Prepare your network to handle Mobile Information Server

To prevent big problems from occurring in the future, you should take the time to prepare your network to handle Mobile Information Server. In this Daily Drill Down, Jim Boyce shows you what you need to do before running Setup.

Microsoft Mobile Information Server (MIS) provides a link between your network’s resources and users who rely on wireless devices to stay connected. MIS is a complex product, and it impacts almost every aspect of your Windows 2000 network. As such, it’s not the type of product you want to install without doing advanced planning. In this Daily Drill Down, I’ll show you what parts of Windows 2000 MIS affects and how to prepare these parts for the MIS installation.

No quick fix for MIS
Don’t consider this article a complete reference on MIS. Think of it as a primer that will help you understand the requirements for deployment before beginning the installation process. In upcoming Daily Drill Downs, I’ll cover installation, configuration steps, and user management.

MIS’s impact on Active Directory
If you are installing only Server ActiveSync and don’t plan to implement the other features offered by MIS, there are no required Active Directory (AD) schema changes. To support other features, however, MIS requires some significant changes to the Active Directory schema. The installation process adds several new classes and attributes to accommodate wireless users and the data required to enable and manage mobile connectivity. The AD changes identify MIS components, users, devices, virtual directories, message limits, and so on.

How these AD changes impact your existing network and directory depends, in part, on the security model you choose when you install MIS. For example, if you choose to use your existing domain and accounts for MIS authentication, then, naturally, your existing AD will be affected. However, if you install a new domain forest specifically for MIS, AD changes would apply only to the new forest and not to your existing one. In most cases, there isn’t a downside to modifying your existing schema—the changes don’t have a significant impact on server requirements or performance, for example. However, if you choose to remove MIS later, you can’t peel out those schema changes—they’re permanent.

To modify the AD schema, run ForestPrep from your MIS CD-ROM on the domain controller in the domain where the schema master resides. By default, this is the first domain created in the forest. You must be a member of the Schema Admins and Enterprise Admins groups in that domain, as well as a member of the local Administrators group on the DC on which you run ForestPrep. To update the schema, open a command console and then open the folder where you extracted the evaluation version or open the MIS CD. Execute the following command:
Setup.exe /vForestPrep=1

ForestPrep also creates a new global security group named Microsoft Mobility Admins (MMA), prompting you to specify the domain where the group should be created. Membership in this group is what permits a user to install MIS.

If you are running Exchange 2000 Server, specify the domain in which the Exchange 2000 servers reside. If you are not running Exchange 2000 Server, you can specify the MIS domain (or another domain, when appropriate).

After you complete the schema changes, add the accounts for users who will need the ability to install MIS to this group. Also add the Account Operators group to the Microsoft Mobility Admins group in the domain where you originally placed the MMA group.

The schema updates will take some time to propagate to all of your domain controllers. The amount of time required depends on the number of DCs as well as other factors. Just make sure the schema changes have fully propagated before you try installing MIS.
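A pre-flight script for the ForestPrep step, added here as an example and not part of the article or of MIS: Part 1 confirms the account you are logged on with holds the memberships the step needs, and Part 2 compares the number of schema classes and attributes on every DC in the forest against the schema master, which is the propagation check the previous paragraph calls for. It assumes PowerShell with System.DirectoryServices on the machine you run it from, and that Part 1 is run on the DC where you will run ForestPrep.

```powershell
# Added pre-flight check for ForestPrep (example code, not from the article or the MIS product).
# Uses System.DirectoryServices only; no ActiveDirectory module is assumed.

# Part 1: the logged-on account must be in Schema Admins and Enterprise Admins,
# and in the local Administrators group on the DC where ForestPrep is run.
$required    = @('Schema Admins', 'Enterprise Admins')
$id          = [System.Security.Principal.WindowsIdentity]::GetCurrent()
$tokenGroups = $id.Groups | ForEach-Object {
    try { $_.Translate([System.Security.Principal.NTAccount]).Value } catch { $null }
}
foreach ($g in $required) {
    $hit = $tokenGroups | Where-Object { $_ -and $_.EndsWith("\$g") }
    if ($hit) { "OK      $g" } else { "MISSING $g (ForestPrep will fail)" }
}
# Local Administrators is the well-known SID S-1-5-32-544 on the machine this runs on.
if ($id.Groups | Where-Object { $_.Value -eq 'S-1-5-32-544' }) { 'OK      local Administrators' }
else { 'MISSING local Administrators on this machine' }

# Part 2: MIS adds classes and attributes to the schema partition, so a DC whose partition
# holds fewer classSchema/attributeSchema objects than the schema master has not yet
# received the update. Count them on every DC in the forest and compare.
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaDn = $forest.Schema.Name      # e.g. CN=Schema,CN=Configuration,DC=corp,DC=example
$counts   = @{}
foreach ($dc in ($forest.Domains | ForEach-Object { $_.DomainControllers })) {
    # Bind to the schema partition on this specific DC, not on whichever DC the locator picks.
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$($dc.Name)/$schemaDn")
    $s = New-Object System.DirectoryServices.DirectorySearcher(
        $root, '(|(objectClass=classSchema)(objectClass=attributeSchema))', @('cn'))
    $s.PageSize = 1000                # paged search so large schemas are fully counted
    $counts[$dc.Name] = $s.FindAll().Count
}
$master = $forest.SchemaRoleOwner.Name
$counts.GetEnumerator() | Sort-Object Name | ForEach-Object {
    $state = if ($_.Value -eq $counts[$master]) { 'in sync with schema master' }
             else { 'BEHIND by ' + ($counts[$master] - $_.Value) + ' schema objects' }
    '{0,-40} {1,6} objects  {2}' -f $_.Name, $_.Value, $state
}
```

Run it once before ForestPrep (Part 1 should show all OK) and again afterwards until every DC reports in sync; only then start the MIS installation.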

Domain preparation
The next step in the MIS installation process is to prepare the domain you will use for MIS authentication and account management. You can choose one of four security models:
  • Existing domain and accounts: Use an existing corporate domain for wireless accounts.
  • Auxiliary accounts: Create auxiliary accounts in the user’s existing domain and use those auxiliary accounts for wireless authentication.
  • Auxiliary domain: Create an auxiliary domain in the existing domain forest and use accounts in that domain to authenticate wireless users.
  • Auxiliary forest/domain: Create a new forest and create domains in that new forest, using those accounts for wireless authentication.

No matter which security model you choose, you will still have some additional domain preparation steps to take before you can install MIS. For example, if you are using an auxiliary domain or auxiliary forest/domain, you will need to create that forest and/or domain. If you’re creating a new forest, you’ll need to make sure there is a two-way transitive trust between the auxiliary domain and the domains in which you install MIS.

If you use Exchange 2000 Server and want to implement Outlook Mobile Access for Exchange 2000 Server browsing, you will also need to update the domain for Exchange 2000 Server. The account you use to prepare the domain for Exchange 2000 Server must be a member of the Domain Admins group and a member of the Administrators group on the auxiliary domain controller. You’ll also need to lay hands on the Exchange 2000 Server CD.

To prepare the domain, insert the Exchange 2000 Server CD and open a command console. Open the CD drive and execute the following command:
\setup\i386\setup /DomainPrep

Proceed through the Setup wizard and when the Component Select page displays, make sure DomainPrep is listed as the installation action. Click Next and let the wizard complete the domain preparation process.

In addition to prepping the domain, you also need to make sure that Exchange 2000 can access the user objects that will be created in the auxiliary domain. You accomplish this by configuring a new Recipient Update Service on the Exchange 2000 Server.

Open the Exchange System Manager on the Exchange Server and expand the Recipients container. Right-click in the right pane and choose New, Recipient Update Service. In the resulting wizard, specify the auxiliary domain and a server running Exchange 2000 Server. When the wizard is finished, right-click the newly created Recipient Update Service and choose Action, Rebuild. Wait for the changes to propagate before moving on to the next step. You’ll know propagation is complete when the auxiliary domain contains the Exchange Domain Servers group.

If you are using an auxiliary forest, the preparations are a bit more complex. First, you need to create the forest and root domain. Then, establish a one-way trust relationship from the auxiliary domain to the primary forest domain. (The auxiliary domain trusts the primary forest domain, but not vice versa.) Use the fully qualified domain name (FQDN) of the primary forest domain when you establish the trust if you don’t have the necessary DNS forwarders or secondary zones in place to handle domain name resolution.

Remember the Microsoft Mobility Admins group you created earlier? It’s time to add that group from the primary forest domain to the Account Operators group in the auxiliary domain. You also need to make sure that the account that you will use to configure wireless users is a member of the Account Operators group in the auxiliary domain. MIS creates wireless accounts automatically when you configure accounts for wireless access, and, without this membership, automatic account creation will fail.

Next, you need to turn your attention to the domains in which MIS will be installed. Prior to running Setup to install MIS, you need to prep the domain for it. This includes creating the necessary security groups and system accounts to support MIS. Log on to your server with an account that is a member of the Domain Admins group for the domain in which you’re running DomainPrep, and a member of the local Administrators group on the computer where you will run DomainPrep. Open a command console and then open the MIS CD or the folder where you extracted the evaluation version. Run the following command:
Setup.exe /vDomainPrep=1

DomainPrep prompts you for passwords for the MIS system accounts, which include EVENTSOURCE, Message Processor, and HTTP Connectors. Remember to keep track of the passwords you assign to these accounts. Again, you need to add the Microsoft Mobility Admins group to the Account Operators group in all domains in which you will later install MIS.
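A check script for the auxiliary-domain steps above, added as an example that is not from the article or from MIS: it verifies the one-way trust direction from the auxiliary domain to the primary forest domain described earlier, and confirms that the Microsoft Mobility Admins group from the primary domain is a member of Account Operators in the auxiliary domain, without which automatic wireless account creation fails. The two domain names are placeholders; the script assumes PowerShell with System.DirectoryServices and LDAP read access to both domains.

```powershell
# Added verification for the auxiliary-domain preparation (example code, not from the article or MIS).
$auxDomain     = 'aux.example.com'      # placeholder: your auxiliary domain
$primaryDomain = 'corp.example.com'     # placeholder: your primary forest domain
$mmaName       = 'Microsoft Mobility Admins'

# 1. Trust direction as seen from the auxiliary domain. 'Outbound' means the auxiliary
#    domain trusts the other side, which is what the text calls for; 'Inbound' alone means
#    the trust was created in the wrong direction.
$ctx   = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext('Domain', $auxDomain)
$aux   = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
$trust = $aux.GetAllTrustRelationships() | Where-Object { $_.TargetName -eq $primaryDomain }
if (-not $trust) { "MISSING trust from $auxDomain to $primaryDomain" }
elseif ($trust.TrustDirection -eq 'Inbound') {
    "WRONG direction: $auxDomain is trusted by, but does not trust, $primaryDomain" }
else { "OK      $auxDomain trusts $primaryDomain ($($trust.TrustDirection), $($trust.TrustType))" }

# 2. A member from another domain in a built-in group such as Account Operators is stored as a
#    foreign security principal whose CN is the member's SID, so compare SIDs rather than names.
function Get-LdapDn([string]$domain) { 'DC=' + ($domain -replace '\.', ',DC=') }

$pRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$primaryDomain/$(Get-LdapDn $primaryDomain)")
$find  = New-Object System.DirectoryServices.DirectorySearcher(
    $pRoot, "(&(objectClass=group)(cn=$mmaName))", @('objectSid'))
$mma   = $find.FindOne()
if (-not $mma) { throw "Group '$mmaName' not found in $primaryDomain; run ForestPrep first." }
$mmaSid = (New-Object System.Security.Principal.SecurityIdentifier(
    $mma.Properties['objectsid'][0], 0)).Value

$acctOps = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$auxDomain/CN=Account Operators,CN=Builtin,$(Get-LdapDn $auxDomain)")
$memberSids = foreach ($dn in $acctOps.Properties['member']) {
    if ($dn -match '^CN=(S-1-5-[\d-]+),CN=ForeignSecurityPrincipals,') { $Matches[1] }
}
if ($memberSids -contains $mmaSid) {
    "OK      $mmaName ($mmaSid) is in Account Operators of $auxDomain" }
else {
    "MISSING $mmaName is not in Account Operators of $auxDomain; automatic account creation will fail" }
```

Run the same membership check against each domain in which you will later install MIS, since the text requires the MMA group in Account Operators there as well.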

Accommodate Exchange Server 5.5
If you are providing wireless access to Exchange 5.5 servers that reside on Windows NT domains, you need to take some additional steps. Domains that contain MIS servers need to trust the Windows NT domain(s), but the NT domains do not need to trust the MIS domains. This trust relationship allows MIS to pull data from the Exchange 5.5 servers for wireless users with accounts on those servers.

Another consideration for Exchange Server 5.5 is the service accounts the MIS servers will use to access the Exchange servers. The Exchange Server 5.5 Data Provider included with MIS uses an Exchange 5.5 account that has Service Account Administrator privileges to pull data for wireless users. This service account will need administrative access to all mailboxes for wireless users.

You will specify the Exchange Server 5.5 service account when you install MIS, and you can only specify one account. This isn’t a problem in situations where you have only one Exchange Server 5.5 site or where multiple sites share a single service account. If you currently have multiple sites with unique service accounts, create a new service account, configure it with Service Account Administrator privileges, and specify that account when you install MIS. This eliminates the need to install a separate MIS server for each Exchange Server 5.5 site (unless, of course, that’s your preferred deployment method).

The next step you need to take prior to installing MIS is to make sure the Active Directory in the MIS domain has a connection agreement with the Active Directory Connector (ADC) on the Exchange Server 5.5 server. The ADC and connection agreement enable the data in the Exchange Server 5.5 directory to be integrated into the Active Directory. To set up the connection agreement where the Exchange server resides in a different domain, you need to make sure that the MIS domain trusts the Exchange Server domain. The Exchange Server domain doesn’t need to trust the MIS domain.

Before installing the ADC, make sure the Exchange 5.5 servers are running at least Exchange Server 5.5 SP3. Also make sure you use the version of ADC included with Exchange 2000 Server (or later). You’ll need to update the schema in the MIS forest and install the ADC on a DC in the MIS domain. Then, create a new connection agreement to the Exchange Server 5.5 site. For more information about using the Active Directory Connector, see the Daily Drill Down “Understanding Exchange 2000's Active Directory Connector.”

Prepping the MIS servers
Before you can install MIS, you will need to set up a server with Windows 2000 Server with the latest service pack. You will also need to perform a few other server configuration steps before adding MIS.

First, add the Message Queuing service. In the installation wizard, set it up as a Message Queuing server (not a dependent client), do not enable routing, and do not choose the option that weakens permissions. You also might need to make some changes to the server’s IIS configuration. Make sure that, at a minimum, the IIS World Wide Web service and the SMTP service are installed.

If you’ll be using SSL to secure notifications to wireless devices or support secure browsing and synchronization, you need to obtain and install certificates on the MIS server. If your MIS server connects to a carrier’s server that will be using SSL, you need to make sure that the MIS server trusts the certification authority that issues the carrier’s SSL certificate. If you find it necessary to add the certificate to your MIS server’s trust list, log on using the MIS Message Processor account (a system account created by MIS) and add the carrier’s CA certificate to the certificate trust list for that account.

If you’ll be using SSL to secure synchronization and browsing, you need to obtain and install certificates on the MIS servers under IIS. You can issue your own certificates from a local CA to support browsing, but you will likely need to obtain a certificate from a public CA to support synchronization from Pocket PC 2002 devices, which support a predefined set of public CAs. Synchronization will fail if you install locally issued certificates.

If it sounds like there’s a lot of preparatory work involved in getting ready to install Mobile Information Server, that’s because there is. MIS affects almost every aspect of your network, so you have to make sure that Active Directory and Exchange are both ready to handle it. After you’ve laid the proper groundwork, then you can reach for the MIS CD and run Setup with confidence.