Lab A: Implementing Active Directory
Interforest Synchronization
Objectives
After completing this lab, you will be able to synchronize two Active Directory
forests by using MMS.
Prerequisites
Before working on this lab, you must have:
• Experience creating and operating management agents.
• An understanding of how TAMA functions.
Lab Setup
To complete this lab, you need the following:
• MMS Server installed and running.
• MMS Compass installed and configured to connect to your MMS Server.
• Run the C:\Moc\2062A\Labfiles\Lab.vbs script. This will prepare your
  computer for this lab.
Scenario
The following table details the organizational unit, user, and contact objects that
currently exist in the Contoso, Ltd forest.
Name             Type                 Location
Domain (Extern)  Organizational unit  NA
Warehouse        Organizational unit  NA
Cindy Durkin     User                 Warehouse
Kim Yoshida      User                 Warehouse
Kevin Yim        Contact              Warehouse
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
The following table details the groups that currently exist in the Contoso, Ltd.
forest.
Name               Group Type  Group Scope   Members       Hide from Distribution List
GWarehouse         Security    Global        Cindy Durkin  No
GwarehouseHidden   Security    Global        None          Yes
WGWarehouse        Security    Domain Local  None          No
WGWarehouseHidden  Security    Domain Local  None          Yes
WWarehouse         Security    Universal     None          No
WWarehouseHidden   Security    Universal     None          Yes
The following table details the organizational unit, user and contact objects that
currently exist in the Domain (where Domain represents your assigned domain)
forest.
Name              Type                 Location
Contoso (Extern)  Organizational unit  NA
Marketing         Organizational unit  NA
Sales             Organizational unit  NA
Kate Dresen       User                 Marketing
Clay Martin       Contact              Marketing
Wendy Wheeler     User                 Sales
The following table details the groups that currently exist in your forest.
Name                  Group Type    Group Scope   Members       Hide from Distribution List
Marketing             Security      Global        Kate Dressen  No
MarketingEmpty        Security      Domain Local  None          No
MarketingEmptyHidden  Security      Universal     None          Yes
Sales                 Distribution  Global        None          No
SalesEmpty            Distribution  Universal     None          No
SalesEmptyHidden      Distribution  Universal     None          Yes
Estimated time to complete this lab: xx minutes
Exercise 1
Creating and Configuring the Management Agents
In this exercise, you will create the management agents that are required to connect to the two
Active Directory forests.
Scenario
The first step in synchronizing the two Active Directory forests is to create the required
management agents.
Tasks and detailed steps

1. Create a management agent for the Domain.nwtraders.msft forest by using the following parameters:
   • Name: Domain
   • Type: Microsoft Active Directory management agent
   • Mode: Reflector
   • Forest to discover: domain.nwtraders.msft
   • Username: domain\administrator
   • Password: password
   • Active Directory Containers to Discover: Contoso (Extern), Marketing, and Sales.

   Detailed steps:
   a. Log on as administrator with a password of password.
   b. Start MMS Compass, and then log on to your MMS Server.
   c. In the control pane of MMS Compass, click Bookmarks, click Management Agents, and then click Create New Management Agent.
   d. In the Create Management Agent dialog box, in the Name of the Management Agent box, type Domain (where domain is your assigned domain name).
   e. In the Type of the Management Agent box, click Microsoft Active Directory Management Agent, and then click Create.
   f. On the Mode and Namespace Management tab, ensure that the Management Agent Mode is set to Reflector.
   g. On the Active Directory Discovery Settings tab, in the Forest to discover box, type domain.nwtraders.msft
   h. In the Username box, type domain\administrator, in the Password box, type password, and then click OK. In the Change Password dialog box, type password, and then click OK.
   i. In the directory pane, click the Domain management agent, and then in the control pane, click Configure MA.
   j. In the Configure the Management Agent dialog box, on the Active Directory Discovery Settings tab, click Active Directory Containers to Discover.
   k. In the Active Directory Containers to Discover dialog box, click …
   l. In the Enter Network Password dialog box, in the Password box, type password and then click OK.
   m. In the Forest Browser dialog box, expand DC=domain,DC=nwtraders,DC=msft, click to select Contoso (Extern), Marketing, and Sales, and then click OK.
   n. Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the Management Agent dialog box.
2. Create a management agent for the contoso.msft forest by using the following parameters:
   • Name: Contoso
   • Type: Microsoft Active Directory Management Agent
   • Mode: Reflector
   • Forest to discover: contoso.msft
   • Username: contoso\administrator
   • Password: password
   • Active Directory Containers to Discover: Domain (Extern), and Warehouse.

   Detailed steps:
   a. In the directory pane, click Server, and then in the control pane, click Create New Management Agent.
   b. In the Create Management Agent dialog box, in the Name of the Management Agent box, type Contoso
   c. In the Type of the Management Agent box, click Microsoft Active Directory Management Agent, and then click Create.
   d. On the Mode and Namespace Management tab, ensure that the Management Agent Mode is set to Reflector.
   e. On the Active Directory Discovery Settings tab, in the Forest to discover box, type contoso.msft
   f. In the Username box, type contoso\administrator, in the Password box, type password, and then click OK. In the Change Password dialog box, type password, and then click OK.
   g. In the directory pane, click the Contoso management agent, and then in the control pane, click Configure MA.
   h. In the Configure the Management Agent dialog box, on the Active Directory Discovery Settings tab, click Active Directory Containers to Discover.
   i. In the Active Directory Containers to Discover dialog box, click …
   j. In the Enter Network Password dialog box, in the Password box, type password and then click OK.
   k. In the Forest Browser dialog box, expand DC=contoso,DC=msft, click to select Domain (Extern), and Warehouse, and then click OK.
   l. Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the Management Agent dialog box.
Exercise 2
Operating the Management Agents
In this exercise, you will operate the management agents in order to perform the initial discovery of
the two Active Directory forests and to populate the metadirectory.
Scenario
Now that the required management agents have been created and configured, you must operate the
management agents in order to perform the initial discovery and to populate the metaverse
namespace.
Tasks and detailed steps

1. Run the Domain management agent. Review the Operator’s log for errors.
   a. In the directory pane of MMS Compass, click the Domain management agent, and then in the control pane, click Operate MA.
   b. In the Operate the Management Agent dialog box, click Run the Management Agent.
   c. Review the Operator’s log for errors.
   d. Examine the metadirectory to verify that the management agent created the required entries.

2. Run the Contoso management agent. Review the Operator’s log for errors.
   a. In the directory pane, click the Contoso management agent, and then in the control pane, click Operate MA.
   b. In the Operate the Management dialog box, click Run the Management Agent.
   c. Review the Operator’s log for errors.
   d. Examine the metadirectory to verify that the management agent created the required entries.

Where in the metadirectory were entries created? Why were they created in that location?
Entries were created both in the connector namespace and in the metaverse namespace because the
management agents were configured to operate in Reflector mode.
Exercise 3
Creating and Configuring TAMA Account Resources
In this exercise, you will create and configure the required TAMA account resources.
Scenario
Now that the metadirectory has been populated with the required Active Directory containers from
each forest, the next step is to create TAMA account resources. These resources will be used by the
Provisioning Agent management agent to determine where in the Active Directory management
agents’ connector namespaces connectors need to be created.
Tasks and detailed steps

1. Create a copy of the Sample Hierarchical Active Directory Object Creation Resource and configure it by using the following parameters:
   • Management Agent: Contoso
   • Location under MA (Optional): Domain (Extern)
   • Metaverse Boundary Node: Domain
   • Rename to: Domain to Contoso

   Detailed steps:
   a. In the directory pane of MMS Compass, open the Together Administration folder.
   b. Right-click Sample Hierarchical Active Directory Object Creation Resource, and then click Copy.
   c. In the directory pane, in the Together Administration folder, right-click any empty area, and then click Paste.
   d. In the Copy Entry Action dialog box, click Duplicate this entry, and then click OK.
   e. In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA.
   f. In the Select the MA dialog box, click Contoso, drag and drop it to the Management Agent box, and then click OK.
   g. Click Select a location. In the Select a location dialog box, expand Contoso, expand contoso.msft, drag and drop Domain (Extern) to the Location Under MA (Optional) box, and then click OK.
   h. Click …, in the … dialog box, expand msft, expand nwtraders, drag and drop domain in the Metaverse Boundary Node box, and then click OK.
   i. Click OK to close the Sample Hierarchical Active Directory Object Creat dialog box.
   j. In the directory pane, right-click Copy of Sample Hierarchical Active Directory Object Creation Resource, click Rename, type Domain to Contoso Resource and then press ENTER.
2. Create a copy of the Sample Hierarchical Active Directory Object Creation Resource and configure it by using the following parameters:
   • Management Agent: Domain
   • Location under MA (Optional): Contoso (Extern)
   • Metaverse Boundary Node: Contoso
   • Rename to: Contoso to Domain

   Detailed steps:
   a. Right-click Sample Hierarchical Active Directory Object Creation Resource, and then click Copy.
   b. In the directory pane, in the Together Administration folder, right-click any empty area, and then click Paste.
   c. In the Copy Entry dialog box, click Duplicate this entry, and then click OK.
   d. In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA.
   e. In the Select the MA dialog box, click Domain, drag and drop it to the Management Agent box, and then click OK.
   f. Click Select a location. In the Select a location dialog box, double-click Domain, double-click domain.nwtraders.msft, drag and drop Contoso (Extern) to the Location Under MA (Optional) box, and then click OK.
   g. Click …, in the … dialog box, and then expand msft, drag and drop Contoso on the Metaverse Boundary Node box, and then click OK.
   h. Click OK to close the Sample Hierarchical Active Directory Object Creat dialog box.
   i. Right-click Copy of Sample Hierarchical Active Directory Object Creation Resource, click Rename, type Contoso to Domain Resource and then press ENTER.
Exercise 4
Assigning TAMA Account Resources to TAMA Account Profiles
In this exercise, you will assign the appropriate TAMA account resources to the appropriate TAMA
account profiles.
Scenario
Now that the TAMA account resources have been created, the next step is to assign those resources
to TAMA account profiles. To synchronize the Active Directory objects from Domain to Contoso,
you will assign the Domain to Contoso account resource to the account profile for the domain
portion of the metaverse namespace. Conversely, to synchronize the Active Directory objects from
Contoso to Domain, you will assign the Contoso to Domain account resource to the contoso portion
of the metaverse namespace.
Tasks and detailed steps

1. Assign the Domain to Contoso account resource to the account profile for the domain metaverse namespace entry.
   a. At the top of the directory pane of MMS Compass, click The Known Universe.
   b. In the directory pane, click the domain metaverse namespace entry, and then in the control pane, click Administration.
   c. In the Entry Administration dialog box, on the Account Profile tab, under Resource List, drag and drop the Domain to Contoso account resource to the Account Profile box, and then click OK.

2. Assign the Contoso to Domain account resource to the account profile for the contoso metaverse namespace entry.
   a. In the directory pane, click the contoso metaverse namespace entry, and then in the control pane, click Administration.
   b. In the Entry Administration dialog box, on the Account Profile tab, under Resource List, drag and drop the Contoso to Domain account resource to the Account Profile box, and then click OK.
Exercise 5
Operating the Provisioning Agent Management Agent
In this exercise, you will operate the Provisioning Agent management agent in order to create the
connectors in the other management agent’s connector namespaces.
Scenario
Now that the account resources have been properly assigned to the respective account profiles, you
need to operate the Provisioning Agent management agent in order to have the appropriate
connectors created.
Tasks and detailed steps

1. Operate the Provisioning Agent management agent. Check the Operator’s log for errors. Verify that the required connectors were created.
   a. In the directory pane of MMS Compass, click Provisioning Agent, and then in the control pane, click Operate MA.
   b. In the Operate the Together Administration MA dialog box, click Run the Management Agent.
   c. Check the Operator’s log for errors.
   d. Verify that the required connectors were created.

Were the required connectors added to the connector namespace for the Contoso management agent? Were
the required connectors added to the connector namespace for the Domain management agent?
Yes, the required connectors were added to the respective connector namespaces for both of the
management agents.
Exercise 6
Operating the Active Directory Management Agents
In this exercise, you will operate the Active Directory management agents in order to complete
interforest synchronization.
Scenario
Now that the connector namespaces of the management agents have been populated with the
appropriate connectors, the final step is to operate the two Active Directory management agents in
order to complete interforest synchronization.
Tasks and detailed steps

1. Run the Domain management agent. Review the Operator’s log for errors.
   a. In the directory pane of MMS Compass, click the Domain management agent, and then in the action pane, click Operate MA.
   b. In the Operate the Management dialog box, click Run the Management Agent.
   c. Review the Operator’s log for errors.

2. Run the Contoso management agent. Review the Operator’s log for errors.
   a. In the directory pane, click the Contoso management agent, and then in the action pane, click Operate MA.
   b. In the Operate the Management dialog box, click Run the Management Agent.
   c. Review the Operator’s log for errors.

3. Verify that the objects from Contoso were added to Domain.
   a. Open Active Directory Users and Computers from the Administrative Tools menu.
   b. In the directory pane, expand Contoso (Extern).
   c. Verify that the objects from Contoso were added to your domain.

4. Verify that the objects from Domain were added to Contoso.
   a. In the directory pane of Active Directory Users and Computers, right-click Active Directory Users and Computers, and then click Connect to Domain.
   b. In the Connect to Domain dialog box, type contoso.msft and then click OK.
   c. In the directory pane, expand Domain (Extern).
   d. Verify that the objects from Domain were added to Contoso.
   e. Close all windows and then log off.
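
The verification in tasks 3 and 4 can also be scripted. The following is an added example, not part of the original lab materials: it checks each forest's (Extern) organizational unit for the users and contacts listed in the Scenario tables. It assumes the ActiveDirectory PowerShell module is available, that synchronized objects keep their source names, and that 'domain' is replaced with your assigned domain name; the function name Test-SyncedObject is hypothetical.

```powershell
# Added verification example; not part of the original lab materials.
# Assumes the ActiveDirectory PowerShell module (RSAT) and that synchronized
# objects keep the names listed in the Scenario tables.
Import-Module ActiveDirectory

function Test-SyncedObject {
    param(
        [Parameter(Mandatory)] [string]   $Server,
        [Parameter(Mandatory)] [string]   $SearchBase,
        [Parameter(Mandatory)] [string[]] $ExpectedName,
        [pscredential] $Credential
    )
    $query = @{
        Server      = $Server
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'                  # also finds objects placed in child OUs
        LDAPFilter  = '(objectCategory=person)'  # matches user and contact objects
    }
    if ($Credential) { $query.Credential = $Credential }
    $found = @(Get-ADObject @query)

    foreach ($name in $ExpectedName) {
        $hit = @($found | Where-Object { $_.Name -eq $name })
        [pscustomobject]@{
            Forest      = $Server
            Name        = $name
            Present     = $hit.Count -gt 0
            ObjectClass = $hit.ObjectClass -join ','
            DN          = $hit.DistinguishedName -join '; '
        }
    }
}

$domain = 'domain'   # placeholder: replace with your assigned domain name

# Task 3: objects from Contoso should now exist under Contoso (Extern) in your forest.
$results = @(Test-SyncedObject -Server "$domain.nwtraders.msft" `
    -SearchBase "OU=Contoso (Extern),DC=$domain,DC=nwtraders,DC=msft" `
    -ExpectedName 'Cindy Durkin', 'Kim Yoshida', 'Kevin Yim')

# Task 4: objects from your forest should now exist under Domain (Extern) in Contoso.
# The OU name is taken literally from the lab text; adjust it if yours differs.
$results += Test-SyncedObject -Server 'contoso.msft' `
    -SearchBase 'OU=Domain (Extern),DC=contoso,DC=msft' `
    -ExpectedName 'Kate Dresen', 'Clay Martin', 'Wendy Wheeler' `
    -Credential (Get-Credential -Message 'contoso.msft account')

# Rows with Present = False are objects that did not synchronize.
$results | Sort-Object Present | Format-Table -AutoSize
```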