MIM 2016: PAM integration with existing Active Directory domains

MIM, when configured for the PAM scenario, should be deployed in its own separate bastion Active Directory forest, as this isolates the administrative accounts and services from any potential backdoor users that might have been latent in an existing Active Directory forest.  For MIM to recognize user accounts and security groups from the existing forest, it is necessary to establish a trust relationship between the existing forest and the new forest, and configure MIM to recognize the existing domains in those forests.

Connecting to an existing forest

Before configuring MIM with an existing domain, it is necessary to establish a trust relationship between the existing forest and the new forest.  While there are built-in tools with Active Directory which establish trust relationships, an additional cmdlet has been included with MIM that handles the variation in trust relationships of different forest levels.

Establish PAM Trust

Step 1. Use the New-PAMTrust command to establish trust.

To establish a trust relationship, it is necessary to be logged in on the server with MIM installed as a domain administrator in that forest.  It will be necessary to know the credentials of a domain administrator in the forest to be connected.

The New-PAMTrust cmdlet takes two parameters: -SourceForest and -Credentials.  The argument to -SourceForest is the fully qualified domain name of the existing forest.  The argument to -Credentials is an object, returned by Get-Credential, which contains the authentication credentials of a domain administrator in the forest to be connected.

For example,

$ca = get-credential New-PAMTrust -SourceForest "contoso.local" -Credentials $ca

 

Configure domains

After establishing trust, update MIM and the domains in the forest, so that MIM is prepared to manage user accounts and groups related to existing users and groups in those domains.

Step 2. Use the New-PAMDomainConfiguration to configure the domains.