Provisioning with Microsoft Metadirectory Services. Paige Verwolf, Support Professional, Beta Support Team (Microsoft Support WebCast transcript and presenter's notes)

1
Provisioning with Microsoft Metadirectory Services
Paige Verwolf
Support Professional
Beta Support Team
Microsoft Corporation
2
Diversity Is Reality
  • Identity information today is fragmented
  • Average major corporation has many sources of
    identity
  • Consists mostly of adapted directories
  • No recognized master directory
  • Systems never designed to work together
  • Systems and data owned by different political
    units
  • No automation for the hire/fire scenario

3
Diversity Is Reality (2)
  • A lot of information redundancy
  • Leads to management complexity and inconsistent
    data
  • Frequently managed by hand, for example by Help
    Desks
  • Experienced even by medium-sized organizations
  • E-mail address book synchronization
  • Mixed Network Operating System (NOS) (Microsoft
    Windows/NetWare) environments

4
Typical Customer Environment
  • Network Devices
  • Telephone
  • Configuration
  • QoS policy
  • Security policy
  • Information about people, computers, and network
    entities resides in many different repositories
    and is proliferating

5
Microsoft Metadirectory Services
  • What is a Metadirectory?
  • A database application that stores and
    synchronizes identity data
  • Who needs a Metadirectory?
  • Companies that have a number of disparate
    directories and data sources within their
    organization
  • Companies wanting to reduce administration
    overhead for these data sources
  • Companies who want to automate the hire/fire
    operations that exist today

6
MMS Has Been Built to Enable
  • Object joins
  • Attribute brokering
  • Attribute data remapping
  • Inter-forest synchronization
  • Hire-fire/directory-enabled provisioning
  • and of course, to be a Metadirectory!

7
Building a Metadirectory
  • Management agents are written specifically for a
    connected directory
  • Metaverse and connector space objects are built
    using customizable templates
  • Join operations are used to link connector space
    and metaverse objects in the Metadirectory
  • Attribute flow rules are defined to manage data
    flow between directories
  • All aspects of the Metadirectory can be
    customized for unique IT environments

8
Management Agent Definition
  • Specialized entry in Metadirectory
  • Defines and controls the relationship between a
    CD and Metadirectory
  • Acts as a synchronization process controller
  • One management agent (MA) per CD
  • Contains
  • MA templates
  • Attribute flow rules
  • Inclusions and exclusions

[Diagram: the Metadirectory, with one management agent (MA) per connected directory (CD); each MA sits between its CD and the connector namespace, which in turn feeds the metaverse]
9
Files-Based Management Agent
10
Active Directory Service-Based Management Agent
[Diagram: the Active Directory MA linked to three connected directories]
11
Types of Metadirectory Designs
  • Classic Metadirectory
  • This type of Metadirectory design uses joins to
    permit a distributed administrative model
  • Metadirectory provisioning
  • This type of Metadirectory design has one
    authoritative directory which is used to create
    and manage objects
  • Combination of classic and provisioning
  • Many organizations will build a Metadirectory
    using a combination of both designs

12
Classic Metadirectory
  • Relies on the join operations to link many
    different directory objects to one metaverse
    object
  • After the join has occurred, attribute flow rules
    enable attribute brokering so different data
    sources can be authoritative for a certain set of
    attributes on a particular object
  • After the metaverse is updated, attribute updates
    can be sent out to connected directories based on
    export flow rules
  • All this can be done on a predefined schedule

13
Classic Metadirectory Example
[Diagram: one metaverse entry for Jim Smith in the Metadirectory, joined to connectors from Active Directory ("Jim Smith": SamAccountName, ObjectUID, TelephoneNumber), Exchange 5.5 ("J. Smith": Name, Email, Location) and the HR Database ("James Smith": Full Name, Title, Employee Job Classification)]
14
Join Services
[Diagram: MMS joins the User objects held by the ERP database, the e-mail directory and the HR database into one view of John Smith: Name John Smith, Email Alias jsmith, UID JSmith1234]
  • Microsoft Metadirectory Services (MMS) can join
    identity data to permit you to view and access an
    object holistically
  • MMS tracks objects as they change their positions
    in different directories to maintain the join
  • Join permits attribute brokering so different
    data sources can be authoritative for a certain
    set of attributes on a certain object

15
Provisioning with MMS
  • Streamlines the hiring process by creating
    objects in many different directories
  • Provides a method to permit inter-forest
    synchronization between Microsoft Active
    Directory forests
  • Can be used to create a common Global Address
    List (GAL) in Exchange 2000
  • Provides a clean-up mechanism to handle employee
    terminations
  • Reduces administrative overhead
  • Increases security by removing or disabling user
    accounts quickly after termination

16
Provisioning Scenario: Management Agents
  • Populator MA creates objects in the metaverse
  • Typically, this is an HR type MA
  • This can be more than one MA
  • Destination MA creates accounts in the connected
    directory
  • Typically, this is used with the ADMA or other
    MAs which will be responsible for creating
    objects in a specific connected directory
  • This can be more than one MA
  • TAMA creates connector objects in the Destination
    MA's connector space
  • Typically, only one TAMA management agent is
    needed


17
Provisioning Example
[Diagram: new objects enter the Metadirectory through a reflector-mode MA and are created in the metaverse namespace; TAMA executes and updates the connector spaces, then the management agents' runs update the connected directories]
18
TAMA Resources
  • Resources
  • Definition
  • A resource is an object in the Metadirectory that
    is associated with a particular management agent
  • Attributes associated with a resource indicate
    where in that particular management agent's
    connector namespace a connector entry is created
  • A resource also specifies the distinguished name
    of the connector
  • Types
  • Simple resources
  • Complex resources

19
Configuring a TAMA Resource
20
Account Profile
  • Account Profile
  • Definition
  • A profile is an object in the Metadirectory that
    contains one or more resources
  • There is a multivalued attribute, called
    zcTaAccountResourceDNs, for the profile entry
    that lists the distinguished names of all
    resources associated with that profile
  • An entry's account profile is the set of TAMA
    resources associated with that entry
  • Each metaverse entry can have one or more TAMA
    resources associated with it in a TAMA account
    profile

21
Configuring a TAMA Profile
[Screenshot: the Entry Administration form for a metaverse entry, with tabs for Account Profile, Operational, References, Virtual Nodes, Joined To, Mail, Microsoft Windows, Member of, Provisioning Agent, Replication Agreements, Tutorial, Connector Space Collectives and Connector Space Security. The Account Profile tab, titled "Creating a TAMA Account Profile", lists the resource res=HR_MA,DsaName=mdserver,ou=Applications,o=Focus Inc,c=US under HR_MA, with OK and Cancel buttons.]
Form text: The Together Administration Management Agent (TAMA) is a tool that automatically adds newly-created metaverse entries, either manually inserted or imported from a connected directory, to all the other connector spaces you specify. Use this form to drag and drop TAMA Resources to the Account Profile list to create a TAMA Account Profile. Select Account Resources: use a drag-and-drop operation, dragging resources into the list above, to create an Account Profile.
22
TAMA Management Agent
  • This is a special management agent designed to
    scan the metaverse to find new objects
  • TAMA will locate new metaverse objects and will
    create connector objects under the MA
  • Based on its scope of ownership, TAMA will take
    ownership of existing joined metaverse objects
  • TAMA will tag any object that it created or took
    ownership of as ManagedByProfile

23
Creating TAMA
24
TAMA Configuration
25
TAMA Rules
26
TAMA Process
27
Order of Operations for TAMA
  • TAMA control script is called.
  • TAMA control script calls Importt.exe with the
    together switch putting the MA in TAMA mode.
  • Importt scans the portion of the metaverse
    namespace it is responsible for, starting at the
    boundary node if specified, otherwise the whole
    metaverse will be scanned.
  • As Importt reads each metaverse entry, it looks
    for account profiles. The account profiles are
    specified on a node of the metaverse and contain
    one or more resources.
  • If a resource assignment exists in the TAMA rules
    script, it is applied to each entry.

28
Order of Operations for TAMA (2)
  • If an account profile exists, TAMA looks at each
    of the resources in turn and checks to see if a
    corresponding connector entry exists in the
    connector namespace of each management agent
    specified in each resource.
  • If the connector does not exist, TAMA uses the
    specified management agent's Construct New
    Connectors template to construct a new connector
    namespace entry and join it to the metaverse
    namespace entry. If the connector already
    exists and TAMA did not create it, TAMA will take
    ownership. In either scenario, the attribute
    msMMS-ManagedByProfile = TRUE is set on each
    connector space entry.
  • TAMA moves on to the next metaverse entry in its
    area and repeats steps 4 through 7.

29
Management Agent Templates
  • Templates used in a provisioning scenario
  • New connectors template
  • Used to construct the connector space objects
    when TAMA provisions the object under a
    particular MA
  • This template is located on the destination MA
  • CD accounts from connectors
  • Used to build the object export data used to send
    object additions to the connected directory
  • Output templates are used only with flat-file MAs
  • Output templates are used to format the data that
    will be placed in the created files
  • Inclusion/exclusion rules used when TAMA
    provisions objects that are configured on the
    destination MA

30
How to Bypass Resource Creation
  • When there are a large number of containers for
    which you must provision objects, a large number
    of resources must be created
  • This is true for both assigning resources to
    account profiles, and if TAMA rules are used to
    assign resources
  • A workaround is to create one resource at the
    top-level node and then use the New Connectors
    template on the destination MA
  • Conditional tests can then be used to build the
    connector object Distinguished Names

31
Attribute Flow Rules
  • Understanding attribute flow
  • Attribute flow is independent of the act of
    provisioning
  • Attribute flow rules are processed when TAMA is
    run, and also when the management agent is run
  • After a provisioned object has been created in
    the connected directory, attribute flow is needed
    to update both the connected directory and the
    metaverse attribute values
  • Attribute flow scripts available
  • Simple flow
  • Advanced flow
  • Disconnection flow
  • CD flow

32
TAMA Specific Attributes
  • msMMS-ManagedByProfile
  • Used to tag the connector object as owned by MMS
  • msMMS-DisconnectionTime
  • Time stamp is set when an object is disconnected
  • msMMS-OverrideManagedByProfile
  • Can be set on the connector object to override
    the ManagedByProfile attribute (SP1)
  • msMMS-TimeToLive
  • Time specified for how long the object will
    remain disconnected

33
De-Provisioning
  • De-provisioning does not exist as a function of
    TAMA. In other words, TAMA does not disconnect
    objects based on rules.
  • However, a fire scenario can be configured using
    attribute flow rules on the populator and the
    destination MAs.
  • This function is scheduled to be included with
    the MMS 3.0 product release.

34
Implementing a Fire Scenario
  • The trigger attribute can be set on the object by
    the populator MA to indicate the object was
    terminated
  • The trigger attribute can be evaluated by the
    destination MA and the Disconnect_specific()
    function can be applied to the metaverse object
  • The CD flow script can be used to flow an
    attribute value to the connected directory to
    disable the object
  • The msMMS-TimeToLive attribute can be used to
    disconnect the objects after a specified period
    of time
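The four steps of the fire scenario above, modelled as an added example (not MMS code and not the presenter's scripts): the populator MA has already written a trigger attribute into the metaverse, the destination MA run evaluates it, disconnects the connector, stamps msMMS-DisconnectionTime and msMMS-TimeToLive, and flows a disable value to the connected directory; a later run removes the disconnected object once its TimeToLive has elapsed. The `employeeStatus` trigger name, the sample entries and timestamps, and the reading of TimeToLive expiry as removal of the connector are assumptions of this example; the `userAccountControl` bit is the real Active Directory ACCOUNTDISABLE flag.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample data; names other than the msMMS-* attributes on the slides
# are assumptions of this example.

ACCOUNTDISABLE = 0x2   # Active Directory userAccountControl bit that disables an account

def destination_ma_run(metaverse: Dict[str, dict], connector_space: Dict[str, dict],
                       connected_directory: Dict[str, dict], now: datetime,
                       ttl: timedelta) -> List[str]:
    """Model of the destination MA's run for the fire scenario: evaluate the trigger
    attribute the populator (HR) MA wrote into the metaverse, disconnect the matching
    connector (the Disconnect_specific() step), stamp the TAMA attributes, and flow a
    disable value to the connected directory instead of deleting the account."""
    disconnected = []
    for cs_dn, conn in connector_space.items():
        if conn.get("disconnected"):
            continue                                   # already handled on an earlier run
        mv_entry = metaverse[conn["joinedTo"]]
        if mv_entry.get("employeeStatus") != "terminated":   # trigger attribute (assumed name)
            continue
        conn["disconnected"] = True                    # Disconnect_specific(): break the join
        conn["msMMS-DisconnectionTime"] = now
        conn["msMMS-TimeToLive"] = ttl
        # CD flow script: disable rather than delete, so the account can be recovered
        connected_directory[cs_dn]["userAccountControl"] |= ACCOUNTDISABLE
        disconnected.append(cs_dn)
    return disconnected

def expire_disconnectors(connector_space: Dict[str, dict], now: datetime) -> List[str]:
    """Once msMMS-TimeToLive has elapsed, drop the disconnected connector objects.
    Treating expiry as removal of the connector is an assumption of this model."""
    expired = [dn for dn, c in connector_space.items()
               if c.get("disconnected")
               and now >= c["msMMS-DisconnectionTime"] + c["msMMS-TimeToLive"]]
    for dn in expired:
        del connector_space[dn]
    return expired

def is_disabled(cd_entry: dict) -> bool:
    return bool(cd_entry["userAccountControl"] & ACCOUNTDISABLE)

def run_sample() -> dict:
    t0 = datetime(2002, 1, 7, 2, 0)     # constructed timestamp of the nightly MA run
    ttl = timedelta(days=30)
    metaverse = {
        "cn=Jim Smith,ou=People,o=Focus Inc": {"cn": "Jim Smith", "employeeStatus": "active"},
        "cn=Ann Lee,ou=People,o=Focus Inc": {"cn": "Ann Lee", "employeeStatus": "terminated"},
    }
    connector_space = {
        "cn=Jim Smith,ou=Employees,dc=focus,dc=com": {"joinedTo": "cn=Jim Smith,ou=People,o=Focus Inc"},
        "cn=Ann Lee,ou=Employees,dc=focus,dc=com": {"joinedTo": "cn=Ann Lee,ou=People,o=Focus Inc"},
    }
    # 0x200 is NORMAL_ACCOUNT: both accounts start out enabled
    connected_directory = {dn: {"userAccountControl": 0x200} for dn in connector_space}
    first = destination_ma_run(metaverse, connector_space, connected_directory, t0, ttl)
    repeat = destination_ma_run(metaverse, connector_space, connected_directory,
                                t0 + timedelta(days=1), ttl)
    early = expire_disconnectors(connector_space, t0 + timedelta(days=29))
    late = expire_disconnectors(connector_space, t0 + ttl)
    return {"first": first, "repeat": repeat, "early": early, "late": late,
            "connector_space": connector_space, "connected_directory": connected_directory}

if __name__ == "__main__":
    result = run_sample()
    print("disconnected:", result["first"])
    print("expired after TTL:", result["late"])
```

Only the terminated entry is disconnected and disabled; a repeat run does nothing, the connector survives an expiry check before the TimeToLive has passed, and is removed once it has.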

35
Inter-Forest Scenarios: ADMA
  • The ADMA can be used to create user or contact
    objects in the Active Directory
  • Unified Global Address List for Exchange 2000 by
    creating contacts for each user object in the
    other forest
  • ADMA configuration permits certain object
    creation settings for contact and user objects
  • User objects can be created Enabled or Disabled
  • Exchange-specific attributes can be used to
    create mailboxes in Exchange-enabled Active
    Directories

36
MMS 2.x Limitations
  • Limitations related to provisioned objects
  • Renaming of an entry in the connector space or in
    the connected directory when the metaverse entry
    is changed
  • Moving or renaming of objects in a connected
    directory such as Active Directory
  • Synchronizing user passwords between connected
    directories
  • Database store file size limited to 2 Gigabytes
  • Synchronization of schema objects for Active
    Directory inter-forest scenarios

37
Best Practices: Provisioning Scenario
  • Design a simple and flat metaverse if possible.
  • Understand the data available in all applicable
    directories, and map ownership of attributes.
  • We recommend not synchronizing group membership
    between directories such as Active Directory
    forests.
  • During the testing phase, stage MA runs to make
    sure the rules are being carried out correctly.

38
Best Practices (2): Provisioning Scenario
  • Use a three-stage implementation model
  • Development: Use this environment to test
    templates and rules with a small subset of
    production data.
  • Test: Use this environment to run through a full
    set of the production data.
  • Production: Implement after all testing is
    complete.
  • Typically, we suggest running management agents
    in delta mode and then running a full mode once a
    week to make sure data convergence occurs.

39
Best Practices (3): Provisioning Scenario
  • In the MA control script, use Zscript to define
    the MA configuration and operational settings for
    both delta and full MA runs.
  • Use the MMS Compaction Utility to compact the
    database periodically.
  • Back up the database regularly and before running
    a compaction on the database.
  • Schedule MAs to run sequentially using an
    external script or batch file. Running MAs at the
    same time is not recommended nor supported in
    this version.

40
Troubleshooting Provisioning Scenario
  • Apply the "Follow the Data" methodology to
    isolate issues
  • Look for error messages generated in the MA and
    TAMA operator logs
  • Increase the logging levels on the MAs
  • Query the Microsoft Knowledge Base for known
    issues
  • Consider specific connected directory
    requirements when provisioning objects

41
  • Thank you for joining us for today's Microsoft
    Support WebCast.
  • For information about all upcoming Support
    WebCasts and access to the archived content
    (streaming media files, PowerPoint slides, and
    transcripts), please visit
    http://support.microsoft.com/webcasts/
  • We sincerely appreciate your feedback. Please
    send any comments or suggestions regarding the
    Support WebCasts to supweb@microsoft.com.