FIM2010的配置及应用(二)

FIM2010的配置及应用(二)

前面章节我们介绍了FIM2010的全新安装,今天主要介绍FIM2010的简单配置,通过Management Agent代理来收集AD内的用户信息,具体见下:

Implementing the Automated Password Synchronization Solution - Step-by-Step

2 out of 4 rated this helpful - Rate this topic

Applies To: Forefront Identity Manager

This document provides step-by-step instructions for implementing the automated password synchronization solution that is described in Automated Password Synchronization Solution Guide for MIIS 2003 at http://go.microsoft.com/fwlink/?LinkId=81749. You will follow these steps to implement the solution:

Step 1: Install PCNS on All Active Directory Domain Controllers

Step 2: Configure the Service Principal Name (SPN)

Step 3: Configure PCNS

Step 4: Configure the Management Agents

Step 5: Enable Password Synchronization

Step 1: Install PCNS on All Active Directory Domain Controllers

To install Password Change Notification Service (PCNS) on a computer running Microsoft Windows?, you use the Password Change Notification Service.msi file. The file is located on the MIIS 2003 installation CD in the Password Synchronization folder.  

clip_image001Note

The user who installs PCNS must be a member of the Domain Admins group. Additionally, if the Active Directory? directory service schema must be updated to include object classes and attributes that PCNS requires, the user must be a member of the Schema Admins group.


During PCNS installation, MIIS verifies the Active Directory schema to ensure that classes and attributes needed to run PCNS are available. If they are not available, you are prompted to update the schema by launching the PCNS Schema Update Wizard.  

clip_image001[1]Note

To update the Active Directory schema, follow the instructions in the PCNS Schema Update Wizard, and then run the Password Change Notification Service.msi file again to install the PCNS components.

To modify the Active Directory schema, you must be a member of both the Domain Admins and the Schema Admins groups.

The Active Directory schema must be extended only once for each Active Directory forest. The schema modifications are replicated to the other domain controllers in the forest. For more information about the object classes and attributes added during the schema update, see MIIS 2003 Help.


首先是下载PCNS软件

http://www.microsoft.com/en-us/download/details.aspx?id=19495

clip_image003

然后在AD上 执行安装

clip_image005

To install PCNS

On the MIIS 2003 SP1 installation CD, double-click the Password change Notification Service.msi icon.

Use the Password Change Notification Service x64.msi or Password Change Notification x86 as appropriate for the hardware in your environment.

In Welcome to the Setup Wizard for Microsoft Password Change Notification Service, click Next.

In the installation wizard, read and accept Microsoft Software License Terms, and then click Next.

Click Install to begin the installation.

Click Yes to restart your computer now, or click No to restart your computer later.

To verify that PCNS has started

Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

At a command-line prompt, type eventvwr.msc, and then press ENTER to open Event Viewer.

In the console tree, click Event Viewer, and then click Application to display the event logs in the details pane.

Verify that the following events from Pcnssvc.exe are in the log:

2105 �C PCNS has started.

2102 �C Target <MIIS 2003 server name> is enabled. Password changes will be queued for this MIIS 2003 target server.

The presence of these events confirms that PCNS has started successfully.

clip_image007

Step 2: Configure the Service Principal Name (SPN)

MIIS 2003 uses Setspn.exe to create and configure the service principal name (SPN). Setspn.exe is included with the Microsoft Windows 2000 Resource Kit Tools and the Microsoft Windows Server? 2003 Support Tools on the Windows Server 2003 installation CD.  

clip_image001[2]Note

You can also download Setspn.exe from Windows 2000 Resource Kit Tool: Setspn.exe at http://go.microsoft.com/fwlink/?LinkID=33571.


To configure the SPN using Setspn.exe

At a command-line prompt, type the commands shown by the following syntax:

Setspn.exe -a <user defined named for target MIIS 2003 server>/<fully qualified domain name of the server running MIIS 2003>\<domain\user name of the MIIS 2003 service account>

For example:

Setspn.exe -a PCNSCLNT/fab-dev-01.usergroup.fabrikam.com fab-dev-01\MIISServAccount

The SPN must be unique and cannot appear on any other service account. Otherwise, the Kerberos authentication fails and password change requests are not sent to MIIS 2003.

To verify the SPN setting for MIIS 2003

Log on to each Active Directory domain controller where PCNS was installed with administrative privileges.

At a command prompt, type setspn �CL <MIIS service account>, and then press ENTER.

Verify that the following SPN is registered for the <MIIS service account>: PCNSCLNT\<MIIS server host name>

clip_image009

clip_image011

clip_image013

clip_image015

clip_image017

clip_image019

clip_image021

clip_image023

clip_image025

clip_image027

clip_image029

clip_image031

clip_image033

clip_image035

clip_image037

clip_image039

clip_image041

clip_image043

clip_image045

clip_image047

你可能感兴趣的:(FIM2010配置)