Extending the value of the directory Mark Cribben Consultant



Agenda

Extending the schema

ADAM

IIFP / GALSync

Extending the schema

Why modify the schema?

Rules for schema modification

Process for schema changes

What if it goes wrong?

Why modify the schema?

New AD aware, commercial applications

–Usually have their schema changes integrated into the setup programme

–Should have followed the AD schema rules

In house applications that are AD aware

Additional attributes to help business or IT

Rules for schema modification

Documenting the existing schema

–You can use the schemadoc program available from here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnactdir/html/schemadoc.asp

Valid OIDs – the importance of using an OID arc registered to your organisation cannot be stressed enough; a made-up or borrowed OID will collide with another vendor's extension sooner or later

–http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ad/ad/obtaining_an_object_identifier.asp

Who can perform the modification?

Where the modification can be performed

Demo

Viewing the Schema

Process for schema changes

Identify the Schema FSMO

Identify the administrator to perform the operation

Test!!

Take Schema FSMO offline plus one other DC that is a direct replication partner

Verify successful application of changes

Re-introduce the Schema FSMO

What if it goes wrong?

Remember ~ Schema changes cannot be rolled back via authoritative restore!

During change:

– Is the Schema FSMO still offline?

– If not, why not?! Once a bad change has replicated out there is no way back.

– If it is, do not reconnect it: remove it permanently from the forest (and clean up its metadata)

– Seize the Schema FSMO role to another functioning DC

Post change

–What do you need to change?

–Defunct schema classes / attributes?
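The process and the "what if it goes wrong" slides above, as an added worked example in PowerShell (not from the presentation): it locates the Schema FSMO, checks Schema Admins membership, imports a schema extension with ldifde against the schema master only, verifies the result on that DC before it is reconnected, and writes the LDIF that deactivates the attribute if the post-change answer is "make it defunct". The OID arc 1.3.6.1.4.1.99999, the attribute fabrikam-CostCentre and the class fabrikam-Employee are placeholders; replace the arc with the one you actually obtained. Disconnecting the schema master from the network before the import is still a manual step.

```powershell
# Added example (not from the presentation). The OID arc below is hypothetical and MUST be
# replaced with the arc you obtained (see the OID link above); names are illustrative.
$OidArc    = '1.3.6.1.4.1.99999'            # hypothetical enterprise arc
$AttrName  = 'fabrikam-CostCentre'
$ClassName = 'fabrikam-Employee'

# 1. Identify the Schema FSMO and the naming contexts (System.DirectoryServices is built in).
$forest       = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaMaster = $forest.SchemaRoleOwner.Name
$rootDse      = [ADSI]"LDAP://$schemaMaster/RootDSE"
$schemaNC     = $rootDse.schemaNamingContext.Value
$rootDN       = $rootDse.rootDomainNamingContext.Value
"Schema master: $schemaMaster  Schema NC: $schemaNC"

# 2. Identify the administrator: schema writes need Schema Admins in the current token.
if (-not ((whoami /groups) -match 'Schema Admins')) {
    throw 'Current token is not a member of Schema Admins; log on again after adding the account.'
}

# 3. Build the LDIF. DC=X is a placeholder that ldifde -c rewrites to the real root DN.
#    schemaIDGUID is supplied explicitly so the same GUID is used in test and production.
$attrGuid  = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
$classGuid = [Convert]::ToBase64String([guid]::NewGuid().ToByteArray())
$ldif = @"
dn: CN=$AttrName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
attributeID: $OidArc.1.1
lDAPDisplayName: $AttrName
adminDisplayName: $AttrName
adminDescription: Cost centre code (illustrative attribute)
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE
searchFlags: 1
isMemberOfPartialAttributeSet: FALSE
schemaIDGUID:: $attrGuid

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=$ClassName,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
governsID: $OidArc.2.1
lDAPDisplayName: $ClassName
adminDisplayName: $ClassName
objectClassCategory: 3
subClassOf: top
mayContain: $AttrName
schemaIDGUID:: $classGuid

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=User,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: auxiliaryClass
auxiliaryClass: $ClassName
-
"@
$ldf = Join-Path $env:TEMP 'fabrikam-schema.ldf'
Set-Content -Path $ldf -Value $ldif -Encoding ASCII

# 4. Test in a lab forest first. In production, disconnect the schema master from the
#    network before this step, then import against it explicitly (-s) with a log (-j).
#    Do NOT add -k: a silently skipped line is exactly the failure you want to see.
ldifde -i -f $ldf -s $schemaMaster -c 'DC=X' $rootDN -j $env:TEMP
if ($LASTEXITCODE -ne 0) { throw "ldifde failed with $LASTEXITCODE; see $env:TEMP\ldif.log" }

# 5. Verify on the schema master itself before reconnecting it.
$attr = [ADSI]"LDAP://$schemaMaster/CN=$AttrName,$schemaNC"
if ($attr.attributeID.Value -ne "$OidArc.1.1") { throw "Attribute $AttrName not found on $schemaMaster" }
"Verified $AttrName = $($attr.attributeID.Value); reconnect $schemaMaster and let it replicate."

# Post-change: schema objects cannot be deleted, only deactivated. The attribute must be
# removed from the class's mayContain first (an attribute still used by an active class
# cannot be made defunct), so the rollback LDIF does both in order.
$defunct = @"
dn: CN=$ClassName,CN=Schema,CN=Configuration,DC=X
changetype: modify
delete: mayContain
mayContain: $AttrName
-

dn: CN=$AttrName,CN=Schema,CN=Configuration,DC=X
changetype: modify
replace: isDefunct
isDefunct: TRUE
-
"@
Set-Content -Path (Join-Path $env:TEMP 'fabrikam-defunct.ldf') -Value $defunct -Encoding ASCII
```

The import is pointed at the schema master with -s because schema writes are only accepted there; if step 5 fails, the DC is still isolated and can be discarded and the role seized elsewhere, which is the only rollback that exists once the change has been committed.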

Current field experiences

Most customers have had a trouble-free upgrade experience, specifically in going from Windows 2000 to Windows Server 2003 (adprep /forestprep)

Most common situation is the mangled attribute problem (Exchange 2000 schema extensions whose LDAP display names collide with the inetOrgPerson attributes that adprep adds): http://support.microsoft.com/default.aspx?scid=kb;en-us;314649

Some reports of third party applications that have caused schema conflicts.

– No real workaround. Contact the application vendor and get them to fix the problem.

– Changes to adprep in Windows Server 2003 SP1

ADAM

ADAM background

ADAM in the field

ADAM Background

Same programming model as Active Directory

– Supports ADSI, LDIF files, LDAP APIs, System.DirectoryServices

Replication & Administration model similar to AD

Same store as AD – the DIT file and log file layout are the same

Differences from NOS AD:

– No locator via DNS SRV records – instead uses Service Connection Points

– No MAPI protocol support

– Does not integrate with LSASS

ADAM Architecture

Same code base as Active Directory in Windows 2003

Familiar tool set and capabilities

Architecture comparison (recovered from the slide diagram):

– Active Directory: LSASS hosting the DSA, with LDAP, SAM, MAPI, REPL, KDC and Lanman, and dependencies on DNS and FRS

– Active Directory in Application Mode: ADAM hosting the DSA, with LDAP and REPL only (traditional AD minus infrastructure management)

ADAM in the field

Core uses of ADAM so far:

–Developers needing an LDAP directory

–Supplementary LDAP directory for internal employee information

–Application directory

– Internet / Intranet application directory service

Example use of ADAM

Financial Services organisation

Using ADAM to supplement online banking authentication:

–Authentication performed by third party product

–Uses ADAM as the repository for customer authentication data and account information

–Currently hosting approximately 3 million user objects

Example use of ADAM

Migrated from Site Server

ADAM is used to store the user account information and authentication criteria

Schema extended to support third party authentication server

Stores information about the online accessible accounts the customer has and how to retrieve the necessary info for the customer

Essentially one active ADAM instance although there are 3 instances in the configuration set

Auditing was critical to this scenario and they are using the R2 version of mgmt tools to provide explicit ACLs on objects in ADAM
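The explicit ACLs mentioned in this scenario, as an added PowerShell example (not from the presentation or the customer): it binds to an ADAM instance by host and port, since ADAM has no DNS SRV locator, and grants the authentication product's ADAM account only what it needs on the customer objects. The instance adam01:50000, the partition O=Bank, the account CN=svc-authn and the extended attribute bank-LastLogonTime are hypothetical names; msDS-UserAccountDisabled is ADAM's real account-disable attribute.

```powershell
# Added example (not from the presentation). Hypothetical names: ADAM instance adam01
# on port 50000, application partition O=Bank, customers under OU=Customers,O=Bank,
# and an ADAM user CN=svc-authn that the third-party authentication product binds as.
Add-Type -AssemblyName System.DirectoryServices

$server = 'adam01:50000'    # ADAM has no DNS SRV locator: host and port are explicit
$custOU = [ADSI]"LDAP://$server/OU=Customers,O=Bank"
$svc    = [ADSI]"LDAP://$server/CN=svc-authn,OU=ServiceAccounts,O=Bank"

# ADAM security principals carry an objectSid, which is what the ACEs are keyed on.
$svcSid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$svc.objectSid.Value, 0)

# Schema GUIDs for object- and attribute-specific ACEs, read from this instance's own schema.
$schemaNC = ([ADSI]"LDAP://$server/RootDSE").schemaNamingContext.Value
function Get-SchemaGuid([string]$cn) {
    New-Object guid (,[byte[]]([ADSI]"LDAP://$server/CN=$cn,$schemaNC").schemaIDGUID.Value)
}
$userClass = Get-SchemaGuid 'User'
$lastLogon = Get-SchemaGuid 'bank-LastLogonTime'        # hypothetical extended attribute
$disabled  = Get-SchemaGuid 'msDS-UserAccountDisabled'  # ADAM's account-disable flag

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$deny    = [System.Security.AccessControl.AccessControlType]::Deny
$descend = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$sec = $custOU.psbase.ObjectSecurity

# Allow: read all properties of user objects below the OU (descendants only, not the OU).
$readUsers = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, $rights::ReadProperty, $allow, $descend, $userClass)
$sec.AddAccessRule($readUsers)

# Allow: write exactly one attribute (bank-LastLogonTime) on those users, nothing else.
$writeLogon = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, $rights::WriteProperty, $allow, $lastLogon, $descend, $userClass)
$sec.AddAccessRule($writeLogon)

# Deny: a compromised authentication front end must not be able to enable or disable
# customer accounts, so the disable flag is explicitly denied for writing.
$denyDisable = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $svcSid, $rights::WriteProperty, $deny, $disabled, $descend, $userClass)
$sec.AddAccessRule($denyDisable)

$custOU.psbase.CommitChanges()

# Audit view: every explicit ACE on the OU, keyed by SID, so the next review can diff it.
$custOU.psbase.ObjectSecurity.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, InheritedObjectType |
    Format-Table -AutoSize
```

The script runs as a Windows principal that holds the Administrators role of the O=Bank partition; the ADAM user it grants rights to is identified by its objectSid, exactly as a Windows SID would be in NOS AD, which is what makes the same ActiveDirectoryAccessRule API work against both.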

IIFP / GALSync

IIFP refresher

Common scenarios

GALsync

Examples from the field

IIFP Background

The “free” version of MIIS

–Available as a download from microsoft.com:

http://www.microsoft.com/downloads/details.aspx?FamilyID=d9143610-c04d-41c4-b7ea-6f56819769d5&DisplayLang=en

Requires Windows Server 2003 Enterprise Edition, SQL Server 2000 SP3+

Provides synchronisation between AD, ADAM and Exchange

–No external or third party products

Common Scenarios

Autonomy and Isolation Requirements

Mergers & Acquisitions

Divestitures

Grass Roots Deployments

Test/Pilot Environment

Autonomy and Isolation

Service Isolation

– Critical AD-enabled app must have high availability.

– Compromise of one DC must not affect entire forest

Service Autonomy

– Org specific apps require schema extension

Data Isolation

– Legal requirements of Financial institutions or Defense contractors to limit access to data

See “Delegation of Administration in AD “

– http://www.microsoft.com/technet/prodtechnol/ad/windows2000/plan/addeladm.asp

Example forest layout (recovered from the slide diagram):

– Fabrikam, Inc.: corp.fabrikam.com, mf.corp.fabrikam.com, rd.corp.fabrikam.com

– Contoso, Ltd.: corp.contoso.com, na.corp.contoso.com, ap.contoso.corp.com, jpn.ap.contoso.corp.com

Mergers and Acquisitions

After a merger or acquisition an organization may be in a multiple forest environment for some time.

Mergers

Look at the current landscape of mergers:

–Financial Services ~ LloydsTSB, HBoS, RBS

–Retail ~ Morrisons, ASDA

– IT ~ HP/Compaq, Microsoft, IBM, Quest

–Services ~ PWC

Increasingly these organisations now have their own AD forests and messaging infrastructures

How do we get the value of the merged organisations in the shortest time?

Divestitures

Before – the IT group may create a separate forest with its own messaging infrastructure

After the spin off - The IT group will manage a multi-forest Windows network for some time.

We have seen some decidedly unsupported methods to handle divestitures!

Grass Roots Deployments

Business unit deploys a forest without central IT sanction.

The central IT may:

–Merge existing forest into central IT forest

– Implement a multi-forest deployment

However, organization has multiple forests for some time.

Also known as skunkworks projects! More common than you would anticipate.

Test/Pilot Forest

Forest with limited number of users and resources

Used to test deployment of new operations, procedures and applications before introducing them into the main production forest

Multiple Forests and Increased TCO?

Headcount to train, design, deploy and operate each forest

Configuration to enable key cross-forest functionality

Multiple Forest Considerations:

–http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/plan/mtfstwp.asp

Exchange across forests

GALsync has assumed a significant role in helping organisations that are either merging, acquiring or are operating in a federated / franchised model.

This key scenario has been deployed by a number of customers in the UK.

Resource Forest Model

– A single Exchange Org is deployed in a single AD Forest (Forest 3 runs Exchange; Forest 1 and Forest 2 have no Exchange)

Multiple Forests Model

– Exchange is in each forest (Forest 1, Forest 2 and Forest 3 each run Exchange)

Cross-forest Collaboration

Exchange and the Global Address List

–Multiple Forest Model

– Synchronize Address Book using MIIS

–Resource Forest Model

– If address book info is updated in Account Forest then sync it to Exchange forest using MIIS

– If address book info is updated in Exchange Forest - no additional sync is required

GAL Sync – The Solution

Diagram: Forest 1 (Exchange Server/GC, Outlook client) and Forest 3 (Exchange Server/GC, Outlook client), with an MIIS Server between them

– MIIS will get object information for every user in a forest

– Users, contacts and groups in the source forest will become contacts in the target forest

– Exchange will populate the Address List(s) with the contacts

GAL Sync – The Solution (mail flow)

– User in forest 1 wants to send mail to a user in forest 3

– User in forest 1 looks up the user in forest 3 in the address book, and sees a contact in forest 1 representing the user in forest 3

– Mail sent to the contact is routed to the mailbox of the user in forest 3

GAL Sync ADMA is a preconfigured Active Directory Management Agent released with MIIS 2003

– Uses the LDAP DirSync control

– Handles renames and moves of objects

– Detects and uses the AD forest schema

Available in the MIIS feature pack (free) and MIIS Enterprise versions

Documentation

– Step by step scenario document

– User’s Guide

GAL Sync – The Solution

Synchronization Logic Reference

Users are synced as contacts

Mail Enabled Distribution and Security Groups are synced as contacts

Group membership is not synced

Authoritative Contacts are synced per OU as contacts

Authoritative Contacts may be routed through the source forest

Data is synced in the target forest into a single MIIS Sync OU
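The synchronisation logic above, carried out by hand for one source forest, as an added PowerShell example (not from the presentation and not the MIIS ADMA's own code): users, mail-enabled groups and authoritative contacts become contacts in a single sync OU in the target forest, group membership is not carried across, and each contact routes back to the source address. The forests fabrikam.com and contoso.com, the DCs, the OU "OU=MIIS Sync" and the account svc-galsync are hypothetical; the extensionAttribute15 marker assumes the Exchange schema is present in both forests.

```powershell
# Added example (not from the presentation, not MIIS code). Hypothetical names: source forest
# fabrikam.com (DC srcdc.fabrikam.com), target forest contoso.com (DC tgtdc.contoso.com),
# target OU "OU=MIIS Sync,DC=contoso,DC=com", and an account with rights in both forests.
Add-Type -AssemblyName System.DirectoryServices
$cred = Get-Credential 'FABRIKAM\svc-galsync'
$u = $cred.UserName; $p = $cred.GetNetworkCredential().Password

$srcRoot  = New-Object System.DirectoryServices.DirectoryEntry('LDAP://srcdc.fabrikam.com/DC=fabrikam,DC=com', $u, $p)
$targetOU = New-Object System.DirectoryServices.DirectoryEntry('LDAP://tgtdc.contoso.com/OU=MIIS Sync,DC=contoso,DC=com', $u, $p)

# Source objects: mail-enabled users and groups (both become contacts) and authoritative
# contacts. Objects we ourselves created in the source forest in the other direction carry
# a marker (assumption: Exchange schema present) and are skipped to avoid a sync loop.
$searcher = New-Object System.DirectoryServices.DirectorySearcher($srcRoot)
$searcher.Filter   = '(&(mail=*)(|(objectCategory=person)(objectCategory=group)(objectCategory=contact))(!(extensionAttribute15=GALsync)))'
$searcher.PageSize = 500
'mail','displayName','givenName','sn','legacyExchangeDN' | ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

foreach ($r in $searcher.FindAll()) {
    $mail = [string]$r.Properties['mail'][0]
    $cn   = $mail -replace '[^a-zA-Z0-9@._-]', '_'       # RDN-safe and unique per source object

    # Upsert: one contact per source object, keyed on the source mail address.
    $existing = New-Object System.DirectoryServices.DirectorySearcher($targetOU)
    $existing.Filter = "(&(objectCategory=contact)(mail=$mail))"
    $found = $existing.FindOne()
    $contact = if ($found) { $found.GetDirectoryEntry() } else { $targetOU.Children.Add("CN=$cn", 'contact') }

    # Attributes that make the entry appear in the target GAL and route mail back to the
    # source mailbox. mailNickname is what the Exchange 2003 Recipient Update Service keys
    # on to stamp the remaining Exchange attributes.
    $contact.Properties['mail'].Value          = $mail
    $contact.Properties['targetAddress'].Value = "SMTP:$mail"
    $contact.Properties['mailNickname'].Value  = $mail.Split('@')[0]
    $contact.Properties['displayName'].Value   = [string]$r.Properties['displayName'][0]
    if ($r.Properties['givenName'].Count) { $contact.Properties['givenName'].Value = [string]$r.Properties['givenName'][0] }
    if ($r.Properties['sn'].Count)        { $contact.Properties['sn'].Value        = [string]$r.Properties['sn'][0] }

    # Carry the source legacyExchangeDN as an X500 proxy so replies to old mail still resolve.
    $proxies = @("SMTP:$mail")
    if ($r.Properties['legacyExchangeDN'].Count) { $proxies += "X500:$($r.Properties['legacyExchangeDN'][0])" }
    $contact.Properties['proxyAddresses'].Value = [string[]]$proxies

    # Group membership is deliberately NOT synchronised: a source group becomes a plain
    # mail-enabled contact whose targetAddress is the group's own address.
    $contact.Properties['extensionAttribute15'].Value = 'GALsync'   # marker for the reverse direction
    $contact.CommitChanges()
}
```

What this hand-rolled pass does not do is the part the ADMA is for: it never deletes a contact whose source object has gone, and it keys on the mail address rather than the object GUID, so a renamed or moved source object looks like a new one. The DirSync control the ADMA uses tracks both.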

GAL Sync Deployment

Step 1: Gathering data – determine source and target forest information

Step 2: Set up GAL Sync ADMA – set up one GAL Sync AD Management Agent per Exchange forest with source and target forest information

Step 3: Verify configuration – type of objects, rules, run profiles

Step 4: Run sync

Free Busy Synchronization

User in one forest may need to look up free-busy data for user in another forest

Free-Busy info is stored on the Exchange servers (in the public folder store, not in AD)

Solution - PF Replication Utility

–KB Q238573 : Installing, Configuring, and Using the InterOrg Replication Utility

–GAL Sync needed for F/B data to be linked to mail recipients cross forest

Additional considerations

Name resolution between forests

Firewalls and NAT?

Sizing

Scheduling

Number of domains in source forest

Customer scenario

Company operating a global brand image but each country was a franchise

Each had their own AD forest

– Most countries had also designed their AD as a “global” AD infrastructure so had placeholder domain!

– NAT between country boundaries even though the WAN was managed by another arm of the global organisation

The initial problem was addressing email between executives across the company

– Perception from senior management was that the company was disjointed and segregated

Customer scenario (2)

Preparation work

– Identify countries involved in the project

–Set up the team to do the work

–Get information from each of the country units about their AD design

– Identify required accounts

–Define how address lists were to be published

– Initially instigated a manual process to at least get the ball rolling and show progress

Customer scenario (3)

Design approach

– Establish DNS resolution

– Pre-SP1, so had to ensure that a number of firewall ports were open, including RPC! This did not go down well and is fixed in SP1.

– Registered NAT address on the target DC allowing it to auto register in DNS (Could have also got around this by configuring the MA with the target IP address)

– Configured an account in each forest which was managed by the hosting forest admins

– Granted AD permissions

– Create a target OU in each forest for the incoming contacts

Customer scenario (4)

Design approach (continued)

– Create run profiles

– Test initially between 2 companies

– Roll out across the rest of the estate

Problems

– Firewall rules

– Admin cooperation ~ especially when it came to configuring an admin level account for the synchronisation

– Aligning AD infrastructures as some companies had scattered admin accounts throughout their domain!

– The WAN team were a pain to work with. Generally they time slotted each company and allocated one day per month for WAN config

– Troubleshooting was problematic due to the distributed nature of the various networking owners
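The "configured an account in each forest, granted AD permissions" step of this design, together with the admin-cooperation problem it caused, as an added PowerShell example (not from the presentation): a per-forest service account with only the rights the GAL Sync ADMA needs, a reachability check by name through the firewall/NAT, and a verification of what was actually granted. The account names, DC names, domain DNs and the sync OU are hypothetical. The Replicating Directory Changes right is what the LDAP DirSync control requires; it is read-only, but it exposes every non-secret attribute in the domain, which is the point to make to the hosting forest's admins.

```powershell
# Added example (not from the presentation). Hypothetical names: source forest fabrikam.com
# (DC srcdc.fabrikam.com behind NAT) with a local read account FABRIKAM\svc-galsync-ro,
# target forest contoso.com with the MIIS run-as account CONTOSO\svc-galsync, and the
# target OU "OU=MIIS Sync,DC=contoso,DC=com". Run each dsacls in the forest that owns the
# object, as an administrator of that forest; neither service account is ever Domain Admins.
$srcAcct  = 'FABRIKAM\svc-galsync-ro'
$tgtAcct  = 'CONTOSO\svc-galsync'
$srcDC    = 'srcdc.fabrikam.com'
$srcDomNC = 'DC=fabrikam,DC=com'
$syncOU   = 'OU=MIIS Sync,DC=contoso,DC=com'

# 1. Name resolution and LDAP reachability through the firewall/NAT, checked from the MIIS
#    server by name rather than IP so the conditional forwarder or stub zone is exercised too.
$rootDse = [ADSI]"LDAP://${srcDC}:389/RootDSE"
if (-not $rootDse.defaultNamingContext.Value) { throw "Cannot reach LDAP on $srcDC" }
"Source DC $srcDC answers for $($rootDse.defaultNamingContext.Value)"

# 2. Source forest (read side), run by the source forest's admins. The GAL Sync ADMA reads
#    with the LDAP DirSync control, which needs the Replicating Directory Changes
#    control-access right on each domain NC it reads. Read-only, but scoped and auditable.
dsacls $srcDomNC /G "${srcAcct}:CA;Replicating Directory Changes"

# 3. Target forest (write side). Create/delete contacts in the sync OU only, plus read/write
#    of properties on contact objects beneath it; nothing outside that OU.
dsacls $syncOU /G "${tgtAcct}:CCDC;contact"
dsacls $syncOU /I:S /G "${tgtAcct}:RPWP;;contact"

# 4. Verify the ACEs that actually landed, and that nothing broader was granted by accident.
dsacls $srcDomNC | Select-String -SimpleMatch $srcAcct
dsacls $syncOU   | Select-String -SimpleMatch $tgtAcct
```

Each management agent is then configured with the source forest's own account, so the hosting forest keeps control of the credential (and can disable it) without having handed out an admin-level account, which was the sticking point in the scenario above.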

Beyond GALsync

IIFP will support AD to AD as well as AD to ADAM sync

The customer scenario just discussed has a next step of integrating printing between the two forests:

–Use IIFP to synchronise sites, subnets and printers

–Allow the use of printer location tracking

–Meets the requirement of making it easy for roaming users to print in other offices

What other objects could be synchronised between forests?

Welcome to this TechNet Event

We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:

FREE bi-weekly technical newsletter

FREE regular technical events hosted across the UK

FREE weekly UK & US led technical webcasts

FREE comprehensive technical web site

Monthly CD / DVD subscription with the latest technical tools & resources

FREE quarterly technical magazine

To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break

http://www.microsoft.com/uk/technet