How do I set up AD sync for FIM just to use the password reset portal? Active Directory Forefront Identity Manager
I am new to FIM 2010. We are just wanting to use it for SSPR - password reset at this point. We do not need to provision accounts; that will be another phase. We have everything set up except the key part, which is AD syncing. Can anyone explain how to set up the FIM MA and AD MA for just the basics so we can reset passwords (again, not concerned about provisioning accounts yet)? All the documents I read are just labs and examples. We have all the workflows set up and the proper service accounts added where they belong - I'm just stuck on the syncing. Any help would be much appreciated!
April 25th, 2012 6:32pm
You need to have the AD MA set up, the FIM MA set up, and then configure an inbound sync rule on the AD MA for the user object type. Ensure that the FilterSynchronization object allows the sync engine to create and modify users in the FIM Service. Then create the following run profiles on the AD MA: Full Import, Delta Import, Delta Sync, Full Sync. Then create the following run profiles on the FIM MA: Full Import, Delta Import, Delta Sync, Full Import, Export. Then run the full import on AD, then the full sync, then run the export on the FIM MA, then a full import on the FIM MA. David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
April 25th, 2012 8:27pm
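The run order described in the reply above, scripted against the FIM Synchronization Service WMI provider. This is an added example, not part of the original thread: the management agent names "AD MA" and "FIM MA" are assumed placeholders for whatever the agents are called in your Synchronization Service Manager, and it reads "the full sync" as the Full Sync profile on the AD MA. Run it on the sync server under an account permitted to run management agents.

```powershell
# Added example (not from the thread). Runs the four steps from the reply in order
# and halts at the first run that does not report 'success', so a failed import
# is never followed by an export into the FIM Service.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'   # FIM Sync WMI namespace
$AdMa      = 'AD MA'    # assumed MA name, replace with your AD management agent
$FimMa     = 'FIM MA'   # assumed MA name, replace with your FIM management agent

# Run profile names are the ones listed in the reply; they must already exist.
$Steps = @(
    @{ MA = $AdMa;  Profile = 'Full Import' },
    @{ MA = $AdMa;  Profile = 'Full Sync'   },
    @{ MA = $FimMa; Profile = 'Export'      },
    @{ MA = $FimMa; Profile = 'Full Import' }
)

function Invoke-RunProfile {
    param(
        [Parameter(Mandatory)] [string] $MaName,
        [Parameter(Mandatory)] [string] $ProfileName
    )
    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent `
                        -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' not found." }
    # Execute blocks until the run completes and returns its status string.
    return $ma.Execute($ProfileName).ReturnValue
}

foreach ($step in $Steps) {
    $status = Invoke-RunProfile -MaName $step.MA -ProfileName $step.Profile
    Write-Host ('{0,-8} {1,-12} -> {2}' -f $step.MA, $step.Profile, $status)
    if ($status -ne 'success') {
        # Any other status (warnings, errors, stopped runs) needs a look in the
        # Operations view before the next step is allowed to write anything.
        throw "Run '$($step.Profile)' on '$($step.MA)' returned '$status'; stopping."
    }
}
```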
Thanks David - that is really helpful! I am still unclear when setting up the FIM MA and AD MA what attributes to select (do I select them all) and what to configure with the attribute flow (keeping in mind we only want to reset password, not provision accounts). Thanks in advance! The run profiles were a huge help!
April 26th, 2012 6:31pm
Danny, You are welcome. At a minimum you need to flow samAccountName, domain name, and SID. I also recommend flowing DisplayName, givenName, sn, jobtitle, and department, so that way when you look at the users in the Portal you have a bit more identifying information. Of these extras I strongly recommend DisplayName since so many times you will want to have that. David Lundell, Get your copy of FIM Best Practices Volume 1 http://blog.ilmbestpractices.com/2010/08/book-is-here-fim-best-practices-volume.html
April 27th, 2012 9:24am