Synchronizing Passwords from an Authoritative Active Directory Forest to a Receiving Active Directory Forest

Applies To: Forefront Identity Manager, Windows Server 2003

Microsoft® Identity Lifecycle Manager 2007 (ILM 2007) provides a mechanism to synchronize passwords from Active Directory to multiple identity stores. Active Directory which acts as the authoritative source for all password synchronization operations uses the Password Change Notification Service (PCNS) to push password changes made in Active Directory to any identity store that is enabled for password management.

You can change passwords in Active Directory using CTRL+ALT+DEL from your native Windows desktops and have these password changes pushed to other connected data sources using the password synchronization feature in ILM 2007.

These password-set operations are event-driven, which means they happen in real time and do not depend on the normal management agent run schedules.

This document discusses how to synchronize passwords from one authoritative Active Directory forest to another receiving Active Directory forest.

What This Document Covers

This document covers the steps and procedures that are needed to synchronize users' passwords from an authoritative Active Directory forest to a receiving Active Directory forest. In environments with multiple Active Directory forests, you must set one forest as the authoritative forest for password change requests. After completing the procedures in this document, you will be able to:

  • Install and configure Password Change Notification Service (PCNS) to capture password changes originating from an authoritative Active Directory forest.

  • Establish a link between two Active Directory forests' user accounts.

  • Configure the management agents for the authoritative Active Directory forest and the receiving Active Directory forest.

  • Configure ILM 2007 to process password synchronization requests.

The procedures below are for a lab environment. After you have successfully tried out these procedures in the lab environment, you can deploy this scenario in your production environment with the settings that correspond to your environment.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:

For an introduction to essential ILM 2007 concepts, see the following documents:

For a design overview of PCNS see Automated Password Synchronization Solution Guide for MIIS 2003 (https://go.microsoft.com/fwlink/?LinkId=81749).

For a description of all MIIS 2003 documentation, see Microsoft Identity Integration Server 2003 Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkID=82465).

Note

A description of how to set up ILM 2007 and Active Directory is out of the scope of this document.

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan and develop ILM 2007 solutions that use PCNS to synchronize passwords from an authoritative Active Directory forest to a receiving Active Directory forest.

Time Requirements

The procedures in this document require 60 to 90 minutes for a new user to complete. An experienced ILM 2007 user can complete them in 30 to 40 minutes.

Scenario Description

Contoso, a fictitious corporation, has two Active Directory forests, Contoso and Fabrikam, in their IT infrastructure. They would like to have the option of users changing their passwords from their native Windows desktops in the Contoso forest, which is the authoritative forest for password change operations, and have the newly changed password synchronized to the Fabrikam forest.

The following illustration outlines the above scenario:

[Illustration: password changes made in the authoritative Contoso forest are synchronized to the Fabrikam forest]

The Testing Environment

To perform the procedures in this document, your testing environment should have the following characteristics:

  • One Contoso Active Directory domain controller (CONDC1)

  • One server hosting ILM 2007 (ILMSrv1) in the Contoso forest

    This server requires Microsoft Windows Server 2003 Enterprise Edition and Microsoft SQL Server 2000 or Microsoft SQL Server 2005.

  • One Fabrikam Active Directory domain controller (FABDC1)

  • One client computer hosting Microsoft Windows XP (XPClient1) in the Contoso forest.

  • One client computer hosting Microsoft Windows XP (XPClient2) in the Fabrikam Forest.

The following illustration shows the infrastructure used in the scenario for this document.

[Illustration: lab infrastructure with CONDC1, ILMSrv1 and XPClient1 in the Contoso forest and FABDC1 and XPClient2 in the Fabrikam forest]

You must have an account with sufficient rights for the management agents for both Active Directory forests. This document uses the domain administrator account for Active Directory management agents for both forests.

Note

This document does not use strong passwords for the user accounts. It is recommended that you deploy strong passwords in your production environment to aid in the security of your network infrastructure.

Before You Begin

The following configuration tasks need to take place before synchronizing passwords from one Active Directory forest to another Active Directory forest using PCNS:

  • Proper DNS Configuration

  • Forest Trusts

  • One forest has to be the authoritative source for password change events.

Proper DNS Configuration

The management agents for both Active Directory forests must have access to each forest. ILM 2007 must have access to the SRV records in DNS for a management agent to find a forest. The zones for the two forests have to be centrally located on a DNS server that the management agents have access to or you must configure the forwarders on the server running ILM 2007.

Forest Trusts

Forest trusts are only required if PCNS and ILM 2007 are located in different forests. If this is the case, a forest-level trust must be established. This is required for Kerberos mutual authentication for the ILM 2007 server to accept the request from a remote forest host.

For the purposes of this document, PCNS and ILM 2007 are located in the same forest.

One forest has to be the authoritative source for password change events

In environments with multiple Active Directory forests, you must set one forest as the authoritative forest for password change requests. Otherwise, an infinite loop occurs.

An infinite loop occurs when Forest A receives a password change request and then sends a password change notification to Forest B. Forest B interprets this as a change request and sends the request back to Forest A. Each time the notification is sent, the receiving forest interprets it as a change request and sends a new notification to the other forest, thus causing an infinite loop.

For the purposes of this document, the Contoso forest will be the authoritative forest for password change requests.
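The loop described above, and the single-authoritative-forest rule that prevents it, can be checked before any PCNS target is configured. The following Python script is an added example, not part of this document or of ILM 2007; the forest names and the notification map are constructed for the Contoso/Fabrikam scenario, and the check generalizes to any number of forests.

```python
"""Check a PCNS password-synchronization topology for notification loops.

Each forest maps to the set of forests its PCNS/ILM configuration forwards
password changes to. A chain that returns to a forest it already visited is
the infinite loop described in the text. A valid design has exactly one
authoritative forest (it forwards but receives from nobody) and no cycles.
"""


def _as_graph(targets):
    """Copy the map and give every mentioned forest an entry, even if it notifies nobody."""
    graph = {forest: set(dsts) for forest, dsts in targets.items()}
    for dsts in list(graph.values()):
        for dst in dsts:
            graph.setdefault(dst, set())
    return graph


def find_sync_cycle(targets):
    """Return the forests forming a notification loop (first found), or [] if acyclic.

    targets: dict mapping forest name -> set of forests it notifies.
    """
    graph = _as_graph(targets)
    WHITE, GREY, BLACK = 0, 1, 2          # unvisited / on current path / finished
    colour = {forest: WHITE for forest in graph}
    path = []

    def dfs(node):
        colour[node] = GREY
        path.append(node)
        for nxt in sorted(graph[node]):
            if colour[nxt] == GREY:
                # Back edge: the loop is the path from nxt round to node and back to nxt.
                return path[path.index(nxt):] + [nxt]
            if colour[nxt] == WHITE:
                found = dfs(nxt)
                if found:
                    return found
        path.pop()
        colour[node] = BLACK
        return []

    for forest in sorted(graph):
        if colour[forest] == WHITE:
            loop = dfs(forest)
            if loop:
                return loop
    return []


def authoritative_forests(targets):
    """Forests that send notifications but never receive any."""
    graph = _as_graph(targets)
    receivers = set()
    for dsts in graph.values():
        receivers |= dsts
    return sorted(f for f, dsts in graph.items() if dsts and f not in receivers)


def validate_topology(targets):
    """Return (ok, message) for a proposed topology."""
    loop = find_sync_cycle(targets)
    if loop:
        return False, "password change notifications loop: " + " -> ".join(loop)
    auth = authoritative_forests(targets)
    if len(auth) != 1:
        return False, "expected exactly one authoritative forest, found %r" % (auth,)
    return True, "authoritative forest is %s" % auth[0]


# Constructed topologies for this document's scenario.
DOCUMENT_TOPOLOGY = {"Contoso": {"Fabrikam"}}                        # Contoso authoritative
LOOPING_TOPOLOGY = {"Contoso": {"Fabrikam"}, "Fabrikam": {"Contoso"}}  # the loop the text warns about

if __name__ == "__main__":
    for name, topo in (("document", DOCUMENT_TOPOLOGY), ("looping", LOOPING_TOPOLOGY)):
        ok, msg = validate_topology(topo)
        print(name, "OK" if ok else "REJECTED", "-", msg)
```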

Scripts in this Document

To simplify administrative tasks such as populating your Active Directory test environment with organizational units and users, you can use the scripts provided in the appendix.

The following table shows the scripts that are included in the Appendix.

Appendix                                                          Description
Appendix A: Script to Populate Contoso Active Directory Objects   Script to populate Contoso Active Directory objects
Appendix B: Script to Populate Fabrikam Active Directory Objects  Script to populate Fabrikam Active Directory objects

Running the Scripts

The scripts in this document are designed to run locally on the computer. The first script in the appendix configures the Contoso Active Directory objects on the Contoso Active Directory domain controller, and the second script configures the Fabrikam Active Directory objects on the Fabrikam Active Directory domain controller.

To run a script

  1. From the Appendix, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on your local drive as a .vbs file, for example c:\Appendix.vbs.

    Although the name of the file is irrelevant, it must have the .vbs file name extension.

  3. To run the script, double-click the icon for the .vbs file.

Implementing the Procedures in this Document

To implement the procedures in this document, you must complete the following steps in the following order:

  1. Configure the Fabrikam Active Directory environment.

  2. Configure the Contoso Active Directory environment.

  3. Install Password Change Notification Service (PCNS) on the Contoso Active Directory domain controller.

  4. Configure the Service Principal Name (SPN) for the ILM 2007 server.

  5. Configure PCNS.

  6. Enable password synchronization on the server running ILM 2007.

  7. Establish a link between the accounts in the Fabrikam and Contoso forests and configure the management agents for password synchronization.

  8. Configure the run profiles.

  9. Test the configuration.

Configure the Fabrikam Active Directory Environment

The Fabrikam Active Directory environment in this document consists of an organizational unit MIISObjects and four test users, U1, U2, U3, and U4.

Each user populated in Active Directory has the password, p@ssword.

The following illustration shows the Active Directory objects for this document.

[Illustration: Fabrikam Active Directory objects, the MIISObjects organizational unit containing users U1, U2, U3 and U4]

You can use the tools provided by Active Directory to create the Active Directory environment for this document or you can use the scripts in Appendix A to create the environment.

You may need to modify the password provided in the script to meet the password security policy of your domain. To do this you must modify this portion of the script located in Appendix A:

'Set Password
'Change this value if your domain's password policy rejects it.
Dim strPassword
strPassword = "p@ssword"
objUser.SetPassword strPassword

When declaring the value for strPassword, change the value from p@ssword to a value that meets the security requirements for your domain.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Active Directory tools

  • For more information about using Active Directory tools, see Active Directory Help.

To create the required objects using the script

  1. In Appendix A, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on your local drive as a .vbs file, for example, C:\AppendixA.vbs.

  3. To run the script, double click the icon for the .vbs file.

  4. Click OK on the message box stating Organizational Unit and users are now created.

  5. Open Active Directory Users and Computers snap-in to verify the results.

Configure the Contoso Active Directory environment

The Contoso Active Directory environment in this document consists of an organizational unit MIISObjects and four test users, U1, U2, U3, and U4.

Each user populated in Active Directory has the password, p@ssword.

The following illustration shows the Active Directory objects for this document.

[Illustration: Contoso Active Directory objects, the MIISObjects organizational unit containing users U1, U2, U3 and U4]

You can use the tools provided by Active Directory to create the Active Directory environment for this document or you can use the script in Appendix B to create the environment.

You may need to modify the password provided in the script to meet the password security policy of your domain. To do this you must modify this portion of the script located in Appendix B:

'Set Password
'Change this value if your domain's password policy rejects it.
Dim strPassword
strPassword = "p@ssword"
objUser.SetPassword strPassword

When declaring the value for strPassword, change the value from p@ssword to a value that meets the security requirements for your domain.

For more information about using the supplied scripts, see Running the Scripts.

To create the required objects using Active Directory tools

  • For more information about using Active Directory tools, see Active Directory Help.

To create the required objects using the script

  1. In Appendix B, copy the script, and then paste it into a new Notepad file.

  2. Save the Notepad file on your local drive as a .vbs file, for example, C:\AppendixB.vbs.

  3. To run the script, double click the icon for the .vbs file.

  4. Click OK on the message box stating Organizational Unit and users are now created.

  5. Open Active Directory Users and Computers snap-in to verify the results.

Install Password Change Notification Service (PCNS) on the Contoso Active Directory domain controller

To install Password Change Notification Service (PCNS) on the Contoso Active Directory domain controller, you must use the Password Change Notification Service.msi file. The file is located on the ILM 2007 installation CD in the MIIS\Password Synchronization folder.

Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if you want to update the Active Directory® schema to include object classes and attributes that PCNS requires, you must be a member of the Schema Admins group.

During PCNS installation, ILM 2007 verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.

Note

To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components. To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups. The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see ILM 2007 Help.

To install PCNS

  1. On the ILM 2007 installation media, double-click the Password Change Notification Service.msi icon located in the MIIS\Password Synchronization folder.

    Use Password Change Notification Service x64.msi or Password Change Notification Service x86.msi as appropriate for the hardware in your environment.

  2. In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

  3. In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

  4. Click Install to begin the installation.

  5. Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  3. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  4. Verify that the following events from pcnssvc.exe are in the log:

    • 2001 – PCNS has started.

    The presence of this event confirms that PCNS has started successfully.

Configure the Service Principal Name (SPN) for the ILM 2007 server

ILM 2007 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server® 2003 Support Tools on the Windows Server 2003 installation CD.

To configure the SPN using Setspn.exe

  • At a command prompt, type the commands shown by the following syntax:

    Setspn.exe -a <user defined name for target ILM 2007 server>/<fully qualified domain name of the server running ILM 2007> <domain\user name of the ILM 2007 service account>

    For example:

    Setspn.exe -a PCNSCLNT/ILMSrv1.contoso.com contoso\ILMSrvAccount

    The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to ILM 2007.

To verify the SPN setting for ILM 2007

  1. Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command prompt, type setspn -L <ILM 2007 service account>, and then press ENTER.

    For example:

    setspn -l ILMSrvAccount

  3. Verify that the following SPN is registered for the <ILM 2007 service account>: PCNSCLNT/<ILM 2007 server host name>
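The uniqueness requirement stated above is easy to miss when checking one account at a time. The following Python script is an added example, not part of this document or of ILM 2007: it parses saved output of setspn -L for several accounts (the sample below is constructed, in the format of a "Registered ServicePrincipalNames for <DN>:" header followed by one indented SPN per line), confirms the PCNSCLNT SPN is on the ILM 2007 service account, and reports any SPN that appears on more than one account.

```python
"""Check PCNS SPN registration and uniqueness from saved 'setspn -L' output."""
import re
from collections import defaultdict

HEADER_RE = re.compile(r"^Registered ServicePrincipalNames for (?P<dn>.+):\s*$")


def parse_setspn_output(text):
    """Return {account_dn: [spn, ...]} from concatenated 'setspn -L <account>' output."""
    spns = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        m = HEADER_RE.match(line)
        if m:
            current = m.group("dn")
            spns.setdefault(current, [])
        elif current is not None and line.startswith((" ", "\t")):
            spns[current].append(line.strip())      # indented line = one SPN
    return spns


def duplicate_spns(spns):
    """Return {spn: [account_dn, ...]} for SPNs held by more than one account.

    SPNs are compared case-insensitively here (an assumption of this example),
    so PCNSCLNT/host and pcnsclnt/host count as the same name.
    """
    holders = defaultdict(list)
    for dn, names in spns.items():
        for spn in names:
            holders[spn.lower()].append(dn)
    return {spn: dns for spn, dns in holders.items() if len(dns) > 1}


def check_pcns_spn(text, service_account_dn, ilm_fqdn):
    """Return (ok, findings): is PCNSCLNT/<ilm_fqdn> on the service account, and is nothing duplicated."""
    expected = "PCNSCLNT/%s" % ilm_fqdn
    spns = parse_setspn_output(text)
    findings = []
    registered = [s for s in spns.get(service_account_dn, []) if s.lower() == expected.lower()]
    if not registered:
        findings.append("%s is not registered on %s" % (expected, service_account_dn))
    for spn, dns in sorted(duplicate_spns(spns).items()):
        findings.append("duplicate SPN %s on: %s" % (spn, "; ".join(sorted(dns))))
    return (not findings), findings


# Constructed sample output, modelled on this document's names (not captured from a real system).
ILM_ACCOUNT_DN = "CN=ILMSrvAccount,CN=Users,DC=contoso,DC=com"
SAMPLE_OK = """\
Registered ServicePrincipalNames for CN=ILMSrvAccount,CN=Users,DC=contoso,DC=com:
        PCNSCLNT/ILMSrv1.contoso.com
Registered ServicePrincipalNames for CN=ILMSRV1,CN=Computers,DC=contoso,DC=com:
        HOST/ILMSRV1
        HOST/ILMSrv1.contoso.com
"""
# Same data plus a second account carrying the PCNS SPN: the failure case the text describes.
SAMPLE_DUP = SAMPLE_OK + """\
Registered ServicePrincipalNames for CN=svc_other,CN=Users,DC=contoso,DC=com:
        pcnsclnt/ilmsrv1.contoso.com
"""

if __name__ == "__main__":
    for label, sample in (("ok", SAMPLE_OK), ("duplicate", SAMPLE_DUP)):
        ok, findings = check_pcns_spn(sample, ILM_ACCOUNT_DN, "ILMSrv1.contoso.com")
        print(label, "PASS" if ok else "FAIL", findings)
```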

Configure PCNS

To configure PCNS, perform the following two tasks:

  1. Configure inclusion and exclusion groups

  2. Configure pcnscfg.exe

Configure inclusion and exclusion groups

To configure PCNS, you must configure an inclusion group, and optionally, an exclusion group. Inclusion and exclusion groups must be security groups. As the names imply, members of these groups are users who are either included or excluded from password synchronization.

If you have an existing group for users who must participate in password synchronization, you can specify that group. If not, create a new group. For example you can create a group called PasswordSyncUsers for all users whose passwords you want to synchronize.

Note

Members of the exclusion group are always excluded from password synchronization, even if they are also members of the inclusion group.

For this document, you will use the built-in Domain Users group as the inclusion group for password synchronization, so you do not need to create one. In a real-world scenario, this is not recommended because certain user accounts, such as administrative and service accounts, would not typically participate in password synchronization.

Configure pcnscfg.exe

You use pcnscfg.exe, a command-line tool, to configure PCNS to process password change requests. Pcnscfg.exe installs with PCNS into the Microsoft Password Change Notification folder, which is in the Program Files folder on each domain controller. You use Pcnscfg.exe to configure PCNS to send password change notifications to a specific target server running ILM 2007. For complete documentation about Pcnscfg.exe, see ILM 2007 Help.

To configure PCNS using Pcnscfg.exe

  • At a command-line prompt, type the commands shown by the following syntax:

    pcnscfg.exe addtarget /n:<user-defined friendly name of the target server running ILM 2007> /a:<fully-qualified domain name of the server running ILM 2007> /s:<the SPN for the ILM 2007 server>/<fully qualified domain name of the ILM 2007 server> /fi:<the specified inclusion group> /f:3

    For the purposes of this document, type the following. The inclusion group name contains a space, so it must be quoted:

    Pcnscfg.exe addtarget /n:ilmdemo /a:ILMSrv1.contoso.com /s:PCNSCLNT/ILMSrv1.contoso.com /fi:"Domain Users" /f:3

To verify configuration of ILM 2007 as a target for PCNS

  1. Log on to an Active Directory domain controller where PCNS was installed with administrative privileges.

  2. At a command-line prompt, navigate to the PCNS installation directory, which is typically C:\Program Files\Microsoft Password Change Notification.

  3. Type Pcnscfg LIST, and then press ENTER.

  4. Verify that the output listing corresponds to the settings that you configured earlier.

    You should see the ILM 2007 server name, the SPN for the ILM 2007 service account, the authentication type, the inclusion groups, and any exclusion groups that you configured.

  5. At a command prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

  6. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  7. Verify that the following events from pcnssvc.exe are in the log:

    • 2102 – Target <user defined friendly name of the target server running ILM 2007> is enabled. Password changes will be queued for this target.

Enable Password Synchronization on the Server hosting ILM 2007

You have to enable password synchronization on the server hosting ILM 2007. This will allow ILM 2007 to process password change requests that it receives from Active Directory.

To enable password synchronization on the server hosting ILM 2007

  1. Open Identity Manager, on the server hosting ILM 2007.

  2. On the Tools menu, click Options.

  3. Select the check box next to Enable Password Synchronization.

  4. Click OK to exit the Options dialog box.

To verify password synchronization has been enabled on the server hosting ILM 2007

  1. On the server hosting ILM 2007, open a command-line prompt and type eventvwr.msc, and then press ENTER to open Event Viewer.

  2. In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

  3. Verify that the following events from pcnssvc.exe are in the log:

    • 6910 – Password synchronization has been enabled.

Establish a Link Between the Accounts in the Fabrikam and Contoso Forests and Configure the Management Agents for Password Synchronization

You have to establish a link in the metaverse between the accounts in the Fabrikam and Contoso forests to successfully deploy password synchronization using ILM 2007. Using ILM 2007, you will create management agents for:

  • Fabrikam Active Directory forest

  • Contoso Active Directory forest

These management agents create links in the metaverse between the Contoso forest and Fabrikam forest user accounts by using the sAMAccountName attribute, which is guaranteed to be unique across the organization.

While creating the management agents for both the Fabrikam and Contoso forests, you will configure the management agents for password synchronization. This enables any password changes occurring in the Contoso forest, which is the authoritative source for password change requests, to be pushed to the Fabrikam forest.
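The join rule configured below (data source sAMAccountName mapped directly to the metaverse uid attribute) decides which Fabrikam account receives each Contoso user's password change. The following Python script is an added example, not part of this document or of ILM 2007: it previews that join over constructed user lists for the two forests and reports the accounts that would be joined, the ones with no partner, and the sAMAccountName values that are ambiguous, since a join that cannot resolve to exactly one object leaves the password change with nowhere to go.

```python
"""Preview a sAMAccountName -> uid metaverse join before running the management agents."""


def build_index(users):
    """Map sAMAccountName (lower-cased, as the attribute is not case-sensitive) -> list of DNs."""
    idx = {}
    for dn, sam in users:
        idx.setdefault(sam.lower(), []).append(dn)
    return idx


def preview_join(source_users, target_users):
    """Return {'joined': {src_dn: dst_dn}, 'unjoined': [src_dn], 'ambiguous': [sam]}.

    source_users / target_users: lists of (distinguishedName, sAMAccountName) tuples.
    A value is ambiguous when it appears more than once on either side.
    """
    src = build_index(source_users)
    dst = build_index(target_users)
    joined, unjoined, ambiguous = {}, [], []
    for sam, src_dns in sorted(src.items()):
        dst_dns = dst.get(sam, [])
        if len(src_dns) > 1 or len(dst_dns) > 1:
            ambiguous.append(sam)
        elif not dst_dns:
            unjoined.append(src_dns[0])
        else:
            joined[src_dns[0]] = dst_dns[0]
    return {"joined": joined, "unjoined": unjoined, "ambiguous": ambiguous}


def join_report(result):
    """Human-readable summary lines for a preview_join result."""
    lines = ["%d joined, %d unjoined, %d ambiguous" % (
        len(result["joined"]), len(result["unjoined"]), len(result["ambiguous"]))]
    lines += ["  no partner: %s" % dn for dn in result["unjoined"]]
    lines += ["  ambiguous sAMAccountName: %s" % sam for sam in result["ambiguous"]]
    return lines


# Constructed sample data, modelled on this document's MIISObjects users.
CONTOSO_USERS = [
    ("CN=U1,OU=MIISObjects,DC=contoso,DC=com", "U1"),
    ("CN=U2,OU=MIISObjects,DC=contoso,DC=com", "U2"),
    ("CN=U3,OU=MIISObjects,DC=contoso,DC=com", "U3"),
    ("CN=U4,OU=MIISObjects,DC=contoso,DC=com", "U4"),
    ("CN=U5,OU=MIISObjects,DC=contoso,DC=com", "U5"),   # constructed: no Fabrikam counterpart
]
FABRIKAM_USERS = [
    ("CN=U1,OU=MIISObjects,DC=fabrikam,DC=com", "u1"),  # constructed: case differs, still joins
    ("CN=U2,OU=MIISObjects,DC=fabrikam,DC=com", "U2"),
    ("CN=U3,OU=MIISObjects,DC=fabrikam,DC=com", "U3"),
    ("CN=U4,OU=MIISObjects,DC=fabrikam,DC=com", "U4"),
    ("CN=U4,OU=Staff,DC=child,DC=fabrikam,DC=com", "U4"),  # constructed: same name in a child domain
]

if __name__ == "__main__":
    for line in join_report(preview_join(CONTOSO_USERS, FABRIKAM_USERS)):
        print(line)
```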

Create the Fabrikam Active Directory Forest Management Agent

In the procedures below, you will create the management agent for the Fabrikam Active Directory forest. This will propagate the user accounts you created in the Fabrikam Active Directory forest to the ILM 2007 metaverse.

To create the management agent for the Fabrikam Active Directory forest

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory.

  2. In the Name box, type FabrikamADMA, and then click Next.

Connect to Active Directory Forest

On this page, you enter the name of your Active Directory forest and provide data for the account that this management agent uses to connect to that forest.

Note

In a real-world scenario, you can use any name you choose for the forest and domain, and any user account that has sufficient rights.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type fabrikam.com.

  2. In the User name box, type administrator.

  3. In the Password box, type the administrator's password.

  4. In the Domain box, type fabrikam, and then click Next.

Configure Directory Partitions

On this page, you select your directory partition and the container (organizational unit) that contains the Active Directory objects that are part of this document. You also enable your directory partition as the source for password synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=fabrikam,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only MIISObjects is selected.

  4. To close the Select Containers dialog box, click OK.

  5. Click Next.

Select Object Types

On this page, you select the object types that will participate in password synchronization.

To complete the Select Object Types page

  1. In the Select Object Types box, select the following types:

    • container

    • domainDNS

    • organizationalUnit

    • user

  2. Click Next.

Select Attributes

On this page, you specify the attributes in your scenario. For this document, select the attributes specified in the following procedure.

To complete the Select Attributes page

  1. In the Attributes box, select the following attribute:

    • sAMAccountName

  2. Click Next.

Configure Connector Filter

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.

Configure Join and Projection Rules

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the user object type.

The following illustration shows the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

[Illustration: Configure Join and Projection Rules dialog box for FabrikamADMA with the user projection and join rules applied]

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select user.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select user.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select sAMAccountName.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select uid.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import and export attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the user object of the management agent for Active Directory.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

[Illustration: Configure Attribute Flow dialog box for FabrikamADMA with the user attribute flow rule applied]

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule   Data Source Attribute   Metaverse Attribute
Rule 1      sAMAccountName          uid

To complete the Configure Attribute Flow page

  1. In the Data source object type box select user.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.

Configure Extensions

On this page, you enable password management for this management agent, so that the Fabrikam Active Directory forest receives password change requests from ILM 2007 after a password change request is received from the Contoso Active Directory forest.

To complete the Configure Extensions page

  1. In the Password management dialog box, click the check box next to Enable password management.

  2. Click Finish.

Create the Contoso Active Directory Forest Management Agent

After creating the management agent for the Fabrikam Active Directory forest, you now create the management agent for the Contoso Active Directory forest. This propagates the user accounts you created in the Contoso Active Directory forest to the ILM 2007 metaverse as well as enables the Contoso Active Directory forest to be the authoritative source for all password change requests.

To create the management agent for the Contoso Active Directory forest

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. On the Actions menu, click Create to start the Create Management Agent wizard.

  4. Specify the required parameters for each page, and then click Next. The instructions for each page are provided as separate procedures below.

  5. Click Finish to create the management agent.

Create Management Agent

On this page, you select the type of management agent you want to create, and then name it accordingly.

To complete the Create Management Agent page

  1. In the Management agents for list, select Active Directory.

  2. In the Name box, type ContosoADMA, and then click Next.

Connect to Active Directory Forest

On this page, you enter the name of your Active Directory forest and provide data for the account that this management agent uses to connect to that forest.

Note

In a real-world scenario, you can use any name you choose for the forest and domain, and any user account that has sufficient rights.

To complete the Connect to Active Directory Forest page

  1. In the Forest name box, type contoso.com.

  2. In the User name box, type administrator.

  3. In the Password box, type the administrator's password.

  4. In the Domain box, type contoso, and then click Next.

Configure Directory Partitions

On this page, you select your directory partition and the container (organizational unit) that contains the Active Directory objects that are part of this document. You also enable your directory partition as the authoritative source for password synchronization.

To complete the Configure Directory Partitions page

  1. In the Select directory partitions box, select the check box next to DC=contoso,DC=com.

  2. Click Containers to open the Select Containers dialog box.

  3. In the Select Containers dialog box, verify that only MIISObjects is selected.

  4. To close the Select Containers dialog box, click OK.

  5. In the Password Synchronization dialog box, click the check box next to Enable this partition as a password synchronization source.

  6. Click the Targets button located in the Password Synchronization dialog box.

  7. In the Target management agents dialog box, under the Management Agent Name column, click the check box next to FabrikamADMA.

  8. Click OK to exit the Target management agents dialog box.

  9. On the Configure Directory Partitions page, click Next.

Select Object Types

On this page, you select the object types that will participate in password synchronization.

To complete the Select Object Types page

  1. In the Select Object Types box, select the following types:

    • container

    • domainDNS

    • organizationalUnit

    • user

  2. Click Next.

Select Attributes

On this page, you specify the attributes in your scenario. For this document, select the attributes specified in the following procedure.

To complete the Select Attributes page

  1. In the Attributes box, select the following attribute:

    • sAMAccountName

  2. Click Next.

Configure Connector Filter

You do not have to configure anything on this page.

To complete the Configure Connector Filter page

  • Click Next.

Configure Join and Projection Rules

On this page, you configure the required join and projection rules for this scenario. This document requires you to configure a join and projection rule for the user object type.

The following illustration shows the Configure Join and Projection Rules dialog box after you have applied all projection rules for this document.

[Illustration: Configure Join and Projection Rules dialog box for ContosoADMA with the user projection and join rules applied]

To complete the Configure Join and Projection Rules page

  1. In the Data Source Object Type column, select user.

  2. To open the Projection dialog box, click New Projection Rule.

  3. Select Declared.

  4. In the Metaverse object type list, select person.

  5. To close the Projection dialog box, click OK.

  6. In the Data Source Object Type column, select user.

  7. To open the Join Rule for user dialog box, select New Join Rule.

  8. In the Data source attribute field select sAMAccountName.

  9. Select Direct in the Mapping type field.

  10. In the Metaverse object type list, select person.

  11. In the Metaverse attribute list select uid.

  12. Click Add Condition.

  13. Click OK on the dialog box stating, "You are attempting a join mapping with a non-indexed metaverse attribute. Joining with non-indexed attributes can result in performance problems."

  14. Click OK to close the Join Rule for user dialog box.

  15. Click Next.

Configure Attribute Flow

On this page, you provide the import and export attribute flow rules for this scenario. This document requires you to configure import attribute flow rules for the user object of the management agent for Active Directory.

The following illustration shows the Configure Attribute Flow dialog box after you have applied all the attribute flow rules for the user object.

[Illustration: Configure Attribute Flow dialog box for user to person, showing the Direct import flow from sAMAccountName to uid]

The following table shows the data source and metaverse attribute pairs for which you must configure a flow rule.

Flow Rule   Data Source Attribute   Metaverse Attribute
Rule 1      sAMAccountName          uid

To complete the Configure Attribute Flow page

  1. In the Data source object type box select user.

  2. In the Metaverse object type box, select person.

  3. Under Mapping Type, select Direct.

  4. Under Flow Direction, select Import.

  5. For each row in the table immediately above this procedure, complete the following steps:

    1. In the Data source attribute list, select the data source attribute shown for that row in the table.

    2. In the Metaverse attribute list, select the metaverse attribute shown for that row in the table.

    3. Click New.

  6. After completing the steps to configure attribute flow for each attribute in the table, click Next.
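
The following Python script is an added illustration, not code from the original document and not ILM 2007's own implementation. It models what a Full Synchronization does with the rules configured on the Configure Join and Projection Rules and Configure Attribute Flow pages above: join a user to an existing person when its sAMAccountName equals the person's uid, project the user as a new person when nothing matches, and flow sAMAccountName into uid. It then shows which account in the receiving forest a password change from the authoritative forest would be pushed to. The management agent names ContosoADMA and FabrikamADMA and the users U1 to U4 come from this document; the second Fabrikam account that reuses U2's sAMAccountName in another domain is constructed for the example, to show how a collision on the join attribute surfaces. The error labels are the example's own, not ILM's error names.

```python
"""Model of the ILM 2007 user -> person rules configured in this document.

Added example only; it mimics the join, projection and import-flow behaviour
of a Full Synchronization so that collisions on the join attribute can be
spotted before a partition is enabled as a password synchronization source.
"""
from dataclasses import dataclass, field


@dataclass
class CsObject:
    """A connector space object staged by one management agent."""
    ma: str
    dn: str
    object_type: str
    sam_account_name: str = ""


@dataclass
class MvObject:
    """A metaverse person; ILM allows at most one connector per management agent."""
    uid: str = ""
    connectors: dict = field(default_factory=dict)  # ma -> connector space dn


def full_synchronization(metaverse, cs_objects, errors):
    """Apply the join rule, then projection, then import flow for each user.

    Only 'user' has rules; container, domainDNS and organizationalUnit are
    staged in the connector space but never reach the metaverse. Join is
    evaluated before projection: a new person is projected only when no
    existing person matches sAMAccountName -> uid.
    """
    for obj in cs_objects:
        if obj.object_type != "user":
            continue
        matches = [mv for mv in metaverse if mv.uid and mv.uid == obj.sam_account_name]
        if len(matches) > 1:
            # Two persons with the same uid (possible because uid is not indexed
            # or unique in the metaverse): the object stays a disconnector.
            errors.append(("ambiguous-join", obj.dn))
            continue
        if matches:
            target = matches[0]
            if obj.ma in target.connectors:
                # Another object from the same MA already joined this person.
                errors.append(("join-constraint", obj.dn))
                continue
        else:
            target = MvObject()            # projection rule: user -> person (Declared)
            metaverse.append(target)
        target.connectors[obj.ma] = obj.dn
        target.uid = obj.sam_account_name  # import flow rule: sAMAccountName -> uid
    return metaverse


def password_targets(metaverse, source_ma, source_dn, target_ma):
    """DN(s) in target_ma that receive a password change reported for source_dn.

    An empty list means the change is dropped: the source account has no
    metaverse link, so there is nothing in the receiving forest to update.
    """
    return [mv.connectors[target_ma]
            for mv in metaverse
            if mv.connectors.get(source_ma) == source_dn and target_ma in mv.connectors]


def duplicate_join_keys(cs_objects):
    """Pre-flight check: sAMAccountName values carried by more than one user
    within the same management agent. sAMAccountName is unique per domain,
    not per forest, so a multi-domain forest can produce collisions."""
    seen = {}
    for obj in cs_objects:
        if obj.object_type == "user":
            seen.setdefault((obj.ma, obj.sam_account_name), []).append(obj.dn)
    return {key: dns for key, dns in seen.items() if len(dns) > 1}


# Constructed sample data: U1..U4 in both forests (as created by the appendix
# scripts) plus a second Fabrikam account in another domain that reuses U2.
FABRIKAM_CS = [CsObject("FabrikamADMA", "OU=MIISObjects,DC=fabrikam,DC=com", "organizationalUnit")] + [
    CsObject("FabrikamADMA", f"CN=U{i},OU=MIISObjects,DC=fabrikam,DC=com", "user", f"U{i}")
    for i in range(1, 5)
] + [CsObject("FabrikamADMA", "CN=U2,OU=Sales,DC=emea,DC=fabrikam,DC=com", "user", "U2")]
CONTOSO_CS = [
    CsObject("ContosoADMA", f"CN=U{i},OU=MIISObjects,DC=contoso,DC=com", "user", f"U{i}")
    for i in range(1, 5)
]


def run_lab():
    """Run the two Full Synchronizations in the order this document uses."""
    metaverse, errors = [], []
    full_synchronization(metaverse, FABRIKAM_CS, errors)  # projects U1..U4 as persons
    full_synchronization(metaverse, CONTOSO_CS, errors)   # joins Contoso users on uid
    return metaverse, errors


if __name__ == "__main__":
    mv, errs = run_lab()
    print("duplicate join keys:", duplicate_join_keys(FABRIKAM_CS))
    print("synchronization errors:", errs)
    print("Contoso U1 password is pushed to:",
          password_targets(mv, "ContosoADMA", "CN=U1,OU=MIISObjects,DC=contoso,DC=com", "FabrikamADMA"))
```

Because the join rule links accounts across the two forests by sAMAccountName alone, whichever Fabrikam object joined the person first is the one that receives the authoritative password; the colliding account is left as a disconnector with an error. Run the duplicate check against both connector spaces, and review the synchronization errors, before you enable the partition as a password synchronization source.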

Configure Deprovisioning

You do not have to configure anything on this page.

To complete the Configure Deprovisioning page

  • Click Next.

Configure Extensions

You do not have to configure anything on this page.

To complete the Configure Extensions page

  • Click Finish.

Configure the Run Profiles

This topic provides instructions for creating and configuring the required run profiles. For this document, you must create two run profiles for each of the management agents for the Fabrikam and Contoso forests.

The following table shows the run profiles you must create for the management agents for the Fabrikam forest (FabrikamADMA) and the Contoso forest (ContosoADMA).

Run Profile Name       Step Type
Full Import            Full Import (Stage Only)
Full Synchronization   Full Synchronization

To create the run profiles for the management agent for the Fabrikam forest

  1. Open Identity Manager.

  2. Switch to the Management Agents view.

  3. In the management agent list, select FabrikamADMA.

  4. On the Actions menu, click Configure Run Profiles to open the Configure Run Profiles for FabrikamADMA dialog box.

  5. For each run profile in the table immediately above this procedure, complete the following steps:

    1. To open the Configure Run Profile wizard, click New Profile.

    2. In the Name box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  6. After you have created both run profiles, click OK to exit the Configure Run Profiles for FabrikamADMA dialog box.

To create the run profiles for the management agent for the Contoso forest

  • Follow the same procedure for creating the run profiles as for the Fabrikam forest, ensuring that you select ContosoADMA from the management agent list.

Test the Configuration

Complete the following procedures to test your configuration:

  1. Execute the run profiles for the Fabrikam forest.

  2. Execute the run profiles for the Contoso forest.

  3. Verify client logon.

  4. Change the user's password in the Contoso Forest.

  5. Verify password change in the Contoso forest is synchronized to the Fabrikam forest.

Execute the run profiles for the Fabrikam Forest

In this procedure, you run the run profiles for the Fabrikam forest. The Full Import stages the Fabrikam objects in the connector space, and the Full Synchronization projects each user object into the ILM 2007 metaverse as a person object, or joins it to an existing person object whose uid matches the user's sAMAccountName.

To execute the run profiles for the FabrikamADMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view by clicking the Management Agents button.

  3. In the Management Agents box, select FabrikamADMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Execute the run profiles for the Contoso Forest

In this procedure, you run the run profiles for the Contoso forest. The Full Import stages the Contoso objects in the connector space, and the Full Synchronization joins each user object to the person object that the Fabrikam run projected, matching the user's sAMAccountName to the person's uid, or projects a new person object if no match exists.

To execute the run profiles for the ContosoADMA

  1. Open Identity Manager.

  2. Switch to the Management Agents view by clicking the Management Agents button.

  3. In the Management Agents box, select ContosoADMA.

  4. In the Actions box, click Run.

  5. On the Run Management Agent page, in the Run Profiles box, choose Full Import.

  6. Click OK.

  7. After the Full Import run profile completes, repeat the above steps to run the Full Synchronization run profile.

Verify client logon

Complete the following procedures to verify that users can initially log on to the client workstations in the Fabrikam and Contoso forests with their existing credentials.

To verify logon to the client workstation in the Fabrikam forest

  1. Log on to the client computer (XPClient2) with the following user credentials:

    User: U1

    Password: p@ssword

  2. Verify that you can successfully log on to the computer.

To verify logon to the client workstation in the Contoso forest

  1. Log on to the client computer (XPClient1) with the following user credentials:

    User: U1

    Password: p@ssword

  2. Verify that you can successfully log on to the computer.

Change the user's password in the Contoso forest

Complete the following procedure to change the user's password in the Contoso forest.

To change the user's password in Active Directory

  1. From the client computer (XPClient1) in the Contoso forest, press CTRL+ALT+DEL, and then click Change Password to change the password for user U1.

  2. Change the password of user, U1, from p@ssword to f@brikam.

Verify password change in the Contoso forest is synchronized to the Fabrikam forest

Complete the following procedure to verify that the changed password in the Contoso forest, which is the authoritative source for password change operations, is pushed to the Fabrikam forest.

To verify password change in the Contoso forest is synchronized to the Fabrikam forest

  1. From a client computer in the Fabrikam forest (XPClient2), press CTRL+ALT+DEL.

  2. At the logon screen, enter the following credentials:

    Username: U1

    Password: f@brikam

  3. Click OK to log on with the new password.

Summary

In this document, you have been introduced to the essential steps of synchronizing passwords from an authoritative Active Directory forest to a receiving Active Directory forest in a lab environment.

As a next step, configure an exclusion group for your scenario and observe its effect on the password synchronization process. You can also configure your lab so that PCNS and ILM 2007 are in different forests; keep in mind that this requires a two-way forest trust between the two forests.

Appendices

Appendix A: Script to Populate the Fabrikam Forest Active Directory Objects

Option Explicit

' Run this script in the Fabrikam forest, on a domain controller or a
' domain-joined computer, with an account that can create organizational
' units and users. It binds to the default naming context of the domain you
' are logged on to, so it populates whichever forest it is run in.
Dim objRoot, strDomainDN, objDomain

' Bind to the domain
Set objRoot = GetObject("LDAP://rootDSE")
strDomainDN = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDomainDN)

' Create the MIISObjects organizational unit
Dim objOU, strContainer
strContainer = "MIISObjects"
Set objOU = objDomain.Create("organizationalUnit", "ou=" & strContainer)
objOU.SetInfo

' Create users U1 to U4 with the lab password and enable each account
Dim i, objUser, strUserName, strPassword
strUserName = "U"
strPassword = "p@ssword"

For i = 1 To 4
    Set objUser = objOU.Create("user", "cn=" & strUserName & i)
    objUser.Put "sAMAccountName", strUserName & i
    objUser.SetInfo                     ' the account must exist before SetPassword

    objUser.SetPassword strPassword

    objUser.AccountDisabled = False
    objUser.SetInfo
Next

WScript.Echo "Organizational unit and users are now created."

Appendix B: Script to Populate the Contoso Forest Active Directory Objects

Option Explicit

' Run this script in the Contoso forest, on a domain controller or a
' domain-joined computer, with an account that can create organizational
' units and users. It is identical to the Appendix A script: it binds to the
' default naming context of the domain you are logged on to, so it populates
' whichever forest it is run in.
Dim objRoot, strDomainDN, objDomain

' Bind to the domain
Set objRoot = GetObject("LDAP://rootDSE")
strDomainDN = objRoot.Get("defaultNamingContext")
Set objDomain = GetObject("LDAP://" & strDomainDN)

' Create the MIISObjects organizational unit
Dim objOU, strContainer
strContainer = "MIISObjects"
Set objOU = objDomain.Create("organizationalUnit", "ou=" & strContainer)
objOU.SetInfo

' Create users U1 to U4 with the lab password and enable each account
Dim i, objUser, strUserName, strPassword
strUserName = "U"
strPassword = "p@ssword"

For i = 1 To 4
    Set objUser = objOU.Create("user", "cn=" & strUserName & i)
    objUser.Put "sAMAccountName", strUserName & i
    objUser.SetInfo                     ' the account must exist before SetPassword

    objUser.SetPassword strPassword

    objUser.AccountDisabled = False
    objUser.SetInfo
Next

WScript.Echo "Organizational unit and users are now created."