Find out how Microsoft Identity Integration Server 2003 can make it easier to administer user IDs and passwords on multiple directories.
In a large corporate environment, it can be tough to manage all of the various accounts that a user might have. For example, a user has an Active Directory-based account, but the user may also have additional accounts for things like Lotus Notes, Novell eDirectory, Sun One Directory, or even an account in a Windows NT-based domain. The problem with users having many different accounts in heterogeneous environments is that there is no consistency. Often users will have a separate password and an entirely separate identity for each account.
This is where Microsoft’s Identity Integration Server 2003 comes in. Microsoft Identity Integration Server (MIIS) allows administrators to automate the process of updating account information across heterogeneous environments. This reduces the administrative workload and consequently decreases cost while improving productivity.
There are actually two different versions of MIIS 2003—the Enterprise Edition and the Feature Pack version. There is no Standard version of this product.
Both versions of MIIS provide identity integration, directory synchronization, and password management. Likewise, both versions run on Windows Server 2003 Enterprise Edition and also require SQL Server 2000. Keep in mind that Windows Server 2003 Enterprise Edition is a requirement; the software will not run on Windows Server 2003 Standard Edition.
The MIIS Enterprise Edition offers a huge variety of directories for which it can manage identity and passwords. These directories include:
- Active Directory (AD)
- Active Directory Administration Mode (ADAM)
- Exchange Server (versions 5.5, 2000, and 2003)
- Windows NT domains
- Lotus Notes
- Novell eDirectory
- Sun ONE Directory
- SQL Server (versions 7.0 and 2000)
- Directory Services Markup Language (DSML)
- LDAP Interchange Format (LDIF)
In addition to these directories, the Enterprise Edition of MIIS can also synchronize identities across flat file formats such as comma, tab, and column delimited files.
As you can see, the Enterprise Edition supports a lot of popular directory formats. For example, if a corporation had a Windows network and a Novell NetWare network, an Administrator could use MIIS Enterprise Edition to synchronize a user’s password across both network operating systems.
The biggest downside to the Enterprise Edition is the price. Keep in mind that both versions require a Windows Server 2003 machine running SQL Server 2000. On top of this, the Enterprise Edition of MIIS will set you back $24,999 per processor. Therefore, if your server has four processors, plan on dropping a hundred grand on top of the cost of the Windows and SQL Server licenses and the cost of the actual hardware.
Okay, so the Enterprise Edition of MIIS isn’t cheap, but the Feature Pack Version isn’t cheap either; it’s free! So what’s the catch? First, you still have to have a Windows Server 2003 machine that’s running SQL Server 2000. The other catch is that the Feature Pack version will only synchronize identities among Microsoft products. Specifically, the Feature Pack version works with AD, ADAM, and Exchange Server versions 2000 and 2003.
The bad news about the Feature Pack version is that not all Microsoft directories are supported. If you need to synchronize identities across an Exchange 5.5 directory or a Windows NT domain, you must buy the Enterprise Edition.
For the purpose of this article, I'll be using the Feature Pack version. If you don’t already have a copy of the Feature Pack, you can download it from Microsoft's Windows Server 2003 Web site. The download is 7,266 KB.
For MIIS, the posted hardware requirements are a 500-MHz Pentium III with 512 MB of RAM and 20 MB of hard disk space. You’ll also need another 8 GB on the volume containing your SQL database. Keep in mind, though, that Microsoft is notorious for understating the hardware requirements.
While I believe that the disk space recommendations will be sufficient for most situations, expect MIIS to be painfully slow on a 500-MHz Pentium III. Likewise, MIIS will function on a server with 512 MB of RAM, but when it comes to memory, more is always better.
Setting up SQL Server
Earlier I explained that one of the requirements for deploying MIIS was SQL Server 2000. However, SQL Server 2000 doesn’t have to be licensed specifically for MIIS. You can use a previously licensed copy of SQL Server. Furthermore, MIIS doesn’t demand exclusive access to the SQL Server. This means that assuming that your server has sufficient hardware, SQL Server can service MIIS and any other applications that may require SQL Server.
In case you're wondering, SQL Server doesn’t even have to be installed on the same physical box as MIIS. MIIS can be pointed to any SQL Server in your organization so long as reliable connectivity between the two servers exists.
If you are short on hardware or need to save money on software licenses, you can install SQL Server on the same box as MIIS, but this isn’t advisable in larger organizations because of the demand that MIIS places on the server.
Wherever you choose to locate your SQL Server, it must be running either the Standard or Enterprise edition of SQL Server 2000 with Service Pack 3 or higher. The SQL Server 2000 Developer Edition may be used in development environments only.
Deploying the MIIS Feature Pack
After you download MIIS, double-click on the self-extracting, executable file and the installer will ask you where you’d like to save the Setup files. Enter the desired path and click Next. The installer will then take a moment to decompress all of its files and will launch the Setup program.
On the Identity Integration Feature Pack splash screen, click the Install Identity Integration Feature Pack link. Setup will quickly verify that your system is running Windows Server 2003 Enterprise Edition and will then launch the Identity Integration Feature Pack Setup Wizard.
Click Next to bypass the wizard’s Welcome screen, and you will see the Feature Pack’s end user license agreement. Accept the license agreement, click Next, and Setup will ask you whether you want to install the complete package or do a custom installation. Select the Custom option and click Next.
The next screen you'll see allows you to select which components you want to install. As you can see in Figure A, there really isn’t a lot to choose from.
|There aren’t many components that belong to the MIIS Feature Pack.|
The main components include the MIIS Server, the user interface, and the management agents. The management agents include agents for AD, ADAM, and AD Global Address List (GAL). For demonstration purposes, verify that all components are selected, verify the installation path, and click Next.
The next screen will ask you to select the SQL Server location and instance. In this particular case, I'll be using a default instance of SQL Server installed on the local machine, as shown in Figure B.
|Setup requires you to specify the location and instance of SQL Server.|
Once you've entered the SQL configuration information, Setup asks if you would prefer to store the databases in the Identity Integration Feature Pack folder or in the SQL Server folder. Select the SQL Server folder and click Next. You'll now be prompted for the username, password, and domain (or computer name) of the service account that you want MIIS to use. Enter these credentials and click Next.
At this point, you'll see a set of group names displayed: Administrator, Operator, Joiner, and Connector Browse. You can change these group names if you like, but I recommend accepting the defaults shown in Figure C and clicking Next.
|These are the group names used by MIIS.|
Upon clicking Next, Setup will inform you that it's ready to begin the installation process. If you need to review or change any of your settings, click the Back button. Otherwise, click Start.
Configuring the Identity Integration Service
When the installation process completes, you can launch the Identity Manager by selecting Identity Manager from the All Programs | Identity Integration Feature Pack menu. The Identity Manager is the administrative interface that you'll use to configure MIIS.
Before I show you how to configure MIIS, I want to go over some of the key components. The primary component of MIIS is the metadirectory, which is composed of the metaverse and the connector space. The metaverse consists of a group of SQL tables that contain integrated identity information from each connected data source. A connected data source is the directory containing the identities that you want to integrate into the metaverse.
The other component to the metadirectory is the connector space. The connector space is a temporary storage area that corresponds to a specific connected data source. Each connected data source has a connector space. Management agents (which I’ll discuss in a moment) use the connector space as a location for storing temporary files when moving data into or out of the corresponding connected data source.
A management agent is the mechanism that connects a connected data source to the metadirectory. A management agent’s job is to move data from the connected directory to the connector space. Once the data arrives in the connector space, the management agent must then determine if the data in the connector space is in synch with the data stored in the metaverse. Likewise, if data in the metaverse were to be modified, the data is placed in the connector space, and the management agent will move the data to the connected directory to keep the data synchronized with the data stored in the metaverse.
One last concept that you need to be familiar with is that of rules. Management agents use rules to determine how objects within the connector space should be synchronized. Rules can be used to determine how changes within the metaverse are moved to the connector space, what should happen after a metaverse object is deleted, and other things.
Creating a management agent
As you can see, management agents are the key to making the entire synchronization process work. Therefore, to get the ball rolling, you must begin by creating some management agents. To do so, click the Management Agents button toward the top of the Identity Manager. Next, select the Create command from the Actions pane on the right. This will prompt Windows to display the Create Management Agent dialog box, shown in Figure D.
|You must choose the type of management agent you want to create.|
You can choose from three types of management agents:
- Active Directory
- Active Directory Administration Mode
- Active Directory global address list (GAL)
For demonstration purposes, I'll choose Active Directory global address list (GAL).
After selecting the type of management agent you want to create, enter a name and description for the new management agent and click Next. When you do, you'll be asked to enter some logon credentials for the directory that the management agent will be attaching to. As you might expect, you're asked to enter a username, password, and domain. However, you're also asked to enter a forest name.
This screen is actually very misleading. In the forest name field, you must actually enter the FQDN of your top-level domain. You must then enter an administrative username and password, and then the FQDN of the domain that the account resides in.
On the following screen, you must select the directory partitions that you want to include. Basically, this refers to the domains you want to pull GAL information from. This screen also contains a Connection Settings section and a Credentials section, but you really don’t need to do anything with these sections because the default settings will work fine in most cases. You'll notice in Figure E that this dialog box does have a Containers button. You can click this button to pick specific Organizational Units (OUs) and AD containers for GAL information to be pulled from.
|You must select the domains that you want to include information from.|
The following screen has two main purposes. First, you must specify the destination container for any contacts that are synchronized to this forest. This is simply a matter of selecting a domain and a container.
Second, you must specify an SMTP mail suffix for users and contacts in the forest. An example of an SMTP mail suffix would be @brienposey.com. You can also choose to route mail sent to contacts in this forest through the source forest. Click Next to continue.
The next two screens you'll encounter involve selecting object types and object attributes. These are the objects and attributes that MIIS will attempt to synchronize across the directories. For example, you might synchronize the contact, container, OU, and user objects. Within the user object, you might synchronize attributes such as title and telephone number.
On the next screen, you'll have to select a filter type for each object type that you've chosen. Selecting a filter type isn't strictly required, because the default filter rules automatically apply to all of the objects. However, a rules extension can be useful if you'd like to prevent certain attributes from being synchronized.
After selecting objects to which you’d like to apply rule extensions, click Next and you'll see the Configure Join And Projection Rules dialog box. As you can see in Figure F, this screen is a little complicated.
|The Configure Join And Projection Rules page allows you to associate each object’s attributes with attributes contained in the metaverse.|
The basic premise is that you must match up Exchange attributes for each object with attributes existing within the metaverse. As you can see in the figure, you can use the New Join Rule, New Projection Rule, Edit, and Delete buttons to create, modify, and delete rules as necessary. The good news, though, is that MIIS contains a built-in set of rules for the GAL, and normally you won’t have to do anything on this screen except click Next.
The next screen you’ll see, shown in Figure G, is the Configure Attribute Flow screen. The idea behind this screen is that you must decide which direction synchronizations occur in.
|You must configure the synchronization flow direction for each attribute.|
For example, if an object is modified in the metaverse, you must decide whether or not you also want that object to be modified in its original directory. Likewise, if the directory object is modified, you have to decide if you want the change to be synchronized into the metaverse. Again, this is all set up for you ahead of time, but you really should take the time to review the settings and make sure that they're appropriate for your organization.
When you click Next, you'll see a screen that asks what you want to do with connector space objects when they're disconnected from the metaverse due to a provisioning rules extension, or when the metaverse object is deleted. Generally, I'd recommend either staging a delete for the object or making a determination with a rules extension.
Click Next, and you'll see the last configuration screen for creating a management agent. This screen simply asks you for the rule extension name. The filename is automatically filled in for you, but you can select a different file if you want. This screen also asks if you want to enable password management for the management agent. Make your selection and click Finish to create the management agent.
The management agent that you've created will now appear in the Management Agents pane. To run the management agent, simply right-click on it and select the Run command from the shortcut menu.
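To make the metaverse, connector space, and management agent relationship (and the filter, join, projection, and attribute flow rules the wizard walks through) concrete, here is an added Python model of one import synchronization pass. This is my illustration, not MIIS code or its rules-extension API; the sample objects, the mail-based join rule, and the "empty values never erase data" flow behaviour are constructed assumptions.

```python
from copy import deepcopy

# Constructed sample: objects a management agent has staged into the connector
# space from one connected data source (not real directory data).
CONNECTOR_SPACE = [
    {"dn": "CN=Ann,OU=Sales,DC=corp", "mail": "ann@example.com",
     "title": "Rep", "telephoneNumber": "555-0101"},
    {"dn": "CN=Bob,OU=IT,DC=corp", "mail": "bob@example.com",
     "title": "Admin", "telephoneNumber": "555-0102"},
    {"dn": "CN=svc,OU=Service,DC=corp", "mail": "", "title": "",
     "telephoneNumber": ""},
]
# Constructed sample: the metaverse already holds Ann from another source.
METAVERSE = {"mv-1": {"mail": "ann@example.com", "title": "Sales Rep",
                      "telephoneNumber": ""}}
# Import attribute flow (connected directory -> metaverse); attributes not
# listed here never flow.
IMPORT_FLOW = {"title": "title", "telephoneNumber": "telephoneNumber"}

def connector_filter(cs_obj):
    """Filter rule: no mail attribute (e.g. a service account) means the object
    stays out of the metaverse as a disconnector."""
    return not cs_obj["mail"]

def join_rule(cs_obj, metaverse):
    """Join rule: match on mail; returns the metaverse id or None."""
    for mv_id, mv_obj in metaverse.items():
        if mv_obj.get("mail") and mv_obj["mail"] == cs_obj["mail"]:
            return mv_id
    return None

def synchronize(connector_space, metaverse):
    """Full sync: filter, join or project, then apply import attribute flow.
    Returns (updated metaverse, {cs dn: mv id} links, disconnector dns)."""
    mv = deepcopy(metaverse)  # never mutate the caller's metaverse
    links, disconnectors = {}, []
    for cs_obj in connector_space:
        if connector_filter(cs_obj):
            disconnectors.append(cs_obj["dn"])
            continue
        mv_id = join_rule(cs_obj, mv)
        if mv_id is None:  # no existing identity: project a new one
            mv_id = f"mv-{len(mv) + 1}"
            mv[mv_id] = {"mail": cs_obj["mail"]}
        for cs_attr, mv_attr in IMPORT_FLOW.items():
            if cs_obj[cs_attr]:  # empty source values never erase existing data
                mv[mv_id][mv_attr] = cs_obj[cs_attr]
        links[cs_obj["dn"]] = mv_id
    return mv, links, disconnectors
```

Running `synchronize(CONNECTOR_SPACE, METAVERSE)` joins Ann to the existing metaverse object, projects Bob as a new one, and leaves the mail-less service account as a disconnector, which is the outcome you would inspect in the Joiner.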
Other available tools
Creating a management agent is by far the most involved part of working with MIIS in most cases. There are, however, a few more options that you should know about. At the top of the Identity Manager Console, there are five buttons: Operations, Management Agents, Metaverse Designer, Metaverse Search, and Joiner. I've already talked about the Management Agents option, but I want to take a moment and talk about the remaining four options.
The Operations section is designed to show you what’s going on. Whenever a management agent runs, you can view its status here, as shown in Figure H.
|The Operations section shows you what’s going on with the management agents.|
You might have noticed in Figure H that there were some unexpected attribute errors for four of my servers. This is where the Metaverse Designer comes in. The Metaverse Designer allows you to alter the metaverse’s schema. You can add objects and attributes to the schema to better accommodate connected directories.
Another section is the Metaverse Search. As the name implies, this option allows you to search the metaverse for a specific piece of information.
The final option is the Joiner. The Joiner is used to search for disconnector objects. Once such objects have been located, you can modify, join, or project the objects.