Microsoft Identity and Access Management - Identity Aggregation and Synchronization

Chapter 1: Introduction to the Identity Aggregation and Synchronization Paper

Executive Summary

An essential element of managing computer networks is organizing information about people, applications, and network devices. Managing identity information is challenging because the essential data that describes people in an environment changes so frequently. For example, in a given month a large percentage of an organization's employees may change jobs, assume different roles, become associated with different projects, move to a new office, or even change their names. All these changes, while seemingly minor, can pose a significant challenge in complex networks with multiple identity stores.

This paper discusses how to aggregate and synchronize user identity information across multiple directories and identity stores in a heterogeneous environment. The result is to enable centralized administration of user identities across an organization's identity stores. The paper also provides detailed configuration tasks you can perform to achieve this by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

The Business Challenge

Organizations store identity information as data objects in numerous data repositories. When identity information becomes inconsistent between identity stores, it can become difficult to use appropriately. Synchronizing information between multiple data repositories is challenging, time consuming, and expensive.

The business challenges that relate to identity synchronization include:

  • Reducing the costs associated with managing large numbers of identity stores.
  • Providing the ability to expand the organization's people and IT resources without a corresponding increase in IT staff.
  • Increasing employee productivity by being able to find the right information about other users.
  • Meeting regulatory requirements associated with privacy and access controls.

In large organizations, you can often find over one hundred discrete identity stores, all of which contain overlapping and usually conflicting personal data. Managing this identity data across many systems that use manual processes or custom scripts is simply not cost effective or accurate enough to meet the business needs of most organizations.

Management needs to know that the costs of managing user identities are as low as reasonably possible. Identity life-cycle management should also scale efficiently across various applications and network resources, and not require additional staff for every application brought online or group of users hired.

The Business Benefits

Efficient administrative processes based on capable technologies for identity aggregation and synchronization can provide the following business benefits:

  • Reduced total cost of ownership (TCO) of networked systems through reducing the costs for managing digital identity data in multiple identity stores.
  • Increased IT administrator productivity.
  • Increased knowledge worker productivity.
  • Improved security and privacy controls across the organization.

Who Should Read This Paper

The audience for this paper includes architects, IT professionals, IT decision makers, and consultants working in organizations with multiple identity stores.

Reader Prerequisites

This paper assumes the reader has a moderate knowledge of identity and access management concepts and technologies as described in the "Fundamental Concepts" paper in this series.

To implement the solutions in this paper, readers should have an understanding of the infrastructure described and implemented in the "Platform and Infrastructure" paper in this series. For a greater understanding of MIIS 2003, review the Microsoft Identity Integration Server 2003 Technical Reference.

Paper Overview

This paper consists of seven chapters. Each chapter builds on the previous one to demonstrate how a typical company plans, builds, tests, and operates an identity aggregation and synchronization solution by using MIIS 2003 with SP1 and the Microsoft Active Directory® directory service. The chapters cover the following topics:

Chapter 1: Introduction

The introduction provides an executive summary, the recommended audience for the paper, and an overview of each chapter in the paper.

Chapter 2: Approaches to Identity Aggregation and Synchronization

This chapter covers various approaches for identity aggregation and synchronization, including the recommended approach of using an identity integration product.

Chapter 3: Issues and Requirements

This chapter introduces the identity aggregation and synchronization challenges that Contoso Pharmaceuticals (a fictitious company with typical problems) faces, as well as their technical issues and requirements.

Chapter 4: Designing the Solution

This chapter describes the logical design of a solution for Contoso and how it works. It addresses Contoso issues and requirements with an identity aggregation and synchronization solution based on Microsoft technologies.

Chapter 5: Implementing the Solution

This chapter takes the design from the previous chapter and further refines it by providing step-by-step prescriptive guidance to implement the solution. It shows how you can set up identity aggregation and synchronization in a secure and functional way. This chapter also introduces the Tools and Templates provided for this paper.

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution scenarios from Chapter 5. It also provides some troubleshooting steps to help with common implementation challenges.

Chapter 7: Operational Considerations

This chapter concludes the paper with details on operational procedures for running an identity aggregation and synchronization solution on a day-to-day basis.

Solution Scenario

In addition to a general discussion of identity synchronization approaches, this paper also provides detailed prescriptive guidance for implementing an identity aggregation and synchronization solution that builds on the Contoso Pharmaceuticals scenario introduced in the "Platform and Infrastructure" paper in this series. In this scenario, Contoso has two Active Directory forests, a Sun ONE Directory, and a Lotus Notes database to integrate.

This scenario has been compiled by Microsoft to illustrate the typical challenges organizations face in providing identity aggregation and synchronization, and includes guidance on how Microsoft technologies can address them. Chapters 3 through 7 focus entirely on this solution scenario.

Implementing an identity aggregation and synchronization solution provides a recommended foundation for building other identity life-cycle management solutions such as provisioning (fully automated or using workflow), entitlement management (groups in particular) and credential management (passwords in particular).

Note   The "Password Management" paper in this series builds on the solution scenario in this paper to provide password change, reset, and propagation services.

Chapter 2: Approaches to Identity Aggregation and Synchronization

A typical large organization may have dozens of data stores for identity information. Even medium and small organizations usually have several identity stores. The challenge is how to aggregate the correct data from all of the identities in an organization and then synchronize the correct data with identity stores that may have incorrect or out-of-date data.

For example, an employee's job title and address are usually stored in more than one identity store. When an employee moves or is promoted, the same information must be updated in several different identity stores. To further complicate matters, identity stores are often managed by independent departments. Keeping track of these changes and propagating them to all identity stores within an organization is the process of identity aggregation and synchronization.

Common Identity Data Sources

There are three main types of identity data sources:

  • Directories
  • Databases
  • Flat files

This section also discusses a special type of database: the Human Resources (HR) department database.

Directories as Identity Data Sources

To manage data objects, organizations often use a specialized data store called a directory. A directory provides a well-defined set of object classes with associated attributes and a hierarchical view for organizing objects. A directory service exposes the operations necessary to locate and manage the content of a directory.

Typically, directories are used for:

  • E-mail address books or white pages that contain name and e-mail address information.
  • E-commerce directories that contain information about users and profiles.
  • Server operating system directories that contain information about users, computers, devices, and applications.

Historically, directories were custom applications that were designed to fulfill a specific role within an organization's network environment. In many cases, separate directories were implemented to contain relevant information to satisfy specific target functions.

Databases as Identity Data Sources

There are many identity stores in an organization that are not directory-based. Identity stores for individual applications are often implemented as databases for the following reasons:

  • Developers often have a better understanding of database technologies and interfaces compared to directory services.
  • Directory service administrators may not want developers altering a directory schema.

For these cases, databases can easily adapt to storing identity information, but there are several drawbacks. Databases are inherently non-hierarchical, but when storing information about people it is usually more convenient to mimic typical organizational hierarchies like companies, departments, and teams. These hierarchical structures help to easily locate objects and provide intuitive searching capabilities. In addition, databases generally do not follow a common schema that defines the data and its characteristics.

Additionally, databases do not come with a suite of security services for authentication, authorization, trusts, and security auditing — all required functionality must be programmed uniquely (and unnecessarily) for each database.

Flat Files as Identity Data Sources

Flat files (text-based files such as comma-delimited and XML files) can also serve to store identity information, especially with older applications. Flat file identity stores suffer from all of the same issues as databases, but typically provide significantly worse performance and management.

Flat files are often used for importing and exporting information between data sources and platforms if direct integration is otherwise infeasible.

Human Resources Databases as Identity Data Sources

The HR database (or equivalent) is a special case because of the functions of the HR department and their role in the management of an organization's users. The HR database is usually an authoritative source of information about the existence of user identities and many of the key attributes of a person, such as employee ID, first name, last name, home address, and so on.

The HR department is typically the first to know that an employee has been hired or fired, and is therefore the authoritative indication that a user identity should be added to, or removed from, the environment. The HR database also manages many user attributes, which makes it an important source of identity data that must be synchronized to other identity stores.

For security and privacy reasons it is usually difficult to have an HR database participate directly in identity integration services. However, HR departments will typically permit a reduced database view with read-only access, or a flat file containing specific fields from the HR database, to be used.

Synchronizing Identity Information

Regardless of how identity data is stored, there are several common scenarios that affect the management of this information. The following table describes some of these scenarios.

Table 2.1. Identity Scenarios and Requirements

Scenario: Implementing single sign on
Requirements: Manage user name, password, and access rights information across many different platforms and applications.

Scenario: Managing a global address book
Requirements: Synchronize mailbox information among the e-mail directories that are used within a company.

Scenario: Managing e-commerce applications
Requirements: Synchronize information for suppliers and extranet users, such as digital certificates, with e-commerce directories that reside in perimeter networks.

Scenario: Hiring/firing employees
Requirements: Quickly propagate information about newly hired employees to all systems that require identity information, and quickly perform the same processes in reverse when employees leave.

The following sections describe a number of approaches that are commonly used to accomplish these tasks, including:

  • Manual administration.
  • Implementing automation through custom scripts.
  • Implementing automation through product-specific integration services.
  • Using a metadirectory product.
  • Using an identity integration product.

Manual Administration

Manual administration is the default mechanism for managing the attributes of users in identity stores. Some identity stores, such as the Microsoft® Active Directory® directory service, provide tools such as the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. This tool provides a convenient graphical interface that is easy to use and allows quick manipulation of user attributes.

Although manual tools are intuitive and easy to use for a trained IT administrator, they are cumbersome to use across multiple identity stores and often result in errors and inconsistencies.

Custom Scripts

After manual administration becomes cumbersome, the typical next step is for the IT administrator to create scripts that manage identity attributes in various stores. Through powerful scripting languages such as Perl or Visual Basic® and interfaces such as the Active Directory Service Interfaces (ADSI), it is fairly easy to create scripts that can manipulate identity data in an organization.

While easy to create and cheap to implement, most script-based identity synchronization solutions have one or more of the following issues:

  • Lack of centralized control. Because scripts are easy to create, they can spread quickly throughout an organization. Unfortunately, they are also often poorly maintained and many organizations have little understanding of all the scripts that are currently in use. This lack of maintenance and awareness can lead to significant problems with identity stores that can result in security issues and loss of data.
  • Limited error and exception handling capabilities. Incorrect error handling can cause a script to abort prematurely, which can lead to unsynchronized data between identity stores or a loss of integrity in the identity store database itself. Limited error reporting can hide the fact that problems even exist. Exception handling can have an even greater impact; a poorly-written script might delete all identity information in the target identity store. This result could range from annoying to catastrophic, but will almost certainly cause lost productivity for administrators, users, or both.
  • Dependence on the people who develop them. Investments in custom scripts are often made behind the scenes, and typically there are a limited number of experts for any script. When those people are away or leave the organization and a problem occurs, the organization suffers as a result.
  • No preview mode. A script that updates objects in one identity store with object data from another identity store can have a significant impact. A preview mode would show the result of running the script before the script is run. Unfortunately, most scripts are not this sophisticated and it often feels like you are taking a chance every time the script runs. You don't know what's going to happen — you just have to trust the script.
  • Undesirable security characteristics. A script with poor security characteristics may have the user name and password of an administrator-equivalent account hard-coded into the script. Unfortunately, this is all too common an occurrence. Another common characteristic of script-based mechanisms is that an administrator, or group of administrators, needs to retain credentials that allow highly privileged access to some identity store so that the scripts they run in their user context have the ability to read and write the identity information in each store.
  • Limited scalability and redundancy. Most scripts do not scale well to support dozens of identity stores, do not include redundancy for hardware failures and other exceptions, and are generally unable to meet the needs of larger organizations.
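The safeguards the list above says most ad hoc scripts lack (a preview mode, explicit error handling, credentials kept out of the script, and a guard against wiping a target store) are straightforward to build in. The following Python script is an added example, not from the paper or from MIIS 2003; the HR export and the target store are constructed in memory, and the SYNC_USER and SYNC_PASSWORD environment variable names are assumptions.

```python
"""Constructed example: synchronize an authoritative HR export into a target
identity store with the safeguards most ad hoc sync scripts lack."""
import csv
import io
import os
from dataclasses import dataclass, field

# Constructed HR flat-file export (the reduced, read-only view HR typically provides).
HR_EXPORT = """employeeID,givenName,sn,title,mail
1001,Alice,Smith,Chemist,alice@contoso.com
1002,Bob,Jones,Sales Manager,bob@contoso.com
1004,Dana,Lee,Analyst,dana@contoso.com
"""

# Constructed snapshot of the target identity store, keyed by employeeID.
TARGET_STORE = {
    "1001": {"givenName": "Alice", "sn": "Smith", "title": "Technician", "mail": "alice@contoso.com"},
    "1002": {"givenName": "Bob", "sn": "Jones", "title": "Sales Manager", "mail": "bob@contoso.com"},
    "1003": {"givenName": "Carl", "sn": "Wu", "title": "Clerk", "mail": "carl@contoso.com"},
}

SYNCED_ATTRS = ("givenName", "sn", "title", "mail")


@dataclass
class SyncPlan:
    adds: dict = field(default_factory=dict)
    updates: dict = field(default_factory=dict)
    deletes: list = field(default_factory=list)
    errors: list = field(default_factory=list)


def load_hr_export(text):
    """Parse the HR CSV; reject rows missing or duplicating the join key rather
    than silently skipping them (silent skips turn into deletes downstream)."""
    rows = {}
    for lineno, row in enumerate(csv.DictReader(io.StringIO(text)), start=2):
        key = (row.get("employeeID") or "").strip()
        if not key:
            raise ValueError(f"HR export line {lineno}: missing employeeID")
        if key in rows:
            raise ValueError(f"HR export line {lineno}: duplicate employeeID {key}")
        rows[key] = {a: (row.get(a) or "").strip() for a in SYNCED_ATTRS}
    return rows


def plan_sync(hr, target, max_delete_fraction=0.5):
    """Compute adds, updates and deletes without touching the target: the preview
    mode. max_delete_fraction is a constructed default; tune it per environment."""
    plan = SyncPlan()
    for key, attrs in hr.items():
        if key not in target:
            plan.adds[key] = attrs
            continue
        changed = {a: v for a, v in attrs.items() if target[key].get(a) != v}
        if changed:
            plan.updates[key] = changed
    plan.deletes = sorted(k for k in target if k not in hr)
    # Guard against the catastrophic case: an empty or truncated HR file must not
    # translate into deleting every object in the target store.
    if target and len(plan.deletes) / len(target) > max_delete_fraction:
        plan.errors.append(
            f"refusing to delete {len(plan.deletes)} of {len(target)} objects "
            f"(more than {max_delete_fraction:.0%}); verify the HR export")
        plan.deletes = []
    return plan


def credentials_from_env():
    """Credentials come from the runtime environment, never hard-coded here.
    (Variable names are assumptions for this example.)"""
    user = os.environ.get("SYNC_USER")
    password = os.environ.get("SYNC_PASSWORD")
    if not user or not password:
        raise RuntimeError("SYNC_USER / SYNC_PASSWORD not set; refusing to run")
    return user, password


def apply_sync(plan, target, commit=False):
    """Apply a plan to the in-memory target. Without commit=True, or if the plan
    recorded an error, the target is returned unchanged."""
    if plan.errors or not commit:
        return target
    result = {k: dict(v) for k, v in target.items()}
    for k, attrs in plan.adds.items():
        result[k] = dict(attrs)
    for k, changed in plan.updates.items():
        result[k].update(changed)
    for k in plan.deletes:
        del result[k]
    return result


if __name__ == "__main__":
    plan = plan_sync(load_hr_export(HR_EXPORT), TARGET_STORE)
    print("adds:", list(plan.adds), "updates:", plan.updates,
          "deletes:", plan.deletes, "errors:", plan.errors)
```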

Integration Services

Integration services provide another approach to automating maintenance of identity information, although they usually only integrate with a single type of identity store without the flexibility of a full identity integration product. Examples of these integration services are:

  • Windows Server 2003 R2. Windows Server 2003 R2 includes built-in interoperability components that help you integrate UNIX and Windows environments. This interoperability includes the Subsystem for UNIX-based Applications, directory services integration, and File and Print services. For more information about UNIX interoperability, see Windows Server 2003 R2 UNIX Interoperability Components.
  • Services for UNIX. Windows Services for UNIX version 3.5 provides the programs and services to support identity integration between Windows and UNIX or Linux computers. For more information about Services for UNIX, see the Windows Services for UNIX 3.5 downloads page.
  • Services for NetWare. Microsoft Directory Synchronization Services (MSDSS), which is included with Services for NetWare 5, supports propagation of identity information from Active Directory to Novell eDirectory 8.7. For more information about MSDSS, see the Microsoft Windows Services for NetWare 5.03 page.
  • Host Integration Server (HIS). A comprehensive mainframe integration platform, HIS enables seamless access to host-based systems through a user's Active Directory account and provides automatic authentication of an identity in both Active Directory and the host system. HIS maintains account information between Windows and the host system to enable single sign on and password management. Bidirectional password synchronization is also available for mainframe security systems (RACF, ACF/2, and Top Secret) with the addition of third-party tools. For more information, see the Host Integration Server Web page.
  • Active Directory Connector (ADC). ADC provides directory synchronization and import/export tools. It lets administrators replicate a hierarchy of directory objects between Microsoft Exchange servers and Active Directory. For more information, see the Exchange Server 2003 Active Directory Connector Solutions Center.
  • Data Transformation Services (DTS). A set of Microsoft SQL Server™ 2000 components that allows database administrators to import, export, and transform both relational and non-relational sources of data, providing a powerful toolset for transferring data between systems. DTS can be an appropriate choice for translating identity data between multiple database sources and flat files. For more information about SQL Server DTS, see the Data Extraction, Transformation and Loading Techniques page.

The Role of Metadirectories

A metadirectory is a store containing information from multiple directories. It provides a centralized view of relational data from disparate identity stores throughout the enterprise. Even though separate directories may not share information, metadirectories make this relational view of data from all directories possible.

Although metadirectory products may attempt to provide a single view of identities, they do not always aggregate and synchronize identity information with each of the connected data sources. Customers want this crucial capability to ensure the applications that use each identity store relay accurate and up-to-date information to their users.

Microsoft Metadirectory Services (MMS) 2.2, the precursor to Microsoft Identity Integration Server 2003, Enterprise Edition, is an example of a metadirectory product.

Identity Integration Products

An identity integration product is designed to provide all of the functionality of scripts and integration services, but also address the drawbacks listed in the previous sections. Identity integration products also provide additional functionality that may be very hard or impossible to implement with scripts.

Identity integration products typically provide the following set of features:

  • Aggregation and synchronization of identity information across multiple identity stores.
  • Password management services, including password propagation of changes and resets.
  • Group management of security and distribution groups, including synchronization of groups across different identity stores.
  • Automated provisioning and centralized management of identity information.
  • E-mail contact synchronization between heterogeneous systems such as Microsoft Exchange Server and Lotus Notes.
  • Additional vendor-specific features, such as global address list (GAL) synchronization for Microsoft Exchange 2000 Server and Exchange Server 2003 across multiple forests.

Microsoft offers two identity integration products:

  • Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).
  • Identity Integration Feature Pack 1a for Windows Server™ Active Directory.

Both products have similar software requirements: Windows Server 2003, Enterprise Edition and Microsoft SQL Server 2000, Enterprise Edition or SQL Server 2000 Developer Edition (for testing purposes only). However, each product offers a different level of support for integration with external systems.

Note   SQL Server 2000 Developer Edition is licensed per developer and must be used for designing, developing, and testing purposes only. It should not be confused with Microsoft SQL Server Desktop Engine (MSDE). For more information, see Microsoft SQL Server: How to Buy.

Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1

MIIS 2003 with SP1 is an enterprise identity integration product from Microsoft; it replaces the previous metadirectory product, Microsoft Metadirectory Services (MMS) 2.2. MIIS 2003 with SP1 provides all the identity integration product features listed in the previous section.

For more information about MIIS 2003 with SP1, including the MIIS 2003 Technical Reference, see the MIIS 2003 page on Microsoft.com at www.microsoft.com/miis and the Microsoft Identity Integration Server 2003 Frequently Asked Questions page.

MIIS 2003 with SP1 uses Microsoft SQL Server 2000, Enterprise Edition or Standard Edition as its identity store for the metaverse as well as for individual views of each connected directory, application, or data source. The following table defines the connected identity stores (called management agents) that are available in MIIS 2003 with SP1.

Table 2.2. MIIS 2003 with SP1 Management Agent Categories

Connected identity store / Example

Network operating systems and directory services:
  • Microsoft Windows NT®
  • Active Directory (Windows 2000 Server and later)
  • Active Directory Application Mode
  • Novell eDirectory 8.6.2, 8.7, and 8.7.3
  • Sun ONE Directory Server 5.0, 5.1, or 5.2 (formerly iPlanet Directory Server)
  • IBM Directory Server 4.1, 5.1 or 5.2
  • Resource Access Control Facility (RACF)
  • X.500 systems

E-mail systems:
  • Microsoft Exchange 5.5
  • Microsoft Exchange 2000 and later (GAL synchronization)
  • Lotus Notes and Domino 4.6 and later

Application systems:
  • PeopleSoft
  • SAP
  • ERP1
  • Telephone switches
  • XML- and DSML-based systems

Databases:
  • IBM DB2 Universal Database 7 and 8.1 on Windows, 8.1 on Linux and 5.1.5 on OS/400
  • Microsoft SQL Server 7.0 and 2000
  • Oracle 8i and 9i

File-based agents (for generic connections):
  • DSML v2 (Directory Services Markup Language)
  • LDIF (LDAP Data Interchange Format)
  • CSV (comma-separated value) and other delimited formats
  • Fixed width
  • Attribute-value pairs

For an up-to-date list of supported systems and other enhancements in MIIS 2003 with SP1, see MIIS 2003 Product Overview.

Identity Integration Feature Pack 1a for Active Directory

The Identity Integration Feature Pack (IIFP) 1a for Windows Server Active Directory is a reduced feature set version of MIIS 2003 with SP1 with a limited number of management agents. The Identity Integration Feature Pack provides connections only to the following directories and e-mail applications:

  • Active Directory for Windows 2000 Server and later.
  • Active Directory Application Mode (ADAM).
  • GAL synchronization for Microsoft Exchange 2000 Server and Exchange Server 2003.

The IIFP is appropriate for environments that operate Microsoft directory products. For example, it is useful for synchronizing identity information between multiple forests and ADAM instances.

The software requirements for IIFP are similar to MIIS 2003 with SP1: Windows Server 2003, Enterprise Edition and Microsoft SQL Server 2000, Enterprise Edition, Standard Edition or Developer Edition (for testing purposes only).

Chapter 3: Issues and Requirements

Implementing effective identity aggregation and synchronization requires a detailed analysis of the key business and technology drivers. This chapter records these factors for the fictitious Contoso Pharmaceuticals environment, and lists the solution requirements along with the security issues that the closely related solution scenarios in the following chapters must address.

For more information about the Contoso Pharmaceuticals example organization, see the "Platform and Infrastructure" paper in this series.

Background

Organizations running multiple identity stores in heterogeneous environments often face the challenge of synchronizing digital identities across different stores in order to meet their business requirements.

Contoso experienced difficulties trying to integrate the digital identities from a recently acquired company, Fabrikam, with their existing information systems. Isolated directories and identity stores complicate the problem of overlapping identity information, because much of the information is missing, out of date, or incorrect.

Business Issues

Contoso identified the following business issues to address through identity aggregation and synchronization:

  • E-mail communication problems. Contoso e-mail address information is incorrect for many users in the growing company, due to the use of two different messaging systems (Lotus Notes and Microsoft® Exchange Server). Mission critical e-mail communications are occasionally delayed as users need to find out new e-mail addresses and send messages again.
  • No authoritative source of identity information. Users are unsure what identity information they can trust within Contoso, and it takes too long to get their user information updated in various places.
  • The expense of managing redundant data stores. The IT organization spends significant time and resources attempting to manage identical information in multiple locations.
  • The cost of training new IT staff to manage redundant data stores. New IT staff require significant training simply to ensure they can effectively manage the same identity information across many identity stores.

Technical Issues

Contoso has identified several technical issues related to identity synchronization:

  • Account information is inconsistent or incorrect. Digital identity attribute information in different identity stores is outdated or incorrect.
  • Certificate mapping. Digital certificates held by external users must be mapped to accounts so that those users can gain access to internal corporate resources.
  • Future acquisitions will be challenging and time consuming. This issue is an assumption that is based on the past experience of manually integrating Fabrikam employees. Contoso cannot predict the systems it will need to integrate, and therefore needs maximum flexibility.
  • Data validity. In order for an identity synchronization solution to perform correctly, the data being synchronized should be valid. Previously used manual processes introduced large amounts of invalid data that will need to be fixed.

Security Issues

Contoso currently keeps multiple identity stores synchronized manually, which results in critical security issues such as incorrect entitlement information. Applications use entitlement information in different identity stores to authorize user access. Often this entitlement information is entered incorrectly, is outdated, or is inconsistent with authoritative identity stores.

While there aren't many security issues related to identity aggregation and synchronization, this solution provides a solid foundation for other solutions such as provisioning and password management, which are a source of significant security risks for many organizations.

Solution Requirements

From these issues, Contoso produced the following set of requirements for aggregating and synchronizing its digital identity information:

  • Central, comprehensive, aggregated identity store. The solution must provide a comprehensive, aggregated view of all identities within the Contoso organization.
  • Flexible attribute flow and synchronization. Synchronization must propagate authoritative identity information between multiple directories and be fully customizable with respect to generating and publishing attributes in each identity store.
  • Custom attribute generation. The ability to create new custom attributes based on other available attributes is required to support capabilities required by Contoso, such as certificate mapping.
  • Mail-enabled user synchronization. Users of both Lotus Notes and Microsoft Exchange should be able to see the e-mail addresses of users of the alternate system to facilitate the sending of messages between systems. Therefore, Lotus Notes contacts must exist in Active Directory and Exchange users must exist in the Lotus Notes address book as users with Internet addresses.
  • Rapid integration with new identity stores. Because Contoso plans more acquisitions, the company needs to be able to integrate additional identity stores easily into the solution.

Chapter 4: Designing the Solution

The previous chapter considered the business, technology, and security issues for an identity aggregation and synchronization scenario, and listed the solution requirements. Designing the appropriate solution is the next part of the overall process.

The following sections in this chapter present a solution concept, the solution prerequisites, and a solution architecture for identity aggregation and synchronization. After the design is complete, a description is provided of how each part of the solution works.

Solution Concept

Contoso has decided to use an identity integration product to meet the requirements described in the previous chapter.

The following figure depicts the solution concept for identity aggregation and synchronization in the Contoso environment:

Figure 4.1. Solution concept for identity aggregation and synchronization

The Contoso solution will aggregate data through an identity integration product. This product will contain a database of aggregated identity information from multiple connected data sources and provides a single global, integrated view of all combined objects. The product will be configured to synchronize objects and object attributes between each of the identity stores.

To address the business, technology, and security issues and meet the solution requirements, Contoso selected Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

Note   The "Password Management" paper in this series builds on the solution scenario in this paper to provide password change, reset, and propagation services.

Solution Prerequisites

Contoso has the following directories and identity stores that need to participate in the solution:

  • An intranet Active Directory® forest contains all existing Contoso and Fabrikam user information. E-mail attributes differ for each company:
    • Contoso users in Active Directory have Exchange mailboxes because they use Exchange Server.
    • Fabrikam users in Active Directory are mail-enabled, but do not have Exchange mailboxes.
  • Lotus Notes release 6.5.4 contains all Fabrikam users from the acquisition. All Contoso users have been manually added as contacts in Lotus Notes.
  • A Sun ONE Directory (formerly iPlanet Directory Server) contains Fabrikam user information for use with a legacy application.
  • An extranet Active Directory forest contains Contoso sales employee shadow accounts that are mapped to employee X.509 certificates, and accounts for customers and partners that require extranet access.

All identity information is currently maintained manually within each of these identity stores. Chapter 5, "Implementing the Solution", in this paper includes details for adding the required Lotus Notes and Sun ONE Directory users.

You can use a one-way trust from your extranet Active Directory to your intranet Active Directory instead of employee shadow accounts. The "Platform and Infrastructure" paper in this series provides more information about choosing between trusts and shadow accounts for extranet purposes and includes scripts to establish the intranet Active Directory forest and extranet Active Directory forest as described in this paper.

For more information about using X.509 certificates for extranet access and single sign on, see the "Extranet Access Management" paper in this series.

Solution Architecture

Designing and planning an identity aggregation and synchronization solution based on MIIS 2003 with SP1 should be performed as you would in any other IT project, including gathering requirements, conceptual design, logical design, physical design, building a proof of concept, and creating project plans, schedule, and a budget.

Note   The papers in this series focus on the unique aspects of each solution scenario rather than the normal activities of a technology project life-cycle. For more information about planning, building, and deploying technology solutions of all kinds see the Microsoft Solutions Framework Web site.

Contoso followed several planning and design activities for MIIS 2003 with SP1 to arrive at an architecture for its identity aggregation and synchronization solution that includes:

  • Connected data sources.
  • Attributes that link identity objects.
  • Planned attribute flow.
  • A logical design.

Each of these architectural elements is described in the following sections.

Connected Data Sources

A central part of any identity aggregation and synchronization project is establishing which identity stores are the authoritative sources for both object types and object attributes. MIIS 2003 with SP1 uses a management agent (MA) to connect to each identity store. The MAs chosen by Contoso are listed in the following table, and detailed information about each is provided in the following sections.

Table 4.1. Contoso Management Agents

Data source                  | MA type                                                           | Data source description
-----------------------------|-------------------------------------------------------------------|------------------------
Intranet directory           | Active Directory                                                  | The intranet directory contains all Contoso and Fabrikam users.
Lotus Notes Release 6.5.4    | Lotus Notes 4.6 or 5.0 (works with later releases of Lotus Notes) | The Lotus Notes address book (NAB) contains users from Fabrikam who will continue to use Lotus Notes e-mail until they migrate to Exchange 2003.
Extranet directory           | Active Directory                                                  | The extranet directory contains all extranet users, including customers, partners, and shadow accounts for employees.
Sun ONE Directory Server 5.1 | Sun and Netscape Directory Servers                                | Sun ONE Directory Server 5.1 contains entries for users from Fabrikam to support authentication requests for a legacy application.

Intranet Directory Management Agent

The Contoso intranet Active Directory is the primary directory service used by Contoso. It provides directory and security services throughout Contoso's corporate network and it is the main directory they would like to manage; changes made here should be synchronized to the other connected data sources.

The Intranet Directory MA is required to:

  • Import the e-mail addresses of Exchange Server 2003 users (which are located in Active Directory) to MIIS 2003 with SP1, so that they may be exported into Lotus Notes.
  • Update mail-enabled users in the Intranet Active Directory by using the e-mail address information of Lotus Notes users, so that Exchange users can look up the addresses.

The intranet Active Directory will be the authoritative source for Contoso user objects in this solution.

Lotus Notes Management Agent

Contoso user accounts in the intranet Active Directory are mailbox-enabled for Exchange 2003 integration. Users from the acquisition of Fabrikam still have e-mail accounts in Lotus Notes and accordingly must not have Exchange mailboxes as well; they are mail-enabled only, so that their Lotus Notes addresses can appear in the Exchange address lists.

Fabrikam employees will continue to use Lotus Notes for e-mail until they are migrated to Exchange 2003. Until this occurs, the Notes address book information must be synchronized to the intranet Active Directory so that other Contoso users may reference it through the global address list (GAL). Similarly, Exchange address book information in Active Directory must synchronize to Lotus Notes.

Lotus Notes will be the authoritative source for Fabrikam user objects in this solution.

Extranet Directory Management Agent

The Contoso extranet Active Directory authenticates Contoso employees who access applications from the Internet. It also supports extranet access for customer and partner user accounts.

The "Extranet Access Management" paper in this series describes how employee extranet access is based on public key infrastructure (PKI) client certificate credentials. To support this authentication method, Contoso maintains employee accounts as "shadow" accounts in the extranet directory.

These employee shadow accounts are used only for certificate-based authentication and contain a limited amount of authorization information relevant to extranet applications. Only a small subset of each user's attributes needs to be synchronized.

Employee X.509 certificates provided by the PKI must be mapped to their extranet shadow accounts. The user's account password and other sensitive information are not synchronized to the extranet directory, so a compromise of the extranet forest does not expose intranet credentials.

Sun ONE Directory Server 5.1 Management Agent

Sun ONE Directory Server 5.1 contains entries for users from the merger with Fabrikam. This directory supports authentication requests to access a legacy application that would be too expensive to migrate to Active Directory.

Attributes that Link Identity Objects

One of Contoso's challenges was to find attribute values that exist consistently across all identity stores and can be used to link (or join, in MIIS terminology) identities between stores. Contoso was fortunate in that all of the identity stores in the solution scope share a single common attribute value, the employee's identification number (employeeID), which can be used to link the identity objects in each store with the objects that will be created in the metaverse.

Contoso understood that employeeID values might be wrong in some identity stores, so manual intervention would be needed at some point to join user objects whose employeeID values do not match. The worst case the Contoso architects planned for was an employeeID value that is wrong in one directory but matches the value of a different user. A join made on that value links two different people to one metaverse object, and any number of problems can follow, including overwritten attributes, deleted accounts, and incorrect lookups.

To reduce this risk, Contoso could have specified an additional join criterion such as surname (SN), in which case both employeeID and SN would have to match for the join to succeed. After careful analysis of the data in each store, Contoso decided that the risk from bad employeeID values was low and did not introduce additional join criteria, because they would increase the chance that legitimate joins fail during the automated join process and leave objects disconnected. Whichever criteria are used, duplicate employeeID values within a single store should be found and corrected before the first synchronization run, because a key that matches more than one object cannot be joined unambiguously.
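As an added example, not code from the paper or from MIIS, the following Python models the join decision described above: a connector-space object is linked to a metaverse object only when exactly one metaverse object shares its employeeID (optionally also its surname), an ambiguous match or a second connector from the same store is recorded for manual intervention instead of being joined, and each store is checked for duplicate keys before any run. It goes slightly beyond the text by showing the reverse collision as well (two objects in one store claiming the same metaverse object). The store contents, the MA names and the mv-NNNN identifiers are constructed for the example.

```python
"""Join resolution on employeeID with collision detection.

Added example; not the paper's code and not the MIIS API. Each store is a dict of
object id -> attributes (constructed sample data). A connector-space (CS) object joins
a metaverse (MV) object only when exactly one MV object shares the join key; anything
ambiguous is recorded as an error for manual review rather than joined.
"""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

INTRANET_AD = {
    "CN=Alice Adams": {"employeeID": "1001", "sn": "Adams"},
    "CN=Bob Brown":   {"employeeID": "1002", "sn": "Brown"},
    "CN=Carol Cole":  {"employeeID": "1003", "sn": "Cole"},
}
LOTUS_NOTES = {
    "Dan Dean/Fabrikam":   {"employeeID": "2001", "sn": "Dean"},
    "Eve Evans/Fabrikam":  {"employeeID": "1002", "sn": "Evans"},  # mistyped: collides with Bob Brown
    "Frank Ford/Fabrikam": {"employeeID": "2003", "sn": "Ford"},
}
SUN_ONE = {
    "uid=dean":  {"employeeID": "2001", "sn": "Dean"},
    "uid=ford":  {"employeeID": "2003", "sn": "Ford"},
    "uid=ford2": {"employeeID": "2003", "sn": "Ford"},  # duplicate key inside one store
}


def duplicate_keys(store: Dict[str, dict], attr: str = "employeeID") -> Dict[str, List[str]]:
    """Pre-flight check: join-key values that occur on more than one object in a store."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for obj_id, attrs in store.items():
        if attrs.get(attr):
            by_key[attrs[attr]].append(obj_id)
    return {k: ids for k, ids in by_key.items() if len(ids) > 1}


class Metaverse:
    def __init__(self) -> None:
        self.objects: Dict[str, dict] = {}                # mv id -> attributes
        self.connectors: Dict[str, Dict[str, str]] = {}   # mv id -> {MA name: CS object id}
        self.errors: List[Tuple[str, str, str]] = []      # (MA name, CS object id, reason)

    def candidates(self, cs: dict, key: str, secondary: Optional[str]) -> List[str]:
        """The join rule: MV objects whose key (and optional secondary attribute) match."""
        return [mv_id for mv_id, attrs in self.objects.items()
                if attrs.get(key) == cs.get(key)
                and (secondary is None or attrs.get(secondary) == cs.get(secondary))]

    def project(self, ma: str, cs_id: str, cs: dict) -> str:
        mv_id = f"mv-{len(self.objects) + 1:04d}"
        self.objects[mv_id] = dict(cs)
        self.connectors[mv_id] = {ma: cs_id}
        return mv_id

    def sync(self, ma: str, store: Dict[str, dict], key: str = "employeeID",
             secondary: Optional[str] = None, may_project: bool = True) -> Dict[str, str]:
        """Join or project every CS object of one MA; returns the outcome per CS object."""
        outcome: Dict[str, str] = {}
        for cs_id, cs in store.items():
            if not cs.get(key):
                self.errors.append((ma, cs_id, f"missing {key}"))
                outcome[cs_id] = "error"
                continue
            matches = self.candidates(cs, key, secondary)
            if len(matches) > 1:
                self.errors.append((ma, cs_id, f"ambiguous join: {matches}"))
                outcome[cs_id] = "error"
            elif len(matches) == 1:
                mv_id = matches[0]
                if ma in self.connectors[mv_id]:   # one connector per MA per MV object
                    self.errors.append((ma, cs_id, f"{mv_id} already joined to {self.connectors[mv_id][ma]}"))
                    outcome[cs_id] = "error"
                else:
                    self.connectors[mv_id][ma] = cs_id
                    outcome[cs_id] = f"joined {mv_id}"
            elif may_project:
                outcome[cs_id] = f"projected {self.project(ma, cs_id, cs)}"
            else:
                self.errors.append((ma, cs_id, "no match and this MA may not project"))
                outcome[cs_id] = "error"
        return outcome


def run_contoso(secondary: Optional[str] = None) -> Tuple[Metaverse, Dict[str, Dict[str, str]]]:
    """The paper's run order: the authoritative stores project, Sun ONE only joins."""
    mv = Metaverse()
    outcomes = {
        "Intranet AD": mv.sync("Intranet AD", INTRANET_AD, secondary=secondary),
        "Lotus Notes": mv.sync("Lotus Notes", LOTUS_NOTES, secondary=secondary),
        "Sun ONE": mv.sync("Sun ONE", SUN_ONE, secondary=secondary, may_project=False),
    }
    return mv, outcomes


if __name__ == "__main__":
    for store_name, store in (("Lotus Notes", LOTUS_NOTES), ("Sun ONE", SUN_ONE)):
        print(store_name, "duplicate keys:", duplicate_keys(store))
    for label, sec in (("employeeID only", None), ("employeeID + sn", "sn")):
        mv, out = run_contoso(sec)
        print(label, "->", out["Lotus Notes"]["Eve Evans/Fabrikam"], "| errors:", mv.errors)
```

With employeeID as the only criterion, the mistyped Notes object joins Bob Brown's metaverse object, which is exactly the worst case the text describes; with surname as a second criterion it is projected as a new object instead. In MIIS itself the ambiguous case is where a rules extension's ResolveJoinSearch method would be asked to choose; the example simply refuses and logs so that a person decides.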

Planned Attribute Flow

Attribute flow rules can be used to update attribute values both into (import) and out of (export) the metaverse. These import or export attribute flow rules can have either a direct or computed attribute mapping type.

Attribute precedence is used to configure the order in which two or more imported attributes are applied. This capability is useful when multiple management agents contribute to a single metaverse attribute and you want to guarantee that one particular imported attribute is given precedence over all others.

The following table lists a small subset of the attributes in the metaverse to show how Contoso has chosen to define attribute flow.

Table 4.2. Attribute Identity Flow in Contoso

Attribute             | Purpose                                    | Intranet                                  | Notes                                                 | Extranet         | Sun
----------------------|--------------------------------------------|-------------------------------------------|-------------------------------------------------------|------------------|-------
employeeID            | A unique number for each employee          | Source (has precedence); Uses; Calculated | Source (if not present in Intranet); Uses; Calculated | Uses             | Uses
displayName           | The name displayed by many user interfaces | Source (has precedence); Uses; Calculated | Source (if not present in Intranet); Uses; Calculated | Uses             | Uses
sAMAccountName        | Logon ID                                   | Source (has precedence); Uses; Calculated | Source (if not present in Intranet); Uses; Calculated | Uses             | Uses
altSecurityIdentities | Certificate mapping field                  | Uses                                      | (none)                                                | Uses; Calculated | (none)

Legend:

Source = Source for each attribute. There can be more than one source for an attribute, in which case it is necessary to specify attribute precedence. In this environment, the Intranet Active Directory has precedence.
Uses = This MA uses this attribute to populate the connected identity store.
Calculated = Attribute is calculated by the MA extension based on the values supplied by the source identity store.
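As an added example, not code from the paper or from MIIS, the following Python models the precedence rules of Table 4.2 for one Fabrikam user: the metaverse keeps each MA's contribution and exposes the value from the highest-precedence MA that currently supplies one, a lower-precedence store cannot overwrite it, the next source takes over if the precedent source withdraws its value, and a store listed only as "Uses" is refused as a source. The MA names follow the table; the Lotus Notes calculation rules (display name from the Notes full name, logon ID from initial plus surname) and the user data are assumptions for illustration, not Contoso's extension logic.

```python
"""Attribute precedence and flow modelled on Table 4.2.

Added example; not MIIS code. The metaverse records every MA's contribution to an
attribute and returns the one from the highest-precedence MA that currently
supplies a value. Calculation rules and user data are assumed for illustration.
"""
from typing import Callable, Dict, List, Optional, Tuple

# MAs allowed to source each attribute, highest precedence first (Table 4.2).
PRECEDENCE: Dict[str, List[str]] = {
    "employeeID": ["Intranet AD", "Lotus Notes"],
    "displayName": ["Intranet AD", "Lotus Notes"],
    "sAMAccountName": ["Intranet AD", "Lotus Notes"],
    "altSecurityIdentities": ["Extranet AD"],
}
# MAs that only consume ("Uses") each attribute on export.
CONSUMERS: Dict[str, List[str]] = {
    "employeeID": ["Extranet AD", "Sun ONE"],
    "displayName": ["Extranet AD", "Sun ONE"],
    "sAMAccountName": ["Extranet AD", "Sun ONE"],
    "altSecurityIdentities": ["Extranet AD"],
}


def _notes_display(cs: dict) -> str:
    return cs["FullName"].split("/")[0]                        # "Dan Dean/Fabrikam" -> "Dan Dean"


def _notes_sam(cs: dict) -> str:
    first, last = cs["FullName"].split("/")[0].split(" ", 1)
    return (first[0] + last).replace(" ", "").lower()[:20]     # "ddean"; sAMAccountName is at most 20 characters


# Assumed "Calculated" rules: how the Lotus Notes MA extension derives AD-style values from Notes fields.
CALCULATED: Dict[Tuple[str, str], Callable[[dict], str]] = {
    ("Lotus Notes", "employeeID"): lambda cs: cs["EmployeeID"],
    ("Lotus Notes", "displayName"): _notes_display,
    ("Lotus Notes", "sAMAccountName"): _notes_sam,
}


class MVObject:
    def __init__(self) -> None:
        self.contrib: Dict[str, Dict[str, str]] = {}   # attribute -> {MA name: contributed value}
        self.rejected: List[Tuple[str, str]] = []      # (MA name, attribute) flows no rule permits

    def import_flow(self, ma: str, cs_attrs: dict) -> None:
        """Inbound sync for one MA: record its contributions; an attribute it no longer supplies is withdrawn."""
        for attr, sources in PRECEDENCE.items():
            if ma not in sources:
                if attr in cs_attrs:
                    self.rejected.append((ma, attr))
                continue
            rule = CALCULATED.get((ma, attr))
            try:
                value = rule(cs_attrs) if rule else cs_attrs.get(attr)
            except (KeyError, IndexError, ValueError):
                value = None                               # inputs of a calculated rule are missing
            slot = self.contrib.setdefault(attr, {})
            if value:
                slot[ma] = value
            else:
                slot.pop(ma, None)

    def value(self, attr: str) -> Optional[str]:
        """The metaverse value: from the first MA in precedence order that currently contributes."""
        for ma in PRECEDENCE.get(attr, []):
            if ma in self.contrib.get(attr, {}):
                return self.contrib[attr][ma]
        return None

    def export_flow(self, ma: str) -> Dict[str, str]:
        """Outbound sync: the attributes this MA consumes, with their current metaverse values."""
        return {attr: self.value(attr) for attr, users in CONSUMERS.items()
                if ma in users and self.value(attr) is not None}


def fabrikam_user_timeline() -> Tuple[MVObject, List[Optional[str]]]:
    """One Fabrikam user through a sequence of imports; returns the MV displayName after each step."""
    mv, seen = MVObject(), []
    mv.import_flow("Lotus Notes", {"FullName": "Dan Dean/Fabrikam", "EmployeeID": "2001"})
    seen.append(mv.value("displayName"))   # Notes is the only source so far
    mv.import_flow("Intranet AD", {"employeeID": "2001", "displayName": "Dean, Dan", "sAMAccountName": "dan.dean"})
    seen.append(mv.value("displayName"))   # Intranet AD has precedence
    mv.import_flow("Lotus Notes", {"FullName": "Daniel Dean/Fabrikam", "EmployeeID": "2001"})
    seen.append(mv.value("displayName"))   # a lower-precedence change does not overwrite
    mv.import_flow("Intranet AD", {"employeeID": "2001", "sAMAccountName": "dan.dean"})
    seen.append(mv.value("displayName"))   # Intranet withdrew displayName; the Notes value surfaces
    mv.import_flow("Sun ONE", {"displayName": "from Sun ONE"})
    seen.append(mv.value("displayName"))   # Sun ONE only consumes; its value is rejected
    return mv, seen


if __name__ == "__main__":
    mv, seen = fabrikam_user_timeline()
    print("displayName after each step:", seen)
    print("rejected flows:", mv.rejected)
    print("export to Sun ONE:", mv.export_flow("Sun ONE"))
```

The rejected list is the check worth keeping in a real deployment: a store that is allowed to write an attribute it should only read is the usual way a less-trusted directory ends up overwriting the authoritative one.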

Logical Design

The following figure illustrates the logical design of Contoso's identity integration configuration.

Figure 4.2. Logical design for the MIIS 2003 with SP1 identity aggregation and synchronization solution

Each connector space (CS) contains a subset of objects and attributes from the connected data source (such as Lotus Notes or Sun ONE Directory Server) and acts as a staging area between the connected data source and the MIIS 2003 with SP1 metaverse (MV).

A management agent (MA) is a bi-directional data pump that manages attribute flow between a connected data source, a connector space (CS), and the MIIS 2003 with SP1 metaverse (MV).

The metaverse is a storage area that contains the aggregated identity information from multiple connected data sources and provides a single global, integrated view of all combined objects.

The metaverse in MIIS 2003 with SP1 is stored on Microsoft SQL Server™ 2000, Enterprise Edition or Standard Edition to provide a highly scalable and robust data store. MIIS 2003 with SP1 takes advantage of the transaction capabilities in SQL Server 2000 to provide checkpoint and rollback capabilities when testing attribute flows and for error recovery logic.

How the Solution Works

After implementing the solution as described in Chapter 5, a few tasks — initial identity integration operations — are performed to prepare the environment for normal operations.

  1. Import data sources into the connector spaces. This task is accomplished by running each management agent and selecting a Full Import (Stage Only) run profile. This task stages all objects from each connected data source to the connector space.
  2. Synchronization. This task is accomplished by running each MA and selecting a Full Synchronization run profile. Each MA will do one of the following:
  • Project information from the connector space into the metaverse.
  • Join (link) connector space objects to objects in the metaverse, if they have previously been projected.

After projecting or joining, the MA will perform inbound synchronization then outbound synchronization, each depending on the flow rules established. Inbound and outbound synchronization are explained later in this section.

At Contoso, the metaverse was constructed by running each MA in the order that was needed to project new objects and attributes into the metaverse or join to existing objects. The metadirectory construction requirement resulted in the following MA run order.

  1. Intranet Active Directory MA. This MA projects all Contoso users — based on the organizational unit (OU) — into the metaverse. Fabrikam users in Active Directory are not projected in this step.
  2. Lotus Notes MA. Lotus Notes is the authoritative source for all Fabrikam users, so it projects all Fabrikam users into the metaverse.
  3. Intranet Active Directory MA. When the MA is run a second time, Fabrikam users are joined to the metaverse objects projected by the Lotus Notes MA.
  4. Sun ONE MA. All users in the Sun ONE directory are Fabrikam users, so they are joined based on employeeID to the user objects projected by the Lotus Notes MA.
  5. Extranet Active Directory MA. The users in the Extranet Active Directory are a subset of the Contoso users, so the users in the extranet directory are joined based on employeeID to the existing Contoso users projected by the Intranet Active Directory MA.

The following figure illustrates the import, project, and join operations. The numbered steps correspond with the numbers in the figures.

Figure 4.3. Importing, projecting, and joining

  3. Export metaverse attribute updates. This task is accomplished by running each MA and performing an Export. The export writes the attributes in the connector space that were updated during synchronization (step 2) back to each connected data source, as shown in the following figure.

Figure 4.4. Attribute flow via synchronization and an MA export

Now that links are established from each connector space to the metaverse through a Project or Join, each MA can import and export objects and attributes between the connected data source and the connector space.

After this initial set of tasks is completed, Contoso regularly runs each MA as described in the following section to ensure ongoing consistency.

Run Profiles

Run profiles provide a series of steps that tell the MA what to do. Each MA requires at least one run profile consisting of at least one step. Steps might include a complete synchronization of all attributes and values from a connected identity store, or just the changes since the last update.

You can configure any number of run profiles for a particular MA, each of which can perform a specific set of steps. The following are the different operations you can carry out by using run profiles in MIIS.

  • Delta Import (Stage Only). Imports the changes that have occurred in the connected data source since the last import into the connector space. This works only with data sources that keep track of changes through some type of change log (also called a watermark).
  • Full Import (Stage Only). Imports the entire connected data source into the connector space. This operation is useful for initial imports, for directories that cannot use delta imports, or when the change log is incomplete for some reason. However, full imports take much longer and consume more resources than delta imports. Full imports can also be run periodically (at off-peak times) to catch any lost transactions.
  • Delta Synchronization. Synchronization processes changes from the connector space to the metaverse and then from the metaverse back to the connector space. A delta synchronization differs from a full synchronization in that it processes only the connector space object attributes that have not yet been processed by a synchronization (called pending import objects in MIIS 2003).
  • Full Synchronization. As above, synchronization processes changes from the connector space to the metaverse and then from the metaverse back to the connector space. Full synchronization evaluates and applies the synchronization rules to all objects and attributes in the connector space. A full synchronization is best used for the initial import and whenever synchronization rules are changed.
  • Delta Import/Delta Synchronization. A delta import followed by a delta synchronization in a single step; called a "one step" run profile.
  • Full Import/Delta Synchronization. A one step combination of a full import and a delta synchronization.
  • Full Import/Full Synchronization. A one step combination of a full import and a full synchronization.
  • Export. Writes the updates staged in the connector space back into the connected data source.

Note   There are additional subtle differences between one-step and two-step profiles. For a more detailed description, please see the Microsoft Knowledge Base Article Understanding Run Profiles in MIIS 2003.

Each MA is usually run through an import, synchronization, and an export, as shown in the following figure. Connected data sources considered authoritative for objects or attributes are usually imported and synchronized first.

Figure 4.5. MA run profile relationships

Ongoing Run Profiles

To enable appropriate attribute flow between the MAs, Contoso has created a regular job that runs each MA through several run profiles. All four MAs are run with the same run profiles:

  • Delta Import (Stage Only)
  • Delta Synchronization
  • Export

The first set of MA runs imports delta changes (objects that have changed since the last import) from each connected data source and stages these changes in the connector space. All delta changes in the connector space are then synchronized with the metaverse based on attribute flow; inbound synchronization pulls changes in to the metaverse, and outbound synchronization pushes changes in the metaverse into the connector space.

The Intranet Active Directory MA is run first to ensure that changes made here are available in the metaverse for the other directories. Then the other MAs complete the first round.

The second set of MA runs exports all of the changes made to each connector space back into the connected data sources. The export run profile is performed on all four MAs.

This solution provides the two key capabilities that Contoso is interested in: data aggregation and synchronization. Additionally, Contoso has written custom code to support certificate mapping for employee extranet access with X.509 certificates. Each of these processes is described in the following sections.

Inbound Synchronization (Data Aggregation)

Data aggregation typically happens when MIIS 2003 with SP1 is initially deployed. Many of the data sources do not contain a full view of the user and are missing attributes available in others. Data aggregation, also known as inbound synchronization, allows data only available in some identity data stores to be added to the metaverse.

The following figure represents the data aggregation process:

Figure 4.6. Inbound synchronization (data aggregation)

By using the information that has been staged in the connector space, the data aggregation process creates in the metaverse an integrated view of the data stored in connected data sources.

After identity data has been aggregated into the metaverse, (outbound) synchronization gives each identity store a more accurate depiction of the users throughout Contoso.

Outbound Synchronization (Account Management)

Outbound synchronization, also called account management, is the process by which the system uses data in the metaverse to update the content of the connector space. The following figure continues the scenario from the previous figure to depict this process.

Figure 4.7. Outbound synchronization (account management)

The account management process updates connected directory objects when metaverse objects change. Both processes are dictated by rules that you configure in MIIS 2003 with SP1.

Rules Extensions

MIIS 2003 with SP1 administrators can customize synchronization rules by creating rules extensions. Rules extensions are used when declarative rules (simple declarations of attribute relationships) do not suffice. An attribute that needs a complex modification can be handled by an MA extension that is invoked when the import or export attribute flow for that MA is evaluated during synchronization.

MIIS 2003 with SP1 uses Visual Studio® .NET 2003 to provide an advanced development and debugging environment for rules extensions. You create rules extensions by using a programming language such as Microsoft Visual Basic® .NET or C#. Rules extensions are implemented as a Microsoft .NET Framework class library.

Many rules extensions are straightforward and need only a line or two of code, which does not require a professional developer. In more complex scenarios, developing rules extensions should be treated with the same rigor as a software development project. In either case the extension runs inside the MIIS service and can change attributes in every connected directory the MA writes to, so it should be reviewed and tested before it is placed in the Extensions folder.

Certificate Mapping Using a Rules Extension

An attribute called altSecurityIdentities is used by the Contoso extranet Active Directory to map employee shadow accounts to the X.509 certificates that employee workstations present when accessing extranet applications via the Internet. Contoso prefers certificate authentication for employee extranet use because no passwords are used, which protects employee intranet passwords from extranet attacks. Each employee shadow account required for extranet access must have this attribute properly defined for authentication to succeed.

The altSecurityIdentities attribute is not used in the intranet Active Directory and cannot be created by using (simple) declarative rules, so an Extranet Active Directory MA extension has been developed to create this attribute. Even after accounts are created, the certificate and related attributes may change (for example, when the issuing CA is renamed or an employee's certificate subject changes), so the altSecurityIdentities attribute must be updated accordingly, and Contoso prefers this process to be automated. Because the mapping identifies the certificate only by its issuer and subject names, the extranet forest is trusting the issuing CA not to issue a certificate with the same subject to anyone else, and the value must name that CA exactly. The altSecurityIdentities attribute is a text string made up of the following parts:

  • X509:. Indicates that this is a certificate mapping string.
  • <I>. A tag indicating that the issuer of the mapped certificate follows.
  • Enterprise Issuing CA. The distinguished name (DN) of the enterprise issuing CA, as it appears in the certificate's Issuer field.
  • <S>. A tag indicating that the subject of the mapped certificate follows.
  • Account DN. The DN of this employee's account as contained in the Subject field of their certificate.

The following is an example of a completed altSecurityIdentities string. It is stored as a single value with no spaces or line breaks between the parts, and the DN components are written with the domain components first, which is the reverse of the order in which most certificate viewers display them:

X509:<I>DC=com,DC=contoso,DC=corp,CN=Contoso Issuing CA<S>DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees,CN=0277946,E=Jsmith@contoso.com

For the code details behind this certificate mapping, please see the ExtranetADMA extension project (ExtranetDirectoryADMA.vb file) in the Tools and Templates for this paper.
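As an added example, and not the ExtranetDirectoryADMA.vb code referred to above, the following Python builds an altSecurityIdentities value from a certificate's issuer and subject names and checks whether an account's existing values still match it. It assumes the issuer and subject are supplied in the order certificate viewers display them (most specific component first) and reverses them into the order Active Directory expects; the DN splitter honours RFC 2253 backslash escapes so a comma inside a name does not break the value. The sample DNs reproduce the paper's example and are constructed for the test.

```python
"""Build and check altSecurityIdentities certificate-mapping strings.

Added example; not the paper's ExtranetDirectoryADMA.vb code. Issuer and subject
are taken as display-order DNs (most specific RDN first); AD stores each name with
the top-most component first, so the RDNs are reversed. Sample DNs are constructed.
"""
import re
from typing import List, Optional, Tuple

MAPPING_RE = re.compile(r"^X509:<I>(?P<issuer>.+?)<S>(?P<subject>.+)$")


def split_rdns(dn: str) -> List[str]:
    """Split a DN on commas, honouring backslash escapes such as 'CN=Smith\\, John'."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]


def to_ad_order(display_dn: str) -> str:
    """CN=...,OU=...,DC=... (display order) -> DC=...,OU=...,CN=... (the order AD expects)."""
    return ",".join(reversed(split_rdns(display_dn)))


def build_mapping(issuer_dn: str, subject_dn: str) -> str:
    """The value to write: X509:<I>issuer<S>subject as one string with no whitespace around the tags."""
    return f"X509:<I>{to_ad_order(issuer_dn)}<S>{to_ad_order(subject_dn)}"


def parse_mapping(value: str) -> Optional[Tuple[str, str]]:
    """(issuer, subject) from a stored value, or None if it is not an X509 issuer/subject mapping."""
    m = MAPPING_RE.match(value)
    return (m["issuer"], m["subject"]) if m else None


def needs_update(existing_values: List[str], issuer_dn: str, subject_dn: str) -> bool:
    """True unless one of the account's current values equals the expected mapping exactly.

    Exact comparison is the conservative choice: a renamed CA or a changed subject
    (the cases the paper says must trigger a re-map) shows up as a mismatch.
    """
    return build_mapping(issuer_dn, subject_dn) not in existing_values


if __name__ == "__main__":
    issuer = "CN=Contoso Issuing CA,DC=corp,DC=contoso,DC=com"
    subject = "E=Jsmith@contoso.com,CN=0277946,OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com"
    print(build_mapping(issuer, subject))
    stale = ["X509:<I>DC=com,DC=contoso,DC=corp,CN=Old Contoso CA<S>" + to_ad_order(subject)]
    print("re-map needed:", needs_update(stale, issuer, subject))
```

Because altSecurityIdentities is multi-valued, an extension that re-maps an account should add the new value and remove the stale one rather than replace the whole attribute, so that any mapping written for a different purpose is left intact.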

Extending the Solution

The Contoso solution presented in this paper illustrates how MIIS 2003 with SP1 can deliver identity aggregation and attribute synchronization across a wide variety of directory and non-directory identity stores. MIIS 2003 with SP1 can automate the process of managing and updating identity information across heterogeneous platforms while maintaining the integrity and ownership of the data across an organization.

You can customize decisions and configurations required for attribute flow, join, projection, and attribute manipulation. Taken together with the other products in this solution, MIIS 2003 with SP1 provides a powerful addition to your identity and access management platform.

Follow-on Solution Scenarios

Synchronizing identity information establishes a foundation for several additional identity life-cycle management solutions, including:

  • Password management
  • Provisioning
  • Group management

The "Password Management" paper in this series provides additional information about how Contoso has extended this solution to ensure password strength and provide password change, reset, and propagation capabilities.

Many organizations build on aggregation and synchronization and use additional capabilities of MIIS 2003 with SP1, such as the automation of provisioning and deprovisioning.

Another useful solution enabled by aggregation and synchronization is the automated generation and maintenance of security groups and distribution lists.

For more information about these topics, please see the MIIS 2003 Scenario Walkthroughs, available on the Microsoft Identity Integration Server 2003 Web page.

Chapter 5: Implementing the Solution

You now understand the business requirements and specifications for implementing the solution that addresses the identity aggregation and synchronization issues at Contoso. This chapter provides prescriptive guidance on how to implement the necessary components of the identity and access management solution by using Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1).

The prerequisites and implementation guidance in this chapter can be verified by following the guidance in Chapter 6, "Testing the Solution."

Tools and Templates

The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.

Note   These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.

When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you choose to install it.

Figure 5.1. The Tools and Templates folder structure

This guide assumes that you have installed the Tools and Templates into the default location (%UserProfile%\My Documents\Identity and Access Management Tools and Templates). If you use a different installation location, ensure that you use the same path in all the steps in this document.

Note   The Tools and Templates MSI package can sometimes produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.

Folder: Baseline

Table 5.1. The Baseline Folder

File name         | Purpose
------------------|--------
SunOneObjects.ldf | This file is used to create users in Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) by using LDIFDE.exe.
LotusObjects.txt  | This file is used to create users in Lotus Notes 6.5.4 by using the Import function in Domino Administrator.

Folder: MIIS Extensions

MIIS Extensions are used for advanced flow rules and certificate mapping. The source code provided was designed for this scenario and must be compiled into DLLs, which are then placed in the Extensions directory in the MIIS folder structure. MIIS loads the compiled extensions and calls them during the synchronization process. Because the extensions run with the privileges of the MIIS service, review the source before you compile and deploy it.

Subfolder: ExtranetDirectoryADMA

ExtranetDirectoryADMA Project — implements the ExtranetDirectoryADMAExtension.DLL file.

Table 5.2. The ExtranetDirectoryADMA Subfolder

File name                    | Purpose
-----------------------------|--------
AssemblyInfo.vb              | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
ExtranetDirectoryADMA.sln    | The solution file used within the development environment. It organizes all elements of the Extranet Directory ADMA into a single solution.
ExtranetDirectoryADMA.vb     | VB.NET file for the Extranet Directory ADMA extension.
ExtranetDirectoryADMA.vbproj | The project file for the Extranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project.

Subfolder: IntranetDirectoryADMA

IntranetDirectoryADMA Project — implements the IntranetDirectoryADMAExtension.DLL file.

Table 5.3. The IntranetDirectoryADMA Subfolder

File name                    | Purpose
-----------------------------|--------
AssemblyInfo.vb              | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
IntranetDirectoryADMA.sln    | The solution file used within the development environment. It organizes all elements of the Intranet Directory ADMA into a single solution.
IntranetDirectoryADMA.vb     | VB.NET file for the Intranet Directory ADMA extension.
IntranetDirectoryADMA.vbproj | The project file for the Intranet Directory ADMA project. It contains the configuration and build settings and keeps a list of files associated with the project.

Subfolder: Lotus Notes MAExtension

Lotus Notes MAExtension Project — implements the Lotus Notes MAExtension.dll file.

Table 5.4. The Lotus Notes MAExtension Subfolder

File name                     | Purpose
------------------------------|--------
AssemblyInfo.vb               | An information file that contains metadata about the assemblies in a project, such as name, version, and culture information.
Lotus Notes MAExtension.sln   | The solution file used within the development environment. It organizes all elements of the Lotus Notes MA into a single solution.
Lotus Notes MAExtension.vb    | VB.NET file for the Lotus Notes MA extension.
Lotus Notes MAExtension.vbproj | The project file for the Lotus Notes MA project. It contains the configuration and build settings and keeps a list of files associated with the project.

Folder: MA Configuration

Table 5.5. The MA Configuration Folder

File name          | Purpose
-------------------|--------
IDMGTExtranet.xml  | This configuration file supplies configuration-specific data to the extension so that it can be changed without modifying the source code. This file should be placed in the Extensions folder.
MVSchemaExport.xml | This schema file updates the default metaverse schema that is created when installing MIIS 2003 with SP1. The scenario requires the metaverse to be extended with specific attributes; importing MVSchemaExport.xml adds these attributes to the default MIIS schema.

Folder: MA Exports

Exported management agents contain saved MA configuration information, which can be imported into MIIS 2003 with SP1 Identity Manager. The call-based MAs need a valid user account and password for the connected directory, as well as the partitions specific to that directory; the export file does not carry the password, so you must supply it when you import the MA. You may also need to change the connection and partition information if the connected directory structure differs from that specified in the file.

Table 5.6. The MA Exports Folder

File name        | Purpose
-----------------|--------
ExtranetADMA.xml | Exported management agent for the Extranet Directory MA.
IntranetADMA.xml | Exported management agent for the Intranet Directory MA.
LotusNotesMA.xml | Exported management agent for the Lotus Notes MA.

Folder: Operations

The following scripts can be used with the Windows Task Scheduler to run the MA synchronization on a schedule.

Table 5.7. The Operations Folder

File name   | Purpose
------------|--------
MA-Runs.cmd | Serializes the management agent runs by calling runMA.vbs with the parameters (MA name and run profile name) that select each MA run profile.
runMA.vbs   | Uses Windows Management Instrumentation (WMI) to execute MA runs based on MA name and run profile.

Implementation Prerequisites

The Contoso identity and access management solution requires the following software. To implement and test the entire Contoso solution, all components must be installed. The recommended configuration is to implement all components in order to work through the entire solution from beginning to end. It is essential to install the software in the prescribed order for this scenario to work properly. Please refer to the diagram in chapter 4 for a clear picture of the network architecture of these components:

  • Microsoft Windows Server™ 2003, Enterprise Edition.
  • Microsoft SQL Server™ 2000, Enterprise Edition with Service Pack 3 (SP3). In the following prescriptive steps, SQL Server is running on the same server as MIIS 2003 with SP1.
  • MIIS 2003 with SP1.
  • Exchange Server 2003 in the intranet Active Directory forest.
  • Visual Studio® .NET 2003 to build rules extensions. In the following prescriptive steps, this software is installed on the same server as MIIS 2003 with SP1.
  • Scenario-specific scripts to create the MIIS 2003 with SP1 extensions and MA export files.
  • Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server).
  • Lotus Notes Domino Server Release 6.5.4.
  • Lotus Notes Client Release 6.5.4 installed on the MIIS 2003 with SP1 server.

For these implementation details to work correctly, you need to have a basic Contoso infrastructure implemented as introduced in the "Platform and Infrastructure" paper in this series, as described in the "Designing the Infrastructure" and "Implementing the Infrastructure" chapters, including:

  • An intranet Active Directory forest that contains the provided Contoso organizational units (OUs) and users.
  • An extranet Active Directory forest that contains the provided Contoso OUs, groups, and users.
  • A three-tier public key infrastructure (PKI) for certificate services, which is required for completion of the "Extranet Access Management" paper in this series.

Note   The beginning of Chapter 6, "Testing the Solution" later in this paper provides some basic verification tests to ensure that your infrastructure is implemented correctly.

Implementation Overview

Implementing this solution scenario involves the following activities, each of which is detailed in the following sections:

  • Intranet Firewall Configuration
  • Contoso Baseline Preparation
  • Service Account Preparation
  • MIIS 2003 with SP1 Installation and Configuration
  • MIIS 2003 with SP1 Management Agent Configuration
  • Initial Identity Management Operations

Intranet Firewall Configuration

The Contoso design provides for the greatest possible isolation between the external and internal network. However, the design calls for the synchronization of shadow accounts in the extranet Active Directory. For this to work, you must open ports in the firewall between the intranet and extranet as shown in tables 5.8 and 5.9. Configure the firewall to allow traffic initiation only from the intranet side over these ports.

In order to reduce the number of open ports, configure the remote procedure call (RPC) dynamic port allocation on the domain controller for perimeter.contoso.com in the external network. Contoso selected ports in the range 57500-57520.

For more information about setting dynamic RPC ports through a firewall see How to configure RPC dynamic port allocation to work with firewalls.

For MIIS 2003 with SP1 (located in the intranet Active Directory forest corp.contoso.com) to connect to the extranet Active Directory forest (perimeter.contoso.com), the internal DNS service must be able to resolve addresses and service records for the external forest. In addition to opening the DNS ports in the firewall, add a conditional forwarder on the intranet corp.contoso.com root name server that points to the extranet perimeter.contoso.com name server.

To configure conditional forwarders in the internal root domain controller

  1. Launch the DNS Admin tool on <ROOT_DC_NAME>.
  2. In the console tree, right-click <ROOT_DC_NAME> and then click Properties.
  3. In the <ROOT_DC_NAME> Properties dialog box, click the Forwarders tab.
  4. In the DNS Domain box, click New.
  5. In the New Forwarder dialog box, in the DNS Domain box, type perimeter.contoso.com and then click OK.
  6. Ensure the perimeter.contoso.com domain is selected. In the Selected domain's forwarder IP address list box, type <ip_address> (where <ip_address> is the IP address of the external domain DNS server), and then click Add.
  7. In the <ROOT_DC_NAME> Properties dialog box, click the Root Hints tab and then click Remove to remove all entries.

The following table lists all the outbound ports in the external firewall that need to be opened from the MIIS 2003 with SP1 server's IP address to the external domain controller's IP address.

Table 5.8. Outbound Ports from MIIS 2003 with SP1 Server to External Domain Controller

| Outbound port | Protocol | Purpose |
| --- | --- | --- |
| 389 | TCP and UDP | LDAP |
| 88 | TCP and UDP | Kerberos authentication protocol |
| 135 | TCP | RPC Endpoint Mapper |
| 57500-57520 | TCP | Dynamic RPC ports |
| 464 | TCP and UDP | Kerberos Change Password |

The following table lists the outbound port in the internal firewall that needs to be opened from the internal root domain controller's IP address to the external domain controller's IP address.

Table 5.9. Outbound Port from Internal Root Domain Controller to External Domain Controller

| Outbound port | Protocol | Purpose |
| --- | --- | --- |
| 53 | TCP and UDP | DNS |

Contoso Baseline Preparation

After all the prerequisites have been installed and verified, you can run the provided scripts to further configure the Contoso environment. Configuring the Contoso environment for this MIIS 2003 with SP1 scenario involves creating a set of base level objects in Lotus Notes and Sun ONE Directory Server. Complete the following tasks to configure each respective system.

  • Task 1: Populate Sun ONE Directory Server
  • Task 2: Populate Lotus Notes

Task 1: Populate Sun ONE Directory Server

The Contoso Sun ONE Directory Server is required for authentication to legacy Contoso applications. If you have implemented the Sun ONE component in your solution, these scripts will create the required users needed for the Contoso scenario. These scripts should be executed from an open command prompt.

Using SunONEObjects.ldf

Execute the SunONEObjects.ldf file by using the ldifde.exe tool. Ensure that you execute ldifde.exe as follows from the command prompt:

LDIFDE.EXE -i -s <server name> -a "<target user DN>" * -f <Ldf Object Filename>

-i enables "import" mode for LDIFDE.

-s denotes the server name hosting the Sun ONE Directory.

-a specifies the full distinguished name of a valid Sun ONE user identity that will be used to perform a simple bind to LDAP. This identity must be for a user who currently exists in Sun ONE. This value must be followed by an asterisk *.

-f specifies the LDIF compliant file to process.

An example of script execution is as follows:

LDIFDE.EXE -i -s <Sun ONE Server> -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"

You can execute the script remotely. If so, ensure that the target workstation has access to the Sun ONE Directory Server namespace.

To configure the Sun ONE Directory Server environment

  1. Log on to the server hosting Sun ONE Directory Server 5.1 with administrative privileges.
  2. Check to ensure the SunONEObjects.ldf file is present in the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline folder.
  3. Click Start, click Run, type CMD.EXE and then press ENTER to open a command prompt.
  4. Execute LDIFDE.EXE from the command line to process the Sun ONE LDIF compliant data file SunONEObjects.ldf.
  5. Execute LDIFDE.EXE by using the SunONEObjects.ldf file. Ensure that you execute the script as follows from the command prompt:

    LDIFDE.EXE -i -s FFL-SA-IPLANET -a "uid=admin,ou=Administrators,ou=TopologyManagement,o=NetscapeRoot" * -f "%UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\Baseline\SunONEObjects.ldf"

Replace FFL-SA-IPLANET with the hostname of your Sun ONE Directory Server.

  6. When prompted, enter the password for the user account associated with the -a switch.
  7. Ensure that the script returns a The command has completed successfully status for all operations. If any errors occur, correct the problem and rerun the script.

Task 2: Populate Lotus Notes

Lotus Notes is used for e-mail by the external Fabrikam organization. If you have implemented the Lotus Notes component in your solution, complete the following steps to manually add five test users.

Note   You can add these users automatically by using the import function in the Lotus Notes Administrator program to import the LotusObjects.txt file into the Fabrikam Directory.

To configure the Lotus Notes environment

  1. Log on to the server hosting Lotus Notes with administrative privileges to the Notes e-mail system.
  2. Using the Notes Administrator, create three Fabrikam users based on the information provided in the following tables:

    Table 5.10. Basic Tab Information for Fabrikam Users

| First name | Last name | Short name | User name |
| --- | --- | --- | --- |
| Robert | Barker | rbarker | Robert Barker/Fabcorp |
| Richard | Byham | rbyham | Richard Byham/Fabcorp |
| Susan | Eaton | Seaton | Susan Eaton/Fabcorp |

Table 5.11. Mail Tab Information for Fabrikam Users

| Mail system | Domain | Mail server | Mail file | Internet address |
| --- | --- | --- | --- | --- |
| Notes | Fabrikam | FFL-sa-lotus | Robert Barker/Fabcorp | rbarker@fabrikam.com |
| Notes | Fabrikam | FFL-sa-lotus | Richard Byham/Fabcorp | rbyham@fabrikam.com |
| Notes | Fabrikam | FFL-sa-lotus | Susan Eaton/Fabrikam | seaton@fabrikam.com |

Table 5.12. Work/Home Tab Information for Fabrikam Users

| Title | Company | Department | EmployeeID | Manager | City | Country |
| --- | --- | --- | --- | --- | --- | --- |
| Engineer II | Fabrikam | Research & Development | 0871357 | rbyham | London | United Kingdom |
| Manager Research & Development | Fabrikam | Research & Development | 0681581 | dbradley | London | United Kingdom |
| Engineer | Fabrikam | Research & Development | 0089171 | rbyham | London | United Kingdom |

  3. Using the Notes Administrator, create two Contoso users based on the information provided in the following tables:

    Table 5.13. Basic Tab Information for Contoso Users

| First name | Last name | Short name | User name |
| --- | --- | --- | --- |
| Amy | Alberts | aalberts | aalberts |
| David | Bradley | dbradley | dbradley |

Table 5.14. Mail Tab Information for Contoso Users

| Mail system | Forwarding address |
| --- | --- |
| Other Internet Mail | aalberts@contoso.com |
| Other Internet Mail | dbradley@contoso.com |

Table 5.15. Work/Home Tab Information for Contoso Users

| Personal title | Company | Department | EmployeeID | Manager | City | Country |
| --- | --- | --- | --- | --- | --- | --- |
| Research Assistant | Contoso | Customer Service | 0061054 | rbyham | Palo Alto | United States |
| Chief Executive Officer | Contoso | Operations | 0042399 | | Palo Alto | United States |

When complete, there should be five users (three from Fabrikam and two from Contoso) present in the environment.

MIIS 2003 with SP1 Installation and Configuration

The tasks in this section provide guidance for installing MIIS 2003 with SP1 and configuring it for the sample Contoso environment. These tasks include:

  • Task 1: Preparing the MIIS Server
  • Task 2: Service Account Creation
  • Task 3: Service Account Configuration
  • Task 4: Install MIIS 2003 with SP1 Server
  • Task 5: Build MIIS Extensions
  • Task 6: Configure Sun ONE Directory Server 5.1 for this Scenario
  • Task 7: Configure Lotus Notes release 6.5.4 for this Scenario

Task 1: Preparing the MIIS Server

The steps in this task assume that Windows Server 2003, Enterprise Edition, Microsoft SQL Server 2000, and MIIS 2003 with SP1 are installed on the C: drive.

Important   Perform these instructions in the prescribed sequence. Performing any steps out of order may cause the scenario to fail.

To install MIIS 2003 with SP1 and perform basic configuration

  1. Install Windows Server 2003, Enterprise Edition.
    1. The computer name for the scenario is FFL-NA-MIIS-01. You can choose another computer name without affecting the scenario.
    2. Configure the IP address of your MIIS Server in the same address space of your network. Ensure that the DNS entries in the TCP/IP properties of the network connection are correct. Otherwise, you will not be able to join the computer to the domain.
    3. Join the computer to the domain na.corp.contoso.com.
    4. Install IIS 6.0 with ASP.NET support and FrontPage Server 2002 Extensions (prerequisites for Visual Studio .NET 2003).
  2. Install SQL Server 2000, Enterprise Edition.
  3. During setup, be sure to select Windows Authentication Mode for SQL Server.
  4. Install SQL Server 2000 Service Pack 3 (SP3). After SP3 setup completes, ensure that the SQL Server service is running.
  5. Install Microsoft Visual Studio .NET 2003 on the MIIS 2003 with SP1 server, which will allow you to develop or debug MIIS 2003 with SP1 extensions.

Note   This is only for test systems, as production systems would typically not include Visual Studio. On production systems, all debugging should be done in the test environment, and only the changed DLL should be moved into Visual SourceSafe (VSS). When the DLL is in VSS, it can then be checked out and moved into the production system.

Task 2: Service Account Creation

MIIS 2003 with SP1 uses service accounts for several MAs, such as the Active Directory and the SQL Server MAs. You must ensure that these service accounts exist before you install MIIS 2003 with SP1.

To create the service accounts

  1. Create the MIISservice account by using the Local Users and Groups node of the Computer Management console on the MIIS server.
  2. Create the MIISADIntranet account by using Active Directory Users and Computers in the intranet forest.
  3. Create the MIISADExtranet account by using Active Directory Users and Computers in the extranet forest.

Task 3: Service Account Configuration

The Microsoft Identity Integration Server service runs in the security context of a specific account. Because the account will have access to all of the MIIS 2003 with SP1 resources, this account should be locked down.

The Active Directory MA Accounts in the intranet and extranet Active Directory forests must have permission to discover objects and their attributes as well as write attribute updates to those accounts. Because Contoso has not yet implemented provisioning and deprovisioning of user accounts, permissions are not required to create and delete objects.

To configure the service accounts for appropriate access

  1. Set restrictions for the MIIS Service Account on the MIIS server by performing the following steps:
    a. Open Local Security Policy on the MIIS server.
    b. In the console tree, click User Rights Assignment located under Security Settings, Local Policies.
    c. In the details pane, double-click the user right Deny log on as a batch job.
    d. In UserRight Properties, click Add User or Group.
    e. Add the MIISservice account, and click OK.
    f. Repeat steps c to e until all the following user rights restrictions have been set:
      • Deny log on locally.
      • Deny log on by using Terminal Services.
      • Deny access to this computer from the network.
  2. Configure the MA service accounts to discover objects by granting the Replicating Directory Changes permission:
    a. Log on to an intranet domain controller.
    b. Open the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in.
    c. On the View menu, click Advanced Features.
    d. Right-click the domain object na.corp.contoso.com, and then click Properties.
    e. On the Security tab, if the account MIISADIntranet is not listed, click Add, enter the account, and click OK; if the account is listed, proceed to step h.
    f. In the Select Users, Computers, or Groups dialog box, select the desired user account, and then click Add.
    g. Click OK to return to the Properties dialog box.
    h. Click the Intranet or Extranet user account as applicable.
    i. Click to select the Replicate Directory Changes check box in the Allow column.
    j. Click Apply, and then click OK.
    k. Close the MMC snap-in.

Repeat the previous steps for the extranet Active Directory perimeter.contoso.com using the MIISADExtranet account.

Note   Replicate Directory Changes is required on each domain in the forest for which you will be discovering objects. For more information about how to set the Replicate Directory Changes permission, see How to grant the "Replicating Directory Changes" permission for the Microsoft Metadirectory Services ADMA service account.

  3. Configure the Write All Properties permission on OUs containing user accounts managed by MA service accounts by performing the following:
    a. Log on to an intranet domain controller.
    b. Open the Active Directory Users and Computers MMC snap-in.
    c. On the View menu, click Advanced Features.
    d. Right-click the Employees organizational unit OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com and then click Properties.
    e. On the Security tab, if the account MIISADIntranet is not listed, click Add, enter the account, and then click OK; if the account is listed, proceed to step h.
    f. Click OK to return to the Properties dialog box.
    g. Click the Intranet or Extranet user account as applicable.
    h. Click the Advanced button.
    i. Select the Active Directory account; click the Edit button.
    j. In the Apply Onto box, select Child Objects Only.
    k. Select the following boxes to set permissions:
      • Read All Properties
      • Write All Properties
    l. Click OK to close the Permission Entry dialog box, click OK to close the Advanced Security Settings dialog box, and then click OK again.

Repeat the previous steps in the extranet Active Directory for the MIISADExtranet account in this organizational unit: OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

Note   The Write All Properties permission should be assigned on all objects in each OU that MIIS service accounts need to manage.

Task 4: Install MIIS 2003 with SP1 Server

This task installs MIIS 2003 with SP1 with the default settings.

To install MIIS 2003 with SP1

  1. Install MIIS 2003 with SP1, accepting all defaults during the setup process. At the prompt for the service account, enter the account details for the new MIIS 2003 with SP1 service account MIISservice and the computer name of the server running MIIS 2003 with SP1. The account that you use when you run setup is placed in the group with the highest privileges, which is the MIIS 2003 with SP1 administrators group (MIISAdmins).
  2. After completing the setup process, you must log off the computer and then log on again for MIIS 2003 with SP1 to recognize your membership in the MIISAdmins group. Perform this step before running MIIS 2003 with SP1 the first time.

Note   If a user other than an administrator for MIIS 2003 with SP1 runs this scenario, you must first add the user to the MIISAdmins group.

  3. Increase the default Kerberos version 5 authentication protocol time-out value on the MIIS 2003 with SP1 server by adding the registry parameter KdcWaitTime to the following registry key and setting the time-out value to 30 seconds. The time-out must be increased from the default of 5 seconds so that network latency does not cause Kerberos protocol time-out errors.
    1. Start Registry Editor.
    2. Under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key, create a REG_DWORD value named KdcWaitTime and set its value to 30 (seconds).
    3. Restart the MIIS 2003 with SP1 server for the changes to take effect.

Task 5: Build MIIS Extensions

There are several MIIS Extensions included with the Tools and Templates for this paper. These extensions need to be compiled into DLLs for use with MIIS 2003 with SP1.

To open the MIIS Extensions and compile the DLLs

  1. Open Visual Studio 2003.
  2. Click File, point to Open, and then click Project.
  3. Open IntranetDirectoryADMA.sln from %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MIIS Extensions\IntranetDirectoryADMA.
  4. On the Build menu, click Build Solution.

This creates the IntranetDirectoryADMA.dll file.

  5. Repeat steps 1-4 for all projects in the following table.

    Table 5.16. Additional Custom Extension Projects

| Project name | Compiled .dll file |
| --- | --- |
| ExtranetDirectoryADMA | ExtranetDirectoryADMA.dll |
| Lotus Notes MAExtension | Lotus Notes MAExtension.dll |

  6. Copy all three compiled DLL files to the following location:

<MIIS Installation Directory>\Extensions directory.

Note   The default MIIS 2003 with SP1 installation directory is C:\Program Files\Microsoft Identity Integration Server.

  7. Copy the %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Configuration\IDMGTExtranet.xml file to the <MIIS Installation Directory>\Extensions folder.
  8. Edit the <MIIS Installation Directory>\Extensions\IDMGTExtranet.xml file as necessary to modify the extranet management agent parameters. The following table shows the default values for these parameters. Additionally, if your configuration is different with regard to server name or OU structure, modify this file to reflect the correct names.

    Table 5.17. Configuration Parameters for the Extranet Management Agent

| XML variable | Use | Typical value |
| --- | --- | --- |
| Ext-upn-suffix | UPN suffix for extranet Active Directory domain users. | @na.corp.contoso.com |
| ExtMailDomain | E-mail domain for extranet users. | @contoso.com |
| issuing-CA-dn | Distinguished name for issuing CA in reverse order format. | DC=com,DC=contoso,DC=corp,CN=ICA |
| CA-subject-prefix | Distinguished name for users in CA subject in reverse order format. | DC=com,DC=contoso,DC=corp,DC=na,OU=ContosoCorp,OU=Employees |

Task 6: Configure Sun ONE Directory Server 5.1 for this Scenario

You must complete this task if you implement Sun ONE Directory Server integration for your implementation.

To configure MIIS 2003 with SP1 for Sun ONE Directory Server 5.1 integration

  1. Locate Sun ONE Directory Server 5.1. The Contoso environment uses OU=People and DC=Fabrikam,DC=com in the Sun ONE Directory Server.
  2. To enable delta import capabilities, enable the Retro Changelog plug-in on the Sun ONE Directory Server.

Note   To enable secure connections to your Sun ONE Directory server, enable SSL on Sun ONE.

Task 7: Configure Lotus Notes Release 6.5.4 for this Scenario

You must complete this task if you implement Lotus Notes integration.

To configure MIIS 2003 with SP1 for Lotus Notes integration

  1. Locate the Lotus Notes Domino Release 6.5.4 server. The Contoso environment uses the Lotus Notes OU Fabrikam (/O=Fabrikam) as the certifier.
  2. Install the Lotus Notes Release 6.5.4 client on the computer running MIIS 2003 with SP1. The Lotus Notes MA uses this client to access the Lotus Notes Address Book (NAB).
    1. Using the Lotus Notes administrator account, verify that you can access Lotus Notes with the Lotus Notes client before you create the Lotus Notes MA.
    2. Assign the MIIS 2003 with SP1 service account MIISservice full control permissions on the Lotus Notes installation directory on the MIIS 2003 with SP1 server.

MIIS 2003 with SP1 Management Agent Configuration

This section provides detailed procedures to configure the four management agents (MAs). During this process, you will also configure the following management agent functionality:

  • Import sources or export targets
  • Import attribute flow rules
  • Projection rules
  • Join rules
  • Export attribute flow rules
  • Run profiles

You will use MIIS 2003 with SP1 Identity Manager to create the four MAs and specify all of the details for object, attribute, and rule selection for each of them. To accomplish this you must complete the following tasks in the order they are listed:

  • Task 1: Extend the MIIS Metaverse Schema
  • Task 2: Create the Sun ONE Directory Server Management Agent
  • Task 3: Create the Intranet Directory Management Agent
  • Task 4: Create the Extranet Directory Management Agent
  • Task 5: Create the Lotus Notes Management Agent
  • Task 6: Set Attribute Flow Precedence
  • Task 7: Set Manual Attribute Flow Precedence
  • Task 8: Create Run Profiles

Task 1: Extend the MIIS 2003 with SP1 Metaverse Schema

This scenario requires you to add two attributes to the MIIS 2003 with SP1 schema. In order to expedite this process, use the exported metaverse schema to import these attributes into MIIS.

To extend the metaverse schema using an exported metaverse schema

  1. Click Start, point to All Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.
  2. On the Tools menu, click Metaverse Designer.
  3. On the Actions menu, click Import Metaverse Schema.
  4. In the Open dialog box, locate the file %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Configuration\Mvschemaexport.xml, included as part of the Tools and Templates for this paper. After you have located the file, click Open.
  5. The following message should display: The schema import completed successfully. Click OK to close the dialog.

The following attributes should be added for Object Type: Person by the metaverse schema import process:

  • sAMAccountName
  • userPrincipalName

Task 2: Create the Sun ONE Directory Server 5.1 Management Agent

Now you can define the options for the Sun ONE Directory Server 5.1 MA to enable it to import existing Sun ONE directory data. In the following task, you will create the join rule and the conditions in which connector space objects for the Sun ONE Directory Server MA join to the metaverse person object. You will also create import and export attribute flow mappings for the Sun ONE Directory MA data source attributes.

To create the Sun ONE Directory Server 5.1 MA

  1. Create the management agent by performing the following:
    1. On the Tools menu, click Management Agents.
    2. On the Actions menu, click Create.
    3. In Create Management Agent, in Management agent for, click Sun and Netscape directory servers.
    4. In Name, type Sun ONE Directory MA.
    5. Click Next.
  2. Specify logon information by performing the following:
    1. In Create Management Agent, on the Specify Logon Information page, in Server, type the name of the Sun ONE Directory Server 5.1 server to which you want to connect, and then type a port number, user name, and password.
    2. Click Next.

Note   For secure communications to the Sun ONE Directory Server, enable SSL on the server and select Enable Secure Sockets Layer (SSL) for communications on the Create Management Agent, Specify Logon Information page.

  3. To set the naming context configuration, perform the following:
    1. In Select a Naming Context, select the partition for the naming context.
    2. If you are using the default scenario setup, this will be dc=fabrikam,dc=com.
    3. Click Containers to select it.
    4. On the Select Containers page, clear the check boxes for all containers except the container where the scenario data was imported during setup. If you are using the default scenario setup, this will be People.
    5. Click OK, and then click Next.
    6. Select object types.
    7. In Object Types, click inetOrgPerson.
    8. Click Next.
    9. Select attributes.
    10. In Attributes, select Show All, and then select the following attributes:
      • description
      • displayName
      • employeeNumber
      • facsimileTelephoneNumber
      • givenName
      • mail
      • manager
      • sn
      • telephoneNumber
      • uid
      • l
      • title
    11. Click Next.
  4. Do not modify the settings on the Configure Connector Filter page. Click Next.
  5. Configure join and projection rules:
    1. In Data Source Object Type, select inetOrgPerson.
    2. Click New Join Rule.
    3. In Metaverse object type, select Person.
    4. In Mapping Type, click Direct.
    5. In the Data source attribute list, select employeeNumber and in the Metaverse attribute list, select employeeID.
    6. Click Add Condition.
    7. Click OK.
    8. Click Next.
  6. Configure attribute flow.
    1. In Data source object type, select inetOrgPerson.
    2. In Metaverse object type, select Person.
    3. In Mapping Type, click Direct.
    4. In Flow Direction, click the correct flow direction based on the following table.
    5. Create the attribute mappings as indicated in the following table and then click Next.

    Table 5.18. Sun ONE Directory MA Attribute Mapping

| Sun ONE Directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
| --- | --- | --- | --- |
| description | company | Direct | Export |
| displayName | displayName | Direct | Export |
| employeeNumber | employeeID | Direct | Export |
| facsimileTelephoneNumber | facsimileTelephoneNumber | Direct | Export |
| givenName | givenName | Direct | Export |
| l | l | Direct | Export |
| mail | mail | Direct | Export |
| sn | sn | Direct | Export |
| telephoneNumber | telephoneNumber | Direct | Export |
| title | title | Direct | Export |
| uid | uid | Direct | Export |
| manager | manager | Direct | Import |

  7. Do not modify the settings of the Configure Deprovisioning page. Click Next.
  8. Do not modify the settings of the Configure Extensions page. Click Finish.

Task 3: Create the Intranet Directory Management Agent

Complete the following steps to accomplish this task. Please note that "Intranet Directory" refers to the corp.contoso.com domain.

To set up the Intranet Directory MA

  1. In Identity Manager, on the Tools menu, click Management Agents.
  2. On the Actions menu, click Import Management Agent.
  3. In the File Open dialog box, browse to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the IntranetADMA.xml file, and then click Open.
  4. In the Create Management Agent pane, ensure that the Name field contains Intranet Directory MA, and then click Next.
  5. In the Connect to Active Directory Forest pane, in the Forest name field, type corp.contoso.com (or the name of your intranet Active Directory forest).
  6. In the User name field, type MIISADIntranet to define the name of the user account MIIS 2003 with SP1 will use to access Active Directory.
  7. In the Password field, type the account password.
  8. In the Domain field, type na.corp.contoso.com to define the appropriate domain for the MIISADIntranet account, and then click Next to continue.

    The Configure Directory Partition pane opens if the account and password are validated.

Note   If you are using different forest or domain names than corp.contoso.com, a Partition Matching dialog box will appear. If this occurs, in the right pane of the Existing Partitions field, clear all existing partitions except for the Active Directory domain to which users will be provisioned. Leave only one domain partition selected. Click Match and then click OK.

  9. Review the information in the Configure Directory Partition pane, and then click Next.
  10. Review the information in the Select Object Types pane, and then click Next.
  11. Review the information in the Select Attributes pane, and then click Next.
  12. Review the information in the Configure Connector Filter pane, and then click Next.
  13. Review the Configure Join and Projection Rules, and then click Next.
  14. Review the Attribute Flow for person objects; they should be the same as shown in the following table.

    Table 5.19. Attribute Flow for the Intranet Active Directory MA

| Intranet directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction |
| --- | --- | --- | --- |
| c | company, c | Advanced | Export |
| co | company, co | Advanced | Export |
| company | company | Advanced | Export |
| department | company, department | Advanced | Export |
| displayName | company, displayName | Advanced | Export |
| employeeID | company, employeeID | Advanced | Export |
| facsimileTelephoneNumber | company, facsimileTelephoneNumber | Advanced | Export |
| givenName | company, givenName | Advanced | Export |
| l | company, l | Advanced | Export |
| mail | company, mail | Advanced | Export |
| mailNickName | company, sAMAccountName | Advanced | Export |
| sAMAccountName | company, sAMAccountName | Advanced | Export |
| sn | company, sn | Advanced | Export |
| targetAddress | company, mail | Advanced | Export |
| telephoneNumber | company, telephoneNumber | Advanced | Export |
| title | company, title | Advanced | Export |
| company, c | c | Advanced | Import |
| company, co | co | Advanced | Import |
| company, department | department | Advanced | Import |
| company, displayName | displayName | Advanced | Import |
| company, employeeID | employeeID | Advanced | Import |
| company, facsimileTelephoneNumber | facsimileTelephoneNumber | Advanced | Import |
| company, givenName | givenName | Advanced | Import |
| company, l | l | Advanced | Import |
| company, mail | mail | Advanced | Import |
| company, sAMAccountName | sAMAccountName | Advanced | Import |
| company, sn | sn | Advanced | Import |
| company, telephoneNumber | telephoneNumber | Advanced | Import |
| company, title | title | Advanced | Import |
| manager | manager | Direct | Import |
| userPrincipalName | userPrincipalName | Direct | Import |
| company | company | Advanced | Import |

  1. Review the information in the remaining panes and then click Finish to complete this wizard.

Task 4: Create the Extranet Directory Management Agent

Complete the following steps to accomplish this task. Please note that "Extranet Directory" refers to the perimeter.contoso.com domain.

To set up the Extranet Directory MA

  1. In Identity Manager, on the Tools menu, click Management Agents.
  2. On the Actions menu, click Import Management Agent.
  3. In the File Open dialog box, browse to the location %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the ExtranetADMA.xml file, and then click Open.
  4. In the Create Management Agent pane, in the Name field, type Extranet Directory MA and then click Next.
  5. In the Connect to Active Directory Forest pane, locate the Forest name field and type the extranet Active Directory forest name, perimeter.contoso.com.
  6. In the User name field, type MIISADExtranet to define the Enterprise Administrator account MIIS 2003 with SP1 will use to access the extranet Active Directory.
  7. In the Password field, type the account password.
  8. In the Domain field, type perimeter.contoso.com to define the appropriate domain for the MIISADExtranet account and then click Next.

The Configure Directory Partition pane opens if the account and password are validated.

Note   If you are using different OUs than those preconfigured in the MA export, locate the Select Containers box in the Configure Directory Partition pane and then click Containers. Expand the console tree, ensure that the OUs you are using are selected, and then click OK.

  9. Review the information in the Configure Directory Partition pane, and then click Next.
  10. Review the information in the Select Object types pane, and then click Next.
  11. Review the information in the Select Attributes pane, and then click Next.
  12. Review the information in the Configure Connector Filter pane, and then click Next.
  13. Review the Configure Join and Projection Rules, and then click Next.
  14. Review the Attribute Flow for person objects; they should be the same as shown in the following table.

    Table 5.20. Attribute Flow for the Extranet Active Directory MA

    Extranet directory attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction
    altSecurityIdentities | samAccountName | Advanced | Export
    c | c | Direct | Export
    co | co | Direct | Export
    company | company | Direct | Export
    department | department | Direct | Export
    employeeID | employeeID | Direct | Export
    givenName | givenName | Direct | Export
    l | l | Direct | Export
    mail | mail | Direct | Export
    manager | manager | Direct | Export
    sAMAccountName | sAMAccountName | Direct | Export
    sn | sn | Direct | Export
    userPrincipalName | userPrincipalName, samAccountName | Advanced | Export

  15. Review the information in the remaining screens, clicking Next to continue, and then click Finish to complete the wizard.

After completing this procedure, verify that the Extranet Directory parameters are correctly defined in the <MIIS Installation Directory>\Extensions\IDMGMTExtranet.xml file. The extension DLLs read this XML file to use the information it contains when processing export flow rules.

Task 5: Create the Lotus Notes Management Agent

Note   MIIS 2003 with SP1 validates the account access to Lotus Notes through the installed Lotus Notes client on the MIIS 2003 with SP1 server. You must access Lotus Notes by using the Notes administrator before you continue the management agent creation process.

To create this management agent, you will import the saved (exported) configuration file to accomplish this task.

To create the Lotus Notes management agent

  1. In Identity Manager, on the Tools menu, click Management Agents.
  2. On the Actions menu, click Import Management Agent.
  3. In the File Open dialog box, browse to %UserProfile%\My Documents\Identity and Access Management Tools and Templates\Identity Aggregation and Sync\MA Exports, select the LotusNotesMA.xml file, and then click Open.
  4. In the Create Management Agent pane, in the Name field, type Lotus Notes MA and then click Next.
  5. In the Connect to Notes Server pane, in the Hierarchical server name field, type the name of the Lotus Notes server in the following hierarchical format: servername/notescertifier.
  6. Click Browse, and then navigate to the Lotus Notes client user ID file previously installed for the Lotus Notes Administrator.
  7. In the Password field, type the account password.
  8. In the Address Books field, ensure that names.nsf appears, and then click Next.
  9. In the Configure Organizational Units pane, define the association between the Lotus Notes Address Book, the OU (certifier) and the Certifier Path with the Cert.id file. To do this, click the Edit button.
  10. In the Organization Unit Certifier Detail dialog box, next to Specify certifier, click the Browse button. Navigate to the certifier ID file associated with the OU, select the file, and then click OK.
  11. In the Organization Unit field, verify O=fabcorp; in the Address Book field, verify names.nsf; then, in the Password field, type your password and click OK.

Note    You must supply the Lotus Notes administrator password to open the OU.

  12. In the Configure Organizational Units pane, click Next.
  13. Review the information in the Select Object types pane, and then click Next.
  14. Review the information in the Select Attributes pane, and then click Next.
  15. Review the information in the Configure Connector Filter pane, and then click Next.
  16. Review the Configure Join and Projection Rules, and then click Next.
  17. Review the Attribute Flow for person objects; they should be the same as shown in the following table:

    Table 5.21. Attribute Flow for the Lotus Notes MA

    Lotus Notes attribute (person object) | Metaverse attribute (person object) | Mapping type | Flow direction
    companyName | company | Advanced | Export
    department | company, department | Advanced | Export
    employeeID | company, employeeID | Advanced | Export
    firstName | company, givenName | Advanced | Export
    lastName | company, sn | Advanced | Export
    mailAddress | company, mail | Advanced | Export
    officeCity | company, l | Advanced | Export
    officeCountry | company, co | Advanced | Export
    officeFaxPhoneNumber | company, facsimileTelephoneNumber | Advanced | Export
    officePhoneNumber | company, telephoneNumber | Advanced | Export
    shortName | company, sAMAccountName | Advanced | Export
    title | company, title | Advanced | Export
    companyName | company | Advanced | Import
    companyName, department | department | Advanced | Import
    companyName, lastName, firstName | displayName | Advanced | Import
    companyName, employeeID | employeeID | Advanced | Import
    companyName, firstName | givenName | Advanced | Import
    companyName, lastName | sn | Advanced | Import
    companyName, internetAddress | mail | Advanced | Import
    companyName, officeCity | l | Advanced | Import
    companyName, officeCountry | co | Advanced | Import
    companyName, officeFaxPhoneNumber | facsimileTelephoneNumber | Advanced | Import
    companyName, officePhoneNumber | telephoneNumber | Advanced | Import
    companyName, shortName | sAMAccountName | Advanced | Import
    companyName, title | title | Advanced | Import
    manager | manager | Direct | Import

  18. Review the remaining panes and then click Finish to complete the wizard.

Task 6: Set Attribute Flow Precedence

The metaverse schema that was imported earlier in the implementation has already set both attribute precedence and manual precedence. Use the following guidance for a better understanding of how and what was set with this solution.

To create the attribute precedence flow

  1. Configure attribute precedence flow for the Manager attribute:
    1. In Identity Manager, on the Tools menu, click Metaverse Designer.
    2. In Object Types, click Person.
    3. In Attributes, click manager.
    4. On the Actions menu, click Configure Attribute Flow Precedence.
    5. Use the Up or Down arrow to match the ranking indicated in the following table and click OK.

      Table 5.22. Attribute Flow Precedence

      Metaverse attribute | Management agent name | Rank
      manager | Intranet Directory MA | 1
      manager | Lotus Notes MA | 2
      manager | Sun ONE Directory MA | 3

Task 7: Set Manual Attribute Flow Precedence

Manual precedence can be set when all management agents with import flow rules are using advanced flow rules. Contoso uses manual precedence to allow two different management agents to be authoritative over attributes into the metaverse. For Fabrikam users Lotus Notes will be authoritative. For Contoso users the Intranet Directory MA will be authoritative.

To set manual attribute flow precedence

  1. Configure manual attribute precedence flow for a number of attributes.
    1. In Identity Manager, on the Tools menu, click Metaverse Designer.
    2. In Object types, click person.
    3. In Attributes, click company.
    4. On the Actions menu, click Configure Attribute Flow Precedence.
    5. In Configure Attribute Flow Precedence, verify the check box is selected to Use Manual Flow Precedence with all of the following attributes:
  • c
  • co
  • company
  • department
  • employeeID
  • facsimileTelephoneNumber
  • givenName
  • l
  • mail
  • sAMAccountName
  • sn
  • telephoneNumber
  • title
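
The manual precedence set here, together with the "company, <attribute>" advanced import flows listed in Table 5.19 and Table 5.21, is enforced by rules extension code rather than by the wizard. The following C# is an added example and not the IDMGMT extension DLL shipped with the paper's tools: it assumes the MIIS 2003 IMASynchronization interface from Microsoft.MetadirectoryServices, a flow rule naming convention of "guarded:<csAttr>:<mvAttr>" (or "guarded:displayName" for the Lotus Notes composite), and that each MA's authority is keyed by its display name as in Task 7.

```csharp
using System;
using Microsoft.MetadirectoryServices;

namespace Contoso.IdentityAggregation
{
    // Hypothetical rules extension (added example, not the solution's own DLL).
    // Each MA writes an attribute into the metaverse only for the company it is
    // authoritative for; for every other person it declines, leaving the current
    // metaverse value untouched. That is the manual precedence of Task 7.
    public class CompanyAuthorityRulesExtension : IMASynchronization
    {
        // Authority map from Task 7 (assumed to be keyed by MA display name).
        private static string AuthoritativeCompany(string maName)
        {
            switch (maName)
            {
                case "Intranet Directory MA": return "Contoso";
                case "Lotus Notes MA":        return "Fabrikam";
                default:                      return null; // never authoritative
            }
        }

        // The Notes connector space calls the attribute companyName; AD calls it company.
        private static string CompanyAttributeFor(string maName)
        {
            return maName == "Lotus Notes MA" ? "companyName" : "company";
        }

        public void Initialize() { }
        public void Terminate() { }

        public void MapAttributesForImport(string FlowRuleName, CSEntry csentry, MVEntry mventry)
        {
            string maName = csentry.MA.Name;
            string companyAttr = CompanyAttributeFor(maName);
            string company = csentry[companyAttr].IsPresent ? csentry[companyAttr].Value : null;

            // Manual precedence: decline unless this MA is authoritative for the user's
            // company. A person with no company value is never imported from any MA.
            if (company == null ||
                !string.Equals(company, AuthoritativeCompany(maName), StringComparison.OrdinalIgnoreCase))
            {
                throw new DeclineMappingException();
            }

            string[] parts = FlowRuleName.Split(':');
            if (parts.Length == 2 && parts[0] == "guarded" && parts[1] == "displayName")
            {
                SetOrDelete(mventry, "displayName", BuildDisplayName(csentry));
                return;
            }
            if (parts.Length == 3 && parts[0] == "guarded")
            {
                Attrib source = csentry[parts[1]];
                SetOrDelete(mventry, parts[2], source.IsPresent ? source.Value : null);
                return;
            }
            throw new EntryPointNotImplementedException(); // unknown flow rule name
        }

        // "firstName lastName"; the display-name format is assumed, the paper does not state it.
        private static string BuildDisplayName(CSEntry csentry)
        {
            string first = csentry["firstName"].IsPresent ? csentry["firstName"].Value : "";
            string last  = csentry["lastName"].IsPresent  ? csentry["lastName"].Value  : "";
            string name = (first + " " + last).Trim();
            return name.Length == 0 ? null : name;
        }

        // A value removed at the authoritative source is also removed from the
        // metaverse, so a stale attribute cannot keep flowing out to the other stores.
        private static void SetOrDelete(MVEntry mventry, string mvAttr, string value)
        {
            if (value == null) mventry[mvAttr].Delete();
            else mventry[mvAttr].Value = value;
        }

        // Interface members this example does not use; MIIS expects them to throw
        // EntryPointNotImplementedException when no MA is configured to call them.
        public bool ShouldProjectToMV(CSEntry csentry, out string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public DeprovisionAction Deprovision(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public bool FilterForDisconnection(CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForJoin(string FlowRuleName, CSEntry csentry, ref ValueCollection values)
        { throw new EntryPointNotImplementedException(); }
        public bool ResolveJoinSearch(string joinCriteriaName, CSEntry csentry, MVEntry[] rgmventry,
                                      out int imventry, ref string MVObjectType)
        { throw new EntryPointNotImplementedException(); }
        public void MapAttributesForExport(string FlowRuleName, MVEntry mventry, CSEntry csentry)
        { throw new EntryPointNotImplementedException(); }
    }
}
```

Because every import flow on these attributes declines for the non-authoritative company, the check box Use Manual Flow Precedence must be selected for each attribute in the list above; otherwise MIIS would apply the ranked precedence of Table 5.22 and the last MA to import could overwrite the authoritative value.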

Task 8: Create Run Profiles

The next task is to create run profiles for each of the management agents. The following steps use the Sun ONE Directory MA as an example, because this agent requires you to define four run profiles.

To create run profiles for the Sun ONE Directory MA

  1. In Identity Manager, on the Tools menu, click Management Agents and then click Sun ONE Directory MA.
  2. On the Actions menu, click Configure Run Profiles.
  3. In the Configure Run Profiles for "Sun ONE Directory MA" dialog box, click New Profile.
  4. In the Profile Name pane, in the Name field, type Full Import (Stage Only) and then click Next.
  5. In the Configure Step pane, in the Type drop-down list, click Full Import (Stage Only) and then click Next.
  6. In the Management agent configuration pane, confirm that the partition dc=fabrikam,dc=com is selected, and then click Finish.

Repeat steps 1 through 6 to create the three additional single-step run profiles listed in the following table; the two-step Export run profile is created in the procedure that follows. Then click OK to close the Configure Run Profiles for "Sun ONE Directory MA" dialog box.

Table 5.23. Additional One-step Run Profiles for the Sun ONE Directory MA

Run profile name | Type
Delta Synchronization | Delta Synchronization
Delta Import (Stage Only) | Delta Import (Stage Only)
Full Synchronization | Full Synchronization

Note   You must have the Retro Changelog plug-in enabled to be able to create a Delta Import run profile. It is strongly recommended that you configure deltas, as it will decrease the processing time of the MA run. For all other MAs, the run profiles should be imported during the Management Agent Import process. The exception will be if the partition information changes—for example, if the Active Directory MA is configured to use a different domain name in your test environment. In this case, the run profiles might be missing and therefore you must create new run profiles. Thus, each MA should be checked after it is imported to verify the run profile information is configured correctly.

To create two-step run profiles for the Sun ONE Directory MA

  1. In Identity Manager, on the Tools menu, click Management Agents, and then click Sun ONE Directory MA.
  2. On the Actions menu, click Configure Run Profiles.
  3. In the Configure Run Profiles for "Sun ONE Directory MA" dialog box, click New Profile.
  4. In the Profile Name pane, in the Name field, type Export and then click Next.
  5. In the Configure Step pane, in the Type list, click Export and then click Next.
  6. In the Management agent configuration pane, confirm that the partition dc=fabrikam,dc=com is selected, and then click Finish.
  7. Click the New Step button.
  8. In the Configure Step pane, in the Type list, click Delta Import and Delta Synchronization and then click Next.
  9. In the Management agent configuration pane, confirm that the partition dc=fabrikam,dc=com is selected, and then click Finish.
  10. Click OK to close the Configure Run Profiles dialog box.

    Table 5.24. Additional two-step run profile for the Sun ONE Directory MA

    Run profile name | Type
    Export | Step 1: Export; Step 2: Delta Import/Delta Synchronization

Initial Identity Integration Operations

The following sections divide identity integration operations for Contoso into different tasks. An overview of these stages and the tasks within each is provided here, and the following sections provide step-by-step instructions for each of the tasks.

MIIS identity aggregation operations consist of 7 tasks. This operational stage takes existing data from the baseline installation and propagates it to other systems.

  • Task 1: Initialize connector spaces for all MAs
  • Task 2: Project intranet Active Directory Contoso users into the metaverse
  • Task 3: Join and project Lotus Notes users to the metaverse
  • Task 4: Join intranet Active Directory Fabrikam users to existing metaverse objects
  • Task 5: Join extranet Active Directory users to existing metaverse objects
  • Task 6: Join Sun ONE Directory users to metaverse objects
  • Task 7: Export metaverse attribute updates

Task 1: Initialize Connector Spaces for All MAs

To initialize the MIIS 2003 with SP1 connector spaces, you will need to run each management agent you created in the previous section. You can initialize each connector space by running its management agent with the Full Import (Stage Only) run profile.

To run the Intranet Directory management agent full import

  1. Click Start, point to All Programs, click Microsoft Identity Integration Server, and then click Identity Manager.
  2. Click Management Agents, and then click Intranet Directory MA.
  3. On the Actions menu, click Run.
  4. In the Run Management Agent dialog box, in the Run Profiles area, click Full Import (Stage Only), and then click OK.
  5. Wait for the run-time state to return to idle, and then ensure that the connection status displays success for the results of the run steps at the bottom of the Management Agent pane. To search the connector space, on the Actions menu, click Search Connector Space.

Note   If the status does not show success, examine the error and correct it.

Use steps 1 through 5 to complete the initialization process for the run profiles in the following table.

Table 5.25. Additional Run Profiles to Complete MIIS 2003 with SP1 Initialization

Management agent | Run profile
Lotus Notes MA | Full Import (Stage Only)
Sun ONE Directory MA | Full Import (Stage Only)
Extranet Directory MA | Full Import (Stage Only)

Task 2: Project Intranet Directory Contoso Users into the Metaverse

Complete the following steps to accomplish this task.

To synchronize intranet Active Directory Contoso users

  1. Run the Intranet Directory Full Synchronization step by doing the following:
    1. Click Management Agent, click Intranet Directory MA, click the Actions menu, and then click Run.
    2. In the Run Profiles area, click Full Synchronization, and then click OK.
    3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.

This step projects intranet Active Directory Contoso users into the metaverse. Fabrikam users will remain unjoined (called disconnector objects in MIIS 2003 with SP1) because they have not been projected into the metaverse yet. To view the connector space, on the Actions menu, click Search Connector Space.

Task 3: Join and Project Lotus Notes Users to the Metaverse

Complete the following steps to accomplish this task.

To synchronize Lotus Notes users

  1. Run the Lotus Notes Full Synchronization step by doing the following:
    1. Click Management Agent, click Lotus Notes MA, click the Actions menu, and then click Run.
    2. In the Run Profiles area, click Full Synchronization, and then click OK.
    3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.

This step projects Lotus Notes Fabrikam users into the metaverse and joins Contoso users projected in the metaverse in Task 2. To view the connector space, on the Actions menu, click Search Connector Space.

Note   If the status does not show success, examine the error and correct it.

Task 4: Join Intranet Active Directory Fabrikam Users to Existing Metaverse Objects

Complete the following steps to accomplish this task.

To synchronize Intranet Directory Contoso users

  1. Run the Intranet Directory Full Synchronization step by doing the following:
    1. Click Management Agent, click Intranet Directory MA, on the Actions menu, click Run.
    2. In the Run Profiles area, click Full Synchronization, and then click OK.
    3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.

This step joins intranet Active Directory Fabrikam users to the metaverse. Before this task, the Fabrikam users were disconnector objects because the Lotus Notes users had not yet been projected into the metaverse when the first Full Synchronization of the Intranet Directory MA ran. After this second Full Synchronization on the management agent, the Fabrikam users join the existing metaverse users. To view the connector space, on the Actions menu, click Search Connector Space.

Task 5: Join Extranet Active Directory Users to Existing Metaverse Objects

Complete the following steps to accomplish this task.

To join staged Extranet Active Directory users to existing metaverse users

  1. Run the extranet Active Directory MA Full Synchronization step by doing the following:
    1. Click Management Agent, click Extranet Directory MA, on the Actions menu, click Run.
    2. In the Run Profiles area, click Full Synchronization, and then click OK.
    3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.

This step joins extranet Active Directory information with users in the metaverse. To view the connector space, on the Actions menu, click Search Connector Space.

Task 6: Join Sun ONE Directory Users to Existing Metaverse Objects

Complete the following steps to accomplish this task.

To join staged Sun ONE Directory users to existing metaverse users

  1. Run the Sun ONE Directory MA Full Synchronization step by doing the following:
    1. Click Management Agent, click Sun ONE Directory MA, on the Actions menu, click Run.
    2. In the Run Profiles area, click Full Synchronization, and then click OK.
    3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.

This step joins Sun ONE Directory information with users in the metaverse. To view the connector space, on the Actions menu, click Search Connector Space.

Task 7: Export Metaverse Attribute Updates

Complete the following steps to accomplish this task.

To export metaverse attribute updates to existing users

  1. Click Management Agent, click Lotus Notes MA, on the Actions menu, click Run.
  2. In the Run Profiles area, click Export, and then click OK.
  3. Wait for the run-time state to return to idle, and then ensure that the bottom pane of the Management Agent User Interface displays success for the result of this run profile step.
  4. Repeat steps 1 through 3 for each of the run profiles in the following table:

Table 5.26. Additional Run Profiles to Complete MIIS 2003 with SP1 Exports

Management agent | Run profile
Intranet Directory MA | Export
Sun ONE Directory MA | Export
Extranet Directory MA | Export

Chapter 6: Testing the Solution

This chapter describes how to validate the implemented solution scenarios from the previous chapter. It also provides some troubleshooting steps to help with common implementation challenges. Comprehensive guidance for testing the end-to-end user and administrator experience is not provided.

Validating the Implementation Prerequisites

Before you start to test the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure correct configuration of the solution infrastructure. These prerequisite tests are designed to provide you with a means to quickly check that your network setup complies with the "Implementation Prerequisites" section in Chapter 5, "Implementing the Solution," before undergoing further implementation testing.

Tests to validate the prerequisites include:

  • Basic Test 1: Verify the Functionality of Domain Controllers
  • Basic Test 2: Verify Functionality of Non-Microsoft Application Servers
  • Basic Test 3: Verify Microsoft Exchange Server Configuration
  • Basic Test 4: Verify Domain Name Lookups from the MIIS 2003 with SP1 Server
  • Basic Test 5: Verify Network Connectivity

Basic Test 1: Verify the Functionality of Domain Controllers

Complete the following tests to verify that both intranet and extranet domain controllers are working properly and not generating any errors.

To verify that the domain controllers are working correctly

  1. Log on to the intranet and extranet domain controllers with administrative privileges.
  2. At a command prompt, type dcdiag.exe and then press ENTER.

The dcdiag utility executes a series of tests. All tests should pass.

To check the domain controllers' event logs for errors

  1. Log on to the intranet and extranet domain controllers with administrative privileges.
  2. At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer Manager console.
  3. Browse to the Directory Service node and then click it to display the event logs in the right pane of the console.

There should not be any errors in the logs.

Basic Test 2: Verify Functionality of Non-Microsoft Application Servers

Complete the following tests to verify that the Lotus Notes and Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) servers are working properly.

To verify the Lotus Notes server is working correctly

  1. Log on to the Lotus Notes server by using the Lotus Domino Administrator client.
  2. On the Administration menu, select Server and check Status.

The user interface (UI) should display the server status as Listening for TCP/IP connections.

  3. At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer Management Console. Browse to the Application node and then click it to display the event logs in the right pane of the console. There should not be any errors in the logs.

To verify the Sun ONE Directory Server is working correctly

  1. Log on to the Sun ONE Directory Server by using iPlanet Console 5.1.
  2. In the Server and Applications tree, navigate to "Directory Server" (<server name>).

The UI should display server status as Started.

  3. At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer Management Console. Click the Application node to display the Application event log in the right pane of the console. There should not be any errors in the log.

Basic Test 3: Verify Microsoft Exchange Server Configuration

Complete the following steps to confirm that SMTP addresses end in @contoso.com.

To verify the Exchange server is configured correctly

  1. Log on to the Microsoft® Exchange server with Exchange administrator privileges.
  2. Click Start, point to All Programs, click Microsoft Exchange, and then click System Manager.
  3. Double-click Contoso, double-click Recipients, and then double-click Recipient Policies.
  4. Right-click Default policy and then click Properties.
  5. On the E-mail Addresses (Policy) tab, ensure that the SMTP type has an address value of @contoso.com.

The Exchange server must have an SMTP type with an address value of @contoso.com.

Basic Test 4: Verify Domain Name Lookups from the MIIS 2003 with SP1 Server

Complete the following steps to confirm that domain name lookups to both the intranet and extranet domains work properly from the Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1) server.

To verify domain name lookups

  1. Log on to the MIIS 2003 with SP1 server.
  2. Open a command prompt, type nslookup na.corp.contoso.com and then press ENTER. The result should be similar to the following:

    Name: na.corp.contoso.com

    Address: 192.168.0.202

  3. Repeat for perimeter.contoso.com.

NSLOOKUP must succeed when it uses the fully qualified domain names (FQDN) of the intranet and extranet domains.

Basic Test 5: Verify Network Connectivity

Complete the following steps to verify network connectivity to the intranet and extranet domain controllers, the Sun ONE Directory Server, and the Lotus Domino server.

To verify network connectivity

  1. Log on to the MIIS 2003 with SP1 server.
  2. Open a command prompt, type ping <Intranet Domain Controller hostname> and then press ENTER. The MIIS 2003 with SP1 server should receive a response from the intranet domain controller.
  3. Ping the Lotus Domino server and Sun ONE Directory servers. Responses should be received from each of these servers.
  4. Open a command prompt, type telnet <Extranet Domain Controller hostname> 53 and then press ENTER. A Telnet connection should be made to the extranet domain controller.

All network connectivity tests should pass without failure.

Validating the Implementation

After the "Contoso Baseline Preparation" and "Intranet Firewall Configuration" sections in Chapter 5, "Implementing the Solution," have been completed in your environment, you are ready to validate your implementation to ensure that the base environment meets the Contoso requirements. Executing the tests in this section will help ensure smooth implementation of the scenarios.

Validating the Base Environment

Use the information in the following sections to ensure that the base environment you established in a test lab environment is a valid representation of the Contoso scenario.

Tests to validate the base environment include:

  • Baseline Test 1: Verify Exchange Server Storage Groups and Mailbox Stores
  • Baseline Test 2: Verify Intranet Domain Organizational Units and User Accounts
  • Baseline Test 3: Verify Extranet Domain OUs and User Accounts
  • Baseline Test 4: Verify User Accounts on Non-Microsoft Application Servers
  • Baseline Test 5: Verify Intranet Firewall Configuration

Baseline Test 1: Verify Exchange Server Storage Groups and Mailbox Stores

Complete the following steps to verify that the required Storage Groups and Mailbox stores exist on the Microsoft Exchange server.

To verify Exchange server Storage Groups and Mailbox stores

  1. Log on to the Exchange server intranet domain controller with Exchange administrative privileges.
  2. Click Start, point to All Programs, click Microsoft Exchange, and then click System Manager.
  3. Expand Administrative Groups, First Administrative Group, Servers, and then <Server Name>.
  4. Verify that the Storage Groups First Storage Group and Second Storage Group are present.
  5. Expand First Storage Group.
  6. Verify that the Mailbox stores First Mailbox Store (SG1) and Second Mailbox Store (SG1) are present.
  7. Expand Second Storage Group.

The specified Storage Groups and Mailbox stores should be present and mounted.

Baseline Test 2: Verify Intranet Domain Organizational Units and User Accounts

Complete the following steps to verify that organizational units (OU) and user accounts have been created in the intranet domain na.corp.contoso.com.

To verify intranet OUs and user accounts

  1. Log on to the intranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC (Microsoft Management Console) snap-in.
  3. Verify that the following OU structure has been created:

OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Disabled,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Groups,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Solaris Workstation,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

  4. Verify that user accounts have been created in the following OU:

OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

The specified OUs and user accounts should exist in the intranet domain.

Baseline Test 3: Verify Extranet Domain OUs and User Accounts

Complete the following steps to verify that OUs and user accounts have been created in the extranet domain perimeter.contoso.com.

To verify extranet OUs and user accounts

  1. Log on to the extranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type dsa.msc and press ENTER to open the Active Directory Users and Computers MMC snap-in.
  3. Verify that the following OU structure has been created:

OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Disabled,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Groups,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Internal,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Trial Users,OU=Accounts,DC=perimeter,DC=contoso,DC=com

  4. Verify that user accounts have been created in the following OU:

OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

The specified OUs and user accounts should exist in the extranet domain.

Baseline Test 4: Verify User Accounts on Non-Microsoft Application Servers

Complete the following tests to verify that user accounts have been created in the Lotus Notes and Sun ONE Directory Server 5.1 servers.

To verify user accounts on a Lotus Notes server

  1. Log on to the Lotus Notes server by using Lotus Domino Administrator.
  2. On the Administration menu, click People and Groups.

The UI should display Lotus Notes user accounts with a Company attribute of Fabrikam.

To verify user accounts in Sun ONE Directory Server 5.1

  1. Log on to the Sun ONE Directory server by using iPlanet Console 5.1.
  2. In the iPlanet Console, select Users and Groups and then click Search.

The UI should display Sun ONE Directory user accounts with an SMTP mail address attribute ending in @fabrikam.com.

Baseline Test 5: Verify Intranet Firewall Configuration

Complete the following steps to verify that an intranet firewall rule has been configured to allow the MIIS 2003 with SP1 server to communicate with the extranet domain controller.

To verify configuration of the intranet firewall

  1. Log on to the intranet firewall computer.
  2. Ensure that a firewall rule exists based on the ports listed in Table 5.8 in Chapter 5, "Implementing the Solution."
  3. Ensure that a firewall rule exists based on the ports listed in Table 5.9 in Chapter 5, "Implementing the Solution."

The specified firewall rules should exist and have been properly configured.

Validating Aggregation and Synchronization

Use the information in the following sections to test that aggregation and synchronization of identity data is correctly configured. Additionally, these tests validate that the scenario is working according to the requirements defined by Contoso.

Tests to validate aggregation and synchronization include:

  • Test 1: Verify Installation of Microsoft SQL Server 2000
  • Test 2: Verify Installation of VS.NET
  • Test 3: Verify Installation of MIIS 2003 with SP1
  • Test 4: Verify kdcWaitTime
  • Test 5: Verify Management Agent Assemblies
  • Test 6: Verify Aggregation of Identity Attribute Information
  • Test 7: Verify Synchronization of Identity Attribute Information
  • Test 8: Verify Configuration of Synchronized Lotus Notes Accounts
  • Test 9: Verify Synchronization of Intranet Active Directory Exchange Users in Lotus Notes
  • Test 10: Verify Changes Are Propagated to Lotus Notes
  • Test 11: Verify Certificate Mapping

Test 1: Verify Installation of Microsoft SQL Server 2000

Complete the following steps to verify the installation of Microsoft SQL Server™ 2000 on the MIIS 2003 with SP1 server.

To verify the installation of SQL Server 2000

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges and open the Services MMC snap-in.
  2. Ensure that the SQL Server service is running.
  3. Open Enterprise Manager to connect to SQL Server.

SQL Server 2000 should be running.

Test 2: Verify Installation of Visual Studio.NET

Complete the following steps to verify the installation of the Visual Studio.NET development environment.

To verify the installation of Visual Studio.NET

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open the Visual Studio.NET development environment.

The Visual Studio.NET development environment should open without any errors.

Test 3: Verify Installation of MIIS 2003 with SP1

Complete the following steps to verify the installation of MIIS 2003 with SP1.

To verify the installation of MIIS 2003 with SP1

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.

Identity Manager should open without any errors.

Test 4: Verify kdcWaitTime

Complete the following steps to verify the kdcWaitTime registry key setting.

To verify the kdcWaitTime setting

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. At a command prompt, type regedit and then press ENTER, and browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key.
  3. Check the KdcWaitTime value.

There should be a REG_DWORD value named KdcWaitTime and its value should be set to 30 (decimal value).

Test 5: Verify Management Agent Assemblies

Complete the tests in this section to verify the creation of management agent (MA) assemblies, that they are copied to the appropriate folder, that the configuration settings in the IDMGTExtranet.xml file are correct, and that the MAs are created in Identity Manager.

To verify MA assembly creation

The management agent solutions should compile and create the following MA assemblies without any errors:

  • IntranetDirectoryADMA.dll
  • ExtranetDirectoryADMA.dll
  • Lotus Notes MAExtension.dll

No errors should occur while building the solutions.

To verify that the MA assemblies are copied to the appropriate folder

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Browse to the folder <MIIS installation path>\Extensions\
  3. Verify the presence of the following assemblies:
  • IntranetDirectoryADMA.dll
  • ExtranetDirectoryADMA.dll
  • Lotus Notes MAExtension.dll

All the assemblies should exist in the \Extensions folder of the MIIS 2003 with SP1 server.

To verify the configuration settings in IDMGTExtranet.xml

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Browse to the folder <MIIS installation path>\Extensions\
  3. Verify the presence of the configuration file IDMGTExtranet.xml.
  4. Verify that the settings in the configuration file match the settings in Table 5.10 in Chapter 5, "Implementing the Solution."

The configuration file IDMGTExtranet.xml should be present in the MIIS 2003 with SP1 server's \Extensions folder and have the correct settings.

To verify that MAs are created in Identity Manager

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.
  3. In Identity Manager, on the Tools menu, click Management Agents.
  4. The following MAs should be present in the Identity Manager:
  • Intranet Directory MA
  • Extranet Directory MA
  • SunONE Directory MA
  • Lotus Notes MA

All the specified MAs should exist in Identity Manager.

Test 6: Verify Aggregation of Identity Attribute Information

Complete the tests in this section to verify aggregation of identity attribute information from various groups of users to the metaverse.

Each of the searches performed in these tests should return an instance of a person object in the metaverse.

To verify aggregation of information from users in the intranet Active Directory

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.
  3. In Identity Manager, on the Tools menu, click Metaverse Search.
  4. Search for object type "person" with sAMAccountName equal to the sAMAccountName of an existing user in the intranet Active Directory.

To verify aggregation of information from users in the extranet Active Directory

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.
  3. In Identity Manager, on the Tools menu, click Metaverse Search.
  4. Search for object type "person" with sAMAccountName equal to the sAMAccountName of an existing user in the extranet Active Directory.

To verify aggregation of information from Sun ONE users

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.
  3. In Identity Manager, on the Tools menu, click Metaverse Search.
  4. Search for object type "person" with mail equal to the e-mail address of an existing user in the Sun ONE Directory Server.

To verify aggregation of information from Lotus Notes users

  1. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  2. Open Identity Manager.
  3. In Identity Manager, on the Tools menu, click Metaverse Search.
  4. Search for object type "person" with mail equal to the Internet e-mail address of an existing user in Lotus Notes.

Test 7: Verify Synchronization of Identity Attribute Information

Complete the tests in this section to verify the synchronization of identity attribute information from persons in the metaverse to users in the organization.

To verify synchronization of information to users in the intranet Active Directory

  1. Log on to the intranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.
  3. Verify that users in OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com have the following attributes populated:
  • employeeID
  • telephoneNumber

User objects should have the specified attributes populated in the intranet Active Directory.

To verify synchronization of information to users in the extranet Active Directory

  1. Log on to the extranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.
  3. Verify that users in OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com have the following attributes populated:
  • employeeID
  • telephoneNumber

User objects should have the specified attributes populated in the extranet Active Directory.

To verify synchronization of information to Lotus Notes Person records

  1. Log on to the Lotus Notes server with Lotus Domino Administrator.
  2. On the Administration menu, select People and Groups.
  3. Verify that Person records have the following attributes populated:
  • Employee ID
  • Office Phone

The Person records should have the specified attributes populated in Lotus Notes.

To verify synchronization of information to Sun ONE inetOrgPerson records

  1. Log on to the Sun ONE server with iPlanet Console 5.1.
  2. In the iPlanet Console, select Users and Groups, and then click Search.
  3. Verify inetOrgPerson records have the following attributes populated:
  • EmployeeNumber
  • TelephoneNumber

The inetOrgPerson records should have the specified attributes populated in Sun ONE Directory Server 5.1.
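As an added example that is not part of the paper, the following PowerShell function performs the two Active Directory checks in this test (and the altSecurityIdentities check of Test 11) with an LDAP query instead of a manual inspection in ADSI Edit, listing every user in the OU that lacks at least one of the attributes synchronization should have populated. The OU distinguished names are the ones given above; the function name and the System.DirectoryServices usage are assumptions, and the script must run on a computer joined to the respective domain with an account that can read the OU.

```powershell
# Added example (not from the paper): report users in an OU that lack any of a
# set of attributes that MIIS 2003 with SP1 should have populated.
# Assumes the OU DNs from Tests 7 and 11 and Windows authentication to the domain.
function Find-UsersMissingAttributes {
    param(
        [string]   $SearchBaseDn,        # OU to check, as a distinguished name
        [string[]] $RequiredAttributes   # attributes that must be present on every user
    )

    $root     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$SearchBaseDn")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # (!(attr=*)) matches objects where attr is absent; OR-ing the clauses makes
    # one query return every user that is missing at least one required attribute.
    $missingClauses = ($RequiredAttributes | ForEach-Object { '(!(' + $_ + '=*))' }) -join ''
    $searcher.Filter      = "(&(objectCategory=person)(objectClass=user)(|$missingClauses))"
    $searcher.SearchScope = [System.DirectoryServices.SearchScope]::OneLevel   # this OU only, no sub-OUs
    $searcher.PageSize    = 1000   # paged results, so large OUs are not cut off at the server limit

    [void]$searcher.PropertiesToLoad.Add('sAMAccountName')
    foreach ($attr in $RequiredAttributes) { [void]$searcher.PropertiesToLoad.Add($attr) }

    foreach ($result in $searcher.FindAll()) {
        # Property names in a SearchResult are returned lower-cased
        $missing = $RequiredAttributes | Where-Object { -not $result.Properties.Contains($_.ToLower()) }
        New-Object PSObject -Property @{
            sAMAccountName = [string]$result.Properties['samaccountname'][0]
            Missing        = ($missing -join ', ')
        }
    }
}

# Test 7: employeeID and telephoneNumber must be populated in both Employees OUs
$intranetOu = 'OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com'
$extranetOu = 'OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com'
Find-UsersMissingAttributes $intranetOu @('employeeID', 'telephoneNumber') | Format-Table -AutoSize
Find-UsersMissingAttributes $extranetOu @('employeeID', 'telephoneNumber') | Format-Table -AutoSize

# Test 11: extranet users should have altSecurityIdentities populated by the Extranet Directory MA
Find-UsersMissingAttributes $extranetOu @('altSecurityIdentities') | Format-Table -AutoSize
```

An empty result set for a query means the check passed for that OU; any row names the user and the attributes still missing.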

Test 8: Verify Configuration of Synchronized Lotus Notes Accounts

Complete the following steps to verify that synchronized Lotus Notes accounts for users in the intranet Active Directory have contoso.com e-mail addresses.

To verify the configuration of synchronized Lotus Notes accounts

  1. Log on to the Lotus Notes server with Lotus Domino Administrator.
  2. On the Administration menu, select People and Groups.
  3. Verify that some Person records have the Internet address attribute populated with <mailalias>@contoso.com.

Synchronized Lotus Notes accounts for intranet Active Directory users should have the Internet address attribute populated as specified.

Test 9: Verify Synchronization of Intranet Active Directory Exchange Users in Lotus Notes

Complete the following steps to verify that intranet Active Directory Exchange users are synchronized as Person records in Lotus Notes with the Internet address attribute properly set.

To verify synchronization of intranet Active Directory Exchange users

  1. Log on to the intranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC snap-in.
  3. Verify that some users in OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com have the mail attribute populated with <mailalias>@fabrikam.com.

Intranet Active Directory Exchange users should be synchronized as Person records in Lotus Notes.

Test 10: Verify Changes Are Propagated to Lotus Notes

Complete the following steps to verify that telephone number changes to intranet Active Directory users are propagated to the Lotus Notes server.

To verify changes are propagated to Lotus Notes

  1. Log on to the intranet domain controller with administrator privileges.
  2. Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC snap-in.
  3. Browse to OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com.
  4. Right-click the user dbradley, and then click Properties.
  5. Change the telephone number to a different value and click OK.
  6. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  7. Open Identity Manager.
  8. On the Tools menu, click Management Agents.
  9. Select Intranet Directory MA.
  10. On the Actions menu, click Run.
  11. Select Delta Import (Stage Only) and click OK.
  12. After the state of the Intranet Directory MA returns to Idle, on the Actions menu, click Run again.
  13. Select Delta Synchronization and click OK.
  14. After the state of the MA returns to Idle, run a Delta Synchronization on all other MAs.
  15. Run an Export on all MAs.
  16. Log on to the Lotus Notes server with Lotus Domino Administrator.
  17. On the Administration menu, select People and Groups.
  18. Double-click the Bradley, David Person object.
  19. Click the Work/Home tab.
  20. Verify that the telephone number is changed appropriately.

The telephone number of the person should be changed in the Lotus Notes server.

Test 11: Verify Certificate Mapping

Complete the following steps to verify certificate mapping for extranet users.

To verify certificate mapping

  1. Log on to the extranet domain controller with domain administrator privileges.
  2. Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.
  3. Browse to OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com.
  4. Right-click the object CN=dbradley and then click Properties.
  5. In the Attributes list box select altSecurityIdentities and click Edit.
  6. Select the value and click Remove.
  7. Click OK twice to exit the dialog box.
  8. Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.
  9. Open Identity Manager.
  10. On the Tools menu, click Management Agents.
  11. Select Extranet Directory MA.
  12. On the Actions menu, click Run.
  13. Select Delta Import (Stage Only) and then click OK.
  14. After the state of the MA returns to Idle, run a Delta Synchronization.
  15. After the run completes, run an Export on the Extranet Directory MA.
  16. Log on to the extranet domain controller with domain administrator privileges.
  17. Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.
  18. Browse to OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com.
  19. Right-click the object CN=dbradley and then click Properties.
  20. In the Attributes list box, verify the value of altSecurityIdentities.

The value for the altSecurityIdentities attribute should be populated by the MA of the directory used for certificate mapping.

Troubleshooting

This section of the chapter describes some common errors that you may encounter while testing this scenario and the most likely ways to resolve them. The information in the following tables is not an exhaustive list of errors and troubleshooting procedures.

Table 6.1. Troubleshooting Baseline Procedures

Error: Cannot open dsa.msc.
Troubleshooting procedure: Ensure that the account being used to open dsa.msc has administrative privileges.

Error: Cannot connect to the Lotus Notes server using Lotus Domino Administrator from the MIIS 2003 with SP1 server.
Troubleshooting procedure: Verify that the Lotus Notes server is running and listening for TCP/IP connections. Verify that the latest Cert.id and User.id files are updated in the <Lotus Installation folder>\Notes\Data folder.

Error: Cannot open Identity Manager.
Troubleshooting procedure: Ensure that the account used to open Identity Manager is a member of the MIIS Admins group.

Table 6.2. Troubleshooting Aggregation and Synchronization

Error: Status "Stopped-extension-dll-file-not-found" while trying to run Full Synchronization for any MA, after which the state of the MA returns to Idle.
Troubleshooting procedure: Check that the following DLL files are present in the <MIIS 2003 with SP1 Installation folder>\Extensions folder:
  • IntranetDirectoryADMA.dll
  • ExtranetDirectoryADMA.dll
  • Lotus Notes MAExtension.dll

Error: Permission-issue, with the connected data source error "Insufficient access rights to perform the operation".
Troubleshooting procedure: Verify that the MIISADIntranet and MIISADExtranet accounts are given adequate permissions as described in the "Service Account Configuration" section in Chapter 5, "Implementing the Solution."

Error: Missing-DN while running Full Import (Stage Only) of the Lotus Notes MA.
Troubleshooting procedure: Verify that the properties of Lotus Notes users are populated by the manual process described in the "Populate Lotus Notes" task in the "Contoso Baseline Preparation" section of Chapter 5, "Implementing the Solution."

Chapter 7: Operational Considerations

This chapter describes certain activities required to administer the Contoso identity and access management solution. It includes details on managing the database for Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1), monitoring for errors, and troubleshooting issues.

Managing the MIIS 2003 with SP1 Database

MIIS 2003 with SP1 stores the entire metaverse in a Microsoft SQL Server™ database. This section describes some database management activities.

Managing Database Size

MIIS 2003 with SP1 database sizes will vary based on the number of objects processed through the system, the number of management agents, and the number of multivalued and reference attributes. Run history data, however, is the most expensive contributor to database growth.

Managing Run History

Run history information is detailed and consumes a lot of space in the database. To manage the size of the database, it is important to manage run history information in MIIS 2003 with SP1. It is possible to clear run histories manually with Identity Manager, but the best way of managing this information is to automate the process on a predefined schedule.

You can automate the clearing of run histories by using Windows Management Instrumentation (WMI) or with the MIIS_ClearRunHistory.exe tool, which is part of the MIIS Resource Tool Kit. For more information, download the Resource Tool Kit from the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0 page.

Managing Log Files

Whether a Microsoft SQL Server database uses simple or full recovery mode affects log file size. The MIIS 2003 with SP1 database is set to simple recovery mode by default. In most MIIS 2003 with SP1 configurations, full recovery mode is not required because of the nature of the server's data and because it can be rebuilt from existing connected directory data.

Simple recovery mode sets the log to overwrite, which reduces log file size during the time between backups. However, if you do not regularly clear run history information, you may eventually have to delete a large number of run histories at once. MIIS 2003 with SP1 deletes run histories in one delete transaction, which means that even in simple recovery mode this transaction can take a considerable amount of time, especially if your log files are growing rapidly.

If you do not have the disk capacity to handle such a situation, you may run out of disk space on the log file drive, which will require you to truncate the log file by using Query Analyzer. If the problem becomes significant (for example, a large buildup of run histories on a small drive with no way to increase its size), you can use a batch file to clear the run history in small increments and truncate the log file between runs.
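The incremental approach just described, as an added PowerShell example that is neither the paper's batch file nor the Resource Tool Kit's MIIS_ClearRunHistory.exe: it clears run history through the MIIS WMI provider one day at a time and forces a log checkpoint between increments so that no single delete transaction can fill the log drive. It assumes the WMI provider on the local server, the default database name MicrosoftIdentityIntegrationServer on a default SQL Server instance with Windows authentication, the ClearRuns timestamp format shown in the comment, and the function and parameter names, which are mine.

```powershell
# Added example (not from the paper): clear run history in daily increments and
# checkpoint the SQL Server 2000 transaction log between increments.
# Assumptions: local MIIS WMI provider, default SQL Server instance, Windows
# authentication, database named MicrosoftIdentityIntegrationServer.
$Namespace    = 'root\MicrosoftIdentityIntegrationServer'
$DatabaseName = 'MicrosoftIdentityIntegrationServer'

function Clear-RunHistoryBefore {
    param([datetime]$CutoffUtc)
    $server = Get-WmiObject -Namespace $Namespace -Class MIIS_Server
    # ClearRuns deletes every run that ended before the given UTC time (assumed
    # format 'yyyy-MM-dd HH:mm:ss') in a single transaction, which is why the
    # caller advances the cutoff in small steps instead of passing one far date.
    $result = $server.ClearRuns($CutoffUtc.ToString('yyyy-MM-dd HH:mm:ss'))
    return $result.ReturnValue      # 'success' when the delete completed
}

function Checkpoint-TransactionLog {
    # Under the default simple recovery mode a checkpoint truncates the inactive
    # part of the log; in full recovery mode a log backup would be needed instead.
    # (The physical file only shrinks if you also run DBCC SHRINKFILE.)
    & osql -E -d $DatabaseName -Q "CHECKPOINT"
    if ($LASTEXITCODE -ne 0) { throw "osql exited with code $LASTEXITCODE" }
}

function Clear-RunHistoryInIncrements {
    param(
        [int]$RetainDays   = 7,    # keep the most recent week for diagnostics
        [int]$StartDaysAgo = 90,   # oldest run history expected in the database
        [int]$StepDays     = 1     # size of each delete transaction, in days
    )
    $end    = [datetime]::UtcNow.AddDays(-$RetainDays)
    $cutoff = [datetime]::UtcNow.AddDays(-$StartDaysAgo)

    while ($true) {
        $status = Clear-RunHistoryBefore -CutoffUtc $cutoff
        if ($status -ne 'success') { throw "ClearRuns before $cutoff returned '$status'" }
        Write-Host ("Cleared run history older than {0:u}" -f $cutoff)
        Checkpoint-TransactionLog

        if ($cutoff -ge $end) { break }              # retention boundary reached
        $cutoff = $cutoff.AddDays($StepDays)
        if ($cutoff -gt $end) { $cutoff = $end }     # last step lands exactly on the boundary
    }
}

Clear-RunHistoryInIncrements
```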

Scheduling and Automating Management Agent Runs

This section shows how to automatically schedule MA runs. You can schedule a command file to run the management agents regularly using the Windows Scheduler service.

To accomplish this task and schedule the MAs hourly, complete the following tasks on the MIIS 2003 with SP1 server:

To create an account to run scheduled tasks

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.
  2. Expand Local Users and Groups, and then click the Users folder.
  3. Right-click the Users folder, and then click New User.
  4. Add the following information:
  • Username: MIISScheduler
  • Description: MIIS Schedule Account
  5. Add a password to the password box.
  6. Clear the User must change password at next logon check box.
  7. Select the User cannot change password and Password never expires check boxes.
  8. Click Create.
  9. Click Close.

To add the MIISScheduler account to the appropriate groups

  1. Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.
  2. Expand Local Users and Groups, and then click the Users folder.
  3. Double click the MIISScheduler user account.
  4. Click the Member Of tab.
  5. Click Add.
  6. In the Enter the object names to select box, type MIISOperators and then click Check Names.
  7. The object should resolve to FFL-NA-MIIS-01\MIISOperators.
  8. In the Enter the object names to select box, type Administrators and then click Check Names.
  9. The object should resolve to FFL-NA-MIIS-01\Administrators.
  10. Click OK twice.

Note   To run a command or batch file (which requires cmd.exe), the account must either be a member of the Administrators group or run interactively. If you use only a VBScript, you can schedule it to run in the context of a non-administrator. Therefore, if you do not want to add the user to the Administrators group, you can modify the existing VBScript either to hardcode the values or to pass them in by an alternative method.

To set user rights for the MIISScheduler account on the MIIS Server

  1. Open Local Security Policy on the MIIS Server.
  2. In the console tree, under Security Settings, Local Policies, click User Rights Assignment.
  3. In the details pane, double-click the Log on as a Batch Job user right.
  4. In UserRight Properties, click Add User or Group.
  5. Add the MIISScheduler account, and then click OK.
  6. Repeat steps 3 to 5 to add the MIISScheduler account to the following user rights, which restrict it:
  • Deny log on locally
  • Deny log on by using Terminal Services

Note   The Access this computer from the Network user right is required for the MIISScheduler account when creating the task. However, after the task has been created it is not required to run the scheduled task. Therefore, you may want to restrict this account further after you have created the scheduled MA run by enabling the Deny access to this computer from the network user right for the MIISScheduler user account.

To set up a scheduled MA run

  1. Click Start, point to All Programs, point to Accessories, point to System Tools and then click Scheduled Tasks.
  2. Double-click Add Scheduled Task. When the Scheduled Task Wizard displays, click Next to continue.
  3. On the second screen of the wizard, click the Browse button.
  4. Navigate the folder structure to the Tools and Templates folder where you extracted the files from the download of this series.
  5. Select MA-Runs.cmd and click Open.
  6. Under Type a name for this task, enter Hourly User Synchronization. Click the Daily button and then click Next.
  7. Under Start time, use the spin controls or type in 7:00 AM.
  8. Under Perform this task, select the Every Day radio button. The Start date should default to today. Click Next to continue.
  9. In the Enter the user name field, enter the scheduler account created in the previous section in the format FFL-NA-MIIS-01\MIISScheduler.
  10. Enter the password for the chosen account twice, and then click Next to continue.
  11. Select the Open advanced properties for this task when I click finish check box.
  12. Click Finish to close the wizard.
  13. In the Advanced Properties dialog box, in Hourly User Synchronization, click the Schedule tab.
  14. Click the Advanced button.
  15. Select the Repeat Task check box.
  16. In the Every boxes use the drop down list box to select 1 Hour.
  17. Click the Until section, select the Time radio button, and select 10:00 PM.
  18. Click OK to save changes and close the dialog box.
  19. Click OK to close the Hourly User Synchronization dialog box.

For more information about configuring the Windows Scheduling Service, search for "schedule a new task" in Windows Help and Support.
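The paper's MA-Runs.cmd is not reproduced here; as an added example, the following PowerShell script runs the same cycle as steps 6 through 15 of Test 10 (delta import, delta synchronization, export) through the MIIS WMI provider and can be scheduled with the task created above in place of the command file. It generalizes the test by staging changes from every MA rather than only the Intranet Directory MA, and it stops at the first run that does not report success. The MA names are those from Test 5 and the run profile names are assumed to exist on every MA exactly as used in Test 10; the function names are mine.

```powershell
# Added example (not the paper's MA-Runs.cmd): run every management agent
# through delta import, delta synchronization and export via the MIIS 2003
# with SP1 WMI provider, so the cycle can be scheduled as a task.
# Assumes run profiles named as in Test 10 exist on every MA listed below.
$Namespace        = 'root\MicrosoftIdentityIntegrationServer'
$ManagementAgents = @(
    'Intranet Directory MA',
    'Extranet Directory MA',
    'SunONE Directory MA',
    'Lotus Notes MA'
)

function Invoke-MARun {
    param([string]$MAName, [string]$RunProfile)

    $ma = Get-WmiObject -Namespace $Namespace -Class MIIS_ManagementAgent -Filter "Name='$MAName'"
    if ($ma -eq $null) { throw "Management agent '$MAName' was not found" }

    # Execute blocks until the run finishes (no need to poll for Idle) and
    # returns the run status string, for example 'success' or 'completed-export-errors'.
    $status = $ma.Execute($RunProfile).ReturnValue
    Write-Host ("{0:s}  {1,-22}  {2,-26}  {3}" -f (Get-Date), $MAName, $RunProfile, $status)
    return $status
}

function Invoke-SynchronizationCycle {
    # Stage changes from every connected directory, then synchronize, then export.
    # Stops at the first MA that does not report 'success' so that an export is
    # never run on top of an incomplete synchronization.
    $phases = @('Delta Import (Stage Only)', 'Delta Synchronization', 'Export')
    foreach ($profile in $phases) {
        foreach ($maName in $ManagementAgents) {
            $status = Invoke-MARun -MAName $maName -RunProfile $profile
            if ($status -ne 'success') {
                Write-Warning "$maName / $profile ended with status '$status'; stopping the cycle"
                return $false
            }
        }
    }
    return $true
}

# A non-zero exit code lets Scheduled Tasks record the failure in its Last Result column
if (Invoke-SynchronizationCycle) { exit 0 } else { exit 1 }
```

Each run also appears in the Operations view of Identity Manager, so a failed scheduled cycle can be diagnosed there with the run history procedures described under "Monitoring MIIS 2003 with SP1 Errors".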

Note   You can use the MASequencer tool in the MIIS 2003 with SP1 Resource Tool Kit instead of the MA-Runs.cmd file to schedule management agents. For more information, download the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0.

Monitoring MIIS 2003 with SP1 Errors

All error messages in MIIS 2003 with SP1 are recorded in the application event logs and the statistics are displayed when the management agent run completes. You can access these statistics using the Operation view in Identity Manager. You can save each run history into a file and send them to Microsoft Support Services to help diagnose problems on the system.

Saving a Run History

Complete the following steps to accomplish this task:

To save a run history

  1. Open Identity Manager, and then select Operation View.
  2. Right-click the operation you want to save, and then select Save to File.
  3. In the File Name box, type a name to identify the run history.
  4. Expand the Save as Type list box, and then select the Run Files (*.xml) file type.

Saving Application Event Logs

Complete the following steps to accomplish this task:

To save an application log

  1. Open Event Viewer, and then on the Action menu, click Save Log File As.
  2. In the File Name box, type a name to identify the application event log.
  3. Expand the Save as Type list box, and then select the Event Log (*.evt) file type.

Dropping a Log File

You can drop a log file during the import or export phase of running a call-based management agent. You may want to drop a log file to:

  • Examine updates before you commit them to MIIS 2003 with SP1 or the connected directory.
  • Examine performance-related issues.

Creating a Log File

Use this setting to drop a log file while continuing to update either the connector space or the connected directory in MIIS 2003 with SP1. This setting is useful when you are trying to troubleshoot an issue in which you need to see the last object processed before an error. In addition, you can use this setting to track changes to the connector space or the connected directory. However, this setting will increase the management agent processing time slightly, and it will also require disk space for storage.

If you plan to keep log file data for an extended period, you will need a mechanism to archive the files and purge them periodically. Typically, this level of auditing is not required unless you are requesting Microsoft to track an intermittent ongoing issue. However, some organizations may have reasons to track changes at this level.

Configuring Run Profiles with Log File Options

This example implements the full import (stage only) drop log file option. However, you should configure your log file settings for the specific goals you are trying to meet in your troubleshooting process.

Complete the following steps to accomplish this task:

To use the full import (stage only) drop log file option

  1. In Identity Manager, click Management Agents, and then on the Action menu, click Configure Run Profiles.
  2. Click New Profile, type a profile name, such as Full Import – drop file, and then click Next.
  3. In the Specify step type area, in the type box, select Full Import (Stage Only).
  4. Click Set Log File Options, select Create a Log File, and then type a log file name, such as FullImportDrop.xml.
  5. Click OK to save log files settings, click Next, and then click Finish.

Using the MIIS 2003 with SP1 Preview Function

You can use the Preview function in MIIS 2003 with SP1 to test the effects of synchronization for an object in a connector space before you synchronize it with the metaverse. Preview can be useful for viewing source object details, steps in the synchronization process leading up to an error, connector filters, object deletion, join and projection rules, etc.

To use Preview, you must log on as a member of the MIISAdmins security group. It is a best practice to use Preview to test any changes made to rules in MIIS 2003 with SP1 before executing a synchronization. Use the Preview function after you have completed a Delta Import (Stage Only) or Full Import (Stage Only) run profile, while the imported objects are staged in the connector space but not yet synchronized.

Note   Microsoft recommends testing all changes in a non-production MIIS 2003 with SP1 environment. If the change is to an MA, you can use the Export Server Configuration and Import Server Configuration functionality in MIIS 2003 with SP1 to update the MA on the production system. Alternatively, for changes to custom extensions, you would move the compiled .DLL file, in which case you should consider using a version control system such as Visual SourceSafe (VSS).

To use the Preview function to test synchronization

  1. On the Tools menu, click Management Agents, and then click a management agent that has an associated connector space.
  2. On the Actions menu, click Search Connector Space.
  3. In Search Results, click a connector space object, and then click Preview.
  4. In Select Preview Mode, choose one of the following options:
  • To synchronize the object, evaluating all of the attributes on the object and any rules that apply, click Full Synchronization. (The synchronization is simulated: Actual full synchronization does not occur.)
  • To synchronize the object, evaluating only those attributes that have changed since the last synchronization, click Delta Synchronization. (The synchronization is simulated: Actual delta synchronization does not occur.)
  5. Click Generate Preview, and then in Contents click a page to display details.
  6. To save the Preview results, select the Save Preview Results check box, type a name and define a location for the file, and click OK.