Test the Deployment of a Cross-Forest Management Solution Using Forefront Identity Manager (FIM) 2010

Updated: June 3, 2010

Applies To: Forefront Identity Manager 2010

To ensure that the cross-forest management solution that you deployed using Microsoft® Forefront® Identity Manager (FIM) 2010 is correct, perform the actions detailed in the following table.

Section Step Success? Troubleshooting

Microsoft Office SharePoint® Server 2007

Log on to FIM as a user from the Contoso.com forest.

  • Ensure that Office SharePoint Server 2007 is configured for multi-forest browsing.

Office SharePoint Server 2007

Log on to FIM as a user from the Fabrikam.com forest.

  • Ensure that Office SharePoint Server 2007 is configured for multi-forest browsing.

Users

Create a user in the Fabrikam domain.

  • Permissions: Ensure that you have the rights to create a user.

  • Domain not present in combo box: Ensure that you have created the Fabrikam.com domain and forest correctly.

Users

Create a user in the Contoso domain.

  • Permissions: Ensure that you have the rights to create a user.

  • Domain not present in combo box: Ensure that you have created the Fabrikam domain and forest correctly.

Security groups

Create a security group in the Fabrikam domain.

  • Permissions: Ensure that you have the rights to create a security group.

  • Domain not present in combo box: Ensure that you have created the Fabrikam domain and forest correctly.

Security groups

Create a security group in the Contoso domain.

  • Permissions: Ensure that you have the rights to create a security group.

  • Domain not present in combo box: Ensure that you have created the Fabrikam domain and forest correctly.

Distribution lists

Create a distribution list in the Fabrikam domain.

  • Permissions: Ensure that you have the rights to create a distribution list.

  • Domain not present in combo box: Ensure that you have created the Fabrikam domain and forest correctly.

Distribution lists

Create a distribution list in the Contoso domain.

  • Permissions: Ensure that you have the rights to create a distribution list.

  • Domain not present in combo box: Ensure that you have created the Fabrikam domain and forest correctly.

Sets

Verify that the Fabrikam AD DS Users set is populated with the Fabrikam User.

  • Sets: Ensure that the AD DS User provisioning set is created correctly.

Sets

Verify that the Contoso AD DS Users set is populated with the Contoso User.

  • Sets: Ensure that the AD DS User provisioning set is created correctly.

Sets

Verify that the Fabrikam AD DS Security Group set is populated with the Fabrikam Security Group.

  • Sets: Ensure that the AD DS Security Group provisioning set is created correctly.

Sets

Verify that the Contoso AD DS Security Group set is populated with the Contoso Security Group.

  • Sets: Ensure that the AD DS Security Group provisioning set is created correctly.

Sets

Verify that the Fabrikam AD DS Distribution List set is populated with the Fabrikam distribution list.

  • Sets: Ensure that the AD DS Distribution List provisioning set is created correctly.

Sets

Verify that the Contoso AD DS Distribution List set is populated with the Contoso distribution list.

  • Sets: Ensure that the AD DS Distribution List provisioning set is created correctly.

Requests

Verify that the request to create the Fabrikam User triggered the AD DS User provisioning workflow.

  • Workflow: Ensure that the AD DS User provisioning workflow is created correctly.

  • Management policy rule (MPR): Ensure that the AD DS User provisioning MPR is created correctly.

Requests

Verify that the request to create the Contoso User triggered the AD DS User provisioning workflow.

  • Workflow: Ensure that the AD DS User provisioning workflow is created correctly.

  • MPR: Ensure that the AD DS User provisioning MPR is created correctly.

Requests

Verify that the request to create the Fabrikam Security Group triggered the AD DS Security Group provisioning workflow.

  • Workflow: Ensure that the AD DS Security Group provisioning workflow is created correctly.

  • MPR: Ensure that the AD DS Security Group provisioning MPR is created correctly.

Requests

Verify that the request to create the Contoso Security Group triggered the AD DS Security Group provisioning workflow.

  • Workflow: Ensure that the AD DS Security Group provisioning workflow is created correctly.

  • MPR: Ensure that the AD DS Security Group provisioning MPR is created correctly.

Requests

Verify that the request to create the Fabrikam distribution list triggered the AD DS Distribution List provisioning workflow.

  • Workflow: Ensure that the AD DS Distribution List provisioning workflow is created correctly.

  • MPR: Ensure that the AD DS Distribution List provisioning MPR is created correctly.

Requests

Verify that the request to create the Contoso distribution list triggered the AD DS Distribution List provisioning workflow.

  • Workflow: Ensure that the AD DS Distribution List provisioning workflow is created correctly.

  • MPR: Ensure that the AD DS Distribution List provisioning MPR is created correctly.

Synchronization

Run Import and Sync on the FIM management agent (MA). This should result in all users and groups being provisioned to Active Directory® Domain Services (AD DS).

  • Users and Groups not imported: Import again 60 seconds after creation of users and groups.

  • Users not provisioned to AD: Ensure that AD DS User synchronization rules are created correctly.

  • Security groups are not provisioned to AD DS: Ensure that AD DS Security Group synchronization rules are created correctly.

  • Distribution lists are not provisioned to AD DS: Ensure that AD DS Distribution List synchronization rules are created correctly.

Synchronization

Run Export on the AD DS MA. This should result in all users and groups being created in AD DS.

  • Permissions: Ensure that the AD MA credentials have Write access.

Synchronization

Run Import and Sync on the AD MA. This should result in all users and groups in FIM being updated with e-mail messages and security identifiers (SIDs).

  • Permissions: Ensure that the AD MA credentials have directory replicate privileges.

Synchronization

Run Export on the FIM MA. This should result in all users and groups in FIM being populated with e-mail messages and SIDs.

  • Permissions: Ensure that the FIM MA credentials are configured correctly.

Sets

Verify that the Fabrikam AD DS Contacts for User set is populated with the Contoso User.

  • Sets: Ensure that AD DS Contacts for User provisioning set is created correctly.

  • Ensure that the Domain Synchronization workflow and MPR are created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Sets

Verify that the Contoso AD DS Contacts for Users set is populated with the Fabrikam User.

  • Ensure that AD DS Contacts for User provisioning set is created correctly.

  • Ensure that the Domain Synchronization workflow and MPR are created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Sets

Verify that the Fabrikam AD DS Contacts for Mail-enabled Security Group set is populated with the Contoso Security Group.

  • Ensure that AD DS Contacts for Mail Enabled Security Group provisioning set is created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Sets

Verify that the Contoso AD DS Contacts for Mail Enabled Security Group set is populated with the Fabrikam Security Group.

  • Ensure that AD DS Contacts for Mail Enabled Security Group provisioning set is created correctly.

  • Ensure that the Domain Synchronization workflow and MPR are created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Sets

Verify that the Fabrikam AD DS Contacts for Distribution List set is populated with the Contoso distribution list.

  • Ensure that the AD DS Contacts for Distribution List provisioning set is created correctly.

  • Ensure that the Domain Synchronization workflow and MPR are created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Sets

Verify that the Contoso AD DS Contacts for Distribution List set is populated with the Fabrikam distribution list.

  • Ensure that the AD DS Contacts for Distribution List provisioning set is created correctly.

  • Ensure that the Domain Synchronization workflow and MPR are created correctly.

  • Ensure that the Domain Configuration objects correctly reference the Forest Configuration objects.

Synchronization

Run Import and Sync on the FIM MA. This should result in all contacts being provisioned to AD DS.

  • Users and Groups not updated: Import again 60 seconds after creation of users and groups.

  • User Contacts not provisioned to AD DS: Ensure that AD DS Contacts for User synchronization rules are created correctly.

  • Mail-Enabled Security Group Contacts are not provisioned to AD: Ensure that AD DS Contacts for Mail-enabled Security Group synchronization rules are created correctly.

  • Contacts for Distribution Lists are not provisioned to AD DS: Ensure that AD DS Contacts for Distribution List synchronization rules are created correctly.

Synchronization

Run Export on the AD MA. This should result in all contacts being created in AD DS.

  • Ensure that the AD MA credentials have Write access to AD DS.

Synchronization

Run Import and Sync on the AD DS MA. This should result in no updates to FIM.

  • It is possible that some detail in AD DS may have changed. If the update to FIM occurs, ensure that it makes sense given the state of AD DS.

Groups

Add the Contoso User to the Fabrikam distribution list.

  • Permissions: Ensure that you have the rights to update a distribution list.

Groups

Add the Fabrikam User to the Contoso distribution list.

  • Permissions: Ensure that you have the rights to update a distribution list.

Groups

Add the Contoso distribution list to the Fabrikam distribution list.

  • Permissions: Ensure that you have the rights to update a distribution list.

Groups

Add the Fabrikam distribution list to the Contoso distribution list.

  • Permissions: Ensure that you have the rights to update a distribution list.

Synchronization

Run Import and Sync on the FIM MA. This should result in distribution list membership updates to AD DS.

  • Users and Groups are not updated: Import again 60 seconds after creation of users and groups.

  • Membership is not updated to AD DS: Ensure that AD DS distribution list synchronization rules are created correctly.

Synchronization

Run Export on the AD MA. This should result in membership updates exported to AD DS.

  • Ensure that the AD MA credentials have Write access to AD DS.

Synchronization

Run Import and Sync on the AD MA. This should result in no updates to FIM.

  • It is possible that some detail in AD DS may have changed. If the update to FIM occurs, ensure that it makes sense given the state of AD DS.

Active Directory Users and Computers

Ensure that the Fabrikam distribution list contains the Contoso User and Contoso distribution list.

  • User is not a member: Ensure that the Contact for the Contoso User has been created.

  • Distribution List is not a member: Ensure that the Contact for the Contoso distribution list has been created.

Active Directory Users and Computers

Ensure that the Contoso distribution list contains the Fabrikam distribution list.

  • User is not a member: Ensure that the Contact for the Fabrikam User has been created.

  • Distribution List is not a member: Ensure that the Contact for the Fabrikam distribution list has been created.

Groups

Add the Contoso User to the Fabrikam Security Group.

  • Permissions: Ensure that you have the rights to update a Security Group.

Groups

Add the Fabrikam User to the Contoso Security Group.

  • Permissions: Ensure that you have the rights to update a Security Group.

Requests

Verify that the request to update the Fabrikam Security Group triggered the Group Membership Validation workflow.

  • Workflow: Ensure that the Group Membership Validation workflow is created correctly.

  • MPR: Ensure that the Group Membership Validation MPR is created correctly.

Requests

Verify that the request to update the Contoso Security Group triggered the Group Membership Validation workflow.

  • Workflow: Ensure that the Group Membership Validation workflow is created correctly.

  • MPR: Ensure that the Group Membership Validation MPR is created correctly.

Sets

Verify that the Fabrikam AD DS Foreign Security Principals (FSPs) for User set is populated with the Contoso User.

  • Sets: Ensure that AD DS FSPs for User provisioning set is created correctly.

Sets

Verify that the Contoso AD DS FSP for Users set is populated with the Fabrikam User.

  • Sets: Ensure that AD DS FSPs for User provisioning set is created correctly.

Groups

Add the Contoso Security Group to the Fabrikam Security Group.

  • Permissions: Ensure that you have the rights to update a Security Group.

Groups

Add the Fabrikam Security Group to the Contoso Security Group.

  • Permissions: Ensure that you have the rights to update a Security Group.

Requests

Verify that the request to update the Fabrikam Security Group triggered the Group Membership Validation workflow.

  • Workflow: Ensure that the Group Membership Validation workflow is created correctly.

  • MPR: Ensure that the Group Membership Validation MPR is created correctly.

Requests

Verify that the request to update the Contoso Security Group triggered the Group Membership Validation workflow.

  • Workflow: Ensure that the Group Membership Validation workflow is created correctly.

  • MPR: Ensure that the Group Membership Validation MPR is created correctly.

Sets

Verify that the Fabrikam AD DS FSPs for Security Group set is populated with the Contoso Security Group.

  • Ensure that AD DS FSPs for Mail-enabled Security Group provisioning set is created correctly.

Sets

Verify that the Contoso AD DS FSPs for Security Group set is populated with the Fabrikam Security Group.

  • Ensure that AD DS FSPs for Mail-enabled Security Group provisioning set is created correctly.

Synchronization

Run Import and Sync on the FIM MA. This should result in Security Group membership updates to AD DS.

  • Users and Groups are not updated: Import again 60 seconds after creation of users and groups.

  • Membership is not updated to AD DS: Ensure that AD DS Security Groups synchronization rules are created correctly.

Synchronization

Run Export on the AD MA. This should result in membership updates to AD DS.

  • Ensure that the AD MA credentials have Write access to AD DS.

Synchronization

Run Import and Sync on the AD MA. This should result in no updates to FIM.

  • It is possible that some detail in AD DS may have changed. If the update to FIM occurs, ensure that it makes sense given the state of AD DS.

Active Directory Users and Computers

Ensure that the Fabrikam Security Group contains the Contoso User and Contoso Security Group.

  • User is not a member: Ensure that the FSP for the Contoso User has been created.

  • Security Group is not a member: Ensure that the FSP for the Contoso Security Group has been created.

Active Directory Users and Computers

Ensure that the Contoso Security Group contains the Fabrikam User and Fabrikam Security Group.

  • User is not a member: Ensure that the FSP for the Fabrikam User has been created.

  • Security Group is not a member: Ensure that the FSP for the Fabrikam distribution list has been created.
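
The final Active Directory Users and Computers checks above can also be scripted. The following is an added example, not part of the original Microsoft page: it reads a security group's `member` attribute, extracts the SIDs of any foreign security principals, and compares them with the SIDs of the expected accounts in the other forest. It assumes the ActiveDirectory PowerShell module, a working cross-forest trust, and read access to both forests; the function name, domain controller names and account names are hypothetical.

```powershell
# Added example. Server names and sAMAccountNames are assumptions.
Import-Module ActiveDirectory

function Test-ForeignSecurityPrincipalMember {
    param(
        [Parameter(Mandatory=$true)] [string]   $GroupName,          # group in the forest being checked
        [Parameter(Mandatory=$true)] [string]   $GroupServer,        # domain controller for that forest
        [Parameter(Mandatory=$true)] [string[]] $ForeignAccountName, # sAMAccountNames in the other forest
        [Parameter(Mandatory=$true)] [string]   $ForeignServer       # domain controller for the other forest
    )

    # An FSP member DN has the form CN=<SID>,CN=ForeignSecurityPrincipals,DC=...
    $group = Get-ADGroup -Identity $GroupName -Server $GroupServer -Properties member
    $fspSids = foreach ($dn in $group.member) {
        if ($dn -match '^CN=(S-1-[0-9-]+),CN=ForeignSecurityPrincipals,') { $Matches[1] }
    }

    foreach ($name in $ForeignAccountName) {
        # Look up the real object in its home forest to get the SID the FSP must carry.
        $obj = Get-ADObject -LDAPFilter "(sAMAccountName=$name)" -Server $ForeignServer `
                   -Properties objectSid | Select-Object -First 1
        $sid = if ($obj) { $obj.objectSid.Value } else { $null }

        New-Object PSObject -Property @{
            Group      = $GroupName
            Member     = $name
            Sid        = $sid
            # False when the account was not found or no FSP with its SID is a member.
            FspPresent = [bool]($sid -and ($fspSids -contains $sid))
        }
    }
}

# Hypothetical usage for the Fabrikam check:
# Test-ForeignSecurityPrincipalMember -GroupName 'FabrikamSecurityGroup' `
#     -GroupServer 'dc1.fabrikam.com' `
#     -ForeignAccountName 'ContosoUser','ContosoSecurityGroup' `
#     -ForeignServer 'dc1.contoso.com'
```

A row with `FspPresent` set to False corresponds to the "User is not a member" or "Security Group is not a member" troubleshooting entries above.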