is to track the users with an associated DRE object that points to the Is Enabled User Outbound Synchronization Rule.

To configure this set, it is necessary to manually update the set’s filter statement.

The related filter statement groups all users with a DetectedRulesList attribute that has a reference to one of the DetectedRuleEntry objects of the set you have created in the previous section. The following code block outlines the structure of the related statement.

/Person[DetectedRulesList = Set[ObjectID='226dbba2-e406-4780-a8c2-6e5cc6ce8912']/ComputedMember]

Important

You need to replace the GUID in the filter statement with the actual GUID of the set in your environment.

To create the All Enabled ADDS Users set

  1. On the FIM 2010 R2 Portal home page, in the Management Policy Rules section of the navigation bar, click Sets to open the Sets page.

  2. To open the Create Set wizard, on the toolbar, click New.

  3. On the General tab, provide the following information, and then click Next:

    • Display Name: All Enabled ADDS Users

  4. On the Criteria-based Members tab, provide the following information, and then click Next:

    • In the filter statement, click all resources and then select person.

    • Click Add Statement.

    • Click <Click to select attribute>, and then select Detected Rules List.

    • Click <Click to select value>, to open the Select Resource dialog box.

    • Click Search for.

    • Select one object, and then click OK.

      Note

      There is no need to select a specific object for this step.

  5. To open the Summary tab, click Finish.

  6. On the Summary tab, click Submit.

  7. To open the set’s properties, click All Enabled ADDS Users.

  8. Click Advanced View.

  9. Click the Extended Attributes tab.

  10. Update the configured filter with the following statement: /Person[DetectedRulesList = Set[ObjectID='226dbba2-e406-4780-a8c2-6e5cc6ce8912']/ComputedMember]

    Important

    The GUID in the filter statement must be the GUID of the All Enabled ADDS Users DREs set in your environment!

  11. To close the Properties dialog box, click OK.

  12. To submit your updated set definition, click Submit.
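The following Python script is an added illustration; it is not part of this document and not FIM code. It emulates, in plain Python, the path from the inbound custom expression IIF(Eq(BitOr(userAccountControl,2),userAccountControl),0,userAccountControl) of the Active Directory User Inbound Synchronization Rule, through the existence test of the Is Enabled User Outbound Synchronization Rule, to the two set filters created above. The synchronization rule identifier, the DRE identifiers, and the sample accounts are constructed for the example; in your environment the ObjectIDs come from the FIM Service. A third, enabled account with an additional userAccountControl flag is included to show that flags other than ACCOUNTDISABLE do not affect the result.

```python
"""Emulation of the expected state detection logic in this scenario.

Added example, not FIM code: re-implements what the synchronization engine does
with the inbound custom expression on userAccountControl, the outbound existence
test, and the two set filters. Identifiers and sample users are constructed.
"""

ACCOUNTDISABLE = 0x0002        # userAccountControl bit tested by BitOr(...,2)
NORMAL_ACCOUNT = 0x0200
DONT_EXPIRE_PASSWD = 0x10000

# Constructed identifier standing in for the ObjectID of the
# "Is Enabled User Outbound Synchronization Rule" resource.
IS_ENABLED_RULE_ID = "sr-is-enabled-user-outbound"


def inbound_uac(cs_uac):
    """IIF(Eq(BitOr(userAccountControl,2),userAccountControl),0,userAccountControl).

    BitOr(uac, 2) == uac holds exactly when the ACCOUNTDISABLE bit is already
    set, so a disabled account flows 0 into the metaverse and an enabled
    account flows its real userAccountControl value unchanged.
    """
    return 0 if (cs_uac | ACCOUNTDISABLE) == cs_uac else cs_uac


def existence_test(mv_uac, cs_uac):
    """Outbound flow userAccountControl -> userAccountControl, 'Use as Existence Test'.

    Positive when the value the rule would export equals the value already
    staged in the AD DS connector space. For a disabled account the metaverse
    holds 0, which never matches a real AD DS value, so the test is negative.
    """
    return mv_uac == cs_uac


def synchronize(ad_users, rule_id=IS_ENABLED_RULE_ID):
    """One full synchronization pass over staged AD DS users.

    Returns the projected person objects and the Detected Rule Entry (DRE)
    objects created for each positive existence test. The person's
    detectedRulesList references the DRE; the DRE references the rule.
    """
    persons, dres = [], []
    for user in ad_users:
        mv_uac = inbound_uac(user["userAccountControl"])
        person = {"accountName": user["sAMAccountName"],
                  "userAccountControl": mv_uac,
                  "detectedRulesList": []}
        if existence_test(mv_uac, user["userAccountControl"]):
            dre = {"ObjectID": "dre-" + user["sAMAccountName"],   # constructed id
                   "SynchronizationRule": rule_id}
            dres.append(dre)
            person["detectedRulesList"].append(dre["ObjectID"])
        persons.append(person)
    return persons, dres


def dre_set_members(dres, rule_id=IS_ENABLED_RULE_ID):
    """All Enabled ADDS Users DREs: /DetectedRuleEntry[SynchronizationRule='<rule>']."""
    return {d["ObjectID"] for d in dres if d["SynchronizationRule"] == rule_id}


def enabled_user_members(persons, dre_set_computed_members):
    """All Enabled ADDS Users:
    /Person[DetectedRulesList = Set[ObjectID='<DREs set>']/ComputedMember].

    A person is a member when at least one DetectedRulesList reference is a
    computed member of the DREs set, which is why that set must exist first.
    """
    return sorted(p["accountName"] for p in persons
                  if set(p["detectedRulesList"]) & dre_set_computed_members)


# Constructed staging data: the two scenario users plus one extra enabled
# account carrying another flag, to show that only bit 2 decides the outcome.
SAMPLE_AD_USERS = [
    {"sAMAccountName": "jbischoff", "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE},
    {"sAMAccountName": "bsimon", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "svc-report", "userAccountControl": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD},
]


def run_scenario(ad_users=SAMPLE_AD_USERS):
    """Full pass: synchronize, evaluate the DREs set, then the users set."""
    persons, dres = synchronize(ad_users)
    return enabled_user_members(persons, dre_set_members(dres))


if __name__ == "__main__":
    print(run_scenario())  # ['bsimon', 'svc-report']
```

Two points the emulation makes visible: the existence test is evaluated against whatever is staged in the AD DS connector space, so an account that is disabled in AD DS stays in the All Enabled ADDS Users set until the next import and synchronization run re-evaluates it; and the second set resolves the computed members of the first, so the DREs set has to be created (and its GUID copied into the filter) before the users set can ever have members.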

Enabling Synchronization Rule Provisioning

To enable the configured synchronization rules during a synchronization run, you must enable synchronization rule processing in the Synchronization Service Manager.

To enable Synchronization Rule Provisioning

  1. Open Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Initializing the Scenario

The initialization of your scenario consists of the following steps:

  1. Importing data from the FIM 2010 R2 Service database

  2. Initializing the FIM 2010 R2 Synchronization service

  3. Exporting to the FIM 2010 R2 Service database

  4. Confirming the FIM 2010 R2 Service database

Importing data from the FIM Service database

The objective of the full import is to bring the already existing objects, including the newly created synchronization rules, into the connector space of the Fabrikam FIMMA. After successfully performing a full import on the Fabrikam FIMMA, the synchronization statistics report four added objects. The following illustration shows the synchronization statistics for a full import run.

Synchronization Statistics

To import data from the FIM Service database

  1. On the Tools menu, click Management Agents.

  2. In the Name column, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, in the Actions menu, click Run.

  4. In the Run profiles list, select Full Import, and then click OK.

By using a connector space search, you can examine the properties of the new objects. In addition to the two synchronization rules, you find two Person objects. These are representations of the Built-in Synchronization Account and the account that you used to install FIM 2010.

The following image shows the result of a connector space search on the Fabrikam FIMMA.

Connector Space Search

To run a connector space search on the Fabrikam FIMMA

  1. To open the Search Connector Space dialog box, in the Actions menu, click Search Connector Space.

  2. To retrieve a list of the available connector space objects, click Search.

Initializing the FIM Synchronization Service

A full synchronization run is always required after a synchronization rule has been created or updated, because the synchronization engine reads the rules from the Fabrikam FIMMA connector space. By design, each FIM Service management agent has preconfigured projection rules. During the initial full synchronization run, the staged connector space objects are projected into the metaverse. The preconfigured export attribute flow rule stages the metaverse object ID for export to the Fabrikam FIMMA connector space. The following illustration shows the synchronization statistics for a full synchronization run.

Synchronization Statistics

To initialize the FIM Synchronization Service

  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Full Synchronization, and then click OK.

By using a metaverse search, you can examine the properties of the newly projected objects.

  1. On the Tools menu, click Metaverse Search.

  2. If necessary, adjust the column settings by selecting the Column Settings link.

  3. To search the metaverse, click Search.

  4. To open the Metaverse Object Properties dialog box, in the Search Results list, select Is Enabled User Outbound Synchronization Rule, and then, on the Actions menu, click Properties.

Exporting data to the FIM Service database

As a result of the FIM 2010 R2 Service database initialization, updates have been staged to the connector space of the FIM 2010 R2 management agent. These pending exports must be pushed out to the FIM 2010 R2 Service database. The following illustration shows the synchronization statistics of a successful export run.

To export data to the FIM Service database

  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Export, and then click OK.

Confirming the FIM Service database

To complete the initialization sequence, you run a delta import on your Fabrikam FIMMA. The delta import is required to confirm the exported data in the connector space. The following illustration shows the synchronization statistics of a successful confirming import run.

To confirm the FIM Service database

  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. In the Run profiles list, select Delta Import, and then click OK.

Note

At this point, your scenario is fully initialized.

Testing the Scenario

The goal of the scenario in this document is to detect which of two sample users created in AD DS is enabled, and to confirm that a Detected Rule Entry is created only for that user. The complete cycle consists of the following building blocks:

  1. Creating the scenario users

  2. Staging the scenario users

  3. Synchronizing the scenario users

  4. Exporting the scenario users

The following sections provide instructions for each building block.

Creating the scenario users

In this section, you create the test users for this scenario in AD DS. To test the expected state detection process, you need one enabled and one disabled test user.

The following illustration shows an example of this.

Active Directory Users and Computers

The scenario users have the attribute settings in the following table.

Attribute User1 User2

First name

Jimmy

Britta

Last name

Bischoff

Simon

Full name

Jimmy Bischoff

Britta Simon

User logon name

jbischoff

bsimon

To create the scenario users

  1. To open the Active Directory Users and Computers snap-in, on the Start menu, click Run, and then type dsa.msc.

  2. For each user in the previous table, perform the following steps:

    1. To open the New Object – User dialog box, on the Action menu, point to New, and then click User.

    2. For the First name, Last name, Full name and User logon name attributes, provide the values shown in the previous table, and then click Next.

    3. In the Password and Confirm password boxes, type P@$$w0rd.

    4. For the user Jimmy Bischoff, select Account is disabled. Leave this check box cleared for Britta Simon.

    5. Click Next.

    6. To create the new user, click Finish.

Staging the scenario users

As a first step, your newly created scenario users need to be staged in the AD DS connector space.

After running a full import on your Fabrikam ADMA, the synchronization statistics report four Adds.

The following illustration shows an example of this.

Synchronization Statistics

To stage the scenario users

  1. Open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam ADMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. From the Run profiles list, select Full Import.

  5. To start the Run profile, click OK.

Synchronizing the scenario users

As a second step, your staged scenario users need to be synchronized inside the FIM 2010 R2 synchronization service.

After running a full synchronization on your Fabrikam ADMA, the synchronization statistics report two new projections. These are your two sample users.

On the outbound synchronization side, three Provisioning Adds are reported. Two of these objects are your sample users, which are provisioned into the Fabrikam FIMMA connector space because Create Resource in FIM is selected in the inbound synchronization rule. The third object is a Detected Rule Entry (DRE) object that the synchronization engine created for Britta Simon as the result of a positive existence test; no DRE is created for the disabled account of Jimmy Bischoff.

The following illustration shows an example for this.

Synchronization Statistics

To synchronize the scenario users

  1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  2. From the Run profiles list, select Full Synchronization.

  3. To start the run profile, click OK.

By using a metaverse search, you can examine the effect of a positive existence test. If an existence test was positive, the detectedRulesList attribute of the affected object is updated with a reference to a newly created Detected Rule Entry (DRE) object. The DRE object has a reference to the synchronization rule with the positive existence test. The name of the DRE object is DRE for Is Enabled User Outbound Synchronization Rule.

The following illustration shows an example of this.

Metaverse Object Properties

To run a metaverse search

  1. On the Tools menu, click Metaverse Search.

  2. If necessary, adjust the column settings by selecting the Column Settings link to display the columns that interest you.

  3. To search the metaverse, click Search.

  4. To open the Metaverse Object Properties dialog box, in the Search Results list, select Britta Simon, and then, on the Actions menu, click Properties.

For a positive existence test, the synchronization rule creates a DRE object and updates the DRL attribute of the affected object. To make this information available in the FIM 2010 R2 Portal, the DRE object needs to be pushed out to the FIM 2010 R2 Service, and an outbound flow mapping for the DRL attribute is required on the affected resources. To verify that your system is configured correctly, perform a connector space search on the FIM 2010 R2 connector space. The search should show an updated DetectedRulesList attribute on the affected object in the FIM 2010 R2 connector space.

The following illustration shows an example of this.

Connector Space Object Properties

To run a connector space search on the Fabrikam FIMMA

  1. To open the Search Connector Space dialog box, in the Actions menu, click Search Connector Space.

  2. To retrieve a list of the available connector space objects, click Search.

  3. To display the properties of an object, select the object, and then click Properties.

Exporting the scenario users

To complete the synchronization cycle, the scenario users need to be exported into the FIM 2010 R2 Service.

At the end of a successful export run, your sample users appear in the Users section of the FIM 2010 R2 Portal.

The following illustration shows an example of this.

Users

To stage the scenario users

  1. Open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam ADMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. From the Run profiles list, select Full Import.

  5. To start the run profile, click OK.

The last step of this scenario is a verification of whether the ESD process has created the expected results. In this scenario, Britta Simon is supposed to be a member of the All Enabled ADDS Users set. As a prerequisite for this, the DRE object called DRE for Is Enabled Outbound Synchronization Rule should appear as a member in the All Enabled ADDS Users DREs set.

The following illustration shows an example of this.

Filter Definition

To verify the members of the All Enabled ADDS Users DREs set

  1. To open the Sets page, in the Management Policy Rules section on the navigation bar of the FIM 2010 R2 Portal, click Sets.

  2. To display the configured sets, click Search for.

  3. To open the Set property dialog box, select the All Enabled ADDS Users DREs set.

  4. Select the Criteria-based Members tab.

  5. To display the members, click View Members.

If the prerequisite is fulfilled, verify that Britta Simon appears as a member of the All Enabled ADDS Users set.

The following illustration shows an example of this.

Filter Definition

Note

When displaying the properties of this set, FIM 2010 R2 indicates that it cannot render the configured filter. This is because the filter was modified outside the Filter Builder. You can ignore the warning.

To verify the members of the All Enabled ADDS Users set

  1. To open the Sets page, in the Management Policy Rules section on the navigation bar of the FIM 2010 R2 Portal, click Sets.

  2. To display the configured sets, click Search for.

  3. To open the Set property dialog box, select the All Enabled ADDS Users set.

  4. Select the Criteria-based Members tab.

  5. To display the members, click View Members.
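The chain this scenario walks through in the user interface (a positive existence test creates a DRE, the affected object's DRL gets a reference to it, the extra Provisioning Add appears in the statistics, and the two nested criteria-based sets resolve to the DRE and then to Britta Simon) can be followed end to end in a small model. The following is an added illustration, not FIM code or a script from this guide: it assumes a metaverse attribute named accountEnabled standing in for whatever your ADMA flows from userAccountControl, and it models sets as plain filter functions rather than XPath.

```python
"""Simplified model of FIM 2010 expected state detection (ESD).

Constructed illustration, not FIM code. Metaverse objects carry an
attribute dictionary; a synchronization rule carries an existence test
(attribute/value conditions). A positive existence test creates a
Detected Rule Entry (DRE) that references the rule, and the object's
detectedRulesList (DRL) is updated with a reference to that DRE. Sets
are then evaluated as criteria-based filters, in the same way the
portal evaluates "All Enabled ADDS Users DREs" and "All Enabled ADDS Users".
"""
from dataclasses import dataclass, field


@dataclass
class SyncRule:
    name: str
    existence_test: dict  # attribute name -> value the object must carry


@dataclass(eq=False)  # eq=False: every DRE is a distinct resource, as in FIM
class DRE:
    name: str
    rule: str  # reference to the synchronization rule, by name


@dataclass
class MVObject:
    display_name: str
    attributes: dict
    detected_rules_list: list = field(default_factory=list)  # the DRL attribute


def existence_test_passes(rule: SyncRule, obj: MVObject) -> bool:
    """True when every condition of the rule's existence test matches the object."""
    return all(obj.attributes.get(attr) == value
               for attr, value in rule.existence_test.items())


def synchronize(rules: list, objects: list) -> list:
    """Run every rule's existence test against every object.

    A positive test creates one DRE and appends it to the object's DRL.
    Returns the DREs created; in the lab these are the Provisioning Adds
    reported on top of the projected users.
    """
    created = []
    for obj in objects:
        for rule in rules:
            if existence_test_passes(rule, obj):
                dre = DRE(name=f"DRE for {rule.name}", rule=rule.name)
                obj.detected_rules_list.append(dre)
                created.append(dre)
    return created


def dre_set(dres: list, rule_name: str) -> list:
    """Criteria-based set of DREs that reference the given synchronization
    rule (the "All Enabled ADDS Users DREs" set)."""
    return [d for d in dres if d.rule == rule_name]


def user_set(objects: list, dre_members: list) -> list:
    """Criteria-based set of users whose DRL references a member of the DRE
    set (the "All Enabled ADDS Users" set; this nested filter is the kind
    the Filter Builder cannot render)."""
    return [o for o in objects
            if any(d in dre_members for d in o.detected_rules_list)]


def provisioning_adds(objects: list, created: list) -> int:
    """Outbound Provisioning Adds = projected users + DREs created."""
    return len(objects) + len(created)


RULE_NAME = "Is Enabled User Outbound Synchronization Rule"


def build_scenario():
    """Constructed lab data. 'accountEnabled' is an assumed attribute name."""
    rules = [SyncRule(RULE_NAME, {"accountEnabled": True})]
    objects = [
        MVObject("Britta Simon", {"accountEnabled": True}),
        MVObject("Jimmy Bischoff", {"accountEnabled": False}),  # created disabled
    ]
    return rules, objects


if __name__ == "__main__":
    rules, objects = build_scenario()
    created = synchronize(rules, objects)
    print("Provisioning Adds:", provisioning_adds(objects, created))
    dres = dre_set(created, RULE_NAME)
    print("DRE set members:", [d.name for d in dres])
    print("User set members:", [o.display_name for o in user_set(objects, dres)])
```

Running the model reproduces the numbers the scenario expects: three Provisioning Adds (two users plus one DRE), one DRE in the DREs set, and only Britta Simon in the user set, because Jimmy Bischoff's disabled account never passes the existence test and so never receives a DRL reference.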