Contents
Overview
Introduction to Advanced MA Configuration
Lab A: Creating and Configuring an Active
Review
Module 6: Performing Advanced Management Agent Configuration
2000 Microsoft Corporation. All rights reserved.
Overview
• Creating Inclusion and Exclusion Filters
• Processing Foreign Entries
a Generic management agent to gather information from a connected directory that is not supported by a specific predefined management agent. In addition, in a predefined management agent, you can manage changes to metadirectory data, configure inclusion and exclusion filters to process connected directory entries selectively, and process foreign entries.
At the end of this module, you will be able to:
• Describe advanced management agent configuration options.
• Manage changes to metadirectory data.
In this module, you will learn about performing advanced management agent configuration.
Introduction to Advanced MA Configuration
[Slide: Configure MAs for Specific Requirements. The metadirectory contains the metaverse namespace and several connector namespaces. Management agents shown: Exchange Server 5.5 MA, Active Directory MA, Generic MA. Connected directories shown: SQL Server, Exchange Server 5.5, Active Directory.]
When creating a management agent, you typically use a predefined management agent. A predefined management agent provides the components required to extract information from a connected directory (for example, e-mail systems, network operating systems, and other directory systems) into files, synchronize those files with the metadirectory, and produce updated files containing changes that are sent to the connected directory. After creating the management agent, you can use the advanced configuration options in that management agent to fine-tune functionality, depending on the requirements of your organization.
All management agents consist of a control script that determines what happens when you run the management agent. The control script specifies a series of programs that are run on the MMS Server and provides the parameters that management agents need from the metadirectory to update connected directories.
There are three phases of management agent operations: discovery, synchronization, and update. Each of these phases is under the control of a management agent control script. The configuration options in all of these phases vary by management agent type. Some of the configuration options, such as Prime Namespace, metaverse namespace renaming, and inclusion and exclusion filters, are common to all types of management agents. However, there are other configuration options that are specific to a particular management agent.
MMS contains several predefined management agents. Some examples of predefined management agents are Generic, Microsoft Exchange Server 5.5, and Active Directory. The following is a brief list of some of the specific configuration options that can be set for Generic, Microsoft Exchange Server 5.5, and Active Directory management agents:
• When configuring Generic management agents, the advanced configuration options include specifying advanced discovery parameters, Foreign Users parameters, and New Users Creation parameters.
• When configuring Lightweight Directory Access Protocol (LDAP) management agents, such as Microsoft Exchange Server 5.5, the advanced configuration options include the advanced discovery parameters, such as single-level searches versus subtree searches, and using anti-trawling measures. The LDAP management agents also include options for the list of display names, managing Exchange Server 5.5 custom recipients, creating new mailboxes, and the list of LDAP attributes to discover.
• When configuring Active Directory™ directory service-based management agents, the advanced configuration options include specifying a list of domains to discover, and a list of objects to create.
Managing Changes to Metadirectory Data
[Slide: Configure the Management Agent dialog box, shown twice.
Mode and Namespace Management tab: Metaverse Location (o=Focus Inc,c=US); Management Agent Mode (Reflector, Association, Creator); "Select this management agent as the 'Prime Namespace'".
Metaverse Renaming tab: Effect of CD Name Changes, with the option "Don't reflect CD name changes in the metaverse" (Normally, a CD name change in a reflector management agent updates the metaverse name accordingly. This option suppresses this behavior.); Connected Directory Anchor Attribute, with the field "Name of your CD Anchor Attribute" (The Connected Directory Anchor Attribute is used to recognize Connected Directory namespace changes; it remains constant when, for example, a surname changes or a person moves from one organization to another).
Callouts: Determines the Location of an Entry Creation in the Metaverse; Disables the Default Behavior of MA; Ties Together the Object Entries in a Connector Namespace and a Connected Directory.]
The location of an entry in the connector namespace can differ from the location of the corresponding entry in the metaverse namespace due to a difference in the organizational structure. MMS allows you to configure management agent options, such as Prime Namespace and Metaverse Renaming, to handle the task of matching the entries in the metaverse namespace and the connector namespace.
Designating a Prime Namespace
Designating a management agent that operates in Reflector mode as Prime Namespace allows the management agent to take precedence over the other management agents when naming entries in the metaverse namespace. For example, if you have two management agents operating in Reflector mode that have different metaverse namespace naming rules that are used to establish the distinguished name, the Prime Namespace management agent determines where the entry is created in the metaverse namespace.
Prime Namespace creates the same organizing structure in the metaverse namespace that is in the connector namespace. If the organizing structure changes, or if an object’s distinguished name changes in the connector namespace, the changes will also occur in the metaverse namespace.
You can also designate Prime Namespace if you have other management agents that use the function $SET_REFLECTION(“ON/OFF”) in their Construction templates, and you want to override management agents’ distinguished name rules for placing object entries in the metaverse namespace and a join is not possible.
Enabling Metaverse Renaming
If a person in a connected directory changes his or her name (due to marriage or a data entry error) or changes another distinguished name component (such as organizational unit), the management agent may treat the entry as representing a different person. This would trigger a deletion of the old record and the addition of a new record. It can become difficult or impossible for the management agent to relate that person to an existing entry, based on the old name in the metaverse namespace. The Connected Directory Name Changes and Anchor Attribute options on the Metaverse Renaming tab help solve this problem.
• Connected Directory Name Changes. The same person may have a different name in the metaverse namespace and in the connected directory. In such a situation, a management agent in Reflector mode normally renames the entry in the metaverse namespace to correspond to the connected directory name, no matter what the flow rules. Selecting the Don't reflect CD name changes in the metaverse option disables this default behavior.
  The name is the most specific part of the entry's distinguished name, that is, its relative distinguished name. Changes to the other parts of a distinguished name are controlled by the Prime Namespace setting.
• Anchor Attribute. An anchor attribute is used to associate connector namespace object entries and connected directory object entries. A unique attribute in the connected directory, such as an employee ID, is the best candidate to establish as an anchor attribute.
Not configuring an anchor attribute to associate the connector namespace and connected directory entries can be problematic. Without an anchor attribute, MMS uses the distinguished name to associate the connector namespace entry to the connected directory entry. For example, if an employee changes her name (that is, through marriage or divorce), you want the metaverse namespace and connector namespace entries to be renamed. Because the distinguished name changed, MMS will delete the connector namespace entry for the old name and then insert a new connector namespace entry for the new name. The delete and insert may be problematic because it may result in lost data during the deletion.
Important: The anchor attribute for a given connected directory must be a unique identifier with respect to that connected directory. The unique identifier must not change throughout the lifetime of an object.
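The difference between associating entries by distinguished name and by an anchor attribute can be seen in a small simulation. This is an added example, not MMS code or part of the course material; the `sync` function, the sample entries, and the `metaverse_link` attribute (standing in for data held only on the metadirectory side) are assumptions made for illustration.

```python
# Added example (not from the course material): DN-based versus anchor-based
# association of connector namespace entries with connected directory entries.
# All entries and the "metaverse_link" attribute are constructed for illustration.

OLD = {"dn": "cn=Ann Lee,ou=Sales,o=Focus Inc,c=US", "employeeID": "E1001"}
NEW = {"dn": "cn=Ann Park,ou=Sales,o=Focus Inc,c=US", "employeeID": "E1001"}


def sync(connector, cd_snapshot, key):
    """Reconcile connector namespace entries with a connected directory snapshot.

    connector   -- dict mapping association key -> entry dict (updated in place)
    cd_snapshot -- entry dicts as currently present in the connected directory
    key         -- attribute that ties the two sides together
    Returns the ordered list of operations that were performed.
    """
    keys = [entry[key] for entry in cd_snapshot]
    if len(keys) != len(set(keys)):
        # The association key must be unique within the connected directory.
        raise ValueError(f"{key!r} is not unique in the connected directory")

    ops = []
    # Entries whose key vanished from the connected directory are deleted,
    # together with everything stored only on the connector side.
    for gone in sorted(set(connector) - set(keys)):
        ops.append(("delete", connector.pop(gone)["dn"]))

    for entry in cd_snapshot:
        current = connector.get(entry[key])
        if current is None:
            connector[entry[key]] = dict(entry)
            ops.append(("add", entry["dn"]))
        elif current["dn"] != entry["dn"]:
            ops.append(("rename", current["dn"], entry["dn"]))
            current.update(entry)      # connector-side attributes survive
        else:
            current.update(entry)
    return ops


def demo(key):
    """Run one rename through sync() using `key` for association."""
    connector = {OLD[key]: dict(OLD, metaverse_link="mv-42")}
    ops = sync(connector, [NEW], key)
    survivor = connector[NEW[key]]
    return ops, survivor.get("metaverse_link")


if __name__ == "__main__":
    print(demo("dn"))          # delete followed by add; the link is lost
    print(demo("employeeID"))  # a single rename; the link is kept
```

The `ValueError` branch reflects the requirement that the anchor be unique: a duplicated anchor value would make two connected directory entries collapse onto one connector namespace entry.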
Creating Inclusion and Exclusion Filters
[Slide: Configure the Management Agent dialog box, Inclusions and Exclusions tab, with the tabs Metadirectory, Connected Directory, Foreign Entries, and New Accounts, and the Exclusions and Inclusions boxes. Exclusion rules shown on the slide:]
    message 100
    $embedded ("groupOfNames",$v_objClass) = T
    $v_ldapObject ! LIST
    message 101
    $embedded ("Remote-Address",$v_objClass) = T
    $MA($zcExchangeExcludeCustomRecipients) = TRUE
[Callouts: Exclusion Rules; Filter is Applied to the Import File; Filter is Applied to the Metaverse Namespace; Filter is Applied to the Connector Namespace; Filter is Applied to Any Metaverse Namespace Portion that is Dragged.]
The exclusion filter specifies which entries in the import file extracted from the connected directory during the discovery phase must not be included in the metadirectory update. The inclusion and exclusion filters can be used in place of each other, or along with each other.
The inclusion and exclusion filters consist of a series of rules that are labeled message #. The rules contain one or more conditional statements written in the template language. There is an implicit AND between each condition in a condition group, and there is an implicit OR between each group. Inclusions are processed before exclusions.
There are different filters for each phase of an update cycle. The type of entries being updated identifies these filters. The following list describes the different filters for each phase of an update cycle:
• Metadirectory. This filter is applied to the import file when you update the metadirectory.
• Connected Directory. This filter is applied to the connector namespace when you construct a create file to send to a connected directory.
• Foreign Entries. This filter is applied to the metaverse namespace when you create an export file to send to a connected directory.
• New Accounts. This filter is applied to any portion of the metaverse namespace that you drag to the connector namespace to create new connected directory accounts.
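The rule semantics described above (AND inside a condition group, OR between groups, inclusions before exclusions) can be modeled as follows. This is an added example written with Python predicates, not the MMS template language or MMS code; the sample entries, the `exclude_custom_recipients` flag, and the choice that an empty inclusion filter lets every entry through are assumptions.

```python
# Added example (not MMS code): models the rule semantics described above with
# Python predicates. Entries, attribute names and the flag are constructed.

def has_class(name):
    """Condition: the entry's object classes contain `name`."""
    return lambda entry: name in entry["objectClass"]


def matches(entry, groups):
    """AND within a condition group, OR between groups."""
    return any(all(cond(entry) for cond in group) for group in groups)


def apply_filters(entries, inclusions, exclusions):
    """Process inclusions first, then exclusions; return (kept, dropped)."""
    kept, dropped = [], []
    for entry in entries:
        if inclusions and not matches(entry, inclusions):
            dropped.append((entry["dn"], "not included"))
        elif matches(entry, exclusions):
            dropped.append((entry["dn"], "excluded"))
        else:
            kept.append(entry["dn"])
    return kept, dropped


IMPORT_FILE = [  # constructed sample entries
    {"dn": "cn=Ann Lee,ou=Sales,o=Focus Inc,c=US", "objectClass": ["organizationalPerson"]},
    {"dn": "cn=Sales Staff,ou=Sales,o=Focus Inc,c=US", "objectClass": ["groupOfNames"]},
    {"dn": "cn=Vendor Contact,ou=Sales,o=Focus Inc,c=US", "objectClass": ["Remote-Address"]},
    {"dn": "cn=Printer 3,ou=Sales,o=Focus Inc,c=US", "objectClass": ["device"]},
]


def run(exclude_custom_recipients):
    """Filter IMPORT_FILE with three inclusion groups and two exclusion groups."""
    inclusions = [
        [has_class("organizationalPerson")],
        [has_class("groupOfNames")],
        [has_class("Remote-Address")],
    ]
    exclusions = [
        [has_class("groupOfNames")],
        # Both conditions in this group must hold (implicit AND).
        [has_class("Remote-Address"), lambda entry: exclude_custom_recipients],
    ]
    return apply_filters(IMPORT_FILE, inclusions, exclusions)
```

Returning the dropped entries with a reason makes it possible to review what a filter change removes from a synchronization run before the change is applied.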
Topic Objective: To create inclusion and exclusion filters to process connected directory entries selectively.
Lead-in: Explain briefly what foreign entries are. If students want more information about foreign entries, ask them to see the “Processing Foreign Entries” topic in this module.
Delivery Tip: Demonstrate how to set inclusion and exclusion filters for the metadirectory, connected directory, foreign entries, and new accounts.
Configuring Specific Management Agents
• Configuring the Active Directory MA
You can configure a management agent by editing templates and scripts within the predefined management agent. After you configure specific options on a particular management agent, you will have a one-of-a-kind management agent that works on one server with a specific connected directory.
A few examples of the common management agents used by MMS administrators are Generic, Exchange Server 5.5, and Active Directory.
To learn more about the advanced configuration options in the other predefined management agents, see appendix A, “Advanced Configuration Options in Predefined MAs,” on the Student Materials compact disc.
Configuring the Generic MA
[Slide: Create Management Agent dialog box (Name the Management Agent; Type of the Management Agent, with choices including Banyan VINES Management Agent, Generic Management Agent, Lotus cc:Mail Management Agent, and Lotus NOTES Management Agent; Create and Cancel buttons) and the Configure the Management Agent dialog box. Callouts: Information on Accessing the Connected Directory; Information on Creating New Users in the Connected Directory.]
Modifying the Generic Control Script
After creating a Generic management agent, you can enhance the functionality in the existing Generic management agent by modifying the generic control script. A control script controls the directory update and synchronization process. It can base its execution sequence on the values of management agent attributes, such as the options in the Operate the Management Agent dialog box. The control script typically uses management agent attributes to provide parameters, such as the location of the connected directory.
The control script is written in the ZScript language and interpreted by ZScript.exe, the ZScript interpreter. The ZScript language contains elements, such as the IF…THEN…ELSE structure, necessary to control the execution of a management agent's components. The ZScript language is not the same as the template language and has no access to template functions. The ZScript language allows the control script to access the management agent's attributes by enclosing the attribute name in percent signs, %attribute%. %attribute% is replaced by its current value before running the script.
Show the students an example control script in a Generic management agent. Explain the code used in the example.
The control script is modified to specify the discovery mechanism the custom management agent will use, create foreign users, and create new users.
To view a sample control script, in the Design MA dialog box, click Control MA Operations, and then click MA Control Script.
For more information about ZScript, see appendix B, “The ZScript Language,” in the MMS Management Agent Toolkit Manual.
Configuring Advanced Options in the Generic Management Agent
The following table describes the advanced parameters that you can set for a Generic management agent.
Parameters | Description
Discovery Parameters | Create a control script to provide the management agent with all of the information, such as server name, server address, and password, that it needs to access the connected directory.
Foreign Users | Create a control script to provide the management agent with all of the information, such as special domains or post offices to be used and e-mail address formats, that it needs to add foreign users to the connected directory.
New Users Creation | Create a control script to provide the management agent with all of the information it needs to create new users in the connected directory. The information includes where to create users in a multiserver environment, and default information for all new users, such as admin group and preferred mailbox.
Configuring the Exchange Server 5.5 MA
[Slide: Create Exchange Server 5.5 Predefined MA. Create Management Agent dialog box (Name the Management Agent; Type of the Management Agent, with choices including Microsoft Active Directory Management Agent, Microsoft Exchange (LDAP-based) Management Agent, Microsoft Exchange (MAPI-based) Management Agent, and Microsoft NT Management Agent; Create and Cancel buttons). Configure the Management Agent dialog box, Connected Directory Specifics tab, with the tabs Discovery, Mode and Namespace Management, Advanced, Display Names, Custom Recipients, Mailbox Creation, and Attributes to Discover. Callouts: Specify Size and Time Limits and the Level of Searches; Management of Custom Recipients (foreign users); Limit the LDAP Discovery Task; Create Display Names for Custom Recipients and New Accounts; Configure a New Mailbox.]
You need to create an instance of the Exchange Server 5.5 predefined management agent when you want to integrate information from Exchange Server 5.5 into the metadirectory, or update information in Exchange Server 5.5 from the metadirectory, or both. When you create an Exchange Server 5.5 predefined management agent, you need to configure some advanced parameters by selecting the appropriate tab under the Connected Directory Specifics tab in the Configure the Management Agent dialog box.
Configuring Advanced Discovery Parameters
You can configure some advanced discovery parameters, such as size and time limits of the searches, and the scope of searches to simplify the discovery operation. The following table describes the advanced parameters that you can set for an Exchange Server 5.5 predefined management agent.
Perform sub-tree searches | Enable this option to specify entire subtrees in each search request instead of single-level searches.
Perform recursive single-
explain all the advanced configuration options that are specific to the predefined Exchange Server 5.5 management agent
(continued)
Parameter | Description
Always use anti-trawling | Enable this option to specify search requests on the anti-trawling character set. The anti-trawling character set is the sequence of characters that determines how the search operates. For example, you can issue search requests for records whose name begins with the specified characters in the order specified.
Consider person and list entries as non-leaf nodes | Enable this option to search for records to be included in the metadirectory that reside below a person entry (for example, contacts) or a list entry in the connected directory. By default, an LDAP search stops at a person entry in a subtree.
Requested object classes | Specify which object classes correspond to the Users, Tree Structure entries (Orgs), and Lists discovery types.
DNs to exclude during the discovery | Specify the distinguished names to exclude from a connected directory. The connected directory object and all its children are ignored during discovery.
Configuring Display Names
To specify how display names are created for custom recipients and new accounts, you set the display name parameters. The following table describes the display name parameters that you can set for an Exchange Server 5.5 predefined management agent.
Parameter | Description
Display Name Configuration | Select one of the display formats to parse Exchange display names into their components on import.
Metaverse DN Projection | Specify how to create metaverse relative distinguished names. The default is to use the Exchange common name attribute plus the Exchange Rdn attribute.
Configuring Exchange Custom Recipient Management
To specify the management of custom recipients (also called foreign users), you set the Exchange Server 5.5 custom recipient management parameters. The following table describes the custom recipient management parameters that you