This ending week I encountered an interesting case where an organization has a large # of stand-alone servers (not joined to a domain controller). The number is 750++ servers and growing. The challenge was how to manage identity on the servers.

Fast forward skipping the discussions why these servers are stand alone and not joined to an Active Directory forest.

FIM as it stands provides brilliant support for Active Directory yet it doesn’t provide an out of the box support for WinNT account storage. A custom M/A was due. Code is attached to this post; hope it helps you in a similar situation. Some notes:

• FIM extensible M/A APIs are pretty forward and don’t need schema handling and runtime resolution. Unlike similar architecture provided by WCF LOB SDK or BizTalk server.
• WinNT LDAP is pretty simple few attributes for user and groups. Schema is not extendable so you can always use M/A safely.

The M/A provides the following features:

• Sync
  • User (CRUD Operations)
  • Group (CRUD Operations)
  • Password
    • Password Reset with FIM PCNS.

How the code works:

• The code provides 2 entry points one for Sync & one for password reset.
• User & Group are represented by classes “factorized” by factory that takes care of creating a user based on CSEntry (FIM Class) or DirectoryEntery (WinNT class).
• User  & Object classes implement an IidmObject interface which specifies the CRUD Operation in addition to state management needed for processing.

In addition to the code, I have attached M/A metadata file and an export to ease the deployment operation on your end you can use FIM Management Agent Packaging utility to generate your own named M/A.

For more information on how to create a custom M/A

Creating Connected Data Source Extensions: http://msdn.microsoft.com/en-us/library/ms695383.aspx
How to create Management Agents: http://msdn.microsoft.com/en-us/library/ms695385.aspx

Questions & comments? The easiest way is find me on Twitter: @khnidk

Khaled Hnidk