Managing User Identities with Forefront Identity Manager 2010 Test Lab Guide
Updated: May 12, 2011
Applies To: Forefront Identity Manager 2010
This guide provides steps for configuring a test lab for the solution detailed in the Managing User Identities with Forefront Identity Manager 2010 guide. The following sections provide details about how to perform these tasks.
Test Lab Overview
In this test lab, Microsoft® Forefront® Identity Manager (FIM) 2010 is deployed with:
One preexisting server running FIM 2010.
One preexisting server running SQL Server® 2008 R2, named APP1.
One preexisting server running Microsoft Exchange Server 2010 with Service Pack 1, named EX1.
One preexisting client running Windows® 7 Ultimate, named CLIENT1.
The FIM test lab uses the following subnet:
- The intranet established by the Base Configuration Test Lab Guide, referred to as the Corpnet subnet (10.0.0.0/24).
Computers on each subnet connect using a hub or switch. See the following figure.
This test lab will guide you through the Forefront Identity Manager 2010 configuration process. The purpose of this test lab is to allow for the creation of a test lab environment that uses Forefront Identity Manager 2010 for end-to-end user identity management. This test lab guide builds upon previously released test lab guides.
Steps for Configuring the Managing User Identities with Forefront Identity Manager 2010 Test Lab
There are six steps to follow when configuring a Forefront Identity Manager 2010 test lab based on the Managing User Identities with Forefront Identity Manager 2010 Test Lab Guide.
Step 1: Completing the Base Configuration—The Base Configuration is the core of all Test Lab Guide scenarios. The first step is to complete the Base Configuration.
Step 2: Completing the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)—The second step is to complete the Exchange Server 2010 with Service Pack 1 test lab guide. This provides Active Directory® attributes and e-mail functionality for the FIM Service account.
Step 3: Completing the SQL Server 2008 R2 TLG—The third step is to complete the SQL Server 2008 R2 test lab guide. This provides the database server for your FIM 2010 installation.
Step 4: Completing the FIM 2010 TLG—The fourth step is to complete the FIM 2010 test lab guide. This provides the FIM installation.
Step 5: Configuring FIM 2010 to Manage User Identities—The fifth step includes configuring the environment.
Step 6: Verifying the Configuration—The sixth step includes verifying that everything is working.
Step 1: Completing the Base Configuration
Set up the Base Configuration test lab for both the Corpnet and Internet subnets using the procedures in the “Steps for Configuring the Corpnet Subnet” and “Steps for Configuring the Internet Subnet” sections of the Test Lab Guide: Base Configuration (https://go.microsoft.com/fwlink/?LinkId=198140).
Step 2: Complete the Exchange Server 2010 with Service Pack 1 Test Lab Guide (TLG)
Set up the Exchange Server 2010 with Service Pack 1 test lab using the procedures outlined in Test Lab Guide: Exchange Server 2010 with Service Pack 1 (https://go.microsoft.com/fwlink/?LinkId=206341).
Step 3: Complete the SQL Server 2008 R2 TLG
Set up the SQL Server 2008 R2 test lab using the procedures outlined in Test Lab Guide: SQL Server 2008 R2 (https://go.microsoft.com/fwlink/?LinkId=206340).
Step 4: Complete the FIM 2010 TLG
Set up the Forefront Identity Manager 2010 test lab using the procedures outlined in Test Lab Guide: Forefront Identity Manager 2010 (https://go.microsoft.com/fwlink/?LinkID=205228).
Step 5: Configure FIM 2010 to Manage User Identities
Configuring FIM 2010 to manage user identities consists of the following:
Create Active Directory Organizational Units
Create and Populate the HR Database
Create an EmployeeStatus Attribute in the FIM Portal
Add EmployeeStatus to the MPR
Create the HR Management Agent in the Synchronization Service
Create the Run Profiles for the HR MA
Configure the Object Deletion Rule
Create the FIM Management Agent
Create the Run Profiles for the FIM MA
Enable Synchronization Rule Provisioning
Enable the Required MPRs
Set Up an Inbound Synchronization Rule for the HR MA in the FIM Portal
Run Imports and Synchs on the MAs
Set the Attribute Precedence on Attributes
Run the HR and FIM Management Agents
Create the AD Management Agent
Create the Run Profiles for the AD MA
Set Up an AD Provisioning Synchronization Rule for the AD MA in the FIM Portal
Create an All Employees and Contractors Set
Set Up the AD User Provisioning Workflow
Set Up the AD User Provisioning MPR
Set Up an Inbound Synchronization Rule for the AD MA in the FIM Portal
Create an Inactive Employees Set
Set Up an AD Make User Inactive Synchronization Rule
Set Up an AD Make User Inactive Workflow
Set Up an AD Make User Inactive MPR
Set Up an AD Deprovision Workflow
Set Up an AD Deprovision MPR
Run the HR, FIM, and AD Management Agents
Create Active Directory Organizational Units
In this step you will be creating three organizational units within Active Directory. These OUs will be used to contain your Full-Time Employees, Contractors, and your Terminated employees.
To create Active Directory organizational units
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.
In the Name text box, type the following text, and then click OK:
FIM_FTE
In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.
In the Name text box, type the following text, and then click OK:
FIM_Contractors
In the Active Directory Users and Computers MMC, from the tree-view on the left, right-click corp.fabrikam.com, select New, and then select Organizational Unit.
In the Name text box, type the following text, and then click OK:
FIM_Inactive
Close Active Directory Users and Computers.
Create and Populate the HR Database
In this step you will be creating and populating your HR database in SQL. This will simulate a real-world example of a Human Resources database.
To create and populate the HR database
Log on to APP1 as corp\Administrator.
Click Start, click All Programs, click Microsoft SQL Server 2008, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.
On the Connect to Server dialog box, under Server Type, select Database Engine.
On the Connect to Server dialog box, under Server name, select APP1.
On the Connect to Server dialog box, under Authentication, select Windows Authentication.
Click Connect. This should be successful and the database information will be displayed on the left.
At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
USE [master]
GO
/****** Object: Database [HR] Script Date: 10/28/2010 14:55:39 ******/
CREATE DATABASE [HR] ON PRIMARY
( NAME = N'HR', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\HR.mdf' , SIZE = 2048KB , MAXSIZE = UNLIMITED, FILEGROWTH = 1024KB )
LOG ON
( NAME = N'HR_log', FILENAME = N'C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER\MSSQL\DATA\HR_log.ldf' , SIZE = 1024KB , MAXSIZE = 2048GB , FILEGROWTH = 10%)
GO
ALTER DATABASE [HR] SET COMPATIBILITY_LEVEL = 100
GO
IF (1 = FULLTEXTSERVICEPROPERTY('IsFullTextInstalled'))
begin
EXEC [HR].[dbo].[sp_fulltext_database] @action = 'enable'
end
GO
ALTER DATABASE [HR] SET ANSI_NULL_DEFAULT OFF
GO
ALTER DATABASE [HR] SET ANSI_NULLS OFF
GO
ALTER DATABASE [HR] SET ANSI_PADDING OFF
GO
ALTER DATABASE [HR] SET ANSI_WARNINGS OFF
GO
ALTER DATABASE [HR] SET ARITHABORT OFF
GO
ALTER DATABASE [HR] SET AUTO_CLOSE OFF
GO
ALTER DATABASE [HR] SET AUTO_CREATE_STATISTICS ON
GO
ALTER DATABASE [HR] SET AUTO_SHRINK OFF
GO
ALTER DATABASE [HR] SET AUTO_UPDATE_STATISTICS ON
GO
ALTER DATABASE [HR] SET CURSOR_CLOSE_ON_COMMIT OFF
GO
ALTER DATABASE [HR] SET CURSOR_DEFAULT GLOBAL
GO
ALTER DATABASE [HR] SET CONCAT_NULL_YIELDS_NULL OFF
GO
ALTER DATABASE [HR] SET NUMERIC_ROUNDABORT OFF
GO
ALTER DATABASE [HR] SET QUOTED_IDENTIFIER OFF
GO
ALTER DATABASE [HR] SET RECURSIVE_TRIGGERS OFF
GO
ALTER DATABASE [HR] SET DISABLE_BROKER
GO
ALTER DATABASE [HR] SET AUTO_UPDATE_STATISTICS_ASYNC OFF
GO
ALTER DATABASE [HR] SET DATE_CORRELATION_OPTIMIZATION OFF
GO
ALTER DATABASE [HR] SET TRUSTWORTHY OFF
GO
ALTER DATABASE [HR] SET ALLOW_SNAPSHOT_ISOLATION OFF
GO
ALTER DATABASE [HR] SET PARAMETERIZATION SIMPLE
GO
ALTER DATABASE [HR] SET READ_COMMITTED_SNAPSHOT OFF
GO
ALTER DATABASE [HR] SET HONOR_BROKER_PRIORITY OFF
GO
ALTER DATABASE [HR] SET READ_WRITE
GO
ALTER DATABASE [HR] SET RECOVERY FULL
GO
ALTER DATABASE [HR] SET MULTI_USER
GO
ALTER DATABASE [HR] SET PAGE_VERIFY CHECKSUM
GO
ALTER DATABASE [HR] SET DB_CHAINING OFF
GO
At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
USE [HR]
GO
/****** Object: Table [dbo].[Employees] Script Date: 10/28/2010 14:54:59 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
SET ANSI_PADDING ON
GO
CREATE TABLE [dbo].[Employees](
    [EmployeeNumber] [nchar](10) NULL,
    [FirstName] [char](10) NULL,
    [LastName] [char](20) NULL,
    [UserID] [char](21) NULL,
    [EmployeeType] [char](2) NULL,
    [EmploymentStatus] [char](2) NULL,
    [StartDate] [date] NULL,
    [EndDate] [date] NULL,
    [Manager] [char](100) NULL,
    [Department] [char](100) NULL
) ON [PRIMARY]
GO
SET ANSI_PADDING OFF
GO
At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
USE [HR]
GO
INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName, LastName, UserID, Department, Manager, StartDate)
VALUES ('1101', 'F', 'A', 'Test', 'User1', 'tuser1', 'IT', 'Britta Simon', '2009-10-28')
INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName, LastName, UserID, Department, Manager, StartDate)
VALUES ('1102', 'F', 'A', 'Test', 'User2', 'tuser2', 'Accounting', 'Britta Simon', '1995-09-28')
INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName, LastName, UserID, Department, Manager, StartDate)
VALUES ('1103', 'C', 'A', 'Test', 'User3', 'tuser3', 'Marketing', 'Lola Jacobson', '2006-08-28')
INSERT INTO Employees (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName, LastName, UserID, Department, Manager, StartDate)
VALUES ('1104', 'C', 'A', 'Test', 'User4', 'tuser4', 'Legal', 'Lola Jacobson', '1999-07-28')
At the top, click Execute. This will take a moment and you should see four lines that say (1 row(s) affected) in the lower part of the center pane.
At the top, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
USE [HR]
GO
/****** Object: View [dbo].[Active_Employees] Script Date: 02/02/2011 08:21:00 ******/
SET ANSI_NULLS ON
GO
SET QUOTED_IDENTIFIER ON
GO
CREATE VIEW [dbo].[Active_Employees]
AS
SELECT EmployeeNumber, FirstName, LastName, UserID, EmployeeType, EmploymentStatus, StartDate, EndDate, Manager, Department,
       EmployeeNumber AS Expr1, FirstName AS Expr2, LastName AS Expr3, UserID AS Expr4, Department AS Expr5,
       Manager AS Expr6, EndDate AS Expr7, StartDate AS Expr8, EmploymentStatus AS Expr9, EmployeeType AS Expr10
FROM dbo.Employees
WHERE (EndDate <= DATEADD(day, 0, GETDATE())) AND (EndDate > DATEADD(day, - 45, GETDATE()))
   OR (EndDate IS NULL)
GO
At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
Close SQL Server Management Studio.
Log off APP1.
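The Active_Employees view created above is the only thing the HR management agent reads, so a row that leaves the view is what later disconnects the HR connector and, once the object deletion rule in this guide is configured, removes the metaverse object. The following T-SQL is an added example, not part of the original guide: it inserts four constructed rows with different EndDate values, shows which of them the 45-day window in the view exposes, and then rolls back so the four lab employees are left exactly as inserted. It assumes the HR database and view from the steps above and can be run in SQL Server Management Studio on APP1.

```sql
USE [HR]
GO
-- Everything below runs in one transaction that is rolled back at the end,
-- so the constructed rows never persist in the lab database.
BEGIN TRANSACTION;

-- Constructed test rows (employee numbers 9xxx are not used by the guide).
-- Each one exercises a different branch of the view's WHERE clause.
INSERT INTO dbo.Employees
    (EmployeeNumber, EmployeeType, EmploymentStatus, FirstName, LastName,
     UserID, Department, Manager, StartDate, EndDate)
VALUES
    -- No end date: EndDate IS NULL, so the row is always visible.
    ('9001', 'F', 'A', 'Test', 'Active', 'tactive', 'IT', 'Britta Simon', '2010-01-04', NULL),
    -- Ended 10 days ago: inside the 45-day window, still visible so the
    -- Terminated status can flow through the HR MA before the row disappears.
    ('9002', 'F', 'T', 'Test', 'Recent', 'trecent', 'IT', 'Britta Simon', '2010-01-04', DATEADD(day, -10, GETDATE())),
    -- Ended 60 days ago: outside the window, so the HR MA no longer sees it;
    -- the HR connector is disconnected and the metaverse object is deleted.
    ('9003', 'C', 'T', 'Test', 'Old', 'told', 'IT', 'Britta Simon', '2010-01-04', DATEADD(day, -60, GETDATE())),
    -- Ends 5 days from now: EndDate is not yet <= today, so the view
    -- excludes the row even though the person is still employed.
    ('9004', 'F', 'A', 'Test', 'Future', 'tfuture', 'IT', 'Britta Simon', '2010-01-04', DATEADD(day, 5, GETDATE()));

-- Compare every constructed row in the table with what the HR MA would read.
SELECT e.EmployeeNumber,
       e.EmploymentStatus,
       e.EndDate,
       CASE WHEN v.EmployeeNumber IS NULL THEN 'not visible to HR MA'
            ELSE 'visible to HR MA'
       END AS HrMaView
FROM dbo.Employees AS e
LEFT JOIN dbo.Active_Employees AS v
       ON v.EmployeeNumber = e.EmployeeNumber
WHERE e.EmployeeNumber LIKE '9%'
ORDER BY e.EmployeeNumber;

-- Discard the constructed rows; the four lab employees remain untouched.
ROLLBACK TRANSACTION;
```

Expected result: 9001 and 9002 are reported as visible, 9003 and 9004 as not visible, which is the behaviour the HR MA will act on during its imports.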
Create an EmployeeStatus Attribute in the FIM Portal
In this procedure, you will create the EmployeeStatus attribute in the FIM Portal.
To create an EmployeeStatus attribute in the FIM Portal
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will open the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Schema Management.
Click All Attributes. The title bar should now show Schema Management—All Attributes.
At the top, click New. This will bring up the Create Attribute screen.
In the text box, next to System name, enter EmployeeStatus.
In the text box, next to Display Name, enter Employee Status.
From the drop-down, next to Data Type, select Unindexed string.
In the text box, next to Description, enter Tracks an employee’s status as Active, Retired, or Terminated.
Click Finish, and then click Submit.
At the top, click All Bindings. The title bar should now show Schema Management – All Bindings.
At the top, click New. This will bring up the Create Binding screen.
In the box, next to Resource Type, enter User. Click the green check mark. User should resolve with an underline.
In the box, next to Attribute Type, enter EmployeeStatus. Click the green check mark. EmployeeStatus should resolve with an underline.
Click Finish, and then click Submit.
Add EmployeeStatus to the MPR
Now you will add the EmployeeStatus attribute to the Synchronization: Synchronization account controls users it synchronizes MPR.
To add EmployeeStatus to the MPR
At the bottom of the left column, click Administration. This will bring up the Administration page.
Click Management Policy Rules.
In the list of MPRs, locate Synchronization: Synchronization account controls users it synchronizes and click it. This will open the Configuration page.
Click the Target Resources tab.
Under Select specific attributes, use the up and down arrows to scroll to the bottom of the list.
After Time Zone, enter EmployeeStatus. Click to select the green check mark. This should resolve with an underline.
Click OK, and then click Submit.
Create the HR Management Agent in the Synchronization Service
Now you will create a SQL Server management agent (MA) named HR.
To create the HR management agent in the Synchronization Service
Click Start, All Programs, Microsoft Forefront Identity Manager, and then Synchronization Service. This will launch the Synchronization Service Manager.
At the top, click Management Agents.
On the right, click Create. This will begin the Create Management Agent wizard.
Under Management Agent for, select SQL Server from the drop-down list.
In the box under Name, type the following text, and then click Next:
HR
On the Connect to Database page, in the Server text box, enter APP1.
In the text box next to Database, type HR.
In the text box next to Table/View, enter Active_Employees.
Next to Authentication mode, click Windows integrated authentication.
In the text box next to User name, type Administrator.
In the Password text box, enter the Administrator's password.
In the Domain text box, type the following text, and then click Next:
CORP
On the Configure Columns page, click Set Anchor. This will bring up a Set Anchor window.
Under Available attributes, click EmployeeNumber, and then click Add. Click OK. Click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Finish.
Create the Run Profiles for the HR MA
Now that the HR MA has been created, you will create run profiles for the management agent.
To create the run profiles for the HR MA
On the right, under the Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click Apply, and then click Close.
Configure Object Deletion Rule
Now we will configure the object deletion rule to delete the object from the metaverse once the HR connector is disconnected.
To Configure the Object Deletion Rule
At the top, click Metaverse Designer.
Under Object Types select Person.
On the right, click Configure Object Deletion Rule. This will bring up the Configure Object Deletion Rule screen.
Select Delete metaverse object when connector from any of the following management agents is disconnected. Place a check in the box next to HR.
Click OK.
Create the FIM 2010 Management Agent
Now it is time to create the FIM 2010 management agent.
To create the FIM 2010 Management Agent
In the Synchronization Service Manager, at the top, click Management Agents.
On the right, click Create. This will begin the Create Management Agent wizard.
Under Management Agent for, use the drop-down list and select FIM Service Management Agent.
In the text box under Name, type the following text, and then click Next:
FIM
On the Connect to Database page, in the Server text box, enter APP1.
In the text box next to Database, type FIMService.
In the text box next to FIM Service base address, enter https://FIM1:5725.
Next to Authentication mode, click Windows integrated authentication.
In the text box next to User name, type FIMMA.
In the Password text box, enter Pass1word$.
In the Domain text box, type the following text, and then click Next:
CORP
On the Select Object Types page, place a check in the box next to Person, and then click Next.
On the Select Attributes page, check the box at the top next to Show All, verify that all of the attributes are selected, and then click Next.
On the Configure Connector Filter page, click Next.
On the Configure Object Type Mappings page, click Person, and then click Add Mapping. This will bring up a mapping window.
On the mapping window, make sure person is selected for Metaverse object type, and then click OK. This will close the mapping window. Click Next.
On the Configure Attribute Flow page, from the drop-down list under Data source object type, select Person.
From the drop-down list under Metaverse object type list, select person.
For Mapping Type, select Direct.
From the list below Data source attribute, select AccountName.
From the list below Metaverse attribute, select accountName.
For Flow Direction, select Export. Ensure that Allow Nulls is not selected. Click New.
Repeat the above steps for each of the attribute entries in the following table.
Important
Be sure to change the Flow Direction where applicable. Also be sure to add the check to Allow Nulls where the column entry is marked Yes.
<table>
<colgroup>
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Data source attribute</th>
<th>Flow direction</th>
<th>Metaverse attribute</th>
<th>Allow nulls</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>AccountName</p></td>
<td><p>Export</p></td>
<td><p>accountName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Department</p></td>
<td><p>Export</p></td>
<td><p>department</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>DisplayName</p></td>
<td><p>Export</p></td>
<td><p>displayName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeEndDate</p></td>
<td><p>Export</p></td>
<td><p>employeeEndDate</p></td>
<td><p>Yes</p></td>
</tr>
<tr class="odd">
<td><p>EmployeeID</p></td>
<td><p>Export</p></td>
<td><p>employeeID</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeStartDate</p></td>
<td><p>Export</p></td>
<td><p>employeeStartDate</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>EmployeeStatus</p></td>
<td><p>Export</p></td>
<td><p>employeeStatus</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeType</p></td>
<td><p>Export</p></td>
<td><p>employeeType</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>FirstName</p></td>
<td><p>Export</p></td>
<td><p>firstName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>LastName</p></td>
<td><p>Export</p></td>
<td><p>lastName</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Manager</p></td>
<td><p>Export</p></td>
<td><p>manager</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>AccountName</p></td>
<td><p>Import</p></td>
<td><p>accountName</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>DisplayName</p></td>
<td><p>Import</p></td>
<td><p>displayName</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeEndDate</p></td>
<td><p>Import</p></td>
<td><p>employeeEndDate</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>Department</p></td>
<td><p>Import</p></td>
<td><p>department</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>EmployeeID</p></td>
<td><p>Import</p></td>
<td><p>employeeID</p></td>
<td><p></p></td>
</tr>
<tr class="odd">
<td><p>EmployeeType</p></td>
<td><p>Import</p></td>
<td><p>employeeType</p></td>
<td><p></p></td>
</tr>
<tr class="even">
<td><p>Manager</p></td>
<td><p>Import</p></td>
<td><p>manager</p></td>
<td><p></p></td>
</tr>
</tbody>
</table>
Once all the attribute flows have been added, click Next.
On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.
On the Configure Extensions page, click Finish.
Create the Run Profiles for the FIM 2010 MA
Now that the FIM 2010 MA has been created, you will need to create run profiles for the management agent.
To create the run profiles for the FIM 2010 MA
In the Synchronization Service Manager, on the right, under the Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Import
On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Synchronization
On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Export
On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.
On the Management Agent Configuration page, click Finish.
Click Apply, and then click OK.
Enable Synchronization Rule Provisioning
Next you will enable Synchronization Rule Provisioning. This will enable the configured synchronization rules during a synchronization run.
To enable Synchronization Rule Provisioning
In the Synchronization Service Manager, at the top, click Tools, and then select Options.
Select Enable Synchronization Rule Provisioning.
Click OK.
Enable the Required MPRs
By default, FIM has several Management Policy Rules disabled. The MPRs listed in this procedure must be enabled for this test lab.
To enable the required MPRs
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Management Policy Rules.
In the list of MPRs, locate General: Users can read non-administrative configuration resources and click it. This will open the Configuration page.
Clear the check box next to Policy is disabled.
Click OK, and then click Submit.
Repeat the above steps for each of the MPR entries in the following table.
<table>
<colgroup>
<col style="width: 75%" />
<col style="width: 25%" />
</colgroup>
<thead>
<tr class="header">
<th>Management policy rule</th>
<th>Disabled</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>General: Users can read non-administrative configuration resources</p></td>
<td><p>No</p></td>
</tr>
<tr class="even">
<td><p>User management: Users can read attributes of their own</p></td>
<td><p>No</p></td>
</tr>
<tr class="odd">
<td><p>User management: Users can read selected attributes of other users</p></td>
<td><p>No</p></td>
</tr>
</tbody>
</table>
Set Up the Inbound Synchronization Rule for the HR MA in FIM Portal
Now you will create the Inbound Synchronization Rule for the HR MA in the FIM Portal.
To set up the Inbound Synchronization Rule for the HR MA in FIM Portal
At the bottom of the left column on the portal page, click Administration. This will bring up the Administration page.
Click Synchronization Rules.
At the top of the portal page, click New.
On the General tab, in the box next to Display Name, enter HR Inbound Synch Rule, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: HR
External System Resource Type: person
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): EmployeeNumber
Create Resource in FIM: select the check box
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select Department. Click OK.
On the Destination tab, from the drop-down list select department. Click OK.
Repeat the above steps for each of the entries in the table below.
<table>
<colgroup>
<col style="width: 50%" />
<col style="width: 50%" />
</colgroup>
<thead>
<tr class="header">
<th>Source</th>
<th>Destination</th>
</tr>
</thead>
<tbody>
<tr class="odd">
<td><p>EmployeeNumber</p></td>
<td><p>employeeID</p></td>
</tr>
<tr class="even">
<td><p>FirstName</p></td>
<td><p>firstName</p></td>
</tr>
<tr class="odd">
<td><p>LastName</p></td>
<td><p>lastName</p></td>
</tr>
<tr class="even">
<td><p>UserID</p></td>
<td><p>accountName</p></td>
</tr>
</tbody>
</table>
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select FirstName. At the top, click Concatenate Value.
From the new drop-down list that appears, select String. In the text box that appears, enter a blank space.
Important
This can be done by clicking inside the box. Ensure that the cursor is in the box. Hit the Spacebar once.
Click Concatenate Value.
From the new drop-down list that appears, select LastName, and then click OK.
On the Destination tab, from the drop-down list select displayName, and then click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select StartDate. At the top of the page, click Concatenate Value.
From the new drop-down list that appears, select String. In the text box that appears, enter T08:00:00.000.
Click OK.
On the Destination tab, from the drop-down list select employeeStartDate, and then click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list box select EndDate. At the top, click Concatenate Value.
From the new drop-down list that appears, select String. In the text box that appears, enter T08:00:00.000.
Click OK.
On the Destination tab, from the drop-down list select employeeEndDate, and then click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the box that appears, enter IIF(Eq(EmployeeType,"F"),"Full Time Employee","Contractor").
Click OK.
On the Destination tab, from the drop-down list select employeeType. Click OK.
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, enter IIF(Eq(EmploymentStatus,"A"),"Active",IIF(Eq(EmploymentStatus,"R"),"Retired","Terminated")).
Click OK.
On the Destination tab, from the drop-down list select employeeStatus, and then click OK.
Click Finish. Click Submit.
Run Imports and Synchs on the MAs
Now you will run your management agents and bring information into the metaverse.
To run imports and synchs on the MAs
In the Synchronization Service Manager, at the top, under Management Agents, click FIM.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.
At the top, under Management Agents, click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.
At the top, under Management Agents, click FIM.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
At the top, under Management Agents, click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Set Attribute Precedence on Attributes
Now you will need to set the attribute precedence on attributes.
To set the attribute precedence on attributes
In the Synchronization Service Manager, at the top, click Metaverse Designer.
From the list of Object types select person.
Under the list of attributes, select accountName, and on the lower right, click Configure Attribute Flow Precedence.
From the list, select the entry for the HR management agent and use the arrow on the right to move it up to the first position.
Repeat the above steps for each of the entries in the following list:
department
displayName
employeeEndDate
employeeID
employeeType
Run the HR and FIM Management Agents
Now that you have set the correct precedence for your attributes, you will need to rerun your synchronizations and also do an export to populate the FIM Portal.
To run the HR and FIM management agents
In the Synchronization Service Manager, at the top, under Management Agents, click FIM.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
At the top, under Management Agents, click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Synchronization, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
At the top, under Management Agents, click FIM.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Export, and then click OK. This will take a moment. It should finish with Export Statistics in the lower left window and no errors. You should see four adds and two updates.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Delta Import, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Delta Synchronization, and then click OK. This will take a moment. It should finish with Import Statistics in the lower left window and no errors.
Create the AD Management Agent
In this procedure, you will create the AD DS management agent.
To create the AD DS management agent
At the top, click Management Agents.
On the right, click Create. This will begin the Create Management Agent wizard.
Under Management Agent for, use the drop-down list and select Active Directory Domain Services.
In the text box under Name, enter the following text, and then click Next:
AD
In the text box next to Forest name, enter corp.contoso.com.
In the text box next to User name, enter Administrator.
In the text box next to Password, enter the Administrator's password.
In the text box next to Domain, enter the following text, and then click Next:
CORP
In the Select directory partitions list, click DC=corp,DC=contoso,DC=com.
Click the Containers button. This will bring up the Select Containers window.
To deselect all selected nodes, click the check next to the DC=corp,DC=contoso,DC=com node.
Select the FIM_Contractors node.
Select the FIM_FTE node.
Select the FIM_Inactive node.
Click OK, and then click Next.
On the Configure Provisioning Hierarchy page, click Next.
On the Select Object Types page, under Object Types, click user.
Click Next.
On the Select Attributes page, at the top, click Show all.
Select all of the following attributes:
cn
department
description
displayname
employeeID
employeeType
givenName
manager
objectSid
sAMAccountName
sn
unicodePwd
userAccountControl
Click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, select Stage a delete on the object for the next export run, and then click Next.
On the Configure Provisioning Hierarchy page, click Next.
On the Configure Extensions page, click Finish.
Create the Run Profiles for the AD MA
Now that the AD MA has been created, you will create run profiles for the management agent.
To create the run profiles for the AD MA
On the right, under Actions menu, click Configure Run Profiles. This opens the Configure Run Profiles window.
Click New Profile. This will begin the Configure Run Profile wizard.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Import
On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Full Synchronization
On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Import
On the Configure Step page, from the drop-down list under Type, select Delta Import (Stage Only), and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Delta Synchronization
On the Configure Step page, from the drop-down list under Type, select Delta Synchronization, and then click Next.
On the Management Agent Configuration page, click Finish.
Click New Profile.
On the Profile Name page, in the text box under Name, type the following text, and then click Next:
Export
On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.
On the Management Agent Configuration page, click Finish.
Click Apply, and then click OK.
Set Up AD Provisioning Synchronization Rule for the AD MA in the FIM Portal
Now you will create the codeless provisioning rule in the FIM Portal. This rule will be responsible for creating new users in Active Directory.
To set up the AD Provisioning Synchronization Rule for the AD MA in the FIM Portal
Click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the right, under Administration, click Synchronization Rules.
At the top, click New.
On the General tab, in the text box next to Display Name, enter AD Provisioning Synch Rule.
Under Data Flow Direction, select Outbound, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: AD
External System Resource Type: user
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): accountName
ConnectedSystemObject:person(Attribute): sAMAccountName
Create Resource in External System: select the check box
On the Workflow Parameters screen, click Next.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select employeeID, and then click OK.
On the Destination tab, from the drop-down list select employeeID, and then click OK.
Repeat the above steps for each of the entries in the following table (Source -> Destination):
- department -> department
- displayName -> displayName
- employeeType -> employeeType
- firstName -> givenName
- lastName -> sn
- manager -> manager
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select String. In the text box that appears, enter the following text, and then click OK:
Pass@word1
On the Destination tab, from the drop-down list select unicodePwd, and then click OK.
Check the Initial Flow Only box next to “Pass@word1” -> unicodePwd.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, enter the following expression:
IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com")
Tip
You can copy and paste the expression above, but be aware that the curly “ ” quotation marks that Word inserts are not valid in the expression syntax. To work around this, paste the expression into Notepad, replace every curly quote with a straight quote ("), and then copy it into the Custom Expression box.
Click OK.
On the Destination tab, from the drop-down list select dn, and then click OK.
Check the box Initial Flow Only next to this rule.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, enter the following expression:
IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com")
Click OK.
On the Destination tab, from the drop-down list select dn, and then click OK.
Warning
The following is not a typo. You want to add the same attribute flow twice. One is for the creation of the user account and is initial flow only and the second one, which is not marked initial flow, is responsible for moving your user between the FIM_FTE and FIM_Contractors OUs.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, type IIF(Eq(employeeStatus, "Active"), 512, 514) (straight quotes, as in the tip above).
Click OK.
On the Destination tab, from the drop-down list select userAccountControl, and then click OK.
Check the Initial Flow Only box next to this rule.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select accountName.
Click OK.
On the Destination tab, from the drop-down list select sAMAccountName, and then click OK.
Check the Initial Flow Only box next to this rule.
Check the Use as Existence Test box next to this rule.
Click Finish, and then click Submit.
Create an All Employees and Contractors Set
Now you will create a set that includes all employees and all contractors.
To create an all employees and contractors set
On the left side of the page, under Management Policy Rules, click Sets.
At the top, click New.
On the General tab, provide the following information, and then click Next:
- Display Name: _ All Employees and Contractors
Note
The “_” is used so that our newly created set will be at the top of the list in the FIM Portal.
On the Criteria-based Members page, provide the following information, and then click Finish:
Select Enable criteria-based membership in current set.
In the Select statement, click all resources, and then, from the drop-down list select user.
In the Select statement, click all, and then, from the drop-down list select any.
Click Add Statement.
Click <Click to select attribute>, and then, from the drop-down list select Employee Type.
Click <click to select value>, and then type Full Time Employee in the text box.
Click Add Statement.
Click <Click to select attribute>, and then, from the drop-down list select Employee Type.
Click <click to select value>, and then type Contractor in the text box.
Click Finish.
Click Submit.
Set Up the AD User Provisioning Workflow
Now you will create the AD User Provisioning workflow.
To set up the AD User Provisioning Workflow
On the left of the page, under Management Policy Rules, click Workflows.
At the top of the page, click New.
On the General tab, provide the following information:
Workflow Name: _ AD User Provision Workflow
Workflow Type: Action
Click Next.
On the Activities tab, perform the following steps:
In the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rules list, from the drop-down list select AD Provisioning Synch Rule.
In the Action Selection options, select Add.
Click Save.
Click Finish, and then click Submit.
Set Up the AD User Provisioning MPR
Now you will create the AD User Provisioning MPR.
To set up the AD User Provisioning MPR
On the left side of the page, click Management Policy Rules.
At the top of the page, click New.
On the General tab, provide the following information:
Display Name: _ AD User Provisioning MPR
Type: Request
Click Next.
On the Requesters and Operations tab, perform the following steps:
Select Specific Set of Requesters. In the text box below Requester is defined as the following user set, type All People, and then click the green check mark.
Under Operation, select Create resource and Modify a single-valued attribute.
Click Next.
On the Target Resources tab, perform the following steps:
In the text box next to Target Resource Definition Before Request, type the following text, and then click the green check mark:
_ All Employees and Contractors
In the text box next to Target Resource Definition After Request, type the following text, and then click the green check mark:
_ All Employees and Contractors
Under Resource Attributes, select Select specific attributes and in the text box type Account Name. Click the green check mark.
Click Next.
On Policy Workflows, perform the following steps:
- Under Action Workflows, select _ AD User Provision Workflow.
Click Finish, and then click Submit.
Set Up the Inbound Synchronization Rule for the AD MA in the FIM Portal
Now you will create the codeless inbound synchronization rule. This allows the objectSid from AD DS to flow into the FIM Portal.
To set up the Inbound Synchronization Rule for the AD MA in the FIM Portal
At the bottom of the left of the page, click Administration. This will bring up the Administration page.
Click Synchronization Rules.
At the top, click New.
On the General tab, in the text box next to Display Name type AD Inbound Synch Rule.
Under Data Flow Direction, select Inbound, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: AD
External System Resource Type: user
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): accountName
ConnectedSystemObject:person(Attribute): sAMAccountName
On the Inbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select objectSid, and then click OK.
On the Destination tab, from the drop-down list select objectSid, and then click OK.
Click Finish, and then click Submit.
Create an Inactive Employees Set
Now you will create the Inactive Employees set. Transitioning into this set will cause the user in AD to be moved into the FIM_Inactive OU and disabled. Transitioning out of this set, say, for example, after 30 days, will cause the user to be removed from AD.
To create an inactive employees set
On the left side of the page, under Management Policy Rules, click Sets.
At the top of the page, click New.
On the General tab, provide the following information, and then click Next:
- Display Name: _ All Inactive Employees
On the Criteria-based Members page, provide the following information, and then click Finish:
Select Enable criteria-based membership in current set.
In the Select statement, click all resources, and then, from the drop-down list select user.
Click Add Statement.
Click <Click to select attribute>, and then, from the drop-down list select EmployeeEndDate.
Click After, and then from the drop-down list select prior to.
Click <click to select value>, and then from the drop-down list select today in the text box.
Click Add Statement.
Click <Click to select attribute>, and then from the drop-down list, select EmployeeEndDate.
Click <click to select value>, and then, from the drop-down list, select x days ago in the text box. Click the 1 and change it to a 3. It should now read 3 days ago.
Click Finish.
Click Submit.
Set Up the AD Make User Inactive Synchronization Rule
In this procedure, you will set up the AD make user inactive synchronization rule.
To set up the AD Make User Inactive Synchronization Rule
At the bottom of the left column, click Administration. This will bring up the Administration page.
Click Synchronization Rules.
At the top, click New.
On the General tab, in the text box next to Display Name, enter AD Make User Inactive Synch Rule.
Under Data Flow Direction, select Outbound, and then click Next.
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: AD
External System Resource Type: user
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): accountName
ConnectedSystemObject:person(Attribute): sAMAccountName
Disconnect FIM resource from external system resource when this Synchronization Rule is removed: select the check box
On the Workflow Parameters screen, click Next.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, enter the following expression (straight quotes, as in the tip above):
IIF(Eq(employeeStatus, "Active"), IIF(Eq(employeeType, "Full Time Employee"), "cn=" + displayName + ",OU=FIM_FTE,DC=corp,DC=contoso,DC=com", "cn=" + displayName + ",OU=FIM_Contractors,DC=corp,DC=contoso,DC=com"), "cn=" + displayName + ",OU=FIM_Inactive,DC=corp,DC=contoso,DC=com")
Click OK.
On the Destination tab, from the drop-down list select dn, and then click OK.
On the Outbound Attribute Flow tab, click New Attribute Flow. This will bring up the Flow Definition page.
On the Source tab, from the drop-down list select CustomExpression.
In the text box that appears, enter IIF(Eq(employeeStatus, "Active"), 512, 514).
Click OK.
On the Destination tab, from the drop-down list select userAccountControl, and then click OK.
Click Finish, and then click Submit.
Set Up the AD Make User Inactive Workflow
Now you will set up the workflow for making a user inactive in Active Directory.
To set up the AD Make User Inactive Workflow
On the left of the page, under Management Policy Rules, click Workflows.
At the top of the page, click New.
On the General tab, provide the following information:
Workflow Name: _ AD Make User Inactive Workflow
Workflow Type: Action
Click Next.
On the Activities tab, perform the following steps:
In the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rules list, from the drop-down list select AD Provisioning Synch Rule.
In the Action Selection options, select Remove.
Click Save.
Click Add Activity.
In the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rules list, from the drop-down list select AD Make User Inactive Synch Rule.
In the Action Selection options, select Add.
Click Save.
Click Finish, and then click Submit.
Set Up the AD Make User Inactive MPR
Now you will create the MPR to associate with the workflow that will make your user inactive in AD.
To set up the AD Make User Inactive MPR
On the left of the page, click Management Policy Rules.
At the top of the page, click New.
On the General tab, provide the following information:
Display Name: _ AD Make User Inactive MPR
Type: Set Transition
Click Next.
On the Transition Definition tab, perform the following steps:
In the box next to Transition Set, type _ All Inactive Employees, and then click the green check mark.
Under Transition Type, select Transition In.
Click Next.
On Policy Workflows, perform the following steps:
- Under Action Workflows, select _ AD Make User Inactive Workflow.
Click Finish, and then click Submit.
Set Up the AD Deprovision Workflow
Now you will set up the workflow that removes a user altogether from AD.
To set up the AD Deprovision Workflow
On the left of the page, under Management Policy Rules, click Workflows.
At the top of the page, click New.
On the General tab, provide the following information:
Workflow Name: _ AD Deprovision Workflow
Workflow Type: Action
Click Next.
On the Activities tab, perform the following steps:
In the Activity Picker, select Synchronization Rule Activity, and then click Select.
In the Synchronization Rules list, from the drop-down list select AD Make User Inactive Synch Rule.
In the Action Selection options, select Remove.
Click Save.
Click Finish, and then click Submit.
Set Up the AD Deprovision MPR
Now you will create the MPR to associate with the workflow that will remove your users from AD.
To set up the AD Deprovision MPR
On the left side of the page, click Management Policy Rules.
At the top of the page, click New.
On the General tab, provide the following information:
Display Name: _ AD Deprovision MPR
Type: Set Transition
Click Next.
On the Transition Definition tab, perform the following steps:
In the text box next to Transition Set, enter _ All Inactive Employees, and then click the green check mark.
Under Transition Type, select Transition Out.
Click Next.
On Policy Workflows, perform the following steps:
- Under Action Workflows, select _ AD Deprovision Workflow.
Click Finish, and then click Submit.
Important
There has been some feedback that the AD Provisioning Synch Rule is not being applied to the pre-existing users in the FIM Portal. Prior to running the management agents in the next step, verify that the AD Provisioning Synch Rule has been applied to our 4 test users. To do this, do the following:
- On FIM1, click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
- In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
- On the left side, click Users.
- On the Users page, in Search for, click the Magnifying Glass icon.
- In the list of users, double-click Test User1.
- At the top, click the Provisioning tab.
- Verify the AD Provisioning Synch Rule is under the Expected Rules List and the Synchronization Rules Status is pending.
If it is not there, use the method below to work around this issue. This will not affect newly created users in the HR database.
- On Test User 1, click the General tab at the top.
- Scroll down and find Account Name.
- Change the value in Account Name from tuser1 to Tuser1.
- Click OK. Click Submit. Repeat this for all four users.
- Verify that the AD Provisioning Synch Rule is under Expected Rules List and that the Synchronization Status is Pending.
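The rules configured in the preceding procedures, modelled in Python as an added example (this is not part of the guide and not FIM code): it reproduces the two dn and userAccountControl custom expressions, the two sets, the Request MPR and the two Set Transition MPRs, so you can predict what the management agent runs below will do to a user. It assumes the metaverse employeeStatus values are "Active" and "Inactive", that the second set criterion kept the default After operator, and uses constructed users and dates.

```python
"""
Added example, not part of the original guide: a Python model of the codeless
rules this lab configures in the FIM Portal. The Person records, dates and the
dictionary standing in for the AD connector space are constructed here for
illustration; nothing contacts FIM or AD DS.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

BASE_DN = "DC=corp,DC=contoso,DC=com"
UAC_NORMAL_ACCOUNT = 512            # ADS_UF_NORMAL_ACCOUNT
UAC_DISABLED = 514                  # 512 | ADS_UF_ACCOUNTDISABLE (0x2)
INACTIVE_WINDOW_DAYS = 3            # the "x days ago" value chosen for the set
PROVISIONING_RULE = "AD Provisioning Synch Rule"
INACTIVE_RULE = "AD Make User Inactive Synch Rule"


@dataclass
class Person:
    """Metaverse person, using the attribute names the sync rules reference."""
    account_name: str
    display_name: str
    employee_status: str                 # assumed values: "Active" or "Inactive"
    employee_type: str                   # "Full Time Employee" or "Contractor"
    employee_end_date: Optional[date] = None
    expected_rules: set = field(default_factory=set)   # Provisioning tab: Expected Rules List


def normalize_quotes(expression: str) -> str:
    """Turn Word smart quotes into the straight quotes the expression syntax
    accepts (the guide's Tip); straight quotes are left untouched."""
    return (expression.replace("\u201c", '"').replace("\u201d", '"')
                      .replace("\u2018", "'").replace("\u2019", "'"))


def dn_flow(p: Person) -> str:
    """The nested IIF(Eq(employeeStatus, "Active"), ...) custom expression."""
    if p.employee_status == "Active":
        ou = "FIM_FTE" if p.employee_type == "Full Time Employee" else "FIM_Contractors"
    else:
        ou = "FIM_Inactive"
    return f"cn={p.display_name},OU={ou},{BASE_DN}"


def uac_flow(p: Person) -> int:
    """IIF(Eq(employeeStatus, "Active"), 512, 514)."""
    return UAC_NORMAL_ACCOUNT if p.employee_status == "Active" else UAC_DISABLED


def in_employees_and_contractors(p: Person) -> bool:
    """'_ All Employees and Contractors': Employee Type is FTE or Contractor."""
    return p.employee_type in ("Full Time Employee", "Contractor")


def in_inactive_set(p: Person, today: date) -> bool:
    """'_ All Inactive Employees': EmployeeEndDate prior to today AND after 3 days ago."""
    if p.employee_end_date is None:
        return False
    return today - timedelta(days=INACTIVE_WINDOW_DAYS) < p.employee_end_date < today


def on_request(p: Person, operation: str) -> None:
    """'_ AD User Provisioning MPR' (Request): Create or a modify of Account Name on a
    member of '_ All Employees and Contractors' adds the provisioning rule. This is why
    the guide's workaround of editing Account Name re-triggers it for existing users."""
    if operation in ("Create", "Modify Account Name") and in_employees_and_contractors(p):
        p.expected_rules.add(PROVISIONING_RULE)


def on_set_transition(p: Person, today: date, was_inactive: bool) -> bool:
    """The two Set Transition MPRs on '_ All Inactive Employees'; returns the new
    membership so the caller can pass it back in as was_inactive next time."""
    is_inactive = in_inactive_set(p, today)
    if is_inactive and not was_inactive:             # Transition In: swap the rules
        p.expected_rules.discard(PROVISIONING_RULE)
        p.expected_rules.add(INACTIVE_RULE)
    elif was_inactive and not is_inactive:           # Transition Out: remove the last rule
        p.expected_rules.discard(INACTIVE_RULE)
    return is_inactive


def export_to_ad(p: Person, ad: dict) -> None:
    """What the AD MA export does for p, given its rules. ad maps accountName to
    {"dn", "userAccountControl"} and stands in for the AD connector space."""
    if PROVISIONING_RULE in p.expected_rules:
        if p.account_name not in ad:      # creation: every flow, initial-only ones included
            ad[p.account_name] = {"dn": dn_flow(p), "userAccountControl": uac_flow(p)}
        else:                             # only the non-initial dn flow: OU move, UAC unchanged
            ad[p.account_name]["dn"] = dn_flow(p)
    elif INACTIVE_RULE in p.expected_rules and p.account_name in ad:
        # No "Create Resource" on this rule, so it only updates an existing account.
        ad[p.account_name] = {"dn": dn_flow(p), "userAccountControl": uac_flow(p)}
    elif p.account_name in ad:
        del ad[p.account_name]            # rule removed -> disconnect -> staged delete
```

Walking Test User1 through Active, terminated yesterday, and terminated five days ago reproduces Tests 2 and 3 below: FIM_FTE with 512, then FIM_Inactive with 514, then no account in AD.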
Run the HR, FIM, and AD Management Agents
Now you are going to run your management agents. This will populate the FIM Portal and AD DS.
To run the HR, FIM, and AD management agents
In the Synchronization Service Manager, at the top, under Management Agents, click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Repeat the steps above for each item listed in the following table. You need to allow one management agent run to complete before doing the next one.
Management agent: run profile
- HR: Full Import
- FIM: Full Import
- AD: Full Import
- HR: Full Synchronization
- FIM: Export
- FIM: Full Import
- FIM: Full Synchronization
- AD: Export
- AD: Full Import
- AD: Full Synchronization
Step 6: Verifying the Configuration
In this section, you will modify the attributes of a user and then observe how the policy rules and management agents that you defined previously affect the user’s state.
Test 1
In this test, you will change a user’s employee type from Contractor to Full Time, and then run management agents to move the user to the appropriate folder in AD DS.
Verifying the Current User State in AD DS
In this procedure, you will verify that Test User3 resides in the FIM_Contractors folder.
To verify the current user state in AD DS
Log on to DC1 as corp\Administrator.
Click Start, select Administrative Tools, and then click Active Directory Users and Computers. This will open the Active Directory Users and Computers MMC.
Click FIM_Contractors and verify that Test User3 is in the folder.
Important
Do not log off of DC1, as you will need to refer to it in later steps.
Changing the Status of the User
In this procedure, you will change the employee type of Test User3 from Contractor to Full Time.
To change the status of the user
Log on to APP1 as corp\Administrator.
Click Start, click All Programs, click Microsoft SQL Server 2008 R2, and then click SQL Server Management Studio. This will launch SQL Server Management Studio.
On the Connect to Server dialog box, under Server Type select Database Engine.
On the Connect to Server dialog box, under Server name select APP1.
On the Connect to Server dialog box, under Authentication select Windows Authentication.
Click Connect. This should be successful and the database information will be displayed on the left.
At the top of the page, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
```
USE [HR]
GO
UPDATE Employees SET EmployeeType = 'F' WHERE EmployeeNumber = '1103'
```
At the top of the page, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
Note
Do not log off of APP1, as you will need to refer to it in later steps.
Running the Management Agents
In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User3, and apply the appropriate policy rules to move the user to a new folder.
To run the management agents
Log on to FIM1 as corp\Administrator.
Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service. This will launch Synchronization Service Manager.
At the top of the page, click Management Agents, and then click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Using the same steps as above (click the management agent, click Run, select the run profile), run the following management agent run profiles in order.
Management agent: run profile
- HR: Full Synchronization
- FIM: Export
- FIM: Full Import
- FIM: Full Synchronization
- AD: Export
- AD: Full Import
- AD: Full Synchronization
Note
Do not log off of FIM1, as you will need to refer to it in later steps.
Verifying the Changes in AD DS
In this step, you will verify that Test User3 was successfully moved to a new folder.
To verify the changes in AD DS
- On DC1, in Active Directory Users and Computers, click FIM_FTE and verify that Test User3 is now in that folder and is no longer in the FIM_Contractors folder.
Test 2
In this test, you will change a user’s employee status from Active to Inactive, and then run management agents to move the user to the appropriate folder in AD DS.
Verifying the Current User State in AD DS
In this procedure, you will verify that Test User1 resides in the FIM_FTE.
To verify the current user state in AD DS
- On DC1, in Active Directory Users and Computers, click FIM_FTE and verify that Test User1 is in the folder.
Changing the Status of the User
In this procedure, you will change the employee status of Test User1 from Active to Inactive, with a termination date of one day before today.
To change the status of the user
On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
Important
Replace the date in the following code with yesterday’s date using the format yyyy-mm-dd.
```
USE [HR]
GO
UPDATE Employees SET EmploymentStatus = 'T' WHERE EmployeeNumber = '1101'
UPDATE Employees SET EndDate = '2011-02-02' WHERE EmployeeNumber = '1101'
```
- At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
Running the Management Agents
In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to move the user to a new folder.
To run the management agents
In Synchronization Service Manager, at the top, click Management Agents, and then click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Using the same steps as above (click the management agent, click Run, select the run profile), run the following management agent run profiles in order.
Management agent: run profile
- HR: Full Synchronization
- FIM: Export
- FIM: Full Import
- FIM: Full Synchronization
- AD: Export
- AD: Full Import
- AD: Full Synchronization
Verifying the Changes in AD
In this step, you will verify that Test User1 was successfully moved to a new folder.
To verify the changes in AD
- On DC1, in Active Directory Users and Computers, click FIM_Inactive and verify that Test User1 is now in that folder and is no longer in the FIM_FTE folder.
Test 3
In this test, you will move a user’s EndDate back to five days before today, and then run management agents to remove the user from AD DS.
Changing the Status of the User
In this procedure, you will change the EndDate of Test User1, with a termination date of five days before today.
To change the status of the user
On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
Important
Replace the date in the following code with a date five days before today, using the format yyyy-mm-dd.
```
USE [HR]
GO
UPDATE Employees SET EndDate = '2011-01-27' WHERE EmployeeNumber = '1101'
```
- At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
Running the Management Agents
In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to remove the user from AD DS.
To run the management agents
In Synchronization Service Manager, at the top, click Management Agents, and then click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Using the same steps as above (click the management agent, click Run, select the run profile), run the following management agent run profiles in order.
Management agent: run profile
- HR: Full Synchronization
- FIM: Export
- FIM: Full Import
- FIM: Full Synchronization
- AD: Export
- AD: Full Import
- AD: Full Synchronization
Verifying the Changes in AD
In this step, you will verify that Test User1 was successfully removed from AD DS.
To verify the changes in AD
- On DC1, in Active Directory Users and Computers, click FIM_Inactive and verify that Test User1 has been removed from that folder and is no longer in AD DS.
Test 4
In this test, you will move a user’s EndDate back to at least 45 days before today, and then run management agents to remove the user from the FIM database.
Verifying the User in the FIM Portal
In this procedure, you will verify that Test User1 is still in the FIM Service database.
To verify the user in the FIM Portal
On FIM1, click Start, click All Programs, and then click Internet Explorer (64-bit). This will open Internet Explorer.
In the Internet Explorer toolbar, enter https://fim1/identitymanagement in the address box, and then hit Enter. This will bring up the Forefront Identity Manager 2010 home page.
On the left side, click Users.
On the Users page, in Search for, click the Magnifying Glass icon.
In the list of users, verify that Test User1 is there. Note that even though the user was removed from AD DS, it is still in the FIM Service database.
Leave the FIM Portal on the Users page.
Changing the Status of the User
In this procedure, you will change the EndDate of Test User1, with a termination date of at least 45 days before today.
To change the status of the user
On APP1, in SQL Server Management Studio, click New Query. SQL Server Management Studio will populate the center with a blank white screen. There will be a blinking cursor at the top of this white center pane.
Copy the following code into the center pane.
Important
Replace the date in the following code with a date at least 45 days before today.
```
USE [HR]
GO
UPDATE Employees SET EndDate = '2010-01-27' WHERE EmployeeNumber = '1101'
```
- At the top, click Execute. This will take a moment and you should see Command(s) completed successfully in the lower part of the center pane.
Running the Management Agents
In this step, you will run a sequence of management agents that will detect and synchronize the changes in Test User1, and apply the appropriate policy rules to remove the user from AD DS.
To run the management agents
In Synchronization Service Manager, at the top, click Management Agents, and then click HR.
On the right, under Actions menu, click Run. This opens the Run Management Agent window.
From the list, select Full Import, and then click OK. This will take a moment. It should finish with Synchronization Statistics in the lower left window and no errors.
Using the same steps as above (click the management agent, click Run, select the run profile), run the following management agent run profiles in order.
Management agent: run profile
- HR: Full Synchronization
- FIM: Export
- FIM: Full Import
- FIM: Full Synchronization
Verifying the Changes in the FIM Portal
In this step, you will verify that Test User1 was successfully removed from the FIM database.
To verify the changes in the FIM Portal
On FIM1, in the FIM Portal on the Users page, in Search for, click the Magnifying Glass icon to refresh the list.
In the list of users, verify that Test User1 has been removed.