Microsoft Windows Server 2003 Unleashed (R2 Edition)
In many of today's business environments, it is common for multiple directories to be used to provide authentication for different environments or to provide enterprise-wide address books or contact information. To simplify data synchronization between different applications such as email, phone books, human resources databases, and payroll databases, an organization should use a metadirectory product such as Microsoft Identity Integration Server (MIIS) 2003.

The History of MIIS
MIIS is Microsoft's metadirectory solution. A metadirectory can be considered a master directory that contains the most authoritative directory services data within an organization. In 1996, when the Burton Group (http://www.tbg.com) coined and defined the term, no products existed on the market. Since then, many companies have created their own version of a metadirectory, but each might have its own complicated setup and functionality. The original version of Microsoft's metadirectory solution was known as Microsoft Metadirectory Services (MMS). This version of the application was effective, but it was extremely technical. Many components required customized scripting to function properly, and support for third-party products was minimal. With the 3.0 release of the product came a change in branding, and Microsoft Identity Integration Server (MIIS) 2003 was born. MIIS retained the metadirectory power that its predecessor possessed and expanded on its capabilities by introducing built-in Management Agents to provide synchronization with a wide variety of directories, as listed here:
One of the important new features of MIIS 2003 is the capability to allow users to reset their own passwords through a self-service Web page. This frees up a lot of help desk and security time formerly spent resetting user passwords, and it provides a more secure and private method of resetting them.

Presenting the Identity Integration Feature Pack (IIFP)
Realizing the need for a "lite" version of MIIS, Microsoft made available the Identity Integration Feature Pack (IIFP), a free download from Microsoft that allows for metadirectory functionality between Active Directory, Exchange 2000/2003 Global Address List (GAL), and Active Directory in Application Mode (ADAM) forests. This version is as functional as MIIS, except that it only supports synchronization and provisioning between Active Directory forests, and not to the other directories that MIIS supports. If you only need to synchronize between two or more AD forests, however, IIFP is perfect for the job. IIFP can be downloaded from one of the links on the MIIS Web site at Microsoft at http://www.microsoft.com/miis.

The SQL Server Database for MIIS
MIIS and the IIFP require the use of a back-end Microsoft SQL Server 2000 database. This database is used to store configuration information and the person-objects stored in the metaverse. The database can be located on a dedicated MIIS server, or it can be on an existing SQL Server box. All of the maintenance and administrative needs of any other SQL database exist for the MIIS databases as well.

MIIS Terminology
Organizations that have many different directories and need to keep information synchronized between these directories need a metadirectory product such as MIIS. MIIS provides a single interface for administrators to access the different directories and to configure how the directories will synchronize and/or replicate with one another, through the metadirectory. Before discussing MIIS any further, an understanding of some key terms is required.
MIIS can be used for many tasks but is most commonly used for managing directory entry identity information. The intention here is to manage user accounts by synchronizing attributes such as login ID, first name, last name, telephone number, title, and department. For example, if a user named Jane Doe is promoted and her title is changed from manager to vice president, the title change could first be entered in the HR or Payroll databases, and through MIIS management agents, the change can be replicated to other directories within the organization. This ensures that when someone looks up the title attribute for Jane Doe, it is the same in all the directories synchronized with MIIS. This is a common and basic use of MIIS referred to as identity management. Other common uses of MIIS include account provisioning and deprovisioning (the automatic, centralized creation and deletion of user accounts) and group management.

MIIS Management Agents
MIIS 2003 comes with many built-in management agents to simplify an MIIS implementation. These agents are used to configure how MIIS will communicate and interact with the connected directories when the agent is run. The type of management agent chosen depends on what type of directory is being connected. When a management agent is first created, all the configuration of that agent can be performed during that instance. The elements that can be configured include which types of directory objects will be replicated to the connector namespace, which attributes will be replicated, directory entry join and projection rules, attribute flow rules between the connector namespace and the metaverse namespace, and more. If a necessary configuration is unknown during the MA creation, it can be revisited and modified later.

Management Agent Run Profiles
After creating a management agent, run profiles must be created to define how the management agent will perform. Options include Full Import, Delta Import, Export, Apply Rules, and Full Import and Re-Evaluate Rules. This allows MIIS administrators to grant finer administrative privileges to run agents without compromising data integrity; for example, suppose only an import run profile was created. With only an import run profile, the management agent would import the desired directory objects and attributes from the connected directory to the respective connector namespace, and the data in the connected directory would never be modified.

Installing Microsoft Identity Integration Server 2003
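As an added illustration (not from the book and not MIIS's own API), the following Python sketch models the pipeline described in the preceding sections on identity management, management agents, and run profiles: each management agent stages objects from its connected directory into a connector space, a join rule on employeeID projects them into the metaverse, attribute flow carries Jane Doe's new title from the authoritative HR source toward AD, and only an Export run profile writes anything back to a connected directory. The directory contents and attribute names are constructed sample data, and the class and function names are this example's own.

```python
from copy import deepcopy

# Constructed sample directories, keyed by employeeID (the join anchor).
HR_DIRECTORY = {"1001": {"employeeID": "1001", "givenName": "Jane", "sn": "Doe",
                         "title": "Vice President"}}
AD_DIRECTORY = {"1001": {"employeeID": "1001", "givenName": "Jane", "sn": "Doe",
                         "title": "Manager", "sAMAccountName": "jdoe"}}

class ManagementAgent:
    """One MA per connected directory, each with its own connector space (model only)."""
    def __init__(self, directory, import_flow, export_flow):
        self.directory = directory        # the connected directory itself
        self.connector_space = {}         # staged copy of the directory's objects
        self.import_flow = import_flow    # attributes this MA is authoritative for
        self.export_flow = export_flow    # metaverse attributes flowed back out
        self.pending_exports = {}

    def full_import(self):                # import run profile: stage objects only
        self.connector_space = deepcopy(self.directory)   # directory is never written

    def export(self):                     # export run profile: the only step that writes
        for anchor, changes in self.pending_exports.items():
            self.directory[anchor].update(changes)
        self.pending_exports = {}

def synchronize(metaverse, agents):
    """Join/projection plus import and export attribute flow for every MA."""
    for ma in agents:
        for anchor, cs_obj in ma.connector_space.items():
            # Join rule: match on employeeID; projection creates the MV object if none.
            mv_obj = metaverse.setdefault(anchor, {"employeeID": anchor})
            mv_obj.update({a: cs_obj[a] for a in ma.import_flow if a in cs_obj})
    for ma in agents:
        for anchor, mv_obj in metaverse.items():
            cs_obj = ma.connector_space.get(anchor, {})
            diff = {a: mv_obj[a] for a in ma.export_flow if a in mv_obj and cs_obj.get(a) != mv_obj[a]}
            if cs_obj and diff:           # staged for export; nothing is written yet
                ma.pending_exports[anchor] = diff

def run_scenario(run_export):
    """Jane Doe's promotion entered in HR reaches AD only when an export runs."""
    hr, ad, metaverse = deepcopy(HR_DIRECTORY), deepcopy(AD_DIRECTORY), {}
    hr_ma = ManagementAgent(hr, ["givenName", "sn", "title"], [])  # HR is authoritative
    ad_ma = ManagementAgent(ad, ["sAMAccountName"], ["title"])
    for ma in (hr_ma, ad_ma):
        ma.full_import()
    synchronize(metaverse, [hr_ma, ad_ma])
    if run_export:
        ad_ma.export()
    return hr, ad, metaverse, ad_ma.pending_exports
```

Running `run_scenario(False)` leaves AD's title at "Manager" with the change merely staged in the AD management agent, which is the data-integrity property of an import-only run profile; `run_scenario(True)` applies it.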
Installation of MIIS 2003 is straightforward because Service Pack 1 for MIIS eliminated the need to install MIIS on SQL Server 2000 Enterprise Edition. Instead, it can be installed on either Standard or Enterprise Edition. To install, perform the following tasks:
At this point, MIIS should be installed and ready for the configuration of management agents, run profiles, and other necessary components for identity management.