
Document: Module 8: Cross-Forest/Multi-Forest (pptx). 78 pages, 2.9 MB, PDF.

Contents

- Overview (p. 1)
- Lesson 1: The Cross-forest Specification (p. 2)
- MIIS Components (p. 8)
- Lab 8.1: Getting to know MIIS 2003 and GAL Sync Management Agent (p. 26)
- Lesson 3: Cross-Forest SMTP Mailflow (p. 32)
- Lesson 4: InterOrg Public Folder Replication (p. 35)
- Lab 8.2: Cross Forest Practice (p. 47)
- Appendix A: GAL Sync Log and Error Messages (p. 50)
- Appendix B: GAL Sync Mapping Types (p. 54)
- Appendix C: GAL Sync Provisioning Rules (p. 67)
- Acknowledgments (p. 76)

Module 8: Cross-Forest/Multi-Forest

ii Module 8: Cross-Forest/Multi-Forest

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2003 Microsoft Corporation. All rights reserved.

Microsoft, MS-DOS, Windows, Windows NT, Active Directory, ActiveX, Excel, Exchange Server 5.5, Exchange 2000 Server, Exchange Server 2003, Internet Explorer, Internet Information Server, Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

The names of actual companies and products mentioned herein (Groupwise, IBM, Lotus cc:Mail, Lotus Notes, Netscape, Oracle) may be the trademarks of their respective owners.


Overview

- Topic 1: The cross-forest specification
- Topic 2: Microsoft Identity Integration Services (MIIS) 2003 and Global Address List (GAL) Sync
- Topic 3: Cross-forest SMTP mail flow
- Topic 4: Inter-Org public folder replication

At the time of this writing, only RC1 of MIIS 2003 was available for reference. As such, many of the screenshots may be out of date. Additionally, the MIIS product was renamed prior to the Release To Manufacturing (RTM) in July 2003. Thus, any references to MMS or "Microsoft Metadirectory Services" should be considered MIIS or "Microsoft Identity Integration Services."

Introduction


Lesson 1: The Cross-forest Specification

Introduction

Why do customers deploy multiple forests?

Customers deploy multiple forests because it is more secure. Since an Active Directory domain was no longer a true security boundary, forests became the entities in which future topologies were planned.

Customers want administrative autonomy and data isolation. They could achieve this in Exchange 5.5 by simply attaching any new Exchange 5.5 site to an existing organization, and thus form a chain of peer sites with a common GAL. Yet trusts were not necessary between each domain that was the realm of an Exchange 5.5 site. Therefore data could be isolated, and administration could be left in the hands of each site/Windows NT domain administrator.

Exchange 2000 introduced an architectural regression. Customers could no longer achieve administrative autonomy and data isolation because Exchange 2000 organizations were each bounded by a single forest. This meant that each Global Address List was limited to this same boundary. There was no way to attach administrative groups to existing organizations outside of the forest to share a common GAL. Thus, it was extremely difficult to replace traditional site/domain boundaries with a multi-domain, single-forest model. Those who tried found that transitive trusts and Exchange groups were so invasive that any domain administrator could potentially gain access to other domains' mailboxes within the forest.

Goals:

The goal is to deploy multiple forests to achieve core messaging functionality as it works in the single-forest case. This includes

- Basic mail functionality
- Calendaring
- Common GAL

Important: There are certain features which are not available in a cross-forest deployment, such as the ability to view the membership of a distribution group whose members are stored in another forest. Further, Delegate Access will not be supported across forests (currently, a contact cannot be given delegate access to a mailbox). Thus, customers should not expect to achieve full feature parity with single-forest installations.

Added benefits:

- Customers have an alternative to using the Active Directory Connector's inter-organizational connection agreements, which were not supported for coexistence between different organizations.
- Provide an administrative model somewhat similar to the peer-to-peer directories of Exchange 5.5, so that Exchange 5.5 customers may ease into Exchange 2003 without destroying their existing administrative model.

The bare requirements to make a multi-forest topology work for just basic messaging (basically sending messages, with no free/busy features) are directory synchronization and mail flow. Essentially, a synchronized global GAL needs to be available to all forests, and a transport route needs to be in place to allow mail to flow between them.

Since there is no built-in feature to automate sharing of GAL information between forests, the cross-forest spec combines unrelated technologies to achieve the goals. These technologies include

- Microsoft Identity Integration Server (MIIS) to achieve directory synchronization.
- Customized SMTP connectors for mail flow between forests.
- Optional components (IORepl, x-forest movemailbox) that may be added to the cross-forest scenario so that multi-forest deployments come closer to parity with a single-forest scenario.

Components


MIIS 2003 and GAL Sync

Definition

This topic covers Microsoft Identity Integration Server version 2003 and the Global Address List Synchronization (GAL Sync) process, which together perform the directory synchronization. Once set up, users in one forest may look up recipients in different forests, and the infrastructure for cross-forest mail flow is established.

History of MIIS

- Previous version bought from Zoomit, Inc.
- Version 2.2 is no longer for "sale." "Sale" is in quotes because if a customer has a Windows 2000 Advanced Server license, then this product is available at no extra cost. However, in order to implement this product they will need to engage Microsoft Consulting Services (MCS) or an Authorized MIIS Partner. Version 2.2 is a high-touch, complex, difficult-to-deploy product. As it is particularly difficult to set up and configure, in the hands of the untrained it is possible to do considerable damage to the connected systems. For this reason MMS 2.2 was never actually sold as a "product" in the true sense. It did not have a SKU, and was not on any parts list from Microsoft. However, Microsoft would license the product to customers who had a Windows 2000 Advanced Server license (at no additional cost) and took a services engagement from MCS or from an Authorized MIIS Partner.
- Version 3.0 (renamed to MMS 2003, then renamed to MIIS 2003) was rewritten from the ground up. There is still an MIIS 2003 partner program, and http://www.microsoft.com/windows2000/partners/mms2003.asp lists those that have been trained on MIIS 2003 and are ready to help customers. The 3.0/2003 version is considerably improved, and Microsoft believes customers can use the information (based on scenarios) that ships on the product CD to conduct their own evaluation, design, test and deployment.


Intro to MIIS 2003

Companies often store data about users and objects in multiple data sources: some within Active Directory forests, others within other types of data repositories. Therefore, the identity of a user could be scattered across several different locations on several different incompatible platforms. Often, companies need to aggregate (combine) that information into a logical view that represents the sum of all the identity information for a given object.

Thus, metadirectories are used for identity management, or for massaging complex data from multiple data sources so that it may be managed easily. Because the concept is so universal, IBM®, Oracle®, Netscape®, and others market their own metadirectory products. Microsoft's latest offering is called Microsoft Identity Integration Server (MIIS) version 2003.

MIIS 2003 is a service that collects information from different data sources throughout an organization and then combines all or part of that information into an integrated, unified view. This unified view presents all of the information about an object, such as a person or network resource, that is contained throughout the organization. In most organizations, the source data is typically stored in different directories, databases, and other data repositories throughout the Information Technology (IT) infrastructure.

After all of the information about a person or resource is combined in the metadirectory, rules can be applied to decide how this information is managed and how changes to this information flow out to all of the directories that are connected to the metadirectory. Therefore, the metadirectory propagates any changes that originate in one directory to the other directories in the organization.
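As an added illustration of the aggregate-then-propagate behaviour just described, and of the directory-synchronization requirement from Lesson 1, here is a small Python model of GAL sync through a metadirectory. It is constructed for this page and is not MIIS code: the forest names are made up, the join-on-SMTP-address rule is a simplification, and the model keeps only `displayName` and `targetAddress` on each provisioned contact.

```python
# Constructed model of cross-forest GAL synchronization through a metadirectory.
# Not MIIS code: each forest exports its mailbox-enabled users keyed on SMTP
# address, the metaverse joins them, and every other forest receives a
# mail-enabled contact whose targetAddress routes mail back to the home forest.
from dataclasses import dataclass, field


@dataclass
class Forest:
    name: str
    users: dict = field(default_factory=dict)     # mail -> {"displayName": ...}
    contacts: dict = field(default_factory=dict)  # mail -> provisioned contact


def build_metaverse(forests):
    """Aggregate every forest's users into one view keyed on lowercase mail.
    Returns (metaverse, conflicts); an address owned by two forests is an
    ambiguous join, reported and left out rather than synced blindly."""
    metaverse, conflicts = {}, []
    for forest in forests:
        for mail, user in forest.users.items():
            key = mail.lower()
            if key in metaverse and key not in conflicts:
                conflicts.append(key)
            metaverse.setdefault(key, {"home": forest.name,
                                       "displayName": user["displayName"]})
    for key in conflicts:
        del metaverse[key]
    return metaverse, conflicts


def sync_gal(forests):
    """One sync run: create, refresh and delete contacts in each forest so
    that its GAL lists every recipient homed in the other forests."""
    metaverse, conflicts = build_metaverse(forests)
    for forest in forests:
        wanted = {k: v for k, v in metaverse.items() if v["home"] != forest.name}
        for key, entry in wanted.items():            # attribute flow outward
            forest.contacts[key] = {
                "displayName": entry["displayName"],
                "targetAddress": "SMTP:" + key,       # deliver to the home forest
                "sourceForest": entry["home"],
            }
        for key in list(forest.contacts):            # deprovisioning
            if key not in wanted:
                del forest.contacts[key]
    return conflicts
```

Running `sync_gal` again after a rename or deletion in a source forest refreshes or removes the corresponding contacts, which is the change propagation the paragraph above describes.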
