
1/20/2014

Step 10: Create FIM management agents



Updated: January 15, 2013
Applies To: Forefront Identity Manager

To complete the configuration of the test lab, you must create nine Forefront Identity Manager 2010 (FIM) management agents that provide the interface between FIM and the external data systems whose identity data is synchronized by FIM.

To create the HRPerson MA


1. Log on to FIM1 as CORP\Administrator.
2. Click Start, click All Programs, click Microsoft Forefront Identity Manager, and then click Synchronization Service.
3. In Synchronization Service Manager, click Management Agents.
4. Under Actions, click Create.
5. In the Create Management Agent wizard, in the Management agent for list, click SQL Server.
6. In Name, type HRPerson, and then click Next.
7. On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type emp.
8. In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.
9. On the Configure Columns page, click Next.
10. On the Configure Connector Filter page, click Next.
11. On the Configure Join and Projection Rules page, click New Join Rule.
12. In the Join Rule for Person dialog box, in the Data source attribute list, click EmpAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, and then click Add Condition. In the warning that appears, click OK.
13. Click OK to close the Join Rule for Person dialog box.
14. On the Configure Join and Projection Rules page, click New Projection Rule.
15. In the Projection dialog box, click OK.
16. On the Configure Join and Projection Rules page, click Next.

http://technet.microsoft.com/en-us/library/jj853094(v=ws.10).aspx


17. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click EmpAccountName, click Direct, click Import, in the Metaverse attribute list, click sn, and then click New.
18. Repeat the preceding step, substituting the settings in the following table:

| Data source attribute | Metaverse attribute |
|---|---|
| EmpAccountName | givenName |
| EmpAccountName | cn |
| EmpDepartment | department |
| EmpEmployeeID | employeeID |
| EmpName | displayName |
| EmpFunction | jobTitle |
| EmpName | description |
| <dn> | csObjectID |
| EmpAccountName | accountName |
| EmpAccountName | objectID |
| EmpEmail | email |
| EmpType | employeeType |

19. On the Configure Attribute Flow page, click Next.
20. On the Configure Deprovisioning page, click Next.
21. On the Configure Extensions page, click Finish.

22. In Synchronization Service Manager, click HRPerson, and then, under Actions, click Configure Run Profiles.
23. In the Configure Run Profiles for HRPerson dialog box, click New Profile.
24. In the Configure Run Profile wizard, on the Profile Name page, type Import Employees from HR, and then click Next.
25. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
26. On the Management Agent Configuration page, click Finish.
27. In the Configure Run Profiles for HRPerson dialog box, click OK.

To create the HROrg MA


1. In Synchronization Service Manager, click Management Agents.
2. Under Actions, click Create.
3. In the Create Management Agent wizard, in the Management agent for list, click SQL Server.
4. In Name, type HROrg, and then click Next.
5. On the Connect to Database page, in Server, type APP1, in Database, type HR, and then in Table/View, type org.
6. In User name, type Administrator, in Password, type the password of the CORP\Administrator account, in Domain, type CORP, and then click Next.
7. On the Configure Columns page, click Set Anchor.
8. In the Set Anchor dialog box, in the Available attributes list, click OrgID, and then click Add.
9. In the Selected attributes list, click id, click Remove, and then click OK.
10. On the Configure Columns page, click Object Type.
11. In the Set Object Type dialog box, click Fixed object type, type organization, and then click OK.
12. On the Configure Columns page, click Next.
13. On the Configure Connector Filter page, click Next.
14. On the Configure Join and Projection Rules page, click New Projection Rule.
15. In the Projection dialog box, in the Metaverse object type, click organization, and then click OK.
16. On the Configure Join and Projection Rules page, click Next.
17. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click Organization, click Direct, click Import, in the Metaverse attribute list, click description, and then click New.
18. Repeat the preceding step, substituting the settings in the following table:

| Data source attribute | Metaverse attribute |
|---|---|
| Parent | company |
| Organization | displayName |

19. On the Configure Attribute Flow page, click Next.
20. On the Configure Deprovisioning page, click Next.
21. On the Configure Extensions page, click Finish.
22. In Synchronization Service Manager, click HROrg, and then, under Actions, click Configure Run Profiles.
23. In the Configure Run Profiles for HROrg dialog box, click New Profile.
24. In the Configure Run Profile wizard, on the Profile Name page, type Import orgunits from HR, and then click Next.
25. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
26. On the Management Agent Configuration page, click Finish.
27. In the Configure Run Profiles for HROrg dialog box, click OK.

To create the AMCOrgunits MA


1. In Synchronization Service Manager, click Management Agents.
2. Under Actions, click Create.
3. In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).
4. In Name, type AMCOrgunits, and then click Next.
5. On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.
6. On the Configure Partitions and Hierarchies page, click Next.
7. On the Select Object Types page, select Organizational unit, and then click Next.
8. On the Select Attributes page, select all attributes, and then click Next.
9. On the Configure Anchors page, click Next.
10. On the Configure Connector Filter page, click Next.
11. On the Configure Join and Projection Rules page, click New Projection Rule.
12. In the Projection dialog box, in the Metaverse object type list, click organization, and then click OK.
13. On the Configure Join and Projection Rules page, click Next.
14. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse object type list, click organization, in the Metaverse attribute list, click description, and then click New.
15. In the Data source attribute list, click Parent, click Direct, click Export, in the Metaverse attribute list, click company, and then click New.
16. On the Configure Attribute Flow page, click Next.
17. On the Configure Deprovisioning page, click Next.
18. On the Configure Extensions page, click Finish.
19. In Synchronization Service Manager, click AMCOrgunits, and then, under Actions, click Configure Run Profiles.
20. In the Configure Run Profiles for AMCOrgunits dialog box, click New Profile.
21. In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.
22. On the Configure Step page, in the Type list, click Export, and then click Next.
23. On the Management Agent Configuration page, click Finish.
24. In the Configure Run Profiles for AMCOrgunits dialog box, click OK.

To create the AMCUsers MA


1. In Synchronization Service Manager, click Management Agents.
2. Under Actions, click Create.
3. In the Create Management Agent wizard, in the Management agent for list, click Access Management (Microsoft).
4. In Name, type AMCUsers, and then click Next.
5. On the Connectivity page, in the Authentication Mode list, click Integrated Authentication, in User Name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type CORP, in B1 Database Server, type APP1, in Database Name, type B1, and then click Next.
6. On the Configure Partitions and Hierarchies page, click Next.
7. On the Select Object Types page, select the User check box, and then click OK.
8. On the Select Attributes page, select all the attributes in the list, and then click Next.
9. On the Configure Anchors page, click Next.
10. On the Configure Connector Filter page, click New.
11. In the Filter for person dialog box, in the Data source attribute list, click bholdDefAlias, in the Operator list, click Is not present, click Add Condition, and then click OK.
12. On the Configure Connector Filter page, click Next.
13. On the Configure Join and Projection Rules page, click New Projection Rule.
14. In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.
15. On the Configure Join and Projection Rules page, click Next.
16. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source attribute list, click bholdDescription, click Direct, click Export, in the Metaverse attribute list, click displayName, and then click New.
17. Repeat the previous step, substituting the values in the following table:

| Data source attribute | Metaverse attribute |
|---|---|
| OrganizationalUnit | department |
| BholdDefAlias | accountName |
| bholdDomain | domain |
| JobTitle | jobTitle |
| Email | email |

18. In the Data source attribute list, click Domain, click Advanced, click Export, and then click New.
19. In the Advanced Export Attribute Flow Options dialog box, click Constant, in Value, type CORP, and then click OK.
20. On the Configure Attribute Flow page, click Next.
21. On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.
22. On the Configure Extensions page, click Finish.
23. In Synchronization Service Manager, click AMCUsers, and then, under Actions, click Configure Run Profiles.
24. In the Configure Run Profiles for AMCUsers dialog box, click New Profile.
25. In the Configure Run Profile wizard, on the Profile Name page, type Export to BHOLD, and then click Next.
26. On the Configure Step page, in the Type list, click Export, and then click Next.
27. On the Management Agent Configuration page, click Finish.
28. In the Configure Run Profiles for AMCUsers dialog box, click New Step.
29. In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Delta Synchronization, and then click Next.
30. On the Management Agent Configuration page, click Finish.
31. In the Configure Run Profiles for AMCUsers dialog box, click OK.

To create the ADUsers MA


1. In Synchronization Service Manager, click Management Agents.
2. Under Actions, click Create.
3. In the Create Management Agent wizard, in the Management agent for list, click Active Directory Domain Services.
4. In Name, type ADUsers, and then click Next.
5. On the Connect to Active Directory Forest page, in Forest Name, type corp.contoso.com, in User name, type Administrator, in Password, type the password for the CORP\Administrator account, in Domain, type corp, and then click Next.
6. On the Configure Directory Partitions page, select the DC=corp,DC=contoso,DC=com check box, and then click Containers.
7. In the Select Containers dialog box, clear the DC=corp,DC=contoso,DC=com check box, select the FIMManaged check box, and then click OK.
8. On the Configure Directory Partitions page, click Next.
9. On the Configure Provisioning Hierarchy page, click Next.
10. On the Select Object Type page, select the following check boxes, and then click Next: container, domainDNS, organizationalUnit, user.
11. On the Select Attributes page, select the Show All check box, select the following check boxes, and then click Next: department, description, displayName, employeeID, mail, objectSid, sAMAccountName, title, unicodePwd, userAccountControl, userPrincipalName.
12. On the Configure Connector Filter page, click Next.
13. On the Configure Join and Projection Rules page, under Data Source Object Type, click user, and then click New Join Rule.
14. In the Join Rule for user dialog box, in the Data source attribute list, click sAMAccountName, in the Metaverse object type list, click person, in the Metaverse attribute list, click accountName, click Add Condition, in the warning click OK, and then in the dialog box, click OK.
15. On the Configure Join and Projection Rules page, click New Projection Rule.
16. In the Projection dialog box, in the Metaverse object type list, click person, and then click OK.
17. On the Configure Join and Projection Rules page, click Next.
18. On the Configure Attribute Flow page, in Build Attribute Flow, in the Data source object type list, click user, in the Data source attribute list, click description, click Export, select the Allow Nulls check box, in the Metaverse object type list, click person, in the Metaverse attribute list, click description, and then click New.
19. Repeat the previous step, substituting the values in the following table:

| Data source attribute | Flow direction | Allow Nulls | Metaverse attribute |
|---|---|---|---|
| displayName | Export | Yes | description |
| employeeID | Export | Yes | employeeID |
| sAMAccountName | Export | Yes | accountName |
| mail | Export | Yes | email |
| title | Export | Yes | jobTitle |
| department | Export | Yes | department |
| userPrincipalName | Export | No | accountName |
| objectSid | Import | No | objectSid |
| <dn> | Import | No | objectID |

20. In the Data source attribute list, click userAccountControl, click Advanced, click Export, and then click New.
21. In the Advanced Export Attribute Flow Options dialog box, click Constant, type 66048, and then click OK.
22. In the Data source attribute list, click unicodePwd, click Advanced, click Export, and then click New.
23. In the Advanced Export Attribute Flow Options dialog box, click Constant, type T3mpP@55, and then click OK.
24. In the Metaverse attribute list, click domain, click Advanced, click Import, and then click New.
25. In the Advanced Import Attribute Flow Options dialog box, click Constant, type CORP, and then click OK.
26. On the Configure Attribute Flow page, click Next.
27. On the Configure Deprovisioning page, click Stage a delete on the object for the next export run, and then click Next.
28. On the Configure Extensions page, click Finish.
29. In Synchronization Service Manager, click ADUsers, and then, under Actions, click Configure Run Profiles.
30. In the Configure Run Profiles for ADUsers dialog box, click New Profile.
31. In the Configure Run Profile wizard, on the Profile Name page, type Export and import AD users, and then click Next.
32. On the Configure Step page, in the Type list, click Export, and then click Next.
33. On the Management Agent Configuration page, verify the following settings, and then click Finish:

| Setting | Value |
|---|---|
| Partition | DC=corp,DC=contoso,DC=com |
| Batch size (objects) | 100 |
| Page size (objects) | 500 |
| Timeout (in seconds) | 120 |

34. In the Configure Run Profiles for ADUsers dialog box, click New Step.
35. In the Configure Run Profile wizard, on the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
36. On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.
37. In the Configure Run Profiles for ADUsers dialog box, click New Profile.
38. In the Configure Run Profile wizard, on the Profile Name page, type Sync, and then click Next.
39. On the Configure Step page, in the Type list, click Full Import and Full Synchronization, and then click Next.
40. On the Management Agent Configuration page, ensure that the settings match the previous table, and then click Finish.
41. In the Configure Run Profiles for ADUsers dialog box, click OK.
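
The following is an added example, not part of the original TechNet page or of FIM: a short Python review of the constant attribute flows from steps 20 to 25 of the ADUsers MA procedure. It decodes the userAccountControl constant 66048 into its documented flag bits and reports the settings a reviewer would change before reusing this lab configuration elsewhere. The tuple layout, function names and finding labels are assumptions made for illustration.

```python
# Added example: review of the constant export flows in the ADUsers MA steps.
# Bit values are the documented Active Directory userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
RISKY_FLAGS = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED",
               "DONT_EXPIRE_PASSWORD", "TRUSTED_FOR_DELEGATION",
               "DONT_REQ_PREAUTH"}
PASSWORD_ATTRS = {"unicodepwd", "userpassword"}


def decode_uac(value):
    """Split a userAccountControl integer into flag names and unknown bits."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known_mask = 0
    for bit in UAC_FLAGS:
        known_mask |= bit
    return names, value & ~known_mask


def review_constant_flows(flows):
    """flows: (data source attribute, direction, constant) tuples (assumed layout).
    Returns (attribute, finding) pairs; the finding labels are illustrative."""
    findings = []
    exports = {a.lower(): (a, c) for a, d, c in flows if d == "Export"}
    uac_names = None
    if "useraccountcontrol" in exports:
        attr, constant = exports["useraccountcontrol"]
        uac_names, unknown = decode_uac(int(constant))
        findings += [(attr, n) for n in uac_names if n in RISKY_FLAGS]
        if unknown:
            findings.append((attr, "UNKNOWN_BITS_%#x" % unknown))
    for key in sorted(PASSWORD_ATTRS & set(exports)):
        attr = exports[key][0]
        # One constant means every provisioned account gets the same password.
        findings.append((attr, "SHARED_INITIAL_PASSWORD"))
        if uac_names is not None and "ACCOUNTDISABLE" not in uac_names:
            # The account is also created enabled, so it is usable at once.
            findings.append((attr, "ENABLED_WITH_SHARED_PASSWORD"))
    return findings


# Constant flows taken from steps 20 to 25 of the ADUsers MA procedure.
ADUSERS_CONSTANT_FLOWS = [
    ("userAccountControl", "Export", "66048"),
    ("unicodePwd", "Export", "T3mpP@55"),
    ("domain", "Import", "CORP"),
]

if __name__ == "__main__":
    print(decode_uac(66048))
    for finding in review_constant_flows(ADUSERS_CONSTANT_FLOWS):
        print(finding)
```
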

Next step
To continue building the BHOLD Access Management Connector test lab, see Step 11: Verify the installation.

© 2014 Microsoft. All rights reserved.
