Contents

Overview 1
Introduction to Active Directory Interforest Synchronization 2
Using the Active Directory MA and TAMA in Interforest Synchronization
Implementing an Active Directory Interforest Synchronization Scenario 8
Lab A: Implementing Active Directory Interforest Synchronization 13
Review 15
# Module 9: Performing Active Directory Interforest Synchronization
© 2000 Microsoft Corporation. All rights reserved.
# Overview

- Introduction to Active Directory Interforest Synchronization
- Using the Active Directory MA and TAMA in Interforest Synchronization
- Implementing an Active Directory Interforest Synchronization Scenario
- Best Practices
The Microsoft® Active Directory™ management agent integrates Active Directory into a distributed network environment and manages Active Directory in multiple forests. The Together Administration management agent (TAMA) is a tool that extends the ability of a Microsoft Metadirectory Services (MMS) administrator to automate the addition of new entries in the metaverse namespace to all the other specified connector namespaces in the metadirectory. MMS version 2.2 allows administrators to use the Active Directory management agent and TAMA together to integrate and synchronize entries in multiple Active Directory forests.
At the end of this module, you will be able to:
- Describe the purpose of Active Directory interforest synchronization
- Describe the role that the Active Directory management agent and TAMA play in Active Directory interforest synchronization
- Use the Active Directory management agent and TAMA to implement an Active Directory interforest synchronization scenario
- Identify best practices for implementing the Active Directory management agent and TAMA to support interforest synchronization
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about managing enterprise data by using an Active Directory management agent and TAMA to synchronize data between multiple Active Directory forests.
# Introduction to Active Directory Interforest Synchronization

[Slide graphic: Forest A and Forest B, each containing several domains, joined by MMS for interforest synchronization]

- Integrate Active Directory with Older Applications
- Reduce Time Spent on Setting Up User Accounts
- Reduce Effort of Deploying Active Directory
- Provide Microsoft Exchange 2000 Integration
- Support Microsoft Exchange GAL Synchronization
- Synchronize Site and Subnet Information
An Active Directory forest is a group of one or more trees that contain one or more domains. All domains in a forest share a common schema, configuration partition, and global catalog. A forest acts as a boundary: two or more forests do not share any information. Not being able to share information between forests can present difficulties in the following situations:
- Acquisitions. If one organization acquires another organization, and both organizations have their own forests, there is no simple way to retain both forests and have them interoperate.
- Active Directory-enabled applications. Applications such as Microsoft Exchange 2000 that are Active Directory-enabled are restricted by the forest boundary. For example, an Active Directory forest can contain only a single Exchange 2000 organization.
- Business requirements. There may be business requirements, or rules, that require an organization to maintain separate forests while still requiring some level of interaction between the forests.
Topic Objective: To identify the purpose of Active Directory interforest synchronization.
By implementing MMS in a multiple-forest environment, you can achieve a level of interoperation between discrete forests that previously was unavailable. This interoperability can include the following:
- Integrating Active Directory with older applications that are critical to the business
- Reducing the amount of time spent in setting up user accounts
- Reducing the effort of deploying Active Directory
- Providing Microsoft Exchange 2000 integration
- Supporting Microsoft Exchange Server global address list (GAL) synchronization
- Synchronizing site and subnet information
# Using the Active Directory MA and TAMA in Interforest Synchronization

- Active Directory MA Controls Which Type of Object Is Created in Active Directory
- TAMA Controls Which Objects and Where Those Objects Are Created in Active Directory

[Slide graphic: user, computer, and contact entries in the metadirectory pass through TAMA to the Active Directory MAs, which create users, computers, and contacts in an Active Directory domain]
The two key components of MMS in an Active Directory interforest synchronization scenario are the Active Directory management agent and TAMA.
The Active Directory management agent controls the type of object that is created (users or contacts), while TAMA controls which objects are created and where those objects are created.
Topic Objective: To introduce the roles of the Active Directory management agent and TAMA in Active Directory interforest synchronization.
# Examining the Role of the Active Directory MA in Interforest Synchronization

- Object Types: The Active Directory MA can create objects such as users, contacts, universal distribution groups, and organizational units in Active Directory.
- User and Contact Configuration: The Active Directory MA is configured to create contacts by default. Use the msMMS-ManagedByMA attribute to create user objects rather than contacts.
- Group Management: The Active Directory MA creates universal distribution groups in Active Directory. A group is created as a contact if the hideDLMembership attribute is set to TRUE in a forest.
The Active Directory management agent is responsible for the discovery of a particular forest, as well as for object creation and attribute flow.

Topic Objective: To describe the role of the Active Directory management agent in Active Directory interforest synchronization.

Object Types
The Active Directory management agent can create the following objects in Active Directory:
- Users
- Contacts
- Universal distribution groups
- Organizational units
- Sites and subnets

User and Contact Configuration
The Active Directory management agent is configured to create contacts by default. If you want to create user objects rather than contacts, you need to assign the msMMS-ManagedByMA attribute to the entries that should be created as user objects. The msMMS-ManagedByMA attribute is a multivalued attribute that can be assigned the distinguished name of one or more Active Directory management agents. When an Active Directory management agent processes an entry and determines that the msMMS-ManagedByMA attribute contains its own distinguished name, it creates a user object rather than a contact, if required. When creating user and contact objects in Active Directory, you can configure the Active Directory management agent, if required, to modify the following properties:
- User's full name
- User's display name
- User's logon name
- User's initial password
- Contact's full name
- Contact's display name

When creating user objects, you can also configure the Active Directory management agent to create the users as either disabled or enabled. If you choose to create enabled users, you can also set the following options:
- Assign an initial password
- Require the user to change the password the first time they log on
- Prevent the password from being changed
- Set the password to never expire
If you want to use the password generation feature for enabled accounts, Secure Sockets Layer (SSL) must be enabled.
Group Management
By default, the Active Directory management agent creates universal distribution groups in Active Directory. In interforest environments, any group in a forest, regardless of scope or type, is created as a distribution group in the other forests. The Active Directory management agent can synchronize distribution group membership information between forests.
If a group in a forest has the hideDLMembership attribute set to TRUE, the group is created as a contact, rather than a universal distribution group, when it is created in another forest.
For native-mode Windows domains, you can convert groups from security to distribution groups after you create them. Group scope and type cannot be converted in mixed-mode domains.
By default, the Active Directory management agent does not flow the groupType attribute to groups. Not flowing the groupType attribute ensures that accidental changes in group scope and type do not occur. The Active Directory management agent does not allow you to convert group scope and type in its initial configuration process.
When you set the hideDLMembership attribute to FALSE for a group that has already been created as a contact in another forest, the Active Directory management agent does not convert the contact to a universal distribution group. In this case, you have to delete the contact and the connector, and then recreate the connector by using TAMA, which converts the connector to a group.
Note: MMS also supports Microsoft Exchange 2000 and other messaging systems, contacts, distribution lists, and memberships. In addition, MMS supports the use of Exchange 2000 connectors to Novell GroupWise, Lotus Notes, and Lotus cc:Mail.
# Examining the Role of TAMA in Interforest Synchronization

- Determining Which Objects to Create: TAMA account profiles are used to determine which objects are created.
- Determining Where to Create Objects: TAMA account resources are used to determine where those objects are created.
While the Active Directory management agent is responsible for determining the type of object to be created, TAMA is responsible for determining which objects are created and where those objects are created. TAMA account profiles are used to determine which objects are created, while TAMA account resources are used to determine where those objects are created.
Determining Which Objects to Create
When a TAMA management agent runs, it examines the metaverse namespace to determine which objects in the metaverse namespace TAMA should process. Whether TAMA should process an object in the metaverse namespace is determined by a TAMA account profile. A TAMA account profile contains one or more TAMA account resources. When a TAMA management agent runs, it examines the entries in the metaverse namespace; if a TAMA account profile is found, the entry or entries are processed by TAMA. If no account profile is found, the entry or entries are skipped.
Determining Where to Create Objects
When a TAMA management agent locates an account profile, it examines the account resource or resources that are contained within the profile. The account resource contains attributes that tell TAMA which management agent's connector namespace the object should be created in, and where in that connector namespace the object should be created.
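As an added example (not the course's or MMS's own code), the following Python models the division of labour described in this section and in the Active Directory MA section above: TAMA decides which metaverse entries are processed (an account profile applies) and where each is created (one account resource per target MA), while the Active Directory MA decides what type of object results (user or contact via msMMS-ManagedByMA, universal distribution group or contact via hideDLMembership, and the SSL requirement for password generation). The AccountResource fields, the tamaAccountProfile link attribute, the entry dictionaries and the forest names are constructed for illustration.

```python
from dataclasses import dataclass
UNIVERSAL_DISTRIBUTION_GROUP = 0x8   # universal flag without the security-enabled bit (0x80000000)

@dataclass
class AccountResource:      # one account resource inside a TAMA account profile (constructed shape)
    ma_dn: str              # which Active Directory MA's connector namespace to use
    container: str          # where in that connector namespace to create the object

def ad_ma_object_type(entry, ma_dn, ssl_enabled=False):
    """Object the Active Directory MA identified by ma_dn creates for a metaverse entry."""
    if entry["objectClass"] == "group":
        if entry.get("hideDLMembership", False):
            return {"class": "contact"}              # hidden DL membership: contact, not group
        # Any source group, whatever its scope or type, becomes a universal distribution group.
        return {"class": "group", "groupType": UNIVERSAL_DISTRIBUTION_GROUP}
    managed_by = [v.lower() for v in entry.get("msMMS-ManagedByMA", [])]
    if ma_dn.lower() not in managed_by:
        return {"class": "contact"}                  # only an MA listed in msMMS-ManagedByMA creates users
    if entry.get("createEnabled") and entry.get("generatePassword") and not ssl_enabled:
        raise RuntimeError("initial password generation for enabled users requires SSL")
    return {"class": "user", "enabled": bool(entry.get("createEnabled"))}

def plan_provisioning(entries, profiles, ssl_enabled=False):
    """TAMA step: process only entries with an account profile, one placement per
    account resource; AD MA step: decide the object type. Returns (placements, skipped)."""
    placements, skipped = [], []
    for entry in entries:
        profile = profiles.get(entry.get("tamaAccountProfile"))   # constructed link attribute
        if profile is None:
            skipped.append(entry["dn"])                  # no account profile: TAMA skips it
            continue
        for res in profile:
            obj = ad_ma_object_type(entry, res.ma_dn, ssl_enabled)
            placements.append((entry["dn"], res.ma_dn, res.container, obj["class"]))
    return placements, skipped

# Constructed sample: peer forests A and B, each with its own Active Directory MA.
MA_A, MA_B = "CN=AD-ForestA,CN=Management Agents", "CN=AD-ForestB,CN=Management Agents"
PROFILES = {"PeerForests": [AccountResource(MA_B, "OU=FromA,DC=b,DC=example"),
                            AccountResource(MA_A, "OU=FromB,DC=a,DC=example")]}
ENTRIES = [
    {"dn": "cn=alice,o=mv", "objectClass": "person", "tamaAccountProfile": "PeerForests",
     "msMMS-ManagedByMA": [MA_B]},               # user in forest B, contact in forest A
    {"dn": "cn=admins,o=mv", "objectClass": "group", "tamaAccountProfile": "PeerForests"},
    {"dn": "cn=hidden-dl,o=mv", "objectClass": "group", "tamaAccountProfile": "PeerForests",
     "hideDLMembership": True},
    {"dn": "cn=orphan,o=mv", "objectClass": "person"},   # no account profile: skipped
]
```

Running `plan_provisioning(ENTRIES, PROFILES)` shows the point of the two controls together: the same metaverse entry becomes a security principal only in the forest whose MA is named in msMMS-ManagedByMA, and a source security group never arrives as one.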
Note: For information about TAMA, see module 8, "Managing Enterprise Identity Using TAMA" in course 2062A, Implementing Microsoft Metadirectory Services 2.2.

Topic Objective: To describe the role of TAMA in Active Directory interforest synchronization.
# Implementing an Active Directory Interforest Synchronization Scenario

- Overview of the Active Directory Interforest Synchronization Scenario
- Examining the Implementation Requirements
- Implementing the Active Directory Interforest Synchronization Scenario
You can use the Active Directory management agent, in conjunction with TAMA, to solve various directory management issues involving Active Directory. Depending on the Active Directory infrastructure, the Active Directory management agent and TAMA are used together to implement the following types of scenarios in an enterprise:
- Enterprise integration scenario. Active Directory is integrated in a distributed multidirectory environment.
- Central account scenario. Active Directory is integrated in a centralized environment.
- Peer forests scenario. Active Directory is the only directory.
- Site and subnet synchronization scenario. Site and subnet information is synchronized between multiple peer forests.
You will examine how to implement and configure MMS to meet the needs of an Active Directory interforest synchronization scenario, such as the peer forests scenario. Once you understand the fundamental requirements, you can adapt the procedures and processes for implementing the peer forests scenario to match your particular needs.
Topic Objective: To introduce topics related to using the Active Directory management agent and TAMA to implement usage scenarios.