Step 5: Create the Initial Environment

Creating the initial environment consists of creating a test OU and two test users in Active Directory, creating a SQL database and table, and then populating the SQL table.

  • Create the ECMA2 OU in Active Directory

  • Create Test Users

  • Add employeeID and mail attribute values to test users.

  • Create and Populate the CONTOSO Database

  • Add CORP\FIMSyncService to the CONTOSO database.

  • Add CORP\FIMSyncService to the CONTOSO Domain Admins group

  • Restart the Forefront Identity Manager Synchronization Service

Create the ECMA2 OU in Active Directory

In this step we will be creating one OU. This OU will be used to contain our Active Directory test users.

To Create the ECMA2 OU in Active Directory

  1. Log on to DC1 as corp\Administrator.

  2. Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.

  3. In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.

  4. In the Name text box, type the following text, and then click OK:
    ECMA2

  5. Close Active Directory Users and Computers.

[Screenshot: ECMA2 OU]

Table 5 - Required Accounts

First Name | Last Name | User logon name | Display name  | Forest           | Password
-----------|-----------|-----------------|---------------|------------------|-----------
Britta     | Simon     | bsimon          | Britta Simon  | corp.contoso.com | Pass1word$
Lola       | Jacobson  | ljacobson       | Lola Jacobson | corp.contoso.com | Pass1word$

To create the test user accounts

  1. Still on DC1, in Active Directory Users and Computers, right-click ECMA2, select New and then select User. This will bring up the New Object – User window.

  2. On the New Object – User screen, in the First Name box, enter Britta.

  3. On the New Object – User screen, in the Last Name box, enter Simon.

  4. On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.

  5. On the New Object – User screen, in the Password box, enter Pass1word$.

  6. On the New Object – User screen, in the Confirm Password box, enter Pass1word$.

  7. On the New Object – User screen, remove the check from User must change password at next logon.

  8. On the New Object – User screen, add a check to Password never expires and click Next.

  9. Click Finish.

  10. Repeat these steps for all of the accounts listed in Table 5 (Required Accounts).

Add employeeID and mail attribute values to test users.

In this step we will add some values to the employeeID and mail attributes of the users we just created.

To add employeeID and mail attribute values to test users.

  1. Log on to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click ADSI Edit. This will bring up ADSI Edit.

  3. At the top, right-click ADSI Edit and select Connect to. This will bring up the Connection Settings box. Leave the defaults and click OK.

  4. On the right, expand Default Naming Context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com, and then select OU=ECMA2.

  5. In the center, right-click CN=Britta Simon and select Properties. This will bring up CN=Britta Simon Properties.

  6. Scroll through the list of attributes and double-click employeeID. This will bring up the String Attribute Editor.

  7. In the box, under Value:, type the following text, and then click Add:
    100

    [Screenshot: EmployeeID]

  8. Click OK.

  9. Scroll through the list of attributes and double-click mail. This will bring up the String Attribute Editor.

  10. In the box, under Value:, type the following text, and then click Add:
    bsimon@corp.contoso.com

  11. Click OK. Click Apply. Click OK.

  12. In the center, right-click CN=Lola Jacobson and select Properties. This will bring up CN=Lola Jacobson Properties.

  13. Scroll through the list of attributes and double-click employeeID. This will bring up the String Attribute Editor.

  14. In the box, under Value:, type the following text, and then click Add:
    101

  15. Click OK.

  16. Scroll through the list of attributes and double-click mail. This will bring up the String Attribute Editor.

  17. In the box, under Value:, type the following text, and then click Add:
    ljacobson@corp.contoso.com

  18. Click OK. Click Apply. Click OK.

  19. Close ADSI Edit.
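The OU, user and attribute steps above can also be scripted. The following is an added example, not part of the test lab guide, that uses the ActiveDirectory PowerShell module (assumed to be available on DC1 through the AD DS role or RSAT) to create the ECMA2 OU, the two accounts from Table 5 with the same password options as steps 7 and 8, and the employeeID and mail values set with ADSI Edit. The domain DN and UPN suffix are read from the domain the DC belongs to rather than hard-coded, and the password is prompted for instead of being embedded in the script.

```powershell
# Added example (not from the guide): scripts the ECMA2 OU, the two test users
# and their employeeID / mail attributes. Run on DC1 as corp\Administrator.
Import-Module ActiveDirectory

# Read the domain DN and DNS name from the directory instead of hard-coding them.
$domain    = Get-ADDomain
$domainDn  = $domain.DistinguishedName
$upnSuffix = $domain.DNSRoot
$ouDn      = "OU=ECMA2,$domainDn"

# Create the ECMA2 OU directly under the domain root if it is not already there.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq 'ECMA2'" -SearchBase $domainDn -SearchScope OneLevel)) {
    New-ADOrganizationalUnit -Name 'ECMA2' -Path $domainDn
}

# Prompt for the lab password rather than storing it in the script
# (Table 5 lists Pass1word$ for both accounts).
$password = Read-Host -AsSecureString -Prompt 'Password for the test users'

# Accounts from Table 5, plus the employeeID values from the ADSI Edit steps.
$testUsers = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    EmployeeId = '100' },
    @{ First = 'Lola';   Last = 'Jacobson'; Logon = 'ljacobson'; EmployeeId = '101' }
)

foreach ($u in $testUsers) {
    $displayName = "$($u.First) $($u.Last)"
    $mail        = "$($u.Logon)@$upnSuffix"      # e.g. bsimon@corp.contoso.com

    if (Get-ADUser -Filter "sAMAccountName -eq '$($u.Logon)'") {
        Write-Warning "$($u.Logon) already exists; skipping"
        continue
    }

    # -ChangePasswordAtLogon $false and -PasswordNeverExpires $true mirror steps 7 and 8;
    # -EmailAddress writes the mail attribute, -OtherAttributes writes employeeID.
    New-ADUser -Name $displayName `
               -GivenName $u.First -Surname $u.Last -DisplayName $displayName `
               -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@$upnSuffix" `
               -Path $ouDn -AccountPassword $password -Enabled $true `
               -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
               -EmailAddress $mail -OtherAttributes @{ employeeID = $u.EmployeeId }
}

# Verify: list the users in the OU with the attributes the connector will read.
Get-ADUser -Filter * -SearchBase $ouDn -Properties employeeID, mail, PasswordNeverExpires |
    Select-Object Name, SamAccountName, employeeID, mail, PasswordNeverExpires
```

The final query is the check worth keeping: it confirms both the employeeID and mail values and the password policy flags landed on the right objects before the connector is configured against them.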

Create and Populate the CONTOSO Database

In this step we will be creating and populating the CONTOSO database in SQL Server. This database will be used to simulate an HR database. A full copy of all the T-SQL is available in Appendix A: SQL Database Scripts.

To create and populate the CONTOSO database

  1. Log on to APP1 as corp\Administrator.

  2. Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.

  3. On the Connect to Server dialog box, under Server Type, select Database Engine.

  4. On the Connect to Server dialog box, under Server name, select APP1.

  5. On the Connect to Server dialog box, under Authentication, select Windows Authentication.

  6. Click Connect. This should be successful and the database information will be displayed on the left.

  7. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  8. Copy the following code into the center pane.

    USE [master]
    GO
    
    /****** Object:  Database [CONTOSO]    Script Date: 10/05/2011 04:40:17 ******/
    CREATE DATABASE [CONTOSO] ON  PRIMARY 
    ( NAME = N'CONTOSO', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\CONTOSO.mdf' , SIZE = 2048KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
     LOG ON 
    ( NAME = N'CONTOSO_log', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\DATA\CONTOSO_log.ldf' , SIZE = 1024KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
    GO
    
    ALTER DATABASE [CONTOSO] SET COMPATIBILITY_LEVEL = 100
    GO
    
    IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))
    begin
    EXEC [CONTOSO].[dbo].[sp_fulltext_database] @action = 'enable'
    end
    GO
    
    ALTER DATABASE [CONTOSO] SET ANSI_NULL_DEFAULT OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET ANSI_NULLS OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET ANSI_PADDING OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET ANSI_WARNINGS OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET ARITHABORT OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET AUTO_CLOSE OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET AUTO_CREATE_STATISTICS ON 
    GO
    
    ALTER DATABASE [CONTOSO] SET AUTO_SHRINK OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET AUTO_UPDATE_STATISTICS ON 
    GO
    
    ALTER DATABASE [CONTOSO] SET CURSOR_CLOSE_ON_COMMIT OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET CURSOR_DEFAULT  GLOBAL 
    GO
    
    ALTER DATABASE [CONTOSO] SET CONCAT_NULL_YIELDS_NULL OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET NUMERIC_ROUNDABORT OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET QUOTED_IDENTIFIER OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET RECURSIVE_TRIGGERS OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET  DISABLE_BROKER 
    GO
    
    ALTER DATABASE [CONTOSO] SET AUTO_UPDATE_STATISTICS_ASYNC OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET DATE_CORRELATION_OPTIMIZATION OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET TRUSTWORTHY OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET ALLOW_SNAPSHOT_ISOLATION OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET PARAMETERIZATION SIMPLE 
    GO
    
    ALTER DATABASE [CONTOSO] SET READ_COMMITTED_SNAPSHOT OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET HONOR_BROKER_PRIORITY OFF 
    GO
    
    ALTER DATABASE [CONTOSO] SET  READ_WRITE 
    GO
    
    ALTER DATABASE [CONTOSO] SET RECOVERY FULL 
    GO
    
    ALTER DATABASE [CONTOSO] SET  MULTI_USER 
    GO
    
    ALTER DATABASE [CONTOSO] SET PAGE_VERIFY CHECKSUM  
    GO
    
    ALTER DATABASE [CONTOSO] SET DB_CHAINING OFF 
    GO
    

    [Screenshot: Create DB]

  9. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

  10. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  11. Copy the following code into the center pane.

    USE [CONTOSO]
    GO
    
    /****** Object:  Table [dbo].[HR]    Script Date: 10/05/2011 04:41:53 ******/
    SET ANSI_NULLS ON
    GO
    
    SET QUOTED_IDENTIFIER ON
    GO
    
    SET ANSI_PADDING ON
    GO
    
    CREATE TABLE [dbo].[HR](
    [FirstName] [char](20) NULL,
    [LastName] [char](30) NULL,
    [EMail] [nchar](30) NULL,
    [EmployeeID] [nchar](10) NULL,
    [FullName] [char](50) NULL,
    [AccountName] [char](20) NULL
    ) ON [PRIMARY]
    
    GO
    
    SET ANSI_PADDING OFF
    GO
    
  12. At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.

  13. At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.

  14. Copy the following code into the center pane.

    USE [CONTOSO]
    GO
    -- Insert the two sample HR rows into the dbo.HR table created in step 11.
    INSERT INTO HR (FirstName, LastName, EMail, EmployeeID, FullName, AccountName) 
    VALUES ('John', 'Smith', 'jsmith@corp.contoso.com', '11255', 'John Smith', 'jsmith') 
    INSERT INTO HR (FirstName, LastName, EMail, EmployeeID, FullName, AccountName) 
    VALUES ('Jane', 'Doe', 'jdoe@corp.contoso.com', '11277', 'Jane Doe', 'jdoe') 
    
  15. At the top, click Execute. This will take a moment and you should see two lines that say (1 row(s) affected) in the lower part of the center pane.

Add CORP\FIMSyncService to the CONTOSO database

Now we will give the FIM Synchronization Service account db_owner permissions on our SQL database. This will allow the service account to make changes to the HR table, including inserts and updates.

To add CORP\FIMSyncService to the CONTOSO database

  1. In SQL Server Management Studio, on the right, expand Security.

  2. Under Security, right-click CORP\FIMSyncService and select Properties. This will bring up the Login Properties for the FIM Synchronization Service account.

  3. On the left, select User Mapping. On the right, place a check next to CONTOSO and, at the bottom, place a check next to db_owner.

  4. Click OK.

  5. Close SQL Server Management Studio.
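The database, table, sample rows and login mapping from the two procedures above can be done from one script. The following is an added example, not part of the guide or its Appendix A, written against System.Data.SqlClient (part of the .NET Framework, so it needs no SQL Server PowerShell module). It assumes it is run on APP1 as corp\Administrator with Windows Authentication, and that the CORP\FIMSyncService server login already exists as the guide's step 2 assumes. It goes one step beyond the guide's T-SQL in one respect: the HR rows are passed as command parameters rather than spliced into the statement text, which is the habit that keeps this kind of loader safe once the values come from a real HR feed instead of literals.

```powershell
# Added example (not from the guide): creates CONTOSO and dbo.HR, inserts the two
# sample rows with parameterized INSERTs, maps the sync service login into the
# database with db_owner, then reads the rows back. Run on APP1 as corp\Administrator.
$conn = New-Object System.Data.SqlClient.SqlConnection('Server=APP1;Database=master;Integrated Security=SSPI')
$conn.Open()

# Small helper: run a statement with optional named parameters, return rows affected.
function Invoke-Tsql {
    param([string]$Sql, [hashtable]$Parameters = @{})
    $cmd = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($p in $Parameters.GetEnumerator()) {
        [void]$cmd.Parameters.AddWithValue("@$($p.Key)", $p.Value)
    }
    return $cmd.ExecuteNonQuery()
}

# 1. Database. File locations are left to the instance defaults here; the guide's
#    script spells out the .mdf/.ldf paths explicitly.
Invoke-Tsql "IF DB_ID('CONTOSO') IS NULL CREATE DATABASE [CONTOSO];"
$conn.ChangeDatabase('CONTOSO')

# 2. HR table with the same columns and types as the guide's CREATE TABLE.
Invoke-Tsql @"
IF OBJECT_ID('dbo.HR') IS NULL
CREATE TABLE dbo.HR (
    FirstName   char(20)  NULL,
    LastName    char(30)  NULL,
    EMail       nchar(30) NULL,
    EmployeeID  nchar(10) NULL,
    FullName    char(50)  NULL,
    AccountName char(20)  NULL
);
"@

# 3. The two rows from step 14, bound as parameters instead of string-concatenated.
$rows = @(
    @{ FirstName='John'; LastName='Smith'; EMail='jsmith@corp.contoso.com'; EmployeeID='11255'; FullName='John Smith'; AccountName='jsmith' },
    @{ FirstName='Jane'; LastName='Doe';   EMail='jdoe@corp.contoso.com';   EmployeeID='11277'; FullName='Jane Doe';   AccountName='jdoe' }
)
foreach ($r in $rows) {
    $n = Invoke-Tsql 'INSERT INTO dbo.HR (FirstName, LastName, EMail, EmployeeID, FullName, AccountName)
                      VALUES (@FirstName, @LastName, @EMail, @EmployeeID, @FullName, @AccountName);' $r
    "$n row(s) affected"
}

# 4. Map the existing server login into CONTOSO and add it to db_owner, as the guide
#    specifies. sp_addrolemember is the SQL Server 2008 R2 form (2012+ also accepts
#    ALTER ROLE db_owner ADD MEMBER ...).
Invoke-Tsql @"
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = 'CORP\FIMSyncService')
    CREATE USER [CORP\FIMSyncService] FOR LOGIN [CORP\FIMSyncService];
EXEC sp_addrolemember 'db_owner', 'CORP\FIMSyncService';
"@

# 5. Read back what the connector will see (RTRIM strips the char() padding).
$cmd = $conn.CreateCommand()
$cmd.CommandText = 'SELECT RTRIM(AccountName) AS AccountName, RTRIM(EmployeeID) AS EmployeeID, RTRIM(EMail) AS EMail FROM dbo.HR'
$reader = $cmd.ExecuteReader()
while ($reader.Read()) {
    '{0,-12} {1,-8} {2}' -f $reader['AccountName'], $reader['EmployeeID'], $reader['EMail']
}
$reader.Close()
$conn.Close()
```

db_owner is what the guide specifies and is convenient for a lab. Since the stated need is only inserts and updates on the HR table, db_datareader plus db_datawriter (or an explicit GRANT on dbo.HR) is the least-privilege alternative to prefer outside the lab, because db_owner also lets the account alter schema and change database options.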

Add CORP\FIMSyncService to the CONTOSO Domain Admins group

For purposes of this test lab, the FIMSyncService account will need permissions to modify, update, and delete objects in Active Directory. To accomplish this, we will add the FIMSyncService account to the Domain Admins group for Contoso.

To add CORP\FIMSyncService to the CONTOSO Domain Admins group

  1. Log on to the DC.corp.fabrikam.com Server as Administrator.

  2. Click Start, select Administrative Tools, and click Active Directory Users and Computers.

  3. In Active Directory Users and Computers, select the Users OU.

  4. In the center, double-click on Domain Admins. This will bring up the Domain Admins properties.

  5. Click on the Members tab.

  6. Click Add. This will bring up the Select Users, Contacts, Computers, Service Accounts, or Groups dialog box.

  7. In the box, enter CORP\FIMSyncService and click Check Names. This should resolve with an underline.

  8. Click OK. Click Apply. Click OK.

Restart the Forefront Identity Manager Synchronization Service

Now we will restart the Forefront Identity Manager Synchronization Service to allow the changes above to take effect.

To restart the Forefront Identity Manager Synchronization Service

  1. Log on to the FIM1.corp.fabrikam.com Server as Administrator.

  2. Click Start, select Administrative Tools, and click Services. This will bring up Services.

  3. Scroll down to Forefront Identity Manager Synchronization Service, right-click and select Restart.

  4. Once this completes, close Services.
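The group change and the service restart in the last two procedures can be scripted together. This is an added example, not from the guide: the Domain Admins change runs on the domain controller with the ActiveDirectory module, and the restart is sent to FIM1 with Invoke-Command, which assumes WinRM remoting is enabled on FIM1 (the guide does this step interactively on FIM1 instead). The service is located by the display name shown in the Services console so that its internal service name is read from the object rather than assumed.

```powershell
# Added example (not from the guide): add CORP\FIMSyncService to Domain Admins,
# show the resulting membership, then restart the sync service on FIM1.
Import-Module ActiveDirectory

$svcAccount = Get-ADUser  -Identity 'FIMSyncService'
$group      = Get-ADGroup -Identity 'Domain Admins'

# Only add if not already a member, so re-running the script is harmless.
$alreadyMember = Get-ADGroupMember -Identity $group |
    Where-Object { $_.distinguishedName -eq $svcAccount.DistinguishedName }
if (-not $alreadyMember) {
    Add-ADGroupMember -Identity $group -Members $svcAccount
}

# Show who is in Domain Admins now; a service account appearing here is
# exactly what a membership review should surface.
Get-ADGroupMember -Identity $group | Select-Object Name, SamAccountName, objectClass

# Restart the sync service on FIM1 (assumes WinRM is enabled there).
Invoke-Command -ComputerName 'FIM1' -ScriptBlock {
    $svc = Get-Service -DisplayName 'Forefront Identity Manager Synchronization Service'
    Restart-Service -InputObject $svc -Force     # -Force also restarts dependent services
    Get-Service -Name $svc.Name | Select-Object Name, Status
}
```

Two practitioner notes on this step. First, adding a member to Domain Admins (a global security group) is recorded on the domain controller as Security event ID 4728, so this is a good point to confirm that event is being collected, because the same event is what you would want to see for an unplanned addition. Second, Domain Admins is the guide's shortcut for a lab; the rights the sync account actually needs are create, modify and delete on user objects in the ECMA2 OU, which in a non-lab environment would be delegated on that OU rather than granted domain-wide.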