MIIS Interview Preparation Guide

Download PDF

Microsoft identity integration server (MIIS) is an identity management (IdM) product offered by Microsoft. It is a service that aggregates identity-related information from multiple data-sources. The goal of MIIS is to provide organizations with a unified view of a user's/resources identity across the heterogeneous enterprise and provide methods to automate routine tasks.

Microsoft identity integration server manages information by retrieving identity information from the connected data sources and storing the information in the connector space as connector space objects or CS Entry objects. The CS Entry objects are then mapped to entries in the metaverse called metaverse objects or MV Entry objects. This architecture allows data from dissimilar connected data sources to be mapped to the same MV Entry object. All back-end data is stored in Microsoft SQL Server.

MIIS has its origins in two Canadian companies' products, Linkage Software's meta-directory product Link-Age Directory Exchange (LDE) which Microsoft acquired on June 30, 1997 and Zoom-it Corporation's meta-directory product, Via, which Microsoft acquired on July 7, 1999.
LDE was strongly email system oriented but traces of it and its field mapping technology remain through MIIS 2003.

After acquiring Zoom-it Via Microsoft renamed it to MMS (Microsoft Meta-directory Services) and offered this product for free; however they will strongly encourage customers to hire Microsoft Consulting Services to install and configure product.
Microsoft Identity Integration Server 2003 was completely re-written from ground up. No original Zoom-it Via code was moved into MIIS. However Microsoft preserved methodology and original idea of the Via product. MIIS 2003 no longer uses Z Script (proprietary scripting language of Zoom-it Via), instead it offered .NET framework support. With this upgrade Microsoft did not offer a migration path from MMS to MIIS due to the significant differences in the products.

Currently Service Pack 2 is available for MIIS 2003.
IIFP is a slimmed-down version of MIIS that is limited to synchronization between AD, ADAM, and exchange data-stores.
MIIS 2003 was recently (Fall 2007) incorporated into a new offering called Identity Life-cycle Manager 2007. This product was announced at the RSA Conference in February 2007 and made available to customers in May 2007. Identity Life-cycle Manager 2007 includes not only the original MIIS 2003 product, but also a component called Certificate Life-cycle Manager (CLM) which is used to manage X.509 digital certificate and smart card issuance.

Product evaluation documentation:
☛ Classic Metadirectory Walkthrough
☛ Simple Account Provisioning Walkthrough
☛ Global Address List Synchronization Walkthrough
☛ Group Creation and Provisioning Walkthrough
☛ Password Management Walkthrough

Example:
Through the metaverse an organization's e-mail system can be linked to its human resources database to the organization's PBX system to any other data repository containing relevant user information. Each employee's attributes from the e-mail system and the human resources database are imported into the connector space through respective management agents. The e-mail system can then link to individual attributes from the employee entry, such as the employee telephone number. If an employee's telephone number changes, the new telephone number will automatically be propagated to the e-mail system.

Versions of microsoft identity integration server:
☛ Zoomit Via (pre 1999)
☛ Microsoft Metadirectory Server [MMS] (1999-2003)
☛ Microsoft Identity Integration Server 2003 Enterprise Edition [MIIS] (Retired)
☛ Microsoft Identity Integration Server 2003 Feature Pack [IIFP] (Retired)
☛ Microsoft Identity Lifecycle Manager Server 2007 ILM (Retired)
☛ Microsoft Forefront Identity Manager 2010 FIM (Current)

The microsoft identity integration server is extensible through the use of the .NET framework, which allows developers and network administrators to extend out of the box capabilities and perform complex tasks.

The goal of the fictional scenario and walkthrough described here is to ensure that all of the directory information maintained in a number of diverse, separate systems is synchronized and that the information is correct. This scenario and walkthrough describes how to build a Microsoft Identity Integration Server 2003 (MIIS 2003) infrastructure that will make the identity information in these diverse data sources consistent throughout an enterprise.

Before beginning this scenario, become familiar with the basic concepts of MIIS 2003. In This Walkthrough:
☛ Scenario Design
☛ Lab Setup
☛ Implementation Steps
☛ Administering MIIS 2003 Infrastructure

Scenario design describes the fictional company and the specific directory problem you solve in the scenario. This section provides a high-level conceptual and procedural overview of how MIIS 2003 facilitates data flow between connected data sources and Microsoft Identity Integration Server 2003.

This documentation set includes walkthroughs that help you with proof of concepts and detailed analyses of features and functionalities of MIIS 2003. You also get information that helps you make business cases when choosing MIIS 2003.

Implementation steps provides a procedural walkthrough for building the MIIS 2003 management agents (MAs) used to develop the MIIS 2003 infrastructure in the scenario.

Lab setup lists the hardware and software requirements for the scenario walkthrough procedures. Includes detailed instructions for setting up the different connected data sources, as well as setting up MIIS 2003.

Administering MIIS 2003 Infrastructure provides common administrative tasks related to maintaining the MIIS 2003 infrastructure in the scenario.

The following software should be available:
☛ Windows Server 2003, Enterprise Edition
☛ Microsoft Identity Integration Server 2003

You will create the MAs in the following order:
☛ HR MA
☛ LDAP Data Interchange Format (LDIF) MA
☛ AD MA
☛ Sun ONE Directory Server 5.1 MA
☛ Telephone MA

To administer the Microsoft Identity Integration Server 2003 infrastructure, perform the following administration tasks:
☛ Connect connector space objects to the metaverse, which includes:
1. Attribute indexing
2. Connecting disconnector objects
3. Disconnecting connector objects
4. Previewing action on disconnector objects
☛ Manage management agents
☛ Create command scripts for management agents
☛ Use administrative roles

When you run a management agent, you can specify that a join rule be applied to each object in the connector space. By specifying a join rule, Microsoft Identity Integration Server 2003 searches the metaverse and attempts to find a corresponding object to which the connector space object can be joined. When a search returns any results, the resolution rules determine whether:
☛ None of the objects satisfies the join criteria, in which case the next search criteria are evaluated.
☛ Exactly one of the objects satisfies the join criteria, in which case it is joined with the connector object.
☛ More than one of the objects satisfies the join criteria, in which case the join operation fails.

Integration Server (MIIS) 2003 allows you to synchronize identity information from many different directories and services into a single, organization-wide solution. This can help protect your network's security and simplify management.

Some of the major capabilities of MIIS 2003 include:
☛ Directory synchronization
☛ Account provisioning
☛ Certificate publishing
☛ Group management
☛ Management of Global Address Lists (GALs) for diverse e-mail systems
☛ Management and synchronization of passwords

There are four major components of MIIS 2003:
☛ Connected Data Sources
☛ Management Agents
☛ Connector Spaces
☛ The Metaverse

A connected data source is a system that provides information to or receives information from MIIS 2003. Many systems can act as a connected data source including directory services, databases and even individual files. The connected data sources currently supported by MIIS 2003 Service Pack 1.

Every connected data source has a corresponding management agent. Each management agent acts to control the flow of information between its connected data source and MIIS. If you modify synchronized data in either the connected data source or within MIIS, the management agent will keep MIIS 2003 and the connected data sources consistent. Since there is a management agent for each supported connected data source type, the types of management agents are the same as the types of connected data sources supported by MIIS 2003. If you need to connect a data source, MIIS also provides a generic management agent that can be configured to connect to any system that provides programmatic access to its data, called the extensible connectivity management agent.

The connector space is a staging area for information coming into or going out from a given management agent. The information that is staged in a management agent's connector space is used to synchronize with the metaverse or is exported out to its connected data source. Each connected data source has its own reserved logical area within the connector space that is used by its corresponding management agent. The connector space does not actually contain the connected data source as an object itself but rather contains a subset of the connected data source's attributes, as defined on the management agent. MIIS uses the connector space object instead of making direct queries to the connected data source when processing business rules. This improves synchronization speed between the metaverse and the connected data sources.

The following are the minimum hardware requirements for the two servers used in this scenario:
☛ Pentium II 500.
☛ 256 MB of RAM.
☛ 8 GB hard disk.
☛ Network adapter.
☛ 4 MB video adapter.
☛ SVGA monitor (800x600) or greater resolution.
☛ Microsoft Mouse or compatible pointing device.