
IMANAMI WHITE PAPER

Unlock the power of Active Directory

Updated AUGUST 2006

Written by David Nesbitt, Expert in Directories and Identity Management.

5099 Preston Ave. Livermore, CA 94551. Tel: 925-371-3000 Fax: 925-371-3001. www.imanami.com

Introduction
Is your organization meeting its goals? Many aren't, and although the reasons for failure are sometimes varied and complex, sometimes they are very simple. Some organizations are not flexible enough. Some can't make decisions fast enough. Sometimes the competition is quicker, or the cost of change is too high. Perhaps, after a round of efficiency savings, you find you have cut too far and your key people are now overworked and unable to keep up.

In today's fast-moving world, success depends on an organization's ability to respond quickly to change. That in turn requires swift, accurate and effective communication. Email is the communication vehicle, and the corporate directory is the brain of the system. Unfortunately, in many organizations email is part of the problem, not the solution. Email overload and inaccurate directory information cause communication to bog down, and responsiveness suffers.

Microsoft Exchange is the most popular corporate messaging platform in the world today, with over 50% of organizations using it as their primary messaging server. It is scalable, reliable, and supported by rich clients such as Outlook and Webmail. Since Exchange 2000 it has been fully incorporated into Active Directory, giving it far richer directory services support and lowering the Total Cost of Ownership (TCO) of each user. Yet, despite all this, many organizations still have problems with their Exchange environments. Inaccurate and out-of-date directory or GAL data has a significant impact on the organization as a whole, as end users struggle to find accurate contact information. Modern organizations change so often that it would take an army of Exchange administrators to keep up. Given the cost of highly skilled and experienced MCP- or MCSE-qualified Exchange administrators, many organizations simply cannot afford the additional staff.

Other typical problems involve the maintenance of distribution lists. For all its strengths, Exchange does not provide an adequate enterprise-level group management solution. In even a moderate-sized organization, keeping distribution lists up to date manually is an enormous task with a correspondingly large cost. But not managing lists properly leads to all sorts of problems: internal spam, information not reaching those who need it, or, worst of all, sensitive information reaching those who should not see it, with potentially disastrous consequences.

Synchronizing Exchange with other email systems, directories or databases is also harder and more expensive than it should be. It makes sense to link your HR system and corporate directory together, so that both are as accurate as possible. But can you really afford a nine-month metadirectory project, complete with extremely expensive and specialised consultants? What about linking your Exchange Address Book with your partners' or your affiliates'? Exchange does not readily synchronize across Active Directory forests, but as your organization grows, shrinks or merges, the chance of having to do just that grows ever more likely.

If any of the above problems sound familiar, or if you just want to understand more about efficient Exchange directory management, then this paper is for you. Imanami have been working with Exchange for years and have developed a range of products designed to overcome all of these problems and more.


Contents
Introduction
Contents
Get your GAL to Earn Its Keep
  The Problem with GALs
  GALs Get Out of Synch
  Delegate your GAL Administration
  Introducing Imanami WebDir
  WebDir Architecture
  Configuring WebDir
  Counting the Cost
Get Groups and Distribution Lists Under Control
  Groups and DLs Are Not Static
  Group Management Needs to Get Dynamic and Smart
  Not All Groups Are Dynamic
  Imanami SmartDL
  What About the Static Groups?
  SmartDL Architecture
  Counting the Cost
Get Exchange in Synch with Other Systems
  Reorganization
  Address Book Synchronization
  Enter the Metadirectory
  Introducing Imanami Directory Transformation Manager
  DTM Architecture
  Counting the Cost


Get your GAL to Earn Its Keep


The Problem with GALs
The Exchange Global Address List, especially in later editions where it is underpinned by Active Directory, is capable of holding extensive user identity data. Fields exist for all the kinds of information the extended organization needs: contact information such as names, addresses and telephone numbers, and organizational information such as location, title, department and manager. This is because Active Directory was designed as an enterprise directory, serving such information to directory-enabled clients such as email address books and web servers. Unfortunately, many organizations don't take advantage of this and use Active Directory only to support the Windows 2000 (or 2003) network operating system and as somewhere to hold logon account and password information. What's more, since most organizations use Outlook as their email client, they already have a ready-made way of giving every user access to the directory data: the Outlook Address Book. Rather than use it, most people still push corporate contact lists around in Excel spreadsheets, or purchase and deploy expensive enterprise directories. The following diagram shows a typical view of a user from inside the Outlook Address Book: empty of all useful information except the bare minimum needed to enable the mail account.

Figure 1 The Outlook Address Book

GALs Get Out of Synch


Often, some data is populated during the initial deployment of the Exchange system, but it soon becomes stale. Some people leave, some people arrive. Some change names, change jobs or change location. Telephone numbers seem to change constantly as people move desks for the third or fourth time in a year. The problem is that Exchange administrators are busy people and don't always have the time to update the Exchange directory by hand in the Microsoft Management Console every time Jane Doe from Sales gets a new cellphone (always supposing she remembers to tell them in the first place). Exchange administrators are skilled, and expensive, members of staff who need to be focused on the tasks that have the highest value for the organization. So the GAL data becomes more and more stale over time, and people learn not to trust it. Instead, all sorts of expensive little home-grown methods of getting the contact information people need begin to emerge. Some people store all the company contact information in their PDAs or notebooks. Some keep their own Excel spreadsheet of important contacts. Often, someone in reception at each location is given the task of maintaining a contact list that is circulated by email and is normally out of date as soon as it is sent out.

Shouldn't these people be concentrating on the jobs they were employed to do? Shouldn't there be a simple-to-use, centrally maintained, accurate database of identity and contact information that anyone can use, even when away from the office? Of course there should be. And there is. It's called the Exchange GAL, if only it could be kept up to date without employing an army of expensive administrators.

Delegate your GAL Administration


The answer to keeping GAL data up to date, without an unacceptably high cost, is to delegate the administration of the data down to the appropriate level. This could mean using local administrators such as reception staff who, although trusted and competent, are not fully qualified MCSEs or MCPs. Or it could mean delegating administration as far down as it can go: to the end users themselves. Obviously, neither users nor local administrators can be given access to the core Exchange server functions; that risk would be unacceptable. Nor can they be expected to use a tool such as the Microsoft Management Console just to update their own contact data.

Figure 2 The Microsoft Management Console for Active Directory Users and Computers

What is needed is a simple, preferably web-based, interface that anyone who can use a web browser, or has ever filled in an online form, can use. However, such a system must ensure that administrators retain ultimate control. If every field were left for end users to fill in free-form, chaos would ensue. Any such system needs to be fully configurable, so that some fields can be left read-only, some can be restricted to a choice of entries from a drop-down list, some left free-form, and sensitive fields excluded altogether. The read-only set should include any field that other systems make decisions on, such as manager, title or department: a user who can edit those about themselves can also change who approves their requests or which groups they land in.

Introducing Imanami WebDir


Imanami WebDir is just such a system: a powerful, web-based directory publishing tool. Using WebDir, you can easily delegate the administration of your directory down to the appropriate, and most cost-effective, level. You can administer your directory remotely, allow users to update their own information, provide a simple, read-only, anonymous corporate phonebook, and even let users subscribe to or unsubscribe from groups and distribution lists. WebDir allows your users to update their own directory information, anytime, anywhere, without any assistance from administrators. Yet WebDir keeps the administrators in charge, because it lets them control which fields can be updated, what values can be entered, and even which fields users see. All changes are also tracked in the Event Log, so a full audit trail is maintained, provided that log is retained and collected like any other security log rather than left to wrap on the web server.


By deploying WebDir you can enable your users to:

Search the Directory. Users can search multiple directory fields via a web browser and have the results displayed in a simple, intuitive manner. Results can also be exported to Microsoft Excel, and the interface can even be configured to support WAP devices such as cellular phones and BlackBerry handhelds. Administrators retain the ability to make some fields invisible to these searches.


Update Information. Users can be enabled to update their own information using a simple interface, whilst administrators retain control over which fields can, and cannot, be updated.


Carry Out Administrative Tasks. WebDir can also be used by administrators to carry out tasks normally done through the Microsoft Management Console, such as creating, updating and deleting users, contacts or groups. This makes it possible to delegate certain tasks to local administrators, and lowers the skill level required to carry them out.

Manage Groups. WebDir also allows the management of static distribution lists and groups to be delegated. Users can publish new groups and allow other users to opt in to, or out of, group membership.

WebDir Architecture
Like all Imanami products, WebDir has been designed to leave as small a footprint as possible on the environment in which it operates. Although it can be installed on the server running Active Directory or Exchange, it doesn't have to be. It can be installed on any member server running Microsoft Internet Information Services (IIS) that has network access to the Active Directory or Exchange server to be managed. It can even manage multiple domain controllers or Exchange installations, if required, by using multiple virtual WebDir servers. The following diagram shows this principle.


Figure 3 WebDir Architecture: one WebDir IIS server hosts Virtual Server 1, Virtual Server 2 and Virtual Server 3, which point at Domain Controller 1, an Exchange 5.5 server and Domain Controller 2 respectively; PC, laptop and cellphone/PDA users all connect through the WebDir server.

Configuring WebDir
Configuring WebDir couldn't be easier. Once installed, use the WebDir System Manager to create a new virtual server. Just tell it where the Exchange or Active Directory server is located, give it an account to use (with the correct credentials) and away you go; it really is that easy. That account is the one WebDir binds to the directory with on behalf of every web user, so grant it only what the virtual server needs: write access to the delegated attributes on the OUs it manages, and group membership management where group publishing is enabled, rather than Domain Admins or Exchange Full Administrator rights.
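As an added illustration of that least-privilege grant (example code, not part of this paper and not Imanami's own tooling), the following PowerShell script uses the built-in dsacls.exe to give a service account Write Property on just the self-service contact attributes under one OU. The OU, domain and account names are assumed; the attribute list mirrors the contact fields discussed earlier.

```powershell
# Added example (not Imanami's code): grant a WebDir-style service account
# write access to only the self-service contact attributes, on one OU.
# The OU, domain and account names below are hypothetical.
$ou      = "OU=Staff,DC=corp,DC=example"
$account = "CORP\svc-webdir"

# Attributes end users may update through the web form, and nothing else.
# Fields that other systems decide on (manager, title, department) are
# deliberately absent: they stay read-only for the application too.
$writable = @(
    "telephoneNumber",            # office phone
    "mobile",                     # cellphone
    "physicalDeliveryOfficeName", # office
    "streetAddress"
)

# WP = Write Property on the named attribute, applied to user objects below
# the OU (/I:S = sub-objects only, not the OU itself).
foreach ($attr in $writable) {
    & dsacls.exe $ou /I:S /G "${account}:WP;$attr;user"
    if ($LASTEXITCODE -ne 0) { throw "dsacls failed for $attr" }
}

# Read the ACL back and keep only the entries for the account, so the
# delegated rights can be checked (and audited) without the GUI.
& dsacls.exe $ou | Select-String -SimpleMatch $account
```

The rights go to the service account, not to SELF: WebDir enforces its field rules inside the application, so only the account it binds with should be able to write. Separately, check what SELF already holds on user objects in your domain; by default Active Directory lets users write their own "Personal Information" attributes, which bypasses the web form's restrictions for anyone willing to use an LDAP client, so tighten that if those fields must only change through WebDir.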

Figure 4 WebDir System Manager


Counting the Cost


How much is it costing you not to have effective delegation of directory administration? Here are a few simple calculations to help you think it through.

Administration. Exchange administrators can be expensive, especially if they are MCP or MCSE trained. Costs of $50K to $100K per administrator are not uncommon. By using WebDir, basic administration tasks can be delegated to less expensive personnel, leaving the highly skilled administrators to concentrate on work that really needs their input.

Local Schemes. If users don't trust the directory and maintain personal address lists instead, how much is this costing you? If your organization is 10,000 strong with an average hourly cost of $10 per person, and 25% of people spend just one hour a month maintaining local address lists, you are wasting $25K per month.

Miscommunication. How much does miscommunication cost? How much would you lose if you couldn't find the contact information for your corporate attorney in time to close a deal that would have made the quarterly target? How would the company share price react? How many millions of dollars might be lost, all for the lack of one email address or cellphone number?

Can you really afford not to manage your directory effectively? Imanami WebDir typically pays for itself within weeks not months, or years.


Get Groups and Distribution Lists Under Control


Internal spam is becoming a real problem in many organizations today, and email overload is a chief complaint among many executives and managers. The problem arises when users, unsure exactly who needs to receive their message, send it to the entire organization. Newsletters about the successes of the Indian volleyball team or reminders about the car parking problems in the Detroit office are very interesting to those who follow corporate volleyball or are based in Detroit, but a major irritation to everyone else. Requests for missing books, cellphones or people's contact details abound, interspersed with the occasional flame war between heads of departments who should know better. Recipients often make the problem worse by hitting "reply to all", so the number of emails grows constantly. One impact of email overload is that some busy people decide to ignore email altogether, or only look at it when they are not busy, so the important and urgent items that need their input get lost. Another is that people with more important and urgent tasks spend far too long reading email that has nothing to do with them, rather than doing what they are paid to do. But simply trying to stop people sending unnecessary email, or trying to make them more disciplined in the way they use it, is not the answer. After all, people in Detroit do need to know about the car parking problems; just not the whole organization.

After internal spam, the second most common email problem is the exact opposite: not receiving the emails you really need to see. New members of the global sales force don't get told about the latest marketing drive, or engineers in France don't receive the latest amendment to the product technical support documents. Worst of all, decisions might be made without the people who really understand the issue ever being consulted.

Finally, there is the issue of security. If an email sent only to the management team about a proposed reduction in the workforce finds its way into general circulation, the damage to staff morale could be enormous. Or imagine the impact if a confidential discussion of a forthcoming IPO is received by a contractor whose contract is about to expire, who then leaks it to the press. What if financial documents stored on a supposedly secure shared network folder could be accessed by all staff? What would the impact be if those documents found their way to a competitor? All of these problems have the same root cause: inefficient management of distribution lists and security groups within Exchange and Active Directory.

Groups and DLs Are Not Static


Security groups and distribution lists, when used correctly, are a tremendously powerful tool. In the examples above, distribution lists for all staff located in Detroit, or for anyone who has expressed an interest in corporate volleyball, would have alleviated some of the internal spam. New salespeople should have been added automatically to the global sales distribution list, and the French engineers should have been on the technical amendments list. If the management team's distribution list had been managed properly, or all contractors automatically excluded from the IPO list, the disasters above would never have happened. And if the financial documents had been stored on a share that only members of the finance or management security groups could read, no one else could ever have seen them.

The problem with groups and DLs is similar to the problem with the GAL and directory: their contents change regularly, and administrators are busy and expensive. In a medium to large organization spread across several locations, many hundreds of distribution lists or groups might be needed for the organization to communicate effectively. Maintaining these lists manually is just not a realistic option. Creating a new DL is a very manual task and can take the Exchange administrators many hours, depending on the nature of the DL. A typical DL request might be "I need a DL for all sales reps in AsiaPac". Although such requests may come with a list of names, the administrators still have to add the names to the new DL by hand in the MMC. If the list is wrong, individuals won't get the information they need. And what happens when new salespeople arrive in AsiaPac? Will their managers, or the HR department, remember to inform the directory administrators? Will the directory administrators have time to add the new users, even if they are informed? The MMC does have the ability to search for users using advanced search criteria and then add them to a group, as shown below. But these tools still rely on the manual intervention of an administrator with access to the MMC, and once created, the groups remain static.

Figure 5 MMC Users and Groups

Group Management Needs to Get Dynamic and Smart


As shown above, many email, information and security issues arise because groups and distribution lists within Active Directory remain static, whilst the people and data that make up these groups change constantly. What is needed is a system that can create and maintain smart, dynamic groups. Groups become smart when they are constructed by the sort of advanced query shown above: all sales reps in the UK. They become dynamic when they constantly check the directory for changes, and change their membership accordingly. All an administrator needs to do is define the smart group, then sit back and let it manage itself with no more intervention.

Not All Groups Are Dynamic


Although smart dynamic groups would overcome the issues with the Detroit car parking or the AsiaPac sales force, how can you construct a query based on directory fields for the Indian volleyball team? Unless there is a field called "volleyball", which is extremely unlikely, the answer is: you can't. What's more, you don't need to. There will always be a requirement for static groups. The answer is to make sure that the members of these groups can opt in, or opt out, as required. Whereas membership of the dynamic groups will normally be mandatory (as these groups support the basic function, or location, of an individual), membership of such static groups can be optional, and control of membership delegated to the individuals responsible for the function the group supports. For example, the captain of the volleyball team could be given ownership of the distribution list. The captain would populate the list, and members would then be able to opt out of all future mailings. Another example might be a temporary list for a particular project: the project manager would own the list and add the initial members. An email could be sent informing potentially interested parties that the list exists and offering them the chance to opt in. So, having established the ideal solutions for our list management problems, how do we solve them?


Imanami SmartDL
The answer to creating and managing intelligent, dynamic groups is SmartDL from Imanami. SmartDL is a powerful but easy-to-use application that dynamically creates and maintains distribution lists and groups based on rules applied to your directory data. When a user's directory information changes, SmartDL automatically updates the appropriate distribution lists. SmartDL does this by creating and updating Active Directory groups, or Exchange distribution lists, based on user-defined LDAP queries. Because SmartDL runs these queries at user-defined intervals, new arrivals are discovered and automatically added to the list. Creating a new SmartDL is simple, as the following figures illustrate:

1. Open SmartDL and click New, SmartDL (managed).

2. Follow the wizard and select the location where the new group will reside in the directory.

3. Open the Query Designer and edit the criteria for the new group. In this case, we're creating a SmartDL that will contain anyone in the directory whose "Department" field starts with the term "Admin" (for Administration).


4. SmartDL searches the directory based on the query and shows the results.

5. Back in Active Directory, the new group and its members can now be seen.


And that's it: the new SmartDL will continue to monitor the directory for changes. Any new entries that meet its query condition will be added to the list, and any entries that are deleted from the directory, or no longer meet the query condition, will be removed from it.

SmartDL can also create multilevel Dynasties of groups. A Dynasty is a distribution list that creates and manages other distribution lists. You can create a Dynasty based on any field, and SmartDL will scan the directory for every unique value of that field. It then creates a distribution list for each value and keeps it up to date, creating new distribution lists and deleting ones that are no longer needed. For example, most organizations need a list for each office location so that email can be sent only to the people at that office (like the Detroit car parking problem above). A Dynasty could be created on the location or office field in the directory, and SmartDL will automatically create, and maintain, a group for each location defined in the directory. Creating a new Dynasty is as easy as creating a new SmartDL:

1. Click New, Dynasty (managed).

2. Follow the Wizard and give the Dynasty an appropriate name. In this case, we are creating a Dynasty of groups based on the value of the "City" attribute, but as "City" sounds a little unfriendly, we've decided to call it "Office" instead.


3. Tell SmartDL which field you want it to group the new lists by. SmartDL will create a new list for each unique value of that field.

4. SmartDL searches through the directory creating a new group for each value of the City field it finds.

5. In Active Directory, the new groups complete with their members have been created. And, as these are all smart groups, they will manage themselves dynamically from now on.
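The two procedures above both reduce to the same reconciliation: run an LDAP query, compare the result with the group's current membership, and add or remove the difference. The following PowerShell script is an added example of that mechanism (it is not SmartDL's code and makes no claim about how SmartDL is implemented); it uses the ActiveDirectory module, which postdates this paper. The OU names, group names and the "Department starts with Admin" and "one list per City" rules are taken from the walkthroughs above, with the OU names assumed.

```powershell
# Added example (not Imanami's code): reconcile a group's membership against an
# LDAP query, then build a "dynasty" of one list per City value. OU names,
# group names and the service account this runs as are hypothetical.
Import-Module ActiveDirectory

$staff = "OU=Staff,DC=corp,DC=example"            # where the people live
$dynOU = "OU=Dynamic Groups,DC=corp,DC=example"   # where managed lists live

function Sync-DynamicGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [Parameter(Mandatory)] [string] $LdapFilter,
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $GroupOU
    )
    # Create the list on the first run; later runs reuse it.
    $group = Get-ADGroup -Filter "Name -eq '$GroupName'" -SearchBase $GroupOU
    if (-not $group) {
        $group = New-ADGroup -Name $GroupName -Path $GroupOU -GroupScope Universal `
                             -GroupCategory Distribution -PassThru
    }
    # Who should be in it according to the directory right now...
    $wanted  = @(Get-ADUser -LDAPFilter $LdapFilter -SearchBase $SearchBase |
                 ForEach-Object { $_.DistinguishedName })
    # ...and who is in it today.
    $current = @(Get-ADGroupMember -Identity $group |
                 ForEach-Object { $_.DistinguishedName })

    $toAdd    = @($wanted  | Where-Object { $current -notcontains $_ })
    $toRemove = @($current | Where-Object { $wanted  -notcontains $_ })

    if ($toAdd)    { Add-ADGroupMember    -Identity $group -Members $toAdd }
    if ($toRemove) { Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false }

    # Return the delta so a scheduled run can log it as an audit record.
    [pscustomobject]@{ Group = $GroupName; Added = $toAdd.Count; Removed = $toRemove.Count }
}

# SmartDL walkthrough, step 3: everyone whose Department starts with "Admin".
Sync-DynamicGroup -GroupName "DL-Administration" -SearchBase $staff -GroupOU $dynOU `
    -LdapFilter "(&(objectCategory=person)(objectClass=user)(department=Admin*))"

# Dynasty walkthrough: one "Office-<City>" list per distinct City value.
$cities = @(Get-ADUser -LDAPFilter "(l=*)" -SearchBase $staff -Properties City |
            ForEach-Object { $_.City } | Sort-Object -Unique)

foreach ($city in $cities) {
    # A value read from the directory goes back into a filter, so escape the
    # characters RFC 4515 gives meaning to ("\" first, then "*", "(", ")").
    $escaped = $city -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    Sync-DynamicGroup -GroupName "Office-$city" -SearchBase $staff -GroupOU $dynOU `
        -LdapFilter "(&(objectCategory=person)(objectClass=user)(l=$escaped))"
}

# Retire lists whose City no longer appears anywhere in the directory.
Get-ADGroup -Filter "Name -like 'Office-*'" -SearchBase $dynOU |
    Where-Object { $cities -notcontains $_.Name.Substring(7) } |
    Remove-ADGroup -Confirm:$false
```

Two points a practitioner should carry over to any rule-driven group tool. First, run it under an account that can only manage groups in the dynamic-groups OU, not a domain administrator: the script writes membership on a schedule without a human in the loop. Second, once a security group is populated by a query, the attributes in that query (here department and l/City) are authorization data; anyone allowed to edit them through a self-service form can put themselves into the group, so keep those attributes out of the set delegated to end users.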


What About Static Groups?


As mentioned above, smart dynamic groups can alleviate many group management issues, but most organizations can still benefit from having static, opt-in groups. So how does Imanami help delegate the management of these, and allow users to opt in to or out of the available groups? Observant readers may recall that in the first section we described how Imanami WebDir is designed for just such a job. To delegate control of groups, simply allow group owners to create and manage static groups via a locked-down implementation. This option allows for group management, not full administrative control. Then deploy the ability for users to search for available groups and choose whether to opt in to, or out of, them.

SmartDL Architecture
As with WebDir, SmartDL has a tiny footprint and can run on any server or workstation on the same network as the Domain Controller or Exchange server to be managed. If you run many dynamic groups or dynasties, it is worth making sure there is a high-bandwidth connection between the SmartDL server and the Domain Controller, because of the query traffic. Alternatively, SmartDL can be installed on the Domain Controller itself, if resources allow, though a member server is the safer home for any third-party service, since it keeps that service's account and code off the most sensitive host in the forest.

Counting the Cost


How much might not having SmartDL be costing your organization? Here are some simple calculations to help you decide whether you need effective list management.

Internal Spam. If you have 10,000 users costing on average $10 per hour, and each user spends on average just 15 minutes a day reading internal spam, you are wasting $2.50 per user per day. Multiply that by 10,000 users and you are wasting $25K per day.

Miscommunication. As we said in the introduction, how can you quantify miscommunication? If a member of the Indian volleyball team misses his game, big deal. If a key member of the global sales force doesn't get the marketing collateral she needs to close her biggest prospect, that is potentially a very big deal indeed, right down the drain.

Security. How much is it worth to you to make sure your confidential information is seen only by those who should see it? What would it cost if your new product plans ended up in the hands of your competitors? Or if your plans for an acquisition or merger were leaked? The cost could be the very existence of your organization.


Get Exchange in Synch with Other Systems


So, now we have our directory and email under control, life is good. But wait, what's that we hear on the corporate grapevine? We're reorganising our corporate structure (again)? We're starting a project to share all non-sensitive electronic data with two of our partners? We're merging with another company? As we mentioned in the introduction, the ability to cope with change is one of the keys to success in modern organizations. Whether it is commercial organizations merging or sharing their data with partners, or government departments reorganizing or making their data public, all organizations need to be as flexible as possible. As we have already seen, email and directories are key enablers of organizational success, so it follows that these systems too need to be as flexible as possible. There's only one slight problem: Exchange and Active Directory can't connect easily to other systems. To understand this problem, let's look a little closer at two specific scenarios: reorganization and address book synchronization.

Reorganization
Almost all organizations reorganize themselves on a fairly regular basis. Sometimes the changes are minor, just a few title and location changes, but sometimes half the company moves to a new building in the same city while the other half scatters across the globe. Whatever the scale of the change, the directory data will need to change accordingly. As we've already seen, manual administration of Active Directory or Exchange is slow and costly. Imagine how long it would take, and how much it would cost, if 5,000 users had to be moved to new organizational units in the directory and given new titles, locations, telephone numbers and addresses. The basic problem is that directories (and Active Directory is no exception) are designed and optimized to be read from, not written to. With a traditional directory, batch changes can be forced through with an ldapmodify job, but Active Directory cannot always be updated this way because of constraints on Windows security principals.

However, in most organizations much of the user identity data also exists somewhere other than the directory, most commonly in the HR database. Unlike directories, databases are designed to be written to and can be updated very quickly. The HR data is also far more likely to be accurate and up to date, because of payroll and other legal implications. If there were a way to dynamically link the HR database, or other corporate databases, to the directory, then changes in one could automatically update the other. In a corporate reorganization, updating the location and title fields of 5,000 users in a typical SQL database takes hours, not days: a few simple SQL statements and the job is done. If the link between the database and the directory were permanent, every new user added to the HR database would automatically be added to the directory as well. Directory data accuracy would increase dramatically, and the administrative burden of managing the directory would decrease commensurately.

Address Book Synchronization


In the event of a merger or acquisition, or even a reorganization where two departments merge, address book synchronization is one of the top priorities of IT management, for all the reasons covered earlier. No address book, no effective communications, just at a time when accurate and effective communication is vital. Unfortunately, Exchange and Active Directory have some notable limitations when required to synchronize data with other systems. Most notable is the fact that Exchange 2000 (or later versions) cannot synchronize GALs across Active Directory forests. This means that if synchronization is required, either one end must rename its Active Directory forest, which effectively means a full migration of Active Directory (a massively disruptive and expensive undertaking), or else another, third-party, synchronization solution is required. If Exchange has limitations when synchronizing with other Exchange installations, it should come as no surprise that synchronization with another email system, such as Lotus Notes or Novell Groupwise, is just as problematic. What is required is some form of external synchronization application.

Enter the Metadirectory


Of course, just such an application already exists. It's called a metadirectory. A metadirectory is a directory of directories which is designed to join together different data sources such as email address books, directories and databases. Microsoft itself has just such an application called Microsoft Identity Information Server (formerly known as Microsoft Metadirectory Services), the latest version of which has been designed partly with the cross-forest GAL synch issue in mind. MIIS is an extremely capable and robust piece of software, capable of handling hundreds of thousands of entries across many different data sources. The only problem is, like most metadirectories, it can take months to deploy and needs highly skilled (and expensive) consultants to configure it. If you have 9 months and very deep pockets, then something like MIIS is probably the way to go. But what if you don't have the luxury of long timescales or large budgets? Or what if you just don't want highly skilled (and expensive) consultants crawling all over your systems? What if you instead need something that can be deployed by your own staff, with no training, in days, rather than weeks or months? If that's what you want, don't get a metadirectory.

Introducing Imanami Directory Transformation Manager


If you want something that does most of what a metadirectory does, but at a fraction of the cost and time of a metadirectory, you need Imanami Directory Transformation Manager. Directory Transformation Manager (DTM) will synchronize your GAL or Active Directory with various other databases such as Lotus Notes, Oracle, SQL Server, PeopleSoft, iPlanet, SAP or LDAP. It can even take flat files such as Comma-Separated Value (CSV) or an Excel spreadsheet. DTM does not require a separate database and can be installed on any workstation or server with network connectivity to the source and destination data sources. The main difference between DTM and traditional metadirectories is its ease of use. Like all Imanami software, DTM has a wizard-based interface that simplifies the whole synchronization process. You can even drag and drop fields required for replication. Creating new accounts in Active Directory takes minutes using DTM, as the following figures illustrate:

1. We have a table in SQL Server with all new arrivals in it. This could be populated by an HR system, for example.

2. We want to automatically provision all new arrivals with an account in an Active Directory OU called New Arrivals. As can be seen, this OU is empty at present. (Note: this choice of OU is for demonstration purposes only and is unlikely to be used in a production system.)


3. To import the new users, simply start a new job in DTM.

4. Select the source provider, and provide credentials to connect. In this case, we're connecting to SQL Server.


5. Then select the destination, and provide credentials to connect. In this case, we're provisioning new accounts to Active Directory.

6. Next, tell DTM what to do with accounts that exist in the source but not in the destination. In this case we want to create new users, and we want to create them in our ou=new employees.


7. We are then asked to decide which fields we wish to populate in AD (in addition to the mandatory ones). In this case, we're going to populate email, department, title, city and Display Name as well as the mandatory fields of CN, First Name, userPrincipalName, Last Name and SamAccountName.

8. We then need to connect the fields from the source to those in the destination. This is simply a matter of picking a source field from a drop-down list. We also need to pick a key field for the entry (normally UID or CN) and also inform DTM of those fields that are used for creating new accounts only and aren't synchronized after the initial account creation.


9. If we don't have a perfect match between source and destination fields, DTM also allows us to transform the source data into a better fit. In the example below, we're constructing a Display Name by combining First Name and Last Name, and using a space as a separator.

And that's it! It really is that simple. Now just run the job and see the results in Active Directory.


DTM can synchronize both ways with Active Directory as either the source or destination. Also, DTM jobs can be scheduled to run unattended at user-defined intervals, thus reducing the administrative burden even further.
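The provisioning job in steps 1 to 9, and the reorganization scenario from earlier (a bulk UPDATE in the HR database that should flow through to the directory), can be reduced to a small sync loop: read the source rows, map columns to directory attributes, derive the mandatory naming attributes, create entries that are missing at the destination, and on later runs update only the attributes that are still being synchronized. The following Python script is an added illustration written for this paper's scenario and is not DTM's code or Imanami's; it assumes an in-memory SQLite table called new_arrivals with constructed sample rows in place of the SQL Server table, a plain dict standing in for the New Arrivals OU, employee_id as the key field, and example.com as the UPN suffix.

```python
"""Miniature HR-to-directory provisioning sync (added example, not DTM code).

Assumptions: source = in-memory SQLite table new_arrivals with constructed rows;
destination = a dict keyed by the key field employee_id, standing in for the OU;
UPN suffix example.com. A real job would write to AD over LDAP instead of a dict.
"""
import re
import sqlite3

# Constructed sample HR feed standing in for the SQL Server table in step 1.
SAMPLE_ROWS = [
    ("E1001", "Ada", "Lovelace", "ada.lovelace@example.com", "Engineering", "Analyst", "London"),
    ("E1002", "Grace", "Hopper", "grace.hopper@example.com", "Research", "Director", "Arlington"),
]

# Step 8: source column -> directory attribute for the optional fields of step 7.
FIELD_MAP = {
    "first_name": "givenName", "last_name": "sn", "email": "mail",
    "department": "department", "title": "title", "city": "l",
}
# Naming attributes are written at creation time only and never re-synchronized.
CREATE_ONLY = {"cn", "sAMAccountName", "userPrincipalName"}
UPN_SUFFIX = "example.com"  # assumed domain suffix


def load_source():
    """Build the constructed source table (replaces the HR system of step 1)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE new_arrivals (employee_id TEXT PRIMARY KEY, first_name TEXT, "
        "last_name TEXT, email TEXT, department TEXT, title TEXT, city TEXT)"
    )
    conn.executemany("INSERT INTO new_arrivals VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn


def read_rows(conn):
    conn.row_factory = sqlite3.Row
    return [dict(r) for r in conn.execute("SELECT * FROM new_arrivals ORDER BY employee_id")]


def sam_account_name(first, last):
    """First initial + surname, lower-case ASCII letters and digits, at most 20 chars."""
    clean = re.sub(r"[^a-z0-9]", "", (first[:1] + last).lower())
    if not clean:
        raise ValueError("cannot derive sAMAccountName from name")
    return clean[:20]


def to_attributes(row):
    """Map one source row to the full attribute set of steps 7 to 9."""
    attrs = {ad: row[src] for src, ad in FIELD_MAP.items()}
    first, last = row["first_name"], row["last_name"]
    attrs["displayName"] = f"{first} {last}"  # step 9: First Name + space + Last Name
    sam = sam_account_name(first, last)
    attrs["cn"] = f"{first} {last}"
    attrs["sAMAccountName"] = sam
    attrs["userPrincipalName"] = f"{sam}@{UPN_SUFFIX}"
    return attrs


def sync(conn, directory):
    """Create missing entries, update changed non-create-only attributes.

    Returns (created_keys, updated_keys). Refuses to create a second entry with
    a sAMAccountName already present at the destination.
    """
    created, updated = [], []
    seen_sam = {e["sAMAccountName"] for e in directory.values()}
    for row in read_rows(conn):
        key, wanted = row["employee_id"], to_attributes(row)
        if key not in directory:
            if wanted["sAMAccountName"] in seen_sam:
                raise ValueError(f"duplicate sAMAccountName {wanted['sAMAccountName']}")
            directory[key] = wanted
            seen_sam.add(wanted["sAMAccountName"])
            created.append(key)
            continue
        current = directory[key]
        changes = {a: v for a, v in wanted.items()
                   if a not in CREATE_ONLY and current.get(a) != v}
        if changes:
            current.update(changes)
            updated.append(key)
    return created, updated


if __name__ == "__main__":
    src, ou = load_source(), {}
    print("first run:", sync(src, ou))
    # Reorganization: a bulk change in the HR table propagates on the next run.
    src.execute("UPDATE new_arrivals SET title='Senior Analyst', city='Manchester' "
                "WHERE employee_id='E1001'")
    print("second run:", sync(src, ou))
```

The second run models the reorganization case: the HR side is changed with one UPDATE statement and the next scheduled job carries title and city across, while cn, sAMAccountName and userPrincipalName stay as they were at creation, so a later surname change updates sn and displayName without silently renaming the logon name.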

DTM Architecture
As with all Imanami products, DTM's presence goes largely unnoticed within the enterprise IT architecture, apart from its impact, that is. It can be installed on either a server or workstation and, unlike MIIS, does not need a discrete SQL database. In fact, as it does not store any data, it needs no database at all: just network connectivity between destination and source. The following diagram illustrates a typical DTM deployment.

[Diagram: typical DTM deployment. Sources (SQL, Oracle, Active Directory, File) feed the DTM Job(s) running on the DTM Workstation, which write to the Destinations (Active Directory, File, SQL).]


Counting the Cost


Often, doing directory synchronization is not something that has to be justified in terms of cost benefits and ROI. True, there are massive cost benefits to be had from getting your directory in synch with other enterprise data stores, but the decision to synchronize is often forced by larger organizational decisions such as a merger or acquisition. If this is the case, then the calculation to think about is not "is this worth doing?" but "how can I get best value for this?" Having said that, here are some calculations for both cases.

Synchronization Savings
If there are three databases in the organization with similar identity data, and each has a dedicated administrator who costs $50K per year, that's a total of $150K. However, by cross-synchronization, the administrative task for each database falls, allowing administrators to be reallocated to other tasks.

Typical Metadirectory Project
To deploy MIIS to synchronize Active Directory with Lotus Notes and two SQL databases would cost approximately $60K for the software alone, plus at least 30 consultancy days at anywhere between $1000 and $1500 per day ($45K), giving a total of over $100K. Doing the project in house could prove even more expensive. The following table shows how this compares to DTM.

                 MIIS         DTM
Licence Fees     $ 60,000     $ 30,000
Consultancy      $ 45,000     $ 0
Total            $ 105,000    $ 30,000


Conclusion
In summary, this paper has shown that many organizations using Microsoft Exchange and Active Directory suffer from problems such as inaccurate and out-of-date directory data, the maintenance of distribution lists and synchronizing Active Directory and Exchange with other systems. The impact of these problems is increasing internal spam, miscommunication, soaring administrative costs and general inefficiency. But this paper has also shown that there is a way for organizations to overcome these problems and reap the rewards of an efficient Exchange and Active Directory infrastructure. That way is deploying software solutions from Imanami. By deploying Imanami WebDir, the costs of mismanaging your directory data are slashed. By deploying Imanami SmartDL internal communications are improved dramatically while the cost of maintaining distribution lists goes down. By deploying Imanami DTM you can synchronize Exchange and Active Directory without the costs and administrative burden of deploying a metadirectory.

It's as simple as that: reduce costs and increase efficiency.
