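FIM 2010 Configuration and Use (Part 2)

The previous post covered a clean installation of FIM 2010. This post covers basic FIM 2010 configuration, using a Management Agent to collect user information from AD. Details follow: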

Implementing the Automated Password Synchronization Solution - Step-by-Step

Applies To: Forefront Identity Manager

This document provides step-by-step instructions for implementing the automated password synchronization solution that is described in Automated Password Synchronization Solution Guide for MIIS 2003 at http://go.microsoft.com/fwlink/?LinkId=81749. You will follow these steps to implement the solution:

Step 1: Install PCNS on All Active Directory Domain Controllers

Step 2: Configure the Service Principal Name (SPN)

Step 3: Configure PCNS

Step 4: Configure the Management Agents

Step 5: Enable Password Synchronization

Step 1: Install PCNS on All Active Directory Domain Controllers

To install Password Change Notification Service (PCNS) on a computer running Microsoft Windows, you use the Password Change Notification Service.msi file. The file is located on the MIIS 2003 installation CD in the Password Synchronization folder.

Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if the Active Directory directory service schema must be updated to include object classes and attributes that PCNS requires, the user must be a member of the Schema Admins group.


During PCNS installation, MIIS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.  

Note

To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components.

To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups.

The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see MIIS 2003 Help.


First, download the PCNS software:

http://www.microsoft.com/en-us/download/details.aspx?id=19495

Then run the installation on the AD server:

To install PCNS

On the MIIS 2003 SP1 installation CD, double-click the Password Change Notification Service.msi icon.

Use the Password Change Notification Service x64.msi or Password Change Notification x86 as appropriate for the hardware in your environment.

In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

Click Install to begin the installation.

Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

At a command-line prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

Verify that the following events from Pcnssvc.exe are in the log:

2105 – PCNS has started.

2102 – Target <MIIS 2003 server name> is enabled. Password changes will be queued for this MIIS 2003 target server.

The presence of these events confirms that PCNS has started successfully.

Step 2: Configure the Service Principal Name (SPN)

MIIS 2003 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server 2003 Support Tools on the Windows Server 2003 installation CD.

Note

You can also download Setspn.exe from Windows 2000 Resource Kit Tool: Setspn.exe at http://go.microsoft.com/fwlink/?LinkID=33571.


To configure the SPN using Setspn.exe

At a command-line prompt, type the commands shown by the following syntax:

Setspn.exe -a <user defined name for target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003> <domain\user name of the MIIS 2003 service account>

For example:

Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to MIIS 2003.

To verify the SPN setting for MIIS 2003

Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

At a command prompt, type setspn -L <MIIS service account>, and then press ENTER.

Verify that the following SPN is registered for the <MIIS service account>: PCNSCLNT/<MIIS server host name>
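
The two verification procedures above (PCNS start-up events and SPN registration) can be scripted. The following PowerShell is an added example, not part of the original post or the Microsoft guide; the SPN and account name are the page's sample values, the domain controller names are hypothetical, and the function name Get-SpnOwner is invented for illustration.

```powershell
# Added example. Values are the page's samples or hypothetical; replace them.
$Spn         = 'PCNSCLNT/fab-dev-01.usergroup.fabrikam.com'
$ServiceAcct = 'MIISServAccount'        # sAMAccountName of the MIIS service account
$DomainControllers = @('dc01', 'dc02')  # hypothetical DC host names

function Get-SpnOwner {
    param([Parameter(Mandatory)][string]$Spn)
    # Searches the current domain only; in a multi-domain forest, repeat per
    # domain, because the SPN must be unique across all service accounts.
    $searcher = [adsisearcher]"(servicePrincipalName=$Spn)"
    $searcher.PropertiesToLoad.AddRange([string[]]('samaccountname', 'distinguishedname'))
    foreach ($result in $searcher.FindAll()) {
        [pscustomobject]@{
            Account = [string]$result.Properties['samaccountname'][0]
            DN      = [string]$result.Properties['distinguishedname'][0]
        }
    }
}

# 1. The SPN must exist exactly once, and on the MIIS service account.
$owners = @(Get-SpnOwner -Spn $Spn)
if ($owners.Count -eq 0) {
    Write-Warning "$Spn is not registered on any account."
} elseif ($owners.Count -gt 1) {
    Write-Warning "$Spn is registered on $($owners.Count) accounts; Kerberos authentication will fail."
    $owners | Format-Table -AutoSize
} elseif ($owners[0].Account -ne $ServiceAcct) {
    Write-Warning "$Spn belongs to '$($owners[0].Account)', expected '$ServiceAcct'."
} else {
    "SPN OK: $Spn -> $($owners[0].DN)"
}

# 2. Each DC should have logged events 2105 and 2102 in the Application log.
foreach ($dc in $DomainControllers) {
    $events = @(Get-WinEvent -ComputerName $dc -MaxEvents 200 -ErrorAction SilentlyContinue `
        -FilterHashtable @{ LogName = 'Application'; Id = 2105, 2102 })
    foreach ($id in 2105, 2102) {
        $hit = $events | Where-Object Id -eq $id | Select-Object -First 1
        if ($hit) {
            # ProviderName is printed so you can confirm the event came from PCNS.
            "{0}: event {1} at {2} from '{3}'" -f $dc, $id, $hit.TimeCreated, $hit.ProviderName
        } else {
            Write-Warning "${dc}: event $id not found; PCNS may not have started."
        }
    }
}
```

The event query filters on log name and ID only, so check the printed provider name before treating a hit as a PCNS event.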
