MIM synchronization best practices

Here are some of MIM synchronization's best practices to follow:

  • Index any Metaverse object you are using for a join.
  • The account used for the MIM Synchronization service should be different from the account used for the MIM Service MA.
  • The source code for all rules extensions should be backed up and maintained in a source control program. You will need the source code if you ever need to debug a rules extension.
  • When writing a rule extension, check whether the attribute is present before looking for a value. An example is as follows:
    if (csentry["department"].IsPresent) {...}
  • We suggest performing a full import run profile and a full synchronization on each MA at least every 30 days.
  • Clear the synchronization operational run history regularly as the data will make the database grow over time and have an impact on its performance.
  • Avoid using the Joiner tool as much as possible because any explicitly joined or projected object will not honor existing or future connector filter rules.
  • Try to keep domains of the same forest in the same MA because it allows MIM to automatically manage references between domains.
  • When you install MIM, you can make the MIM security groups (MIMAdmins, MIMSyncBrowse, MIMSyncJoiners, MIMSyncOperators, and MIMSyncPasswordReset) either local groups on the synchronization server or Active Directory groups. We recommend using Active Directory groups, as they allow you to have a standby synchronization server.
  • Closely monitor the membership of the MIM security groups that have access to the MIM databases and physical access to the MIM servers involved in the solution.
  • Restrict access to the Program Files\Microsoft Forefront Identity Manager\2010\Synchronization Service\Extensions and ..\ExtensionsCache folders because an attacker could compile malicious code and have it run by the Synchronization service.
  • If you have deployed the MIM portal, the MIM MA should have two connector filter rules: one that blocks the synchronization account and another that blocks the administrator account. The best way is to use GUIDs, as follows:
    <dn> Equals fb89aefa-5ea1-47f1-8890-abe7797d6497
    <dn> Equals 7fb2b853-24f0-4498-9534-4e10589723c4
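As an added illustration of the rules-extension advice above (this is example code, not from the book or from any MIM product sample), here is a minimal IMASynchronization class for a hypothetical HR management agent with the IsPresent guard applied in an import attribute flow; the flow rule name "hr.person:department" and the metaverse object type "person" are assumptions that must match the flow configured in your MA.

```csharp
using Microsoft.MetadirectoryServices;

public class HrMAExtension : IMASynchronization
{
    public void Initialize() { }
    public void Terminate() { }

    public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
    {
        MVObjectType = "person";   // assumed metaverse object type
        return true;
    }

    public DeprovisionAction Deprovision(CSEntry csentry)
    {
        return DeprovisionAction.Disconnect;
    }

    public bool FilterForDisconnection(CSEntry csentry) { return false; }

    public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
    {
        throw new EntryPointNotImplementedException();
    }

    public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry, out int imventry, ref string MVObjectType)
    {
        throw new EntryPointNotImplementedException();
    }

    public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
    {
        if (FlowRuleName != "hr.person:department")   // assumed flow rule name
            throw new EntryPointNotImplementedException();

        // Reading .Value of an attribute the connector space object does not
        // carry throws AttributeNotPresentException and errors the object in
        // the sync run, so test IsPresent first and clear the metaverse value.
        if (csentry["department"].IsPresent)
            mventry["department"].Value = csentry["department"].Value.Trim();
        else
            mventry["department"].Delete();
    }

    public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
    {
        throw new EntryPointNotImplementedException();
    }
}
```

Compile it against Microsoft.MetadirectoryServices.dll and copy the assembly into the Extensions folder, which is one more reason to keep that folder's ACL tight as recommended above.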