Introduction to Publishing To Active Directory Domain Service from Two Authoritative Data Sources
Applies To: Forefront Identity Manager 2010
With declarative provisioning, a new feature introduced in Microsoft® Forefront® Identity Manager (FIM) 2010 R2, you can implement your complete identity integration business logic without developing rules extension source code. This document shows how to populate Active Directory® users from two authoritative data sources by using declarative provisioning.
For an overview of FIM 2010 documentation and guidance for using it, see the Documentation Roadmap.
Prerequisite Knowledge
This document assumes that you have a basic understanding of the following information technology (IT) concepts and tasks:
Managing Active Directory Domain Services (AD DS), including managing organizational units, groups and users, and domain controllers.
The synchronization process as outlined in Understanding Data Synchronization with External Systems
Managing inbound synchronization rules as outlined in the Introduction to Inbound Synchronization.
Managing outbound synchronization rules as outlined in the Introduction to Filter Based Outbound Synchronization Rules and Introduction to Synchronization Policy Based Outbound Synchronization.
A description of how to set up FIM 2010 R2 and Active Directory Domain Services (AD DS) is out of the scope of this document.
Audience
This guide is intended for IT planners, systems architects, technology decision makers, consultants, infrastructure planners, and IT personnel who plan to deploy FIM 2010 R2 by using declarative provisioning.
Time Requirements
The procedures in this document require 60 to 90 minutes for a new user to complete.
Note
These time estimates assume that the testing environment is already configured for the scenario and do not include the time required to set up the test environment.
Getting Support
If you have questions regarding the content of this document or if you have general feedback you would like to discuss, feel free to post a message to the Forefront Identity Manager 2010 TechNet Forum.
Scenario Description
The ability to configure an identity integration scenario without the need to write code is one key feature in FIM 2010 R2. This feature is known as declarative provisioning. With declarative provisioning, you can configure all aspects of your identity integration scenario by using the FIM Portal.
Fabrikam, a fictitious corporation, uses a human resources (HR) database to track information about all full-time employees. This database is the authoritative source for the creation of user accounts in the corporate Active Directory environment. In addition to the full time employees, Fabrikam is also required to grant access to other employee types such as contractors to the corporate network. To save operational costs, Fabrikam needs to automate the process of managing Active Directory accounts for the various employee types.
FIM 2010 R2 provides all the features needed to cover Fabrikam’s requirements. FIM 2010 R2 includes a database and the required front-end in the form of a Web portal-based application to manage the information about the various employee types. Plus, Fabrikam can use FIM 2010 R2 for automated management of distributed identity information from a central point.
To evaluate the capabilities of FIM 2010 R2, Fabrikam has a lab environment with a simplified implementation of the corporate network. This environment consists of an attribute-value pair (AVP) data source that functions as the HR database, an Active Directory environment, and FIM 2010 R2. All three data sources have a related management agent.
This document describes the steps Fabrikam uses to test the new features provided by FIM 2010 R2 in the outlined scenario.
Testing environment
The scenario outlined in this document has been developed and tested on a stand-alone computer. On this computer, FIM 2010 R2 is already deployed and the computer is configured to be a domain controller for the Active Directory forest, Fabrikam.com. The name of this domain controller is FabrikamDC1. The following illustration outlines the configuration.
To perform the procedures in this document, the domain controller has been configured with the following characteristics:
Windows Server 2008 R2 64-bit Enterprise
Microsoft .NET Framework 3.5 Service Pack 1 (SP1)
Microsoft SQL Server® 2008 R2 64-bit Enterprise
Windows SharePoint® Services 3.0 SP1, 64-bit
Windows PowerShell™ 2.0
FIM 2010 R2
Note
A description of the installation of FIM 2010 R2 and the required software components is out of the scope of this document. For a complete description of how to install FIM 2010 R2, see the FIM R2 Installation Guide.
Scenario Roadmap
The scenario roadmap in this document consists of three main building blocks:
Configuring the scenario - In this section, you create all the required scenario components including the required sample users, management agents, run profiles, and an inbound synchronization rule.
Initializing the scenario - In this section, you deploy your initial configuration inside FIM 2010 R2.
Testing the scenario - In this section, you verify that the scenario functions according to the outlined scenario specification.
Implementing the Procedures in this Document
To implement the procedures in this document, you complete the following steps in the order shown:
Configuring the connected data sources
Configuring the FIM Synchronization Service
Configuring the FIM Service
Initializing the testing environment
Testing the configuration
Configuring the connected data sources
For the scenario in this document, you need to create a data file for the AVP management agent and a new organizational unit in your AD DS.
Creating the data file
For the scenario in this document, you create an AVP data file.
To create the data file
Copy the records from the data below, and then paste them into a new Notepad file.
```
EmployeeID:10
DeltaOperation:Add
Company:Fabrikam
FirstName:Terry
LastName:Adams
UserID:tadams
EmployeeType:Full Time Employee
Manager:

EmployeeID:11
DeltaOperation:Add
Company:Fabrikam
FirstName:Jimmy
LastName:Bischoff
UserID:jbischoff
EmployeeType:Full Time Employee
Manager:10

EmployeeID:12
DeltaOperation:Add
Company:Fabrikam
FirstName:Lola
LastName:Jacobsen
UserID:ljacobsen
EmployeeType:Full Time Employee
Manager:11
```
Save the Notepad file on your local drive as C:\HRData.txt.
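Before the file is handed to the AVP management agent, it is worth checking that it is well-formed: every record needs a unique EmployeeID (the anchor), and every non-empty Manager value must point at an EmployeeID that exists in the same file, because the MA treats Manager as a reference. The parser and checker below are an added example, not code from this document or from FIM; they assume the layout the records above imply (one Attribute:Value pair per line, a blank line between records) and that only the two employeeType values the outbound rules scope on will ever produce an AD account. The sample data is constructed with the same content as the three records above.

```python
"""Parser and integrity checks for the attribute-value pair (AVP) HR data file.

Added example; this is not code from the document or from FIM. Assumptions:
one "Attribute:Value" pair per line, records separated by a blank line,
EmployeeID as the anchor, Manager holding the EmployeeID of another record.
"""
from typing import Dict, List

# Constructed sample with the same content as the three HR records in the document.
SAMPLE_HRDATA = """\
EmployeeID:10
DeltaOperation:Add
Company:Fabrikam
FirstName:Terry
LastName:Adams
UserID:tadams
EmployeeType:Full Time Employee
Manager:

EmployeeID:11
DeltaOperation:Add
Company:Fabrikam
FirstName:Jimmy
LastName:Bischoff
UserID:jbischoff
EmployeeType:Full Time Employee
Manager:10

EmployeeID:12
DeltaOperation:Add
Company:Fabrikam
FirstName:Lola
LastName:Jacobsen
UserID:ljacobsen
EmployeeType:Full Time Employee
Manager:11
"""

# employeeType values scoped by the two outbound synchronization rules in the document.
SCOPED_EMPLOYEE_TYPES = {"Full Time Employee", "Contractor"}


def parse_avp(text: str) -> List[Dict[str, str]]:
    """Split the file into records (one dict per record); a blank line ends a record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError(f"line {lineno}: expected Attribute:Value, got {raw!r}")
        current[name.strip()] = value.strip()
    if current:
        records.append(current)
    return records


def check_integrity(records: List[Dict[str, str]]) -> List[str]:
    """Return problems that would otherwise surface only after an import run."""
    problems: List[str] = []
    seen: Dict[str, int] = {}          # EmployeeID -> record number of first occurrence
    for idx, rec in enumerate(records, 1):
        anchor = rec.get("EmployeeID", "")
        if not anchor:
            problems.append(f"record {idx}: missing anchor EmployeeID")
        elif anchor in seen:
            problems.append(f"record {idx}: duplicate EmployeeID {anchor} (also record {seen[anchor]})")
        else:
            seen[anchor] = idx
        if not rec.get("DeltaOperation"):
            problems.append(f"record {idx}: missing DeltaOperation")
        if not rec.get("UserID"):
            problems.append(f"record {idx}: missing UserID (flows to accountName and sAMAccountName)")
        etype = rec.get("EmployeeType", "")
        if etype not in SCOPED_EMPLOYEE_TYPES:
            problems.append(f"record {idx}: EmployeeType {etype!r} matches no outbound "
                            "scoping filter; no AD account will be created")
    # Reference check needs the full anchor set, so it runs in a second pass.
    for idx, rec in enumerate(records, 1):
        mgr = rec.get("Manager", "")
        if mgr and mgr not in seen:
            problems.append(f"record {idx}: Manager {mgr} references no EmployeeID in the file")
        if mgr and mgr == rec.get("EmployeeID"):
            problems.append(f"record {idx}: Manager references itself")
    return problems


if __name__ == "__main__":
    found = check_integrity(parse_avp(SAMPLE_HRDATA))
    print("OK" if not found else "\n".join(found))
```

Run it against C:\HRData.txt (read the file and pass its text to parse_avp) before copying the file into the MaData folder; an empty problem list means the three records will import, join on EmployeeID, and resolve their Manager references.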
Creating the organizational unit
For the scenario in this document, you create an organizational unit that receives the newly created sample object.
To create the organizational unit
To open the Active Directory Users and Computers snap-in, open the Run command, and then type dsa.msc.
In the tree view, right-click fabrikam.com, select New, and then click Organizational Unit.
In the Name text box, type FIMObjects.
To create the organizational unit, click OK.
Configuring the FIM Synchronization Service
You can configure the FIM Synchronization Service by performing the following tasks:
Creating management agents.
Creating run profiles.
Creating management agents
For the scenario in this document, you must create three management agents:
Fabrikam HRMA
Fabrikam FIMMA
Fabrikam ADMA
The following sections provide detailed instructions to help you create the required management agents manually.
Creating the Fabrikam HRMA
The Fabrikam HRMA is a management agent for the AVP text file. To create this management agent, you use the Create Management Agent wizard.
To create the Fabrikam HRMA
In FIM 2010 R2, open the Synchronization Service Manager and on the Tools menu, click Management Agents.
To open the Create Management Agent wizard, on the Actions menu, click Create.
On the Create Management Agent page, provide the following settings, and then click Next:
Management agent for: AVP text file
Name: Fabrikam HRMA
On the Select Template Input File page, provide the following settings, and then click Next:
Template Input File: C:\HRData.txt
Code Page: Western European (Windows)
On the Configure Attributes page, provide the following settings, and then click Next:
To open the Set Anchor dialog box, click Set Anchor.
In the Attributes list, select Employee ID, and then click Add.
To close the Set Anchor dialog box, click OK.
In the Attributes list, select Manager.
To open the Edit Attribute dialog box, click Edit.
In the Type list, select Reference (DN).
To close the Edit Attribute dialog box, click OK.
On the Define Object Types page, click Next.
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Next.
Creating the Fabrikam FIMMA
The Fabrikam FIMMA is a management agent for the FIM Service Management Agent. To create this management agent, you use the Create Management Agent wizard.
When you configure a FIM Service management agent, you need to specify a user account. This document uses fimma as the name for this account. Replace this name with the account you specified in your environment.
Warning
The account you use for your FIM management agent must be the same account as the one you have specified during the installation of FIM 2010 R2. For more information, see How can I manage my FIM MA account?.
To create the Fabrikam FIMMA
To open the Create Management Agent wizard, on the Actions menu, click Create.
On the Create Management Agent page, provide the following settings, and then click Next:
Management agent for: FIM 2010 R2 Service management agent
Name: Fabrikam FIMMA
On the Connect to Database page, provide the following settings, and then click Next:
Server: localhost
Database: FIMService
FIM Service base address: https://localhost:5725
Authentication mode: Windows integrated authentication
User name: fimma
Password: <the account’s password>
Domain: fabrikam
On the Selected Object Types page, verify that the object types that are listed below are selected, and then click Next:
ExpectedRuleEntry
DetectedRuleEntry
SynchronizationRule
Person
On the Selected Attributes page, verify that all listed attributes are selected, and then click Next.
On the Configure Connector Filter page, click Next.
On the Configure Object Type Mappings page, add the following mapping, and then click Next:
In the Data Source Object Type list, select Person.
To open the Mapping dialog box, click Add Mapping.
In the Metaverse object type list, select person.
To close the Mapping dialog box, click OK.
On the Configure Attribute Flow page, apply the following attribute flow mappings, and then click Next:
Flow Direction | Data source attribute | Metaverse attribute |
---|---|---|
Import | AccountName | accountName |
Import | Company | company |
Import | DisplayName | displayName |
Import | Domain | domain |
Import | EmployeeID | employeeID |
Import | EmployeeType | employeeType |
Import | FirstName | firstName |
Import | LastName | lastName |
Import | Manager | manager |
Export | AccountName | accountName |
Export | Company | company |
Export | DisplayName | displayName |
Export | Domain | domain |
Export | EmployeeID | employeeID |
Export | EmployeeType | employeeType |
Export | FirstName | firstName |
Export | LastName | lastName |
Export | Manager | manager |
Export | ObjectSID | objectSid |
Select Person as the Data source object type.
Select person as the Metaverse object type.
Select Direct as the Mapping Type.
For each row in the previous table, complete the following steps:
Select the Flow Direction shown for that row in the table.
Select the Data source attribute shown for that row in the table.
Select the metaverse attribute shown for that row in the table.
To apply the flow mapping, click New.
On the Configure Deprovisioning page, click Next.
To create the management agent, on the Configure Extensions page, click Finish.
Creating the Fabrikam ADMA
The Fabrikam ADMA is a management agent for AD DS. To create this management agent, you use the Create Management Agent wizard.
To create the Fabrikam ADMA
To open the Create Management Agent wizard, on the Actions menu, click Create.
On the Create Management Agent page, provide the following settings, and then click Next:
Management agent for: Active Directory Domain Services
Name: Fabrikam ADMA
On the Connect to Active Directory Forest page, provide the following settings, and then click Next:
Forest name: fabrikam.com
User name: administrator
Password: <the account’s password>
Domain: fabrikam
On the Configure Directory Partitions page, provide the following settings, and then click Next:
In the Select directory partitions list, select DC=Fabrikam, DC=com.
To open the Select Containers dialog box, click Containers.
To cancel the selection of all selected nodes, click the DC=Fabrikam,DC=com node.
Click the FIMObjects node.
To close the Select Containers dialog box, click OK.
On the Configure Provisioning Hierarchy page, click Next.
On the Select Object Types page, provide the following settings, and then click Next:
In the Object types list, select user.
On the Select Attributes page, provide the following settings, and then click Next:
Select Show All.
In the Attributes list, select the following attributes:
company
displayname
employeeID
employeeType
givenName
manager
objectSid
sAMAccountName
sn
unicodePwd
userAccountControl
On the Configure Connector Filter page, click Next.
On the Configure Join and Projection Rules page, click Next.
On the Configure Attribute Flow page, click Next.
On the Configure Deprovisioning page, click Next.
On the Configure Extensions page, click Finish.
Creating run profiles
This topic provides instructions for creating and configuring the required run profiles.
Creating run profiles for the Fabrikam HRMA management agent
Before you can start with the configuration of the run profiles for this management agent, you need to copy the import data file you created in a previous section into the management agent’s data folder.
To copy the management agent’s data file
Open the Run command dialog box.
In the Open text box, type copy "C:\HRData.txt" "%programfiles%\Microsoft Forefront Identity Manager\2010\Synchronization Service\MaData\Fabrikam HRMA".
The following table shows the run profiles you create for the Fabrikam HRMA:
Profile | Run profile name | Step type |
---|---|---|
Profile 1 | Full Import | Full Import (Stage Only) |
Profile 2 | Full Synchronization | Full Synchronization |
To create run profiles for the Fabrikam HRMA management agent
In FIM 2010 R2, open the Synchronization Service Manager and, in the Tools menu, click Management Agents.
In the management agent list, click Fabrikam HRMA.
To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.
To open the Configure Run Profile wizard, click New Profile.
In the Name text box, type Full Import, and then click Next.
In the Type list, click Full Import (Stage Only), and then click Next.
In the Input file name text box, type HRData.txt.
To create the run profile, click Finish.
To open the Configure Run Profile wizard, click New Profile.
In the Name box, type Full Synchronization, and then click Next.
In the Type list, select Full Synchronization, and then click Next.
To create the run profile, click Finish.
To close the Configure Run Profiles dialog box, click OK.
Creating run profiles for the Fabrikam ADMA management agent
The following table lists the run profiles you create for the Fabrikam ADMA management agent:
Profile | Run profile name | Step type |
---|---|---|
Profile 1 | Full Import | Full Import (Stage Only) |
Profile 2 | Full Synchronization | Full Synchronization |
Profile 3 | Delta Import | Delta Import (Stage Only) |
Profile 4 | Delta Synchronization | Delta Synchronization |
Profile 5 | Export | Export |
To create run profiles for the Fabrikam ADMA management agent
In FIM 2010 R2, open the Synchronization Service Manager and, on the Tools menu, click Management Agents.
In the Management Agents list, select Fabrikam ADMA.
To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.
For each run profile in the table immediately above this procedure, complete the following steps:
To open the Configure Run Profile wizard, click New Profile.
In the Name box, type the profile name shown in the table, and click Next.
In the Type list, select the step type shown in the table, and then click Next.
Click Finish to create the run profile.
To close the Configure Run Profiles dialog box, click OK.
Creating run profiles for the Fabrikam FIMMA management agent
The following table lists the run profiles you create for the Fabrikam FIMMA management agent:
Profile | Run profile name | Step type |
---|---|---|
Profile 1 | Full Import | Full Import (Stage Only) |
Profile 2 | Full Synchronization | Full Synchronization |
Profile 3 | Delta Import | Delta Import (Stage Only) |
Profile 4 | Delta Synchronization | Delta Synchronization |
Profile 5 | Export | Export |
To create run profiles for the Fabrikam FIMMA management agent
In FIM 2010 R2, open Synchronization Service Manager and, on the Tools menu, click Management Agents.
In the management agent list, select Fabrikam FIMMA.
To open the Configure Run Profiles for dialog box, on the Actions menu, click Configure Run Profiles.
For each run profile in the table immediately above this procedure, complete the following steps:
To open the Configure Run Profile wizard, click New Profile.
In the Name box, type the profile name shown in the table, and then click Next.
In the Type list, click the step type shown in the table, and then click Next.
To create the run profile, click Finish.
To close the Configure Run Profiles dialog box, click OK.
Configuring the FIM Service
For the scenario in this document you perform the following configuration steps in the FIM 2010 R2 Service:
Creating the HR user inbound synchronization rule
Creating the ADDS FTE synchronization rule
Creating the ADDS Contractor synchronization rule
Creating the HR user inbound synchronization rule
The objective of the HR user inbound synchronization rule is to populate the FIM 2010 R2 service with data from the HR data file. The following table shows the configuration of this synchronization rule.
To configure the HR inbound synchronization rule, you use the related wizard pages.
To create the HR user inbound synchronization rule
On the FIM 2010 R2 portal home page, on the navigation bar, click Administration.
To open the Synchronization Rules page, click Synchronization Rules.
To open the Create Synchronization Rule wizard, in the toolbar, click New.
On the General tab, provide the following information, and then click Next:
Display Name: HR User Inbound Synchronization Rule
Data Flow Direction: Inbound
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: Fabrikam HRMA
External System Resource Type: person
On the Relationship tab, provide the following information, and then click Next:
To configure the Relationship Criteria, select employeeID from the MetaverseObject:person(Attribute) list and EmployeeID from the ConnectedSystemObject:person(Attribute) list.
Select Create Resource In FIM.
On the Inbound Attribute Flow page, provide the following information, and then click Next:
Flow rule | Source | Destination |
---|---|---|
Rule 1 | Company | company |
Rule 2 | EmployeeID | employeeID |
Rule 3 | EmployeeType | employeeType |
Rule 4 | FirstName | firstName |
Rule 5 | LastName | lastName |
Rule 6 | Manager | manager |
Rule 7 | UserID | accountName |
For each row in the previous table, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
To set the displayName attribute, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select FirstName.
Click Concatenate Value.
In the attributes list, select String.
In the text box, type a space.
Click Concatenate Value.
In the attributes list, select LastName.
On the Destination tab, in the attributes list, select displayName.
To apply the attribute flow configuration, click OK.
On the Summary tab, click Submit.
Creating the ADDS FTE Synchronization Rule
The objective of the ADDS FTE synchronization rule is to provision full-time employees from the HR data file to your Active Directory Domain Service and to enable the users to access the FIM portal. You can enable the scenario users to access the FIM portal by populating the domain and the security identifier (SID) attribute on a FIM 2010 R2 user object. The domain and the SID attribute are contributed by your AD DS. This is why the synchronization rule that is used to manage the user objects in this scenario is a combination of an inbound and an outbound synchronization rule.
The following table shows the configuration of this synchronization rule.
To configure the Active Directory synchronization rule, you use the related wizard pages.
To create the ADDS FTE Synchronization Rule
On the FIM Portal home page, click Administration, and then select Synchronization Rules.
To open the Create Synchronization Rules wizard, click New.
On the General tab, provide the following information, and then click Next:
Display Name: ADDS FTE Synchronization Rule
Data Flow Direction: Inbound and Outbound
Apply Rule: To all metaverse resources of this type according to Outbound System Scoping Filter
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: Fabrikam ADMA
External System Resource Type: user
Outbound System Scoping Filter
MetaverseObject:person(Attribute): employeeType
Operator: equal
Value: Full Time Employee
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): employeeID
Create Resource in External System: selected
On the Workflow Parameters tab, click Next.
On the Outbound Attribute Flow tab, provide the following information, and then click Next:
Source | Destination |
---|---|
accountName | sAMAccountName |
company | company |
displayName | displayName |
employeeID | employeeID |
employeeType | employeeType |
firstName | givenName |
lastName | sn |
manager | manager |
For each row in the previous table, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
To set the DN attribute flow, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then in the associated text box, type CN=.
Click Concatenate Value.
In the attributes list, select displayName.
Click Concatenate Value.
In the attributes list, select String.
In the text box, type ,OU=FIMObjects,DC=Fabrikam,DC=com.
On the Destination tab, in the attributes list, select dn.
To apply the attribute flow configuration, click OK.
To set an initial password, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then in the associated text box, type P@ssW0rd.
On the Destination tab, in the Destination list, select unicodePwd.
To apply the attribute flow configuration, click OK.
To set the userAccountControl attribute, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select Number, and then type 512 in the associated text box.
On the Destination tab, in the Destination list, select userAccountControl.
To apply the attribute flow configuration, click OK.
Select Initial Flow Only for the following flows:
“CN=”+firstName+” “+lastName+”,OU=FIMObjects,DC=Fabrikam,DC=com” =>dn
512=>userAccountControl
“P@ssW0rd”=>unicodePwd
On the Inbound Attribute Flow tab, provide the following information, and then click Finish.
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select objectSid.
On the Destination tab, in the Destination list, select objectSid.
To apply the attribute flow configuration, click OK.
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then type FABRIKAM in the associated text box.
On the Destination tab, in the Destination list, select domain.
On the Summary tab, click Submit.
Creating the ADDS Contractor Synchronization Rule
For the scenario in this document, the configuration of the ADDS Contractor Synchronization Rule is almost identical to the configuration of the outbound synchronization rule in the previous section. The only difference is the outbound system scoping filter.
The following table shows the configuration of this synchronization rule.
To configure the Active Directory synchronization rule, you use the related wizard pages.
To create the ADDS Contractor Synchronization Rule
On the FIM Portal home page, click Administration, and then select Synchronization Rules.
To open the Create Synchronization Rules wizard, click New.
On the General tab, provide the following information, and then click Next:
Display Name: ADDS Contractor Synchronization Rule
Data Flow Direction: Inbound and Outbound
Apply Rule: To all metaverse resources of this type according to Outbound System Scoping Filter
On the Scope tab, provide the following information, and then click Next:
Metaverse Resource Type: person
External System: Fabrikam ADMA
External System Resource Type: user
Outbound System Scoping Filter
MetaverseObject:person(Attribute): employeeType
Operator: equal
Value: Contractor
On the Relationship tab, provide the following information, and then click Next:
Relationship Criteria:
MetaverseObject:person(Attribute): employeeID
ConnectedSystemObject:person(Attribute): employeeID
Create Resource in External System: selected
On the Workflow Parameters tab, click Next.
On the Outbound Attribute Flow tab, provide the following information, and then click Next:
Source | Destination |
---|---|
accountName | sAMAccountName |
company | company |
displayName | displayName |
employeeID | employeeID |
employeeType | employeeType |
firstName | givenName |
lastName | sn |
manager | manager |
For each row in the previous table, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, select the attribute shown for that row in the table.
On the Destination tab, select the attribute shown for that row in the table.
To apply the attribute flow configuration, click OK.
To set the DN attribute flow, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then in the associated text box, type CN=.
Click Concatenate Value.
In the attributes list, select displayName.
Click Concatenate Value.
In the attributes list, select String.
In the text box, type ,OU=FIMObjects,DC=Fabrikam,DC=com.
On the Destination tab, in the attributes list, select dn.
To apply the attribute flow configuration, click OK.
To set an initial password, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then in the associated text box, type P@ssW0rd.
On the Destination tab, in the Destination list, select unicodePwd.
To apply the attribute flow configuration, click OK.
To set the userAccountControl attribute, perform the following steps:
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select Number, and then type 512 in the associated text box.
On the Destination tab, in the Destination list, select userAccountControl.
To apply the attribute flow configuration, click OK.
Select Initial Flow Only for the following flows:
“CN=”+firstName+” “+lastName+”,OU=FIMObjects,DC=Fabrikam,DC=com” =>dn
512=>userAccountControl
“P@ssW0rd”=>unicodePwd
On the Inbound Attribute Flow tab, provide the following information, and then click Finish.
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select objectSid.
On the Destination tab, in the Destination list, select objectSid.
To apply the attribute flow configuration, click OK.
To open the Flow Definition dialog box, click New Attribute Flow.
On the Source tab, in the attributes list, select String, and then type FABRIKAM in the associated text box.
On the Destination tab, in the Destination list, select domain.
On the Summary tab, click Submit.
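The ADDS FTE and ADDS Contractor rules differ only in their scoping filter, and both build the dn by concatenating displayName into an RDN. The simulation below, an added example that is not code from this document or from FIM, applies the two scoping filters, the persistent outbound flows and the Initial Flow Only flows (dn, unicodePwd, userAccountControl) exactly as the two procedures configure them, and adds one thing the wizard's string concatenation does not do: it escapes RDN special characters in displayName (RFC 4514), so an HR record whose name contains a comma does not yield a malformed or unintended dn. Function names, the new_object flag and the `_rule` key are assumptions of this example; the OU, the initial password and the userAccountControl value are those given in the procedures.

```python
"""Simulation of the ADDS FTE and ADDS Contractor synchronization rules.

Added example; not code from the document or from FIM. It reproduces the
scoping filters and outbound flows the document configures and escapes the
displayName before it is concatenated into the dn.
"""
from typing import Dict, Optional

TARGET_OU = "OU=FIMObjects,DC=Fabrikam,DC=com"
INITIAL_PASSWORD = "P@ssW0rd"   # sample initial password from the document (Initial Flow Only)
NORMAL_ACCOUNT = 512            # userAccountControl value from the document: normal, enabled account

# Outbound System Scoping Filter of each rule: employeeType equal <value>.
SCOPING_FILTERS = {
    "ADDS FTE Synchronization Rule": "Full Time Employee",
    "ADDS Contractor Synchronization Rule": "Contractor",
}

# Persistent outbound flows (metaverse attribute -> AD attribute); identical in both rules.
# manager is a reference attribute; the sync engine resolves it to the manager's DN.
PERSISTENT_FLOWS = {
    "accountName": "sAMAccountName",
    "company": "company",
    "displayName": "displayName",
    "employeeID": "employeeID",
    "employeeType": "employeeType",
    "firstName": "givenName",
    "lastName": "sn",
    "manager": "manager",
}


def select_rule(person: Dict[str, str]) -> Optional[str]:
    """Apply the scoping filters; None means no rule applies and no AD account is created."""
    for rule, value in SCOPING_FILTERS.items():
        if person.get("employeeType") == value:
            return rule
    return None


def escape_rdn_value(value: str) -> str:
    """Escape an attribute value for use inside an RDN (RFC 4514, section 2.4)."""
    text = "".join("\\" + ch if ch in ',+"\\<>;' else ch for ch in value)
    if text.startswith(("#", " ")):
        text = "\\" + text
    if text.endswith(" "):
        text = text[:-1] + "\\ "
    return text


def outbound_flow(person: Dict[str, str], new_object: bool) -> Dict[str, object]:
    """Compute the AD attributes the applicable rule exports for this person.

    new_object=True models the first export, when the connector-space object is
    created and the Initial Flow Only flows are applied; later exports carry only
    the persistent flows, so a password or OU change in AD is not overwritten.
    """
    rule = select_rule(person)
    if rule is None:
        return {}
    out: Dict[str, object] = {"_rule": rule}
    for src, dst in PERSISTENT_FLOWS.items():
        if person.get(src) not in (None, ""):
            out[dst] = person[src]
    if new_object:
        out["dn"] = f"CN={escape_rdn_value(person['displayName'])},{TARGET_OU}"
        out["unicodePwd"] = INITIAL_PASSWORD
        out["userAccountControl"] = NORMAL_ACCOUNT
    return out


if __name__ == "__main__":
    # Constructed metaverse view of the first HR record after the inbound rule ran.
    terry = {"accountName": "tadams", "company": "Fabrikam", "displayName": "Terry Adams",
             "employeeID": "10", "employeeType": "Full Time Employee",
             "firstName": "Terry", "lastName": "Adams", "manager": ""}
    for k, v in outbound_flow(terry, new_object=True).items():
        print(f"{k}: {v}")
```

Try a displayName such as "Adams, Terry": without escaping, the dn would be parsed as an extra RDN component, which is exactly the case the escape_rdn_value step guards against.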
Initializing the testing environment
Before you can test your configuration with test data, you need to initialize the configuration. The following steps are part of this process:
Enabling provisioning
Initializing the Fabrikam FIMMA
Configuring attribute flow precedence
Initializing the Fabrikam ADMA
At the end of the initialization phase, the ADDS FTE synchronization rule, the ADDS contractor synchronization rule and the HR User inbound synchronization rule are projected into the metaverse. To verify this, you should perform a metaverse search. The following illustration shows an example for this.
Enabling provisioning
For the scenario in this document, you need to ensure that provisioning is enabled.
To enable provisioning
In FIM 2010 R2, open the Synchronization Service Manager.
To open the Options dialog box, on the Tools menu, click Options.
Select Enable Synchronization Rule Provisioning.
To close the Options dialog box, click OK.
Initializing the Fabrikam FIMMA
To initialize the Fabrikam FIMMA, you need to run a complete synchronization cycle on this management agent. The complete cycle consists of the following run profile runs:
Step | Run profile name |
---|---|
1 | Full Import |
2 | Full Synchronization |
3 | Export |
4 | Delta Import |
To initialize the Fabrikam FIMMA
Open the Synchronization Service Manager and on the Tools menu, click Management Agents.
In the Management Agents list, select Fabrikam FIMMA.
For each row in the table immediately above this procedure, complete the following steps:
To open the Run Management Agent dialog box, on the Actions menu, click Run.
In the Run profiles list, select the run profile shown for that row in the table.
To start the run profile, click OK.
Configuring attribute flow precedence
During the initialization of the FIM Service management agent, the three configured synchronization rules have been brought into the metaverse. Because the sample HR data source and the ADDS data source are authoritative for certain attributes, you need to adjust the attribute flow precedence configuration.
For the scenario in this document, the inbound flows from your synchronization rules must have the highest precedence.
The following illustration shows an example for the correct configuration of the accountName and the company attributes.
The following table lists the affected attributes and the management agent that must have the highest precedence.
Step | Attribute Name | Management Agent |
---|---|---|
1 | accountName | Fabrikam HRMA |
2 | company | Fabrikam HRMA |
3 | displayName | Fabrikam HRMA |
4 | domain | Fabrikam ADMA |
5 | employeeID | Fabrikam HRMA |
6 | employeeType | Fabrikam HRMA |
7 | firstName | Fabrikam HRMA |
8 | lastName | Fabrikam HRMA |
9 | manager | Fabrikam HRMA |
To configure the attribute flow precedence
1. In Synchronization Service Manager, on the Tools menu, click Metaverse Designer.
2. In the Object types list, click person.
3. For each row in the table immediately above this procedure, complete the following steps:
   a. In the Attributes list, click the attribute shown for that row in the table.
   b. To open the Configure Attribute Flow Precedence dialog box, on the Actions menu, click Configure Attribute Flow Precedence.
   c. Move the management agent shown for that row in the table to the top of the list.
   d. To close the Configure Attribute Flow Precedence dialog box, click OK.
Important
After changing the attribute flow precedence, you should run a full synchronization run followed by an export and a delta import on the Fabrikam FIMMA.
Initializing the Fabrikam ADMA
To initialize the Active Directory management agent, you need to run a full import and a full synchronization on it. The full import is required to bring the organizational unit FIMObjects, which is used as the target for the sample objects, into the connector space. The full synchronization is required because the synchronization rules changed when the new synchronization rules were projected from the FIM Service connector space into the metaverse.
Step | Run profile name |
---|---|
1 | Full Import |
2 | Full Synchronization |
To initialize the Fabrikam ADMA
1. Open the Synchronization Service Manager and, on the Tools menu, click Management Agents.
2. In the Management Agents list, select Fabrikam ADMA.
3. For each row in the table immediately above this procedure, complete the following steps:
   a. To open the Run Management Agent dialog box, on the Actions menu, click Run.
   b. In the Run profiles list, select the run profile shown for that row in the table.
   c. To start the run profile, click OK.
Testing the configuration
To test the configuration, you create some test users (contractors) in the FIM Portal, process the sample objects from the HR data file, and, finally, process the FIM Portal sample objects from the FIM Portal to AD DS.
Creating sample user objects in the FIM Portal
To create the sample users in the FIM Portal, you use the related wizard pages.
The following table shows the sample user configuration:
Attribute | User 1 | User 2 |
---|---|---|
First Name | Britta | Jossef |
Last Name | Simon | Goldberg |
Display Name | Britta Simon | Jossef Goldberg |
Account Name | bsimon | jgoldberg |
Employee Type | Contractor | Contractor |
Employee ID | 13 | 14 |
To create sample users in the FIM Portal
1. To open the FIM Portal, start Internet Explorer, and then navigate to https://localhost/identitymanagement/default.aspx.
2. To open the Users page, in the navigation bar, click Users.
3. To open the Create User wizard, on the toolbar, click New.
4. On the General tab, provide the following information, and then click Next:
   - First Name: Britta
   - Last Name: Simon
   - Display Name: Britta Simon
   - Account Name: bsimon
   - Domain: Fabrikam
5. On the Work Info tab, provide the following information, and then click Finish:
   - Employee Type: Contractor
   - Employee ID: 13
6. On the Summary tab, click Submit.
7. To open the Create User wizard, on the toolbar, click New.
8. On the General tab, provide the following information, and then click Next:
   - First Name: Jossef
   - Last Name: Goldberg
   - Display Name: Jossef Goldberg
   - Account Name: jgoldberg
   - Domain: Fabrikam
9. On the Work Info tab, provide the following information, and then click Finish:
   - Employee Type: Contractor
   - Employee ID: 14
10. On the Summary tab, click Submit.
Processing the sample objects in the HR data file
The objective of this step is to bring the objects in the HR data file into the FIM Portal and your Active Directory Domain Services. To accomplish this, you run the following run profiles:
Step | Management Agent | Run Profile |
---|---|---|
1 | Fabrikam HRMA | Full Import |
2 | Fabrikam HRMA | Full Synchronization |
3 | Fabrikam FIMMA | Export |
4 | Fabrikam ADMA | Export |
5 | Fabrikam ADMA | Delta Import |
6 | Fabrikam ADMA | Delta Synchronization |
7 | Fabrikam FIMMA | Export |
You should verify after each run profile run whether your scenario works as expected. The first step in this verification process is to review the synchronization statistics.
After the import on the Fabrikam HRMA, the synchronization statistics report three newly staged objects. The following illustration shows an example of this.
In addition to reviewing the synchronization statistics, you should also perform a connector space search to verify that your objects have the expected attribute values.
During the following synchronization run, these three objects are:
- Projected into the metaverse.
- Provisioned into the connector space of the Fabrikam FIMMA.
- Provisioned into the connector space of the Fabrikam ADMA.
The following illustration shows an example of the related synchronization statistics.
Tip
Before running an export run profile, it is a good practice to verify whether you have staged export operations on a management agent. You can do this by running the script from Using PowerShell to display the export state of a management agent.
When you run the script that displays the export state of a management agent, three Adds should be reported. The following illustration shows an example of this.
To complete an export run, you should always run a delta import, which is also known as confirming import. In addition to confirming the export operation, the import run is also required to retrieve the objectSid attribute for the new ADDS users. The attribute values are published in the FIM Portal by using a delta synchronization run on the Fabrikam ADMA that is followed by an export and delta import on the Fabrikam FIMMA.
To process the sample objects in the HR data file
1. Open Synchronization Service Manager and, on the Tools menu, click Management Agents.
2. For each row in the table immediately above this procedure, complete the following steps:
   a. Select the management agent shown for that row in the table.
   b. To open the Run Management Agent dialog box, on the Actions menu, click Run.
   c. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.
The export run creates the representations of the sample objects from the HR data file in the FIM Portal. At this point, the domain attribute has not yet been populated. The following illustration shows an example of this.
The domain and objectSid attributes will be populated with data from your Active Directory Domain Services.
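The run-profile sequence from the table above, driven from PowerShell instead of the Synchronization Service Manager, as an added example that is not part of this document or of the FIM Scriptbox. It uses the Synchronization Service WMI provider (the MIIS_ManagementAgent class in the root\MicrosoftIdentityIntegrationServer namespace) and performs the pending-export check from the Tip above before every Export step, so an unexpected run (nothing staged, or staged deletes where this scenario never produces any) is caught before it reaches the FIM Portal or AD DS. It assumes it runs on the synchronization server under an account that is a member of the FIMSyncOperators or FIMSyncAdmins group; the step list and the helper function name are this example's own.

```powershell
# Added example: run a sequence of FIM run profiles through the Synchronization Service WMI provider.
# Assumption: executed on the FIM Synchronization Service server by a FIMSyncOperators/FIMSyncAdmins member.
$Namespace = "root\MicrosoftIdentityIntegrationServer"

# Constructed step list; it mirrors the table in "Processing the sample objects in the HR data file".
$Steps = @(
    @{ MA = "Fabrikam HRMA";  Profile = "Full Import" },
    @{ MA = "Fabrikam HRMA";  Profile = "Full Synchronization" },
    @{ MA = "Fabrikam FIMMA"; Profile = "Export" },
    @{ MA = "Fabrikam ADMA";  Profile = "Export" },
    @{ MA = "Fabrikam ADMA";  Profile = "Delta Import" },
    @{ MA = "Fabrikam ADMA";  Profile = "Delta Synchronization" },
    @{ MA = "Fabrikam FIMMA"; Profile = "Export" }
)

function Get-PendingExportCounts {
    # Helper (this example's own name): the MIIS_ManagementAgent class exposes the
    # staged export counts as WMI methods that return the number in ReturnValue.
    param([System.Management.ManagementObject]$Ma)
    [pscustomobject]@{
        Adds    = [int]$Ma.NumExportAdd().ReturnValue
        Updates = [int]$Ma.NumExportUpdate().ReturnValue
        Deletes = [int]$Ma.NumExportDelete().ReturnValue
    }
}

foreach ($step in $Steps) {
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$($step.MA)'"
    if ($null -eq $ma) { throw "Management agent '$($step.MA)' was not found." }

    if ($step.Profile -eq "Export") {
        # The check from the Tip: look at what is staged before writing it to the target system.
        $pending = Get-PendingExportCounts -Ma $ma
        Write-Host ("{0}: staged exports - Adds={1} Updates={2} Deletes={3}" -f `
            $step.MA, $pending.Adds, $pending.Updates, $pending.Deletes)
        if (($pending.Adds + $pending.Updates + $pending.Deletes) -eq 0) {
            Write-Warning "$($step.MA): nothing is staged for export; review the preceding synchronization run."
        }
        if ($pending.Deletes -gt 0) {
            # This scenario never stages deletes; a staged delete usually means a join or
            # filter problem, so stop before it is written to the FIM Portal or AD DS.
            throw "$($step.MA): $($pending.Deletes) staged delete(s); aborting so they can be reviewed in the connector space."
        }
    }

    Write-Host ("Running '{0}' on {1} ..." -f $step.Profile, $step.MA)
    $result = $ma.Execute($step.Profile).ReturnValue
    if ($result -ne "success") {
        throw "Run profile '$($step.Profile)' on $($step.MA) returned '$result'; see the run history in Synchronization Service Manager."
    }
}
```

The script stops at the first run profile that does not return success, which matches the advice in this section to verify each run before starting the next one; the synchronization statistics and connector space search in Synchronization Service Manager remain the place to inspect why a run failed.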
Processing the sample objects in the FIM Portal
The objective of the last testing phase is to publish the sample contractor objects in your FIM Portal to your AD DS and to populate all sample objects with the data that is required for FIM Portal access.
During the synchronization run on your Fabrikam FIMMA, two new objects are provisioned to the connector space of the Fabrikam ADMA. The following illustration shows an example of this.
To confirm the report of the synchronization statistics, you can run the script that lists the pending exports on your Fabrikam ADMA. The following illustration shows an example of this.
After you have exported the two users from the FIM Portal to your AD DS, you can find all five sample users in the FIMObjects organizational unit. The following illustration shows an example of this.
To finalize the scenario in this document, you need to synchronize the missing values of the objectSid attribute from your AD DS to the FIM Portal.
To complete the scenario that is outlined in this document, you run a sequence of run profiles. The following table lists the required run profiles for this phase:
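A verification of the state described in the preceding paragraph from the AD DS side, as an added example that is not part of this document. It assumes the Active Directory PowerShell module (RSAT) is available and that the FIMObjects distinguished name is replaced with the one from your forest; the DN below is a placeholder, and the expected-user list contains only the two contractors whose account names appear in this document.

```powershell
# Added example: confirm that the Fabrikam ADMA export created the sample users in FIMObjects
# and that they have an objectSid, which is the value the final run-profile sequence carries
# back to the FIM Portal.
Import-Module ActiveDirectory

$SearchBase = "OU=FIMObjects,DC=fabrikam,DC=com"   # placeholder: replace with the DN of your FIMObjects OU
$ExpectedUserCount = 5                              # three HR users plus the two portal contractors

# Constructed list: the two contractors created in the FIM Portal earlier in this section.
$ExpectedContractors = @("bsimon", "jgoldberg")

$users = @(Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope OneLevel -Properties displayName)
Write-Host ("{0} user object(s) found in {1}" -f $users.Count, $SearchBase)

if ($users.Count -ne $ExpectedUserCount) {
    Write-Warning ("Expected {0} users, found {1}; check the Fabrikam ADMA export run and its pending exports." -f $ExpectedUserCount, $users.Count)
}

foreach ($u in $users) {
    # Every exported user must have a SID; a missing one means the confirming (delta) import
    # will have nothing to publish to the FIM Portal for that object.
    $sid = if ($u.SID) { $u.SID.Value } else { "<missing>" }
    Write-Host ("{0,-12} {1,-20} {2}" -f $u.SamAccountName, $u.displayName, $sid)
}

foreach ($name in $ExpectedContractors) {
    if (-not ($users | Where-Object { $_.SamAccountName -eq $name })) {
        Write-Warning "Contractor '$name' was not exported to $SearchBase; review the Fabrikam ADMA connector space."
    }
}
```

Run it after the Fabrikam ADMA export and delta import; the SID column is what should then appear as objectSid in the FIM Portal once the final run-profile sequence below has completed.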
Step | Management agent | Run profile |
---|---|---|
1 | Fabrikam FIMMA | Delta Import |
2 | Fabrikam FIMMA | Delta Synchronization |
3 | Fabrikam ADMA | Export |
4 | Fabrikam ADMA | Delta Import |
5 | Fabrikam ADMA | Delta Synchronization |
6 | Fabrikam FIMMA | Export |
7 | Fabrikam FIMMA | Delta Import |
To process the sample objects in the FIM Portal
1. Open Synchronization Service Manager and, on the Tools menu, click Management Agents.
2. For each row in the table immediately above this procedure, complete the following steps:
   a. Select the management agent shown for that row in the table.
   b. To open the Run Management Agent dialog box, on the Actions menu, click Run.
   c. In the Run profiles list, select the run profile shown for that row in the table, and then click OK to start it.
See Also
Reference
Documentation Roadmap
Understanding Data Synchronization with External Systems
How Do I Synchronize Users from Active Directory Domain Services to FIM
How Do I Synchronize Groups from Active Directory Domain Services to FIM
How do I Provision Users to Active Directory Domain Services
How do I Provision Groups to Active Directory Domain Services
FIM Experts Corner
FIM Scriptbox