Microsoft Windows Server 2003 Unleashed (R2 Edition)

MIIS is a very capable and powerful tool. With the right configuration and some fancy scripting, it can be configured to perform an incredible variety of automatic tasks. Today's environments are rife with directories, which increase the amount of administration required to create accounts, delete accounts, and update user information manually. MIIS can greatly ease these requirements, improving administration and security. The next section focuses on some of the most valuable capabilities of MIIS and how to effectively use them.

Managing Identities with MIIS

MIIS can be used for the most basic and easiest configurations. For example, MIIS can be used to synchronize identity information between accounts in different directories. Identity information could include names, email and physical addresses, titles, department affiliations, and much more. Generally speaking, identity information is the type of data commonly found in corporate phone books or intranets. To use MIIS for identity management between Active Directory and an LDAP directory server, follow these high-level steps:

1. Install MIIS 2003.

2. Create a management agent for each of the directories, including an Active Directory management agent and an LDAP agent.

3. Configure the management agents to import directory object types into their respective connector namespaces, as shown in Figure 8.15.

4. Configure one of the management agents (for example, the Active Directory MA) to project the connector space directory objects and directory hierarchy into the metaverse namespace.

5. Within each management agent, configure the attribute flow rules. Attribute flow defines which directory object attributes from each directory will be projected into the respective metaverse directory objects.

6. Configure the account-joining properties for directory objects. This is the most crucial step because it determines how the objects in each directory are related to one another within the metaverse namespace. To configure the account join, criteria such as an employee ID or a first name and last name combination can be used. The key is to find the most unique combination to avoid problems when two objects with similar names are located (for example, if two users named Tom Jones exist in Active Directory).

7. After completely configuring the MAs and account joins, configure management agent run profiles to tell the management agent what to perform with the connected directory and connector namespace, for example, a full import or an export of data. The first time the MA is run, the connected directory information is imported to create the initial connector namespace.

8. After running the MAs once, they can be run a second time to propagate the authoritative metaverse data to the respective connector namespaces and out to the connected directories.

Figure 8.15. Using the MA Wizard.

These steps can be used to simplify account maintenance tasks when several directories need to be managed simultaneously. In addition to performing identity management for user accounts, MIIS can also be used to perform management tasks for groups. When a group is projected into the metaverse namespace, the group membership attribute can be replicated out to other connected directories through their management agents. This allows a group membership change to occur in one directory and be replicated to other directories automatically.
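The join step above is where most synchronization mistakes originate: a rule that matches on first and last name alone will happily merge two different people into one metaverse object, after which attribute flow pushes one person's data into the other's account. The following stand-alone Python model, added here and not part of the book, walks through projection, joining and precedence-based attribute flow for an Active Directory MA and an LDAP MA. It borrows the chapter's vocabulary (connector space, metaverse, join criteria, attribute flow) but is not MIIS's API; the MA names, attribute names, precedence table and the users are constructed. One design choice is deliberate: a weaker join rule is consulted only when the entry lacks the stronger key, and any rule that yields more than one candidate leaves the entry disconnected and records it for an administrator instead of guessing.

```python
"""Stand-alone model of the MIIS join, projection and attribute-flow logic
described in the chapter. Constructed example: it borrows the vocabulary
(connector space, metaverse, join criteria, attribute flow, precedence)
but is not MIIS's API; MA names, attribute names and users are made up.
"""
from dataclasses import dataclass, field

# Join criteria in priority order. Design choice of this model: a weaker
# rule is consulted only when the entry lacks the stronger key, so two
# different employee IDs never fall through to a name match.
JOIN_CRITERIA = [("employeeID",), ("givenName", "sn")]

# Attribute flow precedence: which MA is authoritative for which attribute
# (first entry wins). Constructed values.
PRECEDENCE = {
    "department": ["LDAP MA", "AD MA"],
    "title": ["LDAP MA", "AD MA"],
    "mail": ["AD MA", "LDAP MA"],
}


@dataclass
class MVObject:
    attributes: dict = field(default_factory=dict)
    sources: dict = field(default_factory=dict)     # attribute -> MA it came from
    connectors: dict = field(default_factory=dict)  # MA name -> connector-space DN


def rank(ma_name, attr):
    """Lower is more authoritative; MAs not listed for an attribute rank last."""
    order = PRECEDENCE.get(attr, [])
    return order.index(ma_name) if ma_name in order else len(order)


def join_key(attrs, fields):
    values = tuple(attrs.get(f) for f in fields)
    return None if any(v in (None, "") for v in values) else values


def find_join_candidates(entry, metaverse):
    """Evaluate the first applicable join rule and return (fields, matches)."""
    for fields in JOIN_CRITERIA:
        key = join_key(entry, fields)
        if key is None:
            continue  # entry lacks this key; try the next, weaker rule
        matches = [mv_id for mv_id, mv in metaverse.items()
                   if join_key(mv.attributes, fields) == key]
        return fields, matches
    return None, []


def flow_attributes(ma_name, entry, mv):
    """Import attribute flow: a value is written only if this MA is at least
    as authoritative for the attribute as the MA that last wrote it."""
    for attr, value in entry.items():
        current = mv.sources.get(attr)
        if current is None or rank(ma_name, attr) <= rank(current, attr):
            mv.attributes[attr] = value
            mv.sources[attr] = ma_name


def synchronize(ma_name, connector_space, metaverse, ambiguous):
    """Join or project every connector-space entry of one MA."""
    for dn, entry in connector_space.items():
        fields, matches = find_join_candidates(entry, metaverse)
        if len(matches) > 1:
            # Two Tom Joneses: do not guess, leave the entry disconnected
            # and record it for an administrator to resolve.
            ambiguous.append((ma_name, dn, fields, sorted(matches)))
            continue
        if matches:
            mv = metaverse[matches[0]]                               # join
        else:
            mv = metaverse[f"mv-{len(metaverse) + 1}"] = MVObject()  # project
        mv.connectors[ma_name] = dn
        flow_attributes(ma_name, entry, mv)


# Constructed connector-space contents for the two MAs.
AD_CS = {
    "CN=Tom Jones,OU=Sales,DC=corp,DC=example": {
        "employeeID": "1001", "givenName": "Tom", "sn": "Jones",
        "mail": "tom.jones@corp.example", "department": "Sales"},
    "CN=Tom Jones,OU=Eng,DC=corp,DC=example": {
        "employeeID": "1002", "givenName": "Tom", "sn": "Jones",
        "mail": "tjones2@corp.example", "department": "Engineering"},
    "CN=Ana Ruiz,OU=Finance,DC=corp,DC=example": {
        "givenName": "Ana", "sn": "Ruiz", "mail": "ana.ruiz@corp.example"},
}
LDAP_CS = {
    "uid=1001,ou=people,dc=hr,dc=example": {
        "employeeID": "1001", "givenName": "Tom", "sn": "Jones",
        "department": "Sales Operations", "title": "Account Manager"},
    "uid=tjones,ou=people,dc=hr,dc=example": {   # no employeeID: ambiguous by name
        "givenName": "Tom", "sn": "Jones", "title": "Engineer"},
    "uid=aruiz,ou=people,dc=hr,dc=example": {
        "givenName": "Ana", "sn": "Ruiz", "department": "Finance"},
}


def run_example():
    metaverse, ambiguous = {}, []
    synchronize("AD MA", AD_CS, metaverse, ambiguous)      # AD projects first
    synchronize("LDAP MA", LDAP_CS, metaverse, ambiguous)  # LDAP joins afterwards
    return metaverse, ambiguous


if __name__ == "__main__":
    mv, amb = run_example()
    for mv_id, obj in mv.items():
        print(mv_id, sorted(obj.connectors), obj.attributes)
    for item in amb:
        print("AMBIGUOUS JOIN, left disconnected:", item)
```

Running it shows the employee-ID rule joining the HR record for Tom Jones 1001 to the right Active Directory user and the LDAP MA overriding the department because it has precedence for that attribute, while the HR record that carries only a name matches both Tom Joneses and is reported rather than joined. The `ambiguous` list is the kind of output worth reviewing after every synchronization run, since a silently wrong join is far harder to notice than a disconnected object.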

Provisioning and Deprovisioning Accounts with MIIS

Account provisioning in MIIS allows advanced configurations of directory management agents, along with special provisioning agents, to be used to automate account creation and deletion in several directories. For example, if a new user account is created in Active Directory, the Active Directory MA could tag this account. Then, when the respective MAs are run for the other connected directories, a new user account can be automatically generated in each of those directories.

The provisioning and deprovisioning process in MIIS can be an extremely useful tool in situations where automatic creation and deletion of user accounts is required. For example, a single user account can be created in an HR PeopleSoft database, which can initiate a chain of account creations, as illustrated in Figure 8.16.

Figure 8.16. Provisioning accounts with MIIS.

In addition to creating these accounts, all associated accounts can be automatically deleted through a deprovisioning process in MIIS. By automating this process, administration of the multitude of user accounts in an organization can be simplified and the risk of accidentally leaving a user account enabled after an employee has been terminated can be minimized.

The following high-level example demonstrates the steps required to set up simple account provisioning. In this example, a Windows NT domain is connected to MIIS. Any user accounts created in that domain have corresponding Exchange Server 2003 mailboxes created in a separate Active Directory forest.

1. Install MIIS Enterprise.

2. Configure a management agent for the connected Windows NT 4.0 domain.

3. Configure the NT 4.0 MA so that the attributes necessary to create a resource mailbox flow into the metaverse.

4. Configure the attribute flow between the NT MA attributes and the MIIS metaverse, as illustrated in Figure 8.17.

5. Configure an MA for the Active Directory domain in the Exchange resource forest.

6. Ensure that the Active Directory MA attributes that MIIS will need to create the mailbox are set similarly to the settings noted in Figure 8.18.

7. Using Visual Studio .NET 2003, configure a custom Rules Extension DLL to provide for the automatic creation of a mailbox-enabled user account in the resource forest. In this case, the DLL must use the MVExtensionExchange class in the script.

8. Install this rules extension DLL into the metaverse, as illustrated in Figure 8.19.

9. Configure Run Profiles to import the information and automatically create the mailboxes.

Figure 8.17. Configuring attribute flow in the NT MA.

Figure 8.18. Configuring attribute flow in an MA.

Figure 8.19. Installing a customized rules extension DLL into the metaverse.

The example described previously, although complex, is useful in situations in which a single Exchange Server 2003 or Exchange 2000 forest is used by multiple organizations. The Security ID (SID) of the NT Domain account is imported into the metaverse and used to create a mailbox in the resource forest that has the external domain account listed as the Associated External Account. Through a centralized MIIS implementation, the Exchange resource forest can support the automatic creation of resource mailboxes for a large number of connected domains.
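The provisioning chain described in this section, from an authoritative source through the metaverse into each connected directory and back out again when the source record disappears, is easier to reason about with a concrete run. The Python model below is an added, stand-alone illustration, not code from the book and not the MIIS rules-extension API or the MVExtensionExchange class the steps refer to: an HR feed is treated as authoritative, a connector is created in every directory that lacks one, and when a record leaves the feed each directory is deprovisioned according to its own policy. MIIS lets a deprovisioning rule delete the connected object or leave it behind as a disconnector; the additional "disable" action here is a design choice of the model. The MA names, the anchor format, the HR records and the audit tuple format are constructed. The closing `orphaned_accounts` check is the control a defender would run against the real directory to catch exactly the failure the text warns about: an enabled account whose owner no longer exists in the authoritative source.

```python
"""Stand-alone model of the provisioning/deprovisioning chain the chapter
describes: one authoritative source feeds the metaverse, and each connected
directory gains or loses an account as a result. Constructed example, not
MIIS's API; MA names, anchor format, attribute names and the audit tuples
are made up.
"""
from dataclasses import dataclass, field
from enum import Enum


class Deprovision(Enum):
    DELETE = "delete"            # remove the object from the directory
    DISABLE = "disable"          # model's own choice: keep it, but disabled
    DISCONNECT = "disconnect"    # leave the object, drop only the MV link


@dataclass
class ConnectedDirectory:
    name: str
    on_deprovision: Deprovision
    objects: dict = field(default_factory=dict)     # anchor -> attributes


@dataclass
class Metaverse:
    objects: dict = field(default_factory=dict)     # employeeID -> attributes
    connectors: dict = field(default_factory=dict)  # employeeID -> {MA name: anchor}


def make_account_name(attrs):
    """Constructed naming convention: first initial plus surname, lowercase."""
    return (attrs["givenName"][0] + attrs["sn"]).lower()


def provision(mv, directories, audit):
    """Create a connector in every directory that lacks one for an MV object,
    the situation in which an MIIS provisioning rule fires."""
    for emp_id, attrs in mv.objects.items():
        links = mv.connectors.setdefault(emp_id, {})
        for d in directories:
            if d.name in links:
                continue
            anchor = f"{emp_id}@{d.name}"          # constructed anchor format
            d.objects[anchor] = {
                "sAMAccountName": make_account_name(attrs),
                "displayName": f"{attrs['givenName']} {attrs['sn']}",
                "employeeID": emp_id,
                "enabled": True,
            }
            links[d.name] = anchor
            audit.append(("provision", d.name, anchor))


def deprovision(mv, emp_id, directories, audit):
    """The MV object is gone: apply each directory's deprovisioning policy."""
    links = mv.connectors.pop(emp_id, {})
    mv.objects.pop(emp_id, None)
    for d in directories:
        anchor = links.get(d.name)
        if anchor is None:
            continue
        if d.on_deprovision is Deprovision.DELETE:
            d.objects.pop(anchor, None)
        elif d.on_deprovision is Deprovision.DISABLE:
            d.objects[anchor]["enabled"] = False
        # DISCONNECT: the directory object is left untouched
        audit.append(("deprovision", d.name, anchor, d.on_deprovision.value))


def import_hr(mv, hr_records, directories, audit):
    """HR is authoritative: present records are projected or refreshed,
    records that disappeared trigger deprovisioning, then provisioning
    fills any missing connectors."""
    current = {r["employeeID"]: r for r in hr_records}
    for emp_id, rec in current.items():
        mv.objects[emp_id] = dict(rec)
    for emp_id in list(mv.objects):
        if emp_id not in current:
            deprovision(mv, emp_id, directories, audit)
    provision(mv, directories, audit)


def orphaned_accounts(directory, mv):
    """Detection check: enabled directory objects with no live MV object."""
    live = set(mv.objects)
    return sorted(anchor for anchor, obj in directory.objects.items()
                  if obj["enabled"] and obj["employeeID"] not in live)


# Constructed HR feed at two points in time; Tom has left by day 2.
HR_DAY1 = [
    {"employeeID": "1001", "givenName": "Tom", "sn": "Jones"},
    {"employeeID": "1002", "givenName": "Ana", "sn": "Ruiz"},
]
HR_DAY2 = [HR_DAY1[1]]


def run_example():
    ad = ConnectedDirectory("AD MA", Deprovision.DISABLE)
    exch = ConnectedDirectory("Exchange Resource MA", Deprovision.DELETE)
    mv, audit = Metaverse(), []
    import_hr(mv, HR_DAY1, [ad, exch], audit)
    import_hr(mv, HR_DAY2, [ad, exch], audit)
    return ad, exch, mv, audit


if __name__ == "__main__":
    ad, exch, mv, audit = run_example()
    for entry in audit:
        print(*entry)
    print("orphaned in AD:", orphaned_accounts(ad, mv))
```

The two HR imports produce four provisioning events and then two deprovisioning events, one per directory, and the orphan check comes back empty because the departed user's Active Directory account was disabled rather than left active. Running the same check against a directory whose deprovisioning rule only disconnects would list that account, which is the signal the summary below has in mind when it says accidentally leaving an account enabled after termination is the risk MIIS is meant to minimize.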

Summarizing MIIS 2003

MIIS is a versatile and powerful directory synchronization tool that can be used to simplify and automate some directory management tasks. Due to the nature of MIIS, it can also be a very dangerous tool because the management agents can have full access to the connected directories. Misconfiguration of MIIS management agents could result in data loss, so careful planning and extensive lab testing should be performed before MIIS is released to the production directories of any organization. It is often wise to contact certified Microsoft solution providers/partners to help decide whether MIIS is right for your environment, or even to design and facilitate the implementation.
