Extending the Value of the Directory
Mark Cribben, Consultant
TRANSCRIPT
Extending the schema
Why modify the schema?
Rules for schema modification
Process for schema changes
What if it goes wrong?
Why modify the schema?
New AD-aware commercial applications
– Usually have their schema changes integrated into the setup programme
– Should have followed the AD schema rules
In-house applications that are AD-aware
Additional attributes to support business or IT processes
Rules for schema modification
Documenting the existing schema
– You can use the schemadoc program available from here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/schemadoc.asp
Valid OIDs. The importance of using OIDs from your own registered arc cannot be stressed enough.
– http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier.asp
Who can perform the modification? (only members of the Schema Admins group)
Where the modification can be performed (only on the DC holding the Schema Master FSMO role)
Process for schema changes
Identify the Schema FSMO
Identify the administrator to perform the operation
Test!!
Take the Schema FSMO off the network, plus one other DC that is a direct replication partner
Apply the changes on the isolated Schema FSMO
Verify successful application of changes
Re-introduce the Schema FSMO once the changes have been verified
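As an added worked example (not part of the original presentation), the following PowerShell runbook walks through the process above for a single new attribute. Everything specific in it is an assumption: the forest corp.fabrikam.com, the attribute name fabrikam-costCentre, the OID 1.3.6.1.4.1.99999.1.1 (a placeholder, not a registered arc; obtain your own), and the use of repadmin to isolate the Schema Master rather than physically unplugging it. It assumes the ActiveDirectory PowerShell module, ldifde and repadmin are available, and that the operator was added to Schema Admins before logging on, since group membership is only read into the access token at logon.

```powershell
# Added example, not from the original presentation. Assumptions: forest
# corp.fabrikam.com, attribute fabrikam-costCentre, placeholder OID
# 1.3.6.1.4.1.99999.1.1 (use one from your own registered arc).
Import-Module ActiveDirectory

$attrName = "fabrikam-costCentre"
$attrOid  = "1.3.6.1.4.1.99999.1.1"   # placeholder, NOT a registered OID
$ldfPath  = ".\$attrName.ldf"

# Step 1: identify the Schema FSMO and the schema naming context.
$schemaMaster = (Get-ADForest).SchemaMaster
$schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext

# Step 2: confirm the operator's token actually carries Schema Admins.
# Membership is read into the token at logon, so being added to the group in
# this session is not enough; the group should otherwise be kept empty.
$token  = [Security.Principal.WindowsIdentity]::GetCurrent()
$groups = $token.Groups | ForEach-Object {
    try { $_.Translate([Security.Principal.NTAccount]).Value } catch { $null } }
if (-not ($groups -like "*\Schema Admins")) {
    throw "Current logon is not a member of Schema Admins; add the account, log on again, then re-run"
}

# Step 3 (test) is done by running this same script against a lab forest first.

# Step 4: isolate the Schema FSMO. Disabling outbound replication keeps a bad
# change on this DC until it has been verified; the partner DC named in the
# process above is isolated the same way.
repadmin /showrepl $schemaMaster
repadmin /options $schemaMaster +DISABLE_OUTBOUND_REPL

# The change: one single-valued Unicode string attribute (syntax 2.5.5.12 /
# oMSyntax 64), indexed (searchFlags 1), then added to mayContain of user.
# ldifde -c rewrites DC=X to the real schema naming context.
$ldif = @"
dn: CN=$attrName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: $attrOid
lDAPDisplayName: $attrName
adminDisplayName: $attrName
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
isMemberOfPartialAttributeSet: FALSE

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: $attrName
-
"@
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldfPath -s $schemaMaster -c "DC=X" "#schemaNamingContext" -j .
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed (see ldif.log); Schema FSMO left isolated, see 'What if it goes wrong?'"
}

# Step 5: verify on the isolated DC before anything replicates.
$attr = Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attrName))" -Properties attributeID
$user = Get-ADObject -Server $schemaMaster -Identity "CN=User,$schemaNC" -Properties mayContain
if (-not $attr -or $attr.attributeID -ne $attrOid -or $user.mayContain -notcontains $attrName) {
    throw "Verification failed on $schemaMaster; leave it isolated and follow the recovery steps"
}
Write-Host "$($attr.DistinguishedName) present and linked to user; re-enabling replication"

# Step 6: re-introduce the Schema FSMO and push the verified change out.
repadmin /options $schemaMaster -DISABLE_OUTBOUND_REPL
repadmin /syncall $schemaMaster /APed

# Back to least privilege: take the operator out of Schema Admins again.
Remove-ADGroupMember -Identity "Schema Admins" -Members $env:USERNAME -Server $schemaMaster -Confirm:$false
```

If verification fails the script deliberately leaves outbound replication disabled on the Schema Master, which is the state the "What if it goes wrong?" slide assumes: the DC can then be removed from the forest and the role seized elsewhere without the failed change ever reaching another DC.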
What if it goes wrong?
Remember: schema changes cannot be rolled back via authoritative restore!
During change:
– Is the Schema FSMO still offline?
– If not, why not?!
– If it is, remove it permanently from the forest (so the failed change never replicates)
– Seize the FSMO role to another functioning DC
Post change:
– What do you need to change?
– Defunct the unwanted schema classes / attributes (they cannot be deleted)
Current field experiences
Most customers have had a trouble-free upgrade experience, specifically in going from Windows 2000 to Windows Server 2003 (adprep /forestprep)
The most common situation is the mangled attribute problem:
http://support.microsoft.com/default.aspx?scid=kb;en-us;314649
Some reports of third party applications that have caused schema conflicts
– No real workaround. Contact the application vendor and get them to fix the problem
– Changes to Adprep in Windows Server 2003 SP1
ADAM Background
Same programming model as Active Directory
– Supports ADSI, LDIF files, LDAP APIs, System.DirectoryServices
Replication & Administration model similar to AD
Same store as AD: the DIT file and log file layout is the same
Differences from NOS AD:
– No locator via DNS SRV records – instead uses Service Connection Points
– No MAPI protocol support
– Does not integrate with LSASS
ADAM Architecture
Same code base as Active Directory in Windows 2003
Familiar tool set and capabilities
[Diagram: Infrastructure Active Directory versus Active Directory in Application Mode]
Active Directory: LSASS hosts the DSA, LDAP, SAM, MAPI, REPL, KDC and Lanman, with dependencies on DNS and FRS
ADAM: DSA, LDAP and REPL only (traditional AD minus infrastructure management)
ADAM in the field
Core uses of ADAM so far:
– Developers needing an LDAP directory
– Supplementary LDAP directory for internal employee information
– Application directory
– Internet / Intranet application directory service
Example use of ADAM
Financial Services organisation
Using ADAM to supplement online banking authentication:
– Authentication performed by a third party product
– Uses ADAM as the repository for customer authentication data and account information
– Currently hosting approximately 3 million user objects
Example use of ADAM
Migrated from Site Server
ADAM is used to store the user account information and authentication criteria
Schema extended to support third party authentication server
Stores information about the online accessible accounts the customer has and how to retrieve the necessary info for the customer
Essentially one active ADAM instance although there are 3 instances in the configuration set
Auditing was critical to this scenario, and they are using the R2 version of the management tools to set explicit ACLs on objects in ADAM
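As an added example (not from the original presentation and not any vendor's code), the script below builds the kind of repository described in the two ADAM scenario slides: an unattended ADAM instance with its own application partition, a separate ADAM user for the third-party authentication server, and an explicit read-only ACL on the customer data rather than membership of a built-in role. Every concrete value is an assumption: the instance name BankAuth, ports 50000/50001, the partition O=Bank, the OU and account names, the paths, and the answer-file keys (those documented for ADAM; check them against your ADAM version). It assumes an SSL certificate is installed for the instance, because ADAM rejects password operations over an unencrypted connection by default.

```powershell
# Added example, not from the original presentation or any vendor. Assumptions:
# instance BankAuth, ports 50000/50001, partition O=Bank, OU/account names and
# paths, and the ADAM answer-file keys. Run elevated on the ADAM host.
Add-Type -AssemblyName System.DirectoryServices

# 1. Unattended install of an instance holding its own application partition.
#    MS-User.LDF supplies the user class so customers and the service account
#    can be ADAM security principals rather than Windows accounts.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=BankAuth
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=O=Bank
DataFilesPath=C:\ADAM\BankAuth\Data
LogFilesPath=C:\ADAM\BankAuth\Logs
ImportLDIFFiles="MS-User.LDF"
"@
New-Item -ItemType Directory -Path C:\ADAM -Force | Out-Null
Set-Content -Path C:\ADAM\bankauth-answer.txt -Value $answer -Encoding ASCII
& "$env:windir\ADAM\adaminstall.exe" /answer:C:\ADAM\bankauth-answer.txt
if ($LASTEXITCODE -ne 0) { throw "adaminstall failed with exit code $LASTEXITCODE" }

# 2. Bind to the instance. ADAM has no DNS locator, so host and port are explicit;
#    the current Windows identity is an ADAM administrator because it ran the install.
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://localhost:50000/O=Bank")

# 3. Keep the customer data and the accounts that read it in separate containers.
$customers = $root.Children.Add("OU=Customers", "organizationalUnit"); $customers.CommitChanges()
$service   = $root.Children.Add("OU=Service",   "organizationalUnit"); $service.CommitChanges()

# 4. One ADAM user for the third-party authentication server.
$svc = $service.Children.Add("CN=AuthSvc", "user")
$svc.Properties["msDS-UserAccountDisabled"].Value = $false   # ADAM's enable flag
$svc.CommitChanges()
$svc.RefreshCache()

#    Its password is set over the SSL port: ADAM refuses password operations on
#    an unencrypted connection by default, and that default should stay in place.
$password = Read-Host "Password for AuthSvc (hand it to the auth server out of band)"
$svcSsl = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://localhost:50001/CN=AuthSvc,OU=Service,O=Bank", $null, $null,
    [System.DirectoryServices.AuthenticationTypes]"Secure,SecureSocketsLayer")
$svcSsl.Invoke("SetPassword", @($password))

# 5. Explicit ACL: AuthSvc may read the Customers subtree and nothing else. It is
#    deliberately not added to the partition's Readers or Administrators roles.
$sid  = New-Object System.Security.Principal.SecurityIdentifier(([byte[]]$svc.Properties["objectSid"].Value), 0)
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$customers.ObjectSecurity.AddAccessRule($rule)
$customers.CommitChanges()

# 6. Read the ACL back and fail loudly if the service account can write anything.
$customers.RefreshCache()
$mine = $customers.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object { $_.IdentityReference -eq $sid }
$mine | Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType, InheritanceType
$writeMask = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
if ($mine | Where-Object { $_.AccessControlType -eq "Allow" -and (([int]$_.ActiveDirectoryRights) -band $writeMask) -ne 0 }) {
    throw "AuthSvc has write access to customer data; fix the ACL before going live"
}
```

The ACL is written with System.DirectoryServices rather than dsacls so that the resulting entries can be read back and checked in the same script; the same ActiveDirectoryAccessRule types work against AD and ADAM because, as the architecture slide says, they share the DSA and LDAP code.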
IIFP Background
The “free” version of MIIS
– Available as a download from microsoft.com:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en
Requires Windows Server 2003 Enterprise Edition, SQL Server 2000 SP3+
Provides synchronisation between AD, ADAM and Exchange
–No external or third party products
Common Scenarios
Autonomy and Isolation Requirements
Mergers & Acquisitions
Divestitures
Grass Roots Deployments
Test/Pilot Environment
Autonomy and Isolation
Service Isolation
– Critical AD-enabled app must have high availability.
– Compromise of one DC must not affect entire forest
Service Autonomy
– Org specific apps require schema extension
Data Isolation
– Legal requirements of financial institutions or defense contractors to limit access to data
See "Delegation of Administration in AD"
– http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/addeladm.asp
[Diagram: two example forests]
Fabrikam, Inc.: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com
Contoso, Ltd.: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com
Mergers and Acquisitions
After a merger or acquisition an organization may be in a multiple forest environment for some time.
Mergers
Look at the current landscape of mergers:
– Financial Services ~ LloydsTSB, HBoS, RBS
– Retail ~ Morrisons, ASDA
– IT ~ HP/Compaq, Microsoft, IBM, Quest
– Services ~ PWC
Increasingly these organisations now have their own AD forests and messaging infrastructures
How do we get the value of the merged organisations in the shortest time?
Divestitures
Before the spin off, the IT group may create a separate forest with its own messaging infrastructure
After the spin off, the IT group will manage a multi-forest Windows network for some time
We have seen some decidedly unsupported methods to handle divestitures!
Grass Roots Deployments
Business unit deploys a forest without central IT sanction
The central IT may:
– Merge the existing forest into the central IT forest
– Implement a multi-forest deployment
Either way, the organisation has multiple forests for some time
Also known as skunkworks projects! More common than you would anticipate.
Test/Pilot Forest
Forest with limited number of users and resources
Used to test deployment of new operations, procedures and applications before introducing them into the main production forest
Multiple Forests and Increased TCO?
Headcount to train, design, deploy and operate each forest
Configuration to enable key cross-forest functionality
Multiple Forest Considerations:
– http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfstwp.asp
Exchange across forests
GALsync has assumed a significant role in helping organisations that are either merging, acquiring or are operating in a federated / franchised model.
This key scenario has been deployed by a number of customers in the UK.
Resource Forest Model
[Diagram: Forest 1 (no Exchange), Forest 2 (no Exchange) and Forest 3 (Exchange)]
A single Exchange Org is deployed in a single AD Forest
Multiple Forests Model
[Diagram: Forest 1, Forest 2 and Forest 3, each with Exchange]
Exchange is in each forest
Cross-forest Collaboration
Exchange and the Global Address List
– Multiple Forest Model
– Synchronize the Address Book using MIIS
– Resource Forest Model
– If address book info is updated in the Account Forest, sync it to the Exchange forest using MIIS
– If address book info is updated in the Exchange Forest, no additional sync is required
GAL Sync – The Solution
[Diagram: Forest 1 (Exchange) and Forest 3 (Exchange), each with an Exchange Server/GC and Outlook clients, synchronised through an MIIS Server]
MIIS will get object information for every user in a forest
Users, contacts and groups in the source forest will become contacts in the target forest
Exchange will populate the Address List(s) with the contacts
GAL Sync – The Solution
[Diagram: Forest 1 (Exchange) and Forest 3 (Exchange), each with an Exchange Server/GC and Outlook clients]
A user in forest 1 wants to send mail to a user in forest 3
The user in forest 1 looks up the user in forest 3 in the address book
The user sees a contact in forest 1 representing the user in forest 3
Mail sent to the contact is routed to the mailbox of the user in forest 3
GAL Sync ADMA is a preconfigured Active Directory Management Agent released with MIIS 2003
– Uses the LDAP DIRSYNC control
– Handles renames and moves of objects
– Detects and uses the AD forest schema
Available in the MIIS feature pack (free) and MIIS Enterprise versions
Documentation
– Step by step scenario document
– User's Guide
GAL Sync – The Solution
Synchronization Logic Reference
Users are synced as contacts
Mail-enabled distribution and security groups are synced as contacts
Group membership is not synced
Authoritative contacts are synced per OU as contacts
Authoritative contacts may be routed through the source forest
Data is synced into a single MIIS Sync OU in the target forest
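As an added example (not MIIS code and not from the original presentation), the script below is a minimal incremental GAL sync pass that implements the rules in the synchronization logic reference above and the two ADMA points from the previous slide: it reads changes from the source forest with the LDAP DirSync control, matches objects by GUID so renames and moves do not create duplicates, turns every mail-enabled user, contact or group into a contact in a single target OU, and never copies group membership. Assumptions: source forest corp.fabrikam.com, target forest corp.contoso.com, target OU=MIIS Sync,DC=corp,DC=contoso,DC=com, cookie file C:\galsync\cookie.bin, and a target forest with the Exchange schema (targetAddress, mailNickname). The account running it needs read access in the source and create/write/delete rights on the target OU only; with the ObjectSecurity option used here, DirSync does not require the Replicating Directory Changes right, so neither side needs a domain admin account.

```powershell
# Added example, not MIIS code and not from the original presentation. Assumptions:
# source forest corp.fabrikam.com, target forest corp.contoso.com, target
# OU=MIIS Sync,DC=corp,DC=contoso,DC=com, and cookie file C:\galsync\cookie.bin.
Add-Type -AssemblyName System.DirectoryServices

$sourceDomain = "corp.fabrikam.com"
$sourceNC     = "DC=corp,DC=fabrikam,DC=com"
$targetOU     = "LDAP://corp.contoso.com/OU=MIIS Sync,DC=corp,DC=contoso,DC=com"
$cookiePath   = "C:\galsync\cookie.bin"

# Pull only what changed since the last run, using the LDAP DirSync control.
# ObjectSecurity (Windows Server 2003 and later) makes the server return just
# the objects the caller can read, so the sync account needs read access
# instead of the Replicating Directory Changes right on the whole NC.
function Get-SourceChanges {
    $opts = [System.DirectoryServices.DirectorySynchronizationOptions]::ObjectSecurity
    $sync = if (Test-Path $cookiePath) {
        New-Object System.DirectoryServices.DirectorySynchronization($opts, [IO.File]::ReadAllBytes($cookiePath))
    } else {
        New-Object System.DirectoryServices.DirectorySynchronization($opts)   # first run: full sync
    }
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$sourceDomain/$sourceNC")
    # Tombstones keep objectClass, so deletions are returned by this filter too.
    $searcher.Filter = "(|(objectClass=user)(objectClass=contact)(objectClass=group))"
    $searcher.PropertiesToLoad.AddRange([string[]]@("objectGUID", "isDeleted"))
    $searcher.DirectorySynchronization = $sync
    $results = $searcher.FindAll()
    $changes = @($results | ForEach-Object {
        [pscustomobject]@{
            Guid    = [guid]($_.Properties["objectguid"][0])
            Deleted = ($_.Properties["isdeleted"].Count -gt 0 -and [bool]$_.Properties["isdeleted"][0])
        } })
    $results.Dispose()
    # The cookie is only written to disk once the run has been applied (see the end).
    return [pscustomobject]@{ Changes = $changes; Cookie = $searcher.DirectorySynchronization.GetDirectorySynchronizationCookie() }
}

# Read the full source object by GUID: renames and moves in the source forest
# change the DN but not the GUID, so the target contact stays matched.
function Get-SourceObject([guid]$Guid) {
    $de = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$sourceDomain/<GUID=$Guid>")
    try { $null = $de.NativeGuid } catch { return $null }   # gone since the change was read
    return $de
}

# Apply the synchronisation logic: every mail-enabled user, contact or group in
# the source becomes a contact in the single target OU; membership never moves.
function Sync-One($Change) {
    $ou  = New-Object System.DirectoryServices.DirectoryEntry($targetOU)
    $cn  = "CN=GAL_$($Change.Guid)"
    $existing = $null
    try { $existing = $ou.Children.Find($cn, "contact") } catch { }
    $src  = if ($Change.Deleted) { $null } else { Get-SourceObject $Change.Guid }
    $mail = if ($src) { $src.Properties["mail"].Value } else { $null }
    if (-not $mail) {
        # Deleted, or no longer mail-enabled: drop the contact we own, if any.
        if ($existing) { $ou.Children.Remove($existing); return "removed" }
        return "skipped"
    }
    $contact = if ($existing) { $existing } else { $ou.Children.Add($cn, "contact") }
    $contact.Properties["mail"].Value          = $mail
    $contact.Properties["targetAddress"].Value = "SMTP:$mail"
    $contact.Properties["mailNickname"].Value  = ($mail -split "@")[0]
    foreach ($a in "displayName", "givenName", "sn", "telephoneNumber", "title", "company") {
        $v = $src.Properties[$a].Value
        if ($v) { $contact.Properties[$a].Value = $v }
    }
    # Groups become contacts as well; their "member" attribute is intentionally not copied.
    $contact.CommitChanges()
    if ($existing) { "updated" } else { "created" }
}

$run     = Get-SourceChanges
$summary = $run.Changes | ForEach-Object { Sync-One $_ } | Group-Object | ForEach-Object { "$($_.Name)=$($_.Count)" }
Write-Host ("Run complete: " + ($summary -join ", "))
New-Item -ItemType Directory -Path (Split-Path $cookiePath) -Force | Out-Null
[IO.File]::WriteAllBytes($cookiePath, $run.Cookie)   # next run continues from here
```

The cookie is persisted only after every change has been applied, so a run that dies halfway is simply repeated; because objects are keyed on the source GUID, repeating a run updates existing contacts rather than creating duplicates.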
GAL Sync Deployment
Step 1: Gathering data
– Determine source and target forest information
Step 2: Set up GAL Sync ADMA
– Set up one GAL Sync AD Management Agent per Exchange forest with source and target forest information
Step 3: Verify configuration
– Type of objects, rules, run profiles
Step 4: Run sync
Free Busy Synchronization
A user in one forest may need to look up free/busy data for a user in another forest
Free/busy info is stored on the Exchange servers (not in AD)
Solution: the Public Folder InterOrg Replication Utility
– KB Q238573: Installing, Configuring, and Using the InterOrg Replication Utility
– GAL Sync is needed for free/busy data to be linked to mail recipients across forests
Additional considerations
Name resolution between forests
Firewalls and NAT?
Sizing
Scheduling
Number of domains in source forest
Customer scenario
Company operating a global brand, but each country was a franchise
Each had their own AD forest
– Most countries had also designed their AD as a "global" AD infrastructure, so had a placeholder domain!
– NAT between country boundaries, even though the WAN was managed by another arm of the global organisation
The initial problem was addressing email between executives across the company
– Perception from senior management was that the company was disjointed and segregated
Customer scenario (2)
Preparation work
– Identify countries involved in the project
– Set up the team to do the work
– Get information from each of the country units about their AD design
– Identify required accounts
– Define how address lists were to be published
– Initially instigated a manual process to at least get the ball rolling and show progress
Customer scenario (3)
Design approach
– Establish DNS resolution
– Pre-SP1, so had to ensure that a number of firewall ports were open, including RPC! This did not go down well and is fixed in SP1
– Registered the NAT address on the target DC, allowing it to auto-register in DNS (could also have got around this by configuring the MA with the target IP address)
– Configured an account in each forest which was managed by the hosting forest admins
– Granted AD permissions
– Created a target OU in each forest for the incoming contacts
Customer scenario (4)
Design approach (continued)
– Create run profiles
– Test initially between 2 companies
– Roll out across the rest of the estate
Problems
– Firewall rules
– Admin cooperation ~ especially when it came to configuring an admin level account for the synchronisation
– Aligning AD infrastructures as some companies had scattered admin accounts throughout their domain!
– The WAN team were a pain to work with. Generally they time slotted each company and allocated one day per month for WAN config
– Troubleshooting was problematic due to the distributed nature of the various networking owners
Beyond GALsync
IIFP will support AD to AD as well as AD to ADAM sync
The customer scenario just discussed has a next step of integrating printing between the two forests:
–Use IIFP to synchronise sites, subnets and printers
–Allow the use of printer location tracking
–Meets the requirement of making it easy for roaming users to print in other offices
What other objects could be synchronised between forests?
Welcome to this TechNet Event
We would like to bring your attention to the key elements of the TechNet programme, the central information and community resource for IT professionals in the UK:
FREE bi-weekly technical newsletter
FREE regular technical events hosted across the UK
FREE weekly UK & US led technical webcasts
FREE comprehensive technical web site
Monthly CD / DVD subscription with the latest technical tools & resources
FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break