設定網域
Microsoft Identity Manager (MIM) 與 Active Directory (AD) 網域搭配使用。 您應已安裝 AD,請確定環境中有您能夠管理的網域的網域控制站。
本文會逐步引導您整備要與 MIM 一起運作的網域。
建立使用者帳戶和群組
MIM 部署的所有元件在網域中都需要自己的身分識別。 這包括 MIM 元件 (例如服務與同步) 及 SharePoint 和 SQL。
注意
本逐步解說使用 Contoso 公司的範例名稱和值。 請替換成您自己的值。 例如:
- 網域控制站名稱 - corpdc
- 網域名稱 - contoso
- MIM 服務伺服器名稱 - corpservice
- MIM 同步伺服器名稱 - corpsync
- SQL Server 名稱 - corpsql
- 密碼 - Pass@word1
以網域系統管理員 (例如 Contoso\Administrator) 身分登入網域控制站。
為 MIM 服務建立下列使用者帳戶。 啟動 PowerShell 並輸入下列 PowerShell 指令碼以更新網域。
import-module activedirectory $sp = ConvertTo-SecureString "Pass@word1" –asplaintext –force New-ADUser –SamAccountName MIMINSTALL –name MIMINSTALL Set-ADAccountPassword –identity MIMINSTALL –NewPassword $sp Set-ADUser –identity MIMINSTALL –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMMA –name MIMMA Set-ADAccountPassword –identity MIMMA –NewPassword $sp Set-ADUser –identity MIMMA –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMSync –name MIMSync Set-ADAccountPassword –identity MIMSync –NewPassword $sp Set-ADUser –identity MIMSync –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMService –name MIMService Set-ADAccountPassword –identity MIMService –NewPassword $sp Set-ADUser –identity MIMService –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName MIMSSPR –name MIMSSPR Set-ADAccountPassword –identity MIMSSPR –NewPassword $sp Set-ADUser –identity MIMSSPR –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName SharePoint –name SharePoint Set-ADAccountPassword –identity SharePoint –NewPassword $sp Set-ADUser –identity SharePoint –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName SqlServer –name SqlServer Set-ADAccountPassword –identity SqlServer –NewPassword $sp Set-ADUser –identity SqlServer –Enabled 1 –PasswordNeverExpires 1 New-ADUser –SamAccountName BackupAdmin –name BackupAdmin Set-ADAccountPassword –identity BackupAdmin –NewPassword $sp Set-ADUser –identity BackupAdmin –Enabled 1 -PasswordNeverExpires 1 New-ADUser –SamAccountName MIMpool –name MIMpool Set-ADAccountPassword –identity MIMPool –NewPassword $sp Set-ADUser –identity MIMPool –Enabled 1 -PasswordNeverExpires 1建立所有群組的安全性群組。
New-ADGroup –name MIMSyncAdmins –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncAdmins New-ADGroup –name MIMSyncOperators –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncOperators New-ADGroup –name MIMSyncJoiners –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncJoiners New-ADGroup –name MIMSyncBrowse –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncBrowse New-ADGroup –name MIMSyncPasswordSet –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncPasswordSet Add-ADGroupMember -identity MIMSyncAdmins -Members Administrator Add-ADGroupmember -identity MIMSyncAdmins -Members MIMService Add-ADGroupmember -identity MIMSyncAdmins -Members MIMInstall新增 SPN 以啟用服務帳戶的 Kerberos 驗證
setspn -S http/mim.contoso.com Contoso\mimpool setspn -S http/mim Contoso\mimpool setspn -S http/passwordreset.contoso.com Contoso\mimsspr setspn -S http/passwordregistration.contoso.com Contoso\mimsspr setspn -S FIMService/mim.contoso.com Contoso\MIMService setspn -S FIMService/corpservice.contoso.com Contoso\MIMService安裝時,我們需要新增下列的 DNS 'A' 記錄,以便正確的解析名稱
- mim.contoso.com 指向 corpservice 實體 ip 位址
- passwordreset.contoso.com 指向 corpservice 實體 ip 位址
- passwordregistration.contoso.com 指向 corpservice 實體 ip 位址