Steps for Deploying Cross-Forest Management Solution Using Forefront Identity Manager (FIM) 2010
Updated: June 3, 2010
Applies To: Forefront Identity Manager 2010
This document provides step-by-step instructions for implementing a cross-forest management solution by using Microsoft® Forefront® Identity Manager (FIM) 2010.
Important
As with any solution, it is important to try this solution in a test environment before you deploy it into your production environment.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:
Managing Active Directory® Domain Services (AD DS), including managing organizational units, groups and users, and domain controllers
A basic understanding of Windows SharePoint® Services 3.0
Managing users and groups using FIM 2010, as outlined in the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850)
Managing security groups by using FIM 2010, as outlined in the Introduction to Security Group Management (https://go.microsoft.com/fwlink/?LinkId=165851)
Managing distribution groups by using FIM 2010, as outlined in the Introduction to Distribution Group Management (https://go.microsoft.com/fwlink/?LinkId=165852)
Familiarity with management policy rules, as outlined in the Introduction to Management Policy Rules (https://go.microsoft.com/fwlink/?LinkId=165856)
Managing custom attributes as outlined in the Introduction to Custom Resource and Attribute Management (https://go.microsoft.com/fwlink/?LinkId=165857)
Managing inbound synchronization rules, as outlined in the Introduction to Inbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=165858)
Managing outbound synchronization rules, as outlined in the Introduction to Outbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=165859)
Managing request management as outlined in the Introduction to Request Management (https://go.microsoft.com/fwlink/?LinkId=165862)
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkId=187028). For an introduction to essential FIM 2010 concepts, see the documents in the Getting Started (https://go.microsoft.com/fwlink/?LinkId=188283) collection of the FIM 2010 technical library.
A description of how to set up FIM 2010 and AD DS is out of the scope of this document.
Time Requirements
The procedures in this document require 120 to 180 minutes for a new user to complete.
Note
These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.
Audience
This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to develop and deploy a cross-forest solution by using FIM 2010.
Testing Environment
The following lab environment is recommended to test the procedures in this topic:
Windows Server 2008 domain controller hosting the Fabrikam.com domain
Windows Server 2008 domain controller hosting the Contoso.com domain
Note
To correctly implement the solution in this document, there must be a two-way forest trust established between the Fabrikam.com and Contoso.com forests.
Windows Server 2008 server hosting FIM 2010. For the purposes of this scenario, this server is joined to the Fabrikam.com domain.
Implementing the procedures in this document
To implement the procedures in this document, you must complete the following steps in the following order:
Configure Windows SharePoint Services 3.0 Portal
Create string version of objectSid in the FIM Portal
Create Binding to objectSid Attribute
Map objectSIDString between FIM and the Synchronization Engine
Configure the Administrator Filter Scope
Create Forest Configuration Objects
Create FSP Sets
Create Domain Configuration Objects
Create All Domains in Forest Sets
Create the Contact Sets for Each Forest
Create Cross-Forest Group Membership Calculation Workflow and Management Policy Rule
Create Active Directory Management Agents
Enable Codeless Provisioning
AD DS User Provisioning
Sets for AD DS Objects
Create AD DS Synchronization Rules
Create Synchronization Workflow and Management Policies
Configure Windows SharePoint Services 3.0 Portal
Normally, FIM is configured to allow access for authenticated users to the SharePoint portal. This allows all users from trusted domains access to the portal as well. If you have changed the default settings, ensure that all users who need to access the FIM Portal have Read permissions to the SharePoint site.
Create string version of objectSid in the FIM Portal
To create Foreign Security Principals (FSPs) in AD DS, the objectSid of the user or group object that the FSP references must be available. Therefore, the provisioning sets for FSPs need to include the objectSid attribute to ensure that it contains a value. However, objectSid in FIM is of the Binary data type, and set criteria cannot include operations on binary attributes. Therefore, a string version of objectSid, which set criteria can reference, needs to be created both in FIM and in the synchronization engine metaverse to hold the string value of the objectSid.
To create the string version of objectSid in the FIM Portal:
Open the FIM Portal, click Administration, click All Attributes, and then click New.
Enter the details for the new attribute shown in the following table, and then click Next.
System Name: A meaningful name for the attribute such as objectSidString
Display name: A meaningful name for the attribute such as objectSidString
Data type: Indexed string
For any field in the user interface (UI) that does not have a value in the table, accept the default settings.
Create Binding to objectSid Attribute
In the following procedures, you bind the objectSidString attribute that you created in the Create string version of objectSid in the FIM Portal procedure earlier in this document to the Person and Group objects in the FIM Portal.
To create the binding for this attribute to Person object in the FIM Portal
Open the FIM Portal, click Administration, click All Attributes, and then click New.
Enter the details for the new binding shown in the following table, click Finish, and then click Next.
Resource type: User
Attribute type: The attribute name created above such as objectSidString
Required: Cleared
For any field in the UI that does not have a value in the table, accept the default settings.
To create the binding for this attribute to the Group object in the FIM Portal
Open the FIM Portal, click Administration, click Schema Management, click All Bindings, and then click New.
Enter the details for the new binding shown in the following table, click Finish, and then click Next.
Resource Type: User
Attribute Type: The attribute name created above such as objectSidString
Required: Cleared
For any field in the UI that does not have a value in the table, accept the default settings.
Create String Version of objectSid in the Synchronization Engine
In the following procedure, you create the string version of the objectSid attribute in the synchronization engine.
To create the string version of objectSid in the synchronization engine
Open Microsoft Forefront Identity Manager, and then click Synchronization Service.
Click the Metaverse Designer tab, and then in the Object Types list box, select person.
In the Actions menu, click Add Attribute, and then click New Attribute.
Enter the details for the new binding shown in the following table, and then click OK.
Attribute name: The attribute name created above such as objectSidString
Attribute type: String (indexable)
Multivalued: Cleared
Required: Cleared
In the Object Types list box, select Group, and then in Actions, click Add Attribute.
In the list of Available attributes, select the new attribute, objectSidString, and then click OK.
Close Synchronization Service Manager.
Map objectSIDString between FIM and the Synchronization Engine
In the following procedure, you map the attribute, objectSidString, between FIM and the synchronization engine.
To map the objectSidString between FIM and the synchronization engine
Open Microsoft Forefront Identity Manager, click Synchronization Service, click the Management Agents tab, and then select the FIM Service Management Agent.
On the Actions menu, click Refresh Schema, enter any credentials as necessary, and then click OK.
On the Actions menu, click Properties, click Select Attributes, and then select the Person grouping from the Configure Attribute Flow table.
In the Data source attribute list, select objectSidString. In the Metaverse attribute list, select objectSidString, and then in the Flow Direction grouping, click Export. Click New.
In the Configure Attribute Flow table, select the Group grouping. In the Data source attribute list, select objectSidString. In the Metaverse attribute list, select objectSidString. In the Flow Direction grouping, click Export, click New, and then click OK.
Configure the Administrator Filter Scope
To create the Forest configuration sets, the Administrator Filter Scope object must include the ForestConfiguration, DomainConfiguration, and ObjectSidString attributes.
To edit the Administrator Filter Scope object
Open the FIM Portal, click Administration, click All resources, click Filter Scope, and then select Administrator Filter Permission.
Click the Permitted Filter Attributes tab, add the information in the following table to the text box located next to Allowed Attributes, click OK, and then click Submit.
Allowed attributes: Forest Configuration, Domain Configuration, objectSidString
Create Forest Configuration Objects
For each forest, you need to create a Forest Configuration object.
To create a new Forest Configuration
Open the FIM Portal, click Administration, click All resources, click Forest Configuration, and then click New.
Enter the details for the new forest shown in the following table, click Next, and then click Submit.
Display name: A meaningful name for the forest such as Fabrikam.com Forest.
Description: A meaningful description such as Fabrikam.com Forest Configuration Object.
Trusted forests: Browse to any Forest Configuration objects that this AD DS forest has been configured to trust. You may need to return and edit this if the Forest Configuration for the trusted forest does not yet exist.
Distribution group domain: Leave this blank.
Contacts set: Leave this blank for now.
Repeat these steps for each Active Directory forest. For our example, use the steps above to create a new Forest Configuration object for the Contoso.com forest.
Create FSP Sets
For each domain, you need to create the FSP set now and configure the domain configuration objects later to reference those sets.
To create FSP sets
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Domain Local Security Group members not in Fabrikam.com Domain (FSPs)
Description: A meaningful description such as Fabrikam.com Domain FSPs Set
Enable criteria-based membership in current set: Cleared
Repeat this same procedure to create the FSP set for the Contoso.com forest.
Create Domain Configuration Objects
For each domain, create a Domain Configuration object.
To create a new domain configuration object
Open the FIM Portal, click Administration, click All resources, click Domain Configuration, and then click New.
Enter the details for the new domain as shown in the following table, and then click OK and Submit.
Display name: A meaningful name for the domain such as Fabrikam.com Domain.
Domain: The Network Basic Input/Output System (NetBIOS) domain name for this domain such as FABRIKAM
Forest configuration: Browse to the Forest Configuration object you created for this forest.
FSP set: Browse to the FSP set you created for this domain in the Create FSP Sets section earlier in this document, and click OK.
Repeat these steps for each Active Directory domain. For our example, create the domain configuration object for the Contoso.com domain.
Create All Domains in Forest Sets
For each forest, you need to create a set that contains all the domains in that forest.
To create the All Domains in a Forest set
Open the FIM Portal, and create a Set with the following details:
Display name: A meaningful name for the set such as All Domain Configuration Objects in Fabrikam.com Forest
Description: A meaningful description such as All domains in Fabrikam.com forest
Criteria-based Members, Enable criteria-based membership in current set: Enabled
Criteria: Domain Configuration where Forest Configuration is the Fabrikam.com Forest Configuration object
Repeat these steps for each Active Directory forest. For our example, create the same set for Contoso.com.
Create the Contact Sets for Each Forest
For each forest, you need to create the following contact sets:
All Users NOT in a Forest
All Groups NOT in a Forest
All Users and Groups NOT in a Forest
To create the All Users NOT in a Forest set
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Users NOT in Fabrikam.com Forest (Contacts)
Description: A meaningful description such as Fabrikam.com Forest Contact Sets
Criteria-based Members, Enable criteria-based membership in current set: Enabled
Criteria: User where Domain Configuration not in All Domain Configuration Objects in Fabrikam.com Forest
Repeat this same procedure to create the same Set for the Contoso.com forest.
To create All Groups NOT in a Forest set
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Groups NOT in Fabrikam.com Forest (Contacts)
Description: A meaningful description such as All Groups NOT in Fabrikam.com Forest (Contacts)
Criteria-based Members, Enable criteria-based membership in current set: Enabled
Criteria: Group where Domain Configuration not in All Domain Configuration Objects in Fabrikam.com Forest
Repeat this same procedure to create the same set for the Contoso.com forest.
To create All Groups and Users NOT in Forest set
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Users and Groups NOT in Fabrikam.com Forest (Contacts)
Description: A meaningful description such as All Users and Groups NOT in Fabrikam.com Forest (Contacts)
Criteria-based Members, Enable criteria-based membership in current set: Enabled
Criteria: all resources that match any of the following conditions:
- Resource ID in All Users NOT in Fabrikam.com Forest (Contacts)
- Resource ID in All Groups NOT in Fabrikam.com Forest (Contacts)
Create Cross-Forest Group Membership Calculation Workflow and Management Policy Rule
To enable management of the FSP set, you must create a workflow, Set, and Management Policy Rule (MPR) that uses the Group Member Validation activity.
To create the workflow
Create a new file called GroupMemberValidation.xaml with the following content, where 4.0.2592.0 is the version of FIM installed:
    <ns0:SequentialWorkflow x:Name="SequentialWorkflow"
        ActorId="00000000-0000-0000-0000-000000000000"
        WorkflowDefinitionId="00000000-0000-0000-0000-000000000000"
        RequestId="00000000-0000-0000-0000-000000000000"
        TargetId="00000000-0000-0000-0000-000000000000"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:ns0="clr-namespace:Microsoft.ResourceManagement.Workflow.Activities;Assembly=Microsoft.ResourceManagement, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
      <ns0:GroupMembershipValidationActivity />
    </ns0:SequentialWorkflow>
Open the FIM Portal and create a workflow with the following details:
Display name: A meaningful name for the workflow such as Cross Forest Group Membership Calculation Workflow
Description: A meaningful description such as Cross Forest Group Membership Calculation Workflow
Workflow type: Action
Run-on policy update: Cleared
Import pre-existing workflow definition from a XOML file (located on the Activities tab): Selected
File to import: GroupMemberValidation.xaml
In the following procedure, you create the All Domain Local Groups set.
To create the All Domain Local Groups set
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Domain Local Groups
Description: A meaningful description such as All Domain Local Groups
Enable criteria-based membership in current set (located on the Criteria-based Members tab): Selected
Criteria: Groups where Scope is DomainLocal (this value must be entered manually)
In the following procedure, you create the MPR.
To create the MPR
Open the FIM Portal and create an MPR with the details shown in the following table.
Display name: A meaningful name for the MPR such as Cross Forest Group Membership Calculation Policy
Description: A meaningful description such as Cross Forest Group Membership Calculation Policy
Type: Request
Specific set of Requestors: All People
Create resource: Selected
Delete resource: Cleared
Read resource: Cleared
Add a value to a multivalued attribute: Selected
Remove a value from a multivalued attribute: Cleared
Modify a single-valued attribute: Cleared
Grants permissions: Cleared
Target resource definition before request: All Domain Local Groups
Target resource definition after request (Specific set of objects): All Domain Local Groups
Resource attributes (Select specific attributes): Manually-managed membership
Authentication workflows: None (clear all boxes)
Authorization workflows: None (clear all boxes)
Action workflow: Cross-Forest Group Membership Calculation workflow
Create Active Directory Management Agents
To create the management agents for AD DS, you first create the management agents and then create the necessary run profiles for those agents. For any field not listed in the following procedures, accept the default value.
To create management agents
Open Synchronization Service Manager and create a management agent, except for the fields noted in the following table, using the procedure in the “Creating the Fabrikam ADMA” section of the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide.
Dialog box: Configure directory partitions -> containers
Field: Select containers
Value: The containers to be synchronized, such as Users and ForeignSecurityPrincipals. Only select the ForeignSecurityPrincipals container for the domain that contains or will contain the greatest number of Domain Local security groups.
Dialog box: Select object types
Field: Object types
Value: In addition to the objects selected in the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide, select the following:
contact
container
domainDNS
foreignSecurityPrincipal (click Show All to expose the foreignSecurityPrincipal selection)
organizationUser
Dialog box: Select attributes
Field: Attributes
Value: In addition to the attributes selected in the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide, choose the following:
assistant
cn
co
company
department
description
facsimileTelephoneNumber
homeMDB
info
l (lower case “L”)
mail
mailNickname
managedBy
manager
mDBUseDefaults
middleName
mobile
msExchRecipientDisplayType
name
physicalDeliveryOfficeName
postalAddress
postalCode
secretary
sIDHistory
telephoneNumber
title
Dialog box: Configure Join and Projection
Field: Join and Projection rules for Contact
Value:
Action: Join; Metaverse object type: person; Condition: Data Source attribute mailNickname, Metaverse attribute mailNickname
Action: Join; Metaverse object type: group; Condition: Data Source attribute mailNickname, Metaverse attribute mailNickname
Dialog box: Configure Join and Projection
Field: Join and Projection rules for ForeignSecurityPrincipal
Value:
Action: Join; Metaverse object type: person; Condition: Data Source attribute cn, Metaverse attribute objectSidString
Action: Join; Metaverse object type: group; Condition: Data Source attribute cn, Metaverse attribute objectSidString
Repeat these steps for each Active Directory domain. For our example, create the same management agent for the Contoso.com domain.
After creating the management agents for both domains, you need to create the following run profiles for each management agent:
Full Import
Full Synchronization
Delta Import / Delta Synchronization
Export
For step-by-step instructions about configuring these run profiles, see the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide. See the section titled “Creating the Fabrikam ADMA.”
Enable Codeless Provisioning
To enable a synchronization rule to provision objects, you need to enable codeless provisioning.
To enable codeless provisioning
- Open Synchronization Service Manager, and on the Tools menu, select Options. Select the Enable Synchronization Rule Provisioning check box.
AD DS User Provisioning
For each domain, you need to enable Active Directory user provisioning. To do this, you must create the following:
AD DS Users Provisioning Set
AD DS Users Provisioning Synchronization Rule
AD DS Users Provisioning Workflow
AD DS Users Provisioning Policy
For information about how to create the items listed for Active Directory user provisioning, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).
Sets for AD DS Objects
For each Active Directory domain, you need to create sets that contain the following objects:
AD DS Security Groups set
AD DS Distribution Lists set
AD DS FSP set for members
AD DS Contacts set for Users
AD DS contacts set for distribution lists
AD DS Contacts set for mail-enabled security groups
AD DS Security Groups set
For each domain, you need to create the set that contains the Security Groups in FIM that need group objects in AD DS.
To create the Active Directory Security Groups set
Open the FIM Portal and create an MPR with the details shown in the following table.
Display name: A meaningful name for the set such as All Security Groups in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain Security Groups Set
Enable criteria-based membership in current set: Selected
Criteria: All Groups where:
- Type is Security
- Domain is Fabrikam
Static members: Leave this blank.
Repeat these steps for each Active Directory domain.
AD DS Distribution Lists set
For each domain, you need to create the set that contains the distribution lists in FIM that need group objects in AD DS.
To create Active Directory Distribution Lists sets
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Distribution Lists in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain Distribution Lists Set
Enable criteria-based membership in current set: Selected
Criteria: All Groups where:
- Type is Distribution
- Domain is Fabrikam
Static members: Leave this blank.
Repeat these steps for each Active Directory domain.
AD DS FSP set for members
For each domain, you need to create the set that contains the Users and Security Groups in FIM that need FSPs in AD DS.
To create Active Directory People FSPs sets
Open the FIM Portal and create a set with the details as shown in the following table.
Display name: A meaningful name for the set such as All People and Group members not in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain People and Groups Foreign Security Principals Set
Enable criteria-based membership in current set: Leave this blank (not enabled).
Static members: Leave this blank.
The Resource ID should be in the FSP set that is associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (FSPs) set, since this set provisions FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.
Repeat these steps for each Active Directory domain.
AD DS Contacts set for Users
For each domain, you need to create the set that contains the People in FIM that need contact objects in a remote forest.
To create the AD DS set for Users
Open the FIM Portal and create a set with the details shown in the following table, and then click Finish and Submit.
Display name: A meaningful name for the set such as All User Contacts in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain User Contacts Set
Enable criteria-based membership: Selected
Criteria: All People where:
- Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)
- Email contains @
Static members: Leave this blank.
The Resource ID should be in the Contact set that is associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, since this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.
Repeat these steps for each Active Directory domain.
AD DS contacts set for distribution lists
For each domain, you need to create the set that contains the distribution lists in FIM that need contact objects in a remote forest.
To create the AD DS contacts set for distribution lists
Open the FIM Portal and create a set with the details shown in the following table.
Display name: A meaningful name for the set such as All Distribution List Contacts in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain Distribution List Contacts Set
Enable criteria-based membership: Selected
Criteria: All Groups where:
- Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)
- Type is Distribution
- Email contains @
Static members: Leave this blank.
The Resource ID should be in the Contact set associated with the forest that contains the domain for which this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, since this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.
Repeat these steps for each Active Directory domain.
AD DS Contacts set for mail-enabled security groups
For each domain, you need to create the set that contains the mail-enabled security groups in FIM that needs contact objects in a remote forest. There is no need to create contact objects for non-mail-enabled security groups.
To create an AD DS Contacts set for mail-enabled security groups
Open the FIM Portal and create a set with the following details:
Display name: A meaningful name for the set such as All Security Group Contacts in Fabrikam.com Domain
Description: A meaningful description such as Fabrikam.com Domain Security Group Contacts Set
Enable criteria-based membership: Selected
Criteria: All Groups where:
- Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)
- Type is MailEnabledSecurity
- Email contains @
Static members: Leave this blank.
The Resource ID should be in the Contact set associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, since this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.
Repeat these steps for each Active Directory domain.
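The sets built in the Create the Contact Sets for Each Forest section and in the Sets for AD DS Objects section above decide which FIM objects get a contact in a remote forest and which get an FSP. The following Python model is an added example, not part of this guide or of FIM: it evaluates those set criteria over constructed sample users and groups in the page's Fabrikam.com and Contoso.com domains, so you can reason about the outcome before wiring the real sets. The domain-to-forest mapping, the object names and the e-mail addresses are all constructed, and the model assumes, as the FSP set name implies, that only Domain Local group members from another forest need an FSP.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample Domain Configuration -> Forest Configuration mapping,
# mirroring the Fabrikam.com / Contoso.com lab in this guide.
DOMAIN_FOREST: Dict[str, str] = {
    "FABRIKAM": "Fabrikam.com Forest",
    "CONTOSO": "Contoso.com Forest",
}


@dataclass
class Resource:
    """A FIM Person or Group with just the attributes the set criteria reference."""
    name: str
    kind: str                  # "user" or "group"
    domain: str                # Domain Configuration (NetBIOS name)
    email: str = ""            # empty means not mail-enabled
    group_type: str = ""       # Security, Distribution or MailEnabledSecurity
    scope: str = ""            # DomainLocal, Global or Universal
    members: List[str] = field(default_factory=list)


def domains_in_forest(forest: str) -> Set[str]:
    """The 'All Domain Configuration Objects in <forest>' set."""
    return {d for d, f in DOMAIN_FOREST.items() if f == forest}


def not_in_forest(resources, forest: str, kind: str) -> Set[str]:
    """'All Users NOT in <forest> (Contacts)' or 'All Groups NOT in <forest> (Contacts)'."""
    local = domains_in_forest(forest)
    return {r.name for r in resources if r.kind == kind and r.domain not in local}


def contacts_for_domain(resources, domain: str) -> Set[str]:
    """Union of the three per-domain contact sets: user contacts, distribution
    list contacts and mail-enabled security group contacts. Each of them also
    requires 'Email contains @', so objects without a mail address get no contact."""
    forest = DOMAIN_FOREST[domain]
    foreign = not_in_forest(resources, forest, "user") | not_in_forest(resources, forest, "group")
    chosen = set()
    for r in resources:
        if r.name not in foreign or "@" not in r.email:
            continue
        if r.kind == "user" or r.group_type in ("Distribution", "MailEnabledSecurity"):
            chosen.add(r.name)
    return chosen


def fsp_members_for_domain(resources, domain: str) -> Set[str]:
    """What the cross-forest group membership calculation adds to the domain's
    FSP set: members of Domain Local groups in this domain that live in another
    forest (assumption: same-forest members need no FSP)."""
    by_name = {r.name: r for r in resources}
    local = domains_in_forest(DOMAIN_FOREST[domain])
    chosen = set()
    for g in resources:
        if g.kind != "group" or g.scope != "DomainLocal" or g.domain != domain:
            continue
        for m in g.members:
            if by_name[m].domain not in local:
                chosen.add(m)
    return chosen


# Constructed sample directory content.
SAMPLE = [
    Resource("fab_alice", "user", "FABRIKAM", "alice@fabrikam.com"),
    Resource("con_bob", "user", "CONTOSO", "bob@contoso.com"),
    Resource("con_carol", "user", "CONTOSO"),                      # no mailbox
    Resource("con_sales", "group", "CONTOSO", "sales@contoso.com", "Distribution", "Universal"),
    Resource("con_admins", "group", "CONTOSO", "", "Security", "Global"),
    Resource("fab_fileshare", "group", "FABRIKAM", "", "Security", "DomainLocal",
             ["fab_alice", "con_bob", "con_admins"]),
]

if __name__ == "__main__":
    for d in DOMAIN_FOREST:
        print(d, "contacts:", sorted(contacts_for_domain(SAMPLE, d)))
        print(d, "FSPs:", sorted(fsp_members_for_domain(SAMPLE, d)))
```

Running the model on the sample shows the two mechanisms are disjoint: con_admins is a non-mail-enabled security group, so it never gets a contact in Fabrikam.com, but because it is a member of a Fabrikam.com Domain Local group it does get an FSP there; con_carol, who has no mailbox and is in no Domain Local group, gets neither.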
Create AD DS Synchronization Rules
To enable AD DS provisioning, a number of synchronization rules need to be created. You need synchronization rules to provision:
AD DS users
AD DS security groups
AD DS distribution lists
AD DS user FSPs
AD DS group FSPs
AD DS user contacts
AD DS mail-enabled security group contacts
AD DS distribution lists contacts
AD DS users
For each domain, you need to create the synchronization rule that creates an Active Directory user account.
For information about how to create the synchronization rules for AD DS user provisioning, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).
AD DS security groups
For each domain, you need to create the synchronization rule that creates an Active Directory security group.
For information about how to create the synchronization rules for AD DS security group provisioning, see Introduction to Security Group Management (https://go.microsoft.com/fwlink/?LinkId=165851).
AD DS distribution lists
For each domain, you need to create the synchronization rule that creates Active Directory distribution lists.
For information about how to create the synchronization rules for AD DS provisioning, see Introduction to Distribution Group Management (https://go.microsoft.com/fwlink/?LinkId=165852).
AD DS user FSPs
For each domain, you need to create the synchronization rule that creates AD DS FSPs for users.
To create the synchronization rule for Active Directory user FSPs
Open the FIM Portal and create a synchronization rule with the details shown in the following table.
Display name: A meaningful name for the synchronization rule such as AD User Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule
Description: A meaningful description such as Fabrikam.com Domain AD User Foreign Security Principals Provision Sync Rule
Dependency: Default setting
Data flow direction: Outbound
Metaverse resource type: Person
External system: Domain for which you are configuring the synchronization rule
External system resource type: foreignSecurityPrincipal
Relationship criteria:
MetaverseObject:person(Attribute): objectSidString
ConnectedSystemObject:user(Attribute): cn
Create resource in external system: Selected
Enable deprovisioning: Selected
Workflow parameters: Default settings
Outbound attribute flow (initial flow only):
Source (concatenation of):
- Custom Expression: "CN="
- Function: ConvertSidToString(objectSid)
- Custom Expression: ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com"
Destination: Dn
Allow null: Cleared
Outbound attribute flow:
Source: displayName
Destination: displayName
Allow null: Cleared
Repeat these steps for each Active Directory domain.
The DN suffix for the FSP synchronization rule should be the domain that contains or will contain the greatest number of Domain Local security groups.
AD DS group FSPs
For each domain, you need to create the synchronization rule that creates AD DS FSPs for groups.
To create the synchronization rule for Active Directory group FSPs
Open the FIM Portal and create a synchronization rule with the following details:
Attribute Value Display name
A meaningful name for the set such as AD Group Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule
Description
A meaningful description such as Fabrikam.com Domain AD Group Foreign Security Principals Provision Sync Rule
Dependency
Default Setting
Data flow direction
Outbound
Metaverse resource type
Group
External system
Fabrikam ADMA
External system resource type
foreignSecurityPrincipal
Relationship criteria
MetaverseObject:person(Attribute): objectSidString
ConnectedSystemObject:user(Attribute): cn
Create resource in external system
Selected
Enable deprovisioning
Selected
Workflow parameters
Default settings
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “CN=”
- Function: ConvertSidToString(objectSid)
- Custom Expression: ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com"
Destination: Dn
Allow null: Cleared
Outbound attribute flow
Source: displayName
Destination: displayName
Allow null: Cleared
Repeat these steps for each Active Directory domain.
The DN suffix for the FSP synchronization rule should be the domain which contains or will contain the greatest number of Domain Local security groups.
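The two FSP rules above both build the target DN as "CN=" + ConvertSidToString(objectSid) + ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com" and join on the SID string. The following PowerShell is an added example, not part of this guide, that reproduces that DN for a given SID and checks, against a domain controller in the target domain, that the FSP the user or group rule should have provisioned is present and that its cn still matches the join key. It assumes the RSAT ActiveDirectory module is installed, that the account running it can read the target domain, and that the server name and sample SID (both constructed) are replaced with your own.

```powershell
# Added example (not from the FIM 2010 guide): verify the FSPs provisioned by the
# user and group FSP synchronization rules. Assumes the ActiveDirectory module;
# the DC name and sample SID below are constructed placeholders.
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-SidString {
    # Same result as the ConvertSidToString() sync-rule function: binary objectSid -> "S-1-5-21-...".
    param([Parameter(Mandatory)][byte[]]$ObjectSid)
    return (New-Object System.Security.Principal.SecurityIdentifier($ObjectSid, 0)).Value
}

function Get-ExpectedFspDn {
    # The DN the outbound initial flow writes for a foreignSecurityPrincipal.
    param(
        [Parameter(Mandatory)][string]$SidString,
        [Parameter(Mandatory)][string]$TargetDomainDn   # e.g. DC=Fabrikam,DC=com
    )
    return "CN=$SidString,CN=ForeignSecurityPrincipals,$TargetDomainDn"
}

function Test-FspProvisioned {
    # 1) The SID must be foreign to the target domain, otherwise no FSP is expected.
    # 2) The FSP must exist at the expected DN, with cn and objectSid equal to the
    #    SID string the rule uses as its relationship criterion.
    param(
        [Parameter(Mandatory)][string]$SidString,
        [Parameter(Mandatory)][string]$TargetDomainDn,
        [Parameter(Mandatory)][string]$TargetDc        # a DC in the target domain
    )
    $targetDomainSid = (Get-ADDomain -Server $TargetDc).DomainSID.Value
    if ($SidString.StartsWith("$targetDomainSid-")) {
        return [pscustomobject]@{ Dn = $null; Present = $false
                                  Reason = 'SID belongs to the target domain; the rule should not create an FSP for it' }
    }
    $dn = Get-ExpectedFspDn -SidString $SidString -TargetDomainDn $TargetDomainDn
    try {
        $fsp = Get-ADObject -Identity $dn -Server $TargetDc -Properties cn, objectSid
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return [pscustomobject]@{ Dn = $dn; Present = $false
                                  Reason = 'FSP not found; the synchronization rule has not provisioned it yet' }
    }
    $joinOk = ($fsp.cn -eq $SidString) -and ($fsp.objectSid.Value -eq $SidString)
    return [pscustomobject]@{ Dn = $dn; Present = $true
                              Reason = $(if ($joinOk) { 'ok' } else { 'cn/objectSid differ from the SID string; the join will fail' }) }
}

# Constructed sample: a SID from another forest, checked against Fabrikam.com.
$sampleSid = 'S-1-5-21-1004336348-1177238915-682003330-1105'

# Round-trip the sample through the binary form to show what ConvertSidToString() sees.
$sid   = New-Object System.Security.Principal.SecurityIdentifier($sampleSid)
$bytes = New-Object byte[] $sid.BinaryLength
$sid.GetBinaryForm($bytes, 0)
ConvertTo-SidString -ObjectSid $bytes

Test-FspProvisioned -SidString $sampleSid -TargetDomainDn 'DC=Fabrikam,DC=com' -TargetDc 'dc1.fabrikam.com'
```

Run it after the first full synchronization and export for each domain you configured. A result of Present = $false with the "not provisioned" reason after an export means the workflow or MPR in the next section has not applied the rule to that object; a cn mismatch means someone renamed the FSP and the join on objectSidString will no longer find it.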
AD DS user contacts
For each domain, you need to create the synchronization rule that creates an Active Directory contact for users.
To create the synchronization rule for Active Directory user contacts
Open the FIM Portal and create a synchronization rule with the details shown in the following table.
Attribute Value Display name
A meaningful name for the set such as AD User Contact Provision for Fabrikam.com Domain Sync Rule
Description
A meaningful description such as Fabrikam.com Domain AD User Contact Provision Sync Rule
Dependency
Default setting
Data flow direction
Outbound
Metaverse resource type
Person
External system
Domain for which you are configuring the synchronization rule
External system resource type
Contact
Relationship criteria
MetaverseObject:person(Attribute): mailNickname
ConnectedSystemObject:contact(Attribute): mailNickName
Create resource in external system
Selected
Enable deprovisioning
Selected
Workflow parameters
Default settings
Outbound attribute flow (initial flow only)
Source: displayName
Destination: displayName
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: mailNickname
Destination: mailNickname
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “CN=”
- displayName
- Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"
Destination: Dn
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: Function: Trim("CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=Fabrikam,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Fabrikam,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=Fabrikam,DC=com")
Destination: homeMDB
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “SMTP:”
- email
Destination: targetAddress
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: firstName
Destination: givenName
Allow null: Cleared
Outbound attribute flow
Source: middleName
Destination: middleName
Allow null: Cleared
Outbound attribute flow
Source: lastName
Destination: sn
Allow null: Cleared
Outbound attribute flow
Source: manager
Destination: manager
Advanced: contact
Allow null: Selected
Outbound attribute flow
Source: jobTitle
Destination: title
Allow null: Cleared
Outbound attribute flow
Source: email
Destination: mail
Allow null: Cleared
Repeat these steps for each Active Directory domain.
AD DS mail-enabled security group contacts
For each forest, you need to create the synchronization rule that creates an AD DS contact for security groups.
To create the synchronization rule for AD DS mail-enabled security group contacts
Open the FIM Portal and create a synchronization rule with the following details:
Attribute Value Display name
A meaningful name for the set such as AD Mail Enabled Security Group Contact Provision for Fabrikam.com Domain Sync Rule
Description
A meaningful description such as Fabrikam.com Domain AD Mail Enabled Security Group Contact Provision Sync Rule
Dependency
Default setting
Data flow direction
Outbound
Metaverse resource type
Group
External system
Domain for which you are configuring the synchronization rule
External system resource type
Contact
Relationship criteria
MetaverseObject:group(Attribute): mailNickname
ConnectedSystemObject:group(Attribute): mailNickName
Create resource in external system
Selected
Enable deprovisioning
Selected
Workflow parameters
Default Settings
Outbound attribute flow (initial flow only)
Source: displayName
Destination: displayName
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: mailNickname
Destination: mailNickname
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “CN=”
- displayName
- Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"
Destination: Dn
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “SMTP:”
- email
Destination: targetAddress
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: Custom Expression: 2147485958
Destination: msExchRecipientDisplayType
Allow null: Cleared
Outbound attribute flow
Source: email
Destination: mail
Allow null: Cleared
Repeat these steps for each Active Directory forest.
AD DS distribution lists contacts
For each forest, you need to create the synchronization rule that creates an Active Directory contact for distribution lists.
To create the synchronization rule for Active Directory distribution list contacts
Open the FIM Portal and create a synchronization rule with the details shown in the following table.
Attribute Value Display name
A meaningful name for the set such as AD Distribution Lists Contact Provision for Fabrikam.com Forest Sync Rule
Description
A meaningful description such as Fabrikam.com Forest AD Distribution Lists Contact Provision Sync Rule
Dependency
Default setting
Data flow direction
Outbound
Metaverse resource type
Group
External system
Domain for which you are configuring the synchronization rule
External system resource type
Contact
Relationship criteria
MetaverseObject:group(Attribute): mailNickname
ConnectedSystemObject:contact(Attribute): mailNickName
Create resource in external system
Selected
Enable deprovisioning
Selected
Workflow parameters
Default Settings
Outbound attribute flow (initial flow only)
Source: displayName
Destination: displayName
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: mailNickname
Destination: mailNickname
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “CN=”
- displayName
- Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"
Destination: Dn
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source:
- Custom Expression: “SMTP:”
- email
Destination: targetAddress
Allow null: Cleared
Outbound attribute flow (initial flow only)
Source: Custom Expression: 2147483910
Destination: msExchRecipientDisplayType
Allow null: Cleared
Outbound attribute flow
Source: email
Destination: mail
Allow null: Cleared
Repeat these steps for each Active Directory forest.
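The three contact rules (users, mail-enabled security groups, distribution lists) share the same shape: a DN built from the unescaped displayName, targetAddress built as "SMTP:" + email, mailNickname as the join key, and for the two group rules a numeric msExchRecipientDisplayType. Two things bite in practice. A displayName containing a comma, plus sign, quote or other RFC 4514 special character produces an invalid DN unless it is escaped, and two objects with the same displayName in OU=Users collide on DN. And msExchRecipientDisplayType is defined in the AD schema with the 32-bit Integer syntax, so a literal above 2147483647 cannot be stored unchanged; the value Exchange reports for a synced recipient is the two's-complement equivalent (2147485958 corresponds to -2147481338 and 2147483910 to -2147483386). The PowerShell below is an added example, not code from this guide: it builds the attribute set a contact rule would write with proper escaping, expresses the recipient display type as the signed value AD accepts, and looks for existing objects in the target OU that would collide on displayName or mailNickname before the rule is enabled. Function names, the DC name and the sample metaverse object are constructed; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the FIM 2010 guide): preview and pre-check the contact
# objects the user / security-group / distribution-list contact rules create.
# Assumes the ActiveDirectory module; DC name and sample data are constructed.
Import-Module ActiveDirectory -ErrorAction Stop

function ConvertTo-LdapEscapedRdnValue {
    # RFC 4514 escaping for a value used in an RDN such as CN=<displayName>.
    param([Parameter(Mandatory)][string]$Value)
    $escaped = $Value -replace '([\\,+"<>;=])', '\$1'
    if ($escaped -match '^[# ]') { $escaped = '\' + $escaped }
    if ($escaped -match ' $')    { $escaped = $escaped.Substring(0, $escaped.Length - 1) + '\ ' }
    return $escaped
}

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping for a value placed inside an LDAP search filter.
    param([Parameter(Mandatory)][string]$Value)
    return $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function ConvertTo-SignedInt32 {
    # AD stores msExchRecipientDisplayType as a signed 32-bit integer; the guide
    # writes the values as unsigned literals. Return the two's-complement value.
    param([Parameter(Mandatory)][uint64]$Value)
    if ($Value -gt [uint32]::MaxValue) { throw "$Value does not fit in 32 bits" }
    return [BitConverter]::ToInt32([BitConverter]::GetBytes([uint32]$Value), 0)
}

function New-ContactAttributeSet {
    # Attribute set the outbound flows of the chosen contact rule would write.
    param(
        [Parameter(Mandatory)][hashtable]$MetaverseObject,   # displayName, mailNickname, email
        [ValidateSet('User', 'MailEnabledSecurityGroup', 'DistributionList')][string]$Kind = 'User',
        [string]$ContainerDn = 'OU=Users,DC=Fabrikam,DC=com'
    )
    foreach ($required in 'displayName', 'mailNickname', 'email') {
        if ([string]::IsNullOrWhiteSpace($MetaverseObject[$required])) {
            throw "Missing $required; the rule has 'Allow null' cleared for this flow, so provisioning would fail"
        }
    }
    $attrs = [ordered]@{
        dn            = "CN=$(ConvertTo-LdapEscapedRdnValue $MetaverseObject.displayName),$ContainerDn"
        displayName   = $MetaverseObject.displayName
        mailNickname  = $MetaverseObject.mailNickname
        mail          = $MetaverseObject.email
        targetAddress = "SMTP:$($MetaverseObject.email)"
    }
    switch ($Kind) {
        'MailEnabledSecurityGroup' { $attrs.msExchRecipientDisplayType = ConvertTo-SignedInt32 2147485958 }
        'DistributionList'         { $attrs.msExchRecipientDisplayType = ConvertTo-SignedInt32 2147483910 }
    }
    return [pscustomobject]$attrs
}

function Find-ContactCollision {
    # Existing objects in the container that already use the displayName (DN
    # collision) or the mailNickname (join-key collision) of the contact to create.
    param(
        [Parameter(Mandatory)][pscustomobject]$Contact,
        [string]$ContainerDn = 'OU=Users,DC=Fabrikam,DC=com',
        [Parameter(Mandatory)][string]$TargetDc
    )
    $name = ConvertTo-LdapFilterValue $Contact.displayName
    $nick = ConvertTo-LdapFilterValue $Contact.mailNickname
    return Get-ADObject -Server $TargetDc -SearchBase $ContainerDn -SearchScope OneLevel `
        -LDAPFilter "(|(displayName=$name)(mailNickname=$nick))" -Properties displayName, mailNickname
}

# Constructed sample metaverse object; the comma in displayName is the interesting part.
$mv = @{ displayName = 'Smith, John (Contoso)'; mailNickname = 'jsmith'; email = 'jsmith@contoso.com' }
$contact = New-ContactAttributeSet -MetaverseObject $mv -Kind User
$contact
(New-ContactAttributeSet -MetaverseObject $mv -Kind DistributionList).msExchRecipientDisplayType
Find-ContactCollision -Contact $contact -TargetDc 'dc1.fabrikam.com'
```

Compare the dn the function prints with what the sync rule's custom expression produces for the same object in a test run: if they differ only in escaping, the rule needs an escaping step (or a different RDN source such as mailNickname) before it is used against real data. Any object returned by Find-ContactCollision will cause the rule's Create to fail, or worse, join the contact to the wrong existing object.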
Create Synchronization Workflow and Management Policies
For each synchronization rule, you need to create a workflow and an MPR that apply the rule to the correct user and group objects so that their FSPs and contacts are provisioned.
For more information about how to create the workflow and MPR to apply the synchronization rules for user and group objects, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).
Synchronization workflow
In the following procedure, you create the synchronization workflow to apply the synchronization rules to provision FSPs.
To create the synchronization workflow to provision FSPs
Open the FIM Portal and create a workflow with the details shown in the following table.
Attribute Value Display name
A meaningful name for the domain such as Active Directory User and Group FSP Provision for Fabrikam.com Domain Workflow
Description
A meaningful description such as Fabrikam.com Domain Active Directory User and Group FSP Provision Workflow
Workflow type
Action
Run on Policy Update
Cleared
Import XAML for workflow
Cleared
Activities
Add a Synchronization Rule Activity with the Add action for the user FSP synchronization rule, such as AD User Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule, applied where objectType = User
Add a Synchronization Rule Activity with the Add action for the group FSP synchronization rule, such as AD Group Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule, applied where objectType = Group
Synchronization MPR
In the following procedure, you create the synchronization MPR to apply the synchronization rules to provision FSPs.
To create the synchronization MPR to provision FSPs
Open the FIM Portal and create an MPR with the following details:
Attribute Value Display name
A meaningful name for the domain such as Active Directory User and Group FSP Provision for Fabrikam.com Domain
Description
A meaningful description such as Active Directory User and Group FSP Provision for Fabrikam.com Domain
Type
Request
Specific set of Requestors
All People
Create resource
Selected
Delete resource
Cleared
Read resource
Cleared
Add a value to a multivalued attribute
Selected
Remove a value from a multivalued attribute
Cleared
Modify a single-valued attribute
Cleared
Grants permissions
Cleared
Target resource definition before request
All objects
Target resource definition after request
All objects
Resource attributes
Select specific attributes: ExplicitMember
Authentication Workflows
None
Authorization workflows
None
Action workflow
The synchronization rule workflow, such as Active Directory User and Group FSP Provision for Fabrikam.com Domain Workflow
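Because an MPR that is disabled, grants rights, or points at the wrong action workflow silently leaves every object unprovisioned, it is worth checking the result of the two procedures above from the FIM Service rather than by eye in the portal. The PowerShell below is an added example, not part of this guide. It uses the FIMAutomation snap-in that ships with FIM 2010 (Export-FIMConfig) to export the MPR and the workflow by display name and confirms the settings the table asks for: enabled, Create and Add operations, no permission grant, no authorization workflow, and the action workflow reference resolved to the FSP provisioning workflow. The display names default to the examples used above, the service URI is the FIM default, and the helper name Get-FimAttribute is constructed.

```powershell
# Added example (not from the FIM 2010 guide): verify the FSP provisioning MPR
# against the FIM Service. Assumes the FIMAutomation snap-in and the default
# service URI; display names default to the examples in the tables above.
if (-not (Get-PSSnapin -Name FIMAutomation -ErrorAction SilentlyContinue)) {
    Add-PSSnapin FIMAutomation
}

function Get-FimAttribute {
    # Read one attribute from an object returned by Export-FIMConfig.
    param([Parameter(Mandatory)]$ExportObject, [Parameter(Mandatory)][string]$Name)
    $attr = $ExportObject.ResourceManagementObject.ResourceManagementAttributes |
        Where-Object { $_.AttributeName -eq $Name }
    if (-not $attr) { return $null }
    if ($attr.IsMultiValue) { return $attr.Values } else { return $attr.Value }
}

function Test-FspProvisioningMpr {
    param(
        [string]$MprDisplayName      = 'Active Directory User and Group FSP Provision for Fabrikam.com Domain',
        [string]$WorkflowDisplayName = 'Active Directory User and Group FSP Provision for Fabrikam.com Domain Workflow',
        [string]$Uri                 = 'http://localhost:5725'
    )
    $mpr = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/ManagementPolicyRule[DisplayName='$MprDisplayName']"
    $wf  = Export-FIMConfig -Uri $Uri -OnlyBaseResources -CustomConfig "/WorkflowDefinition[DisplayName='$WorkflowDisplayName']"
    if (-not $mpr) { throw "MPR '$MprDisplayName' not found" }
    if (-not $wf)  { throw "Workflow '$WorkflowDisplayName' not found" }

    $findings = @()
    if ((Get-FimAttribute $mpr 'Disabled') -eq 'True') { $findings += 'MPR is disabled' }
    $actions = @(Get-FimAttribute $mpr 'ActionType')
    foreach ($needed in 'Create', 'Add') {
        if ($actions -notcontains $needed) { $findings += "ActionType does not include $needed" }
    }
    if ((Get-FimAttribute $mpr 'GrantRight') -eq 'True') {
        $findings += 'MPR grants permissions; a provisioning MPR should only run the action workflow'
    }
    if (@(Get-FimAttribute $mpr 'AuthorizationWorkflowDefinition').Count -gt 0) {
        $findings += 'Unexpected authorization workflow would block the provisioning request'
    }
    # Reference attributes are exported as urn:uuid values; compare with the workflow's ObjectIdentifier.
    $wfId = $wf.ResourceManagementObject.ObjectIdentifier
    if (@(Get-FimAttribute $mpr 'ActionWorkflowDefinition') -notcontains $wfId) {
        $findings += 'Action workflow is not the FSP provisioning workflow'
    }
    return [pscustomobject]@{ Mpr = $MprDisplayName; Pass = ($findings.Count -eq 0); Findings = $findings }
}

Test-FspProvisioningMpr
```

Run it once per domain with the display names you chose; extend the same pattern to the contact MPRs by passing their names. A Pass of $false with an ActionType finding is the usual cause of FSPs appearing only for newly created objects: without the Add operation on ExplicitMember the workflow never fires for group membership changes.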