设置域
Microsoft Identity Manger (MIM) 适用于你的 Active Directory (AD) 域。 应已安装了 AD,并确保你的环境中有一个你能够管理的域的域控制器。
本文将指导你完成一些步骤来准备要与 MIM 协同使用的域。
创建用户帐户和组
MIM 部署的所有组件都需要在域中具有自己的标识。 这包括服务和同步等 MIM 组件,以及 SharePoint 和 SQL。
注意
本演练使用名为 Contoso 的公司中的示例名和值。 将其替换为你自己的。 例如:
- 域控制器名称 - corpdc
- 域名 - contoso
- MIM 服务服务器名称 - corpservice
- MIM 同步服务器名称 - corpsync
- SQL Server 名称 - corpsql
- 密码 - Pass@word1
以域管理员的身份登录到域控制器(例如:Contoso\Administrator)。
为 MIM 服务创建以下用户账户。 启动 PowerShell 并键入以下 PowerShell 脚本来更新域。
import-module activedirectory $sp = ConvertTo-SecureString "Pass@word1" –asplaintext –force New-ADUser –SamAccountName MIMINSTALL –name MIMINSTALL Set-ADAccountPassword –identity MIMINSTALL –NewPassword $sp Set-ADUser –identity MIMINSTALL –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMMA –name MIMMA Set-ADAccountPassword –identity MIMMA –NewPassword $sp Set-ADUser –identity MIMMA –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMSync –name MIMSync Set-ADAccountPassword –identity MIMSync –NewPassword $sp Set-ADUser –identity MIMSync –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMService –name MIMService Set-ADAccountPassword –identity MIMService –NewPassword $sp Set-ADUser –identity MIMService –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMSSPR –name MIMSSPR Set-ADAccountPassword –identity MIMSSPR –NewPassword $sp Set-ADUser –identity MIMSSPR –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName SharePoint –name SharePoint Set-ADAccountPassword –identity SharePoint –NewPassword $sp Set-ADUser –identity SharePoint –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName SqlServer –name SqlServer Set-ADAccountPassword –identity SqlServer –NewPassword $sp Set-ADUser –identity SqlServer –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName BackupAdmin –name BackupAdmin Set-ADAccountPassword –identity BackupAdmin –NewPassword $sp Set-ADUser –identity BackupAdmin –Enabled 1 -PasswordNeverExpires 1 New-ADUser –SamAccountName MIMpool –name MIMpool Set-ADAccountPassword –identity MIMPool –NewPassword $sp Set-ADUser –identity MIMPool –Enabled 1 -PasswordNeverExpires 1为所有组创建安全组。
New-ADGroup –name MIMSyncAdmins –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncAdmins New-ADGroup –name MIMSyncOperators –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncOperators New-ADGroup –name MIMSyncJoiners –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncJoiners New-ADGroup –name MIMSyncBrowse –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncBrowse New-ADGroup –name MIMSyncPasswordSet –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncPasswordSet Add-ADGroupMember -identity MIMSyncAdmins -Members Administrator Add-ADGroupmember -identity MIMSyncAdmins -Members MIMService Add-ADGroupmember -identity MIMSyncAdmins -Members MIMInstall添加 SPN,以便为服务账户启用 Kerberos 身份验证
setspn -S http/mim.contoso.com Contoso\mimpool setspn -S http/mim Contoso\mimpool setspn -S http/passwordreset.contoso.com Contoso\mimsspr setspn -S http/passwordregistration.contoso.com Contoso\mimsspr setspn -S FIMService/mim.contoso.com Contoso\MIMService setspn -S FIMService/corpservice.contoso.com Contoso\MIMService在安装过程中,我们需要添加以下 DNS“A”记录以正确进行名称解析
- 指向 corpservice 物理 IP 地址的 mim.contoso.com
- 指向 corpservice 物理 IP 地址的 passwordreset.contoso.com
- 指向 corpservice 物理 IP 地址的 passwordregistration.contoso.com