Step 6: Configure the Environment
In this section we will configure the environment so that we are able to synchronize Active Directory Users with the FIM Portal.
Create Active Directory Organizational Unit
Move users to our new OU
Set additional Attributes on our Users
Assigning group membership
Create a Distribution Group
Add a member to our Distribution Group
Enable Synchronization Rule Provisioning
Create the AD Management Agent
Create the FIM Management Agent
Create the Run Profiles for the AD MA
Create the Run Profiles for the FIM MA
Enable the Required MPRs
Create the AD Inbound User Synch Rule
Create the Group Synchronization Rule
Creating the AD Group Outbound Workflow
Create the AD Group Outbound MPR
Set Attribute Precedence on Attributes
Initializing the FIM Management Agent
Initializing the AD Management Agent
Create Active Directory Organizational Unit
In this step you will be creating an organizational unit in Active Directory. This OU will be used to contain your FIM objects.
To create Active Directory organizational units
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.contoso.com, select New, and then select Organizational Unit.
In the Name text box, type the following text, and then click OK:
FIMObjects
Move users to our new OU
In this step we will move Britta and Lola into our FIMObjects OU.
To move users to our new OU
In the Active Directory Users and Computers MMC, select the Users OU.
On the right, select Britta Simon and Lola Jacobson using the CTRL key and drag them to the new FIMObjects OU.
On the pop-up window that says moving objects can prevent your existing system from working, click Yes.
Set additional Attributes on our Users
In this step we will set employee ID and employee type on our users.
To set additional attributes on our users
In the Active Directory Users and Computers MMC, select the FIMObjects OU.
Select Britta Simon, right-click and select Properties.
Click the Attribute Editor tab. Ensure that Advanced Features is enabled.
Scroll down to employeeID, click edit, enter 10 for the value and click OK.
Scroll down to employeeType, click edit, enter Full Time Employee for the value and click OK.
Click Apply. Click OK.
Select Lola Jacobson, right-click and select Properties.
Click the Attribute Editor tab. Ensure that Advanced Features is enabled.
Scroll down to employeeID, click edit, enter 11 for the value and click OK.
Scroll down to employeeType, click edit, enter Full Time Employee for the value and click OK.
Click Apply. Click OK.
Assigning group membership
This task is necessary to grant your sample users the right to interactively log on to FIM1.
To assign group membership
In the Active Directory Users and Computers MMC, select the Builtin OU.
In the list of objects, double-click the Server Operators security group.
Select the Members tab, and then click Add.
In the Object Names text box, type Britta Simon;Lola Jacobson. Click Check Names. Ensure they resolve with an underline.
Click OK. Click Apply. Click OK.
Create a Distribution Group
In this step we will create one distribution group in our AD environment.
To create a distribution group
Log on to the EX1.corp.contoso.com server as Administrator.
Click Start, click All Programs, click Microsoft Exchange Server 2010, and then click Exchange Management Console.
In the Exchange Management Console, click Microsoft Exchange On-Premises.
Warning
This may bring up a Microsoft Exchange box that says The following servers in your organization running Exchange Server 2010 are unlicensed. It will list EX1. If you plan to use this test lab for more than 120 days you will need to enter a product key. For now, just click OK.
In the Exchange Management Console, expand Microsoft Exchange On-Premises (ex1.corp.contoso.com), expand Recipient Configuration, right-click Distribution Group, and then select New Distribution Group. This will bring up the New Distribution Group wizard.
On the Introduction, click Next.
Place a check in Specify an Organizational Unit rather than using a default one: and Browse for the FIMObjects OU. Click OK.
In the Name text box, type IT Discussion.
In the Alias text box, enter ITD. Click Next.
Click New. Once it is done, click Finish.
Leave Exchange Management Console open as it will be used for the next procedure.
Add a member to our Distribution Group
In this step we will add a member to our distribution group.
To add a member to our Distribution Group
In Exchange Management Console, double-click on the IT Discussion group we just created.
At the top, click the Members tab and then click Add.
Select Britta Simon and click OK.
Click Apply. Click OK.
Close Exchange Management Console.
Enable Synchronization Rule Provisioning
Next you will enable Synchronization Rule Provisioning. This will enable the configured synchronization rules during a synchronization run. This setting is specifically for the declarative provisioning feature which we’ll be using in this lab.
To enable Synchronization Rule Provisioning
In the Synchronization Service Manager, at the top of the portal page, click Tools, and then select Options.
Select Enable Synchronization Rule Provisioning.
Click OK.
Create the AD Management Agent
In this procedure, you will create the AD DS management agent.
To create the AD DS management agent
Log on to FIM1 as CORP\Administrator.
Click Start, select All Programs, select Forefront Identity Manager, and click Synchronization Service. This will bring up the FIM 2010 R2 Synchronization Service.
At the top, click Management Agents.
On the right, click Create. This will begin the Create Management Agent wizard.
Under Management Agent for, use the drop-down list and select Active Directory Domain Services.
In the text box under Name, enter the following text, and then click Next:
AD
In the text box next to Forest name, enter corp.contoso.com.
In the text box next to User name, enter Administrator.
In the text box next to Password, enter the Administrators password.
In the text box next to Domain, enter CORP.
Click Next.
In the Select directory partitions list, click DC=corp,DC=contoso,DC=com.
Click the Containers button. This will bring up the Select Containers window.
To deselect all selected nodes, clear the check next to the DC=corp,DC=contoso,DC=com node.
Select the FIMObjects node.
Click OK, and then click Next.
On the Configure Provisioning Hierarchy page, click Next.
On the Select Object Types page, under Object Types, select user and group.
Click Next.
On the Select Attributes page, at the top, click Show all.
Select all of the following attributes:
displayname
employeeID
employeeType
givenName
groupType
mail
mailNickname
managedBy
member
objectSid
sAMAccountName
sn
Click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, in the drop-down next to Provisioning for: select Exchange 2010.
In the box next to Exchange 2010 RPS URI: enter https://ex1.corp.contoso.com/powershell. Click Finish.
Create the FIM Management Agent
Now it is time to create the FIM management agent.
To create the FIM Management Agent
At the top of the Synchronization Service, click Management Agents.
On the right, click Create. This will begin the Create Management Agent wizard.
Under Management Agent for, use the drop-down list and select FIM Service Management Agent.
In the text box under Name, enter FIM.
Click Next.
On the Connect to Database page, in the Server text box, enter APP1.
In the text box next to Database, type FIMService.
In the text box next to FIM Service base address, enter https://FIM1:5725.
In the Authentication mode box, click Windows integrated authentication.
In the text box next to User name, type FIMMA.
In the Password text box, enter Pass1word$.
In the Domain text box, enter CORP.
Click Next.
On the Select Object Types page, place a check in the box next to Person and Group, then click Next.
On the Select Attributes page, check the box at the top next to Show All, verify that all of the attributes are selected, and then click Next.
On the Configure Connector Filter page, click Next.
On the Configure Object Type Mappings page, click Person, and then click Add Mapping. This will bring up a mapping window.
On the mapping window, make sure person is selected for Metaverse object type, and then click OK. This will close the mapping window.
On the Configure Object Type Mappings page, click Group, and then click Add Mapping. This will bring up a mapping window.
On the mapping window, make sure group is selected for Metaverse object type, and then click OK. This will close the mapping window. Click Next.
On the Configure Attribute Flow page, from the drop-down list under Data source object type, select Person.
From the drop-down list under Metaverse object type list, select person.
For Mapping Type, select Direct.
From the list below Data source attribute, select AccountName.
From the list below Metaverse attribute, select accountName.
For Flow Direction, select Export. Ensure that Allow Nulls is not selected. Click New.
Repeat the above steps for each of the attribute entries in the following table.
Data source attribute | Flow direction | Metaverse attribute |
---|---|---|
AccountName | Export | accountName |
DisplayName | Export | displayName |
Domain | Export | domain |
EmployeeID | Export | employeeID |
EmployeeType | Export | employeeType |
Email | Export | mail |
FirstName | Export | firstName |
LastName | Export | lastName |
ObjectSID | Export | objectSid |
On the Configure Attribute Flow page, from the drop-down list under Data source object type, select Group.
From the drop-down list under Metaverse object type list, select group.
For Mapping Type, select Direct.
From the list below Data source attribute, select AccountName.
From the list below Metaverse attribute, select accountName.
For Flow Direction, select Export. Ensure that Allow Nulls is not selected. Click New.
Repeat the above steps for each of the attribute entries in the following table.
Data source attribute | Flow direction | Metaverse attribute |
---|---|---|
AccountName | Export | accountName |
DisplayName | Export | displayName |
Domain | Export | domain |
Email | Export | mail |
MailNickName | Export | mailNickName |
Member | Export | member |
ObjectSID | Export | objectSid |
Scope | Export | scope |
Type | Export | type |
MembershipAddWorkflow | Export | membershipAddWorkflow |
MembershipLocked | Export | membershipLocked |
DisplayName | Import | displayName |
Scope | Import | scope |
Type | Import | type |
Member | Import | member |
AccountName | Import | accountName |
DisplayedOwner | Import | displayedOwner |
MailNickname | Import | mailNickname |
Once all the attribute flows have been added, click Next.
On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, click Finish.
Create the Run Profiles for the AD MA
Now that the AD MA has been created, you will create run profiles for the management agent.
To create the run profiles for the AD MA
Click the AD Management Agent so it is highlighted.
On the right, under Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Import
On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Synchronization
On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Export
On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.
On the Management Agent Configuration page, click Finish.
Click Apply, and then click OK.
Create the Run Profiles for the FIM MA
Now that the FIM MA has been created, you will need to create run profiles for the management agent.
To create the run profiles for the FIM MA
Click the FIM Management Agent so it is highlighted.
On the right, under Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Import
On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Synchronization
On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Export
On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.
On the Management Agent Configuration page, click Finish.
Click Apply, and then click OK.
Enable the Required MPRs
By default, FIM has several Management Policy Rules disabled.
To enable the required MPRs
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Management Policy Rules.
In the list of MPRs, locate General: Users can read non-administrative configuration resources and click it. This will open the Configuration page.
Clear the check box next to Policy is disabled.
Click OK, and then click Submit.
Repeat the above steps for each of the MPR entries in the following table.
Management policy rule | Disabled |
---|---|
General: Users can read non-administrative configuration resources | No |
User management: Users can read attributes of their own | No |
User management: Users can read selected attributes of other users | No |
Distribution List management: Owners can read attributes of group resources. | No |
Distribution List management: Owners can update and delete groups that they own. | No |
Distribution List management: Users can add or remove any members of groups subject to owner approval. | No |
Distribution List management: Users can add or remove any members of groups that don’t require owner approval. | No |
Distribution List management: Users can read selected attributes of group resources. | No |
Distribution List management: Users can create Static Distribution Groups. | No |
Synchronization: Synchronization account can read group resources it synchronizes | No |
Synchronization: Synchronization account controls group resources it synchronizes | No |
Create the AD Inbound User Synch Rule
Now you will create the codeless inbound user synchronization rule. This provisions and flows the attributes of our users to the FIM Portal.
To create the AD Inbound User Synch Rule
At the bottom, on the left of the page, click Administration. This will bring up the Administration page. Click Synchronization Rules.
At the top, click New.
On the General tab, in the text box next to Display Name type AD Inbound User Synch Rule.
Under Data Flow Direction, select Inbound, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: AD
External System Resource Type: user
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): employeeID
Place a check in the box next to Create resource in FIM. Click Next.
On the Inbound Attribute Flow tab, provide the information in the following table, and then click Finish.
Source | Destination |
---|---|
displayName | displayName |
employeeID | employeeID |
employeeType | employeeType |
givenName | firstName |
objectSid | objectSid |
sAMAccountName | accountName |
sn | lastName |
mail | mail |
For each row in the previous table, complete the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select String, and then type CORP in the text box.
On the Destination tab, select domain in the attributes list.
To apply the attribute flow configuration, click OK.
Click Finish, and then click Submit.
Create the Group Synchronization Rule
Now you will create the codeless inbound/outbound synchronization rule for groups. This provisions and flows the attributes of our groups to the FIM Portal and AD.
To create the Inbound/Outbound Group Synchronization Rule
Still on the Synchronization Rules page, at the top, click New.
On the General tab, in the text box next to Display Name type Group Synchronization Rule.
Under Data Flow Direction, select Inbound and Outbound, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: group
External System: AD
External System Resource Type: group
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): accountName
ConnectedSystemObject:person(Attribute): sAMAccountName
Place a check in the box next to Create resource in FIM.
Place a check in the box next to Create resource in external system.
Place a check in the box next to Disconnect FIM resource from external system resource when this Synchronization Rule is removed. Click Next.
On the Workflow Parameters page, click Next.
On the Outbound Attribute Flow tab, provide the information in the following table, and then click Finish.
Source | Destination |
---|---|
displayName | displayName |
displayedOwner | managedBy |
accountName | sAMAccountName |
member | member |
mailNickname | mailNickname |
For each row in the previous table, complete the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
Click Next.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select CustomExpression, and then in the box that appears enter IIF(Eq(type,"Distribution"),IIF(Eq(scope,"Universal"),8,IIF(Eq(scope,"Global"),2,4)),IIF(Eq(scope,"Universal"),-2147483640,IIF(Eq(scope,"Global"),-2147483646,-2147483644))) in the text box.
On the Destination tab, select groupType in the attributes list.
To apply the attribute flow configuration, click OK.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select String and, in the box that appears, enter CN=. Click Concatenate Value and select displayName. Click Concatenate Value again, select String, and enter ,OU=FIMObjects,DC=corp,DC=contoso,DC=com.
Important
It should look like the following when done: "CN="+displayName+",OU=FIMObjects,DC=corp,DC=contoso,DC=com" → dn
On the Destination tab, select dn in the attributes list.
To apply the attribute flow configuration, click OK.
Place a check in Initial Flow Only.
On the Inbound Attribute Flow tab, provide the information in the following table, and then click Finish.
Source | Destination |
---|---|
sAMAccountName | accountName |
displayName | displayName |
mailNickName | mailNickName |
member | member |
mail | mail |
objectSid | objectSid |
For each row in the previous table, complete the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select String, and then type CORP in the text box.
On the Destination tab, select domain in the attributes list.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select String, and then type false in the text box.
On the Destination tab, select membershipLocked in the attributes list.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the box that appears, enter IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal")).
Click OK.
On the Destination tab, select scope in the attributes list.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the box that appears, enter IIF(Eq(BitOr(14,groupType),14),"Distribution","Security").
Click OK.
On the Destination tab, select type in the attributes list.
To apply the attribute flow configuration, click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, in the attributes list, select String, and then type Owner Approval in the text box.
On the Destination tab, select membershipAddWorkflow in the attributes list.
To apply the attribute flow configuration, click OK.
Click Finish, and then click Submit.
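The three CustomExpression flows of this rule and the concatenated dn flow, modelled in Python as an added example (not code from the lab guide or from FIM itself): it re-implements the outbound groupType encoding and the inbound scope/type decoding and checks that they agree for every scope/type pair, and it builds the dn with RFC 4514 escaping, which the plain string concatenation in the rule does not apply. The base OU is the lab's own; the sample group names are constructed.

```python
# Added example, not code from the lab guide or from FIM. Models the Group Synchronization
# Rule's CustomExpression flows and the outbound dn flow. Assumed: the base OU from this lab,
# constructed sample names, and RFC 4514 section 2.4 as the escaping rule for RDN values.

# AD groupType flag bits, as used by the lab's expressions.
GLOBAL = 0x00000002
DOMAIN_LOCAL = 0x00000004
UNIVERSAL = 0x00000008
SECURITY = 0x80000000  # sign bit, so security groups carry a negative 32-bit groupType


def to_int32(value: int) -> int:
    """Wrap a value to a signed 32-bit integer, the form in which AD and FIM store groupType."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value


def outbound_group_type(scope: str, type_: str) -> int:
    """Mirror of the outbound flow to groupType:
    IIF(Eq(type,"Distribution"),IIF(Eq(scope,"Universal"),8,IIF(Eq(scope,"Global"),2,4)),
        IIF(Eq(scope,"Universal"),-2147483640,IIF(Eq(scope,"Global"),-2147483646,-2147483644)))
    Like the expression, any scope other than Universal or Global falls through to DomainLocal.
    """
    bits = UNIVERSAL if scope == "Universal" else GLOBAL if scope == "Global" else DOMAIN_LOCAL
    if type_ != "Distribution":
        bits |= SECURITY
    return to_int32(bits)


def inbound_scope(group_type: int) -> str:
    """Mirror of the inbound flow to scope:
    IIF(Eq(BitAnd(2,groupType),2),"Global",IIF(Eq(BitAnd(4,groupType),4),"DomainLocal","Universal"))
    """
    if group_type & GLOBAL == GLOBAL:
        return "Global"
    if group_type & DOMAIN_LOCAL == DOMAIN_LOCAL:
        return "DomainLocal"
    return "Universal"


def inbound_type(group_type: int) -> str:
    """Mirror of the inbound flow to type:
    IIF(Eq(BitOr(14,groupType),14),"Distribution","Security")
    BitOr with 14 (0x0E) stays 14 only when no bit outside 0x0E is set, i.e. the sign
    (security) bit is clear, so every security group yields a different value.
    """
    return "Distribution" if (to_int32(group_type) | 14) == 14 else "Security"


def round_trip_ok() -> bool:
    """Check that every scope/type pair survives outbound encoding and inbound decoding."""
    for scope in ("Global", "DomainLocal", "Universal"):
        for type_ in ("Security", "Distribution"):
            gt = outbound_group_type(scope, type_)
            if (inbound_scope(gt), inbound_type(gt)) != (scope, type_):
                return False
    return True


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in '"+,;<>\\' or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def outbound_dn(display_name: str, base: str = "OU=FIMObjects,DC=corp,DC=contoso,DC=com") -> str:
    """Build the dn the lab flows as "CN="+displayName+",OU=FIMObjects,...", but escaped, so a
    displayName containing a comma does not turn into an extra RDN when the group is exported."""
    return f"CN={escape_rdn_value(display_name)},{base}"


if __name__ == "__main__":
    assert round_trip_ok()
    # Constructed sample: a universal distribution group and a displayName with a comma.
    print(outbound_group_type("Universal", "Distribution"), outbound_dn("Sales, EMEA"))
```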
Creating the AD Group Outbound Workflow
To configure the AD Group Outbound workflow, you use the related wizard pages.
To create the AD Group Outbound Workflow
On the left of the page, click Workflows. This will bring up the Workflows page. At the top click New.
On the General tab, provide the following information:
Workflow Name: AD Group Outbound Workflow
Workflow Type: Action
Place a check in Run on Policy Update. Click Next.
On the Activities tab, in the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rules list, select Group Synchronization Rule and in the Action Selection options, select Add, then click Save.
Click Finish.
On the Summary tab, click Submit.
Create the AD Group Outbound MPR
To configure the MPR, you use the related wizard pages.
To create the AD Group Outbound MPR
On the left of the page, click Management Policy Rules. This will bring up the Management Policy page. At the top click New.
On the General tab, in the box next to Display Name enter AD Group Outbound MPR.
On the Type, select Set Transition. Click Next.
On the Transition Definition tab, in the Transition Set box, enter All Groups, click Validate so that it resolves, and then click Next.
On the Policy Workflows tab, perform the following steps, and then click Next:
- In the Action Workflows list, select AD Group Outbound Workflow.
On the Summary tab, click Submit.
Set Attribute Precedence on Attributes
Now you will need to set the attribute precedence on attributes for the group object. Equal precedence allows multiple management agents to multi-master a metaverse attribute.
To set the attribute precedence on attributes
In the Synchronization Service Manager, at the top, click Metaverse Designer.
From the list of Object types select group.
Below, in the list of attributes, select accountName, and on the lower right, click Configure Attribute Flow Precedence.
Place a check in the box that says Use equal precedence and click OK.
Repeat the above steps for each of the entries in the following list:
displayName
mailNickname
member
scope
type
Initializing the FIM Management Agent
To initialize the FIM MA, you must run a complete synchronization cycle on this management agent. The complete cycle consists of the run profile runs in the following table.
Step | Run profile name |
---|---|
1 | Full import |
2 | Full synchronization |
3 | Export |
4 | Delta import |
Important
After running the export run profile on the FIM MA, you should wait a minute or two before running the confirming delta import.
To initialize the FIM MA
Open Synchronization Service Manager, and on the Tools menu, click Management Agents.
In the Management Agents list, select FIM.
For each row in the table immediately preceding this procedure, complete the following steps:
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select the run profile shown for that row in the table.
To start the run profile, click OK.
Initializing the AD Management Agent
To initialize the AD MA, you must run a full import and a full synchronization on it. In this sequence, the sample users are brought into the metaverse and also staged in the connector space of the FIM MA. To complete the initialization of the AD MA, you must also run an export and a confirming import on the FIM MA.
Step | Management agent | Run profile name |
---|---|---|
1 | AD | Full import |
2 | AD | Full synchronization |
3 | FIM | Export |
4 | FIM | Delta import |
To initialize the AD MA
Open the Synchronization Service Manager, and on the Tools menu, click Management Agents.
For each row in the previous table, complete the following steps:
In the Management Agents list, select the management agent shown for that row in the table.
To open the Run Management Agent dialog box, on the Action menu, click Run.
In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.