Step 6: Create AD Environment and Connector
Creating the initial environment consists of creating a test OU and two test users in Active Directory, creating a SQL database and table, and then populating the SQL table.
Create the ECMA2 OU in Active Directory
Create Test Users
Set additional Attributes on our Users
Create the AD Management Agent
Create the run profiles for the AD management agent
Create the ECMA2 OU in Active Directory
In this step we will be creating one OU. This OU will be used to contain our Active Directory test users.
To Create the ECMA2 OU in Active Directory
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.
In the Name text box, type the following text, and then click OK:
ECMA2
Close Active Directory Users and Computers.
Table 5 - Required Accounts

First Name | Last Name | User logon name | Display name | Forest | Password |
---|---|---|---|---|---|
Britta | Simon | bsimon | Britta Simon | corp.contoso.com | Pass1word$ |
Lola | Jacobson | ljacobson | Lola Jacobson | corp.contoso.com | Pass1word$ |
To create the test User Accounts
Still on DC1, in Active Directory Users and Computers, right-click ECMA2, select New, and then select User. This will bring up the New Object – User window.
On the New Object – User screen, in the First Name box, enter Britta.
On the New Object – User screen, in the Last Name box, enter Simon.
On the New Object – User screen, in the User logon name: box, enter bsimon and click Next.
On the New Object – User screen, in the Password box, enter Pass1word$.
On the New Object – User screen, in the Confirm Password box, enter Pass1word$.
On the New Object – User screen, remove the check from User must change password at next logon.
On the New Object – User screen, add a check to Password never expires and click Next.
Click Finish.
Repeat these steps for all of the accounts listed in the Account Summary table.
Set additional Attributes on our Users
In this step we will set employee ID and employee type on our users.
To Set additional Attributes on our Users
In the Active Directory Users and Computers MMC, select the ECMA2 OU.
Select Britta Simon, right-click and select Properties.
Click the Attribute Editor tab. Ensure that Advanced Features is enabled.
Scroll down to employeeID, click edit, enter 10 for the value and click Apply.
Scroll down to mail, click edit, enter bsimon@corp.contoso.com for the value and click Apply. Click OK.
Select Lola Jacobson, right-click and select Properties.
Click the Attribute Editor tab. Ensure that Advanced Features is enabled.
Scroll down to employeeID, click edit, enter 11 for the value and click OK.
Scroll down to mail, click edit, enter ljacobson@corp.contoso.com for the value, click Apply, and then click OK.
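The OU, user and attribute steps above can also be scripted. The following is an added example, not part of the original walkthrough; it assumes the ActiveDirectory PowerShell module is available on DC1 (it is on a domain controller) and that the session runs as corp\Administrator. The UPN suffix is an assumption matching the GUI default.

```powershell
# Added example (not from the original walkthrough): creates the ECMA2 OU,
# the two users from Table 5, and sets employeeID and mail as in the steps above.
# Assumes the ActiveDirectory module on DC1 and a session running as corp\Administrator.
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName          # e.g. DC=corp,DC=contoso,DC=com
$ouName   = 'ECMA2'
$ouDn     = "OU=$ouName,$domainDn"

# Create the OU only if it does not already exist, so the script can be re-run safely.
if (-not (Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domainDn
}

# Table 5 plus the employeeID values from the "Set additional Attributes" steps.
$users = @(
    @{ First = 'Britta'; Last = 'Simon';    Logon = 'bsimon';    EmployeeId = '10' }
    @{ First = 'Lola';   Last = 'Jacobson'; Logon = 'ljacobson'; EmployeeId = '11' }
)

# The walkthrough's lab password is Pass1word$; prompting keeps it out of the
# script file and the PowerShell history.
$password = Read-Host -Prompt 'Lab password for the test users' -AsSecureString

foreach ($u in $users) {
    $display = "$($u.First) $($u.Last)"
    $mail    = "$($u.Logon)@corp.contoso.com"
    # Skip accounts that already exist (idempotent re-runs).
    if (Get-ADUser -LDAPFilter "(sAMAccountName=$($u.Logon))") { continue }
    # Mirrors the GUI choices: enabled, no change at next logon, password never expires.
    New-ADUser -Name $display -GivenName $u.First -Surname $u.Last -DisplayName $display `
        -SamAccountName $u.Logon -UserPrincipalName "$($u.Logon)@corp.contoso.com" `
        -Path $ouDn -AccountPassword $password -Enabled $true `
        -ChangePasswordAtLogon $false -PasswordNeverExpires $true `
        -EmployeeID $u.EmployeeId -EmailAddress $mail
}

# Verify the attributes the AD management agent will later import from this OU.
Get-ADUser -SearchBase $ouDn -Filter * -Properties employeeID, mail, displayName |
    Select-Object sAMAccountName, givenName, sn, displayName, employeeID, mail |
    Format-Table -AutoSize
```

The final query should list both users with the employeeID and mail values from the steps above; an empty employeeID or mail column means the attribute step did not apply.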
Create the AD Management Agent
Now we will create the Active Directory management agent in the synchronization service.
To create the AD management agent
Log on to FIM1 as CORP\Administrator.
Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service.
In the Synchronization Service, click the Management Agents button at the top.
In the Management Agents view, on the right, under Actions, click Create. This will bring up the Create Management Agent dialog box.
On the Create Management Agent screen, under Management Agent for, select Active Directory Domain Services. Under Name enter AD and then click Next.
On the Connect to Active Directory Forest screen, enter corp.contoso.com for Forest name. Enter Administrator for the User name. Enter Pass1word$ for the Password. Enter CORP for the Domain. Click Next.
On the Configure Directory Partitions screen, under Select directory partitions, put a check in DC=corp,DC=contoso,DC=com. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.
On the Select Containers screen, clear the check in the root DC=corp,DC=contoso,DC=com box. This will remove the check marks in all of the boxes. Now place a check in the ECMA2 box. Click OK. This will close the Select Containers dialog box.
On the Configure Directory Partitions screen, click Next.
On the Configure Provisioning Hierarchy screen click Next.
On the Select Object Types screen, check user and then click Next.
On the Select Attributes screen, place a check in the Show All box in the upper-right.
On the Select Attributes screen, place a check in the box for each attribute in the following list. When finished click Next.
cn
displayName
employeeID
samAccountName
givenName
mail
sn
On the Configure Connector Filter dialog box, click Next.
On the Configure Join and Projection Rules dialog box, select user and then click New Projection Rule. This will bring up the Projection dialog box.
On the Projection dialog box select Declared and then click OK. This will close the Projection dialog box.
On the Configure Join and Projection Rules dialog box, click Next.
On the Configure Attribute Flow dialog box, under Data source object type select user.
On the Configure Attribute Flow dialog box, under Metaverse object type select person.
On the Configure Attribute Flow dialog box, under Data source attribute select samAccountName.
On the Configure Attribute Flow dialog box, under Mapping Type select Direct.
On the Configure Attribute Flow dialog box, under Flow Direction select Import.
On the Configure Attribute Flow dialog box, under Metaverse attribute select accountName.
On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table. When finished, click Next.
Table 1 – Attribute Flow

Data Source Attribute | Flow Direction | Metaverse attribute |
---|---|---|
samAccountName | Import | accountName |
mail | Import | mail |
employeeID | Import | employeeID |
displayName | Import | displayName |
givenName | Import | firstName |
sn | Import | lastName |
displayName | Export | displayName |
mail | Export | mail |
employeeID | Export | employeeID |
givenName | Export | firstName |
sn | Export | lastName |
On the Configure Deprovisioning dialog box, click Next.
On the Configure Extensions dialog box, click Finish.
Create the run profiles for the AD management agent
Now that the AD management agent has been created, you will need to create run profiles for the management agent.
To Create the run profiles for the AD management agent
In the Synchronization Service, on the right of the page, under the Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following, and then click Next:
Export
On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.