Classic Metadirectory Walkthrough: Implementation Steps

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Classic Metadirectory Overview

  2. Scenario Design

  3. Lab Setup

Scenario Walkthrough

This scenario walkthrough describes how to use Microsoft Identity Integration Server 2003 to create the management agents (MAs) used in the scenario, run the MAs to import data into Microsoft Identity Integration Server 2003, and then check the results in the metaverse.

The steps in this walkthrough use the Identity Manager to administer the MAs and view the contents of the metaverse. You will create the MAs in the following order:

  1. Fabrikam HR MA

  2. Fabrikam LDAP Data Interchange Format (LDIF) MA

  3. Fabrikam AD MA

  4. Fabrikam Sun ONE Directory Server 5.1 MA

  5. Fabrikam Telephone MA

The steps involved in creating and using each MA in this scenario demonstrate features of Microsoft Identity Integration Server 2003 and the Identity Manager. The steps for the different MAs adhere to the following outline:

  1. Configure the MA.

  2. Create a profile to run the MA.

  3. Review the results of the MA process to verify that the MA configuration is correct.

The Fabrikam HR MA

The purpose of the Fabrikam HR MA is to manage the flow of data from the Fabrikam HR system into Microsoft Identity Integration Server 2003. No data from the HR system will be directly exported to the other connected data sources.

You do not need to set the attribute precedence on the Fabrikam HR MA because it is the first MA to import data into Microsoft Identity Integration Server 2003. Attribute precedence will be set when you create the Fabrikam LDAP Data Interchange Format (LDIF) MA. The HR system is authoritative for all its attributes except telephoneNumber and displayName.

In this step of the walkthrough, you will perform the following tasks:

  1. Create the Fabrikam HR MA and run profile.

  2. Run the Fabrikam HR MA using the run profile.

  3. Verify the results of the Fabrikam HR MA run.

Create the Management Agent

When you create the Fabrikam HR MA you will use the management agent for SQL Server 7.0 or 2000. Using this management agent to create the Fabrikam HR MA involves the following steps:

  1. Create a management agent

  2. Connect to database

  3. Configure columns

  4. Configure a connector filter

  5. Configure join and projection rules

  6. Configure attribute flow

  7. Configure deprovisioning

  8. Configure extensions

Creating the Fabrikam HR MA does not require that you configure MA settings for each of these steps.

To create the Fabrikam HR MA

  1. Open Identity Manager.

  2. On the Tools menu, click Management Agents.

  3. On the Actions menu, click Create.

  4. In Create Management Agent, in Management agent for, select SQL Server 7.0 or 2000.

  5. In Name, type Fabrikam HR MA.

  6. In Description, type a description for the management agent.

  7. Click Next.

  8. In Connect to Database, in Server, type the SQL server name or the IP address and port number.

  9. In Database, type the database name MIIS_Scenario_CM.

  10. In Table/View, type the table name EmployeeData.

  11. In Authentication mode, select SQL authentication or Windows integrated authentication, and then type a user account, password and logon domain. You may use the Domain Admin account. For Windows integrated authentication, you may substitute the computer name of the server for the domain.

  12. Click Next.

  13. In Configure Columns, under Columns, verify that all of the attributes that are contained in the database table/view appear in the list.

    The table below lists the attributes that should be contained in the database table EmployeeData.

| Name | Native Type | Limit | Nullable | Type |
| --- | --- | --- | --- | --- |
| c | DBTYPE_WSTR | 3 | No | String |
| co | DBTYPE_WSTR | 50 | No | String |
| company | DBTYPE_WSTR | 50 | No | String |
| branchID | DBTYPE_WSTR | 5 | No | String |
| displayName | DBTYPE_WSTR | 50 | No | String |
| employeeID | DBTYPE_WSTR | 10 | No | String |
| fileAs | DBTYPE_WSTR | 50 | No | String |
| givenName | DBTYPE_WSTR | 50 | No | String |
| samAccountName | DBTYPE_WSTR | 20 | No | String |
| sn | DBTYPE_WSTR | 50 | No | String |
| telephoneNumber | DBTYPE_WSTR | 20 | No | String |
| title | DBTYPE_WSTR | 30 | No | String |
| hireDate | DBTYPE_DBTIMESTAMP | 16 | No | String |
| employeeType | DBTYPE_WSTR | 20 | No | String |
| employeeStatus | DBTYPE_WSTR | 10 | No | String |
| manager | DBTYPE_WSTR | 10 | Yes | String |

  1. In Configure special attributes, click Set Anchor.

  2. In Set Anchor dialog, in Available attributes, click the employeeID attribute, and then click Add.

    The employeeID attribute is the only attribute from the HR system that is unique and immutable. It is the primary key for the table and will be the only anchor attribute for this MA.

  3. Click OK.

  4. Scroll down the list of attributes until you locate the manager attribute.

  5. Click Edit.

  6. Select Reference (DN), then click OK.

  7. Click Next.

  8. On the Configure Connector Filter page, you are not required to modify any settings.

  9. Click Next.

  10. On the Configure Join and Projection Rules page, click New Projection Rule.

  11. In the Projection dialog box, in Projection type, select Declared.

  12. In Metaverse object type, click person, as shown in the figure below.

    Figure 1.5: Projection Type Dialog Box

  13. To add the projection rule, click OK.

  14. Click Next.

  15. On the Configure Attribute Flow page, in Build Attribute Flow, in Data source object type, select person.

  16. In Data source attribute, select the branchID as the connected directory attribute that you want to map.

  17. To specify a simple attribute flow where the connected directory attribute is mapped to a metaverse attribute as a whole, click Direct (default setting).

  18. In Metaverse object type, click the metaverse object type person.

  19. In Metaverse attribute, click the metaverse attribute department.

  20. In Flow Direction, to specify the connected directory attribute to have precedence over the metaverse attribute, click Import.

  21. Click New.

  22. Continue mapping the attributes until you have completed all of the mappings shown in the table below.

| HR System (Employee Data object) | Metaverse (person object) | Mapping Type | Flow |
| --- | --- | --- | --- |
| branchID | department | Direct | Import |
| c | c | Direct | Import |
| co | co | Direct | Import |
| company | company | Direct | Import |
| employeeID | employeeID | Direct | Import |
| employeeStatus | employeeStatus | Direct | Import |
| employeeType | employeeType | Direct | Import |
| fileAs | displayName | Direct | Import |
| givenName | givenName | Direct | Import |
| manager | manager | Direct | Import |
| sn | sn | Direct | Import |
| telephoneNumber | telephoneNumber | Direct | Import |
| title | title | Direct | Import |

  1. Click Next.

  2. On the Configure Deprovisioning page, you are not required to modify any settings. Click Next.

  3. On the Configure Extensions page, you are not required to modify any settings.

  4. Click Finish to create the Fabrikam HR MA.

Run the Management Agent

Before running the Fabrikam HR MA, you will create a run profile. The Fabrikam HR MA will be performing a full import and delta synchronization of the data from the HR system, and therefore you will use the Full Import and Delta Synchronization step in the run profile. The Full Import and Delta Synchronization step will run a full import of all objects included in the connected data source import file you specify.

To create the Fabrikam HR MA run profile

  1. On the Tools menu, click Management Agents.

  2. In Management Agents, click Fabrikam HR MA.

  3. On the Actions menu, click Configure Run Profiles.

  4. On the Configure Run Profiles for Fabrikam HR MA page, click New profile.

  5. In Configure Run profile, on the Profile name page, in Name, type Full Import for the name of the run profile, and then click Next.

  6. In Configure Run Profile, on the Configure Step page, in Specify step type, in Type, click Full Import and Delta Synchronization.

  7. In Threshold, ensure that Specify number of objects to process is not selected.

    The threshold number of objects to process is used for testing. It will let you import a portion of a table and verify the results before importing the entire table. When the option is not selected, Microsoft Identity Integration Server 2003 will process the entire table.

  8. Click Next.

  9. On the Management agent configuration page, in Partition, select default.

  10. Click Finish, and then click OK.

To run the Fabrikam HR MA

  1. On the Tools menu, click Management Agents.

  2. In the Management Agents, click the Fabrikam HR MA management agent.

  3. On the Actions menu, click Run.

  4. On the Run Management Agent page, in Run profiles, click the Full Import run profile, and then click OK.

    While the MA is running, the status in the State column in the Management Agents view will indicate Running. After the MA is finished running, the status will switch to Idle.

Verify Results

After the Fabrikam HR MA has run the Full Import run profile, you can verify that the import has performed correctly by using Operations and Metaverse Search in Identity Manager.

Use Operations to Verify Run Profile Results

Operations is used to display and keep status on each run of a management agent. For every management agent run, information is logged, including the time of the run, the success of the run, synchronization statistics and errors. You will use Operations to view the run history of the Fabrikam HR MA and confirm that the import operation performed correctly.

To view the run history of the Fabrikam HR MA

  1. On the Tools menu, click Operations.

  2. In Management Agent Operations, click the Fabrikam HR MA management agent.

  3. In Synchronization Statistics, under Staging, the Adds statistic should be 100.

    This indicates that 100 new objects were added to the connector space.

  4. Under Inbound Synchronization, the Projections and Connectors with Flow Updates statistics should each be 100.

    This indicates that 100 new objects were added to the Microsoft Identity Integration Server 2003 metaverse.

Use Metaverse Search to Verify Run Profile Results

By using Metaverse Search, you can search the metaverse for objects, attributes, or values. All metaverse attributes can be used as search criteria in Metaverse Search. You will use Metaverse Search to search for the 100 objects that should now be in the metaverse.

Additionally, a search filter is provided in the files that came with this scenario. The file name is CM emp active.qry.

To use Metaverse Search to verify that an MA operation has performed correctly:

  • Identify the object attributes you want to see in the search results.

  • Set up the criteria for your search.

  • Execute the search and review the results.

To create a Metaverse Search query

  1. On the Tools menu, click Metaverse Search.

  2. In Metaverse Search, in Scope by Object Type, select person.

  3. On the Actions menu, click Column Settings.

  4. In Search Result Columns Settings, in Available Columns, add the following attributes to the Selected Columns by selecting the attribute from the list on the left and clicking Add (as shown in the figure below):

    • givenName

    • sn

    • telephoneNumber

    • employeeID

    • employeeStatus

    • mail

    • description

    • comment

      Figure 1.6: Fabrikam HR MA Metaverse Search Columns Settings

  5. Click OK.

  6. On the Actions menu, click Add Clause.

  7. In Attribute, click employeeStatus.

  8. In Operator, click Equals.

  9. In Value, type active.

  10. On the Actions menu, click Search.

  11. After the search is completed, you should see 100 objects listed in Search Results.

  12. To sort the results by their givenName attribute, click the givenName column heading.

  13. To view the details of any object in the search results, double-click the object in the Search Results.

  14. In Metaverse Object Properties, click the Connectors tab, as shown in the figure below.

Figure 1.7: Connectors Tab

The Connectors tab shows information about the connector space objects that exist for this metaverse object. This shows that the Fabrikam HR MA has a connector object.

Note

In the object properties dialog box, you can see that the displayName attribute has the syntax lastname, firstname. In this scenario, you want the displayName to have firstname lastname as its syntax. This will be corrected later in the scenario.

The Fabrikam LDAP Data Interchange Format MA

The Fabrikam LDAP Data Interchange Format MA is configured for both group and person object types. The LDAP Data Interchange Format file from the Fabrikam Exchange system contains both distribution lists and mailboxes. The distribution lists will be imported to the metaverse as group objects, and the mailboxes will be imported as person objects.

In this step of the walkthrough, you will perform the following tasks:

  1. Create the Fabrikam LDAP Data Interchange Format MA.

  2. Configure attribute precedence for the Fabrikam LDAP Data Interchange Format MA.

  3. Run the Fabrikam LDAP Data Interchange Format MA run profile.

  4. Verify the results.

During the configuration of the Fabrikam LDAP Data Interchange Format MA, you will also learn how to set up join rules to join import objects to objects in the metaverse. In this scenario, you will join objects from the Exchange system to objects that were projected to the metaverse from the HR system.

The Fabrikam LDAP Data Interchange Format MA configuration is different than the Fabrikam HR MA configuration performed previously. In the Fabrikam LDAP Data Interchange Format MA configuration, you will configure attribute precedence to establish the rules that determine whether the values of the HR or Exchange system take precedence in the event of a conflict.

Create the Management Agent

When you create the Fabrikam LDAP Data Interchange Format MA, you will use the management agent for LDAP Data Interchange Format (LDIF) to perform the following tasks:

  1. Create a management agent

  2. Select template input file

  3. Configure attributes

  4. Map object types

  5. Define object types

  6. Configure partitions

  7. Configure a connector filter

  8. Configure join and projection rules

  9. Configure attribute flow

  10. Configure deprovisioning

  11. Configure extensions

To create the Fabrikam LDAP Data Interchange Format MA

  1. On the Tools menu, click Management Agents.

  2. On the Actions menu, click Create.

  3. In Management agent for, click LDAP Data Interchange Format (LDIF).

  4. In Name, type Fabrikam LDAP Data Interchange Format MA.

  5. Click Next.

  6. In Template Input File, click Browse.

  7. Locate and select the fabrikam-exchange-sample-file.ldif sample file provided with the scenario.

    If you copied the scenario files from the Microsoft Identity Integration Server 2003 installation media, the file should be located in the following directory:

    C:\Scenarios\ClassicMetadirectory

  8. Click Next.

  9. Under Attributes, verify that all of the attributes that are contained in the template file appear in the list, as shown in the table below.

| Name | Type | Multi-valued |
| --- | --- | --- |
| Company | String | No |
| Extension-Attribute-1 | String | No |
| Extension-Attribute-2 | String | No |
| Home-MTA | String | No |
| MAPI-Recipient | String | No |
| Cn | String | No |
| Co | String | No |
| department | String | No |
| distinguishedName | String | No |
| facsimileTelephoneNumber | String | No |
| givenName | String | No |
| Mail | String | No |
| mailPreferenceOption | String | No |
| memberOf | String | No |
| mobile | String | No |
| otherMailbox | String | Yes |
| pager | String | No |
| Rdn | String | No |
| rfc822Mailbox | String | No |
| Sn | String | No |
| telephoneNumber | String | No |
| textEncodedORaddress | String | No |
| Title | String | No |
| Uid | String | No |
| Report-To-Originator | String | No |
| Report-To-Owner | String | No |
| member | String | Yes |

  1. Click Set anchor.

  2. Select the Use distinguished name as anchor attribute check box.

  3. In this scenario, the mailbox is never moved and always stays in the Recipient container. Therefore, you can use the distinguished name (DN) as an anchor. When a template file contains a DN that you want to use as an anchor attribute, you select the Use distinguished name as anchor attribute option.

  4. Click OK.

  5. On the Configure Attributes page, scroll down the list of attributes and select the member attribute from the Attributes list.

  6. Click Edit to open the Edit Attribute dialog box, as shown in the following figure.

    Figure 1.8: Edit Attribute Dialog Box

  7. From Type, select Reference (DN).

  8. Ensure that the Attribute is multi-valued check box is selected.

  9. Click OK, and then click Next.

  10. Do not modify the settings on the Map Object Types page.

  11. Click Next.

  12. Do not modify the settings on the Define Object Types page.

  13. Click Next.

  14. On the Configure Partitions page, in Manage partitions, click Add.

    The LDAP Data Interchange Format MA will have two partitions: one for individual mailboxes and one for the distribution lists.

  15. In the Add Partition dialog box, in Partition Name, type mailboxes.

  16. Click OK.

  17. In Manage Partitions page, click Add again.

  18. In the Manage Partition dialog box, in Partition Name, type distributionlists.

  19. Click OK.

  20. In the Partition column, configure the following:

    • For organizationalPerson, select mailboxes from the partition drop-down list.

    • For groupOfNames, select distributionlists from the partition drop-down list.

  21. On the Configure Partitions page, in Manage partitions, select default, and then click Remove.

  22. Click Next.

  23. Do not modify the settings on the Configure Connector Filter page.

  24. Click Next.

  25. On the Configure Join and Projection Rules page, in the Data Source Object Type column, click the groupOfNames connected directory object.

    This step is performed to configure the MA to handle both projection to the metaverse and to join data where appropriate. In this scenario, groupOfNames represents the Exchange distribution lists. You will project all of the Exchange distribution lists into the metaverse.

  26. Click New projection rule.

  27. Select Declared.

  28. In Metaverse object type, select group.

  29. Click OK.

  30. In Data Source Object Type, click organizationalPerson.

    The HR system will have information that is duplicated in the Exchange server. For example, both systems have givenName included in the attributes list. In this scenario, you want to join the information from these two systems in the metaverse. This join will be done by using the organizationalPerson object type from the Exchange import. You will set up the rule to match givenName and sn to the corresponding attributes in the metaverse.

  31. Click New Join Rule.

  32. From Metaverse object type, click person.

  33. In Mapping Type, click Direct.

  34. In both Data source attribute and Metaverse attribute, click sn.

  35. Click Add Condition. A dialog will appear, warning that you are attempting a join mapping with a non-indexed metaverse attribute. Click OK to continue.

  36. In both Data source attribute and Metaverse attribute, click givenName.

  37. Click Add Condition (and click OK when the same warning dialog appears).

  38. On Join Rule for organizationalPerson, click OK.

  39. Click the plus sign (+) next to Mapping Group 1 to view details.

  40. Click Next.

  41. On the Configure Attribute Flow page, in Build Attribute Flow, in Data source object type, click the organizationalPerson data source object type.

    As you did with the Fabrikam HR MA, you will map the attribute flow for the LDAP Data Interchange Format (LDIF) MA. The LDAP Data Interchange Format MA has two types of attributes to map: those that appear on organizationalPerson objects (mailboxes) and those that appear on groupOfNames objects (distribution lists). By having two types of attributes to map, the Fabrikam LDAP Data Interchange Format MA requires that you perform the step twice.

  42. In Mapping Type, click Direct.

  43. In Metaverse object type, click person.

  44. In Data source attribute, click rdn.

  45. In Flow Direction, click Import.

  46. In Metaverse attribute, click displayName.

  47. Click New.

  48. Continue mapping the person attributes until you have completed all of the mappings listed in the table below.

| Exchange Attribute | Metaverse Attribute | Mapping Type | Flow Direction |
| --- | --- | --- | --- |
| rdn | displayName | Direct | Import |
| Mail | mail | Direct | Import |
| uid | mailNickname | Direct | Import |
| uid | uid | Direct | Import |

  1. From Metaverse attribute, click comment. This will flow the DN part selected to the metaverse comment attribute.

  2. In Mapping Type, click Advanced.

  3. Click New to create the new mapping.

    Saving the name of the container, or some other part of the hierarchy, in a metaverse attribute can reduce the complexity of programming code required to parse the DN in rules extensions, or in other cases where the hierarchy determines some action to be taken. The mapping of DN parts solves the problem of saving container names without requiring a rules extension.

    Next, you will map DN parts to save the name of the Exchange container where each recipient exists to the comment attribute of their metaverse entry.

  4. Click Distinguished name, and then in Component, click the location number 2 where the name of the container object recipients exists in the distinguished name (DN) string.

    The second DN part, Recipients, is where the mailbox exists in the Exchange system.

  5. Click OK.

  6. In Data source object, click groupOfNames.

  7. In Mapping Type, click Direct.

  8. In Flow Direction, click Import.

  9. In Metaverse object type, click group.

  10. Complete the mapping of the group attributes by using the Exchange group mapping in the table below (refer to the above section for the DN part mapping).

| Exchange Attribute | Metaverse Attribute | Mapping Type | Flow Direction |
| --- | --- | --- | --- |
| rdn | displayName | Direct | Import |
| Mail | mail | Direct | Import |
| member | member | Direct | Import |
| uid | mailNickname | Direct | Import |
| uid | uid | Direct | Import |
|  | description | Advanced – Distinguished name Component 2 | Import |

  1. Click Next.

  2. Do not modify the settings on the Configure Deprovisioning page.

  3. Click Next.

  4. On the Configure Extensions property page, click Finish to create the Fabrikam LDAP Data Interchange Format (LDIF) MA.

Establish Attribute Flow Precedence

Because information in the HR and Exchange systems is duplicated, the attributes in the metaverse have more than one potential source. Both the HR and Exchange systems contain the displayName attribute. Consequently, in this part of the Fabrikam LDAP Data Interchange Format MA configuration, you will establish rules in Microsoft Identity Integration Server 2003 that determine which of the systems take precedence when there is a conflict.

To establish the attribute flow precedence

  1. On the Tools menu, click Metaverse Designer.

  2. In Metaverse Designer, in Object types, click the person object, which contains the displayName attribute.

    The metaverse attributes listed under Attributes are scoped by the Metaverse Object Type selected in the upper pane.

    The Import Flow column under Attributes indicates the number of connected directories that can potentially flow values into a given attribute.

  3. In Object Types, click person.

  4. Under Attributes, click displayName.

  5. On the Actions menu, click Configure Attribute Flow Precedence.

    You will establish attribute flow precedence rules that allow you to specify that the Exchange server is the authoritative source for displayName and will overwrite values in the metaverse.

  6. Select either of the MAs listed in the dialog box.

  7. Click the up or down arrow to move the MAs to the order in the table below.

| Metaverse Attribute | Management Agent Name | Rank |
| --- | --- | --- |
| displayName | Fabrikam LDAP Data Interchange Format MA | 1 |
| displayName | Fabrikam HR MA | 2 |

  1. Click OK.

Run the Management Agent

The completed Fabrikam LDAP Data Interchange Format MA and the attribute precedence rules you created can now be used to create run profiles for importing the data from the Exchange LDIF files into Microsoft Identity Integration Server 2003. Before running the Fabrikam LDAP Data Interchange Format (LDIF) MA, you must copy the Exchange LDIF files to the Fabrikam LDAP Data Interchange Format MA working folder.

Every MA has its own working folder that is created when the MA is created. MAs process input and audit drop files in MA working folders. The working folder has the same name as the MA. If the MA is renamed, the working folder is also renamed. If the MA is deleted and the working folder contains data, it is renamed to mark it as a deleted directory.

All MA working folders are located in the Microsoft Metadirectory Services installation folder, under the MaData directory. For example, if you installed Microsoft Identity Integration Server 2003 on the C drive of the local server, the MA working folders are located in the following folder:

C:\Program Files\Microsoft Identity Integration Server\MaData

You must copy two Exchange LDIF files to the LDAP Data Interchange Format MA working folder:

  • Exchange mailboxes: fabrikam-exchange-users.ldif

  • Exchange distribution lists: fabrikam-exchange-groups.ldif

These two files are used to import data into the two partitions of the Fabrikam LDAP Data Interchange Format MA.

If you followed the setup instructions for this scenario, the required files are located in the following directory on the server running Microsoft Identity Integration Server 2003:

C:\Scenarios\ClassicMetadirectory

Copy these files to the following directory on the server running Microsoft Identity Integration Server 2003:

C:\Program Files\Microsoft Identity Integration Server\MaData\Fabrikam LDAP Data Interchange Format MA

Create the Run Profiles

To create the Fabrikam LDAP Data Interchange Format MA run profiles, perform the following tasks:

  1. Create the run profile to supervise the import of mailboxes.

  2. Create the run profile to supervise the import of distribution lists.

To create the Fabrikam LDAP Data Interchange Format MA run profiles

  1. First, create the Fabrikam LDAP Data Interchange Format MA mailboxes run profiles. On the Tools menu, click Management Agents.

  2. In Management Agents, click the Fabrikam LDAP Data Interchange Format MA.

  3. On the Actions menu, click Configure Run Profiles.

  4. Click New profile.

  5. In Configure run profile, on the Profile name page, in Name, type the name Full Import Mailboxes for the run profile, and then click Next.

  6. On the Configure Step page, in Specify step type, in Type, click Full Import and Delta Synchronization.

  7. Ensure that Set log file options is None and that the Specify number of objects to process checkbox is not selected.

  8. Click Next.

  9. In Partition, click mailboxes.

  10. In Input file name, type fabrikam-exchange-users.ldif or click Select to locate the file.

  11. Click Finish, and then click OK.

    After you create the Fabrikam LDAP Data Interchange Format MA mailboxes run profile, create the distribution lists run profile.

  12. On the Tools menu, click Management Agents.

  13. In Management Agents, click the Fabrikam LDAP Data Interchange Format MA.

  14. On the Actions menu, click Configure Run Profiles.

  15. Click New profile.

  16. In Configure run profile, on the Profile name page, in Name, type the name Full Import DLs for the run profile, and then click Next.

  17. In Configure Run Profile, on the Configure Step page, in Specify step type, in Type, click Full Import and Delta Synchronization.

  18. Click Next.

  19. In Partition, click distributionlists.

  20. In Input file name, type fabrikam-exchange-groups.ldif or click Select to locate the file.

  21. Click Finish, and then click OK.

Run the Management Agent

After you create the run profiles associated with the Fabrikam LDAP Data Interchange Format (LDIF) MA, import your Exchange data by running the run profiles. After you run the run profiles, use Operations to check the results.

To run the Fabrikam LDAP Data Interchange Format MA run profiles

  1. First, run the Full Import Mailboxes run profile. In Management Agents, under Management Agents, click Fabrikam LDAP Data Interchange Format MA.

  2. On the Actions menu, click Run.

  3. In the Run Management Agent dialog box, click the Full Import Mailboxes run profile.

  4. To run the run profile with the Fabrikam LDAP Data Interchange Format MA, click OK.

  5. Running a run profile from the client user interface (UI) will cause the Run Management Agent dialog box to close and return you to the Management Agents view.

  6. Now run the Full Import DLs run profile. In the Management Agents view, under Management Agents, wait until the Fabrikam LDAP Data Interchange Format MA State column switches to Idle.

  7. The status will switch to Idle when the Full Import mailboxes run profile has finished running.

  8. In the Management Agents view, click the Fabrikam LDAP Data Interchange Format MA.

  9. On the Actions menu, click Run.

  10. Click the Full Import DLs run profile, and then click OK.

Verify Results

To verify the run profile results for the Fabrikam LDAP Data Interchange Format (LDIF) MA, use Operations and Metaverse Search in the Identity Manager.

Use Operations to Verify Run Profile Results

By using Operations, you can see how many objects were added to the connector space and how many objects were added to the metaverse. You will verify the mailboxes and distribution lists (DLs) run profile results.

To verify the mailboxes and DLs run profiles by using Operations

  1. On the Tools menu, click Operations.

  2. Click the Fabrikam LDAP Data Interchange Format MA with the run profile name Full Import Mailboxes.

    The Staging section of Synchronization Statistics should show 50 Adds.

    This indicates that 50 new objects were added to the connector space when you ran the Full Import Mailboxes profile. The number 50 and the word Adds are both hyperlinks. Click either of the hyperlinks. The links display the Object Details dialog box, which shows the distinguished names of the objects that were added in this run.

    The Inbound synchronization statistics should show 50 Joins and 50 Connectors with Flow Updates.

    This indicates that all of the 50 imported mailboxes were joined to an object in the metaverse.

  3. Click the Fabrikam LDAP Data Interchange Format MA with the run profile name Full Import DLs.

    The Staging synchronization statistics should show 4 Adds.

    This indicates that 4 new objects were added to the connector space.

    The Inbound synchronization statistics should show 4 Projections and 4 Connectors with Flow Updates.

    This indicates that all 4 of the imported distribution lists have been created as new objects in the metaverse.

  4. Click the underlined 4 or Connector with Flow Updates to activate the hyperlink. This shows the 4 groups that were processed.

  5. Click the entry that has cn=dep001,cn=Recipients,ou=MIIS,o=MS as its Distinguished Name and then click the Properties button. This displays the connector space object that corresponds to this entry.

  6. Click the ellipsis (...) button in the Value column for the member attribute.

    Because this is a multi-valued attribute, the multiple values of the member attribute do not appear in the list with the other attribute values. Clicking the ellipsis displays the members of this group.

    The View attribute values dialog box shows the values for this attribute.

  7. Click Close to close the View Attribute Values dialog box.

  8. Click Close to close the Connector Space Object Properties dialog box.

  9. Click Close to close the Object Details dialog box.

Use Metaverse Search to Verify Run Profile Results

By using Metaverse Search, you can search the metaverse for objects that were added by using the Fabrikam HR MA, and then verify that the attributes for those objects display the data and relationships introduced by using the Fabrikam LDAP Data Interchange Format (LDIF) MA.

The Metaverse Search filter settings for the search that you performed after running the Fabrikam HR MA are stored in the user profile of the user currently logged into Microsoft Identity Integration Server 2003. When you restart the Identity Manager, the last filter is loaded from the profile of the user. Additionally, Metaverse Search filters can be saved to a file.

Note

To save a Metaverse Search query, from the Actions menu, click Export Query.

  1. In the Microsoft Identity Integration Server 2003 Identity Manager, in the Tools menu, click Metaverse Search.

    You should still see the search filter and search results from the Fabrikam HR MA. If not, refer to the search steps in the Fabrikam HR MA section to re-create it.

  2. Beneath the Actions menu, click Search.

    After the search is completed, you should see 100 objects listed in the Search Results list box.

  3. Double-click the entry with the displayName of Amity Harty.

The mail and mailNickname attribute values are now set on this object, as they are for every individual who has a mailbox in the Fabrikam Exchange system. 50 individuals have mailboxes in Exchange and 50 individuals have mailboxes in the Sun ONE Directory Server 5.1 system. The values for the mail and mailNickname attributes reach their joined objects based on the attribute flow that you configured while creating the Fabrikam LDAP Data Interchange Format (LDIF) MA.

You can also see that the displayName attribute now has the desired syntax of firstname lastname. This syntax is a result of the attribute precedence rules configured when creating the Fabrikam LDAP Data Interchange Format (LDIF) MA. The Fabrikam LDAP Data Interchange Format MA took precedence over the existing displayName attribute that was imported by using the Fabrikam HR MA. As with the mail and mailNickname attributes, displayName was only corrected for the 50 users that have mailboxes in the Exchange system.

Finally, notice that the comment attribute now shows the name of the container in the Exchange system in which the user's mailbox is located (Recipients).

View Connector Objects

To obtain a thorough understanding of the data flow involved in Microsoft Identity Integration Server 2003, view the connector space objects from which the metaverse attributes are derived.

To view the connector objects and the connector space objects for a metaverse object

  1. In the Metaverse Object Properties dialog box for Amity Harty, click the Connectors tab.

    There are now two connector objects for this metaverse object: one connector object from the Fabrikam HR MA connector space and one connector object from the Fabrikam LDAP Data Interchange Format MA connector space.

    You can also see how the connector objects were created. The connector object for the Fabrikam HR MA was created as a result of a projection rule, and the connector object for the Fabrikam LDAP Data Interchange Format MA was created as a result of a join rule.

  2. Under Management Agent, select Fabrikam LDAP Data Interchange Format MA.

  3. Click Properties.

  4. Under Value, click the ellipsis button next to the otherMailbox attribute.

    The View Attribute Values dialog box shows all values for multi-valued attributes.

  5. Click Close until all dialog boxes are closed.

The Fabrikam AD MA

The Fabrikam AD MA will be used to import user objects into the metaverse from the Fabrikam Active Directory. After the user objects are in the metaverse, that data will be used to populate group memberships in Active Directory by using the Microsoft Identity Integration Server 2003 export feature. You will also configure attribute precedence for the Fabrikam AD MA because it maintains authority for the uid attribute, which is also used by the Exchange system.

In this step of the walkthrough, you will perform the following tasks:

  1. Create the Fabrikam AD MA.

  2. Configure attribute precedence flow for an Active Directory attribute.

  3. Monitor Microsoft Identity Integration Server 2003 performance by using Performance Monitor.

  4. Run the Fabrikam AD MA.

  5. Verify the results.

Create the Management Agent

When you create the Fabrikam AD MA, you will use the management agent for Active Directory. To use this management agent to create the Fabrikam AD MA, perform the following tasks:

  1. Create a management agent

  2. Connect to an Active Directory forest

  3. Configure directory partitions

  4. Select object types

  5. Select attributes

  6. Configure a connector filter

  7. Configure join and projection rules

  8. Configure attribute flow

  9. Configure deprovisioning

  10. Configure extensions

You will create and configure the Fabrikam AD MA so that information can flow from Active Directory into Microsoft Identity Integration Server 2003 without the use of a dump file. In addition, the Fabrikam AD MA is unique to this scenario in that it is the only MA that exports an attribute to a connected directory.

To create the Fabrikam AD MA

  1. In Identity Manager, from the Tools menu, click Management Agents.

  2. On the Actions menu, click Create.

  3. From Management agent for, click Active Directory.

  4. In Name, type Fabrikam AD MA.

  5. Click Next.

  6. In Forest name, type fabnoa.fabcorp.fabrikam.com.

    If you named your Active Directory forest something other than fabnoa.fabcorp.fabrikam.com, type your forest’s name in the text box.

  7. Type the Administrator’s credentials for the fabnoa.fabcorp.fabrikam.com forest.

  8. Click Next.

  9. Under Directory Partition, select the Fabrikam directory partition DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com from the list.

Note

If you click Show All, you will see the DomainDNSZones and ForestDNSZones application directory partitions. In Windows Server 2003, these partitions are used to limit the replication scope of DNS zones stored in Active Directory. Application directory partitions are a new feature available only in Windows Server 2003 forests. The DNS zone for the fabnoa.fabcorp.fabrikam.com domain name is stored in the application directory partition DomainDNSZones, which will replicate its DNS data to only those domain controllers running the DNS Server service in the Active Directory domain fabnoa.fabcorp.fabrikam.com.

  10. Under Select Containers, click Containers.

  11. In Select Containers, clear the checkbox for the topmost entry, which will clear the checkboxes next to all containers shown.

  12. Expand the container that matches the local server name.

  13. Expand the container named ClassicMetadirectory under the container for the local server name.

  14. Expand the Fabrikam container to view its Groups and Users containers created earlier during the lab setup for this scenario.

  15. Click the checkbox next to the Fabrikam container, as shown in the figure below.

    Figure 1.9   Select Containers

  16. Click OK.

  17. Click Next.

  18. From the Object types list, click group and user object types.

  19. Microsoft Identity Integration Server 2003 preselects domainDNS, organizationalUnit, and container because they are required to provide the hierarchy context for the objects the MA will discover.

  20. Click Next.

  21. Click Show All.

  22. Select the following attributes from the list: cn, employeeid, mail, member, sAMAccountName.

  23. Click Next.

  24. Do not make any changes to the Configure Connector Filter settings. Click Next.

  25. Under Data Source Object Type, click user.

  26. Click New Join Rule.

    The following steps create a join rule for the User object type. After you complete this rule, you will then create a join rule for the Group object type.

  27. From Metaverse object type, click person.

  28. In both the Data source attribute and Metaverse attribute lists, click employeeid.

  29. Click Add Condition.

  30. Click OK.

  31. On Configure Joins and Projection Rules, from Data Source Object Type, click group.

  32. Click New Join Rule.

  33. From Metaverse object type, click group.

  34. In both the Data source attribute and Metaverse attribute lists, click mail.

  35. Click Add Condition.

  36. Click OK.

  37. Click Next.

    Because this MA imports both Person object types and Group object types, you will need to map attributes in two steps. First perform the Person object type mapping.

  38. On the Configure Attribute Flow page, in Data source object type, click user.

  39. From Metaverse object type, click person.

  40. In Mapping Type, click Direct.

  41. In Flow Direction, click Import.

  42. Create the attribute mappings indicated in the table below.

| Data Source Attribute | Metaverse Attribute | Mapping Type | Flow Direction |
|---|---|---|---|
| sAMAccountName | uid | Direct | Import |
| cn | cn | Direct | Import |

  43. For both the Data source object type and Metaverse object type, click group.

  44. Verify that Direct is selected for the Mapping Type and that Import is selected for the Flow Direction.

  45. Create the attribute mappings indicated in the table below.

| Data Source Attribute | Metaverse Attribute | Mapping Type | Flow Direction |
|---|---|---|---|
| cn | cn | Direct | Import |
| sAMAccountName | uid | Direct | Import |
| member | member | Direct | Export |

Note

The Flow Direction for the member attribute should be Export rather than Import. Group memberships are managed in the Exchange system and exported to Active Directory.

  46. Click Next.

  47. Do not make any modifications to the Configure Deprovisioning settings, and then click Next.

  48. Do not make any modifications to the Configure Extensions settings, and then click Finish.

Establish Attribute Flow Precedence

Attribute flow precedence will be set for the uid metaverse attribute because the attribute is used by both the Active Directory and Exchange connected data sources. Active Directory is the authoritative source for this attribute, and attribute flow precedence will be assigned to Active Directory to ensure that the value from Active Directory is used regardless of whether the Fabrikam LDAP Data Interchange Format MA has already imported the attribute.

To configure attribute flow precedence for Active Directory

  1. In Metaverse Designer, in Object types, click person.

  2. In Attributes, click uid.

  3. In Actions, click Configure attribute flow precedence.

  4. In the Configure attribute flow precedence dialog box, click a management agent with the source attribute, and then click the up or down arrow to adjust the ranking of the Management Agents to match the ranking listed in the table below.

| Metaverse Attribute | Management Agent Name | Rank |
|---|---|---|
| uid | Fabrikam AD MA | 1 |
| saMAccountName | Fabrikam LDAP Data Interchange Format MA | 2 |

  5. Click OK.

Use Performance Logs and Alerts

Windows Server 2003 obtains performance data from components in your server. As a system component performs work on your system, it generates performance data. That data is described as a performance object and is typically named for the component generating the data. For example, the Processor object is a collection of performance data about processors on your system.

Before running the Fabrikam AD MA, configure the Performance console to view MA performance.

To configure the Performance console to view Fabrikam AD MA performance

  1. To open the Performance console, click Start, point to Administrative Tools, and then click Performance.

  2. With System Monitor selected, click the View Report button, or type Ctrl+R.

  3. Click + (add), or type Ctrl+I.

  4. In Performance object, click Microsoft Identity Integration Server.

  5. Click All Counters.

  6. Click Select Instances from list.

  7. From the list of instances, click Fabrikam AD MA.

  8. Click Close.

  9. Do not close the Performance console.

Once the Fabrikam AD MA is run, you will use the Performance console to view the activity of the performance counters.

Run the Management Agent

The Fabrikam AD MA run profile will perform two actions:

  • Import attributes from Active Directory into the metaverse

  • Export the member attribute from the metaverse and use that attribute to populate Active Directory

You will create a single run profile to perform both of these actions.

Create the Run Profile

To create the Fabrikam AD MA run profile, perform the following tasks:

  1. Configure the import from Active Directory to the metaverse.

  2. Configure the export from the metaverse to Active Directory.

  3. Run the Full Import-Export run profile.

To create the Fabrikam AD MA run profile

  1. On the Tools menu, click Management Agents.

  2. In Management Agents, click Fabrikam AD MA.

  3. On the Actions menu, click Configure Run Profiles.

  4. In Configure Run Profiles for Fabrikam AD MA, click New profile.

  5. In Configure Run Profile, on the Profile name page, in Name, type Full ImportExport, and then click Next.

  6. In Configure Run Profile, on the Configure Step page, in Specify step type, in Type, click Full Import and Delta Synchronization.

  7. Click Next.

  8. On the Management agent configuration page, in Partition, select the distinguished name (DN) for the Active Directory domain fabnoa.fabcorp.fabrikam.com (for example, DC=fabnoa,DC=fabcorp,DC=fabrikam,DC=com).

  9. Click Finish.

    After you configure the import, configure the export for the same run profile.

  10. In Configure Run Profiles for Fabrikam AD MA, in Management agent run profiles, click the Full ImportExport run profile, and then click New step.

  11. In Configure Run Profile, on the Configure Step page, in Specify step type, in Type, click Export.

  12. Click Next.

  13. On the Management agent configuration page, in Partition, select the distinguished name (DN) for the Active Directory domain fabnoa.fabcorp.fabrikam.com.

  14. Click Finish. Verify that the run profile is configured as shown in the figure below.

    Figure 1.10   Run Profiles for Fabrikam AD MA

  15. Click OK.

Run the Management Agent

After you create the Fabrikam AD MA run profile, import your Active Directory data into the metaverse and export the metaverse data by running the run profile. While the run profile is running, use the Performance console to view the activity of the performance counters. After running the run profile, use Operations to check the results.

To run the Fabrikam AD MA run profile

  1. On the Tools menu, click Management Agents.

  2. In Management Agents, click Fabrikam AD MA.

  3. On the Actions menu, click Run.

  4. In Run Management Agent, in Run profiles, click the Full ImportExport run profile, and then click OK.

  5. Switch to Performance to view the activity of the performance counters while the Fabrikam AD MA is running.

Verify Results

You will use Operations in the Identity Manager to verify the run profile results for the Fabrikam AD MA.

Use Operations to Verify Run Profile Results

By using Operations, you can see how many objects were imported to and exported from the metaverse. First, verify the statistics for the import step of the run profile. Next, verify the statistics for the export step of the run profile.

To verify the run profile by using Operations

  1. On the Tools menu, click Operations.

  2. Click Fabrikam AD MA with the run profile name Full ImportExport.

In the lower pane, you can see two steps to this profile: Step 1, which runs the full import; and step 2, which runs an export.

The results of Step 1 should show the following:

  • The Staging synchronization statistics for Step 1 should show 110 Adds. This indicates that 110 new objects were added to the connector space: 100 users, 4 groups, 5 organizationalUnit objects, and one domainDNS object. The organizationalUnit and domainDNS objects remain disconnector objects, but they are required to complete the namespace hierarchy used by the Active Directory connected data source.

  • The Inbound Synchronization statistics for Step 1 should show 104 Joins. This indicates 104 connector space objects were joined to metaverse objects and that import attribute flow rules were used on these objects.

The results of Step 2 should show the following:

  • The Export statistics for Step 2 should show 4 Updates. This indicates that the 4 member attributes were exported from Microsoft Identity Integration Server 2003 and that the Active Directory groups were successfully populated with the members metaverse attribute.

To view the successful membership information update

  1. Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Navigate to the Groups container under the container that matches the local server name.

  3. Double-click one of the groups to confirm that it was populated with members.

    Figure 1.11: Active Directory Users and Computers

    The four Active Directory groups were created during the setup of the scenario. After running the Fabrikam AD MA profile, the groups are no longer empty.

The Fabrikam Sun ONE Directory Server 5.1 MA

The Sun ONE Directory Server 5.1 connected data source maintains mailboxes for 50 of the 100 employees at Fabrikam. Mailboxes for the remaining 50 employees are in the Exchange connected data source. Earlier in this walkthrough, you configured the Fabrikam LDAP Data Interchange Format MA to contribute attributes for its 50 mailbox holders. You will now configure the Fabrikam Sun ONE Directory Server 5.1 MA to import inetOrgPerson objects and their attributes to the connector space and then join them to objects in the metaverse.

The addition of the Fabrikam Sun ONE Directory Server 5.1 MA results in two metaverse attributes having three potential data sources. To remedy this situation, you will set attribute precedence flow for the two attributes after you create the Fabrikam Sun ONE Directory Server 5.1 MA.

In this step of the walkthrough, you will perform the following tasks:

  1. Create the Fabrikam Sun ONE Directory Server 5.1 MA

  2. Configure attribute precedence flow for the Fabrikam Sun ONE Directory Server 5.1 MA

  3. Run the Fabrikam Sun ONE Directory Server 5.1 MA run profile

  4. Verify Results

Create the Management Agent

When you create the Fabrikam Sun ONE Directory Server 5.1 MA, you will use the management agent for Sun ONE Directory Server 5.1. To use the management agent for Sun ONE Directory Server 5.1 to create the Fabrikam Sun ONE Directory Server 5.1 MA, perform the following tasks:

  1. Create a management agent

  2. Specify logon information

  3. Naming context configuration

  4. Select object types

  5. Select attributes

  6. Select anchor attributes (Sun ONE Directory Server 5.1 version 4.0 only)

  7. Configure a connector filter

  8. Configure join and projection rules

  9. Configure attribute flow

  10. Configure deprovisioning

  11. Configure extensions

To create the Sun ONE Directory Server 5.1 MA

  1. On the Tools menu, click Management Agents.

  2. On the Actions menu, click Create.

  3. In Create Management Agent, in Management agent for, click Sun and Netscape directory servers.

  4. In Name, type Fabrikam Sun ONE Directory Server 5.1 MA.

  5. Click Next.

    Specify logon information.

  6. In Create Management Agent, on the Specify Logon Information page, in Server, type the name of the Sun ONE Directory Server 5.1 server that you want to connect to, and then type a port number, user name, and password.

  7. Click Next.

    Naming context configuration.

  8. In Select a partition, select the partition for the naming context.

  9. If you are using the scenario default setup this will be dc=fabrikam,dc=com.

  10. Click Containers.

    Select containers.

  11. In Select Containers page, clear the checkboxes for all containers except the container where the scenario data was imported during setup. If you are using the scenario default setup, this will be People.

  12. Click OK, and then click Next.

    Select object types.

  13. In Object Types, click inetOrgPerson.

  14. Click Next.

    Select attributes.

  15. In Attributes, select Show All, and then select the following attributes:

    description

    displayName

    givenName

    mail

    sn

    uid

  16. Click Next.

  17. Do not modify the settings on the Configure Connector Filter page.

  18. Click Next.

    Configure join and projection rules.

  19. In Data Source Object Type, select inetOrgPerson.

  20. Click New Join Rule.

  21. In Metaverse object type, select person.

  22. In Mapping Type, click Direct.

  23. In both the Data source attribute and the Metaverse attribute lists, select sn.

  24. Click Add Condition.

  25. In both the Data source attribute and the Metaverse attribute lists, click givenName.

  26. Click Add Condition.

  27. Click OK. Verify that the join and projection rules are configured as shown in the figure below.

    Figure 1.12: inetOrgPerson Object Mapping

  28. Click Next.

    Configure attribute flow.

  29. In Data source object type, select inetOrgPerson.

  30. In Metaverse object type, select person.

  31. In Mapping Type, click Direct.

  32. In Flow Direction, click Import.

  33. Create the attribute mappings as indicated in the table below.

| Sun ONE Directory Server 5.1 attribute | Metaverse attribute | Mapping Type | Flow Direction |
|---|---|---|---|
| description | description | Direct | Import |
| displayName | displayName | Direct | Import |
| mail | mail | Direct | Import |
| uid | mailNickname | Direct | Import |
| uid | uid | Direct | Import |
| | comment | Advanced – DN component 2 | Import |

  34. From Metaverse attribute, select comment.

    This will flow the DN part selected to the metaverse comment attribute.

  35. In Mapping Type, select Advanced.

  36. Click New.

  37. In Advanced Import Attribute Flow Options, click Distinguished name.

  38. In Component, select the location number 2, as shown in the figure below.

    Figure 1.13: Advanced Import Attribute Flow Options

  39. Click OK.

  40. Click Next.

  41. Do not modify the settings of the Configure Deprovisioning page.

  42. Click Next.

  43. Do not modify the settings of the Configure Extensions page.

  44. Click Finish.
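The Advanced mapping configured above flows DN component 2 into the comment attribute. The following Python code is an added example, not part of the original walkthrough or of MIIS, that extracts a DN component while honoring escaped commas. The Sun ONE user DNs are constructed, and counting components from 1 at the leftmost position is inferred from the Recipients result described earlier for cn=dep001,cn=Recipients,ou=MIIS,o=MS.

```python
import string


def split_dn(dn):
    """Split a DN into its components on commas that are not backslash-escaped."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            # Keep the escape sequence intact so an escaped comma is not a separator.
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf).lstrip())
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf).lstrip())
    return parts


def unescape(value):
    """Decode backslash escapes: \\XX hex pairs and single escaped characters."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                out.append(bytes.fromhex(pair))
                i += 3
            else:
                out.append(value[i + 1].encode("utf-8"))
                i += 2
        else:
            out.append(value[i].encode("utf-8"))
            i += 1
    return b"".join(out).decode("utf-8")


def dn_component(dn, n):
    """Return the value of the n-th DN component (1 = leftmost), or None if absent.

    For a multi-valued component (joined with '+'), the text after the first '='
    is returned unchanged apart from unescaping.
    """
    rdns = split_dn(dn)
    if not 1 <= n <= len(rdns):
        return None
    _, sep, raw = rdns[n - 1].partition("=")
    return unescape(raw) if sep else None


# DN quoted in the walkthrough (Exchange distribution list).
EXCHANGE_DN = "cn=dep001,cn=Recipients,ou=MIIS,o=MS"
# Constructed Sun ONE DNs under the scenario's People container.
SUNONE_DN = "uid=aharty,ou=People,dc=fabrikam,dc=com"
ESCAPED_DN = r"cn=Harty\, Amity,ou=People,dc=fabrikam,dc=com"

if __name__ == "__main__":
    for dn in (EXCHANGE_DN, SUNONE_DN, ESCAPED_DN):
        print(dn, "->", dn_component(dn, 2))
    # A plain split on "," picks the wrong piece when a value contains an escaped comma.
    print("naive split:", repr(ESCAPED_DN.split(",")[1]))
```

A value with an escaped comma is the case to check before relying on this flow: a plain split on commas would put part of the person's name into comment instead of the container name.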

Establish Attribute Flow Precedence

The attribute precedence flow must be modified to give the Fabrikam Sun ONE Directory Server 5.1 MA second place in the ranking order. By adding the Fabrikam Sun ONE Directory Server 5.1 MA, the displayName and uid metaverse attributes now have three potential sources. For example, the displayName attribute could come from the HR, Exchange, or Sun ONE Directory Server 5.1 systems.

Currently, the ranking order of the HR, Exchange, and Sun ONE Directory Server 5.1 MAs follows the order in which the MA for each data source was created:

  1. HR MA

  2. LDAP Data Interchange Format (LDIF) MA

  3. Sun ONE Directory Server 5.1 MA

You will reset the ranking order of the HR, Exchange, and Sun ONE Directory Server 5.1 MAs to support the correct attribute precedence flow.

Note

If the three MAs were created in an order that suited the attribute flow precedence, you would not need to modify the rank. With multiple systems contributing attributes, the order in which MAs are created can become complex. To mitigate this problem, you can specify the ranking order in which you want to process values for the same attribute from different connected directories.

To create the attribute precedence flow for the Fabrikam Sun ONE Directory Server 5.1 MA

  1. Configure attribute precedence flow for the displayName attribute. In Identity Manager, from the Tools menu, click Metaverse Designer.

  2. In Object Types, click person.

  3. In Attributes, click displayName.

  4. On the Actions menu, click Configure Attribute Flow Precedence.

  5. Use the up or down arrow to match the ranking indicated in the table below.

| Metaverse Attribute | Management Agent Name | Rank |
|---|---|---|
| displayName | Fabrikam LDAP Data Interchange Format (LDIF) MA | 1 |
| | Fabrikam Sun ONE Directory Server 5.1 MA | 2 |
| | Fabrikam HR MA | 3 |

  6. Click OK.

  7. Configure attribute precedence flow for the uid attribute.

  8. In Object types, click person.

  9. In Attributes, select uid.

  10. On the Actions menu, click Configure Attribute Flow Precedence.

  11. In Configure Attribute Flow Precedence, use the up or down arrow to ensure that the uid attribute flow precedence matches the ranking listed in the table below.

| Metaverse Attribute | Management Agent Name | Rank |
|---|---|---|
| uid | Fabrikam AD MA | 1 |
| | Fabrikam LDAP Data Interchange Format (LDIF) MA | 2 |
| | Fabrikam Sun ONE Directory Server 5.1 MA | 3 |

  12. Click OK.

Run the Management Agent

The Fabrikam Sun ONE Directory Server 5.1 MA will import data directly from the Sun ONE Directory Server 5.1 server into Microsoft Identity Integration Server 2003, unlike the Fabrikam LDAP Data Interchange Format (LDIF) MA, which imported data from an input file. You will create a run profile that will enable the Fabrikam Sun ONE Directory Server 5.1 MA to import directly from Sun ONE Directory Server 5.1.

Create the Run Profile

To create the Fabrikam Sun ONE Directory Server 5.1 MA run profile, perform the following tasks:

  1. Configure the Sun ONE Directory Server 5.1 MA run profile to import from the Sun ONE Directory Server 5.1 server.

  2. Run the Full Import run profile.

To create the Fabrikam Sun ONE Directory Server 5.1 MA run profile

  1. In Identity Manager, from the Tools menu, click Management Agents.

  2. In Management Agents, click Fabrikam Sun ONE Directory Server 5.1 MA.

  3. From the Actions menu, click Configure Run Profiles.

  4. Click New Profile.

    Name the run profile.

  5. In Name, type Full Import.

  6. Click Next.

    Configure the run profile.

  7. In Type, click Full Import and Delta Synchronization.

  8. Click Next.

    Configure the partition for the management agent.

  9. In Partition, select the Sun ONE Directory Server 5.1 LDAP suffix dc=fabrikam,dc=com.

  10. Click Finish, and then click OK.

    Run the run profile.

  11. In the Actions menu, click Run.

  12. Select the Full Import run profile.

  13. Click OK.

Verify Results

Use Operations in the Identity Manager to verify the run profile results for the Fabrikam Sun ONE Directory Server 5.1 MA.

Use Operations to Verify Run Profile Results

By using Operations, you can see how many objects were imported to the metaverse.

To verify the run profile by using Operations

  1. In the Tools menu, click Operations.

  2. In Name, click Fabrikam Sun ONE Directory Server 5.1 MA.

    Operations should display the following results:

    • The Staging synchronization statistics should show 50 Adds. This indicates 50 new objects were added to the connector space.

    • The Inbound synchronization statistics should show 50 Joins. This indicates that all of the 50 imported inetOrgPerson objects have been joined to an object in the metaverse.

    Of the 100 users in the Fabrikam scenario, 50 have mailboxes in Exchange and 50 have mailboxes in Sun ONE Directory Server 5.1. The Fabrikam LDAP Data Interchange Format MA imported and joined 50 objects to Microsoft Identity Integration Server 2003. The Fabrikam Sun ONE Directory Server 5.1 MA imported and joined the remaining 50 objects from Sun ONE Directory Server 5.1.

The Fabrikam Telephone MA

The Fabrikam Telephone MA is used to populate the person object in the metaverse with their various telephone numbers (telephone, mobile, pager, and fax). As with the HR system, the telephone system is emulated by a file dump of the data in the Telephone system. For the Fabrikam Telephone MA, you will be importing a fixed width text file.

In this step of the walkthrough, you will perform the following tasks:

  1. Create the Fabrikam Telephone MA

  2. Run the Fabrikam Telephone MA run profile

  3. Verify Results

Create the Management Agent

Use the management agent for fixed width text file to create the Fabrikam Telephone MA. To use this management agent to create the Fabrikam Telephone MA, perform the following steps:

  1. Create a management agent

  2. Connect to the database

  3. Configure columns

  4. Configure a connector filter

  5. Configure join and projection rules

  6. Configure attribute flow

  7. Configure deprovisioning

  8. Configure extensions

Creating the Fabrikam Telephone MA does not require that you perform each of these steps.

To create the Fabrikam Telephone MA

  1. Open Identity Manager.

  2. On the Tools menu, click Management Agents.

  3. On the Actions menu, click Create.

  4. In Management agent for, click Fixed-width text file.

  5. In Name, type Fabrikam Telephone MA.

  6. Click Next.

    Select template input file.

  7. Select the fabrikam-telinfo-fw.txt sample file provided with the scenario.

  8. Click Next.

  9. Confirm fixed-width text format, as shown in the figure below.

    Figure 1.14: Confirm Fixed-Width Text Format

  10. Click Use first row for header names.

  11. Click Next.

    Configure attributes.

  12. Click Set Anchor.

    Set anchor.

  13. In Set Anchor, click RECID and then click Add.

  14. Click OK, and then click Next.

  15. Do not modify the settings on the Define Object Types page.

  16. Click Next.

  17. Do not modify the settings on the Configure Connector Filter page.

  18. Click Next.

    Configure join and projection.

  19. In Data Source Object Type, click person.

  20. Click New Join Rule.

  21. In the Metaverse object type drop-down list, click person.

  22. In the Data source attribute list, click name.

  23. In Metaverse attribute, click sn.

  24. Click Add Condition, and verify that the join rule for the person object is configured as shown in the figure below.

    Figure 1.15: Join Rule for Person Object

  25. Click OK, and then click Next.

    Configure attribute flow.

  26. For both Data source object type and the Metaverse object type, click person.

  27. In Mapping Type, click Direct.

  28. In Flow Direction, click Import.

  29. Using Data source attribute and Metaverse attribute, create the attribute mappings indicated in the table below.

| Data Source Attribute | Metaverse Attribute | Mapping Type | Flow Direction |
|---|---|---|---|
| FAX | facsimileTelephoneNumber | Direct | Import |
| MOBILE | mobile | Direct | Import |
| PAGER | pager | Direct | Import |
| TELEPHONE | telephoneNumber | Direct | Import |

  30. Click Next.

  31. Do not modify the settings on the Configure Deprovisioning page, and then click Next.

  32. Do not modify the settings on the Configure Extensions page, and then click Next.

  33. Click Finish.
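The join rules configured in this walkthrough differ in how selective they are: employeeid for Active Directory users, sn plus givenName for Sun ONE, and name to sn for the telephone file. The following Python code is an added example, not part of the original walkthrough or of MIIS, that evaluates such rules against sample data and reports which records would match exactly one, several, or no metaverse objects. All records are constructed; treating the conditions of one rule as all-must-match and comparing case-insensitively are assumptions of this example.

```python
def candidates(record, metaverse, conditions):
    """Ids of metaverse objects that satisfy every (source_attr, mv_attr) condition."""
    def norm(value):
        return (value or "").strip().casefold()

    hits = []
    for mv in metaverse:
        if all(norm(record.get(src)) and norm(record.get(src)) == norm(mv.get(dst))
               for src, dst in conditions):
            hits.append(mv["id"])
    return hits


def classify(records, metaverse, conditions, anchor):
    """Group records by join outcome, keyed by their anchor attribute."""
    report = {"joined": {}, "ambiguous": {}, "unmatched": []}
    for rec in records:
        hits = candidates(rec, metaverse, conditions)
        key = rec[anchor]
        if len(hits) == 1:
            report["joined"][key] = hits[0]
        elif hits:
            report["ambiguous"][key] = hits
        else:
            report["unmatched"].append(key)
    return report


# Join rules as configured in the walkthrough: (data source attribute, metaverse attribute).
AD_USER_RULE = [("employeeid", "employeeid")]
SUNONE_RULE = [("sn", "sn"), ("givenName", "givenName")]
TELEPHONE_RULE = [("name", "sn")]

# Constructed metaverse person objects; two of them share a surname.
METAVERSE = [
    {"id": "mv1", "sn": "Harty", "givenName": "Amity", "employeeid": "1001"},
    {"id": "mv2", "sn": "Harty", "givenName": "Ben", "employeeid": "1002"},
    {"id": "mv3", "sn": "Lopez", "givenName": "Carla", "employeeid": "1003"},
]

# Constructed source records, one set per connected data source.
TELEPHONE = [
    {"RECID": "1", "name": "Harty"},
    {"RECID": "2", "name": "Lopez"},
    {"RECID": "3", "name": "Nguyen"},
]
SUNONE = [{"uid": "bharty", "sn": "Harty", "givenName": "Ben"}]
AD_USERS = [{"sAMAccountName": "aharty", "employeeid": "1001"}]

if __name__ == "__main__":
    print(classify(TELEPHONE, METAVERSE, TELEPHONE_RULE, "RECID"))
    print(classify(SUNONE, METAVERSE, SUNONE_RULE, "uid"))
    print(classify(AD_USERS, METAVERSE, AD_USER_RULE, "sAMAccountName"))
```

Running a check like this on the source file before synchronization shows where a surname-only rule cannot identify a single person, which is where telephone numbers could otherwise end up on the wrong identity.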

Establish Attribute Flow Precedence

The Fabrikam Telephone system is the authoritative source for the telephoneNumber attribute. You will create the attribute precedence flow for this attribute so that the Fabrikam Telephone MA maintains authority for this attribute over the Fabrikam HR MA, which also uses this attribute.

To create the attribute precedence flow for the Fabrikam Telephone MA

  1. Configure attribute precedence flow for the telephoneNumber attribute. In the Identity Manager, from the Tools menu, click Metaverse Designer.

  2. In Object Types, click person.

  3. In Attributes, click telephoneNumber.

  4. On the Actions menu, click Configure Attribute Flow Precedence.

  5. Use the up or down arrow to match the ranking listed in the table below.

    Metaverse Attribute    Management Agent Name    Rank
    telephoneNumber        Fabrikam Telephone MA    1
                           Fabrikam HR MA           2

  6. Click OK.

Run the MA in Drop Audit File Mode

Microsoft Identity Integration Server 2003 allows you to import objects in stages in order to preview the data added to the connector space before connector space objects are joined to objects in the metaverse. First create a run profile that imports the telephone system objects into the connector space and creates a log file known as a drop audit file. This file allows you to preview the data added to the connector space.

After the integrity of the data is verified by using the drop audit file, run the synchronization run profile to join connector space objects with the metaverse objects. To implement this staged import, create two run profiles for the Fabrikam Telephone MA.

Note

As with the Fabrikam HR MA and the Fabrikam LDAP Data Interchange Format (LDIF) MA, you will need to copy the import file into the working folder for the MA.

Create Run Profiles

The Fabrikam Telephone MA run profiles will be created in the following steps:

  • Configure the Telephone MA run profile to import data from the fixed-width text file

  • Configure the drop audit file sub-step and enable staging

  • Create the Full Import – Delta Synchronization run profile

  • Run the Full Import – Stage to CS run profile

To create the Fabrikam Telephone MA run profile

  1. Copy the data file from the following location on the Microsoft Identity Integration Server 2003 installation media:

    Scenarios\ClassicMetadirectory\fabrikam-telinfo-fw.txt

    If you copied the file during the scenario setup instructions, this file will be located in the C:\Scenarios\ClassicMetadirectory folder on the Microsoft Identity Integration Server 2003 server. Note that depending on your Windows settings, the .txt extension may not be visible.

  2. Copy the data file to the following location:

    C:\Program Files\Microsoft Identity Integration Server\MaData\Fabrikam Telephone MA

  3. Create the run profile. In Identity Manager, from the Tools menu, click Management Agents.

  4. Click Fabrikam Telephone MA.

  5. On the Actions menu, click Configure Run Profiles.

  6. Click New Profile.

    Name the run profile.

  7. In Name, type Full Import – Stage to CS, and then click Next.

    Configure Step.

  8. From the Type list, click Full Import (Stage Only).

  9. Click Set log file options.

    Set Log File Options.

  10. In Set Log File Options -- Import, click Create a log file.

    This will create an XML file of the data imported into the connector space when this run profile is run.

  11. In Type or select Log file name, type full-import-staging.xml, as shown in the figure below.

    Figure 1.16: Set Log File Options

  12. Click OK and then click Next.

    Management agent configuration.

  13. In Partition, select default.

  14. In Input file name, type fabrikam-telinfo-fw.txt, or click Select to select it.

  15. Click Finish, and then click OK.

    Run the connector space staging profile.

  16. On the Actions menu, click Run.

  17. Select Full Import – Stage to CS, and then click OK.

    Examining the XML file.

  18. From the Management Agents view, wait until the status of the Fabrikam Telephone MA indicates Idle, meaning that the profile run has completed.

  19. Open Windows Explorer and view the Fabrikam Telephone MA’s working folder in the following location:

    C:\Program Files\Microsoft Identity Integration Server\MaData\Fabrikam Telephone MA

  20. Open the full-import-staging.xml file.

    You can see that all of the data imported to the connector space has been exported to the XML drop file. This data was imported to the connector space only. It has not been joined to the metaverse.

    Create the Full Import – Delta Synchronization run profile.

  21. In Identity Manager, in the Management Agents view, click Fabrikam Telephone MA.

  22. On the Actions menu, select Configure Run Profiles.

  23. Click New Profile.

    Name the run profile.

  24. In Name, type Delta Synchronization, and then click Next.

  25. Configure Step.

  26. In Specify step type list, from the Type list, click Delta Synchronization.

    When the Delta Synchronization option is enabled, Microsoft Identity Integration Server 2003 examines all normal disconnector objects in the connector space to determine if they should be joined to objects in the metaverse, and applies attribute precedence flow rules for those objects. In this mode, Microsoft Identity Integration Server 2003 will only evaluate attribute flow rules for those previously connected objects that have pending delta imports and exports. Delta imports and exports are attribute flows consisting only of the data that has been changed since the last synchronization.

  27. Click Next.

    Management agent configuration.

  28. In Partition, select default.

  29. Click Finish, and then click OK.

    Run the Delta Synchronization run profile.

  30. Click Run.

  31. Select the Delta Synchronization run profile, and then click OK.

Verify Results

Use Operations and Metaverse Search in the Identity Manager to verify the run profile results for the Fabrikam Telephone MA.

Use Operations to Verify Run Profile Results

Operations displays how many objects were imported to the connector space.

To verify the run profile by using Operations

  1. In Identity Manager, from the Tools menu, click Operations.

  2. Click the Fabrikam Telephone MA with Full Import – Stage to CS.

    The Staging synchronization statistics should show 100 Adds. This indicates that 100 new objects were added to the connector space. Unlike the other MAs you have created in this scenario, the Fabrikam Telephone MA shows only Staging statistics. No Inbound Synchronization statistics are shown because the Full Import – Stage to CS run profile only staged the objects in the connector space. When the profile Delta Synchronization is run, the objects from the connector space will be joined to metaverse objects, and then activity will be reported.

  3. Click the Fabrikam Telephone MA with the Profile name Delta Synchronization.

    The Inbound synchronization statistics should show 97 Joins and 3 Disconnectors. This indicates that 97 of the 100 telephone objects were joined to objects in the metaverse. Three of the objects have been left as disconnector objects.

    The phone system has 3 objects for Smith. Because the phone system has no givenName or other attribute to use in the join rule, Microsoft Identity Integration Server 2003 could not resolve which of the employees with the last name of Smith each of these objects should be joined to in the metaverse. Therefore, Microsoft Identity Integration Server 2003 maintains the 3 phone system objects for Smith as normal disconnector objects in the connector space. Later in the scenario, you will learn how to join these normal disconnector objects to the appropriate metaverse objects.

Use Metaverse Search to Verify Run Profiles

Metaverse Search displays the number of objects that were imported to the metaverse.

To use Metaverse Search to verify run profiles

  1. In Identity Manager, from the Tools menu, click Metaverse Search.

  2. On the Actions menu, click Import Query.

  3. Browse to the folder where you copied the scenario files:

    C:\Scenarios\ClassicMetadirectory

  4. Open the file CM emp active.qry.

  5. On the Actions menu, click Search.

  6. After the search is complete, you should see 100 objects listed in the Search Results list box.

  7. In the search results, select Amity Harty, and then, from the Actions menu, click Properties.

    The Metaverse Object Properties dialog box shows you all of the attributes and their set values. It also shows you the management agent that set the value (Contributing MA), and the time it was set (Last Modified).

    Notice that the object has all the telephone number attributes set. This occurred when you ran the Delta Synchronization run profile with the Fabrikam Telephone MA. Prior to running this profile, the employee telephone numbers had an area code of 20 that was imported from the HR system. This value was overwritten with values that have an area code of 22 because the telephone system is the authoritative source for telephone numbers.

  8. Click Close.
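The results verified above (joins on a unique surname, disconnectors for the ambiguous Smith objects, and telephone-system values replacing HR values) can be reproduced with a small model. This is an added example, not Microsoft Identity Integration Server 2003 code: the people other than Amity Harty, the phone numbers and the function names are constructed, and the join and precedence logic is a simplified model of the behaviour this walkthrough describes.

```python
from collections import defaultdict

# Rank per metaverse attribute, 1 = most authoritative (the precedence table above).
PRECEDENCE = {"telephoneNumber": {"Fabrikam Telephone MA": 1, "Fabrikam HR MA": 2}}

# Constructed rows standing in for staged telephone-system objects.
STAGED = [
    {"name": "Harty", "TELEPHONE": "22 555 0100"},
    {"name": "Smith", "TELEPHONE": "22 555 0101"},
    {"name": "Smith", "TELEPHONE": "22 555 0102"},
    {"name": "Smith", "TELEPHONE": "22 555 0103"},
]

def new_metaverse():
    """Constructed person objects as the HR import left them (value, contributing MA)."""
    people = [("Amity", "Harty"), ("Ann", "Smith"), ("Bob", "Smith"), ("Cal", "Smith")]
    return [{"givenName": g, "sn": s,
             "telephoneNumber": ("20 555 01%02d" % i, "Fabrikam HR MA")}
            for i, (g, s) in enumerate(people)]

def flow(mv_obj, attr, value, ma):
    """Apply an import flow unless a higher-ranked MA already contributed the value."""
    ranks = PRECEDENCE.get(attr, {})
    current = mv_obj.get(attr)
    if current and ranks.get(ma, 99) > ranks.get(current[1], 99):
        return False
    mv_obj[attr] = (value, ma)
    return True

def delta_sync(staged, metaverse, ma):
    """Join on name -> sn; objects with zero or several candidates stay disconnectors."""
    by_sn = defaultdict(list)
    for person in metaverse:
        by_sn[person["sn"]].append(person)
    stats = {"joins": 0, "disconnectors": []}
    for cs_obj in staged:
        candidates = by_sn.get(cs_obj["name"], [])
        if len(candidates) != 1:
            stats["disconnectors"].append(cs_obj["name"])
            continue
        flow(candidates[0], "telephoneNumber", cs_obj["TELEPHONE"], ma)
        stats["joins"] += 1
    return stats

if __name__ == "__main__":
    mv = new_metaverse()
    print(delta_sync(STAGED, mv, "Fabrikam Telephone MA"))
    print(mv[0]["telephoneNumber"])                                         # Telephone MA value
    print(flow(mv[0], "telephoneNumber", "20 555 0100", "Fabrikam HR MA"))  # blocked
```

A join attribute that is not unique in the metaverse, such as sn here, leaves objects unjoined rather than attaching them to the wrong person, which is why the disconnector count is worth checking after every synchronization run.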

Next Step