Difficult MIIS Interview Preparation Guide

Download PDF

The metaverse is a collection of tables that contains information about connected identities from the connected data sources. These tables are stored in a SQL Server database and contain all the aggregated information about a specific entity as it exists in all of the connected data sources. Attributes and objects flow into and out of the metaverse. Updates flowing in are used to update the metaverse, updates going out are used to update the connected data sources through their respective connector space. The metaverse contains its own schema, which defines which object types and attributes the metaverse can contain. All objects in the metaverse must be of one of the types defined in the metaverse schema.

The Microsoft Identity Integration Server 2003 technical reference is an in-depth documentation collection about identity information management concepts. It is not intended as an operations or implementation guide. Instead, it provides information managers, system architects and IT generalists with the necessary background they will need to analyze and develop their own identity management solutions.

Microsoft Identity Integration Server 2003 is most commonly employed to integrate data between connected data sources. The design of this scenario involves the following three components:
☛ Five incongruent data sources that use different data formatting methods.
☛ Microsoft Identity Integration Server 2003.
☛ Different Microsoft Identity Integration Server 2003 management agent (MA) types that are used to flow data between a data source and Microsoft Identity Integration Server 2003.

Microsoft Identity Integration Server 2003 technical reference provides information about:
☛ State-based and event-based architecture
☛ Directories and identity management solutions
☛ Core components of MIIS 2003
☛ Architecture and internal structure of MIIS 2003
☛ Objects and data flow in MIIS 2003
☛ Updated system port information for MIIS 2003 Service Pack 1 (SP1)
☛ Updated information for management agent minimum rights and permissions

Instructions to install Microsoft Identity Integration Server 2003:
☛ Click the file you want to download.
☛ Do one of the following:
1. To start the installation immediately, click Run.
2. To save the download to your computer for installation at a later time, click Save.
3. To cancel the installation, click Cancel.

The individual responsible for setting up the lab for this scenario should have a complete knowledge of the following:
☛ Installing and configuring Active Directory.
☛ Installing and configuring Sun ONE Directory Server 5.1 Directory Server.
☛ Installing Microsoft® Windows® Server 2003, Enterprise Edition.
☛ Installing and configuring Microsoft® SQL Server 2000, Enterprise Edition, with Service Pack 3 (SP3).

By implementing Microsoft Identity Integration Server 2003, company hopes to accomplish the following two goals:
☛ Aggregate employee identity data from its five data sources while maintaining data source ownership over specific employee identity characteristics.
☛ Use data from the Exchange Server data source to populate distribution lists in the Active Directory data source.

As a result of your design efforts, you have identified the data flow for both attributes and objects. If your design requires creating or deleting objects in connected data sources, you will need to develop a method of provisioning and deprovisioning these objects. In MIIS 2003 this means implementing that logic in a metaverse rules extension. Rules extensions are implemented as DLLs and stored in the Extensions subfolder of the MIIS root folder.

As you begin to tackle an identity management project, the first challenge you are likely to run into is determining where you should start. Typically, identity management solutions are strategic. Translating that strategy into concrete activities requires some experience. To address this challenge, Microsoft has developed the MIIS 2003 Design and Planning Collection. A series of documents and worksheets that can aid in scoping your project, gathering requirements and configuring a solution based on MIIS 2003. It is especially useful if you are new to this type of project.
The design and planning collection contains an introductory document that explains how to use the series, seven separate documents that address particular design components, templates to be used in conjunction with the documents and completed sample templates so you can see what the finished templates should look like.

Identity and access management are important issues as your business implements systems that provide corporate information to employees, business partners and customers.
Each solution introduces new applications with their own authorization requirements and potentially their own authentication mechanisms. As these disparate systems proliferate throughout an organization, managing digital identity determining when users are on-boarded, when they are off-boarded, and what privileges and access they have while active in the environment becomes an increasingly complicated process.

There are 5 essential tools for MIIS:
☛ MIIS 2003 Design and Planning Collection
☛ MIIS Provisioning Assistant
☛ MIIS Preview
☛ Oxford MIIS Documentor
☛ MIIS Service Monitor

The management of passwords is a costly and time-consuming process for many administrators. Fortunately, this process has been greatly enhanced with a new feature in MIIS 2003 SP1-the Password Change Notification Service (PCNS). This new service allows for the secure updating of password resets to be sent to an MIIS 2003 server. When a password reset is initiated on a domain controller, either by a user who presses Ctrl+Alt+Del or by an administrator, the request is intercepted. The intercepted request is encrypted and then forwarded on to the MIIS 2003 server and from there to all connected data sources (that are configured for password management) through synchronization. To see how to install the PCNS and configure a management agent.

The password management and synchronization capabilities help you control passwords and reduce administrative efforts:
☛ Auditing features let you track changes to or setting of passwords through the use of entries written to the Event Log.
☛ Developers have the ability to perform password management functions through an API.
☛ An administrator or a user can reset passwords through a central point or through a Web services application.
☛ Integrated third-party solutions can be used to extend the capabilities of MIIS 2003.
☛Password policies as defined in Active Directory, for example, can be enforced across other systems.

Passwords are one of the weakest security points in a network but the use of secure passwords can become a source of contention between administrators and users. Users would rather have nice, easy-to-remember passwords, whereas administrators want to implement more restrictive password requirements. This is of even more concern on networks with disparate directories where users may have several accounts with varying levels of password requirements to access each of these directories or services. MIIS 2003 SP1 has a number of new password management and synchronization features that can help.

The metaverse schema contains the following default objects, but can be easily extended:
☛ Ccomputer
☛ Domain
☛ Group
☛ Locality
☛ Organization
☛ Organizational unit
☛ Person
☛ Printer
☛ Role

The following are the minimum hardware requirements for the two servers used in this scenario:
☛ Pentium II 500.
☛ 256 MB of RAM.
☛ 8 GB hard disk.
☛ Network adapter.
☛ 4 MB video adapter.
☛ SVGA monitor (800x600) or greater resolution.
☛ Microsoft Mouse or compatible pointing device.

The connector space is a staging area for information coming into or going out from a given management agent. The information that is staged in a management agent's connector space is used to synchronize with the metaverse or is exported out to its connected data source. Each connected data source has its own reserved logical area within the connector space that is used by its corresponding management agent. The connector space does not actually contain the connected data source as an object itself but rather contains a subset of the connected data source's attributes, as defined on the management agent. MIIS uses the connector space object instead of making direct queries to the connected data source when processing business rules. This improves synchronization speed between the metaverse and the connected data sources.

Every connected data source has a corresponding management agent. Each management agent acts to control the flow of information between its connected data source and MIIS. If you modify synchronized data in either the connected data source or within MIIS, the management agent will keep MIIS 2003 and the connected data sources consistent. Since there is a management agent for each supported connected data source type, the types of management agents are the same as the types of connected data sources supported by MIIS 2003. If you need to connect a data source, MIIS also provides a generic management agent that can be configured to connect to any system that provides programmatic access to its data, called the extensible connectivity management agent.

A connected data source is a system that provides information to or receives information from MIIS 2003. Many systems can act as a connected data source including directory services, databases and even individual files. The connected data sources currently supported by MIIS 2003 Service Pack 1.

There are four major components of MIIS 2003:
☛ Connected Data Sources
☛ Management Agents
☛ Connector Spaces
☛ The Metaverse

Some of the major capabilities of MIIS 2003 include:
☛ Directory synchronization
☛ Account provisioning
☛ Certificate publishing
☛ Group management
☛ Management of Global Address Lists (GALs) for diverse e-mail systems
☛ Management and synchronization of passwords

Integration Server (MIIS) 2003 allows you to synchronize identity information from many different directories and services into a single, organization-wide solution. This can help protect your network's security and simplify management.

When you run a management agent, you can specify that a join rule be applied to each object in the connector space. By specifying a join rule, Microsoft Identity Integration Server 2003 searches the metaverse and attempts to find a corresponding object to which the connector space object can be joined. When a search returns any results, the resolution rules determine whether:
☛ None of the objects satisfies the join criteria, in which case the next search criteria are evaluated.
☛ Exactly one of the objects satisfies the join criteria, in which case it is joined with the connector object.
☛ More than one of the objects satisfies the join criteria, in which case the join operation fails.

To administer the Microsoft Identity Integration Server 2003 infrastructure, perform the following administration tasks:
☛ Connect connector space objects to the metaverse, which includes:
1. Attribute indexing
2. Connecting disconnector objects
3. Disconnecting connector objects
4. Previewing action on disconnector objects
☛ Manage management agents
☛ Create command scripts for management agents
☛ Use administrative roles

You will create the MAs in the following order:
☛ HR MA
☛ LDAP Data Interchange Format (LDIF) MA
☛ AD MA
☛ Sun ONE Directory Server 5.1 MA
☛ Telephone MA