
new_MIIS_2003_GAL_synchronization_Step_By_Step

By Annette Fox,2014-05-06 15:49

    Identity Integration Feature Pack for Microsoft® Windows Server® Active Directory®

    GAL Synchronization Step-By-Step

    The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

    This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

    Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

    © 2003 Microsoft Corporation. All rights reserved.

    Active Directory, Microsoft, MS-DOS, Visual Studio, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

    The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

    Table of Contents

    Overview (page 4)
    Reviewing Active Directory Forest Design (page 4)
        Review Active Directory Organizational Unit Structure (page 5)
        Review Schema Extensions (page 8)
    Setting Up the Scenario (page 8)
        Knowledge Prerequisites (page 8)
        Lab Requirements (page 8)
        Setting Up the Scenario Computers (page 9)
    Populating and Configuring Active Directory Objects (page 15)
        Configure the Mail Addresses in Exchange Server 2003 (page 18)
        Create Exchange Mailboxes for the Active Directory User Accounts (page 19)
    Extending the Metaverse Schema (page 20)
    Creating and Running the Management Agents (page 22)
        Creating the Contoso GALMA (page 22)
        Creating the Fabrikam GALMA (page 25)
        Using Management Agent Run Profiles (page 27)
        Running the Management Agents (page 27)
    Administering the GAL Synchronization Infrastructure (page 31)

    Overview

    This Identity Integration Feature Pack for Microsoft® Windows Server® Active Directory® global address list (GAL) synchronization scenario document provides a procedural implementation of the Identity Integration Feature Pack GAL synchronization solution. In this document, you will create two Active Directory forests, configure them with Microsoft Exchange Server 2003 and Identity Integration Feature Pack, and then synchronize the global address lists of the two forests to create a GAL synchronization infrastructure.

    You will perform the following tasks to configure the Identity Integration Feature Pack GAL synchronization infrastructure:

    - Review the Active Directory® directory service forest design
    - Set up the scenario
    - Populate Active Directory and configure the Active Directory objects
    - Extend the metaverse schema
    - Create the management agents
    - Administer the GAL synchronization infrastructure

    This document provides a step-by-step walkthrough to set up and run a GAL Sync scenario consisting of two Active Directory forests that contain users, contacts and groups. Use this document to familiarize yourself with how GAL Sync works. To provide an example of a GAL synchronization solution, this document also includes prescriptive steps for creating and synchronizing objects in the forests for two fictitious organizations, Contoso and Fabrikam. Before you set up a GAL synchronization solution in your own environment, read Identity Integration Feature Pack for Microsoft® Windows Server® Active Directory® Global Address List (GAL) Synchronization. That document outlines the design of the GAL synchronization solution, including the rules and preconfigured values of the management agent, and the deployment and extension of a GAL synchronization infrastructure.

    Reviewing Active Directory Forest Design

    To support this Identity Integration Feature Pack GAL synchronization scenario, you will use command line scripts provided with this scenario to create organizational units in each of the Active Directory forests. Before creating these forest organizational units, understand the organizational unit structure common to all Identity Integration Feature Pack GAL synchronization implementations and the specific implementation for this scenario. In addition, become familiar with metaverse schema extensions that are used to support this Identity Integration Feature Pack GAL synchronization scenario.

    Microsoft Identity Integration Server 2003 GAL Synchronization Step-By-Step 5

    Review Active Directory Organizational Unit Structure

    GAL synchronization between Active Directory forests involves a source forest and a target forest. Each forest uses organizational units created specifically for GAL synchronization. In the source forest are Users, Groups, and Contacts organizational units that Identity Integration Feature Pack uses to populate a specific Contacts organizational unit in the target forest. All Active Directory objects used to support GAL synchronization are stored in these organizational units.

    This scenario uses the fictional companies Contoso and Fabrikam, each with their own forest, to demonstrate GAL synchronization. Table 6.1 shows the organizational unit structure required by each Active Directory forest. The indentations in the table indicate the hierarchical organization of the organizational unit structure.

    Table 6.1 OU Structure for GAL Synchronization Scenario

    Contoso Organizational Units    | Fabrikam Organizational Units   | Description
    --------------------------------|---------------------------------|------------------------------------------
    connoa.concorp.contoso.com      | fabnoa.fabcorp.fabrikam.com     | Active Directory domain
      CONNOA-MIIS-01                |   FABNOA-MIIS-01                | Domain controller name
        GALSynchronization          |     GALSynchronization          | Synchronization organizational unit
          Contoso                   |       Fabrikam                  | Local (source) domain organizational unit
            User                    |         User                    | User organizational unit
            Group                   |         Group                   | Group organizational unit
            Contacts                |         Contacts                | Contacts organizational unit
          Fabrikam                  |       Contoso                   | Remote (target) domain organizational unit
            Contacts                |         Contacts                | Organizational unit for remote contacts

    Important

    If you build this scenario by using a different organizational unit structure, the example will vary; however, the label of the lowest OU in the OU structure (Contacts) for each forest must be named Contacts when you deploy the Identity Integration Feature Pack GAL synchronization solution.

    Figure 6.1 shows the Connoa forest structure as viewed in the Active Directory Users and Computers snap-in.

    Figure 6.1 Connoa Organizational Unit Structure

    The connoa and fabnoa forests have an organizational unit with the name of the local domain controller (CONNOA-MIIS-01 or FABNOA-MIIS-01) under which a GAL synchronization organizational unit (GALSynchronization) exists. The GALSynchronization OU contains additional organizational units for contacts, groups, and users. Also under the organizational unit named after the domain controller is an organizational unit named after the remote forest (Contoso or Fabrikam), which contains an organizational unit called Contacts where the synchronized objects are stored. In the connoa domain, the OU that accommodates the Fabrikam contacts is called Fabrikam. In the fabnoa domain, the OU is called Contoso. Using the computer name of the Active Directory domain controller in the structure of the organizational unit is uncommon in an Active Directory forest; however, by including the computer name, different scenarios within this document can use the same Active Directory forests. For example, the Lightweight Directory Access Protocol (LDAP) string for the Contacts organizational unit in the Connoa forest is:

    ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=CONNOA-MIIS-01,DC=connoa,DC=concorp,DC=contoso,DC=com

    The computer name parameter (ou=CONNOA-MIIS-01) is replaced by the computer name of the domain controller.

    The LDAP strings for the organizational units in the Connoa forest appear as follows:

    ou=Contacts,ou=Contoso,ou=GALSynchronization,ou=CONNOA-MIIS-01,DC=connoa,DC=concorp,DC=contoso,DC=com
    ou=Users,ou=Contoso,ou=GALSynchronization,ou=CONNOA-MIIS-01,DC=connoa,DC=concorp,DC=contoso,DC=com
    ou=Groups,ou=Contoso,ou=GALSynchronization,ou=CONNOA-MIIS-01,DC=connoa,DC=concorp,DC=contoso,DC=com
    ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=CONNOA-MIIS-01,DC=connoa,DC=concorp,DC=contoso,DC=com

    As stated earlier, the last organizational unit uses the Fabrikam name to indicate that the contacts in its Contacts organizational unit are from the remote (target) Fabrikam forest. The LDAP strings for the organizational units in the Fabrikam forest appear as follows:

    ou=Contacts,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-MIIS-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
    ou=Users,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-MIIS-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
    ou=Groups,ou=Fabrikam,ou=GALSynchronization,ou=FABNOA-MIIS-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com
    ou=Contacts,ou=Contoso,ou=GALSynchronization,ou=FABNOA-MIIS-01,DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com

    Following the convention used in the Contoso organizational units, the last of the Fabrikam organizational units uses the Contoso name to indicate that the contacts in its Contacts organizational unit are from the remote (target) Contoso forest.
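The OU naming convention above is easy to get wrong when the scenario is rebuilt with other forest or domain controller names, and a management agent pointed at a mis-named OU will silently populate the wrong container. The following added example (not part of the Microsoft document or the scripts it ships) builds the four DNs for a forest from the parameters the text identifies (domain controller name, domain DNS name, local and remote forest names) and checks the rule from the Important note that the lowest OU of the target structure is named Contacts.

```python
"""Build and validate the GAL synchronization OU distinguished names.

Added example for this scenario; it is not Microsoft's code. The function
names below are hypothetical. Only unescaped commas are handled in DNs,
which is sufficient for the names used in this scenario.
"""


def domain_to_dc(domain_dns: str) -> str:
    """'connoa.concorp.contoso.com' -> 'DC=connoa,DC=concorp,DC=contoso,DC=com'."""
    return ",".join(f"DC={label}" for label in domain_dns.split("."))


def build_gal_ou_dns(dc_name: str, domain_dns: str,
                     local_forest: str, remote_forest: str) -> dict:
    """Return the scenario's OU DNs for one forest.

    dc_name is the 'computer name parameter' the text says replaces
    ou=CONNOA-MIIS-01. 'users', 'groups' and 'contacts' are the local
    (source) OUs; 'remote_contacts' is the target OU that receives the
    other forest's contacts.
    """
    base = f"ou=GALSynchronization,ou={dc_name},{domain_to_dc(domain_dns)}"
    local = f"ou={local_forest},{base}"
    remote = f"ou={remote_forest},{base}"
    return {
        "users": f"ou=Users,{local}",
        "groups": f"ou=Groups,{local}",
        "contacts": f"ou=Contacts,{local}",
        "remote_contacts": f"ou=Contacts,{remote}",
    }


def parse_dn(dn: str) -> list:
    """Split a DN into (attribute type, value) pairs, leaf RDN first."""
    rdns = []
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def remote_contacts_ou_is_valid(dn: str, expected_remote: str) -> bool:
    """Apply the 'Important' note: the lowest OU must be named Contacts,
    and here it must sit directly under the OU named after the remote forest."""
    rdns = parse_dn(dn)
    if len(rdns) < 2:
        return False
    (leaf_attr, leaf_val), (parent_attr, parent_val) = rdns[0], rdns[1]
    return (leaf_attr == "ou" and leaf_val == "Contacts"
            and parent_attr == "ou" and parent_val == expected_remote)


if __name__ == "__main__":
    for forest in (("CONNOA-MIIS-01", "connoa.concorp.contoso.com", "Contoso", "Fabrikam"),
                   ("FABNOA-MIIS-01", "fabnoa.fabcorp.fabrikam.com", "Fabrikam", "Contoso")):
        dns = build_gal_ou_dns(*forest)
        for role, dn in dns.items():
            print(f"{role:16} {dn}")
        print("remote Contacts OU valid:", remote_contacts_ou_is_valid(dns["remote_contacts"], forest[3]))
```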

    The Active Directory users in this scenario use Exchange mailboxes, and the groups use Exchange e-mail addresses. Both of these are created from the Active Directory Users and Computers snap-in. Contacts are already mail-enabled.


    Review Schema Extensions

    When you create the first management agent (MA) for Active Directory GAL, the metaverse schema is extended to include additional attributes for the following metaverse object types:

    - Person
    - Group
    - contact_Contoso
    - contact_Fabrikam

    The extensions enable the metaverse to represent user objects from each forest as metaverse person objects, Active Directory group objects as metaverse group objects, and Active Directory contact objects as separate metaverse contact_forest objects.

    Setting Up the Scenario

    The setup of the GAL synchronization scenario involves specific hardware and software requirements. Equally important are the knowledge requirements for running a GAL synchronization scenario, as this scenario involves different, and complex, software solutions.

    Knowledge Prerequisites

    It is recommended that the person who is setting up this scenario has an advanced understanding of the following:

    - Installing and configuring Microsoft® Windows® Server 2003, Enterprise Edition
    - Installing and configuring Microsoft® Exchange® Server 2003
    - Installing and configuring Active Directory
    - Identity Integration Feature Pack

    Lab Requirements

    The lab environment required for this scenario involves the following components:

    - Computer setup
    - Hardware requirements
    - Software requirements

    Computer Setup

    To complete this scenario, you must configure two server computers. The instructions for setting up these computers are described later in the scenario computers setup section.


    Hardware

    It is recommended that the hardware used for this scenario match or exceed the following specification:

    - Pentium II 500
    - 256 MB of RAM
    - 8-GB hard disk
    - 512-KB L2 cache
    - Network adapter
    - 4-MB video adapter
    - SVGA monitor (17 inch)
    - Microsoft Mouse or compatible pointing device

    All hardware must be on the Microsoft Windows Server 2003, Enterprise Edition, Hardware Compatibility List (HCL), available on the Microsoft web site (http://www.microsoft.com/windows/catalog/server/).

    Software

    Ensure that you have the installation media for the following software available before you begin this scenario:

    - Microsoft Windows Server 2003, Enterprise Edition, which contains the required Internet Information Services (IIS) service and ASP.NET components
    - Microsoft Exchange Server 2003, Standard Edition Server
    - Microsoft SQL Server 2000 with Service Pack 3
    - Identity Integration Feature Pack

    Setup Files

    All of the files required for this scenario are located in the \Scenarios\GALSynchronization folder on the Identity Integration Feature Pack installation media. You must copy these files into a C:\MIIS\GALSynchronization directory on the server running Identity Integration Feature Pack, as described in the following section.

    Setting Up the Scenario Computers

    The setup of the scenario computers consists of the following steps:

    - Setting up the Contoso forest computer
    - Setting up the Fabrikam forest computer
    - Creating the scenario folders on the scenario computers

    Set Up the Contoso Forest Computer

    Install the following software on the server computer that you will use to host the Connoa Active Directory forest:

    - Windows Server 2003, Enterprise Edition
    - Internet Information Services (IIS) service
    - ASP.NET
    - Active Directory
    - Exchange Server 2003
    - Identity Integration Feature Pack

    You will also be instructed to create a DNS conditional forwarder for the DNS Server service installed during the Active Directory installation procedure. This conditional forwarder will enable Identity Integration Feature Pack to locate the domain controller for the Fabnoa forest when creating the management agent for Fabrikam.

    To install and configure Windows Server 2003, Enterprise Edition

    1. From the Windows Server 2003, Enterprise Edition installation media, start Windows Server 2003, Enterprise Edition Setup.

    2. Follow the instructions to install Windows Server 2003, Enterprise Edition by using the values in Table 6.2. Respond to all other installation instructions with information that is appropriate for your computer or location. Unless indicated otherwise, accept the default value.

    Table 6.2 Windows Server 2003, Enterprise Edition Installation Options

    Option                                    | Value
    ------------------------------------------|----------------------------------------------------------------------
    Licensing Mode                            | Per Device or Per User
    Computer Name                             | connoa-dc-01
    Administrator password                    | Type a password and write it down.
    Windows Server 2003 Components (optional) | Management and Monitoring Tools, and then click Network Monitor Tools and Terminal Services.
    Remote administration mode                | Terminal Services Setup (if you chose to install this option above)
    Networking Settings                       | Typical
    Workgroup or Computer Domain              | No, the computer is not on a network, or on a network without a domain. (default) Note: You configure this computer as its own forest and domain when you install Active Directory.
