Contents Overview 1 Introduction to Active Directory Interforest Synchronization 2 Using the Active Directory MA and TAMA in Interforest Synchronization 4 Implementing an Active Directory Interforest Synchronization Scenario 8 Lab A: Implementing Active Directory Interforest Synchronization 13 Best Practices 14 Review 15 Module 9: Performing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.  2000 Microsoft Corporation. All rights reserved. Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product names or titles. The publications specialist replaces this example list with the list of trademarks provided by the copy editor. Microsoft is listed first, followed by all other Microsoft trademarks in alphabetical order. > are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries. <The publications specialist inserts mention of specific, contractually obligated to, third-party trademarks, provided by the copy editor> Other product and company names mentioned herein may be the trademarks of their respective owners. Module 9: Performing Active Directory Interforest Synchronization i BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Instructor Notes Instructor_notes.doc Presentation: xx Minutes Lab: xx Minutes Module 9: Performing Active Directory Interforest Synchronization 1 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Overview ! Introduction to Active Directory Interforest Synchronization ! Using the Active Directory MA and TAMA in Interforest Synchronization ! Implementing an Active Directory Interforest Synchronization Scenario ! Best Practices The Microsoft ® Active Directory ™ management agent integrates Active Directory into a distributed network environment and manages Active Directory in multiple forests. The Together Administration management agent (TAMA) is a tool that automates and extends the ability of an MMS administrator to automate the addition of new entries in the metaverse namespace to all the other specified connector namespaces in the metadirectory. Microsoft Metadirectory Services (MMS) version 2.2 allows administrators to use the Active Directory management agent and TAMA together to integrate and synchronize entries in multiple Active Directory forests. At the end of this module, you will be able to: ! Describe the purpose of Active Directory interforest synchronization. ! Describe the role that the Active Directory management agent and TAMA play in Active Directory interforest synchronization. ! Use the Active Directory management agent and TAMA to implement an Active Directory interforest synchronization scenario. ! Identify best practices for implementing the Active Directory management agent and TAMA to support interforest synchronization. Topic Objective To provide an overview of the module topics and objectives. Lead-in In this module, you will learn about managing enterprise data by using an Active Directory management agent and TAMA to synchronize data between multiple Active Directory forests. 2 Module 9: Performing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Introduction to Active Directory Interforest Synchronization DomainDomain Domain DomainDomain Domain Forest A DomainDomain Domain DomainDomain Domain Forest B Interforest Synchronization MMS MMS ! Integrate Active Directory with Older Applications ! Reduce Time Spent on Setting Up User Accounts ! Reduce Effort of Deploying Active Directory ! Provide Microsoft Exchange 2000 Integration ! Support Microsoft Exchange GAL Synchronization ! Synchronize Site and Subnet Information An Active Directory forest is a group of one or more trees that contain one or more domains. All domains in a forest share a common schema, configuration partition, and global catalog. A forest acts as a boundary, such that two or more forests do not share any information. Not being able to share information between forests can present some difficulties in the following situations: ! Acquisitions. If one organization acquires another organization, and both organizations have their own forests, there is no simple way to retain both forests and have them interoperate. ! Active Directory Enabled Applications. Applications, such as Microsoft Exchange 2000, that are Active Directory-enabled, are restricted by the forest boundary. For example, an Active Directory forest can only contain a single Exchange 2000 organization. ! Business Requirements. There may be business requirements, or rules, that require an organization to maintain separate forests while still requiring some level of interaction between the forests. Topic Objective To identify the purpose of Active Directory interforest synchronization. Lead-in Module 9: Performing Active Directory Interforest Synchronization 3 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY By implementing MMS in a multiple forest environment, you can achieve a level of interoperation between discrete forests that previously was unavailable. This interoperability can include the following: ! Integrating Active Directory with older applications that are critical to the business. ! Reducing the amount of time spent in setting up user accounts. ! Reducing the effort of deploying Active Directory. ! Providing Microsoft Exchange 2000 integration. ! Supporting Microsoft Exchange Server global address list (GAL) synchronization. ! Synchronizing site and subnet information. 4 Module 9: Performing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY # ## # Using the Active Directory MA and TAMA in Interforest Synchronization ! Active Directory MA Controls Which Type of Object Is Created in Active Directory ! TAMA Controls Which Objects and Where Those Objects Are Created in Active Directory Metadirectory TAMA TAMA TAMA User Computer Contact User Computer Contact Active Active Directory Directory Domain Domain Active Directory MAs User User Computer Computer Contact Contact Active Directory MAs The two key components of MMS in an Active Directory interforest synchronization scenario are the Active Directory management agent and TAMA. The Active Directory management agent controls the type of object that is created, users or contacts, while TAMA controls which objects are created and where those objects are created. Topic Objective To introduce the roles of the Active Directory management agent and TAMA in Active Directory interforest synchronization. Lead-in Module 9: Performing Active Directory Interforest Synchronization 5 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Examining the Role of the Active Directory MA in Interforest Synchronization Object Types Object Types Active Directory MA can create the objects, such as users, contacts, universal distribution groups, and organizational units, in Active Directory Active Directory MA can create the objects, such as users, contacts, universal distribution groups, and organizational units, in Active Directory User and Contact Configuration User and Contact Configuration Active Directory MA is configured to create contacts by default. Use the msMMS-ManagedByMA attribute to create user objects, rather than contacts Active Directory MA is configured to create contacts by default. Use the msMMS-ManagedByMA attribute to create user objects, rather than contacts Group Management Group Management Active Directory MA creates universal distribution groups in Active Directory. A group is created as a contact if the hideDLMembership attribute is set to true in a forest Active Directory MA creates universal distribution groups in Active Directory. A group is created as a contact if the hideDLMembership attribute is set to true in a forest The Active Directory management agent is responsible for the discovery of a particular forest, as well as for object creation and attribute flow. Object Types The Active Directory management agent can create the following objects in Active Directory: ! Users ! Contacts ! Universal distribution groups ! Organizational units ! Sites and subnets User and Contact Configuration The Active Directory management agent is configured to create contacts by default. If you want to create user objects, rather than contacts, you need to assign the msMMS-ManagedByMA attribute to entries that are created as user objects. The msMMS-ManagedByMA attribute is a multivalued attribute that can be assigned the distinguished name of one or more Active Directory management agents. When an Active Directory management agent processes an entry and determines that the msMMS-ManagedByMA attribute contains its distinguished name, it will create a user object, rather than a contact, if required. When creating user and contact objects in Active Directory, you can configure the Active Directory management agent, if required, to modify the following properties: ! User's full name ! User's display name Topic Objective To describe the role of the Active Directory management agent in Active Directory interforest synchronization. Lead-in 6 Module 9: Performing Active Directory Interforest Synchronization BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY ! User's logon name ! User's initial password ! Contact's full name ! Contact's display name When creating user objects, you can also configure the Active Directory management agent to create the users as either disabled or enabled users. If you choose to create enabled users, you can also set the following options: ! Assign an initial password. ! Require the user to change the password the first time they log on. ! Prevent the password from being changed. ! Set the password to never expire. If you want to use the password generation feature for enabled accounts, Secure Sockets Layer (SSL) must be enabled. Group Management By default, the Active Directory management agent creates universal distribution groups in Active Directory. In interforest environments, any group in a forest, regardless of scope or type, is created as a distribution group in other forests. The Active Directory management agent can synchronize distribution group membership information between forests. If a group in a forest has the hideDLMembership attribute set to True, the group is created as a contact, rather than a universal distribution group, when it is created in another forest. For native-mode Windows domains, you can convert groups from security to distribution groups after you create them. The group scope and type cannot be converted in mixed-mode domains. By default, the Active Directory management agent does not flow the groupType attribute to groups. Not flowing the groupType attribute to groups ensures that accidental changes in group scope and type do not occur. The Active Directory management agent does not allow you to convert group scope and type in its initial configuration process. When you set the hideDLMembership attribute to FALSE for a group that has already been created as a contact in another forest, the Active Directory management agent does not convert the contact to a universal distribution group. In this case, you have to delete the contact and the connector and recreate the connector by using TAMA, which then converts the connector to a group. MMS also supports Microsoft Exchange 2000 and other messaging systems, contacts, distribution lists, and memberships. In addition, MMS supports the use of Exchange 2000 connectors to Novell GroupWise, Lotus Notes, and Lotus cc:Mail. Note [...]... CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 9: Performing Active Directory Interforest Synchronization 15 Review Topic Objective To reinforce module objectives by reviewing key points ! Introduction to Active Directory Interforest Synchronization ! Using the Active Directory MA and TAMA in Interforest Synchronization ! Implementing an Active Directory Interforest Synchronization Scenario ! Best Practices... ONLY Module 9: Performing Active Directory Interforest Synchronization 13 Lab A: Implementing Active Directory Interforest Synchronization y Topic Objective To introduce the lab Lead-in In this lab, you will implement a peer forests scenario Explain the lab objectives Lab.doc BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 14 Module 9: Performing Active Directory Interforest Synchronization. .. Requirements ! Lead-in Overview of the Active Directory Interforest Synchronization Scenario Implementing the Active Directory Interforest Synchronization Scenario You can use the Active Directory management agent, in conjunction with TAMA, to solve various directory management issues involving Active Directory Depending on the Active Directory infrastructure, the Active Directory management agent and TAMA... that changes in a distribution group are set properly in Active Directory BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 12 Module 9: Performing Active Directory Interforest Synchronization Implementing the Active Directory Interforest Synchronization Scenario Topic Objective To implement the Active Directory interforest synchronization scenario Scenario Implementation Steps... see module 8, “Managing Enterprise Identity Using TAMA” in course 2062A, Implementing Microsoft Metadirectory Services 2.2 BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 8 Module 9: Performing Active Directory Interforest Synchronization # Implementing an Active Directory Interforest Synchronization Scenario Topic Objective To introduce topics related to using the Active Directory. .. the MMS Active Directory Management Agent Administration Manual BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY 10 Module 9: Performing Active Directory Interforest Synchronization Examining the Implementation Requirements Topic Objective Implementation Requirements Implementation Requirements To identify the requirements for implementing the Active Directory interforest synchronization. . .Module 9: Performing Active Directory Interforest Synchronization 7 Examining the Role of TAMA in Interforest Synchronization Topic Objective To describe the role of TAMA in Active Directory interforest synchronization Lead-in Determining Which Objects to Create TAMA account profiles are used to determine... taught in the module 1 During the interforest synchronization, the Active Directory management agent and TAMA are run What specific roles do the Active Directory management agent and TAMA accomplish during the Active Directory object creation? Active Directory management agent controls the creation of the type of object, user or contact TAMA controls which objects are created in Active Directory and... Active Directory Create Objects in Active Directory To identify best practices for implementing the Active Directory management agent and TAMA to support interforest synchronization Limit the Use of Multivalued Relative Distinguished Names Limit the Use of Multivalued Relative Distinguished Names Lead-in Use Naming Attributes Supported by Active Directory Use Naming Attributes Supported by Active Directory. .. their corresponding entries in Active Directory before object expiration ! Configure and run each management agent for initial discovery of connected directory objects and synchronize interforest site and subnet information to support locator services BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY Module 9: Performing Active Directory Interforest Synchronization 11 ! Synchronize . the Active Directory management agent in Active Directory interforest synchronization. Lead-in 6 Module 9: Performing Active Directory Interforest Synchronization. of the Active Directory management agent and TAMA in Active Directory interforest synchronization. Lead-in Module 9: Performing Active Directory Interforest