Extending the value of the directory

1
Extending the value of the directory

• Mark Cribben
• Consultant

2
Agenda

• Extending the schema
• ADAM
• IIFP / GALSync

3
Extending the schema

• Why modify the schema?
• Rules for schema modification
• Process for schema changes
• What if it goes wrong?

4
Why modify the schema?

• New AD aware, commercial applications
• Usually have their schema changes integrated into
  the setup programme
• Should have followed the AD schema rules
• In house applications that are AD aware
• Additional attributes to help business or IT

5
Rules for schema modification

• Documenting the existing schema
• You can use the schemadoc program available from
  herehttp//msdn.microsoft.com/library/default.as
  p?url/library/en-us/dnactdir/html/schemadoc.asp
• Valid OIDs.
• Importance cannot be stressed enough.
• http//msdn.microsoft.com/library/default.asp?url
  /library/en-us/ad/ad/obtaining_an_object_identifie
  r.asp
• Who can perform the modification?
• Where the modification can be performed

6
Demo

• Viewing the Schema

7
Process for schema changes

• Identify the Schema FSMO
• Identify the administrator to perform the
  operation
• Test!!
• Take Schema FSMO offline plus one other DC that
  is a direct replication partner
• Verify successful application of changes
• Re-introduce the Schema FSMO

8
What if it goes wrong?

• Remember Schema changes cannot be rolled back
  via authoritative restore!
• During change
• Is Schema FSMO still offline?
• If not, why not?!
• Remove permanently from forest
• Seize FSMO role to another functioning DC
• Post change
• What do you need to change?
• Defunct schema classes / attributes?

9
Current field experiences

• Most customers have had a trouble free upgrade
  experience specifically in going from Windows
  2000 to Windows Server 2003 (adprep /forestprep)
• Most common situation is the mangled attribute
  problemhttp//support.microsoft.com/default.aspx?
  scidkben-us314649
• Some reports of third party applications that
  have caused schema conflicts.
• No real workaround. Contact application vendor
  and get them to fix the problem.
• Changes to Adprep in Windows Server 2003 Sp1

10
ADAM

• ADAM background
• ADAM in the field

11
ADAM Background

• Same programming model as Active Directory
• Supports ADSI, LDIF files, LDAP APIs,
  System.DirectoryServices
• Replication Administration model similar to AD
• Same store as AD - DIT file and Log file layout
  is same
• Differences from NOS AD
• No locator via DNS SRV records instead uses
  Service Connection Points
• No MAPI protocol support
• Does not integrate with LSASS

12
ADAM Architecture
Active Directory in Application Mode
Infrastructure Active Directory
LSASS
ADAM
LDAP
LDAP
MAPI
REPL
KDC
Lanman
REPL
DSA
DSA
SAM
dependencies
(traditional AD minus infrastructure mgmt)
DNS
FRS

• Same code base as Active Directory in Windows
  2003
• Familiar tool set and capabilities

13
ADAM in the field

• Core uses of ADAM so far
• Developers needing an LDAP directory
• Supplementary LDAP directory for internal
  employee information
• Application directory
• Internet / Intranet application directory service

14
Example use of ADAM

• Financial Services organisation
• Using ADAM to supplement online banking
  authentication
• Authentication performed by third party product
• Uses ADAM as the repository for customer
  authentication data and account information
• Currently hosting approximately 3 million user
  objects

15
Example use of ADAM

• Migrated from Site Server
• ADAM is used to store the user account
  information and authentication criteria
• Schema extended to support third party
  authentication server
• Stores information about the online accessible
  accounts the customer has and how to retrieve the
  necessary info for the customer
• Essentially one active ADAM instance although
  there are 3 instances in the configuration set
• Auditing was critical to this scenario and they
  are using the R2 version of mgmt tools to provide
  explicit ACLs on objects in ADAM

16
IIFP / GALSync

• IIFP refresher
• Common scenarios
• GALsync
• Examples from the field

17
IIFP Background

• The free version of MIIS
• Available as a download from microsoft.comhttp//
  www.microsoft.com/downloads/details.aspx?FamilyID
  d9143610-c04d-41c4-b7ea-6f56819769d5DisplayLange
  n
• Requires Windows Sever 2003 Enterprise Edition,
  SQL Server 2000 sp3
• Provides synchronisation between AD, ADAM and
  Exchange
• No external or third party products

18
Common Scenarios

• Autonomy and Isolation Requirements
• Mergers Acquisitions
• Divestitures
• Grass Roots Deployments
• Test/Pilot Environment

19
Autonomy and Isolation

• Service Isolation
• Critical AD-enabled app must have high
  availability.
• Compromise of one DC must not affect entire
  forest
• Service Autonomy
• Org specific apps require schema extension
• Data Isolation
• Legal requirements of Financial institutions or
  Defense contractors to limit access to data
• See Delegation of Administration in AD
• http//www.microsoft.com/technet/prodtechnol/ad/wi
  ndows2000/plan/addeladm.asp

20
Mergers and Acquisitions

• After a merger or acquisition an organization may
  be in a multiple forest environment for some time.

Fabrikam, Inc.
Contoso, Ltd.
corp.contoso.com
corp.fabrikam.com
na.corp.contoso.com
ap.contoso.corp.com
mf.corp.fabrikam.com
rd.corp.fabrikam.com
jpn.ap.contoso.corp.com
21
Mergers

• Look at the current landscape of mergers
• Financial Services LloydsTSB, HBoS, RBS
• Retail Morrisons, ASDA
• IT HP/Compaq, Microsoft, IBM, Quest
• Services PWC
• Increasingly these organisations now have their
  own AD forests and messaging infrastructures
• How do we get the value of the merged
  organisations in the shortest time?

22
Divestitures

• Before - IT group may create a separate forest
  with its own messaging infrastructure
• After the spin off - The IT group will manage a
  multi-forest Windows network for some time.
• We have seen some decidedly unsupported methods
  to handle divestitures!

23
Grass Roots Deployments

• Business unit deploys forest w/out central IT
  sanction.
• The central IT may
• Merge existing forest into central IT forest
• Implement a multi-forest deployment
• However, organization has multiple forests for
  some time.
• Also known as skunkworks projects! More common
  than you would anticipate.

24
Test/Pilot Forest

• Forest with limited number of users and resources
  
• Used to test deployment of new operations,
  procedures and applications before introducing
  them into the main production forest

25
Multiple Forests and Increased TCO?

• Headcount to train, design, deploy and operate
  each forest
• Configuration to enable key cross-forest
  functionality
• Multiple Forest Considerations
• http//www.microsoft.com/technet/treeview/default.
  asp?url/technet/prodtechnol/windowsserver2003/pla
  n/mtfstwp.asp

26
Exchange across forests

• GALsync has assumed a significant role in helping
  organisations that are either merging, acquiring
  or are operating in a federated / franchised
  model.
• This key scenario has been deployed by a number
  of customers in the UK.

27
Resource Forest Model
Forest 1 No Exchange
Forest 3 Exchange
Forest 2 No Exchange
A single Exchange Org is deployed in a single AD
Forest
28
Multiple Forests Model
Forest 1 Exchange
Forest 3 Exchange
Forest 2 Exchange
Exchange is in each forest
29
Cross-forest Collaboration

• Exchange and the Global Address List
• Multiple Forest Model
• Synchronize Address Book using MIIS
• Resource Forest Model
• If address book info is updated in Account Forest
  then sync it to Exchange forest using MIIS
• If address book info is updated in Exchange
  Forest - no additional sync is required

30
GAL Sync The Solution
MIIS Server
Forest 3 Exchange
Forest 1 Exchange
Outlook Client
Exchange Server/GC
Exchange Server/GC
Outlook Client
MIIS will get object information for every user
in a forest,
Users, contacts and groups in source forest will
become contacts in target forest
Exchange will populate Address List (s) with the
contacts
31
GAL Sync The Solution
Forest 1 Exchange
Forest 3 Exchange
Outlook Client
Exchange Server/GC
Exchange Server/GC
Outlook Client
User in forest 1 wants to send mail to user in
forest 3
User in forest 1 looks up user in forest 3 in the
address book.
User sees a contact in forest 1 representing the
user in forest 3
Mail sent to the contact is routed to the mailbox
of the user in forest 3
32
GAL Sync The Solution

• GAL Sync ADMA is a preconfigured Active Directory
  Management Agent released with MIIS 2003
• Uses the LDAP DIRSYNC control
• Handles rename and moves of objects
• Detects and uses AD forest schema
• Available on the MIIS feature pack (free) and
  MIIS Enterprise versions
• Documentation
• Step by step scenario document
• Users Guide

33
Synchronization Logic Reference

• Users are synced as contacts
• Mail Enabled Distribution and Security Groups are
  synced as contacts
• Group membership is not synced
• Authoritative Contacts are synced per OU as
  contacts
• Authoritative Contacts may be routed through the
  source forest
• Data is synced in the target forest into a single
  MIIS Sync OU

34
GAL Sync Deployment

• Step1 Gathering data
• Determine Source and Target forest information
• Step2 Setup GAL Sync ADMA
• Setup one GAL Sync AD Management Agent per
  Exchange forest with source and target forest
  information
• Step3 Verify configuration
• Type of objects, rules, run profiles
• Step 4 Run Sync

35
Free Busy Synchronization

• User in one forest may need to look up free-busy
  data for user in another forest
• Free-Busy Info is stored on the exchange servers
  (not in AD)
• Solution - PF Replication Utility
• KB Q238573 Installing, Configuring, and Using
  the InterOrg Replication Utility
• GAL Sync needed for F/B data to be linked to mail
  recipients cross forest

36
Additional considerations

• Name resolution between forests
• Firewalls and NAT?
• Sizing
• Scheduling
• Number of domains in source forest

37
Customer scenario

• Company operating a global brand image but each
  country was a franchise
• Each had their own AD forest
• Most countries had also designed their AD as a
  global AD infrastructure so had placeholder
  domain!
• NAT between country boundaries even though the
  Wan was managed by another arm of the global
  organisation
• The initial problem was addressing email between
  executives across the company
• Perception from senior management was that the
  company was disjointed and segregated

38
Customer scenario (2)

• Preparation work
• Identify countries involved in the project
• Set up the team to do the work
• Get information from each of the country units
  about their AD design
• Identify required accounts
• Define how address lists were to be published
• Initially instigated a manual process to at least
  get the ball rolling and show progress

39
Customer scenario (3)

• Design approach
• Establish DNS resolution
• Pre Sp1 so had to ensure that a number of
  firewall ports were open including rpc! This did
  not go down well and is fixed in Sp1.
• Registered NAT address on the target DC allowing
  it to auto register in DNS (Could have also got
  around this by configuring the MA with the target
  IP address)
• Configured an account in each forest which was
  managed by the hosting forest admins
• Granted AD permissions
• Create a target OU in each forest for the
  incoming contacts

40
Customer scenario (4)

• Design approach (continued)
• Create run profiles
• Test initially between 2 companies
• Roll out across the rest of the estate
• Problems
• Firewall rules
• Admin cooperation especially when it came to
  configuring an admin level account for the
  synchronisation
• Aligning AD infrastructures as some companies had
  scattered admin accounts throughout their domain!
• The WAN team were a pain to work with. Generally
  they time slotted each company and allocated one
  day per month for WAN config
• Troubleshooting was problematic due to the
  distributed nature of the various networking
  owners

41
Beyond GALsync

• IIFP will support AD to AD as well as AD to ADAM
  sync
• The customer scenario just discussed has a next
  step of integrating printing between the two
  forests
• Use IIFP to synchronise sites, subnets and
  printers
• Allow the use of printer location tracking
• Meets the requirement of making it easy for
  roaming users to print in other offices
• What other objects could be synchronised between
  forests?

42
Welcome to this TechNet Event

• FREE bi-weekly technical newsletter
• FREE regular technical events hosted across the
  UK
• FREE weekly UK US led technical webcasts
• FREE comprehensive technical web site
• Monthly CD / DVD subscription with the latest
  technical tools resources
• FREE quarterly technical magazine

We would like to bring your attention to the key
elements of the TechNet programme the central
information and community resource for IT
professionals in the UK
To subscribe to the newsletter or just to find
out more, please visit www.microsoft.com/uk/techne
t or speak to a Microsoft representative during
the break
43

• http//www.microsoft.com/uk/technet