Set up a domain

Microsoft Identity Manger (MIM) works with your Active Directory (AD) domain. You should already have AD installed, and make sure you have a domain controller in your environment for a domain that you are able to administer.

This article walks you through the steps to prepare your domain to work alongside MIM.

Create user accounts and groups

All the components of your MIM deployment need their own identities in the domain. This includes the MIM components like Service and Sync, as well as SharePoint and SQL.

1. Sign in to the domain controller as the domain administrator (e. g. Contoso\Administrator).

2. Create the following user accounts for MIM services. Start PowerShell and type the following PowerShell script to update the domain.

   import-module activedirectory
   $sp = ConvertTo-SecureString "Pass@word1" –asplaintext –force
   New-ADUser –SamAccountName MIMINSTALL –name MIMINSTALL
   Set-ADAccountPassword –identity MIMINSTALL –NewPassword $sp
   Set-ADUser –identity MIMINSTALL –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName MIMMA –name MIMMA
   Set-ADAccountPassword –identity MIMMA –NewPassword $sp
   Set-ADUser –identity MIMMA –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName MIMSync –name MIMSync
   Set-ADAccountPassword –identity MIMSync –NewPassword $sp
   Set-ADUser –identity MIMSync –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName MIMService –name MIMService
   Set-ADAccountPassword –identity MIMService –NewPassword $sp
   Set-ADUser –identity MIMService –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName MIMSSPR –name MIMSSPR
   Set-ADAccountPassword –identity MIMSSPR –NewPassword $sp
   Set-ADUser –identity MIMSSPR –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName SharePoint –name SharePoint
   Set-ADAccountPassword –identity SharePoint –NewPassword $sp
   Set-ADUser –identity SharePoint –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName SqlServer –name SqlServer
   Set-ADAccountPassword –identity SqlServer –NewPassword $sp
   Set-ADUser –identity SqlServer –Enabled 1 –PasswordNeverExpires 1
   New-ADUser –SamAccountName BackupAdmin –name BackupAdmin
   Set-ADAccountPassword –identity BackupAdmin –NewPassword $sp
   Set-ADUser –identity BackupAdmin –Enabled 1 -PasswordNeverExpires 1
   New-ADUser –SamAccountName MIMpool –name MIMpool
   Set-ADAccountPassword –identity MIMPool –NewPassword $sp
   Set-ADUser –identity MIMPool –Enabled 1 -PasswordNeverExpires 1
   

3. Create security groups to all the groups.

   New-ADGroup –name MIMSyncAdmins –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncAdmins
   New-ADGroup –name MIMSyncOperators –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncOperators
   New-ADGroup –name MIMSyncJoiners –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncJoiners
   New-ADGroup –name MIMSyncBrowse –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncBrowse
   New-ADGroup –name MIMSyncPasswordSet –GroupCategory Security –GroupScope Global –SamAccountName MIMSyncPasswordSet
   Add-ADGroupMember -identity MIMSyncAdmins -Members Administrator
   Add-ADGroupmember -identity MIMSyncAdmins -Members MIMService
   Add-ADGroupmember -identity MIMSyncAdmins -Members MIMInstall
   

4. Add SPNs to enable Kerberos authentication for service accounts

   setspn -S http/mim.contoso.com Contoso\mimpool
   setspn -S http/mim Contoso\mimpool
   setspn -S http/passwordreset.contoso.com Contoso\mimsspr
   setspn -S http/passwordregistration.contoso.com Contoso\mimsspr
   setspn -S FIMService/mim.contoso.com Contoso\MIMService
   setspn -S FIMService/corpservice.contoso.com Contoso\MIMService
   

5. During Setup we need to add the following DNS 'A' records for proper name resolution

• mim.contoso.com Point to corpservice physical ip address
• passwordreset.contoso.com Point to corpservice physical ip address
• passwordregistration.contoso.com Point to corpservice physical ip address