Steps for Deploying Cross-Forest Management Solution Using Forefront Identity Manager (FIM) 2010

Updated: June 3, 2010

Applies To: Forefront Identity Manager 2010

This document provides step-by-step instructions for implementing a cross-forest management solution by using Microsoft® Forefront® Identity Manager (FIM) 2010.

Important

As with any solution, it is important to try this solution in a test environment before you deploy it into your production environment.

Prerequisite Knowledge

This document assumes that you have a basic understanding of the relevant information technology (IT) concepts and tasks.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap (https://go.microsoft.com/fwlink/?LinkId=187028). For an introduction to essential FIM 2010 concepts, see the documents in the Getting Started (https://go.microsoft.com/fwlink/?LinkId=188283) collection of the FIM 2010 technical library.

A description of how to set up FIM 2010 and AD DS is out of the scope of this document.

Time Requirements

The procedures in this document require 120 to 180 minutes for a new user to complete.

Note

These time estimates assume that the testing environment is already configured for the scenario. They do not include the time required to set up the test environment.

Audience

This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to develop and deploy a cross-forest solution by using FIM 2010.

Testing Environment

The following lab environment is recommended to test the procedures in this topic:

  • Windows Server 2008 domain controller hosting the Fabrikam.com domain

  • Windows Server 2008 domain controller hosting the Contoso.com domain

    Note

    To correctly implement the solution in this document, there must be a two-way forest trust established between the Fabrikam.com and Contoso.com forests.

  • Windows Server 2008 server hosting FIM 2010. For the purposes of this scenario, this server is joined to the Fabrikam.com domain.

Implementing the procedures in this document

To implement the procedures in this document, you must complete the following steps in the following order:

  1. Configure Windows SharePoint Services 3.0 Portal

  2. Create string version of objectSid in the FIM Portal

  3. Create Binding to objectSid Attribute

  4. Map objectSIDString between FIM and the Synchronization Engine

  5. Configure the Administrator Filter Scope

  6. Create Forest Configuration Objects

  7. Create FSP Sets

  8. Create Domain Configuration Objects

  9. Create All Domains in Forest Sets

  10. Create the Contact Sets for Each Forest

  11. Create Cross-Forest Group Membership Calculation Workflow and Management Policy Rule

  12. Create Active Directory Management Agents

  13. Enable Codeless Provisioning

  14. AD DS User Provisioning

  15. Sets for AD DS Objects

  16. Create AD DS Synchronization Rules

  17. Create Synchronization Workflow and Management Policies

Configure Windows SharePoint Services 3.0 Portal

By default, FIM is configured to allow authenticated users access to the SharePoint portal, which also grants all users from trusted domains access to the portal. If you have changed the default settings, ensure that all users who need to access the FIM Portal, including users from the trusted forest, have Read permissions to the SharePoint site.

Create string version of objectSid in the FIM Portal

To create Foreign Security Principals (FSPs) in AD DS, the objectSid of the User or Group object that the FSP references must be available. Therefore, the provisioning sets for FSPs need to include the objectSid attribute in their criteria to ensure that it contains a value. However, objectSid in FIM is a binary attribute, and set criteria cannot operate on binary attributes. Therefore, a string version of objectSid, which set criteria can reference, needs to be created in FIM and in the Synchronization engine metaverse to hold the string value of the objectSid.
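The conversion that objectSidString has to hold, as an added example in Python (not part of the original document): it parses a raw objectSid into the S-1-5-... string that AD uses to name foreign security principals and that set criteria can filter on, and it rejects malformed values in both directions. The layout used (revision byte, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) is the Windows SID structure; the sample SID bytes are constructed and do not belong to a real account.

```python
import re
import struct

# A string SID: "S-1-<authority>-<sub>-<sub>...". Authorities that do not fit
# in 32 bits are printed by Windows as 0x-prefixed hex, so both forms are accepted.
SID_STRING_RE = re.compile(r"^S-1-(\d+|0x[0-9A-Fa-f]{1,12})(-\d+)+$")


def sid_bytes_to_string(sid: bytes) -> str:
    """Render a binary objectSid in the form the objectSidString attribute holds."""
    if len(sid) < 8:
        raise ValueError("SID shorter than the 8-byte header")
    revision, sub_count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match its sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")           # 6 bytes, big-endian
    subs = struct.unpack(f"<{sub_count}I", sid[8:])       # 32-bit little-endian each
    auth_text = str(authority) if authority < 2**32 else f"0x{authority:012X}"
    return "S-1-" + auth_text + "".join(f"-{s}" for s in subs)


def sid_string_to_bytes(text: str) -> bytes:
    """Inverse of sid_bytes_to_string; rejects anything that is not a well-formed SID string."""
    if not SID_STRING_RE.match(text):
        raise ValueError(f"not a SID string: {text!r}")
    parts = text.split("-")[2:]                            # drop "S" and the revision
    auth = parts[0]
    authority = int(auth, 16) if auth.lower().startswith("0x") else int(auth)
    subs = [int(p) for p in parts[1:]]
    if len(subs) > 15:
        raise ValueError("a SID carries at most 15 sub-authorities")
    header = bytes([1, len(subs)]) + authority.to_bytes(6, "big")
    return header + struct.pack(f"<{len(subs)}I", *subs)


def is_domain_sid(text: str) -> bool:
    """True for account SIDs issued by a domain (S-1-5-21-<3 domain parts>-<RID>),
    the kind an FSP references; well-known SIDs such as S-1-5-18 are not."""
    return text.startswith("S-1-5-21-") and len(text.split("-")) == 8


# Constructed sample: a raw objectSid as it would be read from AD (not a real account).
SAMPLE_OBJECT_SID = bytes.fromhex(
    "01 05 00 00 00 00 00 05"   # revision 1, 5 sub-authorities, authority 5 (NT)
    "15 00 00 00"               # 21
    "dc f4 dc 3b"               # 1004336348
    "83 3d 2b 46"               # 1177238915
    "82 8b a6 28"               # 682003330
    "e9 03 00 00"               # 1001 (the RID)
)

if __name__ == "__main__":
    text = sid_bytes_to_string(SAMPLE_OBJECT_SID)
    print(text, is_domain_sid(text))
```

A practitioner can run this against an objectSid exported from AD to confirm that the value the synchronization rule flows into objectSidString is exactly the cn that AD will give the corresponding FSP object.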

To create the string version of objectSid in the FIM Portal:

  1. Open the FIM Portal, click Administration, click All Attributes, and then click New.

  2. Enter the details for the new attribute shown in the following table, and then click Next.

    System Name: A meaningful name for the attribute, such as objectSidString
    Display name: A meaningful name for the attribute, such as objectSidString
    Data type: Indexed string

    For any field in the user interface (UI) that does not have a value in the table, accept the default settings.

Create Binding to objectSid Attribute

In the following procedures, you bind the objectSidString attribute that you created in the Create string version of objectSid in the FIM Portal procedure earlier in this document to the Person and Group objects in the FIM Portal.

To create the binding for this attribute to the Person object in the FIM Portal

  1. Open the FIM Portal, click Administration, click All Attributes, and then click New.

  2. Enter the details for the new binding shown in the following table, click Finish, and then click Next.

    Resource type: User
    Attribute type: The attribute created above, such as objectSidString
    Required: Cleared

    For any field in the UI that does not have a value in the table, accept the default settings.

To create the binding for this attribute to the Group object in the FIM Portal

  1. Open the FIM Portal, click Administration, click Schema Management, click All Bindings, and then click New.

  2. Enter the details for the new binding shown in the following table, click Finish, and then click Next.

    Resource Type: User
    Attribute Type: The attribute created above, such as objectSidString
    Required: Cleared

    For any field in the UI that does not have a value in the table, accept the default settings.

Create String Version of objectSid in the Synchronization Engine

In the following procedure, you create the string version of the objectSid attribute in the synchronization engine.

To create the string version of objectSid in the synchronization engine

  1. Open Microsoft Forefront Identity Manager, and then click Synchronization Service.

  2. Click the Metaverse Designer tab, and then in the Object Types list box, select person.

  3. In the Actions menu, click Add Attribute, and then click New Attribute.

  4. Enter the details for the new attribute shown in the following table, and then click OK.

    Attribute name: The attribute created above, such as objectSidString
    Attribute type: String (indexable)
    Multivalued: Cleared
    Required: Cleared

  5. In the Object Types list box, select Group, and then in Actions, click Add Attribute.

  6. In the list of Available attributes, select the new attribute, objectSidString, and then click OK.

  7. Close Synchronization Service Manager.

Map objectSIDString between FIM and the Synchronization Engine

In the following procedure, you map the attribute, objectSidString, between FIM and the synchronization engine.

To map the objectSidString between FIM and the synchronization engine

  1. Open Microsoft Forefront Identity Manager, click Synchronization Service, click the Management Agents tab, and then select the FIM Service Management Agent.

  2. On the Actions menu, click Refresh Schema, enter any credentials as necessary, and then click OK.

  3. On the Actions menu, click Properties, click Select Attributes, and then select the Person grouping from the Configure Attribute Flow table.

  4. In the Data source attribute list, select objectSidString. In the Metaverse attribute list, select objectSidString, and then in the Flow Direction grouping, click Export. Click New.

  5. In the Configure Attribute Flow table, select the Group grouping. In the Data source attribute list, select objectSidString. In the Metaverse attribute list, select objectSidString. In the Flow Direction grouping, click Export, click New, and then click OK.

Configure the Administrator Filter Scope

To create the Forest configuration sets, the Administrator Filter Scope object must include the ForestConfiguration, DomainConfiguration, and ObjectSidString attributes.

To edit the Administrator Filter Scope object

  1. Open the FIM Portal, click Administration, click All resources, click Filter Scope and then select Administrator Filter Permission.

  2. Click the Permitted Filter Attributes tab, add the information in the following table to the text box located next to Allowed Attributes, click OK, and then click Submit.

    Allowed attributes:
      Forest Configuration
      Domain Configuration
      objectSidString

Create Forest Configuration Objects

For each forest, you need to create a Forest Configuration object.

To create a new Forest Configuration

  1. Open the FIM Portal, click Administration, click All resources, click Forest Configuration, and then click New.

  2. Enter the details for the new forest shown in the following table, click Next, and then click Submit.

    Display name: A meaningful name for the forest, such as Fabrikam.com Forest
    Description: A meaningful description, such as Fabrikam.com Forest Configuration Object
    Trusted forests: Browse to the Forest Configuration objects of the forests that this AD DS forest has been configured to trust. You may need to return and edit this value if the Forest Configuration for a trusted forest does not yet exist.
    Distribution group domain: Leave this blank.
    Contacts set: Leave this blank for now.

  3. Repeat these steps for each Active Directory forest. For our example, use the steps above to create a new Forest Configuration object for the Contoso.com forest.

Create FSP Sets

For each domain, you need to create the FSP set now and configure the domain configuration objects later to reference those sets.

To create FSP sets

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Domain Local Security Group members not in Fabrikam.com Domain (FSPs)
    Description: A meaningful description, such as Fabrikam.com Domain FSPs Set
    Enable criteria-based membership in current set: Cleared

  2. Repeat this same procedure to create the FSP set for the contoso.com forest.

Create Domain Configuration Objects

For each domain, create a Domain Configuration object.

To create a new domain configuration object

  1. Open the FIM Portal, click Administration, click All resources, click Domain Configuration, and then click New.

  2. Enter the details for the new domain as shown in the following table, and then click OK and Submit.

    Display name: A meaningful name for the domain, such as Fabrikam.com Domain
    Domain: The Network Basic Input/Output System (NetBIOS) name of this domain, such as FABRIKAM
    Forest configuration: Browse to the Forest Configuration object that you created for this forest.
    FSP set: Browse to the FSP set that you created for this domain in the Create FSP Sets section earlier in this document, and then click OK.

  3. Repeat these steps for each Active Directory domain. For our example, create the domain configuration object for the Contoso.com domain.

Create All Domains in Forest Sets

For each forest, you need to create a set that contains all the domains in that forest.

To create the All Domains in a Forest set

  1. Open the FIM Portal, and create a Set with the following details:

    Display name: A meaningful name for the set, such as All Domain Configuration Objects in Fabrikam.com Forest
    Description: A meaningful description, such as All domains in Fabrikam.com forest
    Enable criteria-based membership in current set (Criteria-based Members tab): Selected
    Criteria: Domain Configuration where Forest Configuration is the Fabrikam.com Forest Configuration object

  2. Repeat these steps for each Active Directory forest. For our example, create the same set for Contoso.com.

Create the Contact Sets for Each Forest

For each forest, you need to create the following contact sets:

  • All Users NOT in a Forest

  • All Groups NOT in a Forest

  • All Users and Groups NOT in a Forest

To create the All Users NOT in a Forest set

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Users NOT in Fabrikam.com Forest (Contacts)
    Description: A meaningful description, such as Fabrikam.com Forest Contact Sets
    Enable criteria-based membership in current set (Criteria-based Members tab): Selected
    Criteria: user where Domain Configuration not in All Domain Configuration Objects in Fabrikam.com Forest

  2. Repeat this same procedure to create the same Set for the Contoso.com forest.

To create All Groups NOT in a Forest set

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Groups NOT in Fabrikam.com Forest (Contacts)
    Description: A meaningful description, such as All Groups NOT in Fabrikam.com Forest (Contacts)
    Enable criteria-based membership in current set (Criteria-based Members tab): Selected
    Criteria: group where Domain Configuration not in All Domain Configuration Objects in Fabrikam.com Forest

  2. Repeat this same procedure to create the same set for the contoso.com forest.

To create the All Users and Groups NOT in a Forest set

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Users and Groups NOT in Fabrikam.com Forest (Contacts)
    Description: A meaningful description, such as All Users and Groups NOT in Fabrikam.com Forest (Contacts)
    Enable criteria-based membership in current set (Criteria-based Members tab): Selected
    Criteria: all resources that match any of the following conditions:

    • Resource ID in All Users NOT in Fabrikam.com Forest (Contacts)

    • Resource ID in All Groups NOT in Fabrikam.com Forest (Contacts)
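The relationship between the Forest Configuration objects, the Domain Configuration objects, the All Domains in Forest set and the three contact sets, as an added Python example that is not part of the original document. The dataclasses are a hypothetical model of the portal objects, and the functions evaluate the set criteria from the procedures above over constructed sample data. How FIM itself treats a resource whose Domain Configuration is empty in a "not in" filter is not stated on this page; the example excludes such resources, and the code labels that as an assumption.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


# Hypothetical models of the FIM Portal objects created in the procedures above.
@dataclass(frozen=True)
class ForestConfiguration:
    display_name: str                       # e.g. "Fabrikam.com Forest"


@dataclass(frozen=True)
class DomainConfiguration:
    display_name: str                       # e.g. "Fabrikam.com Domain"
    domain: str                             # NetBIOS name, e.g. "FABRIKAM"
    forest_configuration: ForestConfiguration


@dataclass(frozen=True)
class FimResource:
    resource_id: str
    object_type: str                        # "user" or "group"
    domain_configuration: Optional[DomainConfiguration]


def all_domains_in_forest(domains: Iterable[DomainConfiguration],
                          forest: ForestConfiguration) -> frozenset:
    """Set 'All Domain Configuration Objects in <forest>':
    Domain Configuration where Forest Configuration is <forest>."""
    return frozenset(d for d in domains if d.forest_configuration == forest)


def not_in_forest(resources: Iterable[FimResource], forest_domains: frozenset,
                  object_type: str) -> frozenset:
    """Set '<object_type> where Domain Configuration not in <forest domain set>'.
    Assumption: resources with no Domain Configuration are left out, because
    the page does not say how FIM evaluates a null reference here and creating
    contacts for an object of unknown origin is the unsafe default."""
    return frozenset(
        r.resource_id for r in resources
        if r.object_type == object_type
        and r.domain_configuration is not None
        and r.domain_configuration not in forest_domains
    )


def contact_sets_for_forest(resources, domains, forest) -> dict:
    """The three contact sets the procedure creates for one forest."""
    forest_domains = all_domains_in_forest(domains, forest)
    users = not_in_forest(resources, forest_domains, "user")
    groups = not_in_forest(resources, forest_domains, "group")
    return {
        "All Users NOT in Forest (Contacts)": users,
        "All Groups NOT in Forest (Contacts)": groups,
        # "all resources that match any of the following conditions"
        "All Users and Groups NOT in Forest (Contacts)": users | groups,
    }


# Constructed sample data: two single-domain forests, as in the lab environment.
FABRIKAM_FOREST = ForestConfiguration("Fabrikam.com Forest")
CONTOSO_FOREST = ForestConfiguration("Contoso.com Forest")
DOMAINS = [
    DomainConfiguration("Fabrikam.com Domain", "FABRIKAM", FABRIKAM_FOREST),
    DomainConfiguration("Contoso.com Domain", "CONTOSO", CONTOSO_FOREST),
]
RESOURCES = [
    FimResource("u-alice", "user", DOMAINS[0]),
    FimResource("u-bob", "user", DOMAINS[1]),
    FimResource("g-fab-admins", "group", DOMAINS[0]),
    FimResource("g-con-sales", "group", DOMAINS[1]),
    FimResource("u-orphan", "user", None),   # imported without a Domain Configuration
]

if __name__ == "__main__":
    for name, members in contact_sets_for_forest(RESOURCES, DOMAINS, FABRIKAM_FOREST).items():
        print(f"{name}: {sorted(members)}")
```

Running the same function for the Contoso.com forest gives the mirror image (the Fabrikam objects), which is why the procedure is repeated once per forest.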

Create Cross-Forest Group Membership Calculation Workflow and Management Policy Rule

To enable management of the FSP set, you must create a workflow, Set, and Management Policy Rule (MPR) that uses the Group Member Validation activity.

To create the workflow

  1. Create a new file called GroupMemberValidation.xaml with the following content:

    <ns0:SequentialWorkflow
        x:Name="SequentialWorkflow"
        ActorId="00000000-0000-0000-0000-000000000000"
        WorkflowDefinitionId="00000000-0000-0000-0000-000000000000"
        RequestId="00000000-0000-0000-0000-000000000000"
        TargetId="00000000-0000-0000-0000-000000000000"
        xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
        xmlns:ns0="clr-namespace:Microsoft.ResourceManagement.Workflow.Activities;Assembly=Microsoft.ResourceManagement, Version=4.0.2592.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35">
        <ns0:GroupMembershipValidationActivity />
    </ns0:SequentialWorkflow>

    Replace 4.0.2592.0 with the version of FIM that is installed.

  2. Open the FIM Portal and create a workflow with the following details:

    Display name: A meaningful name for the workflow, such as Cross Forest Group Membership Calculation Workflow
    Description: A meaningful description, such as Cross Forest Group Membership Calculation Workflow
    Workflow type: Action
    Run-on policy update: Cleared
    Import pre-existing workflow definition from an XOML file (Activities tab): Selected
    File to import: GroupMemberValidation.xaml

In the following procedure, you create the All Domain Local Groups set.

To create the All Domain Local Groups set

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Domain Local Groups
    Description: A meaningful description, such as All Domain Local Groups
    Enable criteria-based membership in current set (Criteria-based Members tab): Selected
    Criteria: Groups where Scope is DomainLocal (this value must be entered manually)

In the following procedure, you create the MPR.

To create the MPR

  1. Open the FIM Portal and create an MPR with the details shown in the following table.

    Display name: A meaningful name for the MPR, such as Cross Forest Group Membership Calculation Policy
    Description: A meaningful description, such as Cross Forest Group Membership Calculation Policy
    Type: Request
    Specific set of Requestors: All People
    Create resource: Selected
    Delete resource: Cleared
    Read resource: Cleared
    Add a value to a multivalued attribute: Selected
    Remove a value from a multivalued attribute: Cleared
    Modify a single-valued attribute: Cleared
    Grants permissions: Cleared
    Target resource definition before request: All Domain Local Groups
    Target resource definition after request (Specific set of objects): All Domain Local Groups
    Resource attributes (Select specific attributes): Manually-managed membership
    Authentication workflows: None (clear all check boxes)
    Authorization workflows: None (clear all check boxes)
    Action workflow: Cross Forest Group Membership Calculation Workflow

Create Active Directory Management Agents

To create the management agents for AD DS, you first create the management agents and then create the necessary run profiles for those agents. The default value is acceptable for any value not listed in the following procedures.

To create management agents

  1. Open Synchronization Service Manager and create a management agent by using the procedure in the “Creating the Fabrikam ADMA” section of the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide, except for the fields noted in the following table.

    Dialog box: Configure Directory Partitions -> Containers
    Field: Select containers
    Value: The containers to be synchronized, such as Users and ForeignSecurityPrincipals. Select the ForeignSecurityPrincipals container only for the domain that contains, or will contain, the greatest number of Domain Local security groups.

    Dialog box: Select Object Types
    Field: Object types
    Value: In addition to the object types selected in the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide, select the following (click Show All to expose the foreignSecurityPrincipal selection):
      contact
      container
      domainDNS
      foreignSecurityPrincipal
      organizationUser

    Dialog box: Select Attributes
    Field: Attributes
    Value: In addition to the attributes selected in the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide, select the following:
      assistant
      cn
      co
      company
      department
      description
      facsimileTelephoneNumber
      homeMDB
      info
      l (lower case “L”)
      mail
      mailNickname
      managedBy
      manager
      mDBUseDefaults
      middleName
      mobile
      msExchRecipientDisplayType
      name
      physicalDeliveryOfficeName
      postalAddress
      postalCode
      secretary
      sIDHistory
      telephoneNumber
      title

    Dialog box: Configure Join and Projection
    Field: Join and projection rules for contact
    Value:
      Action: Join; Metaverse object type: person; Condition: data source attribute mailNickname = metaverse attribute mailNickname
      Action: Join; Metaverse object type: group; Condition: data source attribute mailNickname = metaverse attribute mailNickname

    Dialog box: Configure Join and Projection
    Field: Join and projection rules for foreignSecurityPrincipal
    Value:
      Action: Join; Metaverse object type: person; Condition: data source attribute cn = metaverse attribute objectSidString
      Action: Join; Metaverse object type: group; Condition: data source attribute cn = metaverse attribute objectSidString

  2. Repeat these steps for each Active Directory domain. For our example, create the same management agent for the Contoso.com domain.

After creating the management agents for both domains, you need to create the following run profiles for each management agent:

  • Full Import

  • Full Synchronization

  • Delta Import / Delta Synchronization

  • Export

For step-by-step instructions about configuring these run profiles, see the Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850) guide. See the section titled “Creating the Fabrikam ADMA.”

Enable Codeless Provisioning

To enable a synchronization rule to provision objects, you need to enable codeless provisioning.

To enable codeless provisioning

  • Open Synchronization Service Manager, and on the Tools menu, select Options. Select the Enable Synchronization Rule Provisioning check box.

AD DS User Provisioning

For each domain, you need to enable Active Directory user provisioning. To do this, you must create the following:

  • AD DS Users Provisioning Set

  • AD DS Users Provisioning Synchronization Rule

  • AD DS Users Provisioning Workflow

  • AD DS Users Provisioning Policy

For information about how to create the items listed for Active Directory user provisioning, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).

Sets for AD DS Objects

For each Active Directory domain, you need to create the following sets:

  • AD DS Security Groups set

  • AD DS Distribution Lists set

  • AD DS FSP set for members

  • AD DS Contacts set for Users

  • AD DS contacts set for distribution lists

  • AD DS Contacts set for mail-enabled security groups

AD DS Security Groups set

For each domain, you need to create the set that contains the Security Groups in FIM that need group objects in AD DS.

To create the Active Directory Security Groups set

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Security Groups in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain Security Groups Set
    Enable criteria-based membership in current set: Selected
    Criteria: All Groups where:

    • Type is Security

    • Domain is Fabrikam

    Static members: Leave this blank.

  2. Repeat these steps for each Active Directory domain.

AD DS Distribution Lists set

For each domain, you need to create the set that contains the distribution lists in FIM that need group objects in AD DS.

To create Active Directory Distribution Lists sets

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Distribution Lists in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain Distribution Lists Set
    Enable criteria-based membership in current set: Selected
    Criteria: All Groups where:

    • Type is Distribution

    • Domain is Fabrikam

    Static members: Leave this blank.

  2. Repeat these steps for each Active Directory domain.

AD DS FSP set for members

For each domain, you need to create the set that contains the Users and Security Groups in FIM that need FSPs in AD DS.

To create Active Directory People FSPs sets

  1. Open the FIM Portal and create a set with the details as shown in the following table.

    Display name: A meaningful name for the set, such as All People and Group members not in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain People and Groups Foreign Security Principals Set
    Enable criteria-based membership in current set: Leave this blank (not enabled).
    Static members: Leave this blank.

    The Resource ID should be in the FSP set that is associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (FSPs) set, because this set provisions FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.

  2. Repeat these steps for each Active Directory domain.

AD DS Contacts set for Users

For each domain, you need to create the set that contains the People in FIM that need contact objects in a remote forest.

To create the AD DS set for Users

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All User Contacts in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain User Contacts Set
    Enable criteria-based membership in current set: Selected
    Criteria: All People where:

    • Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)

    • Email contains @

    Static members: Leave this blank.

    The Resource ID should be in the Contact set that is associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, because this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.

  2. After entering these details, click Finish, and then click Submit.

  3. Repeat these steps for each Active Directory domain.

AD DS contacts set for distribution lists

For each domain, you need to create the set that contains the distribution lists in FIM that need contact objects in a remote forest.

To create the AD DS contacts set for distribution lists

  1. Open the FIM Portal and create a set with the details shown in the following table.

    Display name: A meaningful name for the set, such as All Distribution List Contacts in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain Distribution List Contacts Set
    Enable criteria-based membership in current set: Selected
    Criteria: All Groups where:

    • Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)

    • Type is Distribution

    • Email contains @

    Static members: Leave this blank.

    The Resource ID should be in the Contact set that is associated with the forest containing the domain for which this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, because this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.

  2. Repeat these steps for each Active Directory domain.

AD DS Contacts set for mail-enabled security groups

For each domain, you need to create the set that contains the mail-enabled security groups in FIM that need contact objects in a remote forest. There is no need to create contact objects for security groups that are not mail-enabled.

To create an AD DS Contacts set for mail-enabled security groups

  1. Open the FIM Portal and create a set with the following details:

    Display name: A meaningful name for the set, such as All Security Group Contacts in Fabrikam.com Domain
    Description: A meaningful description, such as Fabrikam.com Domain Security Group Contacts Set
    Enable criteria-based membership in current set: Selected
    Criteria: All Groups where:

    • Resource ID in All People and Groups not in Fabrikam.com Forest (Contacts)

    • Type is MailEnabledSecurity

    • Email contains @

    Static members: Leave this blank.

    The Resource ID should be in the Contact set that is associated with the forest for which the domain in this set provisions. In our example, we used the All People and Groups not in Fabrikam.com Forest (Contacts) set, because this set is provisioning FSPs in the Fabrikam.com domain, which is in the Fabrikam.com forest.

  2. Repeat these steps for each Active Directory domain.
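The criteria of the per-domain provisioning sets in this section, evaluated as an added Python example that is not part of the original document. FimPerson and FimGroup are a hypothetical model of the FIM resources, the membership of the forest contact set is supplied as an already computed input, and all sample data is constructed. The example also shows the edge case the "Email contains @" condition exists for: an object with no email attribute never qualifies, so no contact is created for it, and a security group that is not mail-enabled is left out of the contact sets entirely.

```python
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class FimPerson:
    resource_id: str
    domain: str                     # NetBIOS domain, e.g. "FABRIKAM"
    email: Optional[str]


@dataclass(frozen=True)
class FimGroup:
    resource_id: str
    domain: str
    group_type: str                 # "Security", "Distribution" or "MailEnabledSecurity"
    email: Optional[str]


def has_mail(email: Optional[str]) -> bool:
    """The 'Email contains @' criterion; a missing attribute never matches."""
    return email is not None and "@" in email


def security_groups_in_domain(groups: Iterable[FimGroup], domain: str) -> frozenset:
    """All Groups where Type is Security and Domain is <domain>."""
    return frozenset(g.resource_id for g in groups
                     if g.group_type == "Security" and g.domain == domain)


def distribution_lists_in_domain(groups: Iterable[FimGroup], domain: str) -> frozenset:
    """All Groups where Type is Distribution and Domain is <domain>."""
    return frozenset(g.resource_id for g in groups
                     if g.group_type == "Distribution" and g.domain == domain)


def user_contacts(people: Iterable[FimPerson], contacts_not_in_forest: frozenset) -> frozenset:
    """All People where Resource ID in <forest contact set> and Email contains @."""
    return frozenset(p.resource_id for p in people
                     if p.resource_id in contacts_not_in_forest and has_mail(p.email))


def group_contacts(groups: Iterable[FimGroup], contacts_not_in_forest: frozenset,
                   group_type: str) -> frozenset:
    """All Groups where Resource ID in <forest contact set>, Type is <group_type>
    and Email contains @."""
    return frozenset(g.resource_id for g in groups
                     if g.resource_id in contacts_not_in_forest
                     and g.group_type == group_type and has_mail(g.email))


def ad_sets_for_domain(domain, people, groups, contacts_not_in_forest) -> dict:
    """The five criteria-based sets of this section for one domain. The FSP set
    is manually managed on the page, so it is not computed here."""
    return {
        "Security Groups": security_groups_in_domain(groups, domain),
        "Distribution Lists": distribution_lists_in_domain(groups, domain),
        "User Contacts": user_contacts(people, contacts_not_in_forest),
        "Distribution List Contacts": group_contacts(groups, contacts_not_in_forest, "Distribution"),
        "Security Group Contacts": group_contacts(groups, contacts_not_in_forest, "MailEnabledSecurity"),
    }


# Constructed sample data.
PEOPLE = [
    FimPerson("u-alice", "FABRIKAM", "alice@fabrikam.com"),
    FimPerson("u-bob", "CONTOSO", "bob@contoso.com"),
    FimPerson("u-svc", "CONTOSO", None),                       # no mailbox: no contact needed
]
GROUPS = [
    FimGroup("g-fab-admins", "FABRIKAM", "Security", None),
    FimGroup("g-fab-all", "FABRIKAM", "Distribution", "all@fabrikam.com"),
    FimGroup("g-con-sales", "CONTOSO", "Distribution", "sales@contoso.com"),
    FimGroup("g-con-it", "CONTOSO", "MailEnabledSecurity", "it@contoso.com"),
    FimGroup("g-con-local", "CONTOSO", "Security", None),      # not mail-enabled: no contact
]
# Membership of "All People and Groups not in Fabrikam.com Forest (Contacts)",
# taken as given (constructed) input here.
NOT_IN_FABRIKAM_FOREST = frozenset({"u-bob", "u-svc", "g-con-sales", "g-con-it", "g-con-local"})

if __name__ == "__main__":
    for name, members in ad_sets_for_domain("FABRIKAM", PEOPLE, GROUPS, NOT_IN_FABRIKAM_FOREST).items():
        print(f"{name}: {sorted(members)}")
```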

Create AD DS Synchronization Rules

To enable AD DS provisioning, a number of synchronization rules need to be created. You need synchronization rules to provision:

  • AD DS users

  • AD DS security groups

  • AD DS distribution lists

  • AD DS user FSPs

  • AD DS group FSPs

  • AD DS user contacts

  • AD DS mail-enabled security group contacts

  • AD DS distribution lists contacts

AD DS users

For each domain, you need to create the synchronization rule that creates an Active Directory user account.

For information about how to create the synchronization rules for AD DS user provisioning, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).

AD DS security groups

For each domain, you need to create the synchronization rule that creates an Active Directory security group.

For information about how to create the synchronization rules for AD DS security group provisioning, see Introduction to Security Group Management (https://go.microsoft.com/fwlink/?LinkId=165851).

AD DS distribution lists

For each domain, you need to create the synchronization rule that creates Active Directory distribution lists.

For information about how to create the synchronization rules for AD DS distribution list provisioning, see Introduction to Distribution Group Management (https://go.microsoft.com/fwlink/?LinkId=165852).

AD DS user FSPs

For each domain, you need to create the synchronization rule that creates AD DS FSPs for users.

To create the synchronization rule for Active Directory user FSPs

  1. Open the FIM Portal and create a synchronization rule with the details shown in the following table.

    Display name: A meaningful name for the synchronization rule, such as AD User Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule
    Description: A meaningful description, such as Fabrikam.com Domain AD User Foreign Security Principals Provision Sync Rule
    Dependency: Default setting
    Data flow direction: Outbound
    Metaverse resource type: Person
    External system: The domain for which you are configuring the synchronization rule
    External system resource type: foreignSecurityPrincipal
    Relationship criteria: MetaverseObject person (attribute objectSidString) = ConnectedSystemObject user (attribute cn)
    Create resource in external system: Selected
    Enable deprovisioning: Selected
    Workflow parameters: Default settings
    Outbound attribute flow (initial flow only):
      Source (the three parts concatenated):
        • Custom expression: "CN="
        • Function: ConvertSidToString(objectSid)
        • Custom expression: ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com"
      Destination: Dn
      Allow null: Cleared
    Outbound attribute flow:
      Source: displayName
      Destination: displayName
      Allow null: Cleared

  2. Repeat these steps for each Active Directory domain.

    The DN suffix for the FSP synchronization rule should be the domain that contains or will contain the greatest number of Domain Local security groups.

AD DS group FSPs

For each domain, you need to create the synchronization rule that creates AD DS FSPs for groups.

To create the synchronization rule for Active Directory group FSPs

  1. Open the FIM Portal and create a synchronization rule with the following details:

    Attribute Value

    Display name

    A meaningful name for the synchronization rule such as AD Group Foreign Security Principals Provision for Fabrikam.com Domain Sync Rule

    Description

    A meaningful description such as Fabrikam.com Domain AD Group Foreign Security Principals Provision Sync Rule

    Dependency

    Default Setting

    Data flow direction

    Outbound

    Metaverse resource type

    Group

    External system

    Fabrikam ADMA

    External system resource type

    foreignSecurityPrincipal

    Relationship criteria

    MetaverseObject:person(Attribute): objectSidString

    ConnectedSystemObject:user(Attribute): cn

    Create resource in external system

    Selected

    Enable deprovisioning

    Selected

    Workflow parameters

    Default settings

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “CN=”

    • Function: ConvertSidToString(objectSid)

    • Custom Expression: ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com"

    Destination: Dn

    Allow null: Cleared

    Outbound attribute flow

    Source: displayName

    Destination: displayName

    Allow null: Cleared

  2. Repeat these steps for each Active Directory forest.

    The DN suffix for the FSP synchronization rule should be the domain that contains or will contain the greatest number of Domain Local security groups.
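Both FSP rules above (users and groups) build the initial Dn from the same three parts: "CN=" + ConvertSidToString(objectSid) + ",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com". The following added Python example is not part of this guide or of FIM; it decodes a binary objectSid the way ConvertSidToString does, assembles that DN, and adds a sanity check that the SID was issued by a different domain than the one receiving the FSP. The sample SID, the Fabrikam suffix and the local domain SID are constructed values.

```python
import struct


def convert_sid_to_string(sid: bytes) -> str:
    """Mirror of the sync-rule function ConvertSidToString: binary objectSid -> SDDL form."""
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, count = sid[0], sid[1]
    if revision != 1:
        raise ValueError(f"unsupported SID revision {revision}")
    if len(sid) != 8 + 4 * count:
        raise ValueError("SID length does not match its sub-authority count")
    # 48-bit identifier authority is big-endian; each 32-bit sub-authority is little-endian
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join(f"-{s}" for s in subs)


def fsp_dn(sid: bytes, domain_suffix: str = "DC=Fabrikam,DC=com") -> str:
    """The rule's initial Dn flow: "CN=" + ConvertSidToString(objectSid) + ",CN=ForeignSecurityPrincipals,<suffix>"."""
    return f"CN={convert_sid_to_string(sid)},CN=ForeignSecurityPrincipals,{domain_suffix}"


def domain_sid(sid_string: str) -> str:
    """Drop the trailing RID of a domain SID (S-1-5-21-...-RID) to get the issuing domain's SID."""
    return sid_string.rsplit("-", 1)[0]


def is_foreign(sid: bytes, local_domain_sid: str) -> bool:
    """True when the principal was issued by another domain, so an FSP (not a user object) is the right representation."""
    return domain_sid(convert_sid_to_string(sid)) != local_domain_sid


# Constructed sample: a made-up Contoso.com user SID, S-1-5-21-1111-2222-3333-1001
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1001)

if __name__ == "__main__":
    print(convert_sid_to_string(SAMPLE_SID))
    print(fsp_dn(SAMPLE_SID))
    # the FSP belongs in Fabrikam only if the SID is not a Fabrikam SID (constructed local domain SID)
    print(is_foreign(SAMPLE_SID, "S-1-5-21-9999-8888-7777"))
```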

AD DS user contacts

For each domain, you need to create the synchronization rule that creates an Active Directory contact for users.

To create the synchronization rule for Active Directory user contacts

  1. Open the FIM Portal and create a synchronization rule with the details shown in the following table.

    Attribute Value

    Display name

    A meaningful name for the synchronization rule such as AD User Contact Provision for Fabrikam.com Domain Sync Rule

    Description

    A meaningful description such as Fabrikam.com Domain AD User Contact Provision Sync Rule

    Dependency

    Default setting

    Data flow direction

    Outbound

    Metaverse resource type

    Person

    External system

    Domain for which you are configuring the synchronization rule

    External system resource type

    Contact

    Relationship criteria

    MetaverseObject:person(Attribute): mailNickname

    ConnectedSystemObject:user(Attribute): mailNickName

    Create resource in external system

    Selected

    Enable deprovisioning

    Selected

    Workflow parameters

    Default settings

    Outbound attribute flow (initial flow only)

    Source: displayName

    Destination: displayName

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source: mailNickname

    Destination: mailNickname

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “CN=”

    • displayName

    • Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"

    Destination: Dn

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source: Function: Trim(“CN=Mailbox Database,CN=First Storage Group,CN=InformationStore,CN=Fabrikam,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN= Fabrikam,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC= Fabrikam, DC=com” )

    Destination: homeMDB

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “SMTP:”

    • email

    Destination: targetAddress

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source: firstName

    Destination: givenName

    Allow null: Cleared

    Outbound attribute flow

    Source: middleName

    Destination: middleName

    Allow null: Cleared

    Outbound attribute flow

    Source: lastName

    Destination: sn

    Allow null: Cleared

    Outbound attribute flow

    Source: manager

    Destination: manager

    Advanced: contact

    Allow null value to flow to destination: Checked

    Outbound attribute flow

    Source: jobTitle

    Destination: title

    Allow null: Cleared

    Outbound attribute flow

    Source: email

    Destination: mail

    Allow null: Cleared

  2. Repeat these steps for each Active Directory domain.

AD DS mail-enabled security group contacts

For each forest, you need to create the synchronization rule that creates an AD DS contact for security groups.

To create the synchronization rule for AD DS mail-enabled security group contacts

  1. Open the FIM Portal and create a synchronization rule with the following details:

    Attribute Value

    Display name

    A meaningful name for the synchronization rule such as AD Mail Enabled Security Group Contact Provision for Fabrikam.com Domain Sync Rule

    Description

    A meaningful description such as Fabrikam.com Domain AD Mail Enabled Security Group Contact Provision Sync Rule

    Dependency

    Default setting

    Data flow direction

    Outbound

    Metaverse resource type

    Group

    External system

    Domain for which you are configuring the synchronization rule

    External system resource type

    Contact

    Relationship criteria

    MetaverseObject:group(Attribute): mailNickname

    ConnectedSystemObject:group(Attribute): mailNickName

    Create resource in external system

    Selected

    Enable deprovisioning

    Selected

    Workflow parameters

    Default Settings

    Outbound attribute flow (initial flow only)

    Source: displayName

    Destination: displayName

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source: mailNickname

    Destination: mailNickname

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “CN=”

    • displayName

    • Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"

    Destination: Dn

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “SMTP:”

    • email

    Destination: targetAddress

    Allow null: Cleared

    Outbound attribute flow (initial flow only)

    Source: Custom Expression: 2147485958

    Destination: msExchRecipientDisplayType

    Allow null: Cleared

    Outbound attribute flow

    Source: email

    Destination: mail

    Allow null: Cleared

  2. Repeat these steps for each Active Directory forest.

AD DS distribution lists contacts

For each forest, you need to create the synchronization rule that creates an Active Directory contact for a security group.

To create the synchronization rule for Active Directory distribution list contacts

  1. Open the FIM Portal and create a synchronization rule with the details shown in the following table.

    Attribute Value

    Display name

    A meaningful name for the synchronization rule such as AD Distribution Lists Contact Provision for Fabrikam.com Forest Sync Rule

    Description

    A meaningful description such as Fabrikam.com Forest AD Distribution Lists Contact Provision Sync Rule

    Dependency

    Default setting

    Data flow direction

    Outbound

    Metaverse resource type

    Group

    External system

    Domain for which you are configuring the synchronization rule

    External system resource type

    Contact

    Relationship criteria

    MetaverseObject:person(Attribute): mailNickname

    ConnectedSystemObject:user(Attribute): mailNickName

    Create resource in external system

    Selected

    Enable deprovisioning

    Selected

    Workflow parameters

    Default Settings

    Outbound attribute flow (initial flow only)

    Source: displayName

    Destination: displayName

    Outbound attribute flow (initial flow only)

    Source: mailNickname

    Destination: mailNickname

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “CN=”

    • displayName

    • Custom Expression: ",OU=Users,DC=Fabrikam,DC=com"

    Destination: Dn

    Outbound attribute flow (initial flow only)

    Source:

    • Custom Expression: “SMTP:”

    • email

    Destination: targetAddress

    Outbound attribute flow (initial flow only)

    Source: Custom Expression: 2147483910

    Destination: msExchRecipientDisplayType

    Outbound attribute flow

    Source: email

    Destination: mail

  2. Repeat these steps for each Active Directory forest.
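The three contact rules above (user contacts, mail-enabled security group contacts and distribution list contacts) all build the Dn as "CN=" + displayName + ",OU=Users,DC=Fabrikam,DC=com". A displayName that contains a comma, plus sign or another RFC 4514 special character would yield a malformed DN that AD DS rejects on export, so the added Python example below (not from this guide or from FIM; the sync-rule function FIM provides for this purpose is EscapeDNComponent) escapes the value first, then works the user-contact rule's other flows, including their "Allow null" settings, for a constructed sample person. The homeMDB flow is left out, and the container and Contoso addresses are assumptions.

```python
# Characters that RFC 4514 requires to be backslash-escaped inside an RDN value
_SPECIAL = set(',+"\\<>;=')


def escape_dn_component(value: str) -> str:
    """Escape a displayName so it is safe as the CN= component of a DN (what EscapeDNComponent does in FIM)."""
    last = len(value) - 1
    out = []
    for i, ch in enumerate(value):
        # leading '#' or space and a trailing space also need escaping
        if ch in _SPECIAL or (i == 0 and ch in "# ") or (i == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def contact_dn(display_name: str, container: str = "OU=Users,DC=Fabrikam,DC=com") -> str:
    """The contact rules' Dn flow, "CN=" + displayName + ",OU=Users,DC=Fabrikam,DC=com", with the CN escaped."""
    return f"CN={escape_dn_component(display_name)},{container}"


def user_contact_flows(person: dict) -> dict:
    """Values the user-contact rule's outbound flows would write for one metaverse person.

    Flows whose "Allow null" box is cleared are skipped when the source is empty;
    manager ("Allow null ... Checked") flows even when empty, clearing the target attribute.
    """
    email = person.get("email")
    flows = [  # (destination attribute, value, allow_null)
        ("Dn", contact_dn(person["displayName"]) if person.get("displayName") else None, False),
        ("displayName", person.get("displayName"), False),
        ("mailNickname", person.get("mailNickname"), False),
        ("targetAddress", f"SMTP:{email}" if email else None, False),
        ("givenName", person.get("firstName"), False),
        ("middleName", person.get("middleName"), False),
        ("sn", person.get("lastName"), False),
        ("manager", person.get("manager"), True),
        ("title", person.get("jobTitle"), False),
        ("mail", email, False),
    ]
    return {dest: value for dest, value, allow_null in flows if value or allow_null}


# Constructed sample person; the comma in the display name is the case the raw expression mishandles
SAMPLE_PERSON = {"displayName": "Smith, John", "mailNickname": "jsmith",
                 "email": "jsmith@contoso.com", "firstName": "John", "lastName": "Smith"}

if __name__ == "__main__":
    for dest, value in user_contact_flows(SAMPLE_PERSON).items():
        print(f"{dest}: {value}")
```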

Create Synchronization Workflow and Management Policies

For each synchronization rule, you need to create a workflow and MPR to apply the synchronization rules to the correct objects and FSPs.

For more information about how to create the workflow and MPR to apply the synchronization rules for user and group objects, see Introduction to User and Group Management (https://go.microsoft.com/fwlink/?LinkId=165850).

Synchronization workflow

In the following procedure, you create the synchronization workflow to apply the synchronization rules to provision FSPs.

To create the synchronization workflow to provision FSPs

  1. Open the FIM Portal and create a workflow with the details shown in the following table.

    Attribute Value

    Display name

    A meaningful name for the workflow such as Active Directory User and Group FSP Provision for Fabrikam.com Domain Workflow

    Description

    A meaningful description such as Fabrikam.com Domain Active Directory User and Group FSP Provision Workflow

    Workflow type

    Action

    Run on Policy Update

    Cleared

    Import XAML for workflow

    Cleared

    Activities

    Add Synchronization Rule Activity for synchronization rule such as Active Directory User Provision for Fabrikam.com Domain Synchronization Rule with Add action where objectType = User

    Add Synchronization Rule Activity for synchronization rule such as Active Directory User Provision for Fabrikam.com Domain Synchronization Rule with Add action where objectType = Group

Synchronization MPR

In the following procedure, you create the synchronization MPR to apply the synchronization rules to provision FSPs.

To create the synchronization MPR to provision FSPs

  1. Open the FIM Portal and create an MPR with the following details:

    Attribute Value

    Display name

    A meaningful name for the MPR such as Active Directory User and Group FSP Provision for Fabrikam.com Domain

    Description

    A meaningful description such as Active Directory User and Group FSP Provision for Fabrikam.com Domain

    Type

    Request

    Specific set of Requestors

    All People

    Create resource

    Selected

    Delete resource

    Cleared

    Read resource

    Cleared

    Add a value to a multivalued attribute

    Selected

    Remove a value from a multivalued attribute

    Cleared

    Modify a single-valued attribute

    Cleared

    Grants permissions

    Cleared

    Target resource definition before request

    All objects

    Target resource definition after set: specific set of objects

    All objects

    Resource attributes | select specific attributes

    Explicit member

    Authentication Workflows

    None

    Authorization workflows

    None

    Action workflow

    The synchronization rule workflow, such as Active Directory User and Group FSP Provision for Fabrikam.com Domain Workflow