Tài liệu Lab A: Implementing Active Directory Interforest Synchronization pptx

Create a management agent for the Domain.nwtraders.msft forest by using the following parameters: • Name: Domain • Type: Microsoft Active Directory management agent • Mode: Reflector •

Lab A: Implementing Active Directory Interforest Synchronization

Objectives

After completing this lab, you will be able to synchronize two Active Directory forests by using MMS

Prerequisites

Before working on this lab, you must have:

! Experience creating and operating management agents

! An understanding of how TAMA functions

Lab Setup

To complete this lab, you need the following:

! MMS Server installed and running

! MMS Compass installed and configured to connect to your MMS Server

! Run the C:\Moc\2062A\Labfiles\Lab.vbs script This will prepare your computer for this lab

Scenario

The following table details the organizational unit, user, and contact objects that currently exist in the Contoso, Ltd forest

Name Type Location

Domain (Extern) Organizational unit NA Warehouse Organizational unit NA Cindy Durkin User Warehouse

Kim Yoshida User Warehouse Kevin Yim Contact Warehouse

forest

Name

Group Type

Group Scope Members

Hide from Distribution List

GWarehouse Security Global Cindy Durkin No GwarehouseHidden Security Global None Yes WGWarehouse Security Domain

Local

None No

WGWarehouseHidden Security Domain

Local

None Yes WWarehouse Security Universal None No WWarehouseHidden Security Universal None Yes

The following table details the organizational unit, user and contact objects that

currently exist in the Domain (where Domain represents your assigned domain)

forest

Name Type Location

Contoso (Extern) Organization unit NA Marketing Organizational unit NA Sales Organizational unit NA Kate Dresen User Marketing

Clay Martin Contact Marketing Wendy Wheeler User Sales

The following table details the groups that currently exist in your forest

Name Group Type Group Scope Members

Hide from Distribution List

Marketing Security Global Kate

Dressen

No

MarketingEmpty Security Domain

Local

None No MarketingEmptyHidden Security Universal None Yes Sales Distribution Global None No SalesEmpty Distribution Universal None No SalesEmptyHidden Distribution Universal None Yes

Exercise 1

Creating and Configuring the Management Agents

In this exercise, you will create the management agents that are required to connect to the two

Active Directory forests

Scenario

The first step in synchronizing the two Active Directory forests is to create the required

management agents

1 Create a management agent

for the

Domain.nwtraders.msft

forest by using the following

parameters:

• Name: Domain

• Type: Microsoft Active

Directory management

agent

• Mode: Reflector

• Forest to discover:

domain.nwtraders.msft

• Username:

domain\administrator

• Password: password

• Active Directory

Containers to Discover:

Contoso (Extern),

Marketing, and Sales

a Log on as administrator with a password of password

b Start MMS Compass, and then log on to your MMS Server

c In the control pane of MMS Compass, click Bookmarks, click

Management Agents, and then click Create New Management Agent

d In the Create Management Agent dialog box, in the Name of the

Management Agent box, type Domain (where domain is your

assigned domain name)

e In the Type of the Management Agent box, click Microsoft Active

Directory Management Agent, and then click Create

f On the Mode and Namespace Management tab, ensure that the

Management Agent Mode is set to Reflector

g On the Active Directory Discovery Settings tab, in the Forest to

discover box, type domain.nwtraders.msft

h In the Username box, type domain\administrator in the Password

box, type password and then click OK, in the Change Password dialog box, type password and then click OK

i In the directory pane, click the Domain management agent, and then in

the control pane, click Configure MA

j In the Configure the Management Agent dialog box, on the Active

Directory Discovery Settings tab, click Active Directory Containers

to Discover

k In the Active Directory Containers to Discover dialog box, click …

l In the Enter Network Password dialog box, in the Password box, type password and then click OK

m In the Forest Browser dialog box, expand

DC=domain,DC=nwtraders,DC=msft, click to select Contoso

(Extern), Marketing, and Sales, and then click OK

n Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the

Management Agent dialog box

Tasks Detailed Steps

2 Create a management agent

for the contoso.msft forest

by using the following

parameters:

• Name: Contoso

• Type: Microsoft Active

Directory Management

Agent

• Mode: Reflector

• Forest to discover:

contoso.msft

• Username:

contoso\administrator

• Password: password

• Active Directory

Containers to Discover:

Domain (Extern), and

Warehouse

a In the directory pane, click Server, and then in the control pane, click

Create New Management Agent

b In the Create Management Agent dialog box, in the Name of the

Management Agent box, type Contoso

c In the Type of the Management Agent box, click Microsoft Active

Directory Management Agent, and then click Create

d On the Mode and Namespace Management tab, ensure that the

Management Agent Mode is set to Reflector

e On the Active Directory Discovery Settings tab, in the Forest to

discover box, type contoso.msft

f In the Username box, type contoso\administrator and in the

Password box, type password and then click OK, in the Change Password dialog box, type password and then click OK

g In the directory pane, click the Contoso management agent, and then in the control pane, click Configure MA

h In the Configure the Management Agent dialog box, on the Active

Directory Discovery Settings tab, click Active Directory Containers

to Discover

i In the Active Directory Containers to Discover dialog box, click …

j In the Enter Network Password dialog box, in the Password box, type password and then click OK

k In the Forest Browser dialog box, expand DC=contoso,DC=mst,

click to select Domain (Extern), and Warehouse, and then click OK

l Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the

Management Agent dialog box

Exercise 2

Operating the Management Agents

In this exercise, you will operate the management agents in order to perform the initial discovery of the two Active Directory forests and to populate the metadirectory

Scenario

Now that the required management agents have been created and configured, you must operate the

management agents in order to perform the initial discovery and to populate the metaverse

namespace

1 Run the Domain

management agent Review

the Operator’s log for errors

a In the directory pane of MMS Compass, click the Domain management

agent, and then in the control pane, click Operate MA

b In the Operate the Management Agent dialog box, click Run the

Management Agent

c Review the Operator’s log for errors

d Examine the metadirectory to verify that the management agent created the required entries

2 Run the Contoso

management agent Review

the Operator’s log for errors

a In the directory pane, click the Contoso management agent, and then in the control pane, click Operate MA

b In the Operate the Management dialog box, click Run the

Management Agent

c Review the Operator’s log for errors

d Examine the metadirectory to verify that the management agent created the required entries

Where in the metadirectory were entries created? Why were they created in that location?

Entries were created both in the connector namespace and in the metaverse namespace because the management agents were configured to operate in Reflector mode

Exercise 3

Creating and Configuring TAMA Account Resources

In this exercise, you will create and configure the required TAMA account resources

Scenario

Now that the metadirectory has been populated with the required Active Directory containers from

each forest, the next step is to create TAMA account resources These resources will be used by the Provisioning Agent management agent to determine where in the Active Directory management

agents’ connector namespaces connectors need to be created

1 Create a copy of the Sample

Hierarchical Active

Directory Object Creation

Resource and configure it

by using the following

parameters:

• Management Agent:

Contoso

• Location under MA

(Optional): Domain

(Extern)

• Metaverse Boundary

Node: Domain

• Rename to: Domain to

Contoso

a In the directory pane of MMS Compass, open the Together

Administration folder

b Right-click Sample Hierarchical Active Directory Object Creation

Resource, and then click Copy

c In the directory pane, in the Together Administration folder, right-click any empty area, and then right-click Paste

d In the Copy Entry Action dialog box, click Duplicate this entry, and then click OK

e In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA

f In the Select the MA dialog box, click Contoso, drag and drop it to the

Management Agent box, and then click OK

g Click Select a location, in the Select a location dialog box, expand

Contoso, expand contoso.msft, drag and drop Domain (Extern) to the

Location Under MA (Optional) box, and then click OK

h Click …, in the … dialog box, expand msft, expand nwtraders, drag

and drop domain in the Metaverse Boundary Node box, and then

click OK

i Click OK to close the Sample Hierarchical Active Directory Object

Creat dialog box

j Int eh directory pane, right-click Copy of Sample Hierarchical Active

Directory Object Creation Resource, click Rename, type Domain to

Contoso Resource and then press ENTER

Tasks Detailed Steps

2 Create a copy of the Sample

Hierarchical Active

Directory Object Creation

Resource and configure it by

using the following

parameters:

• Management Agent:

Domain

• Location under MA

(Optional): Contoso

(Extern)

• Metaverse Boundary

Node: Contoso

• Rename to: Contoso to

Domain

a Right-click Sample Hierarchical Active Directory Object Creation

Resource, and then click Copy

b In the directory pane, in the Together Administration folder, right-click any empty area, and then right-click Paste

c In the Copy Entry dialog box, click Duplicate this entry, and then click OK

d In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA

e In the Select the MA dialog box, click Domain, drag and drop it to the

Management Agent box, and then click OK

f Click Select a location, in the Select a location dialog box,

double-click Domain, double-double-click domain.nwtraders.msft, drag and drop

Contoso(Extern) to the Location Under MA (Optional) box, and

then click OK

g Click …, in the … dialog box, and then expand msft, drag and drop

Contoso on the Metaverse Boundary Node box, and then click OK

h Click OK to close the Sample Hierarchical Active Directory Object

Creat dialog box

i Right-click Copy of Sample Hierarchical Active Directory Object

Creation Resource, click Rename, type Contoso to Domain

Resource and then press ENTER

Exercise 4

Assigning TAMA Account Resources to TAMA Account Profiles

In this exercise, you will assign the appropriate TAMA account resources to the appropriate TAMA account profiles

Scenario

Now that the TAMA account resources have been created, the next step it to assign those resources

to TAMA account profiles To synchronize the Active Directory objects from Domain to Contoso,

you will assign the Domain to Contoso account resource to the account profile for the domain

portion of the metaverse namespace Conversely, to synchronize the Active Directory objects from

Contoso to Domain, you will assign the Contoso to Domain account resource to the contoso portion

of the metaverse namespace

1 Assign the Domain to

Contoso account resource to

the account profile for the

domain metaverse

namespace entry

a At the top of the directory pane of MMS Compass, click The Known

Universe

b In the directory pane, click the domain metaverse namespace entry, and

then in the control pane, click Administration

c In the Entry Administration dialog box, on the Account Profile tab,

under Resource List, drag and drop the Domain to Contoso account

resource to the Account Profile box, and then click OK

2 Assign the Contoso to

Domain account resource to

the account profile for the

contoso metaverse

namespace entry

a In the directory pane, click the contoso metaverse namespace entry, and then in the control pane, click Administration

b In the Entry Administration dialog box, on the Account Profile tab,

under Resource List, drag and drop the Contoso to Domain account

resource to the Account Profile box, and then click OK

Exercise 5

Operating the Provisioning Agent Management Agent

In this exercise, you will operate the Provisioning Agent management agent in order to create the

connectors in the other management agent’s connector namespaces

Scenario

Now that the account resources have been properly assigned to the respective account profiles, you need to operate the Provisioning Agent management agent in order to have the appropriate

connectors created

1 Operate the Provisioning

Agent management agent

Check the Operator’s log for

errors Verify that the

required connectors were

created

a In the directory pane of MMS Compass, click Provisioning Agent, and then in the control pane, click Operate MA

b In the Operate the Together Administration MA dialog box, click

Run the Management Agent

c Check the Operator’s log for errors

d Verify that the required connectors were created

Were the required connectors added to the connector namespace for the Contoso management agent? Were

the required connectors added to the connector namespace for the Domain management agent?

Yes, the required connectors were added to the respective connector namespaces for both of the management agents

Exercise 6

Operating the Active Directory Management Agents

In this exercise, you will operate the Active Directory management agents in order to complete

interforest synchronization

Scenario

Now that the connector namespaces of the management agents have been populated with the

appropriate connectors, the final step is to operate the two Active Directory management agents in

order to complete interforest synchronization

1 Run the Domain

management agent Review

the Operator’s log for errors

a In the directory pane of MMS Compass, click the Domain management

agent, and then in the action pane, click Operate MA

b In the Operate the Management dialog box, click Run the

Management Agent

c Review the Operator’s log for errors

2 Run the Contoso

management agent Review

the Operator’s log for errors

a In the directory pane, click the Contoso management agent, and then in the action pane, click Operate MA

b In the Operate the Management dialog box, click Run the

Management Agent

c Review the Operator’s log for errors

3 Verify that the objects from

Contoso were added to

Domain

a Open Active Directory Users and Computers from the Administrative

Tools menu

b In the directory pane, expand Contoso (Extern)

c Verify that the objects from Contoso were added to your domain

4 Verify that the objects from

Domain were added to

Contoso

a In the directory pane of Active Directory Users and Computers,

right-click Active Directory Users and Computers, and then right-click Connect

to Domain

b In the Connect to Domain dialog box, type contoso.msft and then click OK

c In the directory pane, expand Domain (Extern)

d Verify that the objects from Domain were added to Contoso

e Close all windows and then log off