Condividi tramite


Common Configuration for Getting Started Guides

Applies To: Forefront Identity Manager 2010

This document provides common configurations that you can use to evaluate and test features in Microsoft® Forefront® Identity Manager (FIM) 2010. It contains a set of common configurations that is a prerequisite for many of the companion FIM 2010 step-by-step guides. Perform the operations in this guide before you use those step-by-step guides.

What This Document Covers

This document shows you how to create sample users, management policy rules (MPRs), run profiles, and inbound synchronization rules. It also describes a deployment and test scenario for FIM 2010.

For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.

Prerequisite Knowledge

This document assumes that you have a basic understanding of synchronization of data with external systems.

While not required, it is highly recommended that you familiarize yourself with the concept of inbound synchronization rules and how they work, as described in Applying synchronization rules to identity objects. This guide refers to settings that you used during your installation of FIM 2010. We recommend that you make sure that you have these settings available.

Audience

This document is intended for information technology (IT) professionals who are interested in learning about the new features in FIM 2010.

Time requirements

The completion time for the procedures in this document is approximately 60 minutes.

Getting Support

If you have questions regarding the content of this document or if you have general feedback, post a message to the Microsoft Forefront Identity Manager Discussion Forum (https://go.microsoft.com/fwlink/?LinkId=163230).

Scenario Description

The scenario that is described in this document consists of a standard configuration of test users that is required for completion of the companion FIM 2010 step-by-step guides. This scenario also provides a common example configuration. The example configuration features Fabrikam, a fictitious corporation.

Testing environment

Important

The scenario in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 is already deployed and the computer is configured to be a domain controller for the Active Directory forest Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration shows the forest configuration.

7f149bb5-8092-4ff4-9e7e-e02b47291fa7

To perform the procedures in this document, the domain controller has been configured with the following software:

  • Windows Server® 2008 64-Bit Enterprise

  • Microsoft .NET Framework 3.5 Service Pack 1 (SP1)

  • Microsoft SQL Server® 2008 64-Bit Enterprise SP1

  • Windows® SharePoint® Services 3.0 (SP1), 64-bit

  • Windows Powershell™ 1.0

  • FIM 2010

Note

A description of the installation process for FIM 2010 and the required software is out of the scope of this document. For a complete description of the installation process for FIM 2010, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=165845).

Scenario Roadmap

The scenario roadmap in this document consists of three main building blocks:

  1. Configuring the scenario – In this section, you create all required scenario features, including the required sample users, management agents, run profiles, and an inbound synchronization rule.

  2. Initializing the scenario – In this section, you deploy your initial configuration in FIM 2010.

  3. Testing the scenario – In this section, you verify that the scenario works according to the scenario specification.

Configuring the Scenario

The configuration of the scenario in this document consists of the following building blocks:

  1. Configuring the connected data sources

  2. Configuring the FIM 2010 R2 Synchronization Service

  3. Configuring the FIM 2010 R2 Service

The following sections provide detailed instructions for each configuration building block. These steps are performed as the user who installed the FIM Service. You must also have permissions to create organizational unit (OU) and user entities in your directory.

Configuring the connected data source

To configure the connected data source, you must create a new OU and three sample users in your Active Directory environment. Because the scenario is designed to be completed on a single computer, the sample users should be members of the Server Operators security group, which has the right to log on to a domain controller. As an alternative, you can also add a workstation to your environment, which eliminates the need for the membership update.

Creating the OU

For this scenario, you create an OU that receives the newly created sample object.

To create the OU

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. In the console tree, right-click fabrikam.com, click New, and then click Organizational Unit.

  3. In Name, type FIMObjects.

  4. To create the OU, click OK.

Creating the Active Directory sample users

For the scenario in this document, you create some sample users in Active Directory Domain Services (AD DS). During the various procedures, you may be required to log on to the computer with these user identities. The following table lists the initial attributes to set when you create the sample users.

First name Last name Full name User logon name:

Britta

Simon

Britta Simon

bsimon

Terry

Adams

Terry Adams

tadams

Jimmy

Bischoff

Jimmy Bischoff

jbischoff

To create the Active Directory sample users

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. Expand the console tree, and then select the newly created FIMObjects OU.

  3. To open the New Object – User dialog box, on the Action menu, click New, and then click User.

  4. Enter the data shown in the previous table for the current user, and then click Next.

  5. In the Password and the Confirm password text boxes, type P@$$w0rd.

  6. Clear the User must change password at next logon check box, and then click Next.

  7. To create the user, click Finish.

Repeat these steps for the remaining users.

At this point, you have created three new users in the FIM Objects OU. For each user, you must set additional attributes. The following table lists the required attributes.

Name Employee ID Employee type

Britta Simon

10

Full Time Employee

Terry Adams

11

Full Time Employee

Jimmy Bischoff

12

Contractor

To set the additional attributes

  1. In the FIMObjects OU, select the name of the user shown in the previous table.

  2. To display the properties dialog box for the selected user, on the Action menu, click Properties.

  3. Click the Attribute Editor tab. Ensure that you have selected Advanced Features to enable this tab.

  4. Set each attribute that is shown for the current row in the previous table.

Repeat these steps for all sample users.

Assigning group membership

This task is necessary to grant your sample users the right to interactively log on to your server running FIM 2010 R2.

To assign group membership

  1. To open the Active Directory Users and Computers snap-in, click Start, click Run, and then type dsa.msc.

  2. In the console tree, select the Builtin container of the Fabrikam.com domain.

  3. In the list of objects, select the Server Operators security group.

  4. To open the Server Operators Properties dialog box, on the Actions menu, click Properties.

  5. Select the Members tab, and then click Add.

  6. In the Object Names text box, type Britta Simon;Terry Adams;Jimmy Bischoff.

  7. Click OK to update the group membership.

Configuring the FIM Synchronization Service

This section contains the instructions for configuring the FIM 2010 R2 Synchronization Service. Your sample users must be synchronized into FIM 2010 R2 because, for security purposes, FIM 2010 needs membership next to the domain as well as a user’s security identifier (SID) to make access decisions. The implementation of the synchronization scenario in this document is simplified and designed to enable only the scenario that is described in this document.

The configuration of the FIM 2010 R2 Synchronization Service consists of the following tasks:

  1. Enabling synchronization rule provisioning

  2. Creating the Fabrikam Active Directory Management Agent (ADMA)

  3. Creating the Fabrikam FIMMA

  4. Creating run profiles

Enabling synchronization rule provisioning

To enable the configured synchronization rules during a synchronization run, you must enable synchronization rule processing in the Synchronization Service Manager.

To enable synchronization rule provisioning

  1. Open the Synchronization Service Manager.

  2. To open the Options dialog box, on the Tools menu, click Options.

  3. Select Enable Synchronization Rule Provisioning.

  4. To close the Options dialog box, click OK.

Creating management agents

The objective of the synchronization scenario is to publish the three Active Directory sample users into the FIM 2010 data store. To accomplish this, two management agents are required:

  1. Fabrikam ADMA

  2. Fabrikam FIMMA

Creating the Fabrikam ADMA

The Fabrikam ADMA is a management agent for AD DS. To create this management agent, you use the Create Management Agent Wizard.

To create the Fabrikam ADMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: Active Directory Domain Services

    • Name: Fabrikam ADMA

  4. On the Connect to Active Directory Forest page, provide the following settings, and then click Next:

    • Forest name: fabrikam.com

    • User name: administrator

    • Password: the administrator’s password

    • Domain: fabrikam

  5. On the Configure Directory Partitions page, perform the following steps, and then click Next:

    1. In the Select directory partitions list, select DC=Fabrikam, DC=com.

    2. To open the Select Containers dialog box, click Containers.

    3. To clear all the selected nodes, click DC=Fabrikam,DC=com.

    4. Click FIMObjects.

    5. To close the Select Containers dialog box, click OK.

  6. On the Configure Provisioning Hierarchy page, click Next.

  7. On the Select Object Types page, perform the following steps, and then click Next:

    1. In the Object types list, select user.
  8. On the Select Attributes page, provide the following settings, and then click Next:

    1. Select Show All.

    2. From the Attributes list, select the following attributes:

      • displayname

      • employeeID

      • employeeType

      • givenName

      • objectSid

      • sAMAccountName

      • sn

  9. On the Configure Connector Filter page, click Next.

  10. On the Configure Join and Projection Rues page, click Next.

  11. On the Configure Attribute Flow page, click Next.

  12. On the Configure Deprovisioning page, click Next.

  13. On the Configure Extensions page, click Finish.

Creating the Fabrikam FIMMA

The Fabrikam FIMMA is a management agent for the FIM Service. To create this management agent, you use the Create Management Agent Wizard.

Warning

Do not create more than one FIM Service management agent. FIM will only synchronize with the first FIM Service management agent.

Important

To create the FIM Service management agent, you need a separate user account that you use to run it. See the FIM Installation Guide for the details of this account. You will need to refer to your installation steps to determine which account was used for this configuration. For more information, see the FIM Installation Guide (https://go.microsoft.com/fwlink/?LinkId=165845). The following example assumes that the account that is used is named fimma, but you will have to modify this name to match your settings.

To create the Fabrikam FIMMA

  1. In FIM 2010, open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. To open the Create Management Agent Wizard, on the Actions menu, click Create.

  3. On the Create Management Agent page, provide the following settings, and then click Next:

    • Management agent for: FIM 2010 R2 Service Management Agent

    • Name: Fabrikam FIMMA

  4. On the Connect to Database page, provide the following settings, and then click Next:

    • Server This assumes a single computer configuration for all the features.

    • Database: FIMService

    • FIM Service base address: https://localhost:5725

    • Authentication mode: Windows Integrated Authentication

    • User name: fimma

    • Password: <the account’s password> (Use the account that you used during installation.)

    • Domain: fabrikam

  5. On the Selected Object Types page, verify that the following object types are selected, and then click Next:

    • ExpectedRuleEntry

    • DetectedRuleEntry

    • SynchronizationRule

    • Person

  6. On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.

  7. On the Configure Connector Filter page, click Next.

  8. On the Configure Object Type Mappings, add the following mapping, and then click Next:

    1. In the Data Source Object Type list, select Person.

    2. To open the Mapping dialog box, click Add Mapping.

    3. In the Metaverse object type list, select person.

    4. To close the Mapping dialog box, click OK.

  9. On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:

    Flow direction Data source attribute Metaverse attribute

    Export

    AccountName

    accountName

    Export

    DisplayName

    displayName

    Export

    Domain

    domain

    Export

    EmployeeID

    employeeID

    Export

    EmployeeType

    employeeType

    Export

    FirstName

    firstName

    Export

    LastName

    lastName

    Export

    ObjectSID

    objectSid

    1. In Data source object type, select Person.

    2. In Metaverse object type, select person.

    3. In Mapping Type, select Direct.

    4. For each row in the previous table, complete the following steps:

      1. Select the Flow direction shown for that row in the table.

      2. Select the Data source attribute shown for that row in the table.

      3. Select the metaverse attribute shown for that row in the table.

      4. To apply the flow mapping, click New.

  10. On the Configure Deprovisioning page, click Next.

  11. To create the management agent, on the Configure Extensions page, click Finish.

Configuring run profiles

The following section provides instructions for creating run profiles. For the scenario in this document, you create run profiles for the Fabrikam ADMA and the Fabrikam FIMMA.

Creating run profiles for the Fabrikam ADMA

The following table lists the run profiles that you create for the Fabrikam ADMA.

Profile Run profile name Step type

Profile1

Full import

Full import (Stage only)

Profile2

Full synchronization

Full synchronization

Profile3

Delta import

Delta import (Stage only)

Profile4

Export

Export

To create run profiles for the Fabrikam ADMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the Management Agents list, click Fabrikam ADMA.

  3. To open the Configure Run Profiles dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile Wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, select the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Creating run profiles for the Fabrikam FIMMA

The following table lists the run profiles that you create for the Fabrikam FIMMA.

Profile Run profile name Step type

Profile1

Full Import

Full Import (Stage Only)

Profile2

Full Synchronization

Full Synchronization

Profile3

Delta Import

Delta Import (Stage Only)

Profile4

Delta Synchronization

Delta Synchronization

Profile5

Export

Export

To create run profiles for the Fabrikam FIMMA

  1. In FIM 2010, open the Synchronization Service Manager and on the Tools menu, click Management Agents.

  2. In the management agent list, select Fabrikam FIMMA.

  3. To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.

  4. For each run profile in the previous table, complete the following steps:

    1. To open the Configure Run Profile Wizard, click New Profile.

    2. In the Name text box, type the profile name shown in the table, and then click Next.

    3. In the Type list, click the step type shown in the table, and then click Next.

    4. Click Finish to create the run profile.

  5. To close the Configure Run Profiles dialog box, click OK.

Configuring the FIM Service

In this section, you find the instructions for configuring the FIM 2010 R2 Service.

Configuration of the FIM 2010 R2 Service consists of the following tasks:

  1. Enabling required Management Policy Rules

  2. Creating the Fabrikam inbound synchronization rule

  3. Enabling full-time employees to manage distribution groups (DGs)

Enabling required Management Policy Rules

For the scenario in this document, you enable some of the preconfigured Management Policy Rules (MPRs) in FIM 2010. These MPRs are required so that nonadministrator users have access to the portal and the ability to view other users’ basic information. Enable the MPRs in the following table.

Display Name

General: Users can read schema related resources

General: Users can read non-administrative configuration resources

User management: Users can read attributes of their own

User management: Users can read selected attributes of other users

To enable required MPRs

  1. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

    Note

    You may have to substitute this URL with the URL that you configured for your FIM portal.

  2. On the FIM portal home page, click Management Policy Rules in the navigation bar to open the Management Policy Rules page.

  3. In the Search for textbox, type the display name of each of the MPRs from the table above, and then click the Search for button.

  4. For each MPR that is listed as disabled, perform the following steps:

    1. To open the configuration dialog box, click the Display Name of the disabled MPR.

    2. Clear the Policy is disabled check box, and then click OK.

    3. On the Summary page, click Submit.

Creating the Active Directory inbound synchronization rule

To configure the Active Directory inbound synchronization rule, you use the related wizard pages.

To create the Active Directory inbound synchronization rule

  1. To open the Administration page, in the FIM Portal navigation bar, click Administration.

  2. To open the Synchronization Rules page, click Synchronization Rules.

  3. To open the Create Synchronization Rules Wizard, on the toolbar, click New.

  4. On the General tab, provide the following information, and then click Next:

    • Display Name: Active Directory inbound synchronization rule

    • Data Flow Direction: Inbound

  5. On the Scope tab, provide the following information, and then click Next:

    • Metaverse Resource Type: person

    • External System: Fabrikam ADMA

    • External System Resource Type: user

  6. On the Relationship tab, provide the following information, and then click Next:

    1. Relationship Criteria:

      • MetaverseObject:person(Attribute): employeeID

      • ConnectedSystemObject:person(Attribute): employee ID

    2. Create Resource In FIM: Selected

  7. On the Inbound Attribute Flow tab, provide the information in the followingtable, and then click Finish.

    Source Destination

    displayName

    displayName

    employeeID

    employeeID

    employeeType

    employeeType

    givenName

    firstName

    objectSid

    objectSid

    sAMAccountName

    accountName

    sn

    lastName

    1. For each row in the previous table, complete the following steps:

      1. To open the Flow Definition dialog box, click New Attribute Flow.

      2. On the Source tab, select the attribute shown for that row in the table.

      3. On the Destination tab, select the attribute shown for that row in the table.

      4. To apply the attribute flow configuration, click OK.

    2. To open the Flow Definition dialog box, click New Attribute Flow.

    3. On the Source tab, in the attributes list, select String, and then type FABRIKAM in the text box.

    4. On the Destination tab, select domain in the attributes list.

    5. To apply the attribute flow configuration, click OK.

  8. On the Summary tab, click Submit.

Enabling full-time employees to manage DGs

To enable full-time employees to create DGs, you must modify some of the built-in MPRs. The following table provides an overview of the required changes.

Step Display name Action

1

DL management: Owners can read attributes of group resources.

Enable MPR

2

DL management: Owners can update and delete groups that they own.

  1. Enable MPR

  2. Remove the MembershipLocked attribute from the list of the specific resources attributes on the Target Resources tab.

3

DL management: Users can add or remove any members of groups subject to owner approval.

Enable MPR

4

DL management: Users can add or remove any members of groups that do not require owner approval.

Enable MPR

5

DL management: Users can create group resources.

  1. Enable MPR

  2. Set Requestor to All Full Time Employees.

6

DL management: Users can read selected attributes of group resources.

Enable MPR

To enable full-time employees to manage DGs

  1. On the FIM 2010 home page, on the navigation bar, click Management Policy Rules.

  2. For each row in the previous table, complete the following steps:

    1. Type the Display Name of the MPR shown for that row in the table into the Search for text box, and then click the Search button.

    2. To open the Management Policy Rule dialog box, in the search results list, click the Display Name of the MPR shown for that row in the table.

    3. Apply the changes that are listed in the Action box shown for that row in the table.

    4. On the Summary page, click Submit.

Initializing the Testing Environment

Before you can test your configuration with test data, you must initialize your configuration. The following steps are part of this process:

  • Initializing the Fabrikam FIMMA

  • Initializing the Fabrikam ADMA

Initializing the Fabrikam FIMMA

To initialize the Fabrikam FIMMA, you must run a complete synchronization cycle on this management agent. The complete cycle consists of the run profile runs in the following table.

Step Run profile name

1

Full import

2

Full synchronization

3

Export

4

Delta import

Important

After running the export run profile on the Fabrikam FIMMA, you should wait a minute or two before running the confirming delta import.

To initialize the Fabrikam FIMMA

  1. Open Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. For each row in the table immediately preceding this procedure, complete the following steps:

    1. To open the Run Management Agent dialog box, on the Actions menu, click Run.

    2. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  5. To start the run profile, click OK.

Initializing the Fabrikam ADMA

To initialize the ADMA, you must run a full import and a full synchronization on it. In this sequence, the sample users are brought into the metaverse and also staged in the connector space of the FIMMA. To complete the initialization of the Fabrikam ADMA, you must also run an export and a confirming import on the Fabrikam FIMMA.

Step Management agent Run profile name

1

Fabrikam ADMA

Full import

2

Fabrikam ADMA

Full synchronization

3

Fabrikam FIMMA

Export

3

Fabrikam FIMMA

Delta import

To initialize the Fabrikam ADMA

  1. Open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. For each row in the previous table, complete the following steps:

    1. In the Management Agents list, select the management agent shown for that row in the table.

    2. To open the Run Management Agent dialog box, on the Action menu, click Run.

    3. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

Tip

You should verify at this point whether all sample users have been successfully populated in the FIM Portal.

Exporting the Data to the FIMMA

You must also ensure that the new user data from the ADMA is synchronized to the FIMMA system. Use the following table with the procedure below.

Step Management Agent Run Profile Name

3

Fabrikam FIMMA

Export

3

Fabrikam FIMMA

Delta import

To Export the data to the Fabrikam FIMMA

  1. Open the Synchronization Service Manager, and on the Tools menu, click Management Agents.

  2. In the Management Agents list, select Fabrikam FIMMA.

  3. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  4. For each row in the table immediately preceding this procedure, complete the following steps:

  5. To open the Run Management Agent dialog box, on the Actions menu, click Run.

  6. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.

  7. To start the run profile, click OK.

Testing the Configuration

To test the configuration, you perform the following steps:

  1. Verify that the new user information is available in the FIM portal.

  2. Verify access to the FIM portal by the newly created users.

Verifying That New User information is Available in the FIM Portal

In this section, you will ensure that new user information is included in the FIM Portal as expected.

To verify new user information

  1. On your computer, log on as the user who installed the FIM Service.

  2. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  3. On the home page, click Users, Profiles and Passwords.

  4. Click the Search icon on the Users page.

You should see the sample users that you created earlier in this document.

Verifying Access to the FIM Portal by the Newly Created Users

In this procedure you ensure that the new users can access information in the FIM Portal.

To verify access to the FIM portal

  1. On your computer, log on as Brita Simon.

  2. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.

  3. Click Users, Profiles and Passwords on the home page.

  4. Click the Search icon on the Users page.

You should see the sample users that you created earlier in this document. You may want to perform the same verification for the other users in the system.

Summary

When you complete the procedures in this guide, you will have successfully completed a standard configuration for FIM 2010, including the required sample users, management agents, run profiles, and an inbound synchronization rule. In addition, you will have successfully deployed and tested the configuration in FIM 2010. As a next step, you can use this configuration to complete the remaining introductory guides. Start with Introduction to Configuring and Customizing the FIM Portalor proceed to the guide that most interests you. For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.