FIM2010的配置及应用(二)
前面章节我们介绍了FIM2010的全新安装,今天主要介绍FIM2010的简单配置,通过Management Agent代理来收集AD内的用户信息,具体见下:
Implementing the Automated Password Synchronization Solution - Step-by-Step
2 out of 4 rated this helpful - Rate this topic
Applies To: Forefront Identity Manager
This document provides step-by-step instructions for implementing the automated password synchronization solution that is described in Automated Password Synchronization Solution Guide for MIIS 2003 at http://go.microsoft.com/fwlink/?LinkId=81749. You will follow these steps to implement the solution:
Step 1: Install PCNS on All Active Directory Domain Controllers
Step 2: Configure the Service Principal Name (SPN)
Step 3: Configure PCNS
Step 4: Configure the Management Agents
Step 5: Enable Password Synchronization
Step 1: Install PCNS on All Active Directory Domain Controllers
To install Password Change Notification Service (PCNS) on a computer running Microsoft Windows?, you use the Password Change Notification Service.msi file. The file is located on the MIIS 2003 installation CD in the Password Synchronization folder.
|
The user who installs PCNS must be a member of the Domain Admins group. Additionally, if the Active Directory? directory service schema must be updated to include object classes and attributes that PCNS requires, the user must be a member of the Schema Admins group. |
NoteDuring PCNS installation, MIIS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.
|
To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components. To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups. The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see MIIS 2003 Help. |
![clip_p_w_picpath001[1]](http://img.e-com-net.com/image/info3/cf7b7d81b7ab48a0b06b7ded45f682e0.jpg "clip_p_w_picpath001[1]"){kind=small}
Note首先是下载PCNS软件
http://www.microsoft.com/en-us/download/details.aspx?id=19495
然后在AD上 执行安装
To install PCNS
On the MIIS 2003 SP1 installation CD, double-click the Password change Notification Service.msi icon.
Use the Password Change Notification Service x64.msi or Password Change Notification x86 as appropriate for the hardware in your environment.
In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.
In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.
Click Install to begin the installation.
Click Yes to restart your computer now, or click No to restart your computer later.
To verify that PCNS has started
Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.
At a command-line prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.
In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.
Verify that the following events from Pcnssvc.exe are in the log:
2105 – PCNS has started.
2102 – Target <MIIS 2003 server name> is enabled. Password changes will be queued for this MIIS 2003 target server.
The presence of these events confirms that PCNS has started successfully.
Step 2: Configure the Service Principal Name (SPN)
MIIS 2003 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server? 2003 Support Tools on the Windows Server 2003 installation CD.
|
You can also download Setspn.exe from Windows 2000 Resource Kit Tool: Setspn.exe at http://go.microsoft.com/fwlink/?LinkID=33571. |
![clip_p_w_picpath001[2]](http://img.e-com-net.com/image/info3/de6dd34dcf014c5e91b78384df29d330.jpg "clip_p_w_picpath001[2]"){kind=small}
NoteTo configure the SPN using Setspn.exe
At a command-line prompt, type the commands shown by the following syntax:
Setspn.exe -a <user defined named for target MIIS 2003 server>/
For example:
Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount
The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to MIIS 2003.
To verify the SPN setting for MIIS 2003
Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.
At a command prompt, type setspn –L <MIIS service account>, and then press ENTER.
Verify that the following SPN is registered for the <MIIS service account>: PCNSCLNT\<MIIS server host name>
