How Do I Synchronize Users from AD DS to FIM

Applies To: Forefront Identity Manager 2010

One basic requirement for an identity management system is the ability to import and process identity data from an external system. This guide walks you through the main building blocks that are involved in the process of populating Microsoft® Forefront® Identity Manager (FIM) 2010 with user data from Active Directory® Domain Services (AD DS), outlines how you can verify whether your scenario works as expected, provides suggestions for managing Active Directory users by using FIM 2010, and lists additional sources for information.

Before You Begin

In this section, you will find information about the scope of this document.

In general, “How Do I” guides are targeted at readers who already have basic experience with the process of synchronizing objects with FIM as covered in the related Getting Started (https://go.microsoft.com/FWLink/?LinkId=190486) Guides.

Audience

This guide is intended for information technology (IT) professionals who already have a basic understanding of how the FIM synchronization process works and are interested in getting hands-on experience and more conceptual information about specific scenarios.

Prerequisite knowledge

This document assumes that you have access to a running instance of FIM and that you have experience in configuring simple synchronization scenarios as outlined in the following documents:

• Introduction to Inbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=189652)

• Introduction to Outbound Synchronization (https://go.microsoft.com/fwlink/?LinkId=189653)

The content in this document is scoped to function as an extension to these introductory documents.

Scope

The scenario outlined in this document has been simplified to address the requirements of a basic lab environment. The focus is to give you an understanding of the concepts and technologies discussed.

This document helps you develop a solution that involves managing users in AD DS by using FIM.

Time requirements

The procedures in this document require 60 to 90 minutes to complete.

These time estimates assume that the testing environment is already configured and does not include the time required to set up the test environment.

Getting support

If you have questions regarding the content of this document or if you have general feedback you would like to discuss, feel free to post a message to the Forefront Identity Manager 2010 forum (https://go.microsoft.com/fwlink/?LinkId=189654).

Scenario description

Fabrikam, a fictitious company, is planning to use FIM to manage the user accounts in the corporation’s AD DS by using FIM. As part of this process, Fabrikam needs to synchronize users to FIM. To start with the initial testing, Fabrikam has installed a basic lab environment that consists of FIM and AD DS. In this lab environment, Fabrikam is testing a scenario that consists of a security group that was manually created in AD DS. The objective of this scenario is to synchronize the sample user to FIM.

Scenario design

To use this guide, you need three architectural components:

• Active Directory domain controller

• Computer running FIM Synchronization Service

• Computer running FIM Portal

The following illustration outlines the required environment.

You can run all components on one computer.

Scenario components list

The following table lists the components that are a part of the scenario in this guide.

	Organizational unit	FIM objects – Organizational unit (OU) that is used as a target for the provisioned user.
	User accounts	ADMA – Active Directory user account with sufficient rights to connect to AD DS. FIMMA - Active Directory user account with sufficient rights to connect to FIM. Britta Simon – Sample account in AD DS that is synchronized to FIM.
	Management agents and run profiles	Fabrikam ADMA – Management agent that exchanges data with AD DS. Fabrikam FIMMA - Management agent that exchanges data with FIM.
	Synchronization rules	AD DS User Inbound Synchronization Rule – Inbound synchronization rule that synchronizes users to FIM.

Scenario steps

The scenario outlined in this guide consists of the building blocks shown in the following figure.

Configuring the External Systems

In this section, you will find instructions for the resources that you need to create that are outside of your FIM environment.

Step 1: Create the OU

You need the OU as a container for the sample objects. For more information about creating OUs, see Create a New Organizational Unit (https://go.microsoft.com/fwlink/?LinkId=189655).

Step 1
	Create an OU called FIMObjects in your AD DS.

Step 2: Create the Active Directory user accounts

For the scenario in this guide, you need two Active Directory user accounts:

• ADMA - Used by the Active Directory management agent.

• FIMMA – Used by the FIM Service management agent.

In both cases, it is sufficient to create regular user accounts. More information about the specific requirements of both accounts is found later in this document. For more information about creating users, see Create a New User Account (https://go.microsoft.com/fwlink/?LinkId=189656).

Step 2
	Create two Active Directory user accounts based on the previous description.

Configuring the FIM Synchronization Service

For the configuration steps in this section, you need to start the FIM Synchronization Service Manager.

Creating the management agents

For the scenario in this guide, you need to create two management agents:

• Fabrikam ADMA – management agent for AD DS.

• Fabrikam FIMMA – management agent for FIM Service management agent.

Step 3: Create the Fabrikam ADMA management agent

When you configure a management agent for AD DS, you need to specify an account that is used by the management agent in the data exchange with AD DS. You should use a regular user account. However, to import data from AD DS, the account must have the right to poll changes from the DirSync control. If you want your management agent to export data to AD DS, you need to grant the account sufficient rights on the target OUs. For more information about this topic, see Configuring the ADMA Account (https://go.microsoft.com/fwlink/?LinkId=189657).

When you import group data from AD DS, there are no technical requirements for specific attributes to be populated.

By design, the FIM management agent already has the attribute flow mappings that are required by the FIM schema for the object type user configured. However, there are logical requirements from a scenario perspective. This includes the first name, last name, and display name attribute of a user. You should populate these values to ensure that your objects are recognizable in the FIM user interface. In addition, it is a good practice to populate the userSid and the domain attribute.

The following table lists the most important scenario-specific settings that you need to configure.

Management agent designer page	Configuration
Create management agent	Management agent for: AD DS Name: Fabrikam ADMA
Connect to Active Directory forest	Select directory partitions: “DC=Fabrikam,DC=com” Click Containers to open the Select Containers dialog box and ensure that FIMObjects is the only OU that is selected.
Select Object types	In addition to the already selected Object types, select user.
Select attributes	Click Show All. Select the following attributes: displayName givenName objectSid sAMAccountName sn

Step 3
	Create the management agent based on the previous description.

Step 4: Create the Fabrikam FIMMA management agent

When you configure a FIM Service management agent, you need to specify an account that is used by the management agent in the data exchange with the FIM Service.

You should use a regular user account. The account must be the same account as the one you specified during the installation of FIM. For a script that you can use to determine the name of the FIM MA account that you specified during setup and to test whether this account is still valid, see Using Windows PowerShell to Do a FIM MA Account Configuration Quick Test (https://go.microsoft.com/fwlink/?LinkId=189659).

The following table lists the most important scenario-specific settings you need to configure.

Management agent designer page	Configuration
Create management agent	Management agent for: FIM Service Management Agent Name: Fabrikam FIMMA
Connect to database	Use the following settings: Server: localhost Database: FIMService FIM Service base address: https://localhost:5725 Provide the information about the account you created for this management agent.
Select Object types	In addition to the already selected Object types, select Person.
Configure Object type mappings	In addition to the already existing object type mappings, add the following Data Source Object Type to Metaverse Object Type mappings: Group to group Person to person
Configure attribute flow	In addition to the already existing attribute flow mappings, add the following attribute flow mappings:

Step 4
	Create the management agent based on the previous description.

Step 5: Create the run profiles

The following table lists the run profiles you need to create for the scenario in this guide.

Management agent	Run profile
Fabrikam ADMA	Full import Full synchronization Delta import Delta synchronization Export
Fabrikam FIMMA	Full import Full synchronization Delta import Delta synchronization Export

Step 5
	Create run profiles for each management agent according to the previous table.

Configuring the FIM Service

For the scenario in this guide, you only need to configure an inbound synchronization rule. The following section provides information about the configuration of the synchronization rule.

Step 6: Create the synchronization rule

When you create the inbound synchronization rule for your Active Directory users, you need to add a flow mapping for the domain attribute. Populating the domain attribute is a challenge because domain is not an attribute of a group. When this attribute is required in AD DS, the directory service has to look up the value from the configuration container.

The following illustration shows an example of a domain partition in the configuration container.

One method used to populate the domain attribute is to implement a lookup table that determines the attribute value based on the current SID of an object. The SID attribute is a good attribute for this purpose because the value of this attribute only changes when the domain membership of an object changes.

The SID attribute of an object in AD DS consists of the domain SID plus an extension called a relative identifier (RID), the unique identifier of an object within the domain database. If you know what the value of the domain SID is, you can use this value in comparison with the SID value of an object to determine the value of the domain attribute as a custom expression.

FIM provides a built-in function you can use to translate a binary SID into a string representation. The name of this function is ConvertSidToString. This function returns the string representation of a SID as domain SID + RID.

For an equality comparison (Eq) of a user's SID and the domain SID, you need to remove the RID part from the user's SID. Because you know the value of the domain SID, you also know the domain SID length. You can use the length of the domain SID to calculate the part of a user's SID that you need for an equality comparison.

The following example outlines how you can use the domain SID and the user's SID to calculate the domain value with a custom expression in FIM 2010 R2.

A lookup of Fabrikam's SID returns the following value:

“S-1-5-21-4220550486-1538840966-3184992408”

The SID string has a length of 41.

The first step in your custom expression is to translate the object's SID into a string representation by using the ConvertSidToString method:

ConvertSidToString(objectSid)

From this string, you only need the first 41 characters from the left:

Left(ConvertSidToString(objectSid), 41)

The question is whether this string is equal to the domain SID:

Eq(Left(ConvertSidToString(objectSid), 41)

If both values match, you can flow “FABRIKAM” as the domain name into the metaverse. If the values do not match, you should flow something like “Unknown”:

IIF(Eq(Left(ConvertSidToString(objectSid),41),”S-1-5-21-4220550486-1538840966-3184992408”),”FABRIKAM”,”Unknown”)

The FIM ScriptBox provides a script that automatically calculates the required custom expression string for the domain attribute value calculation. The script is available in the article Using Windows PowerShell to Generate the Custom Expression for the Domain Attribute Flow (https://go.microsoft.com/FWLink/?LinkId=190482).

The script requests the required information from a target domain controller, translates the domain information into a CustomExpression, and stores the result in the clipboard.

The following tables show the configuration of the required Fabrikam Provisioning synchronization rule.

Synchronization rule configuration
Name	Fabrikam User Inbound Synchronization Rule
Description
Precedence	2
Data Flow Direction	Inbound
Dependency

Scope
Metaverse Resource Type	person
External System	Fabrikam ADMA
External System Resource Type	user

Relationship
Create Resource In FIM	True

Relationship criteria
ILM Attribute	accountName
Data Source Attribute	sAMAccountName

Inbound attribute flows
Destination	Source
displayName	displayName
firstName	givenName
domain	CustomExpression(IIF(Eq(Left(ConvertSidToString(2, objectSid),41),”S-1-5-21-4220550486-1538840966-3184992408” ),”FABRIKAM”,”Unknown” ))
objectSid	objectSid
accountName	sAMAccountName
lastName	sn

Step 6
	Create a synchronization rule according to the data in the previous tables.

Initializing your Environment

The objectives of the initialization phase are as follows:

• Bring your synchronization rule into the metaverse.

• Bring your Active Directory structure into the Active Directory connector space.

Step 7: Run the run profiles

The following table lists the run profiles that are part of the initialization phase.

Run	Management agent	Run profile
1	Fabrikam FIMMA	Full import
2		Full synchronization
3		Export
4		Delta import
5	Fabrikam ADMA	Full import
6		Full synchronization

Step 7
	Run the run profiles according to the previous table.

Testing the Configuration

The objective of this section is to test your actual configuration. To test the configuration, you:

1. Create a sample user in AD DS.

2. Synchronize the AD DS user into FIM.

Step 8: Create a sample user in AD DS

The following table lists the properties of the sample user.

Attribute	Value
First Name	Britta
Last Name	Simon
Display Name	Britta Simon
Account Name	BSimon

Step 8
	Create a sample security group according the data in the previous table.

Step 9: Synchronize the AD DS user into FIM

Before you start the first synchronization cycle for a test object, you should track the expected state of your object after each run profile that you run in a test plan. Your test plan should include next to the general state of your object (created, updated, or deleted) also the attribute values that you expect. Use your test plan to verify your test plan expectations. If a step does not return the expected results, do not proceed with to the next step until you have resolved the discrepancy between your expected result and the actual result.

To verify your expectations, you can use the synchronization statistics as a first indicator. For example, if you expect new objects to be staged in a connector space, but the import statistics returns no “Adds,” there is obviously something in your environment that does not work as expected.

While the synchronization statistics can give you a first indication of whether your scenario works as expected, you should use the Search Connector Space and the Metaverse Search feature of the Synchronization Service Manager to verify the expected attribute values.

To synchronize the user to FIM

1. Import the security group into the AD MA connector space.

2. Project the security group into the metaverse.

3. Provision the security group to the FIM connector space.

4. Export the user to FIM.

5. Confirm the creation of the user.

To accomplish these tasks, you run the following run profiles.

Management agent	Run profile
Fabrikam FIMMA	Delta import Delta synchronization
Fabrikam FIMMA	Export Delta import

After the delta import from AD DS, the synchronization statistics report one new object.

The objective of the delta synchronization run on your Fabrikam FIMMA is to perform several operations:

• Projection – The new user object is projected into the metaverse.

• Provisioning – The newly projected Britta Simon object is provisioned into the connector space of the FIM MA.

• Export Attribute Flows – The export attribute flows populate the newly staged user with the configured attribute values.

Step 9
	Run the run profiles according to the instructions in this section.

Step 10: Verify the provisioned user in FIM

To verify that your sample user has been synchronized to FIM, open the related object in the FIM Portal.

Step 10
	Verify that your sample user exists in the FIM Portal.

Summary

Synchronizing group objects from AD DS into FIM is a relatively simple task from a configuration perspective. The only bigger challenge is the population of the domain attribute because this attribute is not directly associated with an object in AD DS and needs to be calculated. In this document, you have been introduced to a method that uses an object's SID attribute value and a lookup table for the calculation of the value.

When using this method, keep in mind that a change to your domain infrastructure such as renaming existing domains or adding new domains requires an update to the calculation logic in your inbound synchronization rule. Updates to synchronization rules require full synchronization runs that can be time consuming to process in your environment.

An alternative to populating the domain attribute in a synchronization rule is the implementation of workflows to do this task. However, initializing attribute values by using workflows has an impact on the performance of your system. The performance impact of bulk imports from AD DS can be significant.

In general, when implementing inbound synchronization rules in your environment, you need to differentiate between two scenarios:

• Initialization of objects from AD DS

• Regular imports from AD DS objects

The initialization phase requires special care in your planning. In this phase, FIM is populated by a bulk import with existing objects from AD DS. This scenario can have a significant impact on both the servers in your external systems and your servers running FIM. If you have a large number of objects that you need to synchronize from AD DS into FIM, you should investigate options that can limit this process such as:

• Limiting the number of objects that are processed during one import run from AD DS. This option is a recommended best practice.

• Modifying the partitions and container filters to decrease the number of objects that are processed in one run.

• Exporting your AD DS objects by using, for example, LDIF and importing them into FIM 2010 R2 by using the FIM 2010 R2 Windows PowerShell cmdlets.

Each method has pros and cons. You need to determine the method that works best for you in your test environment.

Another aspect of handling the initialization phase is the subject of attribute flow precedence. During the initialization phase, you may need to make AD DS authoritative for attributes for which you want FIM to be authoritative after the initialization phase. This means that you need to configure the attribute flow precedence in a way that enables your AD MA to flow attribute values into FIM that, later in your deployment, will be controlled by FIM.

In general, you should develop a plan that includes a solution for the initialization phase for your environment.

See Also

Other Resources

Using FIM to Enable or Disable Accounts in Active Directory
About Reference Attributes
How Can I Manage My FIM MA Account
Detecting Nonauthoritative Accounts – Part 1: Envisioning
The Poor Man’s Version of a Connector Detection Mechanism
Configuring the ADMA Account
A Method to Remove Orphaned ExpectedRuleEntry Objects from Your Environment
About Attribute Flow Precedence
About Exports