Prepare AD DS for FIM CM Installation

Updated: November 8, 2010

Applies To: Forefront Identity Manager Certificate Management

The Active Directory Domain Services (AD DS) schema must be extended in order to support FIM CM. The schema extensions add seven FIM CM extended permissions that you can use to delegate FIM CM management permissions to groups and users.

WarningWarning
Extending the AD DS schema is necessary for FIM CM to install, but this operation must be carefully planned. Changes to the AD DS schema are typically considered permanent. That is, changes to the AD DS schema cannot be undone without doing an Authoritative Restore of Active Directory. An Authoritative Restore should only be done if absolutely necessary because it could result in the loss of data from AD (users, groups, etc. added after the schema modification). For this reason, once you modify the AD schema, it should be considered a permanent change. For more information, see Extending the Active Directory Schema (http://go.microsoft.com/fwlink/?LinkId=205810) and Performing Authoritative Restore of an Application Directory Partition.

To extend the AD DS, you must be a member of the Schema Admins group for the AD DS forest.

FIM CM extended permissions include the following:

  • FIM CM Audit: Generates and displays FIM CM policy templates, defines management policies within a profile template, and generates FIM CM reports.

  • FIM CM Enrollment Agent: Performs certificate requests for the user or group on behalf of another user. The issued certificate’s subject contains the target user’s name, not the requester’s name.

  • FIM CM Enroll: Initiates, executes, or completes an enrollment request.

  • FIM CM Recover: Initiates encryption key recovery from the certification authority (CA) database.

  • FIM CM Renew: Initiates, executes, or completes an enrollment request. The renewal request replaces a user’s certificate that is near its expiration date with a new certificate that has a new validity period.

  • FIM CM Revoke: Revokes a certificate before the expiration of the certificate’s validity period. This can be necessary, for example, if a user’s computer or smart card is stolen.

  • FIM CM Request Unblock Smart Card: Resets a smart card’s user personal identification number (PIN) so that you can access the key material on a smart card.

noteNote
Earlier versions of FIM CM, such as ILM 2007 CLM or ILM "2" RC0 CLM used slightly different schema extension naming. To recognize the earlier version of each name, replace the "FIM CM" portion of the name with "CLM". For example, FIM CM Audit would be CLM Audit. This was a name change only.

Extending the AD DS Schema

You can use either of the following methods to apply the modifications:

  • Run the ModifySchema.vbs sample script.

    ModifySchema.vbs modifies the schema on the default forest by using the current credentials for the user. If your settings differ from the default settings, you must edit the script before you run it.

    As an option, you can also run ModifySchemaOnlineUpdate.vbs to add an attribute to the user object if you plan to use an online update service to renew or update profiles.

  • Run the LDAP Data Interchange Format Data Exchange tool, ldifde.exe.

    The following procedure describes using the LDIFDE method for extending the AD DS Schema.

To extend the Active Directory Schema using LDIFDE

  1. Ensure that the FIM CM installation files are accessible to the domain controller to which you connect. On the FIM CM installation media, open the Certificate Management folder and then open the x64 folder. Copy the Schema folder to a location on the domain controller to which you are connected.

  2. Open an elevated Command Prompt window, and then type change directory to the Schema folder you just copied over to the domain controller.

  3. Open Notepad and replace all of the DC=company,DC=com lines, with the LDAP path of your organization’s forest root domain. For example, if your AD DS root domain fully qualified domain name (FQDN) is corp.contoso.com, the LDAP path is DC=corp,DC=contoso,DC=com.

    1. Type notepad clm.ldif and press ENTER.

    2. In Notepad click Edit and then click Replace.

    3. In Find what, type DC=company,DC=com

    4. In Replace with, type your_domain_LDAP_path and then click Replace All.

    5. Close the Replace dialog box.

    6. In Notepad, click File and then click Save.

  4. When you are ready to extend the schema, import the settings specified in clm.ldif using ldifde.exe. To do so, in the Command Prompt window, type ldifde –i –f clm.ldif and press ENTER.

  5. When you see “The command has completed successfully,” the Active Directory Schema has been updated. Close the Command Prompt window and any other open windows.

See Also

Community Additions

ADD
Show: