Synchronizing Directory Information with Microsoft Identity Integration Server (MIIS) 2003
In most enterprises today, each individual application or system has its own user database or directory to track who is permitted to use that resource. Identity and access control data reside in different directories as well as in applications such as specialized network resource directories, mail servers, human resources, voice mail, payroll, and many other applications. Each has its own definition of the user’s “identity” (for example, name, title, ID numbers, roles, membership in groups). Many have their own password and process for authenticating users. Each has its own tool for managing user accounts and, sometimes, its own dedicated administrator responsible for this task. In addition, most enterprises have multiple processes for requesting resources and for granting and changing access rights. Some of these are automated, but many are paper-based. Many differ from business unit to business unit, even when performing the same function.

Administration of these multiple repositories often leads to time-consuming and redundant efforts in administration and provisioning. It also causes frustration for users, requiring them to remember multiple IDs and passwords for different applications and systems. The larger the organization, the greater the potential variety of these repositories and the effort required to keep them updated.

In response to this problem, Microsoft developed Microsoft Metadirectory Services (MMS) to provide identity synchronization between different directories. As the product improved, it was rereleased under the new name Microsoft Identity Integration Server (MIIS) 2003. The use of MIIS 2003 with Exchange 2007 is particularly useful because it can synchronize information between the AD forest that contains Exchange and the other messaging systems in use within the organization.

Understanding MIIS 2003

MIIS is a system that manages and coordinates identity information from multiple data sources in an organization, enabling you to combine that information into a single logical view that represents all of the identity information for a given user or resource. MIIS enables a company to synchronize identity information across a wide variety of heterogeneous directory and nondirectory identity stores. This enables customers to automate the process of updating identity information across heterogeneous platforms while maintaining the integrity and ownership of that data across the enterprise.

Password management capabilities enable end users or help desk staff to easily reset passwords across multiple systems from one easy-to-use web interface. End users and help desk staff no longer have to use multiple tools to change their passwords across multiple systems.

NOTE: There are actually two versions of MIIS. The first version, known as the Identity Integration Feature Pack for Microsoft Windows Server, is free to anyone licensed for Windows Server 2003 Enterprise Edition. It provides functionality to integrate identity information between multiple Active Directory forests or between Active Directory and Active Directory Application Mode (ADAM). The second version requires a separate licensing scheme and also requires SQL Server 2000/2005 for the back-end database. This version is known as Microsoft Identity Integration Server 2003, Enterprise Edition. It provides classic metadirectory functionality that enables administrators to synchronize and provision identity information across a wide variety of stores and systems.

Understanding MIIS 2003 Concepts

It is important to understand some key terms used with MIIS 2003 before looking at how it can be used to integrate various directories. Keep in mind that the following terms are used to describe MIIS 2003 concepts but might also help give you a broader understanding of how metadirectories function in general:

- Management agent (MA): An MIIS 2003 MA is a tool used to communicate with a specific type of directory. For example, an Active Directory MA enables MIIS 2003 to import or export data and perform tasks within Active Directory.
- Connected directory (CD): A connected directory is a directory that MIIS 2003 communicates with using a configured MA. An example of a connected directory is a Microsoft Exchange Server 5.5 directory database.
- Connector namespace (CS): The connector namespace is the replicated information and container hierarchy extracted from, or destined for, the respective connected directory.
- Metaverse namespace (MV): The metaverse namespace is the authoritative directory data created from the information gathered from each of the respective connector namespaces.
- Metadirectory: Within MIIS 2003, the metadirectory is made up of all the connector namespaces plus the authoritative metaverse namespace.
- Attributes: Attributes are the fields of information that are exported from or imported to directory entries. Common directory entry attributes are name, alias, email address, phone number, employee ID, or other information.

MIIS 2003 can be used for many tasks, but it is most commonly used for managing directory entry identity information. The intention here is to manage user accounts by synchronizing attributes, such as logon ID, first name, last name, telephone number, title, and department. For example, if a user named Jane Doe is promoted and her title is changed from manager to vice president, the title change could first be entered in the HR or Payroll databases; then, through MIIS 2003 MAs, the change could be replicated to other directories within the organization. This ensures that when someone looks up the title attribute for Jane Doe, it is the same in all the directories synchronized with MIIS 2003. This is a common and basic use of MIIS 2003, referred to as identity management. Other common uses of MIIS 2003 include account provisioning and group management.

NOTE: MIIS 2003 is a versatile and powerful directory synchronization tool that can be used to simplify and automate some directory management tasks. Because of the nature of MIIS 2003, it can also be a very dangerous tool, as MAs can have full access to the connected directories. Misconfiguration of MIIS 2003 MAs could result in data loss, so careful planning and extensive lab testing should be performed before MIIS 2003 is released to the production directories of any organization. In many cases, it might be prudent to contact Microsoft Consulting Services or certified Microsoft solution providers/partners to help an organization decide whether MIIS 2003 is right for its environment, or even to design and facilitate the implementation.

Exploring MIIS 2003 Account Provisioning

MIIS enables administrators to easily provision and deprovision users’ accounts and identity information, such as distribution, email, and security groups, across systems and platforms. Administrators are able to quickly create new accounts for employees based on events or changes in authoritative stores such as the human resources system. In addition, as employees leave a company, they can be immediately deprovisioned from those same systems.

Account provisioning in MIIS 2003 enables advanced configurations of directory MAs, along with special provisioning agents, to be used to automate account creation and deletion in several directories. For example, if a new user account is created in Active Directory, the Active Directory MA could tag this account. Then, when the respective MAs are run for other connected directories, a new user account could be automatically generated.

One enhancement of MIIS 2003 over MMS is that password synchronization is now supported for specific directories that manage passwords within the directory. MIIS 2003 provides an application programming interface (API) accessed through Windows Management Instrumentation (WMI). For connected directories that manage passwords in the directory’s store, password management is activated when an MA is configured in MA Designer. In addition to enabling password management for each MA, Management Agent Designer returns a system name attribute through the WMI interface for each connector space object.

Outlining the Role of Management Agents (MAs) in MIIS 2003

An MA links a specific connected data source to the metadirectory. The MA is responsible for moving data between the connected data source and the metadirectory. When data in the metadirectory is modified, the MA can also export the data to the connected data source to keep the connected data source synchronized with the metadirectory. Generally, there is at least one MA for each connected directory. MIIS 2003, Enterprise Edition, includes MAs for the following identity repositories:

- Active Directory
- Active Directory Application Mode (ADAM)
- Attribute-value pair text files
- Comma-separated value files
- Delimited text files
- Directory Services Markup Language (DSML) 2.0
- Exchange Server 5.5
- Exchange Server 2000/2003 and Exchange Server 2007 Global Address List (GAL) synchronization
- Fixed-width text files
- LDAP Directory Interchange Format (LDIF)
- Lotus Notes/Domino 4.6/5.0
- Novell NDS, eDirectory, DirXML
- Sun/iPlanet/Netscape directory 4.x/5.x (with “changelog” support)
- Microsoft SQL Server 2005/2000/7.0
- Microsoft Windows NT 4.0 domains
- Oracle 8i/9i
- Informix, dBase, ODBC, and OLE DB support via SQL Server Data Transformation Services

NOTE: Service Pack 2 for MIIS introduced integrated support for synchronization with additional directories such as Service Advertising Protocol (SAP). In addition, it also introduced the ability for end users to reset their own passwords via a web management interface.

MAs contain rules that govern how an object’s attributes are mapped, how connected directory objects are found in the metaverse, and when connected directory objects should be created or deleted. These agents are used to configure how MIIS 2003 will communicate and interact with the connected directories when the agent is run. When an MA is first created, all the configuration of that agent can be performed during that instance. The elements that can be configured include which types of directory objects will be replicated to the connector namespace, which attributes will be replicated, directory entry join and projection rules, attribute flow rules between the connector namespace and the metaverse namespace, and more. If a necessary configuration is unknown during MA creation, it can be revisited and modified later.

Defining MIIS 2003 and Group Management

Just as MIIS 2003 can perform identity management for user accounts, it can also perform management tasks for groups. When a group is projected into the metaverse namespace, the group membership attribute can be replicated to other connected directories through their MAs. This enables a group membership change to occur in one directory and be replicated to other directories automatically.

Installing MIIS 2003 with SQL 2000/2005

Both versions of MIIS 2003 require a licensed version of SQL Server 2000 with SP3 or greater, or SQL Server 2005, to run, and an install of the product will prompt for the location of a SQL server. It is not necessarily required to install a new instance of SQL, because an existing SQL 2000 SP3 or greater system can be used as well. If an existing SQL 2000/2005 server is not available, SQL can be installed on the same system as MIIS 2003. This particular system must be running Windows Server 2003, as MIIS requires this version of the OS.
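The following Python is an added illustration (not code from this article or from MIIS itself) of the join, projection and attribute-flow rules described above, applied to the Jane Doe promotion: the HR MA is the authoritative source and may project new metaverse objects, the AD MA only joins, and a per-attribute precedence list stops AD's stale title from overwriting the HR value. The precedence table, the "HR"/"AD" names and all directory contents are constructed assumptions, and the precedence mechanism is a simplification of MIIS's own attribute-flow configuration.

```python
# Simplified model of MIIS 2003 synchronization: each connected directory (CD)
# has a connector space (CS) whose objects join the metaverse (MV) on employeeID;
# only the authoritative MA projects new MV objects and attributes flow in by
# precedence. Illustration only (not MIIS's rules-extension API); sample data.

# Attribute-flow precedence: first CD in each list is authoritative (assumed).
PRECEDENCE = {"title": ["HR", "AD"], "department": ["HR", "AD"],
              "displayName": ["HR", "AD"], "sAMAccountName": ["AD"]}

def import_cs(mv, cd, cs_objects, can_project):
    """One MA import run: join on employeeID, project if allowed, flow attrs.
    mv = {"objects": {eid: attrs}, "sources": {eid: {attr: cd}}}.
    Returns employeeIDs that joined or projected; the rest stay disconnectors."""
    joined = []
    for cs in cs_objects:
        eid = cs["employeeID"]
        if eid not in mv["objects"]:
            if not can_project:
                continue          # no join partner and this MA may not project
            mv["objects"][eid], mv["sources"][eid] = {}, {}
        for attr, value in cs.items():
            order = PRECEDENCE.get(attr, [])
            if cd not in order:
                continue          # attribute is not flowed from this CD
            owner = mv["sources"][eid].get(attr)
            # Overwrite only if this CD outranks or equals the current supplier.
            if owner is None or order.index(cd) <= order.index(owner):
                mv["objects"][eid][attr] = value
                mv["sources"][eid][attr] = cd
        joined.append(eid)
    return joined

def export_cs(mv, cs_objects):
    """Export flow: push MV values into a CS; returns (eid, attr, old, new)."""
    changes = []
    for cs in cs_objects:
        for attr, new in mv["objects"].get(cs["employeeID"], {}).items():
            if attr in PRECEDENCE and cs.get(attr) != new:
                changes.append((cs["employeeID"], attr, cs.get(attr), new))
                cs[attr] = new
    return changes

def demo_promotion():
    """Jane Doe's promotion is entered in HR, flows to AD via the MV, and AD's
    stale title cannot flow back over the authoritative value (constructed data)."""
    hr = [{"employeeID": "1001", "displayName": "Jane Doe", "title": "Manager",
           "department": "Sales"}]
    ad = [{"employeeID": "1001", "sAMAccountName": "jdoe", "title": "Manager"}]
    mv = {"objects": {}, "sources": {}}
    import_cs(mv, "HR", hr, can_project=True)   # HR is authoritative: projects
    import_cs(mv, "AD", ad, can_project=False)  # AD only joins, never projects
    hr[0]["title"] = "Vice President"           # promotion entered in HR
    import_cs(mv, "HR", hr, can_project=True)
    import_cs(mv, "AD", ad, can_project=False)  # AD still says Manager: ignored
    return export_cs(mv, ad), mv["objects"]["1001"], ad[0]
```

Giving a non-authoritative MA projection rights, or omitting it from the precedence list, is the kind of misconfiguration the NOTE above warns about: the model makes the effect of each setting visible before anything touches a production directory.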