Lab A: Implementing Active Directory Interforest Synchronization Objectives After completing this lab, you will be able to synchronize two Active Directory forests by using MMS. Prerequisites Before working on this lab, you must have: ! Experience creating and operating management agents. ! An understanding of how TAMA functions. Lab Setup To complete this lab, you need the following: ! MMS Server installed and running. ! MMS Compass installed and configured to connect to your MMS Server. ! Run the C:\Moc\2062A\Labfiles\Lab.vbs script. This will prepare your computer for this lab. Scenario The following table details the organizational unit, user, and contact objects that currently exist in the Contoso, Ltd forest. Name Type Location Domain (Extern) Organizational unit NA Warehouse Organizational unit NA Cindy Durkin User Warehouse Kim Yoshida User Warehouse Kevin Yim Contact Warehouse 2 Lab A: Implementing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY The following table details the groups that currently exist in the Contoso, Ltd. forest. Name Group Type Group Scope Members Hide from Distribution List GWarehouse Security Global Cindy Durkin No GwarehouseHidden Security Global None Yes WGWarehouse Security Domain Local None No WGWarehouseHidden Security Domain Local None Yes WWarehouse Security Universal None No WWarehouseHidden Security Universal None Yes The following table details the organizational unit, user and contact objects that currently exist in the Domain (where Domain represents your assigned domain) forest. Name Type Location Contoso (Extern) Organization unit NA Marketing Organizational unit NA Sales Organizational unit NA Kate Dresen User Marketing Clay Martin Contact Marketing Wendy Wheeler User Sales The following table details the groups that currently exist in your forest. Name Group Type Group Scope Members Hide from Distribution List Marketing Security Global Kate Dressen No MarketingEmpty Security Domain Local None No MarketingEmptyHidden Security Universal None Yes Sales Distribution Global None No SalesEmpty Distribution Universal None No SalesEmptyHidden Distribution Universal None Yes Estimated time to complete this lab: xx minutes Lab A: Implementing Active Directory Interforest Synchronization 3 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 1 Creating and Configuring the Management Agents In this exercise, you will create the management agents that are required to connect to the two Active Directory forests. Scenario The first step in synchronizing the two Active Directory forests is to create the required management agents. Tasks Detailed steps 1. Create a management agent for the Domain.nwtraders.msft forest by using the following parameters: • Name: Domain • Type: Microsoft Active Directory management agent • Mode: Reflector • Forest to discover: domain.nwtraders.msft • Username: domain\administrator • Password: password • Active Directory Containers to Discover: Contoso (Extern), Marketing, and Sales. a. Log on as administrator with a password of password. b. Start MMS Compass, and then log on to your MMS Server. c. In the control pane of MMS Compass, click Bookmarks, click Management Agents, and then click Create New Management Agent. d. In the Create Management Agent dialog box, in the Name of the Management Agent box, type Domain (where domain is your assigned domain name). e. In the Type of the Management Agent box, click Microsoft Active Directory Management Agent, and then click Create. f. On the Mode and Namespace Management tab, ensure that the Management Agent Mode is set to Reflector. g. On the Active Directory Discovery Settings tab, in the Forest to discover box, type domain.nwtraders.msft h. In the Username box, type domain\administrator in the Password box, type password and then click OK, in the Change Password dialog box, type password and then click OK. i. In the directory pane, click the Domain management agent, and then in the control pane, click Configure MA. j. In the Configure the Management Agent dialog box, on the Active Directory Discovery Settings tab, click Active Directory Containers to Discover. k. In the Active Directory Containers to Discover dialog box, click … l. In the Enter Network Password dialog box, in the Password box, type password and then click OK. m. In the Forest Browser dialog box, expand DC=domain,DC=nwtraders,DC=msft, click to select Contoso (Extern), Marketing, and Sales, and then click OK. n. Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the Management Agent dialog box. 4 Lab A: Implementing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Tasks Detailed Steps 2. Create a management agent for the contoso.msft forest by using the following parameters: • Name: Contoso • Type: Microsoft Active Directory Management Agent • Mode: Reflector • Forest to discover: contoso.msft • Username: contoso\administrator • Password: password • Active Directory Containers to Discover: Domain (Extern), and Warehouse. a. In the directory pane, click Server, and then in the control pane, click Create New Management Agent. b. In the Create Management Agent dialog box, in the Name of the Management Agent box, type Contoso c. In the Type of the Management Agent box, click Microsoft Active Directory Management Agent, and then click Create. d. On the Mode and Namespace Management tab, ensure that the Management Agent Mode is set to Reflector. e. On the Active Directory Discovery Settings tab, in the Forest to discover box, type contoso.msft f. In the Username box, type contoso\administrator and in the Password box, type password and then click OK, in the Change Password dialog box, type password and then click OK. g. In the directory pane, click the Contoso management agent, and then in the control pane, click Configure MA. h. In the Configure the Management Agent dialog box, on the Active Directory Discovery Settings tab, click Active Directory Containers to Discover. i. In the Active Directory Containers to Discover dialog box, click … j. In the Enter Network Password dialog box, in the Password box, type password and then click OK. k. In the Forest Browser dialog box, expand DC=contoso,DC=mst, click to select Domain (Extern), and Warehouse, and then click OK. l. Click OK to close the Active Directory Containers to Discover dialog box, and then click OK to close the Configure the Management Agent dialog box. Lab A: Implementing Active Directory Interforest Synchronization 5 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 2 Operating the Management Agents In this exercise, you will operate the management agents in order to perform the initial discovery of the two Active Directory forests and to populate the metadirectory. Scenario Now that the required management agents have been created and configured, you must operate the management agents in order to perform the initial discovery and to populate the metaverse namespace. Tasks Detailed steps 1. Run the Domain management agent. Review the Operator’s log for errors. a. In the directory pane of MMS Compass, click the Domain management agent, and then in the control pane, click Operate MA. b. In the Operate the Management Agent dialog box, click Run the Management Agent. c. Review the Operator’s log for errors. d. Examine the metadirectory to verify that the management agent created the required entries. 2. Run the Contoso management agent. Review the Operator’s log for errors. a. In the directory pane, click the Contoso management agent, and then in the control pane, click Operate MA. b. In the Operate the Management dialog box, click Run the Management Agent. c. Review the Operator’s log for errors. d. Examine the metadirectory to verify that the management agent created the required entries. Where in the metadirectory were entries created? Why were they created in that location? Entries were created both in the connector namespace and in the metaverse namespace because the management agents were configured to operate in Reflector mode. 6 Lab A: Implementing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 3 Creating and Configuring TAMA Account Resources In this exercise, you will create and configure the required TAMA account resources. Scenario Now that the metadirectory has been populated with the required Active Directory containers from each forest, the next step is to create TAMA account resources. These resources will be used by the Provisioning Agent management agent to determine where in the Active Directory management agents’ connector namespaces connectors need to be created. Tasks Detailed steps 1. Create a copy of the Sample Hierarchical Active Directory Object Creation Resource and configure it by using the following parameters: • Management Agent: Contoso • Location under MA (Optional): Domain (Extern) • Metaverse Boundary Node: Domain • Rename to: Domain to Contoso a. In the directory pane of MMS Compass, open the Together Administration folder. b. Right-click Sample Hierarchical Active Directory Object Creation Resource, and then click Copy. c. In the directory pane, in the Together Administration folder, right- click any empty area, and then click Paste. d. In the Copy Entry Action dialog box, click Duplicate this entry, and then click OK. e. In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA. f. In the Select the MA dialog box, click Contoso, drag and drop it to the Management Agent box, and then click OK. g. Click Select a location, in the Select a location dialog box, expand Contoso, expand contoso.msft, drag and drop Domain (Extern) to the Location Under MA (Optional) box, and then click OK. h. Click …, in the … dialog box, expand msft, expand nwtraders, drag and drop domain in the Metaverse Boundary Node box, and then click OK. i. Click OK to close the Sample Hierarchical Active Directory Object Creat dialog box. j. Int eh directory pane, right-click Copy of Sample Hierarchical Active Directory Object Creation Resource, click Rename, type Domain to Contoso Resource and then press ENTER. Lab A: Implementing Active Directory Interforest Synchronization 7 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Tasks Detailed Steps 2. Create a copy of the Sample Hierarchical Active Directory Object Creation Resource and configure it by using the following parameters: • Management Agent: Domain • Location under MA (Optional): Contoso (Extern) • Metaverse Boundary Node: Contoso • Rename to: Contoso to Domain a. Right-click Sample Hierarchical Active Directory Object Creation Resource, and then click Copy. b. In the directory pane, in the Together Administration folder, right- click any empty area, and then click Paste. c. In the Copy Entry dialog box, click Duplicate this entry, and then click OK. d. In the Sample Hierarchical Active Directory Object Creat dialog box, click Select the MA. e. In the Select the MA dialog box, click Domain, drag and drop it to the Management Agent box, and then click OK. f. Click Select a location, in the Select a location dialog box, double- click Domain, double-click domain.nwtraders.msft, drag and drop Contoso(Extern) to the Location Under MA (Optional) box, and then click OK. g. Click …, in the … dialog box, and then expand msft, drag and drop Contoso on the Metaverse Boundary Node box, and then click OK. h. Click OK to close the Sample Hierarchical Active Directory Object Creat dialog box. i. Right-click Copy of Sample Hierarchical Active Directory Object Creation Resource, click Rename, type Contoso to Domain Resource and then press ENTER. 8 Lab A: Implementing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 4 Assigning TAMA Account Resources to TAMA Account Profiles In this exercise, you will assign the appropriate TAMA account resources to the appropriate TAMA account profiles. Scenario Now that the TAMA account resources have been created, the next step it to assign those resources to TAMA account profiles. To synchronize the Active Directory objects from Domain to Contoso, you will assign the Domain to Contoso account resource to the account profile for the domain portion of the metaverse namespace. Conversely, to synchronize the Active Directory objects from Contoso to Domain, you will assign the Contoso to Domain account resource to the contoso portion of the metaverse namespace. Tasks Detailed steps 1. Assign the Domain to Contoso account resource to the account profile for the domain metaverse namespace entry. a. At the top of the directory pane of MMS Compass, click The Known Universe. b. In the directory pane, click the domain metaverse namespace entry, and then in the control pane, click Administration. c. In the Entry Administration dialog box, on the Account Profile tab, under Resource List, drag and drop the Domain to Contoso account resource to the Account Profile box, and then click OK. 2. Assign the Contoso to Domain account resource to the account profile for the contoso metaverse namespace entry. a. In the directory pane, click the contoso metaverse namespace entry, and then in the control pane, click Administration. b. In the Entry Administration dialog box, on the Account Profile tab, under Resource List, drag and drop the Contoso to Domain account resource to the Account Profile box, and then click OK. Lab A: Implementing Active Directory Interforest Synchronization 9 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 5 Operating the Provisioning Agent Management Agent In this exercise, you will operate the Provisioning Agent management agent in order to create the connectors in the other management agent’s connector namespaces. Scenario Now that the account resources have been properly assigned to the respective account profiles, you need to operate the Provisioning Agent management agent in order to have the appropriate connectors created. Tasks Detailed steps 1. Operate the Provisioning Agent management agent. Check the Operator’s log for errors. Verify that the required connectors were created. a. In the directory pane of MMS Compass, click Provisioning Agent, and then in the control pane, click Operate MA. b. In the Operate the Together Administration MA dialog box, click Run the Management Agent. c. Check the Operator’s log for errors. d. Verify that the required connectors were created. Were the required connectors added to the connector namespace for the Contoso management agent? Were the required connectors added to the connector namespace for the Domain management agent? Yes, the required connectors were added to the respective connector namespaces for both of the management agents. 10 Lab A: Implementing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Exercise 6 Operating the Active Directory Management Agents In this exercise, you will operate the Active Directory management agents in order to complete interforest synchronization. Scenario Now that the connector namespaces of the management agents have been populated with the appropriate connectors, the final step is to operate the two Active Directory management agents in order to complete interforest synchronization. Tasks Detailed steps 1. Run the Domain management agent. Review the Operator’s log for errors. a. In the directory pane of MMS Compass, click the Domain management agent, and then in the action pane, click Operate MA. b. In the Operate the Management dialog box, click Run the Management Agent. c. Review the Operator’s log for errors. 2. Run the Contoso management agent. Review the Operator’s log for errors. a. In the directory pane, click the Contoso management agent, and then in the action pane, click Operate MA. b. In the Operate the Management dialog box, click Run the Management Agent. c. Review the Operator’s log for errors. 3. Verify that the objects from Contoso were added to Domain. a. Open Active Directory Users and Computers from the Administrative Tools menu. b. In the directory pane, expand Contoso (Extern). c. Verify that the objects from Contoso were added to your domain. 4. Verify that the objects from Domain were added to Contoso. a. In the directory pane of Active Directory Users and Computers, right- click Active Directory Users and Computers, and then click Connect to Domain. b. In the Connect to Domain dialog box, type contoso.msft and then click OK. c. In the directory pane, expand Domain (Extern). d. Verify that the objects from Domain were added to Contoso. e. Close all windows and then log off. . Lab A: Implementing Active Directory Interforest Synchronization Objectives After completing this lab, you will be able to synchronize two Active Directory. None Yes Estimated time to complete this lab: xx minutes Lab A: Implementing Active Directory Interforest Synchronization 3 BETA MATERIALS FOR