Partager via

Step 6: Create and Configure AD MA

  • Article

Creating and configuring the Delimited Text MA consists of the following:

  • Create the ECMA OU in Active Directory

  • Create and edit test users

  • Create the AD Management Agent

  • Create the run profiles for the AD management agent

Create the ECMA2 OU in Active Directory

To create the ECMA2 organizational unit

  1. Log on DC1.corp.contoso.com as Administrator

  2. Click Start, select Administrative Tools, and click Active Directory Users and Computers. This will open the Active Directory Users and Computers mmc.

  3. In the Active Directory Users and Computers mmc, from the tree-view on the left, right-click corp.contoso.com, select New, and then Organizational Unit.

  4. In the Name textbox, type ECMA2. Click OK.

Create and edit Test Accounts

Table 1 – Test Accounts

Full Name

User Logon Name

Forest

Password

Object100

Object100

corp.contoso.com

Pass1word$

Object101

Object101

corp.contoso.com

Pass1word$

To create the Test Accounts

  1. In Active Directory Users and Computers, expand corp.contoso.com, right-click ECMA2, select New and then select User. This will bring up the New Object – User window.

  2. On the New Object – User screen, in the Full Name box, enter Object100.

  3. On the New Object – User screen, in the User logon name: box, enter Object100 and click Next.

  4. On the New Object – User screen, in the Password box, enter Pass1word!.

  5. On the New Object – User screen, in the Confirm Password box, enter Pass1word!.

  6. On the New Object – User screen, remove the check from User must change password at next logon.

  7. On the New Object – User screen, add a check to Password never expires and click Next.

  8. Click Finish.

  9. Repeat these steps for all of the accounts listed in the Account Summary table.

To edit the Test Accounts

  1. On to DC1 as CORP\Administrator.

  2. Click Start, select Administrative Tools, and then click ADSI Edit. This will bring up ADSI Edit.

  3. At the top, right-click ADSI Edit and select Connect to. This will bring up a Connections Settings box. Leave the defaults and click OK.

  4. On the right, expand Default Naming Context [DC1.corp.contoso.com], double-click DC=corp,DC=contoso,DC=com, expand DC=corp,DC=contoso,DC=com, and then select OU=ECMA2.

  5. In the center, right-click CN=Object100 and select Properties. This will bring up CN=Object100 Properties.

  6. Scroll through the list of attributes and double-click mail. This will bring up the String Attrribute Editor.

  7. In the box, under Value :, type the following text, and then click OK:
    Object100@corp.contoso.com

  8. Scroll through the list of attributes and double-click employeeID. This will bring up the String Attrribute Editor.

  9. In the box, under Value :, type the following text, and then click OK:
    100

  10. Click OK.

  11. Click Apply.

  12. Click OK.

  13. In the center, right-click CN=Object101 and select Properties. This will bring up CN=Object101 Properties.

  14. Scroll through the list of attributes and double-click mail. This will bring up the String Attrribute Editor.

  15. In the box, under Value :, type the following text, and then click OK:
    Object101@corp.contoso.com

  16. Scroll through the list of attributes and double-click employeeID. This will bring up the String Attrribute Editor.

  17. In the box, under Value :, type the following text, and then click OK:
    101

  18. Click OK.

  19. Click Apply.

  20. Click OK.

  21. Close ADSI Edit.

Create the AD Management Agent

Now we will create the Active Directory management agent in the synchronization service.

To create the AD management agent

  1. Log on to FIM1.corp.contoso.com as CORP\Administrator.

  2. Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service.

  3. In the Synchronization Service, click the Management Agents button at the top.

  4. In the Management Agents view, on the right, under Actions, click Create. This will bring up the Create Management Agent dialog box.

  5. On the Create Management Agent screen, under Management Agent for, select Active Directory Domain Services. Under Name enter AD and then click Next.

    Create AD MA

  6. On the Connect to Active Directory Forest screen, enter corp.contoso.com for Forest name. Enter Administrator for the User name. Enter Pass1word$ for the Password. Enter CORP for the Domain. Click Next.

    Connect to AD Forest

  7. On the Configure Directory Partitions screen, under Select directory partitions, put a check in DC=corp,DC=contoso,DC=com. Under Select containers for this partition, click the Containers button. This will bring up the Select Containers dialog box.

  8. On the Select Containers screen, clear the check in the root DC=corp,DC=contoso,DC=com box. This will remove the check marks in all of the boxes. Now place a check in the ECMA2 box. Click OK. This will close the Select Containers dialog box.

    Select containers

  9. On the Configure Directory Partitions screen, click Next.

    Configure Directory Partitions

  10. On the Configure Provisioning Hierarchy screen click Next.

    Configure Prov Hierarchy

  11. On the Select Object Types screen, check user and then click Next.

    Select Object Types

  12. On the Select Attributes screen, place a check in the Show All box in the upper-right.

  13. On the Select Attributes screen, place a check in the box for each attribute in the following list. When finished click Next.

    • cn

    • displayName

    • employeeID

    • samAccountName

    • mail

    Select Attributes

  14. On the Configure Connector Filter dialog box, click Next.

    Configure Connector Filter

  15. On the Configure Join and Projection Rules dialog box, select user and then click New Projection Rule. This will bring up the Projection dialog box.

  16. On the Projection dialog box select Declared and then click OK. This will close the Projection dialog box.

  17. On the Configure Join and Projection Rules dialog box, click Next.

    Configure join and projection

  18. On the Configure Attribute Flow dialog box, under Data source object type select user.

  19. On the Configure Attribute Flow dialog box, under Metaverse object type select person.

  20. On the Configure Attribute Flow dialog box, under Data source attribute select samAccountName.

  21. On the Configure Attribute Flow dialog box, under Mapping Type select Direct.

  22. On the Configure Attribute Flow dialog box, under Flow Direction select Import.

  23. On the Configure Attribute Flow dialog box, under Metaverse attribute select accountName.

  24. On the Configure Attribute Flow dialog box, click New. This flow rule will appear above. Repeat these steps for each attribute in the following table. When finished, click Next.

    Table 1 – Attribute Flow

    Data Source Attribute Flow Direction Metaverse attribute

    samAccountName

    Import

    accountName

    mail

    Import

    mail

    employeeID

    Import

    employeeID

    displayName

    Import

    displayName

    displayName

    Export

    displayName

    mail

    Export

    mail

    employeeID

    Export

    employeeID

    Configure attribute flow

  25. On the Configure Deprovisioning dialog box, click Next.

    Configure deprovisioning

  26. On the Configure Extensions dialog box, click Finish.

    Configure extensions

Create the run profiles for the AD management agent

Now that the AD management agent has been created, you will need to create run profiles for the management agent.

To Create the run profiles for the AD management agent

  1. In the Synchronization Service, on the right of the portal page, under Actions menu, click Configure Run Profiles. This opens the Configure run Profiles window.

  2. Click New Profile. This will begin the Configure Run Profile wizard.

  3. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Full Import

  4. On the Configure Step page, from the drop-down list under Type, select Full Import (Stage Only), and then click Next.

  5. On the Management Agent Configuration page, click Finish.

  6. Click New Profile. This will begin the Configure Run Profile wizard.

  7. On the Profile Name page, in the text box under Name, type the following, and then click Next:
    Export

  8. On the Configure Step page, from the drop-down list under Type, select Export, and then click Next.

  9. On the Management Agent Configuration page, click Finish.

  10. Click New Profile.

  11. On the Profile Name page, in the text box under Name, type the following text, and then click Next:
    Full Synchronization

  12. On the Configure Step page, from the drop-down list under Type, select Full Synchronization, and then click Next.

  13. On the Management Agent Configuration page, click Finish.