Classic Metadirectory Walkthrough: Administering MIIS 2003 Infrastructure
Applies To: Windows Server 2003 with SP1
Previous Steps in This Walkthrough
Administering the MIIS 2003 Infrastructure
After you create the Microsoft Identity Integration Server 2003 infrastructure for Fabrikam, use the Identity Manager to refine the infrastructure and make it easier for other Microsoft Identity Integration Server 2003 administrators to manage.
To administer the Microsoft Identity Integration Server 2003 infrastructure, perform the following administration tasks:
Connect connector space objects to the metaverse, which includes:
Attribute indexing
Connecting disconnector objects
Disconnecting connector objects
Previewing action on disconnector objects
Manage management agents
Create command scripts for management agents
Use administrative roles
The administration tasks in this section use the Fabrikam Telephone MA, but you can also use other MAs to perform these tasks. .
Connecting Connector Space Objects to the Metaverse
When the Fabrikam Telephone MA was run, Microsoft Identity Integration Server 2003 imported three objects to the connector space that it could not join to any objects in the metaverse. These three objects were created from the three objects for Smith in the Telephone system data source. When the Telephone MA was run, Microsoft Identity Integration Server 2003 could not resolve which of the employees with the last name of Smith should be joined to the metaverse because the phone system has no givenName or other attribute to use in the join rule.
When you run a management agent, you can specify that a join rule be applied to each object in the connector space. By specifying a join rule, Microsoft Identity Integration Server 2003 searches the metaverse and attempts to find a corresponding object to which the connector space object can be joined. When a search returns any results, the resolution rules determine whether:
None of the objects satisfies the join criteria, in which case the next search criteria are evaluated.
Exactly one of the objects satisfies the join criteria, in which case it is joined with the connector object.
More than one of the objects satisfies the join criteria, in which case the join operation fails.
In the case of the three objects in the Fabrikam Telephone MA, more than one of the objects satisfies the join criteria, and so the join failed.
To refine the Microsoft Identity Integration Server 2003 configuration and resolve this join failure, you will search the metaverse for candidates and then connect the objects in the connector space to the appropriate objects in the metaverse.
Resolving the join failure involves the following steps:
Diagnosing Disconnector objects
Attribute Indexing
Connecting Disconnector objects
Disconnecting Connector objects
Diagnosing Disconnector Objects
The disconnector objects are the result of join rules that were not met when the import operation performed by the Fabrikam Telephone MA occurred. You will view the disconnector object in order to diagnose the cause of the failed join operation.
To diagnose a failed join operation
In Identity Manager, in the Tools menu, click Management Agents.
Click Fabrikam Telephone MA.
On the Actions menu, select Search Connector Space.
In Scope, select Pending Import.
To select the kind of pending import you wish to find in the Fabrikam Telephone MA connector space, click Add.
Click Search.
In DN, select 000042391, and then click Preview.
Click Full Synchronization, and then click Generate Preview.
Click Join and Projection, as shown in the figure below.
Figure 1.17: Join and Projection
The Resolution for the evaluation of the join rules is Multiple Matches. This resolution means that when the synchronization cycle runs again, the connector space object will remain a disconnector object because of the multiple metaverse objects with an sn attribute that matches the name attribute in the Telephone system (Smith). If you click the ellipsis in the Matches column, Microsoft Identity Integration Server 2003 displays the metaverse objects for which this connector space object satisfied the displayed join condition.
10.Click Close, and then click Close again.
Attribute Indexing
To locate the metaverse objects that are appropriate for connecting the three disconnector objects, you will search the metaverse for join candidates. Before searching the metaverse, you can index the metaverse object attributes used for join searches to increase the speed of the search.
The metaverse object attribute used for join searches is indexed because the SQL database used by Microsoft Identity Integration Server 2003 uses indices to identify a unique record and thereby make it faster and to find and sort records.
To index a metaverse object attribute
On the Tools menu, click Metaverse Designer.
In Object types, click person.
In Attributes, click sn.
On the Actions menu, click Edit Attribute.
In the Edit Attribute dialog box, select Indexed to index the attribute in the Microsoft Identity Integration Server 2003 SQL database.
Click OK.
In Metaverse Designer, verify that there is a value of Yes in the Indexed column for the attribute sn.
Connecting Disconnector Objects
The three Telephone data source connector space objects that are not joined to metaverse objects are disconnector objects that you will join to metaverse objects. To join the three disconnector objects, you will use the Smith connector space objects imported to the connector space by the Fabrikam Telephone MA.
The process of joining the three disconnector objects involves the following steps:
To Join Connector Space Objects to Metaverse Objects
Configure column headings in both the connector space and the metaverse displays to provide information relevant to the process of joining the connector space and metaverse objects.
Search for Disconnector objects. Disconnector objects are the connector space objects that are not linked to metaverse objects.
Create a metaverse filter in order to identify potential objects in the metaverse to join to the connector space objects.
Join the connector space objects to the appropriate metaverse objects.
To Configure the Column Headings
Select the Fabrikam Telephone MA.
On the Tools menu, click Joiner.
From Management Agent, click the Fabrikam Telephone MA.
On the Actions menu, click Disconnector Column Settings.
Note
Column settings are configured separately for each management agent in the Joiner.
Verify that NAME, RECID, and TELEPHONE appear under Selected Columns section. If these attribute names do not appear under Selected Columns, select them under Available Columns and click Add.
Under Available Columns, select PAGER, and then click Add so that the attribute name appears under Selected Columns, as shown in the figure below.
Figure 1.18: Connector Space Columns Settings
Next, configure the metaverse column settings. On the Actions menu, click Metaverse Column Settings.
Add the following attributes from Available Columns to the Selected Columns: sn, givenName, and employeeID, as shown in the figure below.
Figure 1.19: Metaverse Search Results Column Settings
Click OK.
To Search for Disconnector Objects
In Disconnector Type, select All Disconnector Types.
On the Actions menu, click Search Disconnectors.
The Connector Space list box displays the three connector space objects that are not joined to the metaverse.
To Create a Metaverse Filter
Click Configure Search Filters.
In the Configure Search Filters dialog box, click Add.
In Add Search Filter, in Name, type mv.sn = cd.name.
For Metaverse Object Type, click person.
For Metaverse Attribute, click sn.
For Operator, click Equals.
For Value, click Datasource Attribute.
From the Datasource Attribute drop-down list, click NAME, as shown in the figure below.
Figure 1.20: Add Search Filter
Click Add.
Click OK, and then click OK again.
In Metaverse Search Filter, click mv.sn = cd.name.
In Disconnectors, click a disconnector object.
On the Actions menu, click Apply Filter.
To Join Connector Space Objects to Metaverse Objects
In Disconnectors, select the object with the RECID 000051371.
The filter you configured is processed for each disconnector object as they are selected. This processing generates the potential matches in the metaverse for the selected connector space object.
In the Metaverse Search Results, click the object with the name Elsbeth Smith.
Click Join, and then click Yes.
You have now joined one of the connector space objects to a metaverse object. The icon next to the connector space object with RECID 000051371 now indicates that a join has occurred. Elsbeth was connected to an object with a different Employee ID than RECID on purpose. Later in this scenario, the objects will be disconnected.
On the Actions menu, click Search Disconnectors.
Now there are only two disconnector connector space objects. RECID 000051371 is now joined to a metaverse object and it no longer qualifies as a disconnector object.
Disconnecting Connector Objects
In situations such as employee retirement or resource reallocation, you will need to disconnect a connector space object from the metaverse. To reconnect the connector space object to the metaverse after a connector space object is disconnected, you can use Joiner in the Identity Manager to join the object. (Typically, you would configure management agent rules to discover these changes during synchronization and perform the disconnection or connection.) The management agent must be run to affect changes.
Note
When disconnecting a reference object, such as distinguished name, you must run the associated management agent for both import and export to affect the change. At minimum, the import run must be in Delta Synchronizationmode. Export runs are always delta mode.
To disconnect a connector space object from the metaverse
In Identity Manager, from the Tools menu, click Metaverse Search.
Select any of the search clauses, and then click Delete Clause.
On the Actions menu, click Add Clause.
For Attribute, click sn.
For Operator, click Equals.
Type Smith as the value, and then press ENTER.
On the Actions menu, click Search. The Search results list box will have three objects with the sn Smith listed.
Select the object with the displayName Elsbeth Smith.
On the Actions menu, select Properties to display the Metaverse Object Properties dialog box.
Select the Connectors tab.
Select the object with the MA name of Fabrikam Telephone MA and connector Distinguished Name of 000051371. The Join Method column indicates that the connector for the Fabrikam Telephone MA was created by an account-joiner-rule.
Click Disconnect.
A dialog box asks if you want to create an Explicit Disconnector or Disconnector. If you choose Disconnector, then the next time rules are run, the disconnector is a candidate for join rules and could potentially join with a metaverse entry. If you choose Explicit Disconnector, the entry will not be a candidate for join or projection even if you create new join rules or add a projection rule for this management agent.
In this scenario, choose Disconnector to change the join rules so that the entry is joined to the correct metaverse entry the next time the rules are run, as shown in the figure below.
Figure 1.21: Disconnect Object Dialog Box
Click Disconnector.
Click OK, and then click the OK again.
Click Close.
On the Tools menu, click Joiner.
In Management Agent, verify that the Fabrikam Telephone MA is selected.
On the Actions menu, click Search Disconnectors.
You will see that all three Smith connector space objects are listed in the connector space. The disconnection was successful.
Administering Management Agents
The greater part of the tasks required to maintain the Microsoft Identity Integration Server 2003 infrastructure involve administering management agents (MAs). It is important that administrators practice the more common Microsoft Identity Integration Server 2003 tasks in order to quickly support changes in the Microsoft Identity Integration Server 2003 infrastructure.
To learn how to quickly support your Microsoft Identity Integration Server 2003 infrastructure, you will perform the following tasks:
Export a management agent
Delete a management agent
Import a management agent from a file
Create command scripts for management agents
Use Microsoft Identity Integration Server 2003 administrative roles
Exporting a Management Agent
Management agents are typically exported for the following practices:
To be imported into another Microsoft Identity Integration Server 2003 system.
To create a similar management agent by first exporting an existing management agent, and then importing it and editing its configuration.
For version control on management agents in order to obtain a management agent in a known state.
To export a management agent, save the configuration information of an MA to a file.
To export a management agent
In Identity Manager, in the Tools menu, click Management Agents.
Click the Fabrikam Telephone MA.
On the Actions menu, select Export Management Agent.
Navigate to the folder where you want to save the file.
Important
You will be deleting the Fabrikam Telephone MA later in the scenario. Do not select the management agent working folder in this step.
In File name, type Fabrikam-Telephone-Ma.xml.
In Save as type, select Management Agent Configuration File (*.xml).
Click Save.
This procedure exports your management agent to an XML file. You can view this file with your preferred XML viewer, such as Microsoft® Internet Explorer. Internet Explorer 6.0 and later versions allows you to expand and collapse the XML data structure that you are viewing. Collapsing the sections of the XML file displays a high-level overview of the structure of the XML file, as shown in the figure below.
Figure 1.22: Management Agent Viewed as an XML File
Deleting a Management Agent
Before deleting a management agent, ensure that you have exported it to a file, as described in the previous section. After you have deleted the management agent, you will import the Fabrikam Telephone MA from the export file.
To delete a Management Agent
On the Tools menu, select Management Agents.
Select the Fabrikam Telephone MA.
On the Actions menu, select Delete.
Click Delete management agent and connector space.
Click OK, and then click Yes.
Both the management agent and the connector space used by that management agent are deleted.
Click OK.
Checking Results of the Management Agent Deletion
After a management agent is deleted, confirm the results of the deletion on the metaverse by searching the metaverse and by examining the local file directory where management agent files are stored.
Important
It is important that the ramifications of deleting any management agent be examined prior to performing the deletion. Deleting a management agent is not reversible.
To confirm management agent deletion by using Metaverse Search
On the Tools menu, select Metaverse Search.
Select any existing clauses and, on the Actions menu, click Delete Clause.
On the Actions menu, click Add Clause.
In the Attribute column, select employeeStatus.
In the Operator column, select Equals.
In the Value column, type active.
On the Actions menu, click Search.
From the search results, double-click Amity Harty.
Any attributes that the Fabrikam Telephone MA contributed to a metaverse object are removed from the metaverse object. In addition, the Telephone MA had reset the area code in the telephoneNumber attribute to 22, but it has reverted to 20, the value imported from the HR system originally.
Attributes contributed to a metaverse object from a connector space object are recalled from the metaverse object when the connector space object is disconnected. If attribute precedence exists for a recalled attribute, the next value in the ranking is promoted to the metaverse; in this case, the value provided by the HR system MA is promoted.
To confirm MA deletion by using Windows Explorer
Open Windows Explorer.
Browse to the following folder:
C:\Program Files\Microsoft Identity Integration Server\MaData
The working folder for the Fabrikam Telephone MA is renamed as deleted and the time and date of this operation is appended to the folder name. If a data file exists in the folder, the folder will be renamed to preserve data; otherwise, the folder will be deleted when the management agent is deleted.
Importing a Management Agent From a File
Management agents are exported as files by using the Extensible Markup Language (XML) format that uses the .xml file name extension. The process of importing a management agent uses the same XML formatted files. Typically, you import a management agent by using an XML file that is the result of an exported management agent; but you can also import a management agent by using a file that was simply written, or scripted, in the XML format by a Microsoft Identity Integration Server 2003 administrator.
When you import a management agent by using this method, you actually create a new management agent. The management agent cannot already exist (except as an exported .xml file) on the server. The new management agent is created with all of the settings and properties that were configured in the exported management agent. A new connector space will be created for the new management agent upon the first run. The new management agent has a new globally unique identifier (GUID), and the exported management agent remains intact. As a result, you can use the exported management agent as a template for creating additional management agents.
When you import a management agent from a file, you need to complete each step of the Management Agent Designer, even though all of the settings that existed in the management agent when it was exported to a file are retained. All run profiles associated with a management agent are also imported with no additional configuration necessary.
Note
To import a management agent from an XML file without creating a new GUID, and without retaining the saved file as a template, you can update a management agent. For more information about updating a management agent, see Microsoft Identity Integration Server 2003 Help.
The following rules apply to the process of creating a management agent by importing it from a file:
Although all of the settings for the management agent that was exported to an XML file are retained in that XML file, it is necessary to completely design the new management agent when importing it from the file.
All run profiles associated with a management agent are imported without additional configuration.
For Active Directory management agents, if Active Directory forest configuration settings are changed, run profile settings are not retained.
To import a management agent from a file
On the Tools menu, click Management Agents.
On the Actions menu, click Import Management Agent.
Browse to the file folder containing the Fabrikam Telephone MA XML export file and select Fabrikam-Telephone-MA.xml.
Click Open.
For each of the pages, click Next to move through the management agent creation process. Do not change the settings.
All of the settings from the original Fabrikam Telephone MA are already set in the property pages.
Click Finish.
On the Actions menu, click Run.
The Fabrikam Telephone MA run profiles were saved and imported during this process. Do not run the run profiles at this time.
Click Cancel.
Note
In order to completely restore the Microsoft Identity Integration Server 2003 environment to a point prior to deleting the Fabrikam Telephone MA, you must reset the attribute precedence flow as it was set before the MA was deleted. You must restore the Microsoft Identity Integration Server 2003 environment in order to see the -value for the telephoneNumber attribute provided by the Fabrikam Telephone MA instead of the value provided by the Fabrikam HR MA. In addition, you must ensure that the import file that is used in the Full Import – Stage to CS run profile for the Telephone MA is in the MaData folder, or the MA will not be able to find the telephone system data.
Creating Command Scripts for Management Agents
Most Microsoft Identity Integration Server 2003 administration can be performed by using the Identity Manager user interface, but you can also administer Microsoft Identity Integration Server 2003 by using Windows Management Interface (WMI) command scripts. These scripts allow you to improve Microsoft Identity Integration Server 2003 administration by providing all administrators in an enterprise with common run profiles at the command line, rather than relying on each administrator to perform tasks by using Identity Manager.
Note
The Scheduled Tasks in Control Panel, or the Schtasks command-line tool, can also be used to schedule management agent runs.
The scripts that you create will be used to run a management agent by using a specified run profile. Scripts are programmed by using the Microsoft Visual Basic Scripting Edition (VBScript). Scripts can also be created by using C#. In the following example, you will work in both the Identity Manager and at the command line while creating the management agent.
Remember that the Fabrikam Telephone MA was created in a two step process: first the data source objects were added to the connector space, and then the Synchronization Only run profile was used to join connector space objects to the metaverse. You will create a VBScript file (.vbs) for each of these processes.
To create and run a management agent script
Stage to the connector space. On the Tools menu, click Management Agents.
Click Fabrikam Telephone MA.
On the Actions menu, click Configure Run Profiles.
Select the Full Import - Stage to CS profile.
Click Script.
Browse to the c:\ directory on the server running Microsoft Identity Integration Server 2003, and then name the file stage.vbs.
In Save as, click VB Script Files (*.vbs).
There is an option to create a C# file. That method is not covered in this scenario.
Click Save.
Apply join rules. Click Fabrikam Telephone MA.
On the Actions menu, click Configure Run Profiles.
Select the Full Import - Delta Synchronization profile.
Click Script.
Browse to the c:\ directory on the server running Microsoft Identity Integration Server 2003, and then name the file apply.vbs.
In Save as, click VB Script Files (*.vbs).
Click Save.
Run the management agent at the command line.
Before you can run the Fabrikam Telephone MA, you will need to copy the telephone system data file back into the working folder for the MA. When you deleted the MA, the folder was renamed in order to save your data. When you imported the Fabrikam Telephone MA from the XML file, the working folder was re-created. You will need the data file in the new working folder.
Copy the fabrikam-telinfo-fw.txt from the following directory:
C:\Scenarios\ClassicMetadirectory
Paste the file fabrikam-telinfo-fw.txt to the following directory:
C:\Program Files\Microsoft Identity Integration Server\MaData\Fabrikam Telephone MA
Now that the VBScript files are created, you will run them to control the management agent through WMI.
At the command line, change to the c:\ drive and root directory, and then type cscript stage.vbs.
In Identity Manager, in the Tools menu, click Operations.
If the data takes longer than a few seconds to process, you should see the status change from in-progress to success. If the status indicated in-progress, wait until it changes to success so you can view the statistics.
Verify that the Staging statistics show 100 Adds to the connector space.
At the command line, type cscript apply.vbs.
In Identity Manager, in Operations, wait for the status indicator to switch to success.
Verify that the Inbound Synchronization statistics show 97 Joins, representing those objects that have joined to metaverse objects, and 3 Disconnectors, representing the three ‘Smith’ objects that failed to join.
Using MIIS 2003 Administrative Roles
Microsoft Identity Integration Server 2003 creates three groups during installation that control which tasks users can perform in the Identity Manager. The following groups are created by Microsoft Identity Integration Server 2003:
MIISAdmins — Members of this group have full access to everything in the Identity Manager.
MIISOperators — Members of this group have access to Operations in the Identity Manager only. Members of MIISOperators can run management agents, view synchronization statistics for each run, and save the run histories to a file.
MIISJoiners — Members of this group have access to Joiner and Metaverse Search in the Identity Manager. Members of MIISJoiners can join or project disconnector objects by using Joiner, and use Metaverse Search to view object properties and disconnect objects from the metaverse.
Microsoft Identity Integration Server 2003 also creates two security groups during installation that do not have access to the Identity Manager, but are used for authentication during password management operations:
MIISBrowse — Members of this group have permission to gather information about a user's lineage when resetting passwords by using Windows Management Interface (WMI) queries.
MIISPasswordSet — Members of this group have permission to perform all operations by using the password management interfaces with WMI.
For the Fabrikam scenario, the current Microsoft Identity Integration Server 2003 user will be moved to the various security groups. To complete this process, you will perform the following actions:
Move the user from MIISAdmins to MIISOperators
Add the user to MIISJoiners
Return the user to MIISAdmins again
To move a user from MIISAdmins to MIISOperators
Close Identity Manager.
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
Click the domain node (domain controller) and then click Users.
Double-click the MIISAdmins group.
Remove the currently logged on user from that group.
Click OK.
Double-click the MIISOperators group.
Click Add, and then add the current user into the MIISOperators group.
Click OK.
Log off and then log on to Windows Server 2003 again.
This will reset the Windows access token.
To view the available functionality for the user, open Identity Manager.
Only Operations is available.
Close Identity Manager.
To add a user to the MIISJoiners group
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
Click the domain node (domain controller) and then click Users.
Click the MIISJoiners group.
Click Add, and then add the current user into the MIISJoiners group.
Click OK.
Double-click the MIISOperators group and remove the current user from the MIISOperators group.
Click OK.
Log off and then log on to Windows Server 2003 again.
This will reset the Windows access token.
To view the available functionality for the user, open Identity Manager.
Only the Metaverse Search and Joiner views are available.
Close Identity Manager.
To return the user to the MIISAdmins group
Click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.
Click the domain node (domain controller) and then click Users.
Click the MIISAdmins group.
Click Add, and then return the currently logged on user into the MIISAdmins group.
Click OK.
Close Active Directory Users and Computers.
Log off and then log on to Windows Server 2003 again.
This will reset the Windows access token.
To view the available functionality for the user, open Identity Manager.
All metadirectory views are available.