Windows 2012 – Active Directory Basic Install

Below is a basic Active Directory installation for Windows 2012. The installation is a stand alone Active Directory infrastructure in which there is no current Active Directory domain in the environment.

Open Server Manager:

Select Add Roles and Features from the Configure this local server.

Select next:

Select Role Based Feature, Select Next

Select a server from the server pool, then select the computer name of the machine to install the Active Directory 2012, Finally, select Next>

Select Active Directory Domain Services, Select Next>

Select Add Features

Select Next

Select Next

Select Next

Select Install

Watch the task bar to completion

Select Close

Select Add a new forest, Enter <root domain name> then select Next

Select DNS, Enter the password and confirm password, then select Next

Select Next

Select Next

Select Next

Select Next

While it’s installing you can check the Dashboard and view the progress of the installation

After you select complete and the server reboots you will see all the new Active Directory tools installed in the Server Manager.

FIM 2010 with Exchange 2010 Configuration for provisioning

FIM 2010 with Exchange 2010 Configuration for provisioning

FIM 2010 can help provision users account while creating Exchange 2010 mail account. With this process below, we will see how FIM 2010 can create Exchange mailboxes when accounts are created in FIM 2010.

FIM Synchronization Service Manager:

In FIM 2010 Synchronization Service make sure to enable Exchange 2010 Rule Extension:

Select Tools > Options

Check the Enable metaverse rules extension

Select Browse and select Exch2010Extenstion.dll (See Below):

Then in the FIM AD MA make sure to configure the extension:

Select the Configure Extension

Select the drop down Provision for: and select Exchange 2010.

In the Exchange 2010 RPS URI put in : http://<the cas server name>/Powershell. Make sure the powershell web site is enabled for this extension to work.

Exchange 2010 Configuration:

After we have this configured, we need to make sure that an account can create mailboxes in Exchange. In exchange make sure the domain FIM sync account as the proper administrative rights to create mailboxes. Test the account by updating an account and providing them a mailbox. If the FIM sync account can’t create or update a mailbox then the permissions are incorrect.

FIM 2010 Service and Portal:

In the FIM Portal, the synchronization rule outbound will need to be configured for creating the mailbox in Exchange. We do this by updating the MS Exchange attributes in AD. Below is how we configure this rule.

Navigate to the FIM Portal

Select Administration > Synchronization Rules.

Select the outbound rule that has been created for users. If this is not created you must create an outbound rule for AD users.

On the AD Synchronization rule select the Outbound Attribute flow.

Create the five outbound attribute flows below with Initial Flow Only:

1. /o=/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=-> MSEXCHANGEHOMEServerName

2. CN=Default Role Assignment Policy,CN=Policies,CN=RBAC,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com->  MSExchangeRBACPolicyLink

3. CN=<servername of home MDB>,CN=Databases,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=DomainName,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=DomainName,DC=Com ->HomeMDB

If you have multiple databases for HomeMDB you can create a random number to be created for each database. Lets say there are 8, in the attribute flow add the function for the HomeMDB: CN=RandomNum(1,8)

4.  .domainname-> userprincipalName

5. true -> MDBUseDefaults

Additional attributes that need created for a user are the useraccountcontrol and UnicodePswd. These are needed to create an account in AD. If these attributes are not set please do them so you can get the account created in AD.

Final steps:

1. Create an account in the FIM 2010 Portal

2. Synchronize the FIM MA

3. Export the FIM AD MA

4. Check the attributes in AD

5. Logon with the new account in Outlook or Outlook Web.


As you can see it is not difficult to configure FIM 2010 to create mail accounts in Exchange 2010. The process below can reduce administration in AD and Exchange by allowing FIM to control the account creation for AD and Exchange mail account.

Active Directory and Identity and Access Management Principal Engineer
Nathan Mertz | Bennett Adelson | Columbus

FIM 2010 – User RCDC to Add User to Groups

In FIM 2010, there is no way to use the current RCDC (Resource Control Display Configuration) to create a “user” interface, not group interface, that will allow a user to be added to a group. The current out-of-the-box interface for FIM only allows for group interfaces to be used for adding users to specific groups. In the world of self service, administrators should be moving away from group and user management. However, with FIM 2010 the interface is built for a more technical staff, which is a problem for the everyday user. Below is how I solved this problem in FIM 2010. The below explaination is technical and FIM 2010, Visual Basic, and XML knowledge is needed.

How did I use the “user” interface and achieve user addition or removal from groups?

  1. Changes to the schema
  2. Changes to the User RCDC
  3. Created a Custom WorkFlow in VB.NET

Step 1: Changes to the schema

I created a new resource type reference object which contains the names of the groups I wanted users to request or to be able to be added to.  This gave me a short, easy custom list for any admin to add a role/groups to without needing to search. I then created a reference attribute on the user resource type to view the new reference type groups in a drop down. (Attributes are added in the Schema Section in the FIM Portal).

Step 2: Changes to the User RCDC

To use this drop down in the RCDC for users, I added this to the User Edit RCDC:

<my:Control my:Name="GroupRoleName" my:TypeName="UocDropDownList" my:Caption="Access Role" my:Description="Access Role"  my:RightsLevel="{Binding Source=rights, Path=Group_Ref}" my:AutoPostback="true">
        <my:Property my:Name="Required" my:Value="{Binding Source=schema, Path=Group_Ref.Required}"/>
        <my:Property my:Name="Columns" my:Value="40"/>
        <my:Property my:Name="HintPath" my:Value="Hint"/>
        <!--The new user attribute which is a reference attribute-->
        <my:Property my:Name="ItemSource" my:Value="{Binding Source=search, Path=Group_Role_Ref}"/>
        <!--The new resource type attribute where my list of roles are located--> 
        <my:Property my:Name="SelectedValue" my:Value="{Binding Source=object, Path=Group_Ref, Mode=TwoWay}"/>

FYI, the reference attribute will only be stored as an ObjectID; I look up the display name in my workflow below.

Then, I created sets that would kick off an add or remove Management Policy Rule (MPR).  I used a custom boolean attribute that if selected would add/remove the user to the set, and then kick off an MPR, and finally run a WorkFlow activity.

Step 3: Created a Custom WorkFlow in VB.NET

Finally, I created a new custom WorkFlow where I used the new resource type display names for quering the groups with a dynamic XPath query in a EnumerateResourceActivity and then an UpdateResourceActivity which added/removed the user from a group.

Here is the important code when running an enumeration activity:

Enumeration Code

Make sure to add this above the Private Sub InitializeComponent():

Private codeActivity1 As CodeActivity

Make sure to add this in the Private Sub InitializeComponent() above the Me.CanModifyActivities = False:

Me.Name = "GroupActivity"
Me.codeActivity1 = New System.Workflow.Activities.CodeActivity()
Me.codeActivity1.Name = "codeActivity1"
AddHandler Me.codeActivity1.ExecuteCode, AddressOf Me.GetGroupEnum_ExecuteCode 'CodeActivity is the child of my enumerationresourceactivity Me.enumerateResourcesActivity1.Activities.Add(Me.codeActivity1)
Me.CanModifyActivities = False

Your activity design document should look like this afterwards for the enumerate activity or it will return a count but all other data will be NULL.

Now for some of the code for setting looking up the of the display name of the Resource Type using readresourceactivity:

Private Sub UpdateGroup_ExecuteCode(sender As System.Object, e As System.EventArgs)
    Me.Log("Starting Next Code ")
    Dim currentRequest As RequestType = currentRequestInformation_CurrentRequest1
    Me.Log("After Request")
    Dim RoleQuery As String = Me.Target_Resource1(Me.GUIinsert) 'GUI Insert Taken from the WorkFlow setup/GUI screen
    Me.Log("Role Name Returned1Ref1::" & RoleQuery & ". ")
    Me.GetDisplayName.ActorId = New System.Guid("00000000-0000-0000-0000-000000000000")
    Me.GetDisplayName.Name = "GetDisplayName"
    Me.GetDisplayName.Resource = Nothing
    Me.GetDisplayName.ResourceId = New System.Guid(RoleQuery)
    Me.GetDisplayName.SelectionAttributes = New String() {"DisplayName"}
End Sub

Enumeration Activity Code

Private Sub GetDisplay_ExecuteCode(sender As System.Object, e As System.EventArgs)
    Dim RoleQuery2 As String = Me.GetDisplayName_Resource1("DisplayName")
    Me.Log("Role Name Returned1Ref2:" & RoleQuery2 & ". ")
    Me.enumerateResourcesActivity1.ActorId = New System.Guid("00000000-0000-0000-0000-000000000000")
    Me.GetGroup.Name = "GetGroup"
    Me.enumerateResourcesActivity1.PageSize = 100
    Me.enumerateResourcesActivity1.Selection = New String() {"AccountName"}
    Me.enumerateResourcesActivity1.SortingAttributes = Nothing Me.enumerateResourcesActivity1.TotalResultsCount = 0 Me.enumerateResourcesActivity1.XPathFilter = "/Group[contains(" & Me.SearchScope & ",'" & RoleQuery2 & "')]" 'SearchScope is taken from WorkFlow GUI screen
    Me.Log("XPATH Name Returned1Ref2:" & Me.enumerateResourcesActivity1.XPathFilter & ". ")
End Sub

Enumeration and Update Code

Private Sub GetGroupEnum_ExecuteCode(sender As System.Object, e As System.EventArgs)
    Dim QueryGr As Guid = Nothing Me.Log("Role Name Returned1Ref3:. ")
    If Me.enumerateResourcesActivity1.TotalResultsCount > 0 Then
        Me.Log("Role Name Returned1Ref3:Inside. ")
        Me.Log("Role Name Returned1Ref4:seq. ")
        Dim currentItem As ResourceType = TryCast(EnumerateResourcesActivity.GetCurrentIterationItem(DirectCast(sender, CodeActivity)), ResourceType)
        If (currentItem Is Nothing) Then
            Me.Log("Role Name Returned1Ref5:Null.")
            Exit Sub
            Me.Log("Role Name Returned1Ref5:Not Null.")
                Me.Log("Number : " & Convert.ToString(Me.enumerateResourcesActivity1.TotalResultsCount))
                Me.Log("UID : " & currentItem.ObjectID.GetGuid().ToString())
            Catch ex As Exception
            End Try
            ReturnValue = currentItem.ObjectID.GetGuid().ToString()
        End If
    End If
    QueryGr = New Guid(ReturnValue)
    Dim GroupValue As Guid = Me.Target_ResourceId1
    Dim updateInstruction2 As Microsoft.ResourceManagement.WebServices.WSResourceManagement.UpdateRequestParameter = New Microsoft.ResourceManagement.WebServices.WSResourceManagement.UpdateRequestParameter() updateInstruction2.PropertyName = "ExplicitMember"
    If Me.AddRemoveGroup = "Add" Then 'Taken from WorkFlow GUI Screen if the workflow is remove or add
        updateInstruction2.Mode = UpdateMode.Insert
    ElseIf Me.AddRemoveGroup = "Remove" Then
        updateInstruction2.Mode = UpdateMode.Remove
    End If
        Me.update.UpdateParameters = New UpdateRequestParameter() {updateInstruction2}
        Me.update.ActorId = New System.Guid("00000000-0000-0000-0000-000000000000")
        Me.update.ResourceId = QueryGr
    Catch ex As Exception
        Me.Log("Role Name Returned16:" & ex.ToString() & ". ")
    End Try
End Sub
GUI Screen:
I hope this help others with an example of how to customize the “user” RCDC screen.

Identity Management and Active Directory Principal Engineer
Nathan Mertz | Bennett Adelson | Columbus