PAPER
5099 Preston Ave. Livermore, CA 94551. Tel: 925-371-3000 Fax: 925-371-3001. www.imanami.com
Introduction
Is your organization meeting its goals? Many aren't, and although sometimes the reasons for failure may be varied and complex, sometimes the reasons are very simple. Some organizations are not flexible enough. Some can't make decisions fast enough. Sometimes the competition is quicker, or perhaps the costs of change are too high. Perhaps, after a round of making efficiency savings, you find you have cut too far and now your key people are overworked and unable to keep up. In today's fast-moving world success is dependent on an organization's ability to respond quickly to change. This in turn requires swift, accurate and effective communication. Email is the communication vehicle and the corporate directory is the brain of the system. Unfortunately, in many organizations, email is part of the problem, not the solution. Email overload and inaccurate directory information cause communication to get bogged down and responsiveness suffers.

Microsoft Exchange is the most popular corporate messaging platform in the world today, with over 50% of organizations using it as their primary messaging server. It is scalable, reliable and has rich clients such as Outlook and Webmail to support it. Since Exchange 2000, it has been fully incorporated into Active Directory to provide far richer directory services support and lower the Total Cost of Ownership (TCO) of each user. Yet, despite all this, many organizations are still having problems with their Exchange environments. Problems such as inaccurate and out-of-date directory or GAL data are having a significant impact on the organization as a whole, as end users struggle to find accurate contact information. Modern organizations change so often that it would take an army of Exchange administrators to keep up with the changes. Given the cost of highly skilled and experienced MCP or MCSE-qualified Exchange administrators, many organizations simply cannot afford the additional staff.
Other typical problems involve the maintenance of distribution lists. For all its strengths, Exchange does not provide an adequate enterprise-level group management solution. In even a moderate-sized organization, keeping distribution lists up to date manually is an enormous task with a correspondingly large cost. But not managing lists properly can lead to all sorts of problems such as internal spam, information not reaching those who need it, or worst of all, sensitive information reaching those who really should not see it, with potentially disastrous consequences.

Synchronizing Exchange with other email systems, directories or databases is also harder and more expensive than it should be. It makes sense to link together your HR system and corporate directory, to ensure both are as accurate as possible. But can you really afford a 9-month metadirectory project, complete with extremely expensive and specialised consultants to do it? What about linking your Exchange Address Book with your partners, or your affiliates? Exchange does not readily synchronize across Active Directory forests, but as your organization grows, shrinks, or merges, the chances of having to do just that grow ever more likely.

If any of the above problems sound familiar, or if you just want to understand more about efficient Exchange directory management, then this paper is for you. Imanami have been working with Exchange for years and have developed a range of products designed to overcome all of these problems and more.
Contents
Introduction
Contents
Get your GAL to Earn Its Keep
    The Problem with GALs
    GALs Get Out of Synch
    Delegate your GAL Administration
    Introducing Imanami WebDir
    WebDir Architecture
    Configuring WebDir
    Counting the Cost
Get Groups and Distribution Lists Under Control
    Groups and DLs Are Not Static
    Group Management Needs to Get Dynamic and Smart
    Not All Groups Are Dynamic
    Imanami SmartDL
    What About the Static Groups?
    SmartDL Architecture
    Counting the Cost
Get Exchange in Synch with Other Systems
    Reorganization
    Address Book Synchronization
    Enter the Metadirectory
    Introducing Imanami Directory Transformation Manager
    DTM Architecture
    Counting the Cost
soon as it is sent out. Shouldn't these people be concentrating on doing the jobs they were employed to do? Shouldn't there be a simple-to-use, centrally maintained, accurate database of identity and contact info that anyone can use, even when away from the office? Of course, there should be. And there is. It's called the Exchange GAL, if only it could be kept up to date without having to employ an army of expensive administrators.
Figure 2: The Microsoft Management Console for Active Directory Users and Computers

What is needed is a simple-to-use, preferably web-based, interface that anyone who can use a web browser, or has ever filled in an on-line form, can use. However, such a system must ensure that administrators retain ultimate control. If all fields were left for end-users to fill in free-form, then chaos would ensue. Any such system would need to be fully configurable so that certain fields could be left read-only; some fields could be a choice of entries from a drop-down list; some fields left free-form, and some sensitive fields left excluded altogether.
By deploying WebDir you can enable your users to:

Search the Directory

Users can search multiple directory fields via a web browser and have the results displayed in a simple, intuitive manner. Results can also be exported to Microsoft Excel, or the interface can even be configured to support WAP devices such as cellular phones and Blackberry. Administrators retain the ability to make some fields invisible to these searches.
Update Information

Users can be enabled to update their own information using a simple interface, whilst administrators retain control over which fields can, and cannot, be updated.
Carry Out Administrative Tasks

WebDir can also be used by administrators to carry out tasks normally done through the Microsoft Management Console, such as creating, updating and deleting users, contacts or groups. This makes the delegation of certain tasks to local administrators possible, and lowers the skill level required to carry out such tasks.

Manage Groups

WebDir allows the management of static distribution lists and groups to be delegated as well. Users can publish new groups and allow other users to opt in to, or opt out of, group membership.
WebDir Architecture
Like all Imanami products, WebDir has been designed to leave as small a footprint as possible on the environment in which it operates. Although it can be installed on the server running Active Directory or Exchange, it does not have to be. It can be installed on any member server running Microsoft Internet Information Server (IIS) that has network access to the Active Directory or Exchange server to be managed. It can even be used to manage multiple domain controllers or Exchange installations if required, by using multiple virtual WebDir servers. The following diagram shows this principle.
[Diagram: a WebDir IIS server (WebDir Server) hosting Virtual Server 1, Virtual Server 2 and Virtual Server 3, which connect to Domain Controller 1, Exchange 5.5 and Domain Controller 2; PC and laptop users access the directory through the WebDir server.]
Configuring WebDir
Configuring WebDir couldn't be easier. Once installed, use the WebDir System Manager to create a new virtual server. Just tell it where the Exchange or Active Directory server is located, give it an account to use (with the correct credentials) and away you go; it really is that easy.
Can you really afford not to manage your directory effectively? Imanami WebDir typically pays for itself within weeks, not months or years.
directory administrators? Will the directory administrators have the time to add the new users, even if they are informed? The MMC does have the ability to search for users using advanced search criteria, and then to add these users to a group, as shown below. But these tools still rely on the manual intervention of an administrator with access to the MMC, and once created, the groups remain static.
Imanami SmartDL
The answer to creating and managing intelligent, dynamic groups is SmartDL from Imanami. SmartDL is a powerful, but easy-to-use, application that dynamically creates and maintains distribution lists and groups based on rules that are applied to your directory data. When a user's directory information changes, SmartDL automatically updates the appropriate distribution lists. SmartDL does this by creating and updating Active Directory groups, or Exchange distribution lists, based on user-defined LDAP queries. Also, as SmartDL runs these queries at user-defined intervals, new arrivals will be discovered and automatically added to the list. Creating a new SmartDL is simple, as the following figures illustrate:

1. Open up SmartDL and click on New, SmartDL (managed).
2. Follow the wizard and select the location where the new group will reside in the directory.
3. Open the Query Designer and edit the criteria for the new group. In this case, we're creating a SmartDL that will contain anyone in the directory whose "Department" field starts with the term "Admin" (for Administration).
4. SmartDL searches the directory based on the query and shows the results.
5. Back in Active Directory, the new group and its members can now be seen.
And that's it: the new SmartDL will continue to monitor the directory for changes. Any new entries that meet its query condition will be added to the list, and any entries that are deleted from the directory, or no longer meet the query condition, will be removed from the list.

SmartDL can also create multilevel Dynasties of groups. A Dynasty is a distribution list that creates and manages other distribution lists. You can create a Dynasty based on any field, and SmartDL will scan the directory for every unique value of the field. It will then create a distribution list for each value and keep it up to date, creating new distribution lists and deleting ones that are no longer needed. For example, most organizations need lists for each office location to allow email to be sent to only those people located at that office (like the Detroit car parking problem above). A Dynasty could be created that is based on the location or office field in the directory, and SmartDL will automatically create, and maintain, a group for each location defined in the directory. Creating a new Dynasty is as easy as creating a new SmartDL:

1. Click New, Dynasty (managed).
2. Follow the Wizard and give the Dynasty an appropriate name. In this case, we are creating a Dynasty of groups based on the value of the "City" attribute, but as "City" sounds a little unfriendly, we've decided to call it "Office" instead.
3. Tell SmartDL which field you want it to group the new lists by. SmartDL will create a new list for each unique value of that field.
4. SmartDL searches through the directory creating a new group for each value of the City field it finds.
5. In Active Directory, the new groups complete with their members have been created. And, as these are all smart groups, they will manage themselves dynamically from now on.
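The two behaviours described above, a rule-driven SmartDL (Department starts with "Admin") and a Dynasty keyed on City, as an added illustration that is not SmartDL's own code: it runs one reconciliation pass over a constructed in-memory directory, and the directory entries, DNs and helper names are all assumptions for the example.

```python
"""Added example, not SmartDL's code: rule-driven group reconciliation and a
'Dynasty' (one group per unique attribute value) over a constructed directory."""
from typing import Callable, Dict, Iterable, List, Set, Tuple

Entry = Dict[str, str]
Rule = Callable[[Entry], bool]

# Constructed sample entries standing in for Active Directory users (not real data).
DIRECTORY: List[Entry] = [
    {"dn": "cn=alice,ou=staff,dc=example,dc=com", "department": "Administration", "city": "Detroit"},
    {"dn": "cn=bob,ou=staff,dc=example,dc=com", "department": "Admin Support", "city": "Detroit"},
    {"dn": "cn=carol,ou=staff,dc=example,dc=com", "department": "Sales", "city": "Chicago"},
    {"dn": "cn=dave,ou=staff,dc=example,dc=com", "department": "Engineering"},  # no city set
]

def starts_with(attr: str, prefix: str) -> Rule:
    """The paper's query 'Department starts with Admin'; matched case-insensitively."""
    return lambda e: e.get(attr, "").lower().startswith(prefix.lower())

def reconcile(rule: Rule, current: Set[str], directory: Iterable[Entry]) -> Tuple[Set[str], Set[str]]:
    """One SmartDL-style pass: return (to_add, to_remove) so that membership equals the
    rule's result set. Entries that no longer match, or were deleted from the directory,
    land in to_remove; that removal is what stops a stale member receiving the list's mail."""
    desired = {e["dn"] for e in directory if rule(e)}
    return desired - current, current - desired

def apply_changes(current: Set[str], to_add: Set[str], to_remove: Set[str]) -> Set[str]:
    """Apply a reconciliation result; stands in for the group writes SmartDL would make."""
    return (current - to_remove) | to_add

def dynasty(attr: str, directory: Iterable[Entry]) -> Dict[str, Set[str]]:
    """One group per unique value of attr (the paper's Dynasty on 'City'). Entries without
    the attribute join no group, and a value that no longer occurs yields no group, which
    is how the list for a closed office disappears on the next pass."""
    groups: Dict[str, Set[str]] = {}
    for e in directory:
        value = e.get(attr)
        if value:
            groups.setdefault(value, set()).add(e["dn"])
    return groups

if __name__ == "__main__":
    admins: Set[str] = {"cn=carol,ou=staff,dc=example,dc=com"}  # stale, manually added member
    add, remove = reconcile(starts_with("department", "Admin"), admins, DIRECTORY)
    print("add:", sorted(add), "remove:", sorted(remove))
    for city, members in sorted(dynasty("city", DIRECTORY).items()):
        print(city, sorted(members))
```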
SmartDL Architecture
As with WebDir, SmartDL has a tiny footprint and can be run on any server or workstation on the same network as the Domain Controller or Exchange Server to be managed. If running many dynamic groups or dynasties, it may be worth making sure there is a high-bandwidth connection between the SmartDL server and the Domain Controller, due to the network traffic. Alternatively, SmartDL may be installed on the Domain Controller itself, if resources allow.
Reorganization
Almost all organizations reorganize themselves on a fairly regular basis. Sometimes the changes are fairly minor (just a few title and location changes), but sometimes half the company moves to a new building in the same city, while the other half scatters across the globe. Whatever the scale of the change, the directory data will need to be changed accordingly. As we've already seen, manual administration of Active Directory or Exchange is a slow and costly business. Imagine how long it would take, and how much it would cost, if 5,000 users had to be moved to new organizational units in the directory, given new titles, locations, telephone numbers and addresses. The basic problem here is that directories (and Active Directory is no exception) are designed to be read from, not written to, and they are optimized that way. But, whereas with a traditional directory, batch changes can be forced through via an LDAPModify task, Active Directory can't always be updated this way due to issues with the Windows security principals.

However, in most organizations nowadays, much of the user identity data also exists in other places apart from the directory, most commonly in the HR database. Unlike directories, databases are designed to be written to and can be updated very quickly. Also, the HR data is far more likely to be accurate and up to date, due to payroll and other legal implications. If somehow there was a way to dynamically link the HR database, or other corporate databases, to the directory, then changes in one could automatically update the other. In the case of corporate reorganization, to update the location and title fields of 5,000 users in a typical SQL database would take hours, not days. A few simple SQL statements and the job would be done. If the link between the database and the directory were permanent, every time a new user was added to the HR database, they could automatically be added to the directory as well.
Directory data accuracy would increase dramatically, and the administrative burden of managing the directory would be decreased commensurately.
system, such as Lotus Notes or Novell Groupwise, is just as problematic. What is required is some form of external synchronization application.
2. We want to automatically provision all new arrivals with an account in an Active Directory OU called New Arrivals. As can be seen, this OU is empty at present. (Note: this choice of OU is for demonstration purposes only and is unlikely to be used in a production system.)
4. Select the source provider, and provide credentials to connect. In this case, we're connecting to SQL Server.
5. Then select the destination, and provide credentials to connect. In this case, we're provisioning new accounts to Active Directory.
6. Next, tell DTM what to do with accounts that exist in the source, but not in the destination. In this case we want to create new users, and we want to create them in our ou=new employees.
7. We are then asked to decide which fields we wish to populate in AD (in addition to the mandatory ones). In this case, we're going to populate email, department, title, city and Display Name as well as the mandatory fields of CN, First Name, userPrincipalName, Last Name and SamAccountName.
8. We then need to connect the fields from the source to those in the destination. This is simply a matter of picking a source field from a drop-down list. We also need to pick a key field for the entry (normally UID or CN) and also inform DTM of those fields that are used for creating new accounts only and aren't synchronized after the initial account creation.
9. If we don't have a perfect match between source and destination fields, DTM also allows us to transform the source data into a better fit. In the example below, we're constructing a Display Name by combining First Name and Last Name, and using a space as a separator.
And that's it! It really is that simple. Now just run the job and see the results in Active Directory.
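The job configured in steps 2 to 9, as an added illustration that is not DTM's own code: a constructed SQL table stands in for the HR source, a dictionary keyed by sAMAccountName stands in for Active Directory, and the key field, create-only fields and the First Name + Last Name transform are applied on each run. The column names, UPN suffix and target OU DN are assumptions for the example.

```python
"""Added example, not Imanami DTM: a one-way SQL-to-directory provisioning job
with the pieces configured in steps 2 to 9 (key field, create-only fields, transform)."""
import sqlite3
from typing import Dict

# Assumed UPN suffix and target OU for the constructed example (see step 6).
UPN_SUFFIX = "example.com"
TARGET_OU = "ou=new employees,dc=example,dc=com"

# Step 8: destination attribute -> source column, plus the fields set only at creation.
FIELD_MAP = {"sAMAccountName": "uid", "givenName": "first", "sn": "last", "mail": "email",
             "department": "dept", "title": "title", "l": "city"}
KEY = "sAMAccountName"
CREATE_ONLY = {"sAMAccountName", "cn", "userPrincipalName"}

def build_source() -> sqlite3.Connection:
    """Constructed HR table standing in for the SQL Server source (step 4); not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hr (uid TEXT PRIMARY KEY, first TEXT, last TEXT, "
                 "email TEXT, dept TEXT, title TEXT, city TEXT)")
    conn.executemany("INSERT INTO hr VALUES (?,?,?,?,?,?,?)", [
        ("asmith", "Alice", "Smith", "alice@example.com", "Admin", "Clerk", "Detroit"),
        ("bjones", "Bob", "Jones", "bob@example.com", "Sales", "Rep", "Chicago")])
    return conn

def transform(row: Dict[str, str]) -> Dict[str, str]:
    """Step 9: map columns and derive Display Name as First + ' ' + Last; CN and UPN follow."""
    attrs = {dst: row[src] for dst, src in FIELD_MAP.items()}
    attrs["displayName"] = f"{row['first']} {row['last']}"
    attrs["cn"] = attrs["displayName"]
    attrs["userPrincipalName"] = f"{row['uid']}@{UPN_SUFFIX}"
    return attrs

def sync(conn: sqlite3.Connection, directory: Dict[str, Dict[str, str]]) -> Dict[str, int]:
    """Run the job once. `directory` is keyed by sAMAccountName and stands in for AD.
    Source rows missing from the destination are created in TARGET_OU (step 6); existing
    accounts have only their non-create-only attributes refreshed (step 8)."""
    created = updated = 0
    cur = conn.execute("SELECT uid, first, last, email, dept, title, city FROM hr")
    cols = [d[0] for d in cur.description]
    for values in cur.fetchall():
        attrs = transform(dict(zip(cols, values)))
        key = attrs[KEY]
        if key not in directory:
            directory[key] = {**attrs, "ou": TARGET_OU}
            created += 1
            continue
        existing = directory[key]
        changes = {k: v for k, v in attrs.items() if k not in CREATE_ONLY and existing.get(k) != v}
        if changes:
            existing.update(changes)
            updated += 1
    return {"created": created, "updated": updated}

if __name__ == "__main__":
    ad: Dict[str, Dict[str, str]] = {}
    src = build_source()
    print(sync(src, ad))          # first run creates both accounts
    print(sync(src, ad))          # second run finds nothing to change
```

Running the job on a schedule, as the text describes for DTM, is the second call repeated at an interval: a later HR change to a synchronized column is pushed through, while CN and UPN keep the values set at creation.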
DTM can synchronize both ways with Active Directory as either the source or destination. Also, DTM jobs can be scheduled to run unattended at user-defined intervals, thus reducing the administrative burden even further.
DTM Architecture
As with all Imanami products, DTM's presence goes largely unnoticed within the enterprise IT architecture apart from its impact, that is. It can be installed on either a server or workstation and, unlike MIIS, does not need a discrete SQL database. In fact, as it does not store any data, it needs no database at all: just network connectivity between destination and source. The following diagram illustrates a typical DTM deployment.
[Diagram: a typical DTM deployment. DTM jobs run on a DTM workstation, reading from sources (SQL, File) and writing to destinations (Active Directory, File, SQL).]
Conclusion
In summary, this paper has shown that many organizations using Microsoft Exchange and Active Directory suffer from problems such as inaccurate and out-of-date directory data, the maintenance of distribution lists and synchronizing Active Directory and Exchange with other systems. The impact of these problems is increasing internal spam, miscommunication, soaring administrative costs and general inefficiency. But this paper has also shown that there is a way for organizations to overcome these problems and reap the rewards of an efficient Exchange and Active Directory infrastructure. That way is deploying software solutions from Imanami. By deploying Imanami WebDir, the costs of mismanaging your directory data are slashed. By deploying Imanami SmartDL internal communications are improved dramatically while the cost of maintaining distribution lists goes down. By deploying Imanami DTM you can synchronize Exchange and Active Directory without the costs and administrative burden of deploying a metadirectory.