Working with OLSync R4 and Forefront Identity Manager 2010 RC1.

Hi All,
This is just a quick and dirty entry illustrating the steps I went through to get the Live@EDU Outlook Live Management Agent (R4 release) to install on Forefront Identity Manager 2010 RC1. I say this is a “dirty” entry because it’s really just a cut and paste from the most recent reply I sent to someone prodding me for more information with the salutations and best wishes taken out for privacy reasons.
The content is not a click-by-click walkthrough, and as I note in the body, it’s not necessarily the perfect manner in which to work around the 64-bit and installation prerequisite caveats. That said, the approach worked for us, and we are now running both products in a production capacity for some 12,500+ student accounts. In fact, I daresay it’s working better than we’d initially expected.
One task I still have to work through, which is worth reiterating here, is to set up another FIM installation to take a look at the option of importing the OLMA directly from within the FIM Synchronisation Manager. Right now, I have no idea where I’m going to find the time, but it is something I will look at if there’s still a point in doing so sometime down the track. The sole incentive for doing so is to avoid the hassle involved with manipulating the original MSI in order to get it to install the OLMA.
Without further ado, the content you’re most likely interested in is pasted below.
Good luck,
Lain

Yes, we’ve successfully provisioned accounts from Active Directory to Live@EDU with FIM2010 RC1 – in fact, we’re using RC1 in production now, and maintain a current user base of 12,500-ish student accounts in Live@EDU, so it’s a reasonably sized environment.

As I included in my post, we are running FIM over two servers:

FIM Server:

  • Windows 2008 R2 64-bit hosted on VMware
  • 12 GB RAM
  • OLSync R4 32-bit (in “AD account only” mode, because we do not yet have Exchange)
  • Four management agents (SQL Server, iPlanet, Active Directory and Outlook Live)
  • Manual configuration of OLMA
  • The portal component of FIM is not installed, so there is no codeless provisioning

FIM back end:

  • Windows Server 2008 R2 32-bit
  • 4 GB RAM
  • SQL Server 2008 with SP1

I’m assuming you already have FIM installed, in which case the only issue you face is installing the Outlook Live Management Agent (OLSync R4). The .msi from the Microsoft Connect site is specifically locked down to 32-bit operating systems, and has four or five prerequisite checks. These two facets stop you from installing OLSync on the FIM server, since the FIM server can only be 64-bit, not 32-bit.

There are two methods for installing the Outlook Live Management Agent:

  1. via the .msi package, or
  2. via the Management Agents section > Actions menu > Import Management Agent… option from within FIM itself.

I used option 1, but I had to alter the .msi from Microsoft to do it. Firstly, I had to change the 32-bit flag within the .msi to 64-bit using a Microsoft program called Orca, and secondly, I created a transform to avoid the prerequisite checks that the installer launches (checking for ILM2007 and an empty management agent directory). While this allowed me to install the Outlook Live Management Agent, the installation for the configuration wizard fails, as it requires a component specific to ILM2007 FP1 which is no longer found in FIM2010. I did not find this to be a problem, as I simply configured the OLMA manually.

While the above approach worked, I’m hoping to take a look at using the second option I mentioned, as I expect it will be easier than editing the msi. Instead of installing the .msi, it can be instructed to just extract the OLMA source files. These files include the management agent XML files, so some time next week when I have a chance to build a second FIM server, I’m going to take a look at that option just for fun, because as I say, I expect it will be easier than the first option.

Once you have the Outlook Live Management Agent installed, it’s a simple matter of configuring the various screens within the MA in order to provision accounts into Live@EDU. Firstly, you need to have set up a special account manually within the Live Administration page called a service account. Once you have this service account, you can fill out the Management Agent as follows:

Configure Connection Information page:

If you are unsure as to how to create a service account, please refer to this article from the guys over at the Live service: http://help.outlook.com/en-us/140/dd490638.aspx.
Configure Additional Parameters page:
Configure Join and Projection Rules: (this section will vary for you if you run Exchange; we don’t run Exchange – at least, not yet)
  • Mailbox.Join: Alias->Direct->accountName (you can choose your own relationship here; this is what we chose to use)
  • Mailbox.Project: Person
Configure Attribute Flow page (Mailbox class on the left, metaverse Person on the right):
  • UserPrincipalName <- LiveID (LiveID is a custom attribute we added to the metaverse.person class, since our original source is not AD)
  • Name <- accountName (metaverse.accountName is our flat name that we also use as the AD sAMAccountName, for example lain.robertson; Name MUST be unique!)
  • DisplayName <- displayName
  • Alias <- accountName
  • WindowsLiveID <- LiveID
  • FirstName <- firstName
  • LastName <- lastName
  • DistinguishedName -> LiveDN (Live DN is a custom attribute we added to the metaverse.person class as a way of verifying a user has successfully been provisioned to Live)
Configure Extensions page (note: this section is only useful if you’re running the Password Change Notification Services):
For the pages that I’ve deliberately left out, they can be skipped (apart from the first page, where you have to provide a name for your MA).

From this point onwards, I’m going to assume you know what you’re doing with FIM, because it’s no different to ILM2007 in that you run Imports, Synchronisations, and in OLMA’s case, the combined EDIDS step that performs the export, immediately followed by the delta import and synchronisation.

I hope this helps you get started!

Cheers,
Lain
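
The attribute flows listed above, as an added example that is not part of the original post: a pre-export check over metaverse Person records that flags empty flow sources and duplicate Name values, and lists accounts with no LiveDN flowed back. The record layout, the function names and the case-insensitive comparison of Name are assumptions, and the sample records are constructed.

```python
from collections import defaultdict

# Export flows listed in the post: Mailbox attribute <- metaverse Person attribute.
EXPORT_FLOW = {
    "UserPrincipalName": "LiveID", "WindowsLiveID": "LiveID",
    "Name": "accountName", "Alias": "accountName",
    "DisplayName": "displayName",
    "FirstName": "firstName", "LastName": "lastName",
}

# Constructed sample metaverse Person objects (not real accounts).
SAMPLE_PERSONS = [
    {"accountName": "alex.nguyen", "LiveID": "alex.nguyen@example.edu",
     "displayName": "Alex Nguyen", "firstName": "Alex", "lastName": "Nguyen",
     "LiveDN": "CN=alex.nguyen (constructed)"},
    {"accountName": "Alex.Nguyen", "LiveID": "alex.nguyen2@example.edu",
     "displayName": "Alex Nguyen", "firstName": "Alex", "lastName": "Nguyen"},
    {"accountName": "sam.student", "displayName": "Sam Student",
     "firstName": "Sam", "lastName": "Student"},  # LiveID never populated
]

def project_mailbox(person):
    """Apply the export flows to one Person dict, giving the Mailbox view."""
    return {target: person.get(source) for target, source in EXPORT_FLOW.items()}

def preflight(persons):
    """Return (subject, problem) pairs that should be fixed before export."""
    problems, by_name = [], defaultdict(list)
    for person in persons:
        key = person.get("accountName") or "<no accountName>"
        mailbox = project_mailbox(person)
        missing = sorted(t for t, v in mailbox.items() if not v)
        if missing:
            problems.append((key, "missing: " + ", ".join(missing)))
        if mailbox["Name"]:
            # Assumption: Name uniqueness is treated as case-insensitive.
            by_name[mailbox["Name"].casefold()].append(key)
    for name, owners in sorted(by_name.items()):
        if len(owners) > 1:
            problems.append((name, "duplicate Name: " + ", ".join(owners)))
    return problems

def unconfirmed(persons):
    """accountNames with no LiveDN flowed back from the Mailbox object."""
    return [p["accountName"] for p in persons
            if p.get("accountName") and not p.get("LiveDN")]

if __name__ == "__main__":
    for subject, problem in preflight(SAMPLE_PERSONS):
        print(f"{subject}: {problem}")
    print("no LiveDN yet:", unconfirmed(SAMPLE_PERSONS))
```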

4 responses to “Working with OLSync R4 and Forefront Identity Manager 2010 RC1.”

  1. Hello,
    Great post! It’s crazy how little information exists on the subject of OLSync and FIM 2010.

    I was wondering if I could pick your brain about Method 2.

    I have everything extracted, and placed into (what I was able to derive as) the appropriate folders in the FIM directory, but when I use FIM to “Import” an agent and click on the OLMA.xml file it says that the Management Agent type for OLMA.xml is not installed.

    I am sure I am missing something small… and was wondering if you or anyone would be able to point me in the right direction.

    thanks!

    • Hi John,

      That’s kind of odd as making sure the files are in place is the only task required. If they’re successfully in place, you should be able to create a new management agent and find the “Outlook Live Management Agent” is now listed (you don’t have to complete the process of creating the management agent – this is just a check).

      Keep in mind that importing a management agent is different to installing the actual OLMA. Installing the OLMA just ensures the agent is available for selection as one of the options in the agent selection screen. Importing a management agent doesn’t do this part. Instead, it imports the subsequent MA definition, such as the directory settings, attribute flows, join criteria, etc – all the same stuff you would define in a new MA after installing the actual MA.

      Summarising that:

      • Putting the files in the right place “installs” the OLMA
      • Configuring a new management agent using the above OLMA is what carries out the work. This is the stage that “import a management agent” relates to

      I’m guessing you’ve already read the more recent post, but if not, there’s more information here.

      Let me know if I can help any other way (or if the above wasn’t helpful at all).

      Cheers,
      Lain

      • Thank you for the quick response!

        As far as my above post goes, a server restart was the only missing element.

        FIM is an extremely new environment for me, so of course I have hit another road block…
        I was able to “import” my AD details into FIM, but now I need to use them to populate my Live@edu with accounts.
        So my FIM has two MA: ADMA and OLMA. ADMA has already been used for the initial Full import into FIM, the next step for us is to use that info and populate Live@edu through the OLMA.

        From the newer post I gathered that I have to write an extension to make this happen. Is there any documentation anywhere that describes anything, even something as mundane as the language or syntax to use? Or something more helpful, like a sample extension that someone created for a similar purpose. (Seeing as how several people have used live@edu with FIM I assume that this has been done before).
        I am not new to programming but generally work with .NET languages.

        Any links would be extremely helpful, and again I appreciate all of the information from your site!

        thanks again!

  2. Actually it looks like the newer post has similar questions. I will read through those links! Thanks.
