Windows Server 2008 : Harnessing the Power and Potential of FIM

2/5/2011 5:39:35 PM
FIM is a very capable and powerful tool. With the right configuration and some fancy scripting, it can be configured to perform an incredible variety of automatic tasks. Today’s environments are rife with directories, which increase the amount of administration required to create accounts, delete accounts, and update user information manually. FIM can greatly ease these requirements, improving administration and security. The next section focuses on some of the most valuable capabilities of FIM and how to effectively use them.

Managing Identities with FIM

FIM can be used for very basic configurations. For example, FIM can synchronize identity information between accounts in different directories. Identity information can include names, email and physical addresses, titles, department affiliations, and much more. Generally speaking, identity information is the type of data commonly found in corporate phone books or intranets. To use FIM for identity management between Active Directory and an LDAP directory server, follow these high-level steps:

1. Install the Metadirectory Services component of FIM.

2. Create a management agent (MA) for each of the directories: an Active Directory management agent and an LDAP management agent.

3. Configure the management agents to import directory object types into their respective connector namespaces.

4. Configure one of the management agents (for example, the Active Directory MA) to project the connector space directory objects and directory hierarchy into the metaverse namespace.

5. Configure the attribute flow rules for each management agent. Attribute flow is the function, configured within each management agent, that defines which directory object attributes from each directory are projected into the respective metaverse directory objects.

6. Configure the account-joining properties for directory objects. This is the most crucial step because it determines how the objects in each directory are related to one another within the metaverse namespace. Criteria such as an employee ID or a first-name and last-name combination can be used to configure the join. The key is to find the most unique combination, so that two objects with similar names are not confused with each other (for example, two users named Tom Jones in Active Directory).

7. After completely configuring the MAs and account joins, configure management agent run profiles to tell each management agent what to perform against its connected directory and connector namespace, for example, a full import or an export of data. The first time the MA is run, the connected directory information is imported to create the initial connector namespace.

8. After running the MAs once, run them a second time to propagate the authoritative metaverse data to the respective connector namespaces and out to the connected directories.

These steps can be used to simplify account maintenance tasks when several directories need to be managed simultaneously. In addition to performing identity management for user accounts, FIM can also be used to perform management tasks for groups. When a group is projected into the metaverse namespace, the group membership attribute can be replicated out to other connected directories through their management agents. This allows a group membership change to occur in one directory and be replicated to other directories automatically.
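The projection, join, attribute-flow, and export steps above, modelled as an added Python example. This is an illustration written for this page, not FIM's own API or code: the two connector spaces (AD_CS, LDAP_CS), the attribute-flow tables, and the join rules are constructed sample data that reuse standard AD and LDAP attribute names. It shows why the join key matters: a name-based rule matches both "Tom Jones" objects and is reported as ambiguous, leaving the connectors disconnected for review, while an employee-number rule joins each connector uniquely and lets the telephone number flow in and the authoritative mail address flow out.

```python
"""Model of FIM-style projection, join, and attribute flow (added example, not FIM's API)."""
from copy import deepcopy

# Constructed sample connector spaces: two AD users share a display name.
AD_CS = {
    "CN=Tom Jones,OU=Sales,DC=corp,DC=example": {
        "employeeID": "1001", "givenName": "Tom", "sn": "Jones",
        "mail": "tjones@example.com", "department": "Sales"},
    "CN=Tom Jones,OU=Legal,DC=corp,DC=example": {
        "employeeID": "1002", "givenName": "Tom", "sn": "Jones",
        "mail": "tom.jones@example.com", "department": "Legal"},
}
LDAP_CS = {
    "uid=1001,ou=people,dc=example": {"employeeNumber": "1001", "cn": "Tom Jones", "telephoneNumber": "555-0101"},
    "uid=1002,ou=people,dc=example": {"employeeNumber": "1002", "cn": "Tom Jones", "telephoneNumber": "555-0102"},
}

# Attribute flow rules: source attribute -> destination attribute.
AD_IMPORT_FLOW = {"employeeID": "employeeID", "givenName": "givenName", "sn": "sn",
                  "mail": "mail", "department": "department"}
LDAP_IMPORT_FLOW = {"telephoneNumber": "telephoneNumber"}
LDAP_EXPORT_FLOW = {"mail": "mail"}          # metaverse -> LDAP; AD is authoritative for mail

# Join rules as (name, key taken from the LDAP connector, key taken from the metaverse object).
JOIN_BY_NAME = ("displayName", lambda cs: cs["cn"], lambda mv: f"{mv['givenName']} {mv['sn']}")
JOIN_BY_EMPLOYEE = ("employeeNumber", lambda cs: cs["employeeNumber"], lambda mv: mv["employeeID"])


def project(ad_cs):
    """AD MA projection: every AD connector becomes a new metaverse object."""
    mv = []
    for dn, attrs in ad_cs.items():
        flowed = {dst: attrs[src] for src, dst in AD_IMPORT_FLOW.items() if src in attrs}
        mv.append({"attrs": flowed, "connectors": {"AD": dn}})
    return mv


def join(ldap_cs, mv, rules):
    """LDAP MA join: try each rule in order; only a unique match joins.
    Returns {connector DN: outcome}."""
    report = {}
    for dn, attrs in ldap_cs.items():
        outcome = "no match"
        for name, cs_key, mv_key in rules:
            candidates = [e for e in mv
                          if "LDAP" not in e["connectors"]      # one connector per MA per object
                          and mv_key(e["attrs"]) == cs_key(attrs)]
            if len(candidates) == 1:
                entry = candidates[0]
                entry["connectors"]["LDAP"] = dn
                entry["attrs"].update({dst: attrs[src] for src, dst in LDAP_IMPORT_FLOW.items() if src in attrs})
                outcome = f"joined by {name}"
                break
            if len(candidates) > 1:
                outcome = f"ambiguous on {name}"   # left for the next rule, or for manual review
        report[dn] = outcome
    return report


def export(mv, ldap_cs):
    """Export flow: authoritative metaverse attributes go out to joined LDAP connectors."""
    out = deepcopy(ldap_cs)
    for entry in mv:
        dn = entry["connectors"].get("LDAP")
        if dn is not None:
            for src, dst in LDAP_EXPORT_FLOW.items():
                if src in entry["attrs"]:
                    out[dn][dst] = entry["attrs"][src]
    return out


def run(rules):
    """Full cycle: project AD, join LDAP with the given rules, export metaverse data to LDAP."""
    mv = project(AD_CS)
    report = join(LDAP_CS, mv, rules)
    return mv, report, export(mv, LDAP_CS)


if __name__ == "__main__":
    for rules in ([JOIN_BY_NAME], [JOIN_BY_EMPLOYEE, JOIN_BY_NAME]):
        _, report, _ = run(rules)
        print([r[0] for r in rules], report)
```

Rule order matters: once a connector is joined, the object is no longer a candidate for the next connector, so a unique key such as employee number should come first and the name-based rule serves only as a fallback.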

Provisioning and Deprovisioning Accounts with FIM

Account provisioning in FIM allows advanced configurations of directory management agents, along with special provisioning agents, to be used to automate account creation and deletion in several directories. For example, if a new user account is created in Active Directory, the Active Directory MA can tag this account. Then, when the respective MAs are run for the other connected directories, a new user account can be generated automatically in each of those directories.

The provisioning and deprovisioning process in FIM can be an extremely useful tool in situations where automatic creation and deletion of user accounts is required. For example, a single user account can be created in an HR Oracle database, which can initiate a chain of account creations, as illustrated in Figure 1.

Figure 1. Synchronizing multiple identities with FIM.

In addition to creating these accounts, all associated accounts can be automatically deleted or disabled through a deprovisioning process in FIM. By automating this process, administration of the multitude of user accounts in an organization can be simplified and the risk of accidentally leaving a user account enabled after an employee has been terminated can be minimized.

The following high-level example demonstrates the steps required to set up simple account provisioning. In this example, an AD DS domain is connected to FIM, and any user accounts created in that domain have corresponding Exchange mailboxes created in a separate Active Directory resource forest:

1. Install FIM.

2. Configure a management agent for the connected AD DS domain.

3. Configure the AD DS MA so that the attributes necessary to create a resource mailbox flow into the metaverse.

4. Configure the attribute flow between the AD DS MA attributes and the FIM metaverse.

5. Configure an additional MA for the AD DS Exchange resource domain.

6. Ensure that the AD DS Exchange resource MA attributes that FIM will need to create the mailbox are set. These include the object types container, group, inetOrgPerson, organizationalUnit, and user.

7. Using Visual Studio, build a custom rules extension DLL that provides for the automatic creation of a mailbox-enabled user account in the resource forest. In this case, the DLL must use the MVExtensionExchange class.

8. Install this rules extension DLL into the metaverse.

9. Configure run profiles to import the information and automatically create the mailboxes.

The example described previously, although complex, is useful in situations in which a single Exchange Server forest is used by multiple organizations. The security identifier (SID) of the AD DS account is imported into the metaverse and used to create a mailbox in the resource forest that has the external domain account listed as the Associated External Account. Through a centralized FIM implementation, the Exchange resource forest can support the automatic creation of resource mailboxes for a large number of connected domains.
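The provisioning and deprovisioning chain described in this section (HR feed, user domain, Exchange resource forest, and the Associated External Account tied to the user's SID), modelled as an added Python example. It is an illustration written for this page, not FIM's API or the rules extension the text describes: the HR_FEED records, the directory names "AD" and "RES", the DN layouts, and the placeholder SIDs are all constructed. One cycle imports HR, provisions an AD account and then a linked mailbox user for every current person, and deprovisions both when the HR record disappears; the enabled_orphans check is the control a defender would run afterwards to confirm no enabled account survives without an owner.

```python
"""Model of FIM-style provisioning and deprovisioning from an authoritative HR feed (added example)."""

ACCOUNTDISABLE = 0x0002   # userAccountControl bit that disables an AD account
NORMAL_ACCOUNT = 0x0200

# Constructed HR feed (the authoritative source in Figure 1), keyed by employee ID.
HR_FEED = {
    "1001": {"givenName": "Tom", "sn": "Jones", "department": "Sales"},
    "1002": {"givenName": "Ann", "sn": "Lee", "department": "Legal"},
}


def new_state():
    """Empty metaverse and two empty connected directories: the user domain and the resource forest."""
    return {"mv": {}, "AD": {}, "RES": {}}


def import_hr(state, hr_feed):
    """HR MA import: project new people, refresh attributes, and report whose HR connector is gone."""
    mv = state["mv"]
    for emp_id, attrs in hr_feed.items():
        entry = mv.setdefault(emp_id, {"attrs": {"employeeID": emp_id}, "connectors": {}})
        entry["attrs"].update(attrs)
        entry["connectors"]["HR"] = emp_id
    gone = [emp_id for emp_id in mv if emp_id not in hr_feed]
    for emp_id in gone:
        mv[emp_id]["connectors"].pop("HR", None)
    return gone


def provision(state):
    """Metaverse provisioning: an AD account for every current person, then a linked mailbox user."""
    created = []
    for emp_id, entry in state["mv"].items():
        if "HR" not in entry["connectors"]:
            continue                               # no authoritative source, nothing to provision
        a = entry["attrs"]
        if "AD" not in entry["connectors"]:
            dn = f"CN={a['givenName']} {a['sn']},OU=Users,DC=corp,DC=example"
            state["AD"][dn] = {
                "sAMAccountName": (a["givenName"][0] + a["sn"]).lower(),
                "objectSid": f"S-1-5-21-0-0-0-{emp_id}",   # constructed placeholder SID
                "userAccountControl": NORMAL_ACCOUNT,
            }
            entry["connectors"]["AD"] = dn
            created.append(dn)
        a["objectSid"] = state["AD"][entry["connectors"]["AD"]]["objectSid"]  # SID flows into the metaverse
        if "RES" not in entry["connectors"]:
            dn = f"CN={a['givenName']} {a['sn']},OU=Mailboxes,DC=res,DC=example"
            state["RES"][dn] = {
                "msExchMasterAccountSid": a["objectSid"],   # the Associated External Account
                # a linked mailbox's own resource-forest account stays disabled; logon uses the AD account
                "userAccountControl": NORMAL_ACCOUNT | ACCOUNTDISABLE,
            }
            entry["connectors"]["RES"] = dn
            created.append(dn)
    return created


def deprovision(state, gone):
    """Deprovisioning: disable the AD account (kept for audit), delete the mailbox user, drop the MV object."""
    actions = []
    for emp_id in gone:
        entry = state["mv"].pop(emp_id)
        ad_dn = entry["connectors"].get("AD")
        if ad_dn in state["AD"]:
            state["AD"][ad_dn]["userAccountControl"] |= ACCOUNTDISABLE
            actions.append(("AD", "disable", ad_dn))
        res_dn = entry["connectors"].get("RES")
        if res_dn in state["RES"]:
            del state["RES"][res_dn]
            actions.append(("RES", "delete", res_dn))
    return actions


def enabled_orphans(state):
    """Control check: enabled AD accounts that no current metaverse person owns."""
    owned = {e["connectors"].get("AD") for e in state["mv"].values()}
    return sorted(dn for dn, acct in state["AD"].items()
                  if not acct["userAccountControl"] & ACCOUNTDISABLE and dn not in owned)


def run_cycle(state, hr_feed):
    """One run: import HR, provision what is missing, deprovision what HR no longer lists."""
    gone = import_hr(state, hr_feed)
    return {"created": provision(state), "deprovisioned": deprovision(state, gone)}


if __name__ == "__main__":
    state = new_state()
    print(run_cycle(state, HR_FEED))                       # two accounts and two mailbox users created
    print(run_cycle(state, {"1001": HR_FEED["1001"]}))     # Ann Lee left: AD disabled, mailbox deleted
    print("enabled orphans:", enabled_orphans(state))
```

The model disables rather than deletes the AD account so that the SID, group memberships and audit trail survive for investigation, while the resource-forest mailbox user is removed outright; whichever policy a site chooses, the orphan check is what turns the deprovisioning step into something that can be verified rather than assumed.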
