Sie sind auf Seite 1von 20

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ...

Page 1 of 20

2011 Micr osoft Corporat ion. All r ight s reserved.

Introduction to Publishing To Active Directory from Two Authoritative Data Sources


Updat ed: Mar ch 31, 2010 Applies To: Forefront I dent it y Manager 2010 Wit h declarat ive pr ovisioning, a new feat ure int r oduced in Micr osoft Forefront I dent it y Manager ( FI M) 2010, y ou can im plem ent your com plet e ident it y int egr at ion business logic w it hout developing a r ules ext ension source code. This docum ent show s how t o populat e Act ive Direct or y users fr om t w o aut horit at ive dat a sources by using declar at ive provisioning. For an over view of FI M 2010 docum ent at ion and guidance for using it , see t he Docum ent at ion Roadm ap [ ht t p: / / go.m icrosoft . com / fw link/ ? LinkI d= 187028 ] .

Pr e r e qu isit e Kn ow le dge

This docum ent assum es t hat you have a basic underst anding of t he follow ing inform at ion t echnology ( I T) concept s and t ask s: Managing Act ive Direct or y Dom ain Serv ices ( AD DS) , including m anaging or ganizat ional unit s, groups and users, and dom ain cont roller s. The synchr onizat ion pr ocess as out lined in Underst anding Dat a Synchronizat ion w it h Ext ernal Syst em s [ ht t p: / / go.m icr osoft .com / fw link / ?LinkI D= 187498 ] Managing inbound synchronizat ion r ules as out lined in t he I nt r oduct ion t o I nbound Synchronizat ion [ ht t p: / / go.m icrosoft .com / fw link/ ? LinkI d= 165858 ] . Managing out bound synchronizat ion r ules as out lined in t he I nt r oduct ion t o Out bound Synchronizat ion [ ht t p: / / go.m icr osoft .com / fw link / ?LinkI d= 165859 ] . A descr ipt ion of how t o set up FI M 2010 and Act ive Dir ect ory Dom ain Services ( AD DS) is out of t he scope of t his docum ent .

Au die n ce

This guide is int ended for I T planners, syst em s ar chit ect s, t echnology decision m aker s, consult ant s, infr ast r uct ure planner s, and I T personnel w ho plan t o deploy FI M 2010 by using codeless pr ovisioning.

Tim e Re q u ir e m e n t s

The pr ocedures in t his docum ent r equir e 60 t o 90 m inut es for a new user t o com plet e. N ot e

These t im e est im at es assum e t hat t he t est ing envir onm ent is alr eady configur ed for t he scenar io and do not include t he tim e r equired t o set up t he t est envir onm ent .

Ge t t in g Su ppor t

I f you hav e quest ions regarding t he cont ent of t his docum ent or if you have general feedback you w ould like t o discuss, feel free t o post a m essage t o t he Forefront I dent it y Manager 2010 TechNet For um [ ht t p: / / go.m icrosoft . com / fw link/ ?LinkI d= 163230 ] .

Sce n a r io D e script ion

The abilit y t o configure an ident it y int egr at ion scenario w it hout t he need t o w rit e code is one key feat ur e in FI M 2010. This feat ur e is know n as declarat ive pr ovisioning. Wit h declar it ive provisioning, you can configur e all aspect s of y our ident it y int egrat ion scenario by using t he FI M Port al. Fabrikam , a fict it ious corporat ion, uses a hum an resources ( HR) dat abase t o t r ack inform at ion about all full - t im e em ployees. This dat abase is t he aut hor it at ive sour ce for t he creat ion of user account s in t he cor por at e Act ive Dir ect ory environm ent . I n addit ion t o t he full t im e em ployees, Fabr ikam is also required t o gr ant access t o ot her em ploy ee t ypes such as cont ract ors t o t he corporat e net w or k. To save operat ional cost s, Fabrikam needs t o aut om at e t he process of m anaging Act iv e Direct ory account s for t he various em ployee t ypes. FI M 2010 provides all t he feat ures needed t o cover Fabrikam s r equir em ent s. FI M includes a dat abase and t he r equir ed front - end in t he for m of a Web port al- based applicat ion t o m anage t he inform at ion about t he var ious em ployee t ypes. Plus, Fabr ikam can use FI M for aut om at ed m anagem ent of dist ribut ed ident it y infor m at ion fr om a cent ral point . To evaluat e t he capabilit ies of FI M 2010, Fabrikam has a lab envir onm ent w it h a sim plified im plem ent at ion of t he cor por at e net w ork. This environm ent consist s of an at t ribut e- v alue pair ( AVP) dat a source t hat funct ions as t he HR dat abase, an Act ive Dir ect ory envir onm ent , and FI M 2010. All t hree dat a sources have a r elat ed m anagem ent agent . This docum ent descr ibes t he st eps Fabrik am uses t o t est t he new feat ur es pr ovided by FI M 2010 in t he out lined scenario. Te st in g e n vir on m e nt The scenario out lined in t his docum ent has been developed and t est ed on a st and - alone com put er . On t his com put er , FI M 2010 is alr eady

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 2 of 20

deployed and t he com put er is configur ed t o be a dom ain cont roller for t he Act ive Direct or y for est , Fabr ikam .com . The nam e of t his dom ain cont r oller is Fabrikam DC1. The following illust rat ion out lines t he configurat ion.

To perfor m t he procedures in t his docum ent , t he dom ain cont roller has been configured w it h t he follow ing char act erist ics: Window s Server 2008 64- bit Ent erprise Microsoft .NET Fr am ew or k 3.5 Service Pack 1 ( SP1) Microsoft SQL Server 2008 64 - bit Ent erprise SP1 Window s SharePoint Ser vices 3.0 SP1, 64 - bit Window s Pow er Shell 1.0 FI M 2010 N ot e

A descript ion of t he installation of FI M 2010 and t he requir ed soft war e com ponent s is out of t he scope of t his docum ent . For a com plet e descript ion of how t o inst all FI M 2010, see t he FI M I nst allat ion Guide [ htt p: / / go.m icr osoft .com / fwlink/ ? Link I d= 165845 ] .

Sce n a r io Roa dm a p

The scenario r oadm ap in t his docum ent consist s of t hree m ain building blocks: 1. Con fig ur in g t h e sce n a r io - I n t his sect ion, you creat e all t he required scenar io com ponent s including t he required sam ple user s, m anagem ent agent s, run profiles, and an inbound synchr onizat ion rule. I n it ia liz ing t he sce na r io - I n t his sect ion, you deploy your init ial configurat ion inside FI M 2010. Te st in g t h e sce n a r io. - I n t his sect ion, you v erify t hat t he scenar io funct ions according t o t he out lined scenario specificat ion.

2. 3.

I m ple m e n t ing t h e Pr oce d ur e s in t h is D ocu m e n t

To im plem ent t he procedur es in t his docum ent , you com plet e t he follow ing st eps in t he order shown: 1. 2. 3. 4. 5. Configuring t he connect ed dat a sour ces Configuring t he FI M Synchr onizat ion Ser vice Configuring t he FI M Service I nit ializing t he t est ing envir onm ent Test ing t he configurat ion

Con figu r in g t he conne ct e d da t a sou r ce s For t he scenar io in t his docum ent , you need t o cr eat e a dat a file for t he AVP m anagem ent agent and a new organizat ional unit in your AD DS. Cr e a t in g t h e da t a file For t he scenar io in t his docum ent , you cr eat e an AVP dat a file. To cr e a t e t h e da t a file 1. Copy t he records fr om t he dat a below , and t hen past e t hem int o a new Not epad file. Copy Code

Em oy eeI D: 10 pl Del t aOper at i on: Add Com pany: Fabr i k am Fi r s t Nam Ter r y e:

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 3 of 20

Last Nam Adam e: s Us er I D: t adam s Em oy eeTy pe: Ful l Ti m Em oy ee pl e pl M anager : Em oy eeI D: 11 pl Del t aOper at i on: Add Com pany: Fabr i k am Fi r s t Nam Ji m y e: m Last Nam Bi s c hof f e: Us er I D: j bi sc hof f Em oy eeTy pe: Ful l Ti m Em oy ee pl e pl M anager : 10 Em oy eeI D: 12 pl Del t aOper at i on: Add Com pany: Fabr i k am Fi r s t Nam Lol a e: Last Nam J ac obsen e: Us er I D: l j acobs en Em oy eeTy pe: Ful l Ti m Em oy ee pl e pl M anager : 11

2.

Save t he Not epad file on your local drive as C: \ HRDat a.t xt .

Cr e a t in g t h e or ga niz a t ion a l un it For t he scenar io in t his docum ent , you cr eat e an organizat ional unit t hat r eceives t he new ly cr eat ed sam ple obj ect . To cr e a t e t h e or ga n iza t iona l u nit 1. 2. 3. 4. To open t he Act ive D ir e ct or y U se r s a nd Com pu t er s snap- in, open t he Run com m and, and t hen t ype dsa .m sc. I n t he t ree view , r ight - click f a br ik a m .com , select N e w , and t hen click Or ga n iza t iona l U nit . I n t he N a m e t ext box, t ype FI M Obj e ct s. To creat e t he organizat ional unit , click OK.

Con figu r in g t he FI M Synchr oniza t ion Se r vice You can configure t he FI M Synchronizat ion Service by perform ing t he follow ing t asks: 1. 2. Cr eat ing m anagem ent agent s. Cr eat ing run profiles.

Cr e a t in g m a n a ge m e nt a ge nt s For t he scenar io in t his docum ent , you m ust creat e t hree m anagem ent agent s: 1. 2. 3. Fabrikam HRMA Fabrikam FI MMA Fabrikam ADMA

The follow ing sect ions provide det ailed inst ruct ions t o help you cr eat e t he required m anagem ent agent s m anually

Cr e a t in g t h e Fa br ik a m H RM A
The Fabrikam HRMA is a m anagem ent agent for t he AVP t ex t file. To creat e t his m anagem ent agent , you use t he Cr eat e Managem ent Agent w izard. To cr e a t e t h e Fa br ik a m H RM A 1. 2. 3. I n FI M 2010, open t he Synch r oniza t ion Se r vice M a n a ge r and on t he Tools m enu, click M a n a ge m e nt Age n t s. To open t he Creat e Managem ent Agent w izar d, on t he Act ions m enu, click Cr e a t e . On t he Cr e a t e M a na ge m e nt Age nt page, provide t he follow ing set t ings, and t hen click N e x t : M a na ge m en t a ge n t f or : AVP t ext file N a m e : Fabrikam HRMA 4. On t he Se le ct Tem pla t e I npu t File page, pr ovide t he follow ing set t ings, and t hen click N e x t : Te m pla t e I n put File : C: \ HRDat a.t xt Code Pa ge : West ern European ( Window s) 5. On t he Con figu r e At t r ibut e s page, pr ov ide t he follow ing set t ings, and t hen click N e x t : a. To open t he Se t Anchor dialog box, click Se t Anchor .

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 4 of 20

b. c. d. e. f. g. 6. 7. 8. 9. 10. 11.

I n t he At t r ibut e s list , select Em ploye e I D , and t hen click Add . To close t he Se t Anchor dialog box, click OK. I n t he At t r ibut e s list , select M a n a ger . To open t he Edit At t r ibut e dialog box, click Edit . I n t he Type list , select Ref er en ce ( D N ) . To close t he Edit At t r ibut e dialog box, click OK.

On t he D e fine Obj e ct Types page, click N e x t . On t he Con figu r e Conne ct or Filt e r page, click N ex t . On t he Con figu r e Join a nd Pr oj e ct ion Rule s page, click N e x t . On t he Con figu r e At t r ibut e Flow page, click N e x t . On t he Con figu r e D e pr ovisionin g page, click N e x t . On t he Con figu r e Ex t e n sions page, click N e x t .

Cr e a t in g t h e Fa br ik a m FI M M A
The Fabrikam FI MMA is a m anagem ent agent for t he FI M Ser vice Managem ent Agent . To creat e t his m anagem ent agent , you use t he Cr eat e Managem ent Agent w izard. When you configure a FI M m anagem ent agent , you need t o specify a user account . This docum ent uses fim m a as nam e for t his account . You need t o replace t his nam e w it h account you have specified in your environm ent . Cau t ion

The account you use for your FI M m anagem ent agent m ust be t he sam e account a s t he one you hav e specified dur ing t he inst allat ion of FI M. For m or e infor m at ion, see How can I m anage m y FI M MA account ? [ ht t p: / / go.m icrosoft .com / fwlink / ?LinkI d= 188271 ] .
To cr e a t e t h e Fa br ik a m FI M M A 1. 2. To open t he Creat e Managem ent Agent w izar d, on t he Act ions m enu, click Cr e a t e . On t he Cr e a t e M a na ge m e nt Age nt page, provide t he follow ing set t ings, and t hen click N e x t : M a na ge m en t a ge n t f or : FI M Ser vice m anagem ent agent N a m e : Fabrikam FI MMA 3. On t he Con ne ct t o D a t a ba se page, provide t he follow ing set t ings, and t hen click N e x t : Ser v er : localhost D a t a ba se : FI MSer vice FI M Se r vice ba se a ddr e ss: ht t p: / / localhost : 5725 Au t h e nt ica t ion m ode : Window s int egr at ed aut hent icat ion U se r na m e : fim m a Pa ssw or d: < t he account s passw ord> D om a in : fabrik am 4. On t he Se le ct e d Obj e ct Type s page, verify t hat t he obj ect t ypes t hat are list ed below are select ed, and t hen click N e x t : Ex pe ct edRule En t r y D e t ect e dRule Ent r y Synchr on iza t ionRu le Pe r son 5. 6. 7. On t he Se le ct e d At t r ibut e s page, verify t hat all list ed at t ribut es are select ed, and t hen click N e x t . On t he Con figu r e Conne ct or Filt e r page, click N ex t . On t he Con figu r e Obj e ct Ty pe M a ppin gs page, add t he follow ing m apping, and t hen click N e x t : a. b. c. d. I n t he D a t a Sou r ce Obj e ct Type list , select Pe r son . To open t he M a pping dialog box, click Add M a pping . I n t he M e t a ve r se obj e ct t y pe list , select pe r son . To close t he M a ppin g dialog box, click OK.

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 5 of 20

8.

On t he Con figu r e At t r ibut e Flow page, apply t he follow ing at t ribut e flow m appings, and t hen click N e x t :

Flow D ir e ct ion

D a t a sour ce a t t r ibut e

M e t a ve r se a t t r ibut e

I m por t I m por t I m por t I m por t I m por t I m por t I m por t I m por t I m por t I m por t Ex por t Ex por t Ex por t Ex por t Ex por t Ex por t Ex por t Ex por t Ex por t Ex por t
a. b. c. d.

Account Nam e Com pany DisplayNam e Dom ain Em ployeeI D Em ployeeTy pe Ex pect edRulesList Fir st Nam e Last Nam e Manager Account Nam e Com pany DisplayNam e Dom ain Em ployeeI D Em ployeeTy pe Fir st Nam e Last Nam e Manager Obj ect SI D

account Nam e com pany displayNam e dom ain em ployeeI D em ployeeTy pe ex pect edRulesList fir st Nam e last Nam e m anager account Nam e com pany displayNam e dom ain em ployeeI D em ployeeTy pe fir st Nam e last Nam e m anager obj ect Sid

Select Pe r son as t he D a t a sou r ce obj e ct t ype . Select pe r son as t he M e t a ver se obj e ct t ype . Select D ir e ct as t he M a pping Type . For each row in t he prev ious t able, com plet e t he follow ing st eps: a. b. c. d. Select t he Flow D ir e ct ion show n for t hat row in t he t able. Select t he D a t a sou r ce a t t r ibut e show n for t hat r ow in t he t able. Select t he m e t a ve r se a t t r ibu t e show n for t hat row in t he t able. To apply t he flow m apping, click N e w .

9. 10.

On t he Con figu r e D e pr ovisionin g page, click N e x t . To creat e t he m anagem ent agent , on t he Configur e Ex t e nsions page, click Fin ish .

Cr e a t in g t h e Fa br ik a m AD M A
The Fabrikam ADMA is a m anagem ent agent for AD DS. To cr eat e t his m anagem ent agent , you use t he Creat e Managem ent Agent w izar d. To cr e a t e t h e Fa br ik a m AD M A 1. 2. To open t he Creat e Managem ent Agent w izar d, on t he Act ions m enu, click Cr e a t e . On t he Cr e a t e M a na ge m e nt Age nt page, provide t he follow ing set t ings, and t hen click N e x t : M a na ge m en t a ge n t f or : Act ive Direct or y Dom ain Ser vices N a m e : Fabrikam ADMA 3. On t he Con ne ct t o Act ive D ir e ct or y For est page, pr ovide t he follow ing set t ings, and t hen click N e x t :

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 6 of 20

For e st n a m e : fabr ikam .com U se r na m e : adm inist r at or Pa ssw or d : < t he account s passw or d> D om a in : fabrik am 4. On t he Con figu r e D ir e ct or y Pa r t it ion s page, provide t he following set t ings, and t hen click N ex t : a. b. c. d. e. 5. 6. I n t he Se lect dir e ct or y pa r t it ion s list , select D C= Fa br ik a m , D C= com . To open t he Se le ct Cont a ine r s dialog box, click Cont a in er s. To cancel t he select ion of all select ed nodes, click t he D C= Fa br ik a m ,D C= com node. Click t he FI M Obj e ct s node. To close t he Se le ct Cont a ine r s dialog box, click OK.

On t he Con figu r e Pr ovision ing H ier a r chy page, click N e x t . On t he Se le ct Obj e ct Types page, pr ovide t he follow ing set t ings, and t hen click N e x t : I n t he Obj e ct t ype s list , select use r .

7.

On t he Se le ct At t r ibu t e s page, pr ovide t he follow ing set t ings, and t hen click N e x t : Select Show All. I n t he At t r ibut e s list , select t he follow ing at t ribut es: com pa ny displa yn a m e e m ploye e I D e m ploye e Type giv en N a m e m a n a ger obj e ct Sid sAM Accoun t N a m e sn un icode Pw d use r Accoun t Cont r ol

8. 9. 10. 11. 12.

On t he Con figu r e Conne ct or Filt e r page, click N ex t . On t he Con figu r e Join a nd Pr oj e ct ion Rue s page, click N e x t . On t he Con figu r e At t r ibut e Flow page, click N e x t . On t he Con figu r e D e pr ovisionin g page, click N e x t . On t he Con figu r e Ex t e n sions page, click Finish .

Cr e a t in g r u n pr ofiles This t opic provides inst ruct ions for creat ing and configur ing t he required run profiles.

Cr e a t in g r u n pr of ile s f or t h e Fa br ik a m H RM A m a na ge m e nt a ge n t
Before you can st ar t w it h t he configur at ion of t he r un pr ofiles for t his m anagem ent agent , you need t o copy t he im port dat a file you have already creat ed in a prev ious sect ion int o t he m anagem ent agent s dat a folder . To copy t h e m a n a ge m e nt a gen t s da t a file 1. 2. Open t he Ru n com m and dialog box. I n t he Ope n t ext box, t ype copy " C:\ H RD a t a .t x t " " % pr ogr a m f ile s% \ M icr osoft For ef r ont I de n t it y M a n a ge r \ 2 0 1 0 \ Syn ch r oniz a t ion Se r vice \ M a D a t a \ Fa br ik a m H RM A " .

The follow ing t able show s t he run profiles you cr eat e for t he Fabrikam HRMA :

Pr of ile

Run pr of ile n a m e

St ep t ype

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 7 of 20

Profile 1 Profile 2

Full I m port Full Synchr onizat ion

Full I m port ( St age Only) Full Sy nchr onizat ion

To cr e a t e r u n pr ofile s for t h e Fa br ik a m H RM A m a na ge m en t a ge n t 1. 2. 3. 4. 5. 6. 7. 8. 9. 10. 11. 12. 13. I n FI M 2010, open t he Synch r oniza t ion Se r vice M a n a ge r and, in t he Tools m enu, click M a na ge m e n t Age nt s. I n t he m a na ge m e nt a ge nt list , click Fa br ik a m H RM A. To open t he Con figur e Run Pr ofile s for dialog box , on t he Act ions m enu, click Conf igu r e Ru n Pr ofile s. To open t he Configure Run Profile w izard, click N ew Pr of ile . I n t he N a m e t ext box, t ype Full I m por t , and t hen click N e x t . I n t he Type list , click Fu ll I m por t ( St a ge On ly) , and t hen click N e x t . I n t he I nput file nam e t ext box, t ype H RD a t a .t x t . To creat e t he run profile, click Finish . To open t he Configure Run Profile w izard, click N ew Pr of ile . I n t he N a m e box, t ype Full Syn chr on iza t ion , and t hen click N e x t . I n t he Type list , select Full Synchr oniza t ion , and t hen click N e x t . To creat e t he run profile, click Finish . To close t he Configur e Run Pr of ile s dialog box, click OK.

Cr e a t in g r u n pr of ile s f or t h e Fa br ik a m AD M A m a na ge m e nt a ge n t
The follow ing t able list s t he r un pr ofiles you creat e for t he Fabr ikam ADMA m anagem ent agent :

Pr ofile

Run pr ofile na m e

St ep t ype

Profile1 Profile2 Profile3 Profile4 Profile5

Full I m por t Full Synchr onizat ion Delt a I m port Delt a Synchr onizat ion Ex por t

Full I m por t ( St age Only ) Full Sy nchronizat ion Delt a I m por t ( St age Only) Delt a Synchr onizat ion Expor t

To cr e a t e r u n pr ofile s for t h e Fa br ik a m AD M A m a n a ge m e nt a ge nt 1. 2. 3. 4. I n FI M 2010, open t he Synch r oniza t ion Se r vice M a n a ge r and, on t he Tools m enu, click M a n a ge m e nt Age n t s. I n t he M a na ge m e nt Age nt s list , select Fa br ik a m AD M A. To open t he Con figur e Run Pr ofile s for dialog box , on t he Act ions m enu, click Conf igu r e Ru n Pr ofile s. For each r un pr ofile in t he t able im m ediat ely above t his procedure, com plet e t he follow ing st eps: a. b. c. d. 5. To open t he Configur e Run Pr ofile w izard, click N e w Pr ofile . I n t he N a m e box, t ype t he pr ofile nam e show n in t he t able, and click N e x t . I n t he Type list , select t he st ep t ype show n in t he t able, and t hen click N ex t . Click Fin ish t o creat e t he r un pr ofile.

To close t he Configur e Run Pr of ile s dialog box, click OK.

Cr e a t in g r u n pr of ile s f or t h e Fa br ik a m FI M M A m a n a ge m e nt a ge nt
The follow ing t able list s t he r un pr ofiles you creat e for t he Fabr ikam FI MMA m anagem ent agent :

Pr ofile

Run pr ofile na m e

St ep t ype

Profile1 Profile2 Profile3 Profile4

Full I m por t Full Synchr onizat ion Delt a I m port Delt a Synchr onizat ion

Full I m por t ( St age Only ) Full Sy nchronizat ion Delt a I m por t ( St age Only) Delt a Synchr onizat ion

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 8 of 20

Profile5

Ex por t

Expor t

To cr e a t e r u n pr ofile s for t h e Fa br ik a m FI M M A m a na ge m e nt a ge nt 1. 2. 3. 4. I n FI M 2010, open Syn chr oniz a t ion Se r vice M a na ge r and, on t he Tools m enu, click M a na ge m e n t Age nt s. I n t he m a na ge m e nt a ge nt list , select Fa br ik a m FI M M A. To open t he Con figur e Run Pr ofile s for dialog box , on t he Act ions m enu, click Conf igu r e Ru n Pr ofile s. For each r un pr ofile in t he t able im m ediat ely above t his procedure, com plet e t he follow ing st eps: a. b. c. d. 5. To open t he Configur e Run Pr ofile w izard, click N e w Pr ofile . I n t he N a m e box, t ype t he pr ofile nam e show n in t he t able, and t hen click N e x t . I n t he Type list , click t he st ep t y pe show n in t he t able, and t hen click N e x t . To cr eat e t he r un pr ofile, click Finish .

To close t he Configur e Run Pr of ile s dialog box, click OK.

Con figu r in g t he FI M Ser vice For t he scenar io in t his docum ent you perform t he follow ing configurat ion st eps in t he FI M Service: 1. 2. Cr eat ing t he HR user inbound synchr onizat ion rule Cr eat ing t he Act ive Dir ect ory user pr ov isioning policy

Cr e a t in g t h e H R user in bou nd syn ch r oniz a t ion r ule The obj ect ive of t he HR user inbound synchronizat ion r ule is t o populat e t he FI M ser vice w it h dat a fr om t he HR dat a file. The follow ing t able shows t he configurat ion of t his synchronizat ion r ule.

To configure t he HR inbound synchronizat ion r ule, you use t he relat ed w izard pages. To cr e a t e t h e H R u se r inboun d sy nchr on iza t ion r u le 1. 2. 3. 4. On t he FI M port al hom e page, on t he navigat ion bar , click Adm inist r a t ion . To open t he Synchr oniza t ion Rule s page, click Syn chr on iza t ion Ru les. To open t he Creat e Sy nchr onizat ion Rule w izard, in t he t oolbar , click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : D ispla y N a m e : HR User I nbound Sy nchr onizat ion Rule D a t a Flow D ir e ct ion : I nbound 5. On t he Scope t ab, provide t he follow ing inform at ion, and t hen click N ex t : M e t a ve r se Re sour ce Type : person

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sources ... Page 9 of 20

Ex t e r na l Syst e m : Fabrikam HRMA Ex t e r na l Syst e m Re sou r ce Type : per son 6. On t he Re la t ionsh ip t ab, pr ovide t he follow ing infor m at ion, and t hen click N e x t : To configure t he Re la t ionship Cr it e r ia , select e m ploye e I D fr om t he M e t a ve r se Obj e ct :pe r son ( At t r ibut e ) list and Em ploye e I D fr om t he Conne ct e dSyst e m Obj e ct :pe r son( At t r ibut e ) list . Select Cr ea t e Re sou r ce I n FI M . 7. On t he I nboun d At t r ibut e Flow page, pr ov ide t he follow ing infor m at ion, and t hen click N e x t :

Flow r u le

Sou r ce

D e st ina t ion

Rule 1 Rule 2 Rule 3 Rule 4 Rule 5 Rule 6 Rule 7


a.

Com pany Em ployeeI D Em ployeeTy pe First Nam e Last Nam e Manager User I D

com pany em ploy eeI D em ploy eeType fir st Nam e last Nam e m anager account Nam e

For each row in t he prev ious t able, perform t he follow ing st eps: a. b. c. d. e. To open t he Flow D e fin it ion dialog box, click N e w At t r ibut e Flow . On t he Sour ce t ab, select t he at t ribut e show n for t hat row in t he t able. On t he D e st ina t ion t ab, select t he at t r ibut e show n for t hat r ow in t he t able. To apply t he at t ribut e flow configurat ion, click OK. To set t he displa yN a m e at t r ibut e, perfor m t he follow ing st eps: a. b. c. d. e. f. g. h. i. To open t he Flow D e finit ion dialog box , click N e w At t r ibut e Flow . On t he Sour ce t ab, in t he a t t r ibu t e s list , select Fir st N a m e . Click Con ca t en a t e V a lue . I n t he a t t r ibut e s list , select St r ing . I n t he t ext box, t y pe a space. Click Con ca t en a t e V a lue . I n t he a t t r ibut e s list , select La st N a m e . On t he D e st ina t ion t ab, in t he a t t r ibut e s list , select displa yN a m e . To apply t he at t r ibut e flow configur at ion, click OK.

8.

On t he Su m m a r y t ab, click Su bm it .

Cr e a t in g t h e Act ive D ir e ct or y pr ovisionin g policy The Act ive Dir ect ory users in t he scenar io of t his docum ent originat e in t he HR dat a file. Because of t his, you have an out bound facing obj ect and at t ribut e flow from t he m et av erse t o t he Act ive Direct or y connect or space. For an out bound facing synchronizat ion oper at ion, an out bound synchr onizat ion rule needs t o be linked t o all affect ed obj ect s. I n FI M, w orkflow s ar e used t o add or rem ove m anaged obj ect s from t he scope of an out bound synchronizat ion r ule. A t hird com ponent , a Managem ent Policy Rule ( MPR) , is required t o det er m ine w hen a Workflow needs t o be act ivat ed. The com binat ion of an out bound synchronizat ion r ule, a Workflow , and a MPR t hat is used t o add or r em ove a m anaged obj ect fr om t he scope of an out bound synchronizat ion r ule is know n as t he provisioning policy . The follow ing illust r at ion out lines t he dependencies of t he pr ovisioning policy com ponent s:

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 10 of 20

Creat ing t he Act ive Direct or y provisioning policy consist s of t he follow ing building blocks:

Creat ing t he Act iv e Directory user sy nchronizat ion r ule

Creat ing t he Act iv e Directory prov isioning wor k flow

Creat ing t he All Cont ract or s and FTEs Set

Creat ing t he Act iv e Directory m anagem ent policy r ule

Tip

When you are done configur ing y our provisioning policy , you can run Using Power Shell t o docum ent y our pr ovisioning policy configurat ion [ ht t p: / / go.m icr osoft .com / fw link/ ?LinkI d= 188273 ] t o t est t he accur acy of y our configur at ion.

The follow ing illust r at ion show s t he result of r unning t he scr ipt t o docum ent your synchronizat ion policy configurat ion.

Cr e a t in g t h e Act iv e D ir e ct or y use r sy nch r oniz a t ion r u le


You can enable t he scenario user s t o access t he FI M port al by populat ing t he dom ain and t he secur it y ident ifier ( SI D) at t r ibut e on an FI M user obj ect . The dom ain and t he SI D at t r ibut e are cont r ibut ed by your AD DS. This is w hy t he synchr onizat ion rule t hat is used t o m anage t he user obj ect s in t his scenario is a com binat ion of an inbound and an out bound synchr onizat ion rule. The follow ing t able show s t he configurat ion of t his synchr onizat ion rule.

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 11 of 20

To configure t he Act ive Direct ory synchr onizat ion rule, you use t he relat ed w izard pages. To cr e a t e t h e Act ive D ir ect or y u se r synch r oniz a t ion r ule 1. 2. 3. On t he FI M Port al hom e page, click Adm inist r a t ion , and t hen select Synchr oniza t ion Rule s. To open t he Creat e Sy nchr onizat ion Rules w izar d, click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : D ispla y N a m e : Act ive Direct or y User Synchronizat ion Rule D a t a Flow D ir e ct ion : I nbound and Out bound 4. On t he Scope t ab, provide t he follow ing inform at ion, and t hen click N ex t : M e t a ve r se Re sour ce Type : person Ex t e r na l Syst e m : Fabrikam ADMA Ex t e r na l Syst e m Re sou r ce Type : user 5. On t he Re la t ionsh ip t ab, pr ovide t he follow ing infor m at ion, and t hen click N e x t : a. Re la t ionsh ip Cr it e r ia : Met av erseObj ect : person( At t ribut e) : em ployeeI D Connect edSyst em Obj ect : per son( At t r ibut e) : em ployee I D b. 6. 7. Cr e a t e Re sour ce in Ex t e r na l Syst e m : select ed

On t he W or k flow Pa r a m e t e r s t ab, click N ex t . On t he Out boun d At t r ibut e Flow t ab, provide t he follow ing inform at ion, and t hen click N e x t :

Sou r ce

D e st ina t ion

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 12 of 20

account Nam e com pany displayNam e em ployeeI D em ployeeTy pe first Nam e last Nam e m anager
a.

sAMAccount Nam e com pany displayNam e em ployeeI D em ployeeTy pe giv enNam e sn m anager

For each row in t he prev ious t able, perform t he follow ing st eps: a. b. c. d. e. To open t he Flow D e fin it ion dialog box, click N e w At t r ibut e Flow . On t he Sour ce t ab, select t he at t ribut e show n for t hat row in t he t able. On t he D e st ina t ion t ab, select t he at t r ibut e show n for t hat r ow in t he t able. To apply t he at t ribut e flow configurat ion, click OK.

b.

To set t he D N at t r ibut e flow , perfor m t he follow ing st eps: a. b. c. d. e. f. g. h. i. To open t he Flow D e fin it ion dialog box, click N e w At t r ibut e Flow . On t he Sour ce t ab, in t he at t r ibut es list , select St r ing , and t hen in t he associat ed t ext box, t ype CN = . Click Conca t e na t e V a lu e . I n t he at t ribut es list , select displa yN a m e Click Conca t e na t e V a lu e . I n t he at t ribut es list , select St r ing . I n t he t ext box, t ype ,OU = FI M Obj e ct s,D C= Fa br ik a m ,D C= com . On t he D e st ina t ion t ab, in t he at t ribut es list , select dn . To apply t he at t ribut e flow configurat ion, click OK.

c.

To set an init ial passw ord, per for m t he follow ing st eps: a. b. c. d. To open t he Flow D e fin it ion dialog box, click N e w At t r ibut e Flow . On t he Sour ce t ab, in t he at t r ibut es list , select St r ing , and t hen in t he associat ed t ext box, t ype P@ssW 0 r d . On t he D e st ina t ion t ab, in t he D e st in a t ion list , select u nicode Pw d. To apply t he at t ribut e flow configurat ion, click OK.

d.

To set t he u se r Accou nt Cont r ol at t ribut e, perfor m t he follow ing st eps: a. b. c. d. To open t he Flow D e fin it ion dialog box, and t hen click N e w At t r ibu t e Flow . On t he Sour ce t ab, in t he at t r ibut es list , select N um be r , and t he t ype 5 1 2 in t he associat ed t ext box. On t he D e st ina t ion t ab, in t he D e st in a t ion list , select u se r Accou nt Con t r ol list . To apply t he at t ribut e flow configurat ion, click OK.

e.

Select I nit ia l Flow On ly for t he follow ing flow s: CN= + first Nam e+ + last Nam e+ ,OU= FI MObj ect s,DC= Fabr ikam ,DC= com = > dn 512= > userAccount Cont rol P@ssW0rd = > unicodePw d

8.

On t he I nboun d At t r ibut e Flow t ab, provide t he following infor m at ion, and t he click Fin ish . a. b. c. d. e. f. To open t he Flow D e finit ion dialog box , click N e w At t r ibut e Flow . On t he Sour ce t ab, in t he at t ribut es list , select obj e ct Sid . On t he D e st ina t ion t ab, in t he D e st ina t ion list , select obj e ct Sid. To apply t he at t r ibut e flow configur at ion, click OK. To open t he Flow D e finit ion dialog box , click N e w At t r ibut e Flow .

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 13 of 20

g. h. 9.

On t he Sour ce t ab, in t he at t ribut es list , select St r in g, and t hen t ype FABRI KAM in t he associat ed t ext box. On t he D e st ina t ion t ab, in t he D e st ina t ion list , select dom a in .

On t he Su m m a r y t ab, click Su bm it .

Cr e a t in g t h e Act iv e D ir e ct or y pr ov isionin g w or k flow


The obj ect ive of t he Act ive Direct or y provisioning w orkflow is t o br ing user obj ect s int o t he scope of t he Act ive Dir ect ory user synchronizat ion r ule. The follow ing t able show s t he configurat ion of t he w or kflow .

To configure t he Act ive Direct ory provisioning w orkflow , you use t he relat ed w izard pages. To cr e a t e t h e Act ive D ir ect or y pr ovision ing w or k f low 1. 2. 3. On t he FI M Port al hom e page, in t he M a na ge m en t Policy Rule s sect ion of t he navigat ion bar, click W or k f low s t o open t he W or k flow s page. To open t he Creat e Wor kflow w izar d, on t he t oolbar , click N ew . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : W or k flow N a m e : Act ive Direct or y Provisioning Workflow W or k flow Type : Act ion 4. On t he Act ivit ies t ab, per for m t he follow ing st eps, and t hen click N e x t : a. b. c. d. 5. I n t he Act ivit y Pick er , select Syn ch r oniz a t ion Rule Act ivit y , and t hen click Se le ct . I n t he Synch r oniza t ion Rule s list , select Act ive D ir e ct or y U se r Syn chr on iza t ion Ru le . I n t he Act ion Sele ct ion opt ions, select Add. Click Sa ve .

On t he Su m m a r y t ab, click Su bm it .

Cr e a t in g t h e All Cont r a ct or s a nd FTEs Se t


One opt ion t o t r igger an MPR is t o use a m em ber ship change in a Set . For t he scenar io in t his docum ent , all users t hat becom e a m em ber of t he AD Cont ract ors and FTE Set are supposed t o be brought int o t he scope of t he Act ive Direct or y synchr onizat ion rule. The follow ing illust r at ion show s t he filt er st at em ent of t his Set .

To configure t he AD Cont ract ors and FTEs Set , you use t he r elat ed w izar d pages. To cr e a t e t h e AD Cont r a ct or s a n d FTEs Se t 1. 2. 3. To open t he Se t s page, in t he M a n a ge m e nt Policy Ru les sect ion on t he navigat ion bar, click Se t s. To open t he Creat e Set w izar d, on t he t oolbar, click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : D ispla y N a m e : AD Cont ract ors and FTEs 4. On t he Cr it e r ia - ba se d M e m be r s page, pr ovide t he follow ing inform at ion, and t hen click N e x t : a. b. Select En a ble cr it e r ia - ba se d m e m be r ship in cur r e nt se t . I n t he select st at em ent , click a ll r e sou r ce s, and t hen fr om t he resources list , select use r .

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 14 of 20

c. d. e. f. g. h. i. 5. 6.

I n t he select st at em ent , click a ll, and t hen from t he m at ch list , select a ny . Click Add St a t em e nt . Click < Click t o se lect a t t r ibut e > , and t hen fr om t he at t r ibut es list , select Em ploye e Type . Click < click t o se le ct va lu e> , and t hen in t he t ext box , t ype Con t r a ct or . Click Add St a t em e nt . Click < Click t o se lect a t t r ibut e > , and t hen fr om t he at t r ibut es list , select Em ploye e Type . Click < click t o se le ct va lu e> , and t hen in t he t ext box, t ype Full Tim e Em ploye e .

On t he M a nu a lly - m a na ge d M e m be r s t ab, click N e x t . On t he Su m m a r y t ab, click Su bm it .

Cr e a t in g t h e Act iv e D ir e ct or y Pr ov isionin g M a n a ge m e n t Policy Rule


The obj ect ive of t he Act ive Direct or y Provisioning Managem ent Policy Rule is t o bring obj ect s t hat have t ransit ioned int o t he All Cont ract or s and FTEs Set int o t he scope of t he Act ive Dir ect ory User Sy nchr onizat ion Rule by invoking t he Act ive Direct or y Provisioning Workflow . The follow ing t able show s t he configurat ion of t he MPR.

To configure t he Managem ent Policy, you use t he r elat ed w izard pages. To cr e a t e t h e Act ive D ir ect or y Pr ovision in g M a n a ge m e nt Policy Ru le 1. 2. 3. To open t he M a n a ge m e nt Policy Ru le s page, on t he FI M Por t al hom e page, in t he navigat ion bar , click M a na ge m e n t Policy Ru le s . To open t he Cr e a t e M a na ge m e n t Policy Rule w izard, on t he t oolbar, click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : D ispla y N a m e : Act ive Direct or y Provisioning Managem ent Policy Rule Type : Set Transit ion 4. On t he Tr a nsit ion D e fin it ion t ab, perfor m t he follow ing st eps, and t hen click N ex t : Tr a n sit ion Se t : All Cont ract or s and FTEs Tr a n sit ion Type : Transit ion I n 5. On t he Policy W or k flow s t ab, perfor m t he follow ing st eps, and t hen click Fin ish : I n t he Act ion W or k flow s list , select Act ive D ir e ct or y Pr ovisionin g W or k flow . 6. On t he Su m m a r y t ab, click Su bm it .

I n it ia lizin g t h e t e st ing e nvir on m e n t Before you can t est your configurat ion w it h t est dat a, you need t o init ialize t he configurat ion. The follow ing st eps are par t of t his pr ocess: Enabling pr ov isioning I nit ializing t he Fabrikam FI MMA Configur ing at t r ibut e flow pr ecedence I nit ializing t he Fabrikam ADMA At t he end of t he init ializat ion phase, t he Act ive Direct or y User Synchronizat ion Rule and t he HR User I nbound Synchr onizat ion Rule are proj ect ed int o t he m et averse. To ver ify t his, you should per form a m et averse sear ch. The follow ing illust rat ion show s an exam ple for t his.

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 15 of 20

En a b lin g p r ovisionin g

For t he scenario in t his docum ent , you need t o ensure t hat pr ovisioning is enabled.
To e n a b le pr ovisioning 1. 2. 3. 4. I n FI M, open t he Synch r oniza t ion Se r vice M a n a ge r . To open t he Opt ions dialog box, on t he Tools m enu, click Opt ions. Select Ena ble Synch r oniza t ion Rule Pr ov isioning . To close t he Opt ions dialog box, click OK.

I n it ia lizin g t h e Fa br ik a m FI M M A To init ialize t he Fabr ikam FI MMA, you need t o run a com plet e sy nchr onizat ion cycle on t his m anagem ent agent . The com plet e cycle consist s of t he follow ing run profile r uns:

St e p

Run pr ofile n a m e

1 2 3 4

Full I m port Full Sy nchr onizat ion Export Delt a I m por t

To in it ia lize t he Fa br ik a m FI M M A 1. 2. 3. 4. Open t he Sy nchr on iza t ion Ser v ice M a na ge r and on t he Tools m enu, click M a na ge m e n t Age nt s. I n t he M a na ge m e nt Age nt s list , select Fa br ik a m FI M M A To open t he Ru n M a na ge m e n t Age nt dialog box, on t he Act ion s m enu, click Run . For each r ow in t he t able im m ediat ely above t his pr ocedur e, com plet e t he follow ing st eps: a. b. 5. To open t he Run M a n a gem e nt Age n t dialog box, on t he Act ions m enu, click Ru n . I n t he Run pr ofile s list , select t he r un pr ofile show n for t hat r ow in t he t able.

To st art t he run profile, click OK.

Con figu r in g a t t r ibu t e f low pr e ce de nce During t he init ializat ion of t he FI M m anagem ent agent , t he t w o configur ed synchr onizat ion rules have been brought int o t he m et averse. Since t he sam ple HR dat a sour ce is aut hor it at ive for cert ain at t r ibut es, you need t o adj ust t he at t ribut e flow precedence for t he at t r ibut es cont r ibut ed by t his m anagem ent agent t o ensur e t hat t hese at t ribut es can flow int o t he m et averse and lat er also int o t he FI M dat a st ore. The follow ing illust r at ion show s an ex am ple for t he corr ect configurat ion of t he account Nam e and t he com pany at t ribut es.

The follow ing t able list s t he affect ed at t r ibut es

St e p

At t r ibut e na m e

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 16 of 20

1 2 3 4 5 6 7 8

account Nam e com pany displayNam e em ployeeI D em ployeeTy pe fir st Nam e last Nam e m anager

To con fig u r e t h e a t t r ibut e flow pr e ce den ce 1. 2. 3. I n Syn chr oniza t ion Se r vice M a n a ge r , in t he Tools m enu, click M e t a ve r se D e signe r . I n t he Obj e ct t ype s list , click pe r son . For each r ow in t he t able im m ediat ely above t his pr ocedur e, com plet e t he follow ing st eps: a. b. c. d. I n t he At t r ibut e s list , click t he at t r ibut e show n for t hat r ow in t he t able. To open t he Configur e At t r ibut e Flow Pr e cede nce dialog box, on t he Act ion s m enu, click Configur e At t r ibu t e Flow Pr e ce de nce . Move your Fa br ik a m H RM A t o t he t op of t he list . To close t he Conf igu r e At t r ibut e Flow Pr e ce de nce dialog box, click OK.

I m port an t

Aft er changing t he at t r ibut e flow pr ecedence, y ou should r un a full synchr onizat ion r un on the Fa b r ik a m FI M M A.
I n it ia lizin g t h e Fa br ik a m AD M A To init ialize t he Act ive Direct or y m anagem ent agent , you need t o run a full im port and a full synchr onizat ion on it . The full im port is required t o bring t he or ganizat ional unit FI MObj ect s t hat is used as t ar get for t he sam ple obj ect s int o t he connect or space. The full synchronizat ion is r equired because t he synchronizat ion r ules have changed by pr oj ect ing t he new sy nchr onizat ion rules fr om t he FI M connect or space int o t he m et averse.

St e p

Run pr ofile n a m e

1 2

Full I m port Full Sy nchr onizat ion

To in it ia lize t he Fa br ik a m AD M A 1. 2. 3. 4. Open t he Sy nchr on iza t ion Ser v ice M a na ge r and in t he Tools m enu, click M a n a gem e nt Agen t s. I n t he M a na ge m e nt Age nt s list , select Fa br ik a m AD M A. To open t he Ru n M a na ge m e n t Age nt dialog box, on t he Act ion s m enu, click Run . For each r ow in t he t able im m ediat ely above t his pr ocedur e, com plet e t he follow ing st eps: a. b. 5. To open t he Run M a n a gem e nt Age n t dialog box, on t he Act ions m enu, click Ru n . I n t he Run pr ofile s list , select t he r un pr ofile show n for t hat r ow in t he t able.

To st art t he run profile, click OK.

Te st in g t h e configur a t ion To t est t he configurat ion, you creat e som e t est user s in t he FI M Port al, process t he sam ple obj ect s from t he HR dat a file, and, finally , you process all sam ple obj ect s in t he FI M Por t al t o AD DS. Cr e a t in g sa m ple user obj e ct s in t h e FI M Por t a l To cr eat e t he sam ple users in t he FI M Por t al, you use t he r elat ed w izar d pages. The follow ing t able show s t he sam ple user configur at ion:

At t r ibut e

Use r 1

Use r 2

First Nam e Last Nam e

Brit t a Sim on

Jossef Goldber g

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 17 of 20

Display Nam e Account Nam e Em ploy ee Ty pe Em ploy ee I D


To cr e a t e sa m ple use r s in t h e FI M Por t a l 1. 2. 3. 4.

Brit t a Sim on bsim on Cont r actor 13

Jossef Goldberg j goldber g Cont r act or 14

To open t he FI M Port al, st art I nt ernet Explorer, and t hen navigat e t o ht t p: / / localhost / ident it ym anagem ent / default .aspx. To open t he U se r s page, in t he navigat ion bar , click U se r s. To open t he Cr e a t e U se r w izard, on t he t oolbar , click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : Fir st N a m e : Brit t a La st N a m e : Sim on D ispla y N a m e : Brit t a Sim on Accoun t N a m e : bsim on D om a in : Fabrik am

5.

On t he W or k I n fo t ab, provide t he follow ing inform at ion, and t hen click Fin ish : Em ploye e Type : Cont ract or Em ploye e I D : 13

6. 7. 8.

On t he Su m m a r y t ab, click Su bm it : To open t he Creat e User w izard, on t he t oolbar, click N e w . On t he Ge ne r a l t ab, provide t he follow ing inform at ion, and t hen click N ex t : Fir st N a m e : Jossef La st N a m e : Goldberg D ispla y N a m e : Jossef Goldber g Accoun t N a m e : j goldberg D om a in : Fabrik am

9.

On t he W or k I n fo t ab, provide t he follow ing inform at ion, and t hen click Fin ish : Em ploye e Type : Cont ract or Em ploye e I D : 14

10.

On t he Su m m a r y t ab, click Su bm it :

Aft er creat ing t he new sam ple user s, you should verify w het her bot h users have t he pot ent ial t o be pr ovisioned t o t he Act ive Direct ory dat a source. The verificat ion consist s of t w o st eps: Checking t he Set m em ber ship Checking t he pr ovisioning st at e Ch e ck in g t h e Se t m e m be r sh ip The Act ive Dir ect ory out bound m anagem ent policy is t riggered by a change of t he Set m em bership. For new ly creat ed user s, only t he condit ion specified under Condit ion Aft er is r elevant . To be able t o be event ually provisioned t o AD DS, t he user m ust be a m em ber of t he All Cont r act or s and FTEs et . To ch e ck t h e Se t m em be r ship 1. 2. 3. 4. 5. To open t he Se t s page, in t he M a n a ge m e nt Policy Ru les sect ion of t he navigat ion bar , click Se t s. I n t he D ispla y N a m e list , click All Cont r a ct or s a nd FTEs. On t he Cr it e r ia - ba se d M e m be r s t ab, click V ie w M e m be r s. Verify t hat Br it t a Goldbe r g and Josse f Goldbe r g are list ed. Close t he dialog box.

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 18 of 20

Ch e ck in g t h e pr ovision ing st a t e The m em bership in t he All Cont r act or s and FTEs Set t rigger s t he process t hat associat es a sam ple obj ect w it h t he Act ive Direct or y out bound sy nchr onizat ion rule. I f t his pr ocess has run successfully, an ent ry is added t o t he user s Ex pe ct e d Rule s List at t ribut e. You can v erify t he provisioning st at e of a user, by rev iew ing t he Expect ed Rules List at t r ibut e of t he obj ect . The follow ing illust r at ion show s an exam ple for t his.

To ch e ck t h e pr ovisionin g st a t e 1. 2. 3. 4. 5. 6. To open t he U se r s page, in t he navigat ion bar , click U se r s. To display all user s, click t he Sea r ch for but t on. I n t he D ispla y N a m e list , select Br it t a Sim on . To open t he D e t a ils dialog box, on t he t oolbar, click D e t a ils. On t he Pr ovisionin g t ab, verify t hat AD Out boun d Sy nchr on iza t ion Ru le is list ed under Ex pe ct e d Ru le s List . Close t he D e t a ils dialog box.

Pr ocessin g t h e sa m ple obj e ct s in t he H R da t a f ile The obj ect ive of t his st ep is t o bring t he obj ect s in t he HR dat a file int o t he FI M Port al. To accom plish t his, you r un t he follow ing run profiles:

St e p

M a n a ge m e nt Age n t

Run Pr of ile

1 2 3

Fabr ik am HRMA Fabr ik am HRMA Fabr ik am FI MMA

Full I m port Full Sy nchr onizat ion Export

You should ver ify aft er each run profile run w het her your scenar io w or ks as expect ed. The first st ep in t his verificat ion pr ocess is t o review t he synchronizat ion st at ist ics. Aft er t he im port on t he Fabrikam HRMA, t hr ee new ly st aged obj ect s are r epor t ed by t he synchronizat ion st at ist ics. The follow ing illust rat ion shows an exam ple for t his.

I n addit ion t o rev iew ing t he synchronizat ion st at ist ics, you should also perfor m a connect or space search t o verify t hat your obj ect s have t he expect ed at t ribut e values. During t he follow ing sy nchr onizat ion run, t hese t hr ee obj ect s are proj ect ed int o t he m et averse and also provisioned int o t he connect or space of t he Fabrikam FI MMA. The follow ing illust r at ion show s an ex am ple of t he r elat ed synchr onizat ion st at ist ics.

Tip

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 19 of 20

Before running an export r un profile, it is a good pr act ice t o ver ify w het her y ou have st aged ex por t oper at ions on a m anagem ent agent . You can do t his by running Using Pow er Shell t o display t he export st at e of a m anagem ent agent [ ht t p: / / go.m icr osoft .com / fw link / ?LinkI d= 188276 ]

When you run t he scr ipt t hat displays t he export st at e of a m anagem ent agent , t hree Adds sh ould be repor t ed. The follow ing illust r at ion shows an exam ple for t his.

To p r ocess t h e sa m ple obj e ct s in t he H R da t a f ile 1. 2. Open Synch r oniza t ion Se r vice M a n a ger and, in t he Tools m enu, click M a na ge m e n t Age nt s. For each r ow in t he t able im m ediat ely above t his pr ocedur e, com plet e t he follow ing st eps: a. b. c. Select t he m anagem ent agent show n for t hat row in t he t able. To open t he Run M a n a gem e nt Age n t dialog box, on t he Act ions m enu, click Ru n . I n t he Run pr ofile s list , select t he r un pr ofile show n for t hat r ow in t he t able, and t hen click OK t o st ar t it .

Pr ocessin g t h e sa m ple obj e ct s in t he FI M Por t a l The obj ect ive of t he last t est ing phase is t o publish all sam ple obj ect s in AD DS. You should ver ify w het her t he obj ect s you have im port ed from your HR syst em fulfill t he pr erequisit es t o be provisioned t o AD DS. As first st ep, you should rev iew t he m em ber ship in t he All Cont r act or s and FTEs Set . The follow ing illust r at ion show s an ex am ple for t his.

I n addit ion t o t his, you should review t he Expect ed Rules List at t ribut e values of t he new user obj ect s. I f t he Expect ed Rules List at t r ibut e has been populat ed w it h t he right value, you are ready t o provision your sam ple obj ect s t o AD DS. During t he synchronizat ion r un on your Fabr ikam FI MMA, five new obj ect s ar e provisioned t o t he connect or space of t he Fabrik am FI MM. The follow ing illust rat ion show s an exam ple for t his.

To confirm t he report of t he synchronizat ion st at ist ics, you can run t he scr ipt t hat list s t he pending expor t s on your Fabr ikam ADMA. The follow ing illust rat ion show s an exam ple for t his.

During an export run profile run on your Fabrikam ADMA, t he five sam ple users ar e creat ed in AD DS. You should verify t his by looking at t he cont ent of t he FI MObj ect s organizat ional unit . The follow ing illust rat ion show s an exam ple for t his.

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011

Introduction to Publishing To Active Directory from Two Authoritative Data Sourc... Page 20 of 20

To pr ovision your sam ple obj ect s t o AD DS, you r un a sequence of r un pr ofiles. The follow ing t able list s t he required run profiles for t his phase:

St e p

M a n a gem e nt a ge nt

Ru n pr ofile

1 2 3 4

Fabrikam FI MMA Fabrikam FI MMA Fabrikam ADMA Fabrikam ADMA

Delt a I m por t Full Sy nchronizat ion Expor t Delt a I m por t

To p r ocess t h e sa m ple obj e ct in t he FI M Por t a l 1. 2. Open Synch r oniza t ion Se r vice M a n a ger and in t he Tools m enu, click M a na ge m e n t Age nt s. For each r ow in t he t able im m ediat ely above t his pr ocedur e, com plet e t he follow ing st eps: a. b. c. Select t he m anagem ent agent show n for t hat row in t he t able. To open t he Run M a n a gem e nt Age n t dialog box, on t he Act ions m enu, click Ru n . I n t he Run pr ofile s list , select t he r un pr ofile show n for t hat r ow in t he t able, and t hen click OK t o st ar t it .

Se e Also
Re fe r e n ce Docum ent at ion Roadm ap Underst anding Dat a Synchronizat ion w it h Ext ernal Syst em s How Do I Synchronize Users from Act ive Dir ect ory Dom ain Services t o FI M How Do I Synchronize Groups fr om Act ive Direct or y Dom ain Ser vices t o FI M How do I Provision Users t o Act ive Dir ect ory Dom ain Services How do I Provision Groups t o Act ive Direct or y Dom ain Serv ices FI M Exper t s Corner FI M Scr ipt box

Ta gs:

Com m un it y Cont e n t

http://64.4.11.252/en-us/library/ee534908(WS.10,printer).aspx

19-08-2011