Contents

Overview
Overview of the Metadirectory Design and Development Process
Defining a Data Model
Developing a Join Strategy
Determining the Naming Structure
Determining the Physical Topology
Designing a Management and Security Strategy
with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.
Trang 3Instructor Notes
Instructor_notes.doc
# Overview

• Overview of the Metadirectory Design and Development Process
• Defining a Data Model
• Developing a Join Strategy
• Determining the Naming Structure
• Determining the Physical Topology
• Designing a Management and Security Strategy
During the MMS planning phase, you created a list of functional requirements for the proposed metadirectory. The next phase in the MMS planning and design process is to apply the results of that planning to the design and development of a metadirectory implementation that meets those functional requirements. During design and development, you create a blueprint, called a data model, which specifies how information will flow in and out of the metadirectory. You will then configure and test management agents to verify that the information flows as defined in the data model. Additionally, during this phase you will define the metadirectory namespace, the physical topology, and the metadirectory's management and security requirements.
After completing this module, you will be able to:
• Describe the process of designing and developing a metadirectory that meets the functional requirements of an organization.
• Design a data model of the metadirectory, the metaverse-connector space relationship, and attribute flows.
• Design and develop a strategy to join connected directories to the metadirectory.
In this module, you will learn about designing and developing a metadirectory based on a set of functional requirements.
# Overview of the Metadirectory Design and Development Process

[Slide figure: "Designing and Developing a Metadirectory Solution is an Iterative Process", showing the steps Define a Data Model, Determine a Naming Structure, Develop a Join Strategy, Determine the Physical Topology, Develop and Test MAs, and Design Management and Security Strategy.]
The metadirectory planning phase produced a set of functional requirements that specify the content, behavior, management, and security requirements of a metadirectory that meets the needs of an organization. Working with the deliverables from the planning phase, the next step is to design and develop the metadirectory. During this process, you will perform the following:
• Define a data model
  This consists of a detailed data model for the proposed metadirectory. The data model includes specifying the metadirectory-to-connected-directory relationships and designing the flow of attributes between the metadirectory and the connected directories.
• Develop a strategy for joining connected directories to the metadirectory
  This includes planning and testing the joining of connected directories to the metadirectory. A good join strategy reduces the number of entries that must be manually joined to the metadirectory.
• Create a naming structure for the metadirectory
  Defining the correct naming structure for your organization is critical because it affects the manageability, security, performance, and usability of the metadirectory.
• Define a physical metadirectory topology
  The physical topology of the metadirectory determines where to interconnect management agents to connected directories, and where to physically locate MMS servers to support access and management needs.
Topic Objective
To introduce the process of designing and developing a metadirectory.
Lead-in
• Develop and test management agents
  To meet the functional requirements of the proposed metadirectory, you may need to customize the management agents (MAs) included with MMS or develop new management agents. You will also have to test the management agents to verify whether they produce the expected metadirectory behavior and whether information flows properly among connected directories.
• Develop a management and security strategy
  You will need to determine the appropriate access controls that will enforce your administrative model.
The design and development of a metadirectory implementation consists of a set of related processes; it is not a linear set of tasks. Therefore, approach the design phase as an iterative prototyping, learning, and development process. You should experiment with metadirectory concepts, the connected directory environments, and the tools and functionality MMS provides to validate and then implement a solution that best addresses the functional requirements for your metadirectory.
# Mapping the Functional Requirements to Design and Development

[Slide figure: a two-column table, Design Phase and Functional Requirement, mapping each design phase to the planning-phase requirements it uses; the mapping is given in the table below.]
Each of the functional requirements that you identified during the metadirectory planning phase will be used during the design and development of the metadirectory. The following table identifies the phase in the design and development process in which each functional requirement is used:

Design Phase: Define a Data Model
Functional Requirements from Planning Phase:
• The attributes stored in each metadirectory entry
• The directory from which each attribute initially originates
• The directory that will be authoritative for each attribute

Design Phase: Develop a Join Strategy
Functional Requirements from Planning Phase:
• A list of directories to be integrated in the metadirectory
• The metadirectory entry types
• The naming convention for metadirectory entries

Design Phase: Determine a Naming Structure
Functional Requirements from Planning Phase:
• The metadirectory management method
• The metadirectory security policy
• The metadirectory entry types

Design Phase: Determine the Physical Topology
Functional Requirements from Planning Phase:
• The metadirectory management method
• The metadirectory security policy

Design Phase: Design Management and Security Strategy
Functional Requirements from Planning Phase:
• The metadirectory management method
• The metadirectory security policy
Topic Objective
To identify which design phase addresses the functional requirements developed during the planning process.
Lead-in
# Defining a Data Model

• The Data Model Is a Blueprint for the Metadirectory
  - Defines how MAs should be configured and operated
  - Defines how MAs function together to flow data into and out of the metadirectory
• The Data Model Specifies:
  - The strategy for initially populating the metadirectory
  - The mode in which each management agent is run
  - The attribute flow rules

The metadirectory data model defines how management agents need to be configured and operated to meet the content and behavior requirements that you determined during the metadirectory planning phase. When defining the data model, you will determine how the management agents function together to flow information into and out of the metadirectory. The data model provides a blueprint that guides you through the development and testing of management agents.
The metadirectory data model specifies the following:
• A strategy for how to initially populate the metadirectory with data from each connected directory.
• The mode in which each management agent is run to initially populate the metadirectory and to maintain the relationships between entries in the metadirectory and entries in each connected directory.
• The attribute flow rules that define how information flows between connected directories and the metadirectory. You must also design attribute flow in a way that defines and enforces which connected directory is authoritative for each attribute.
Topic Objective
To introduce the metadirectory data model.
Lead-in
# Assigning Modes to MAs

• Use Reflector Mode To:
  - Initially populate the metaverse namespace
  - Create foreign entries in connected directories
• Use Creator Mode To:
  - Populate a connected directory with entries from the metadirectory
  - Create foreign entries in connected directories
• Use Association Mode To:
  - Import attributes, but not entire entries, into the metaverse namespace
  - Add selective, unique attributes to entries in the metaverse namespace

Because a metadirectory system consists of two or more connected directories and their corresponding management agents, you must define how to configure and when to operate each management agent so that, collectively, all management agents work together to meet the content and behavior requirements of the proposed metadirectory.
Use the following guidelines to determine the appropriate mode to assign to each management agent:
• Use the Reflector mode to initially populate the metadirectory with the entries and attributes that were defined during the planning phase. For example, to build the metadirectory from an existing human resources (HR) database, operate the HR management agent in Reflector mode to populate the metadirectory with the HR data.
  You can also use the Reflector mode if your metadirectory requirements specify directory synchronization with email systems. In this scenario, you would use Reflector mode to create entries in the metadirectory from one email system, and then run the management agents for the other email systems in Creator mode to create foreign entries that originate in the first email system.
• Use the Creator mode to create native entries in a connected directory that correspond to entries in the metadirectory. Some directories, such as a simple phone list, can be populated by exporting entries from the metadirectory into a flat file. However, creating native entries in an email system or directory service database usually requires invoking management utilities outside the connected directory to create application resources, such as a mailbox or user account.
Topic Objective
To describe how to collectively configure the mode for each management agent in the metadirectory system.
Lead-in
• Use the Association mode if you want to import attributes from a connected directory, but do not want to create entries in that connected directory or import entire entries from it into the metaverse namespace. Association mode is also useful for importing a unique attribute that you want to include in metadirectory entries.
  For example, you may want to merge account information, such as a logon name, from a Windows NT directory into the metaverse namespace, but not create an entry in the metaverse namespace for every user account.
# Designing Attribute Flow

• The Attribute Flow Design Starts During the Planning Phase, Where You:
  - Determined which attributes will be stored in each metadirectory entry
  - Identified the connected directory in which each attribute originates
  - Identified the connected directory that will be authoritative for each attribute
• Configure and Operate Each Management Agent To Ensure that MAs Work Together to Meet the Metadirectory Requirements

After you assign modes to management agents, you will join entries from the connected directories into the metaverse namespace. After that, you will set up attribute flows to move information between the metadirectory and the connected directories.
During the planning phase, you established the design of the attribute flow by:
• Determining which attributes will be stored in each metadirectory entry
• Identifying the connected directory in which each attribute originates
• Identifying the connected directory that will be authoritative for each attribute
In the design phase, you need to configure and operate each management agent in a way that satisfies the metadirectory content and behavior requirements. Meeting these information flow requirements may simply be a matter of copying the contents of one attribute from one directory to another, perhaps under a different name. To achieve this type of attribute flow, you can use MMS Compass to configure the attribute flow.
However, if the flow involves calculating attribute values, such as unique IDs for new employees, then you will have to configure management agent templates.
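The two kinds of flow described above, a plain copy (possibly under a different attribute name) and a calculated value, together with enforcement of the authoritative directory for each attribute, as an added Python illustration. This is not MMS, Compass or management agent template code; the directory names (hr, nt, phonelist), the attribute names, the flow rules and the sample values are constructed for the example.

```python
"""Attribute flow with per-attribute authority.

Added illustration, not MMS code. Each FlowRule records what the planning
phase decided: where an attribute originates, what it is called in the
metaverse, and whether that directory is authoritative for it.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowRule:
    source_dir: str      # connected directory the value comes from (constructed name)
    source_attr: str     # attribute name in that directory
    mv_attr: str         # attribute name in the metaverse; may differ from the source name
    authoritative: bool  # whether source_dir is authoritative for mv_attr


# Constructed rules: HR is authoritative for identity data, the NT directory
# contributes only the logon name, and the phone list may supply a number
# but must never overwrite the one HR holds.
FLOW_RULES = [
    FlowRule("hr", "empno", "employeeID", True),
    FlowRule("hr", "fullname", "cn", True),            # copied under a different name
    FlowRule("hr", "dept", "department", True),
    FlowRule("hr", "tel", "telephoneNumber", True),
    FlowRule("nt", "samAccountName", "uid", True),
    FlowRule("phonelist", "tel", "telephoneNumber", False),
]


def apply_flow(mv_entry, source_dir, cs_entry, rules=FLOW_RULES):
    """Flow one connector-space entry into a metaverse entry.

    An authoritative rule always writes its value. A non-authoritative rule
    only fills an attribute that is still empty, so a lower-trust directory
    cannot replace what the authoritative directory provided.
    """
    updated = dict(mv_entry)
    for rule in rules:
        if rule.source_dir != source_dir or rule.source_attr not in cs_entry:
            continue
        if rule.authoritative or rule.mv_attr not in updated:
            updated[rule.mv_attr] = cs_entry[rule.source_attr]
    return updated


def build_metaverse(ma_runs, rules=FLOW_RULES):
    """Apply a sequence of (source_dir, connector-space entry) MA runs in order."""
    mv = {}
    for source_dir, cs_entry in ma_runs:
        mv = apply_flow(mv, source_dir, cs_entry, rules)
    return mv


def calculated_mail_nickname(mv_entry, taken):
    """A calculated attribute: derive a nickname from cn and make it unique.

    Stands in for the kind of flow the text says needs an MA template rather
    than a plain Compass attribute mapping; `taken` holds values already issued.
    """
    base = "".join(mv_entry["cn"].lower().split())
    candidate, n = base, 1
    while candidate in taken:
        n += 1
        candidate = f"{base}{n}"
    return candidate


# Constructed MA runs for one person. The phone list runs before HR and again
# afterwards with a stale value; only the HR number may survive.
SAMPLE_RUNS = [
    ("phonelist", {"tel": "+1 555 0100"}),
    ("hr", {"empno": "10042", "fullname": "Ann Example",
            "dept": "Finance", "tel": "+1 555 0199"}),
    ("nt", {"samAccountName": "aexample"}),
    ("phonelist", {"tel": "+1 555 0777"}),
]

if __name__ == "__main__":
    entry = build_metaverse(SAMPLE_RUNS)
    print(entry)
    print("mailNickname:", calculated_mail_nickname(entry, {"annexample"}))
```

Running the sample, the phone list fills telephoneNumber while it is empty, HR then overwrites it as the authoritative source, and the later stale phone-list value is ignored; this is what "enforces which connected directory is authoritative" amounts to in practice. The calculated nickname checks the values already issued before returning, which is the uniqueness guarantee a plain attribute copy cannot give.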
Topic Objective
To describe how to design attribute flow that meets the information flow requirements for the metadirectory.
Lead-in
# Developing a Join Strategy

To Develop a Join Strategy:
• Determine Which Directory Will Be the Prime Connector
• Join One or More of the Remaining Directories to the Prime Connector
• Customize One or More of the MAs to Use More Information
• Manually Join the Remaining Ambiguous Entries

During the planning phase, you identified the connected directories to integrate with the metadirectory, and what entry types to include. You will use these elements when you create a strategy to join connected directories. When creating a join strategy, the key is to select the best prime connector as the first directory to be reflected into the metaverse namespace, and then look for ways to match attributes from the other connected directories against attributes in the prime connector.
To avoid including ambiguous, or unmatched, entries in the metadirectory, carefully plan and test your strategy for joining connected directories to the metadirectory. This is especially beneficial if your directory data is not clean. Clean directory data exists where the logical entries are unique across multiple systems. Additionally, perform trial runs of your join strategy to further refine the process. By developing a strategy for joining connected directories, you will minimize the number of manual joins that you will have to perform.
To develop a join strategy:
• Identify the prime connector
  The prime connector is the first directory you reflect into the metadirectory.
  To select the prime connector, identify the directory that best represents
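The join strategy just described, run together with the three MA modes from "Assigning Modes to MAs", as an added Python simulation. It is not MMS code: the HR and Windows NT sample entries, the attribute names and the join rules are constructed for the example. HR is reflected as the prime connector, NT accounts are associated by trying join attributes from strongest to weakest, and a phone list is created from the result.

```python
"""Join strategy simulation: Reflector, Association and Creator modes.

Added illustration, not MMS code. All directory data below is constructed.
"""
from copy import deepcopy

# Prime connector (HR). Two entries share a name so that a name-only join
# cannot decide between them.
HR_DIRECTORY = [
    {"employeeID": "10042", "cn": "Ann Example", "mail": "ann@example.com",
     "department": "Finance", "telephoneNumber": "+1 555 0101"},
    {"employeeID": "10043", "cn": "Bob Example", "mail": "bob@example.com",
     "department": "Sales", "telephoneNumber": "+1 555 0102"},
    {"employeeID": "10044", "cn": "Bob Example", "mail": "robert@example.com",
     "department": "IT", "telephoneNumber": "+1 555 0103"},
]

# Windows NT accounts. The data is deliberately not clean: some accounts carry
# an employee number, some only a mail address, some only a display name.
NT_DIRECTORY = [
    {"samAccountName": "aexample", "empno": "10042", "mail": None, "fullName": "A. Example"},
    {"samAccountName": "bexample", "empno": None, "mail": "bob@example.com", "fullName": "Bob Example"},
    {"samAccountName": "rexample", "empno": None, "mail": None, "fullName": "Bob Example"},
    {"samAccountName": "svc_backup", "empno": None, "mail": None, "fullName": "Backup Service"},
]

# Join rules as (metaverse attribute, NT attribute), strongest first. The first
# rule that yields any candidates decides; weaker rules are never consulted
# after a stronger one has produced a result.
JOIN_RULES = [("employeeID", "empno"), ("mail", "mail"), ("cn", "fullName")]


def reflect(prime_entries, key="employeeID"):
    """Reflector mode: every prime-connector entry becomes a metaverse entry."""
    return {entry[key]: deepcopy(entry) for entry in prime_entries}


def associate(metaverse, cs_entries, join_rules, cs_attr="samAccountName", mv_attr="uid"):
    """Association mode: join connector-space entries to existing metaverse
    entries and flow a single attribute onto them. Never creates entries;
    unmatched or ambiguous entries are returned for manual joining."""
    joined, manual = [], []
    for cs in cs_entries:
        candidates = []
        for mv_key, cs_key in join_rules:
            value = cs.get(cs_key)
            if value is None:
                continue
            candidates = [k for k, mv in metaverse.items() if mv.get(mv_key) == value]
            if candidates:
                break
        if len(candidates) == 1:
            metaverse[candidates[0]][mv_attr] = cs[cs_attr]
            joined.append(cs[cs_attr])
        else:
            reason = "no match" if not candidates else "ambiguous: " + ", ".join(sorted(candidates))
            manual.append((cs[cs_attr], reason))
    return joined, manual


def create(metaverse, attrs=("cn", "telephoneNumber")):
    """Creator mode: populate a simple phone list (a flat file) from the metaverse."""
    return [{a: mv[a] for a in attrs if a in mv} for mv in metaverse.values()]


def run_join_strategy():
    """Reflect HR, associate NT accounts, then create the phone list."""
    metaverse = reflect(HR_DIRECTORY)
    joined, manual = associate(metaverse, NT_DIRECTORY, JOIN_RULES)
    phone_list = create(metaverse)
    return metaverse, joined, manual, phone_list


if __name__ == "__main__":
    mv, joined, manual, phone_list = run_join_strategy()
    print("joined automatically:", joined)
    print("manual joins required:", manual)
    print("phone list:", phone_list)
```

Two accounts join automatically (one on employee number, one on mail address); the account known only as "Bob Example" is reported as ambiguous between two HR entries, and the service account is reported as unmatched. Neither is guessed at, because a wrong automatic join would attach one person's logon name to another person's metaverse entry, and because Association mode means an account with no HR counterpart gets no metaverse entry at all. The manual list is exactly the residue the text says a good join strategy should keep small.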
Topic Objective
To describe the principles for developing a strategy to join connected directories to the metadirectory.
Lead-in