Simple Account Provisioning Walkthrough: Administering the Account Provisioning Infrastructure

Applies To: Windows Server 2003 with SP1

Previous Steps in This Walkthrough

  1. Overview

  2. Simple Account Provisioning: Scenario Design

  3. Lab Setup

  4. Implementation Steps

  5. Scenario Rules Extensions

Running the Fabrikam HR MA

As the first step in administering the account provisioning infrastructure, you need to run the Fabrikam HR MA run profile that you configured earlier. To run the Fabrikam HR MA run profile, perform the following tasks:

  • Stage the HR objects in the connector space

  • Use Search Connector Space and Preview to investigate staged operations

  • Use the audit file to investigate staged operations

  • Project the user objects from the connector space to the metaverse

  • Use Search Connector Space to investigate the projections into the metaverse

  • Use Metaverse Search to check for an object

Note

Before you run this management agent, ensure that any metaverse rules extensions are not enabled. To do this, in Identity Manager, on the Tools menu, click Rules Extensions, clear the Enable metaverse Rules Extension check box, and then click OK.

Staging the HR Objects in the Connector Space

First stage the HR objects in the connector space so that you can investigate the staging operation before projecting the objects to the metaverse.

To stage the HR objects into the connector space

  1. Click Start, point to Programs, point to Microsoft Identity Integration Server, and then click Identity Manager.

  2. On the Tools menu, click Management Agents.

  3. In Management Agents, under Name, click Fabrikam HR MA, and then click Run.

  4. In the Run Management Agent dialog box, under Run profiles, click Full Import, and then click OK.

    While the MA is running, the screen should indicate its status as Running, and the Adds counter in the Staging Synchronization Statistics should increase from 0 to 100.

    When the MA has completed its run, the status will change to Idle, and the counter will reflect the 100 additions. 100 objects are added to the connector space of the Fabrikam HR MA. Staging statistics show all of the changes that were staged from the connected data source to the connector space of the management agent, as shown in Figure 2.47.

Using Search Connector Space and Preview to Investigate Staged Operations

Before projecting objects from the connector space to the metaverse, use Search Connector Space to investigate the staged operations and Preview to see how the connector space objects will appear in the metaverse after they are projected.

To use Search Connector Space and Preview to investigate staged operations

  1. To determine the objects that were staged in the connector space of the Fabrikam HR MA, click Search Connector Space.

  2. Choose Pending Import as the search criteria and limit the search to add operations by selecting the Add check box.

  3. Click Search to list all staged add operations in the Search result list box. You should see 100 records listed, as shown in Figure 2.48.

  4. Select the first object in the list box and click Properties. The detailed view of the connector space object and its state information is displayed. The operation on the connector space object was an add, and all attributes are additions (the changes column is set to add) to the connector space object, as shown in Figure 2.49.

  5. Click the Lineage tab. Lineage indicates the current state of the object when it was changed and what rule caused the change. The connector space object is a Normal Disconnector.

  6. Click Preview.

  7. On Start Preview, under Select preview mode, select Full synchronization, and then click Generate Preview, as shown in Figure 2.50.

In the Preview dialog box, the rules applied to this object in the Microsoft Identity Integration Server 2003 synchronization process are displayed. The details pane shows the results of the rules applied to this object.

  1. To see the connector filter rule, under Contents, click Connector Filter.

  2. To see the results of the projection rule (declared projection rule for person object type), click Join and Projection.

  3. To see the import attribute flow rules applied to the metaverse, click Import Attribute Flow.

  4. Click Close.

  5. Click Close.

Using the Audit File to Investigate Staged Operations

The audit file is another method used to investigate the operations associated with a connected system. Audit files are stored in the working directory for an MA.

To use the audit file to investigate staged operations

  1. Open Windows Explorer, and browse to the Fabrikam HR MA working directory.

  2. Open the file audit-full-import.xml.

The contents of the audit file are displayed in Microsoft Internet Explorer.

Projecting the HR Objects from the Connector Space to the Metaverse

All the objects from the HR system are in the connector space. The next step is to project them into the metaverse.

Because all the information needed to create the metaverse objects is already in the Microsoft Identity Integration Server 2003 connector space, no further import is necessary. Instead, a special Microsoft Identity Integration Server 2003 run is used to apply all staged changes to the metaverse.

To project the HR objects from the connector space to the metaverse

  1. Click Fabrikam HR MA, and then click Run.

  2. In the Run Management Agent dialog box, under Run profile, click Delta Synchronization (this action projects the user objects from the connector space to the metaverse).

  3. Click OK.

    While the MA is running, the screen indicates its status as Running, and the Projections counter in the Inbound Synchronization Statistics increases from 0 to 100.

    When the MA run is complete, the status changes to Idle, and the counter reflects the 100 projections into the metaverse, indicating that 100 objects are added or created in the metaverse by the Delta Synchronization run. Inbound Synchronization Statistics show all changes that were applied from the connector space to the metaverse, as shown in Figure 2.51.

Using Search Connector Space to Investigate the Projections into the Metaverse

By using Search Connector Space, you can investigate the results of any operation on connector space objects.

To use Search Connector Space to investigate the projections into the metaverse

  1. To see the objects that were projected from the connector space of the Fabrikam HR MA to the metaverse, click Search Connector Space, choose Connected Since, and then set the current date and time to a time before the MA was run.

  2. Click Search.

    100 records appear in the list. The Connection Method column shows that the join of the connector space object to the metaverse was a result of a Microsoft Identity Integration Server 2003 join or projection rule. All values of the Connection Method column show the value projection-rules. The Connection Time column displays the time when the connection to the metaverse object occurred, as shown in Figure 2.52.

Using Metaverse Search to Check for an Object

You can also check the results of a management agent run profile by using Metaverse Search. Metaverse Search allows you to examine metaverse objects to verify that the run profile completed the operations successfully.

  1. In Identity Manager, click Metaverse Search.

  2. Click Add Clause.

  3. Select sn as the Attribute, Equals as the Operator, and then type ange as the value.

  4. Click Search.

    One object with the displayName of Rosa Ange appears in the Search results list, as shown in Figure 2.53.

  5. Right-click this object and then click Properties.

    Figure 2.54 shows the object, all of its values and from which management agent they are derived. Also, all of the connected objects for this metaverse object are displayed.

    Note

    Queries in Metaverse Search are not stored on the server running Microsoft Identity Integration Server 2003. Queries can be saved to files and later opened.

Joining Fabrikam Telephone MA Data

Join the data from Fabrikam Telephone MA to the metaverse objects that were projected by the Fabrikam HR MA run profile. To join the data from Fabrikam Telephone MA to the metaverse objects, perform the following tasks:

  • Stage the Telephone system objects in the connector space

  • Use Search Connector Space and Preview to investigate possible joins to the metaverse

  • Apply the join to the staged objects

  • Use Search Connector Space to examine the joins to the metaverse

  • Use Metaverse Search to verify attribute sources

Staging Telephone System Objects in the Connector Space

First stage the Telephone system objects in the connector space so that you can investigate the staging operation before joining the objects to the metaverse.

To stage the Telephone system objects in the connector space

  1. In Identity Manager, on the Tools menu, click Management Agents.

  2. Under Name, click Fabrikam Telephone MA, and then click Run.

  3. In the Run Management Agent dialog box, click Full Import, and then click OK.

    When the MA run is finished, the counters display that 100 new objects were created in the connector space for the Telephone MA, as shown in Figure 2.55.

    Note

    When the hyperlink on a statistic is selected, the list of objects that were processed for this statistic appears.

Using Search Connector Space and Preview to Investigate Possible Joins to the Metaverse

Before joining objects from the connector space to the metaverse, use Search Connector Space to investigate the staged operations and Preview to see how the connector space objects will appear in the metaverse after they are joined.

To use Search Connector Space and Preview to investigate possible joins to the metaverse

  1. To see which objects are staged in the connector space of the Fabrikam Telephone MA, click Search Connector Space, choose Pending Import as the search criteria and limit the search to add operations by selecting the Add check box.

  2. Click Search to list all staged add operations in the Search result list box. 100 records are listed.

  3. Click the first record in the Search Results list box.

  4. In Search connector space, click Preview.

  5. On Start Preview, under Select preview mode, select Full synchronization, and then click Generate Preview.

  6. In Preview, click Join and Projection to identify the join rule that joined the connector space object to the metaverse object, as shown in Figure 2.56.

  7. Click the matches “…” button to display the metaverse object to which this connector space object.

  8. Click Close.

  9. Click Close.

Applying the Join to the Staged Objects

All the objects from the Fabrikam Telephone system are in the connector space. The next step is to apply the join to the staged objects. Because all the information needed to join the metaverse objects is already in the Microsoft Identity Integration Server 2003 connector space, no further import is necessary.

To apply a Join to staged objects

  1. In Identity Manager, from the Tools menu, click Management Agents, click the Fabrikam Telephone MA, and then click Run.

  2. Click Delta Synchronization.

  3. Click OK.

    While the MA is running, the screen indicates its status as Running, and the Joins counter in the Synchronization Statistics increases from 0 to 100.

    The 100 connectors with flow updates show that the 100 objects with telephone data in the fixed width telephone system file were joined with the 100 objects from the HR system in the metaverse, as shown in Figure 2.57.

Using Search Connector Space to Investigate the Joins into the Metaverse

By using Search Connector Space, you can investigate the results of the join into the metaverse.

To use Search Connector Space to investigate joins in the metaverse

  1. To see which objects were joined from the connector space of the Fabrikam Telephone MA to the metaverse, click Search connector space, choose Connected Since as the search criteria and set the current date and time to a time before the MA was run.

  2. Click Search.

    100 records appear in the list. The Connection Method column shows that the join of the connector space object to the metaverse was a result of a Microsoft Identity Integration Server 2003 join rule or projection rule. All values of the Connection Method column should show the value join-rules. The Connection Time column displays the time when the connection to the metaverse object occurred, as shown in Figure 2.58.

Using Metaverse Search to Verify Attribute Sources

You can also verify attribute sources by using Metaverse Search. Metaverse Search allows you to examine metaverse objects to verify that the run profile completed the operations successfully.

To use metaverse search to verify attribute sources

  1. Switch to Metaverse Search.

  2. Verify that the telephone system information was applied to the objects in the metaverse by searching for Rosa Ange again.

  3. Return to the Metaverse Search window and double-click the Rosa Ange object, as shown in Figure 2.59.

The facsimileTelephoneNumber, mobile, pager, and telephoneNumber attributes show Fabrikam Telephone MA as the source of the data. The Fabrikam HR MA provided the remainder of the attributes.

  1. Click the Connectors tab.

    Note that this metaverse object now has two connectors, one in the connector space of the Fabrikam HR MA and another one in connector space of the Fabrikam Telephone MA.

Enabling Provisioning

After you review the data that was imported into Microsoft Identity Integration Server 2003, you need to provision the user accounts into Active Directory. To provision the user accounts into Active Directory, perform the following tasks:

  • Change the server configuration

  • Configure the Fabrikam HR MA run profile for provisioning

Change Server Configuration

Change the server configuration so that you can configure rules extensions that will be used to provision the accounts in Active Directory.

To change the server configuration

  1. In Identity Manager, on the Tools menu, click Configure Extensions.

  2. On the Configure Extensions dialog box, click Enable Metaverse Rules Extensions, as shown in Figure 2.60.

    Note

    Ensure that you have a copy of the HRProvisioning.dll file in the Extensions subfolder under the Microsoft Identity Integration Server 2003 installation location.

  3. To pick the name of the Rules Extension from the list of files in the Extensions folder, click Browse, as shown in Figure 2.61.

  4. Select HRProvisioning.dll from the list of file names.

  5. Click OK.

    In the Rules Configure Extensions dialog box, you should see the filename HRProvisioning.dll that you selected in the Assembly name field.

  6. Click Enable Provisioning Rules Extension, as shown in Figure 2.62.

  7. Click OK.

Configure the Fabrikam HR MA Run Profile for Provisioning

Next you will create a Full Synchronization run profile for the HR MA to provision accounts.

When this run profile is used, the provisioning extension configured in the previous step will be used to create connector space objects for export to Active Directory by using the Fabrikam AD MA.

To perform HR MA provisioning

  1. From Management Agents, click Fabrikam HR MA, and then click Configure Run Profiles.

  2. Click New profile.

  3. In Profile Name, in Name, type Provisioning.

  4. Click Next.

  5. In Type, select Full Synchronization.

  6. Click Next.

  7. In Partition, select default.

  8. Click Finish. Verify that your screen appears as shown in Figure 2.63.

  9. Click Apply, and then click OK.

Provisioning Accounts to Active Directory

After you enable provisioning, provision the accounts to Active Directory.

To provision accounts to Active Directory

  1. On the server running Microsoft Identity Integration Server 2003, open Command Prompt.

  2. Switch to the directory where the scenario files are copied.

  3. Run the command file run-provisioning-cycle.cmd.

  4. This file performs the following operations by using the Microsoft Identity Integration Server 2003 WMI Instance provider:

    1. Runs the Fabrikam AD MA with the Full Import run profile. This operation is for an initial discovery of the containers (Microsoft Identity Integration Server 2003 does not create a container hierarchy automatically during provisioning).

    2. Runs the Fabrikam HR MA with the Provisioning run profile. This operation applies rules to the metaverse objects and provisions user accounts into the Fabrikam AD MA connector space.

    3. Runs the Fabrikam AD MA with the Export run profile. This operation puts the objects from the Fabrikam AD MA connector space into Active Directory.

    4. Opens the audit-export.xml file in the MA working directory of the Fabrikam AD MA by using Microsoft Internet Explorer to see the changes that Microsoft Identity Integration Server 2003 sent to Active Directory.

    5. Opens the audit-delta-import file in the MA working directory of the Fabrikam AD MA by using Microsoft Internet Explorer to see the changes that Microsoft Identity Integration Server 2003 received from Active Directory after running the Export run profile.

    After this point, 100 active users should be provisioned into Active Directory.

  5. Log on to Active Directory with a user name of range-miis and a password of UK0122999. If you are logging onto an Active Directory domain controller, you need to enable the Allow user to logon locally user right for this user account.

  6. In Identity Manager, on the Tools menu, click Operations.

  7. Verify that the management agents run profiles were successful by reviewing the Status column, as shown in Figure 2.64.

Backing Up and Restoring Microsoft Identity Integration Server 2003

In this section, you will back up and restore the server running Microsoft Identity Integration Server 2003. You can perform this step at any point in this scenario.

To back up and restore Microsoft Identity Integration Server 2003

  1. Close Identity Manager.

  2. Open the Command Prompt and browse to the Microsoft Identity Integration Server 2003 bin directory (InstallationPath\Microsoft Identity Integration Server\bin).

  3. At the command prompt, type:

    miiskmu /e mymiiskey.bin /u:<miis-service-account> <password> /q

    Replace the information after /u with your Microsoft Identity Integration Server 2003 service account credentials.

  4. The Microsoft Identity Integration Server 2003 key management utility, miiskmu, should start and write the file mymiiskey.bin into this directory.

  5. Copy this file to a secure location. You need it for the restore.

    Note

    You can start miiskmu without any parameters. This will start the user interface (UI) of the Microsoft Identity Integration Server 2003 key management utility. It is recommended that you back up the Microsoft Identity Integration Server 2003 Key Set immediately after setup of Microsoft Identity Integration Server 2003.

  6. To open SQL Server Enterprise Manager, click Start, click Programs, click Microsoft SQL Server, and then click Enterprise Manager.

  7. Use the SQL Server Enterprise Manager to browse to the Microsoft Identity Integration Server 2003 database, as shown in Figure 2.65.

  8. Right-click the Microsoft Identity Integration Server 2003 database, click All Tasks, and then click Backup Database.

  9. Ensure that Database – complete is selected, as shown in Figure 2.66.

  10. Click Add to add the destination of the backup file.

  11. In the Select Backup Destination dialog box, type MIISdb-complete after the SQL Backup path, as shown in Figure 2.67.

  12. Click OK.

  13. To start backing up the Microsoft Identity Integration Server 2003 database, click OK. After the backup is complete, the SQL Server Enterprise Manager message box should appear as shown in Figure 2.68.

  14. Click OK.

Do not close the SQL Server Enterprise Manager at this point.

  1. In Add or Remove Programs, uninstall Microsoft Identity Integration Server 2003.

  2. In SQL Server Enterprise Manager, right-click Microsoft Identity Integration Server database, and then click Delete.

    Important

    Ensure that the Delete backup and restore history for the database check box is not selected, as shown in Figure 2.69.

  3. Click Yes (after verifying that the check box is not selected).

This will delete the database in SQL Server.

  1. Right-click Databases, click All Tasks, and then click Restore Database.

  2. In Restore as database, type MicrosoftIdentityIntegrationServer.

  3. In Restore database, ensure that you select the right location in the Restore From column (the location that you typed earlier).

If you followed the naming convention, this location is MIISdb-complete.

  1. Click OK.

    Verify that the message box shown in Figure 2.71 appears, indicating the successful restore of the Microsoft Identity Integration Server 2003 database.

  2. Click OK.

  3. Close SQL Enterprise Manager.

  4. Start Microsoft Identity Integration Server 2003 Setup from the Microsoft Identity Integration Server 2003 installation media.

  5. Continue with all the setup options and ensure that you point to the SQL Server where the Microsoft Identity Integration Server 2003 database was just restored.

    After confirming all setup options and starting the installation you will be prompted with the dialog box shown in Figure 2.72.

  6. Click Yes to indicate that this is a restore installation.

    You are prompted with a dialog box asking if you want to import the encryption key.

  7. Click Yes to indicate that you want to import the Encryption Key file now.

  8. Specify the encryption key file that you saved earlier (e.g. mymiiskey.bak).

    Note

    The prompt for the key file name will not occur if the restore setup detects a valid key set exists on the system. This is the case in this scenario and setup will continue without prompting for the file name. By deleting the user profile of the service account, the encryption keys will get deleted and the prompt will occur.

  9. Click OK to finalize the restore installation process.

  10. Start Identity Manager.

    You will see that all steps you ran before are available in Operations. Also verify that all three management agents are available.

    Note

    If you installed Microsoft Identity Integration Server 2003 in a different directory, the MA working directories no longer contain the scenario files. Do not forget to copy the scenario files into the new MA working directories.

Running the HR MA and Introducing Changes

To run the HR MA and introduce changes

  1. Use each Run Profile created earlier in this document.

    You need to follow each of the run profiles with a run of the Export run profile for the Fabrikam AD MA. Running this profile causes the changes made by running the HR MA to flow to the Active Directory data source.

  2. You can run each delta change as described in the following sections. This will make you more familiar with the Search connector space and audit file features in Microsoft Identity Integration Server 2003.

    Important

    Note that the results of the Preview and connector space Object Viewer will vary for the different changes.

  3. After you run each of the run profiles listed below, return to the command prompt opened earlier and run the run-export-AD.cmd file to export your changes from Microsoft Identity Integration Server 2003 to Active Directory.

Delta Import Changes 1: Set Active to Inactive

The first delta import changes the value of the employeeStatus attribute of an object in the Fabrikam HR MA connector space from Active to Inactive.

To stage changes into the Fabrikam HR connector space

  1. Run the HR MA Delta Import Changes 1 Run Profile.

  2. Using Microsoft Internet Explorer, open the audit-delta-import file in the MA working directory of the Fabrikam HR MA to see the changes Microsoft Identity Integration Server 2003 imported from the delta file.

    Use Search Connector Space and Preview to investigate the changes from the first delta import.

To use Search Connector Space and Preview to investigate changes and export attribute flow on the Fabrikam HR MA

  1. To see the objects that were changed in the connector space of the Fabrikam HR MA, click Search connector space, choose Import Delta as the search criteria and set the current date and time to a time before the MA was run.

  2. Click Search.

    You will see 1 record listed. Note that the Operations column signals that this object was an update.

  3. Click this record, and then click Properties.

    The Connector Space Object Properties dialog box appears. On the Import tab, you should see that the employeeStatus attribute is marked with the change of modify. The Old Value and New Value columns show the value changes of the attribute.

  4. Click Preview.

  5. On Start Preview, under Select preview mode, select Delta synchronization, and then click Generate Preview.

  6. Click Import attribute flow.

    Note that the employeeStatus metaverse attribute also has changes applied.

  7. Click to expand Connector Updates, click to expand CN=Angel,Rosa…, and then click Export Attribute Flow.

    Note that the userAccountControl data source attribute also has changes applied.

  8. Click Close.

    After using Search Connector Space and Preview to investigate changes and export attribute flow, apply the staged changes from the Fabrikam HR MA connector space.

To apply the staged changes from the Fabrikam HR MA connector space

  1. Run the HR MA Delta Synchronization Run Profile.

    After you apply the staged changes from the Fabrikam HR MA connector space, use Search Connector Space and Preview to investigate export changes to the Fabrikam AD MA connector space.

To use Search Connector Space and Preview to investigate export changes to the Fabrikam AD MA

  1. To see the objects that were changed in the connector space of the Fabrikam AD MA, click Search connector space, choose Pending Export as the search criteria and check Modify.

  2. Click Search to list all connector space objects with pending modification exports in the Search result list box.

    You will see 1 record listed. The operation column indicates that the modification is an update.

  3. Click this record, and then click Properties.

    On the Pending Export tab, the object has new department and userAccountControl attributes, and they are marked with the change of modify.

  4. Click OK, and then click Close.

    For the final step, export the changes to Active Directory.

To export changes to Active Directory

  1. Run the AD MA Export Run Profile.

    This operation will move and disable the user Rosa Ange (range) in Active Directory. You can verify this operation by noting the move of the Rosa Ange object from ou=Users to ou=Disabled Users on the Active Directory domain controller.

  2. Using Microsoft Internet Explorer, open the audit-export.xml file in the MA working directory of the Fabrikam AD MA to see the changes Microsoft Identity Integration Server 2003 sent to Active Directory.

Delta Import Changes 2: Set Inactive to Active

This operation will reverse the actions taken above and return the value of the employeeStatus attribute of the Rosa Ange user from inactive back to active, triggering the move of that object back into the ou=Users container on the Active Directory domain controller.

To set user from inactive to active

  1. Run the HR MA Delta Import Changes 2 Run Profile.

  2. Run the Delta Synchronization Run Profile.

  3. Run the AD MA Export Run Profile.

Delta Import Changes 3: Rename by Changing CN (last name changes)

This operation renames the user by changing cn (last name changes) for the Auro Bachelu user. Note that Bachelu is changed to Bachelu-Butterflier.

To rename the user by changing the cn attribute

  1. Run the HR MA Delta Import Changes 3 Run Profile.

  2. Run the Delta Synchronization Run Profile.

  3. Run the AD MA Export Run Profile.

Delta Import Changes 4: Terminate an Account

This operation deletes Chee Baillon and removes that user from the system.

To terminate an account

  1. Run the HR MA Delta Import Changes 4 Run Profile.

  2. Run the Delta Synchronization Run Profile.

  3. Run the AD MA Export Run Profile.

Delta Import Changes 5: Change Title, Manager, branchID

This operation will change the Title, Manager, and branchID for Sheelah Basarah. You can verify this operation by searching for Sheelah in the metaverse and looking at the properties of the metaverse object.

To change Title, Manager, BranchID

  1. Run the HR MA Delta Import Changes 5 Run Profile.

  2. Run the Delta Synchronization Run Profile.

  3. Run the AD MA Export Run Profile.

Full Import Zero Bytes: Checking the Windows Event Viewer

This operation demonstrates some problems that can occur after a run profile completes and how you can investigate the problem.

Checking the Windows Event Viewer

  1. Open Event Viewer.

  2. In Event Viewer, open the Application folder.

  3. Run the HR MA Full Import Zero Bytes Run Profile.

    The profile does not start. Instead, it logs an event with the event category Microsoft Identity Integration Server 2003 Run Profile and the Event ID 6013 to the application event log. When you double-click this object, you can see details regarding why the run failed, as shown in Figure 2.73.

  4. In Identity Manager, click Operations.

There you also see run failures. In this example a no-start-file-empty is reported, as shown in Figure 2.74.

Full Import Obsolete: Deletes Records

This section shows the usage of the Stage objects to connector space and stop run import run sub-step, along with WMI, to determine if imported changes are applied to the metaverse.

Full import obsolete

  1. Open Command Prompt.

  2. Run the import-stage-check-for-deletions.cmd file to start the following process:

    1. The command batch file starts the Fabrikam HR MA with the Run Profile Full Import Obsolete.

    2. It then checks whether the deletion ratio for the Fabrikam HR MA is over 20%.

    3. The command file stops the cmd-batch file because the number of deletions is 99. Because there are 100 objects in the connector space, this is 99%, which is over the 20% limit set in the batch file.

    4. If the ratio had been under 20% the command batch file would have continued applying the changes by activating the Delta Synchronization Run Profile on the Fabrikam HR MA. Take a moment to open the command file using Notepad and see how it is organized.

    5. For this scenario, deleting 99% of the objects is OK.

    6. To apply these deletions, switch to the Management Agents view in Identity Manager and run the Delta Synchronization run profile on the Fabrikam HR MA.

    7. Run the Fabrikam AD MA export profile. This will delete all of the users in Active Directory except Rosa Ange.

    Note

    Recovering from this state of unwanted deletions is easy. A correct full import file needs to be provided and a Full Import run profile activated. This cleans the unwanted deletions. As an alternative to applying the deletions in this section, run the Full Import profile on the HR MA.
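The deletion-threshold check described above, written out as an added PowerShell example; it is not the walkthrough's import-stage-check-for-deletions.cmd file, whose contents are not shown on this page. It assumes PowerShell is available on the MIIS server, that the MIIS WMI provider is reachable under root\MicrosoftIdentityIntegrationServer, and that the run profiles are named as in this walkthrough; the exit codes are choices of this example.

```powershell
# Added example: stage an import, then refuse to synchronize if too many
# connector space objects are staged for deletion.
param(
    [string]$MaName        = 'Fabrikam HR MA',
    [string]$ImportProfile = 'Full Import Obsolete',   # stage-and-stop import profile
    [string]$SyncProfile   = 'Delta Synchronization',
    [double]$MaxDeletePct  = 20                         # limit used in the walkthrough
)

# The MIIS WMI provider exposes each management agent as MIIS_ManagementAgent.
$ma = Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' `
        -Class MIIS_ManagementAgent -Authentication PacketPrivacy `
        -Filter "Name='$MaName'"
if (-not $ma) {
    Write-Error "Management agent '$MaName' not found."
    exit 2
}

# Execute blocks until the run finishes and returns the run status string.
$status = $ma.Execute($ImportProfile).ReturnValue
if ($status -ne 'success') {
    Write-Error "Import '$ImportProfile' ended with status '$status'; nothing synchronized."
    exit 2
}

$deletes = [int]$ma.NumImportDelete().ReturnValue   # deletions staged by the import
$total   = [int]$ma.NumCSObjects().ReturnValue      # objects in the connector space
if ($total -eq 0) {
    Write-Error "Connector space of '$MaName' is empty; cannot compute a ratio."
    exit 2
}

$pct = [math]::Round(100.0 * $deletes / $total, 1)
if ($pct -gt $MaxDeletePct) {
    # Fail closed: leave the staged deletions for an operator to review.
    Write-Warning "$deletes of $total objects ($pct%) are staged for deletion; limit is $MaxDeletePct%. Stopping before synchronization."
    exit 1
}

$syncStatus = $ma.Execute($SyncProfile).ReturnValue
Write-Output "Deletion ratio $pct% is within the limit; '$SyncProfile' finished with status '$syncStatus'."
```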

Running the Fabrikam Telephone MA

As with the Fabrikam HR MA changes, you should run the Fabrikam Telephone MA with the change in telephone number so that it can be exported to the Fabrikam AD MA. When you run this profile, you will see a warning dialog box. The warning appears because you enabled metaverse rules extensions after you created the run profile, and in some situations, a synchronization-only full synchronization run would be required. In this case, though, you can safely ignore the warning and proceed.

Delta Import Changes: changes a phone number on employee Rose Ange, ID UK0122999.

Using Search and Preview

To make yourself more familiar with Microsoft Identity Integration Server 2003, try the following troubleshooting scenarios:

  • Provoke a provisioning error. For example, adjust the simpleprov.xml <root /> node value to have an invalid root (parent) DN constructed. Use the connector space error in Operations view to identify this and use connector space Search and Preview mode to see the connector space object fail provisioning.

  • Provoke an export error by adjusting the simplprov.xml <sam-suffix /> node value to have more than 20 characters. Use connector space search and Validate export to find the schema violation.

Using Import and Export Server Configuration

Import and Export server configuration enables you to save a complete Microsoft Identity Integration Server 2003 server configuration and restore it either to another server running Microsoft Identity Integration Server 2003 or to the original server. By restoring a server configuration to the original server, you can restore earlier settings. Note that no data is imported or exported. Only the server configuration of Microsoft Identity Integration Server 2003 is imported or exported (for example, MAs, MA rules, metaverse schema, metaverse deletion rules, and so on).

To export server configuration

  1. Using Windows Explorer, create a new folder, C:\MIIS30Export.

  2. In Identity Manager, from the File menu, click Export Server Configuration.

    Verify that the message shown in Figure 2.75 appears.

    This message indicates that MA runs will be disabled during the export operations and that no further configuration will be allowed until the export is completely done.

  3. Click OK.

  4. Click Browse to folder, and select C:\MIIS30Export.

  5. Click OK.

    The Export Server Configuration starts and displays a dialog box that contains information about the progress of the export operation, as shown in Figure 2.76.

  6. After the completion of the export, click OK.

Import server configuration

  1. Install Microsoft Identity Integration Server 2003 on another server.

  2. Ensure that this server has access to the same connected data sources as the initial server on which you installed and configured Microsoft Identity Integration Server 2003.

    In this scenario, the connected data source is the Fabrikam Active Directory.

  3. Copy all exported files from the previous step (in C:\MIIS30Export) to the new server running Microsoft Identity Integration Server 2003 in a separate directory (C:\MIIS30Import).

  4. Open Identity Manager on the new server running Microsoft Identity Integration Server 2003.

  5. From the File menu, click Import Server Configuration.

    Verify that the message shown in Figure 2.77 appears.

  6. Click OK.

  7. From the Browse for folder dialog box, select the folder with the import files (C:\MIIS30Import), and then click OK.

    The Import Server Configuration starts and displays a dialog box that contains information about the progress of the import operation.

  8. After the import is complete, click OK.

  9. Verify that the new server running Microsoft Identity Integration Server 2003 has the same configurations as the server running Microsoft Identity Integration Server 2003 from which you exported the configuration.

  10. Rerun the scenario to verify that the system is fully functional and the numbers are correct.

    Note

    Because credentials are not preserved in the Import/Export server configuration, you will be prompted to enter new credentials for call-based management agents. Also, copy all extension DLLs into the extensions folder and, for the file-based management agents, copy the scenario files into the MA working directories. Extensions and MA working directories are not saved and restored by this feature.
