In most enterprises today, each individual application or system has its own user database or directory to track who is permitted to use that resource. Identity and access control data reside in different directories as well as in applications such as specialized network resource directories, mail servers, human resources, voice mail, payroll, and many others.
Each has its own
definition of the user’s “identity” (for example, name, title, ID
numbers, roles, membership in groups). Many have their own password and
process for authenticating users. Each has its own tool for managing
user accounts and, sometimes, its own dedicated administrator
responsible for this task. In addition, most enterprises have multiple
processes for requesting resources and for granting and changing access
rights. Some of these are automated, but many are paper-based. Many
differ from business unit to business unit, even when performing the
same function.
Administration
of these multiple repositories often leads to time-consuming and
redundant efforts in administration and provisioning. It also causes
frustration for users, requiring them to remember multiple IDs and
passwords for different applications and systems. The larger the
organization, the greater the potential variety of these repositories
and the effort required to keep them updated.
In response to this problem, Microsoft developed Microsoft Metadirectory Services (MMS) to provide identity synchronization between different directories. As the product improved, it was re-released under the new name Microsoft Identity Integration Server (MIIS) 2003.
The use of MIIS 2003
for Exchange 2007 is particularly useful because it can synchronize
information between the AD forest that contains Exchange and the other
messaging systems in use within the organization.
Understanding MIIS 2003
MIIS is a
system that manages and coordinates identity information from multiple
data sources in an organization, enabling you to combine that
information into a single logical view that represents all of the
identity information for a given user or resource.
MIIS enables a
company to synchronize identity information across a wide variety of
heterogeneous directory and nondirectory identity stores. This enables
customers to automate the process of updating identity information
across heterogeneous platforms while maintaining the integrity and
ownership of that data across the enterprise.
Password management
capabilities enable end users or help desk staff to easily reset
passwords across multiple systems from one easy-to-use web interface.
End users and help desk staff no longer have to use multiple tools to
change their passwords across multiple systems.
Note
There
are actually two versions of MIIS. The first version, known as the
Identity Integration Feature Pack for Microsoft Windows Server, is free
to anyone licensed for Windows Server 2003 Enterprise Edition. It
provides functionality to integrate identity information between
multiple Active Directory forests or between Active Directory and Active
Directory Application Mode (ADAM).
The second version
requires a separate licensing scheme and also requires SQL Server
2000/2005 for the back-end database. This version is known as the
Microsoft Identity Integration Server 2003—Enterprise Edition. It
provides classic metadirectory functionality that enables administrators
to synchronize and provision identity information across a wide variety
of stores and systems.
Understanding MIIS 2003 Concepts
It is important to
understand some key terms used with MIIS 2003 before comprehending how
it can be used to integrate various directories. Keep in mind that the
following terms are used to describe MIIS 2003 concepts but might also
help give you a broader understanding of how metadirectories function in
general:
Management agent (MA)—
A MIIS 2003 MA is a tool used to communicate with a specific type of
directory. For example, an Active Directory MA enables MIIS 2003 to
import or export data and perform tasks within Active Directory.
Connected directory (CD)—
A connected directory is a directory that MIIS 2003 communicates with
using a configured MA. An example of a connected directory is a
Microsoft Exchange Server 5.5 directory database.
Connector namespace (CS)—
The connector namespace is the replicated information and container
hierarchy extracted from or destined to the respective connected
directory.
Metaverse namespace (MV)—
The metaverse namespace is the authoritative directory data created
from the information gathered from each of the respective connector
namespaces.
Metadirectory— Within MIIS 2003, the metadirectory is made up of all the connector namespaces plus the authoritative metaverse namespace.
Attributes—
Attributes are the fields of information that are exported from or
imported to directory entries. Common directory entry attributes are
name, alias, email address, phone number, employee ID, or other
information.
MIIS 2003 can be used for
many tasks, but is most commonly used for managing directory entry
identity information. The intention here is to manage user accounts by
synchronizing attributes, such as logon ID, first name, last name,
telephone number, title, and department. For example, if a user named
Jane Doe is promoted and her title is changed
from manager to vice president, the title change could first be entered
in the HR or Payroll databases; then through MIIS 2003 MAs, the change
could be replicated to other directories within the organization. This
ensures that when someone looks up the title attribute for Jane Doe, it
is the same in all the directories synchronized with MIIS 2003. This is a
common and basic use of MIIS 2003 referred to as identity management. Other common uses of MIIS 2003 include account provisioning and group management.
Note
MIIS 2003 is a versatile
and powerful directory synchronization tool that can be used to simplify
and automate some directory management tasks. Because of the nature of
MIIS 2003, it can also be a very dangerous tool as MAs can have full
access to the connected directories. Misconfiguration of MIIS 2003 MAs
could result in data loss, so careful planning and extensive lab testing
should be performed before MIIS 2003 is released to the production
directories of any organization. In many cases, it might be prudent to
contact Microsoft consulting services and certified Microsoft solution
provider/partners to help an organization decide whether MIIS 2003 is
right for its environment, or even to design and facilitate the
implementation.
Exploring MIIS 2003 Account Provisioning
MIIS enables administrators to easily provision and deprovision users' accounts and identity information, such as distribution, email, and security groups, across systems and platforms. Administrators can quickly create new accounts for employees based on events or changes in authoritative stores such as the human resources system. In addition, as employees leave a company, they can be immediately deprovisioned from those same systems.
Account provisioning in MIIS
2003 enables advanced configurations of directory MAs, along with
special provisioning agents, to be used to automate account creation and
deletion in several directories. For example, if a new user account is
created in Active Directory, the Active Directory MA could tag this
account. Then, when the respective MAs are run for other connected
directories, a new user account could be automatically generated.
One enhancement of MIIS 2003 over MMS is that password synchronization is now supported for specific directories that manage passwords within the directory. MIIS 2003 provides an application programming interface (API) accessed through Windows Management Instrumentation (WMI). For connected directories that manage passwords in the directory's store, password management is activated when an MA is configured in MA Designer. In addition to enabling password management for each MA, Management Agent Designer returns a system name attribute through the WMI interface for each connector space object.
Outlining the Role of Management Agents (MAs) in MIIS 2003
An MA links a specific connected data source to the metadirectory. The MA is responsible for moving data between the connected data source and the metadirectory. When data in the metadirectory is modified, the MA can also export the data to the connected data source to keep the connected data source synchronized with the metadirectory. Generally, there is at least one MA for each connected directory. MIIS 2003, Enterprise Edition, includes MAs for the following identity repositories:
Active Directory
Active Directory Application Mode (ADAM)
Attribute-value pair text files
Comma-separated value files
Delimited text files
Directory Services Markup Language (DSML) 2.0
Exchange Server 5.5
Exchange Server 2000/2003 and Exchange Server 2007 Global Address List (GAL) synchronization
Fixed-width text files
LDAP Directory Interchange Format (LDIF)
Lotus Notes/Domino 4.6/5.0
Novell NDS, eDirectory, DirXML
Sun/iPlanet/Netscape directory 4.x/5.x (with “changelog” support)
Microsoft SQL Server 2005/2000/7.0
Microsoft Windows NT 4.0 domains
Oracle 8i/9i
Informix, dBase, ODBC, and OLE DB support via SQL Server Data Transformation Services
Note
Service Pack 2 for
MIIS introduced integrated support for synchronization with additional
directories such as Service Advertising Protocol (SAP). In addition, it
also introduced the ability for end users to reset their own passwords
via a web management interface.
MAs
contain rules that govern how an object’s attributes are mapped, how
connected directory objects are found in the metaverse, and when
connected directory objects should be created or deleted.
These agents are used to configure how MIIS 2003 will communicate and interact with the connected directories when the agent is run. When an MA is first created, all of its configuration can be performed at that time. The elements that can be configured include which types of directory objects will be replicated to the connector namespace, which attributes will be replicated, directory entry join and projection rules, attribute flow rules between the connector namespace and the metaverse namespace, and more. If a necessary configuration setting is unknown when the MA is created, it can be revisited and modified later.
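The Jane Doe example earlier (a title change entered in HR and replicated through MAs), the account provisioning and deprovisioning section, and the join, projection and attribute flow rules just described all fit in one small model. The following Python is an added illustration written for this page, not MIIS code or any Microsoft API: the HR and AD stores, the `ManagementAgent` class, the `build_engine` and `run_cycle` helpers and the per-run deletion limit (`max_deletions`) are all constructed here to show how the concepts relate. The deletion limit is included because the note above stresses that a misconfigured MA with full access to a connected directory can destroy data; capping how many deprovisioning deletions one export may perform is a defensive design choice of this example, not a documented MIIS setting.

```python
"""Toy metadirectory modelled on the MIIS 2003 concepts described above:
connected directories, connector spaces, a metaverse, join/projection rules,
attribute flow, and provisioning/deprovisioning. Constructed illustration,
not MIIS code; the deletion limit is an assumed safeguard, not an MIIS setting."""
import copy


class MetadirectoryError(Exception):
    """Raised when an export would delete more objects than the MA is allowed to."""


# Constructed sample HR store, authoritative for identity data (anchor: employeeID).
SAMPLE_HR = {
    "E1001": {"employeeID": "E1001", "givenName": "Jane", "sn": "Doe",
              "title": "Manager", "department": "Sales"},
    "E1002": {"employeeID": "E1002", "givenName": "John", "sn": "Roe",
              "title": "Analyst", "department": "Finance"},
}


class ManagementAgent:
    """One MA per connected directory (CD). The connector space (cs) mirrors
    the CD; the rules decide how cs objects join or project into the metaverse
    (mv) and which attributes flow in each direction."""

    def __init__(self, name, store, anchor, import_flow, export_flow=None,
                 authoritative=False, max_deletions=1):
        self.name, self.store, self.anchor = name, store, anchor
        self.import_flow = import_flow        # {mv_attr: cd_attr}
        self.export_flow = export_flow        # {cd_attr: fn(mv_obj)} or None
        self.authoritative = authoritative    # may project into and delete from mv
        self.max_deletions = max_deletions    # assumed cap on deprovisioning per run
        self.cs = {}

    def run_import(self, mv):
        """Full import into the connector space, then join/project and flow in."""
        self.cs = copy.deepcopy(self.store)
        for cs_obj in self.cs.values():
            key = cs_obj[self.anchor]                 # join rule: match on anchor
            if key not in mv:
                if not self.authoritative:
                    continue                          # no match: stays a disconnector
                mv[key] = {}                          # projection: new mv object
            for mv_attr, cd_attr in self.import_flow.items():
                mv[key][mv_attr] = cs_obj[cd_attr]    # inbound attribute flow
        if self.authoritative:                        # mv object deletion rule
            for key in [k for k in mv if k not in self.cs]:
                del mv[key]

    def run_export(self, mv):
        """Provision missing CD objects, flow attributes out, deprovision the rest."""
        if self.export_flow is None:
            return                                    # import-only MA
        stale = [k for k in self.store if k not in mv]
        if len(stale) > self.max_deletions:
            raise MetadirectoryError(
                f"{self.name}: refusing {len(stale)} deletions (limit {self.max_deletions})")
        for key in stale:
            del self.store[key]                       # deprovision
        for key, mv_obj in mv.items():
            cd_obj = self.store.setdefault(key, {self.anchor: key})   # provision
            for cd_attr, rule in self.export_flow.items():
                cd_obj[cd_attr] = rule(mv_obj)        # outbound attribute flow
        self.cs = copy.deepcopy(self.store)


def build_engine(max_deletions=1):
    """Fresh metaverse plus an HR MA (authoritative) and an AD MA (provisioned)."""
    hr, ad, mv = copy.deepcopy(SAMPLE_HR), {}, {}
    hr_ma = ManagementAgent("HR MA", hr, "employeeID", authoritative=True,
        import_flow={a: a for a in ("employeeID", "givenName", "sn", "title", "department")})
    ad_ma = ManagementAgent("AD MA", ad, "employeeID", import_flow={},
        export_flow={
            "sAMAccountName": lambda o: (o["givenName"][0] + o["sn"]).lower(),
            "displayName": lambda o: f"{o['givenName']} {o['sn']}",
            "title": lambda o: o["title"],
            "department": lambda o: o["department"],
        }, max_deletions=max_deletions)
    return mv, [hr_ma, ad_ma], hr, ad


def run_cycle(mv, agents):
    """Imports first so the authoritative store wins, then exports."""
    for ma in agents:
        ma.run_import(mv)
    for ma in agents:
        ma.run_export(mv)


if __name__ == "__main__":
    mv, agents, hr, ad = build_engine()
    run_cycle(mv, agents)
    hr["E1001"]["title"] = "Vice President"       # promotion entered in HR only
    run_cycle(mv, agents)
    print(ad["E1001"])                            # title now "Vice President" in AD
    del hr["E1002"]                               # leaver removed from HR
    run_cycle(mv, agents)
    print(sorted(ad))                             # E1002 deprovisioned from AD
```

Running the script shows the two flows the text describes: an HR-only edit to Jane Doe's title reaches the AD account on the next cycle, and removing an employee from HR removes the AD account. If HR were emptied by mistake, the AD MA would refuse the export rather than delete every account, which is the kind of guardrail a lab test of a new MA configuration should exercise before it is pointed at production directories.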
Defining MIIS 2003 and Group Management
Just as MIIS 2003 can
perform identity management for user accounts, it also can perform
management tasks for groups. When a group is projected into the
metaverse namespace, the group membership attribute can be replicated to
other connected directories through their MAs. This enables a group
membership change to occur in one directory and be replicated to other
directories automatically.
Installing MIIS 2003 with SQL 2000/2005
Both versions of
MIIS 2003 require a licensed version of SQL Server 2000 with SP3 or
greater or SQL Server 2005 to run, and an install of the product will
prompt for the location of a SQL server, as illustrated in Figure 1.
It is not necessary to install a new instance of SQL Server, because an existing SQL Server 2000 SP3 or later system can be used as well. If an existing SQL Server 2000/2005 server is not available, SQL Server can be installed on the same system as MIIS 2003. That system must be running Windows Server 2003, because MIIS requires this version of the OS.