Cross Forest Management - (Create groups with FSP's as Members) Part 1

Scenario:

  • 2 Forests
    • Contoso
    • Fabrikam
  • Each Forest has Exchange installed
  • Fabrikam needs to allow members of groups to access SharePoint Resources
  • Contoso will be the source for all Groups
  • Groups need to be created in the Fabrikam Forest with an updated Display Name and samAccountName to include "SP_"
    • Contoso
      • TestGroup
    • Fabrikam
      • SP_TestGroup
  • Members of Groups in the Fabrikam Forest will contain the "FSP" Foreign Security Principal that references the User in Contoso.
  • Foreign Security Principals will be updated to include the Display Name and Description of the Referenced Source Objects from Contoso
  • Use Scoping Filter Synchronization Rules instead of Traditional Synchronization Rules; you may wish to read the following Blog Postings for additional information on the Synchronization Rule Types

Prerequisites

Group Management configured for Source Forest (Contoso)

Create the Following Outbound Synchronization Rules

  • Outbound Groups to Fabrikam as SharePoint Group
    • Display Name - (something like) Outbound Groups to Fabrikam as SharePoint Groups
    • Description - (Type anything you would like to identify the purpose of the Sync Rule)
    • Data Flow Direction - Outbound
    • Apply Rule - Select the 2nd option "To all Metaverse resources of this type according to Outbound System Scoping Filter". The Outbound System Scoping Filter is defined in the Scope Tab.
  • Click on Next
  • On the Scope Tab
    • Metaverse Resource Type - group
    • External System - Fabrikam ADMA (Select the Management Agent that connects to the Destination Forest.)
    • External System Resource Type - group
  • Outbound System Scoping Filter
    • You can leave this section as default with nothing selected if you want all groups in the Metaverse created in the Destination Forest
      • NOTE: The Object type selected above for Metaverse Resource Type will be used to define the scope of objects that this sync rule will apply to.
  • Inbound System Scoping Filter
    • Leave Default
  • Click on Next
    • Relationship Criteria - Do not populate; this is only used for Inbound Sync Rules
    • Create Resource In FIM - Leave Unchecked
    • Create Resource in External System - Check this option
    • Enable Deprovisioning - Leave Unchecked
  • Click on Next
  • Outbound Attribute Flows
    • "SP_"+accountName - samAccountName
    • description - description
    • "SP_"+displayName - displayName
    • member - member (See below)
    • -2147483644 (number) - groupType
    • (Build DN)
      • "CN="+"SP_"+accountName+",OU=MIMGroups,OU=MIMObjects,DC=Fabrikam,DC=com" - dn
        • Set as Initial Flow Only
  • For the Member Attribute Flow Destination
    • Flow Scope - group, foreignSecurityPrincipal

  • Outbound Users to Fabrikam (FSP)
    • Display Name - (something like) Outbound Users to Fabrikam (FSP)
    • Description - (Type anything you would like to identify the purpose of the Sync Rule)
    • Data Flow Direction - Outbound
    • Apply Rule - Select the 2nd option "To all Metaverse resources of this type according to Outbound System Scoping Filter". The Outbound System Scoping Filter is defined in the Scope Tab.
  • Click on Next
  • On the Scope Tab
    • Metaverse Resource Type - person
    • External System - Fabrikam ADMA (Select the Management Agent that connects to the Destination Forest.)
    • External System Resource Type - foreignSecurityPrincipal
  • Outbound System Scoping Filter
    • You can leave this section as default with nothing selected if you want an "FSP" created for all Users from the Source Forest.
      • NOTE: The Object type selected above for Metaverse Resource Type will be used to define the scope of objects that this sync rule will apply to.
  • Inbound System Scoping Filter
    • Leave Default
  • Click on Next
    • Relationship Criteria - Do not populate; this is only used for Inbound Sync Rules
    • Create Resource In FIM - Leave Unchecked
    • Create Resource in External System - Check this option
  • Click on Next
  • Outbound Attribute Flows
    • description - description
    • displayName - displayName
    • Function ConvertSidToString
      • ConvertSidToString(objectSid) - name
      • ConvertSidToString(objectSid) - cn
    • (Build DN)
      • "CN="+ConvertSidToString(objectSid)+",CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com" - dn
        • Set as Initial Flow Only
  • Click on Finish
  • Run a Full Import on the FIMMA
  • Run a Full Sync on the FIMMA
  • From the Source Forest MA, locate a few User and Group objects and run a Preview on them to verify the desired outcome
  • Continue the normal Sync Cycle
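Before running the Preview step it helps to know exactly what values the two sync rules above should produce. The following is an added example, not code from this article or from FIM/MIM: a small Python model of the "Outbound Groups to Fabrikam as SharePoint Group" and "Outbound Users to Fabrikam (FSP)" attribute flows, with the SID-to-string conversion, the Build DN expressions, the member flow scope and the groupType constant worked through on constructed sample objects. Assumed: the container names from the Build DN flows, made-up sample metaverse objects and SID, and that the page's ConvertSidToString function yields the standard "S-1-5-21-..." string (the decoding below is a re-implementation, not MIM's own).

```python
"""Model of the two outbound attribute flows on this page (added example)."""
import struct

# Container names taken from the Build DN flows above.
FABRIKAM_GROUP_OU = "OU=MIMGroups,OU=MIMObjects,DC=Fabrikam,DC=com"
FABRIKAM_FSP_CONTAINER = "CN=ForeignSecurityPrincipals,DC=Fabrikam,DC=com"

# groupType bits from ADS_GROUP_TYPE_ENUM; the page's constant -2147483644 is 0x80000004.
GROUP_TYPE_SCOPES = {0x2: "Global", 0x4: "DomainLocal", 0x8: "Universal"}
GROUP_TYPE_SECURITY_ENABLED = 0x80000000
SP_GROUP_TYPE = -2147483644


def convert_sid_to_string(sid: bytes) -> str:
    """Re-implementation of the sync-rule function ConvertSidToString.

    Binary objectSid layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), sub-authorities (4 bytes each, little-endian).
    """
    if len(sid) < 8:
        raise ValueError("SID too short")
    revision, sub_count = sid[0], sid[1]
    if len(sid) != 8 + 4 * sub_count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % sub_count, sid, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def decode_group_type(value: int) -> str:
    """Show what a signed 32-bit groupType means (scope and security/distribution)."""
    bits = value & 0xFFFFFFFF
    scope = GROUP_TYPE_SCOPES[bits & 0xE]
    kind = "Security" if bits & GROUP_TYPE_SECURITY_ENABLED else "Distribution"
    return scope + "/" + kind


def flow_fsp(person: dict) -> dict:
    """Outbound Users to Fabrikam (FSP): name, cn and dn all derive from the Contoso SID."""
    sid_string = convert_sid_to_string(person["objectSid"])
    return {
        "description": person.get("description"),
        "displayName": person.get("displayName"),
        "name": sid_string,
        "cn": sid_string,
        "dn": "CN=%s,%s" % (sid_string, FABRIKAM_FSP_CONTAINER),  # initial flow only
    }


def flow_group(group: dict) -> dict:
    """Outbound Groups to Fabrikam as SharePoint Group: SP_ prefix, domain-local
    security group, members resolved to their Fabrikam representation."""
    members = []
    for m in group.get("member", []):
        # Flow scope "group, foreignSecurityPrincipal": only metaverse persons (as FSPs)
        # and groups (as SP_ groups) resolve to a DN; other types such as contacts are dropped.
        if m["objectType"] == "person":
            members.append(flow_fsp(m)["dn"])
        elif m["objectType"] == "group":
            members.append(flow_group(m)["dn"])
    return {
        "samAccountName": "SP_" + group["accountName"],
        "description": group.get("description"),
        "displayName": "SP_" + group["displayName"],
        "groupType": SP_GROUP_TYPE,
        "member": members,
        "dn": "CN=SP_%s,%s" % (group["accountName"], FABRIKAM_GROUP_OU),  # initial flow only
    }


# Constructed sample metaverse objects; the SID is made up, not a real domain SID.
SAMPLE_SID = bytes([1, 5]) + (5).to_bytes(6, "big") + struct.pack("<5I", 21, 1111, 2222, 3333, 1105)
SAMPLE_PERSON = {"objectType": "person", "objectSid": SAMPLE_SID,
                 "displayName": "Test User", "description": "Contoso test account"}
SAMPLE_GROUP = {"objectType": "group", "accountName": "TestGroup", "displayName": "TestGroup",
                "description": "Contoso test group",
                "member": [SAMPLE_PERSON, {"objectType": "contact", "displayName": "External"}]}

if __name__ == "__main__":
    for key, value in flow_group(SAMPLE_GROUP).items():
        print(key, "=", value)
    print("groupType meaning:", decode_group_type(SP_GROUP_TYPE))
```

Two details the model makes visible: the groupType value -2147483644 decodes to a domain local security group, which is the scope that can hold security principals from a trusted forest, so the FSP members created by the second rule are valid members; and because both dn flows are marked Initial Flow Only, a later rename of the Contoso account or group updates displayName and samAccountName but does not attempt to move the Fabrikam object.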

In Cross Forest Management - (Create groups with FSP's as Members) Part 2 we will discuss at a deeper level what's happening behind the scenes, and how to join up these objects in case there is a need to rebuild the metaverse.
References

Cross-Forest Management Deployment Guide

Security Principals Technical Reference