Integrating Directories Across Environments


There are several ways to integrate directories across multiple environments. Two of the most popular architectures are the master/slave model and the metadirectory model. When designing a master/slave model the architect must decide which directory service will actively manage directory objects and which one will only receive published updates. In the metadirectory model a separate directory management product is introduced to act as the master directory, and the existing directories receive published updates from the metadirectory.

Integrating LDAP Directories with Active Directory

Active Directory's LDAP is based on v3 of the LDAP standard. Not all LDAP implementations are based on LDAP v3. This makes it somewhat challenging to integrate them.

The LDAP schema objects that are going to be synchronized must match exactly. This requires planning: decide which of the LDAP schema versions will be the standard for the integration. By extending the LDAP schema you enable synchronization of entries within the schema and ensure that they will match correctly.

Different tools are available for accessing (reading) and manipulating or editing the LDAP schema of Active Directory. Tools can be purchased from third parties, such as Softerra's LDAP Administrator, to manage multiple LDAP schemas on different platforms with one product. The native Windows Server 2003 tool to edit the Active Directory is an MMC snap-in named ADSI Edit.

Configuring ADSI Edit Snap-in

To install the ADSI Edit snap-in into a new MMC console you need to perform the following steps:

  1. Select Start, Run and type mmc. Then click OK.

  2. In the Console window select File, Add/Remove Snap-in.

  3. Select the Add button in the Add/Remove Snap-in dialog box.

  4. In the Available Standalone Snap-ins pane choose Active Directory Schema. Choose Add and then Close.

  5. The ADSI Edit snap-in should now appear in the Add/Remove Snap-in window; choose OK.

  6. The MMC Console can now be saved by selecting File, Save As.

Creating a Referral in Active Directory

The ADSI Edit MMC snap-in can be used to create referrals to external naming contexts. This allows limited coexistence, letting users and applications reach multiple directories during an integration/migration project. You create a referral by performing the following steps:

  1. Open the ADSI Edit MMC snap-in console, right-click on ADSI Edit and choose the Connect To option, as shown in Figure 16.1.

    Figure 16.1. Connecting to a naming context.

  2. In the Connection Settings dialog box, change the naming context to Configuration, as shown in Figure 16.2, and then click OK.

    Figure 16.2. Choosing a naming context.

  3. Right-click on CN=Partitions and select New, Object, as shown in Figure 16.3.

    Figure 16.3. Creating a new object.

  4. In the Select Create Object dialog box, shown in Figure 16.4, the default class option is crossRef. Choose Next.

    Figure 16.4. Selecting the object class.

  5. In the CN Attributes dialog box, shown in Figure 16.5, enter a common name for the LDAP directory to be referred to and choose Next.

    Figure 16.5. Entering a common name.

  6. In the nCName (naming context name) attribute dialog box, shown in Figure 16.6, enter the naming context of the LDAP server, and choose Next.

    Figure 16.6. Entering the referenced naming context.

  7. In the dnsRoot Attribute dialog box, shown in Figure 16.7, enter the fully qualified domain name of the LDAP server and choose Next.

    Figure 16.7. Entering the referred server.

  8. The final dialog box enables you to choose More Attributes, such as an administrative description of this object. Choose Finish to add the referral (crossRef) object to the CN=Partitions container.
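The crossRef object that steps 3 through 8 create can also be produced as an LDIF record for import with ldifde. The following is an added example, not code from the book: it validates the three attributes the wizard asks for (cn, nCName, dnsRoot) before emitting the record, and shows the referral URL Active Directory builds from them. The forest root DN, the external naming context and the host name are constructed sample values.

```python
import re
from urllib.parse import quote

# RFC 1123 host label; a FQDN needs at least two labels and at most 253 chars
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_FQDN_RE = re.compile(rf"^(?:{_LABEL}\.)+{_LABEL}$")
# One RDN: "type=value"; a comma inside a value must be escaped as "\,"
_RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=(?:[^,\\]|\\.)+$")


def is_valid_dn(dn: str) -> bool:
    """Loose syntax check for a DN such as 'ou=people,o=example'."""
    parts = re.split(r"(?<!\\),", dn)
    return all(_RDN_RE.match(p.strip()) for p in parts)


def is_valid_fqdn(name: str) -> bool:
    return len(name) <= 253 and _FQDN_RE.match(name) is not None


def referral_url(ncname: str, dnsroot: str) -> str:
    """Referral AD hands to clients for an external crossRef: ldap://dnsRoot/nCName."""
    return f"ldap://{dnsroot}/{quote(ncname, safe='=,')}"


def crossref_ldif(cn: str, ncname: str, dnsroot: str, forest_root: str) -> str:
    """LDIF 'add' record for the crossRef under CN=Partitions,CN=Configuration.

    forest_root is the DN of the forest root domain (sample value in __main__).
    Every client that chases the resulting referral opens a connection to
    dnsroot, so malformed values are refused rather than published.
    """
    if not cn or "," in cn:
        raise ValueError("cn must be non-empty and contain no comma")
    if not is_valid_dn(ncname):
        raise ValueError(f"nCName is not a DN: {ncname!r}")
    if not is_valid_fqdn(dnsroot):
        raise ValueError(f"dnsRoot is not a FQDN: {dnsroot!r}")
    if not is_valid_dn(forest_root):
        raise ValueError(f"forest root is not a DN: {forest_root!r}")
    dn = f"CN={cn},CN=Partitions,CN=Configuration,{forest_root}"
    return "\n".join([f"dn: {dn}", "changetype: add", "objectClass: crossRef",
                      f"cn: {cn}", f"nCName: {ncname}", f"dnsRoot: {dnsroot}", ""])


if __name__ == "__main__":
    # Constructed sample: refer the forest corp.example.com to the external
    # naming context ou=people,o=example hosted on ldap.example.com
    print(crossref_ldif("Example LDAP", "ou=people,o=example",
                        "ldap.example.com", "DC=corp,DC=example,DC=com"))
```

The printed record can be imported with `ldifde -i -f <file>` on a domain controller by an account allowed to write to the Configuration naming context.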

Connect To Option

It is also possible to connect to alternative domains or domain controllers through the Connect To option by typing or selecting the domain or server name in the Select or Type a Domain or Server field.


Integration Using Metadirectories

In larger environments where major investments have been made in large Unix or mainframe directory deployments, migration might not be an option. In cases such as these a metadirectory could be a desirable option to consider.

A metadirectory is used to consolidate disparate data from multiple directory structures. One option is for the metadirectory to hold a superset of the data gathered from multiple disparate directories with different attributes, managed from different systems. A second option is to hold only a subset of the data: the company's common namespace, the namespace mappings to all of the connected systems, and key attributes such as e-mail addresses and public keys. Either approach works; the choice depends on your company's strategy for its directory usage.

Microsoft Identity Integration Server 2003 (MIIS) is an example of an LDAP metadirectory integration product. MIIS uses SQL Server 2000 (SP3 or later) to store the LDAP schema and synchronizes with multiple disparate LDAP schemas.



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325
