Synchronizing Directory Information with Microsoft Identity Integration Services (MIIS) 2003


In most enterprises today, each individual application or system has its own user database or directory to track who is permitted to use that resource. Identity and access control data reside in many different directories and applications: specialized network resource directories, mail servers, human resources, voice mail, payroll, and many others.

Each has its own definition of the user's "identity" (name, title, ID numbers, roles, membership in groups). Many have their own password and process for authenticating users. Each has its own tool for managing user accounts, and sometimes its own dedicated administrator responsible for this task. Further, most enterprises have multiple processes for requesting resources and for granting and changing access rights. Some of these are automated, but many are paper-based. Many differ from business unit to business unit, even when performing the same function.

Administration of these multiple repositories often leads to time-consuming and redundant effort in administration and provisioning. It also causes frustration for users, who must remember multiple IDs and passwords for different applications and systems. The larger the organization, the greater the potential variety of these repositories and the effort required to keep them updated.

In the past, Microsoft has provided a number of tools and services to provide coexistence with other directories and to migrate users to Active Directory. For Novell NetWare and eDirectory environments, these tools include Services For NetWare (SFNW), Gateway Services For NetWare (GSNW), and the broader support provided by Microsoft Metadirectory Services 3.0. Microsoft's latest metadirectory solution to provide coexistence and migration support is Microsoft Identity Integration Server (MIIS) 2003.

Understanding MIIS 2003

MIIS is a system that manages and coordinates identity information from multiple data sources in an organization, enabling you to combine that information into a single logical view that represents all of the identity information for a given user or resource.

MIIS enables a company to synchronize identity information across a wide variety of heterogeneous directory and non-directory identity stores. This enables customers to automate the process of updating identity information across heterogeneous platforms while maintaining the integrity and ownership of that data across the enterprise.

Password management capabilities enable end-users or helpdesk staff to easily reset passwords across multiple systems from one easy-to-use Web interface. End-users and helpdesk staff no longer have to use multiple tools to change their passwords across multiple systems.

NOTE

There are actually two versions of MIIS. The first version, known as the Identity Integration Feature Pack for Microsoft Windows Server, is free to anyone licensed for Windows Server 2003 Enterprise Edition. It provides functionality to integrate identity information between multiple Active Directory forests or between Active Directory and Active Directory Application Mode (ADAM).

The second version requires a separate licensing scheme and also requires SQL Server 2000 Enterprise for the back-end database. This version is known as Microsoft Identity Integration Server 2003, Enterprise Edition. It provides classic metadirectory functionality that enables administrators to synchronize and provision identity information across a wide variety of stores and systems.


Understanding MIIS 2003 Concepts

It is important to understand some key terms used with MIIS 2003 before looking at how it can be used to integrate various directories. Keep in mind that the following terms describe MIIS 2003 concepts, but they might also give you a broader understanding of how metadirectories function in general:

  • Management Agent (MA): An MIIS 2003 management agent is a tool used to communicate with a specific type of directory. For example, an Active Directory management agent enables MIIS 2003 to import or export data and perform tasks within Active Directory.

  • Connected Directory (CD): A connected directory is a directory that MIIS 2003 communicates with using a configured MA. An example of a connected directory is a Microsoft Exchange 5.5 directory database.

  • Connector Namespace (CS): The connector namespace is the replicated information and container hierarchy extracted from, or destined for, the respective connected directory.

  • Metaverse Namespace (MV): The metaverse namespace is the authoritative directory data created from the information gathered from each of the respective connector namespaces.

  • Metadirectory: Within MIIS 2003, the metadirectory is made up of all the connector namespaces plus the authoritative metaverse namespace.

  • Attributes: Attributes are the fields of information that are exported from or imported to directory entries. Common directory entry attributes include name, alias, email address, phone number, and employee ID.

MIIS 2003 can be used for many tasks but is most commonly used for managing directory entry identity information. The intention here is to manage user accounts by synchronizing attributes, such as login ID, first name, last name, telephone number, title, and department. For example, if a user named Jane Doe is promoted and her title is changed from manager to vice president, the title change could first be entered in the HR or Payroll databases; then, through MIIS 2003 management agents, the change could be replicated to other directories within the organization. This ensures that when someone looks up the title attribute for Jane Doe, it is the same in all the directories synchronized with MIIS 2003. This is a common and basic use of MIIS 2003 referred to as identity management. Other common uses of MIIS 2003 include account provisioning and group management.

NOTE

MIIS 2003 is a versatile and powerful directory synchronization tool that can be used to simplify and automate some directory management tasks. Because of the nature of MIIS 2003, it can also be a very dangerous tool: management agents can have full access to the connected directories. Misconfiguration of MIIS 2003 management agents could result in data loss, so careful planning and extensive lab testing should be performed before MIIS 2003 is released to the production directories of any organization. In many cases, it might be prudent to engage Microsoft Consulting Services or certified Microsoft solution provider partners to help an organization decide whether MIIS 2003 is right for its environment, or even to design and facilitate the implementation.


Exploring MIIS 2003 Account Provisioning

MIIS enables administrators to easily provision and de-provision user accounts and related identity information, such as distribution, email, and security group memberships, across systems and platforms. Administrators can quickly create new accounts for employees based on events or changes in authoritative stores such as the human resources system. Additionally, as employees leave a company, they can be immediately de-provisioned from those same systems.

Account provisioning in MIIS 2003 enables advanced configurations of directory management agents, together with special provisioning agents, to automate account creation and deletion in several directories. For example, if a new user account is created in Active Directory, the Active Directory MA could tag this account. Then, when the respective MAs are run for the other connected directories, a new user account could be generated automatically in each of them.

One enhancement of MIIS 2003 over MMS is that password synchronization is now supported for specific directories that manage passwords within the directory. MIIS 2003 provides an application programming interface (API) accessed through the Windows Management Interface (WMI). For connected directories that manage passwords in the directory's store, password management is activated when you configure the management agent in Management Agent Designer. In addition to enabling password management for each management agent, Management Agent Designer returns a system name attribute using the WMI interface for each connector space object.

Outlining the Role of Management Agents (MAs) in MIIS 2003

A management agent links a specific connected data source to the metadirectory. The management agent is responsible for moving data between the connected data source and the metadirectory. When data in the metadirectory is modified, the management agent can also export the data to the connected data source to keep the connected data source synchronized with the metadirectory. Generally, there is at least one management agent for each connected directory. MIIS 2003, Enterprise Edition, includes management agents for the following identity repositories:

  • Active Directory

  • Active Directory Application Mode (ADAM)

  • Attribute-value pair text files

  • Comma-separated value files

  • Delimited text files

  • Directory Services Markup Language (DSML) 2.0

  • Exchange 5.5

  • Exchange 2000 and Exchange Server 2003 Global Address List (GAL) synchronization

  • Fixed-width text files

  • LDAP Directory Interchange Format (LDIF)

  • Lotus Notes/Domino 4.6/5.0

  • Novell NDS, eDirectory, DirXML

  • Sun/iPlanet/Netscape directory 4.x/5.x (with "changelog" support)

  • Microsoft SQL Server 2000, SQL Server 7.0

  • Microsoft Windows NT4 Domains

  • Oracle 8i/9i

  • Informix, dBase, ODBC and OLE DB support via SQL Server Data Transformation Services

Management agents contain rules that govern how an object's attributes are mapped, how connected directory objects are found in the metaverse, and when connected directory objects should be created or deleted.

These agents are used to configure how MIIS 2003 will communicate and interact with the connected directories when the agent is run. When a management agent is first created, all of its configuration can be performed at that time. The elements that can be configured include which types of directory objects will be replicated to the connector namespace, which attributes will be replicated, directory entry join and projection rules, attribute flow rules between the connector namespace and the metaverse namespace, and more. If a setting is not yet known when the MA is created, it can be revisited and modified later.
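To make the join, projection, attribute flow, and export steps concrete, the following is an added example that models them in Python for the Jane Doe scenario described earlier. It is constructed for this page and is not MIIS code or its API: HR and Active Directory are the connected directories, each with its own management agent and connector space, HR is assumed to be the authoritative source for title and department, and the export back to Active Directory is previewed as a dry run before it is committed. The directory contents, attribute names, and precedence policy are all constructed assumptions.

```python
"""Constructed model of MIIS-style metadirectory synchronization (illustrative only,
not MIIS code): two connected directories, one management agent each, a shared
metaverse, attribute flow by precedence, and a previewed export."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed sample data for two connected directories (CDs), keyed by their anchor.
HR_DB = {"1001": {"emp_id": "1001", "job_title": "Vice President", "dept": "Sales"}}
AD_DS = {"jdoe": {"sAMAccountName": "jdoe", "employeeID": "1001", "title": "Manager",
                  "department": "Sales", "displayName": "Jane Doe"}}

# Assumed attribute flow precedence: the first MA listed is authoritative for that
# metaverse attribute; a lower-ranked MA may only set a value no higher-ranked MA has set.
PRECEDENCE = {"title": ["HR", "AD"], "department": ["HR", "AD"], "displayName": ["AD"]}


@dataclass
class Metaverse:
    objects: Dict[str, dict] = field(default_factory=dict)                 # employeeID -> attrs
    contributor: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (id, attr) -> MA name


class ManagementAgent:
    def __init__(self, name: str, directory: dict, join_attr: str, attr_map: Dict[str, str]):
        self.name = name
        self.directory = directory      # the connected directory this MA talks to
        self.join_attr = join_attr      # CD attribute holding the employee ID (join rule key)
        self.attr_map = attr_map        # CD attribute -> metaverse attribute
        self.connector_space: Dict[str, dict] = {}  # CS: staged copy of imported CD objects

    def import_stage(self) -> None:
        """Import: copy the CD's objects into the connector space; the MV is untouched."""
        self.connector_space = {k: dict(v) for k, v in self.directory.items()}

    def synchronize(self, mv: Metaverse) -> None:
        """Join each CS object to an MV object by employee ID (or project a new one),
        then flow attributes inbound, honouring PRECEDENCE."""
        for cs_obj in self.connector_space.values():
            emp_id = cs_obj[self.join_attr]
            mv_obj = mv.objects.setdefault(emp_id, {"employeeID": emp_id})  # join or project
            for cd_attr, mv_attr in self.attr_map.items():
                if cd_attr not in cs_obj:
                    continue
                order = PRECEDENCE.get(mv_attr, [self.name])
                if self.name not in order:
                    continue                      # this MA never flows this attribute
                current = mv.contributor.get((emp_id, mv_attr))
                current_rank = order.index(current) if current in order else len(order)
                if order.index(self.name) <= current_rank:
                    mv_obj[mv_attr] = cs_obj[cd_attr]
                    mv.contributor[(emp_id, mv_attr)] = self.name

    def pending_exports(self, mv: Metaverse) -> List[Tuple[str, str, object, object]]:
        """Outbound flow: diff MV values against the CS; nothing is written here."""
        changes = []
        for anchor, cs_obj in self.connector_space.items():
            mv_obj = mv.objects.get(cs_obj[self.join_attr], {})
            for cd_attr, mv_attr in self.attr_map.items():
                new = mv_obj.get(mv_attr)
                if new is not None and cs_obj.get(cd_attr) != new:
                    changes.append((anchor, cd_attr, cs_obj.get(cd_attr), new))
        return changes

    def export(self, mv: Metaverse, commit: bool = False):
        """Export: with commit=False this is a dry run, the review step before the MA
        is allowed to write into a production directory."""
        changes = self.pending_exports(mv)
        if commit:
            for anchor, cd_attr, _old, new in changes:
                self.directory[anchor][cd_attr] = new
                self.connector_space[anchor][cd_attr] = new
        return changes


def run_demo() -> dict:
    """Jane Doe's promotion is entered in HR while AD still says Manager: import both,
    synchronize, then preview and apply the AD export."""
    mv = Metaverse()
    hr = ManagementAgent("HR", {k: dict(v) for k, v in HR_DB.items()}, "emp_id",
                         {"job_title": "title", "dept": "department"})
    ad = ManagementAgent("AD", {k: dict(v) for k, v in AD_DS.items()}, "employeeID",
                         {"title": "title", "department": "department", "displayName": "displayName"})
    for ma in (ad, hr):        # AD imports first, yet HR wins on title by precedence
        ma.import_stage()
        ma.synchronize(mv)
    preview = ad.export(mv)                 # dry run: nothing written yet
    applied = ad.export(mv, commit=True)    # same change set, now written to AD
    return {"mv": mv, "preview": preview, "applied": applied,
            "ad_directory": ad.directory, "hr_pending": hr.pending_exports(mv)}


if __name__ == "__main__":
    result = run_demo()
    print("pending AD changes:", result["preview"])
    print("AD title now:", result["ad_directory"]["jdoe"]["title"])
```

The precedence table is what keeps a lower-ranked source from overwriting an authoritative one regardless of the order in which the agents run, and the dry-run export is the point at which an administrator can inspect exactly which attributes an agent is about to change in a connected directory before letting it write there, which is the practical answer to the data-loss risk noted earlier.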

NOTE

For directories that do not manage passwords in the directory's store, password synchronization can sometimes be handled by a third-party password synchronization product, such as Psynch (www.psynch.com).


Defining MIIS 2003 and Group Management

Just as MIIS 2003 can perform identity management for user accounts, it also can perform management tasks for groups. When a group is projected into the metaverse namespace, the group membership attribute can be replicated to other connected directories through their management agents. This enables a group membership change to occur in one directory and be replicated to other directories automatically.

Installing MIIS 2003 with SQL 2000

Both versions of MIIS 2003 require a licensed version of SQL Server 2000 with SP3 or later to run, and the product's installer prompts for the location of a SQL Server 2000 instance, as illustrated in Figure 6.1.

Figure 6.1. SQL install options with MIIS 2003.




Microsoft Exchange Server 2003 Unleashed (2nd Edition)
ISBN: 0672328070
Year: 2003
Pages: 393
Authors: Rand Morimoto