Document: Module 8: Managing Enterprise Identity Using TAMA pptx


Contents

Overview
Introduction to TAMA
How TAMA Works
Using TAMA and Active Directory MA to Create Users
Implementing a Central Account Scenario
Lab A: Implementing a Central Account Scenario Using TAMA
Best Practices
Review

Module 8: Managing Enterprise Identity Using TAMA

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product names or titles. The publications specialist replaces this example list with the list of trademarks provided by the copy editor. Microsoft is listed first, followed by all other Microsoft trademarks in alphabetical order.> are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

<The publications specialist inserts mention of specific, contractually obligated to, third-party trademarks, provided by the copy editor>

Other product and company names mentioned herein may be the trademarks of their respective owners.

Instructor Notes

Instructor_notes.doc

Presentation: xx Minutes
Lab: xx Minutes

Overview

- Introduction to TAMA
- How TAMA Works
- Using TAMA and Active Directory MA to Create Users
- Implementing a Central Account Scenario
- Best Practices

Business organizations spend a significant amount of time and effort ensuring that recently hired employees are provided with the accounts needed to access the resources they need to successfully complete their jobs. Similarly, there is also a business need to remove all accumulated accounts from employees who leave the organization.

The Together Administration management agent (TAMA) in Microsoft® Metadirectory Services version 2.2 (MMS), with its ability to integrate and manage identity information, assists administrators in the account provisioning process. TAMA helps organizations to lower their total cost of ownership of account resources by automating many common administrative functions required to provision new accounts. TAMA also helps organizations reduce the risks associated with unauthorized data access by automating the deletion of defunct accounts.

At the end of this module, you will be able to:

- Describe the purpose of TAMA in managing enterprise identity.
- Describe how TAMA works.
- Describe how to create users by using TAMA and Active Directory management agent.
- Implement a central account scenario by using TAMA.
- Identify the best practices for implementing TAMA.
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about using TAMA to automate the creation and deletion of user accounts in each connected directory.

Introduction to TAMA

[Slide graphic: connected directories (Active Directory, HR, Exchange), each with a connector namespace, around the metaverse in the metadirectory. Labels: Reflector Mode MA, New Objects, TAMA, Update, Management Agent's Run.]

TAMA is a special kind of management agent. TAMA constructs a connector namespace entry that is propagated to the connected directory by another management agent, regardless of the management agent's operating mode. Unlike traditional management agents that use a connected directory as a data source, TAMA uses the metaverse namespace as its data source. You can configure TAMA to scan a portion of the metaverse namespace, identify new or deleted entries, and then send the additions or deletions to the connector namespaces of the appropriate management agents.

For example, when an organization hires a new employee, the Human Resources administrator adds an entry to the Human Resources connected directory. The following tasks occur when you add an entry to a connected directory:

1. A Human Resources management agent reflects that entry in the metaverse namespace.
2. When the Human Resources administrator runs TAMA, TAMA locates the new entry in the metaverse namespace and then creates corresponding connector entries in the applicable connector namespaces.
3. When the management agent is run, the management agent adds the new entry to the other connected directories.

After the completion of these tasks, TAMA enables you to administer all of your directories together.

You can delete an object created by TAMA. For example, if you delete an object in a Human Resources connected directory, the corresponding object in the Active Directory™ directory service is also deleted (that is, if you configure it to be deleted when the corresponding entry in the connected directory is deleted).

Topic Objective: To explain the purpose of TAMA in managing enterprise identity.

Delivery Tip: This graphic is a build-up graphic. The first slide illustrates how new objects are imported into the metaverse namespace through a management agent operating in Reflector mode. The second slide illustrates how TAMA performs multiple updates to the connector namespace. The third slide illustrates that the connected directories are updated the next time their associated management agents are run.

How TAMA Works

- TAMA Components
- Flat and Complex Resources
- TAMA Attributes
- The TAMA Process

TAMA is used primarily to manage multiple connector namespaces according to the defined TAMA resources and account profiles. TAMA functions by examining directory entries in the metaverse namespace. Each entry in the metaverse namespace can have one or more TAMA resources associated with it in a TAMA account profile. TAMA account profiles contain attributes that determine where new connectors should be created.
Knowledge of TAMA resources and account profiles, and of how TAMA uses them, is essential for understanding the TAMA process.

Topic Objective: To introduce the topics related to how TAMA works.

TAMA Components

- TAMA Enables You to Administer All Connected Directories Together
- Resource Is an Object in the Metadirectory That Is Associated with a Particular Management Agent
- Account Profile Is an Object in the Metadirectory That Contains One or More Resources

When MMS is installed, a sample instance of TAMA, called the provisioning agent, is created. TAMA enables you to administer all connected directories together. TAMA acts globally, unlike other management agents that manage a specific instance of a specific connected directory.

TAMA examines directory entries in the metaverse namespace (or a specified branch of the metaverse namespace) to determine if those entries require corresponding entries in one or more connector namespaces under particular management agents. TAMA does this by determining whether any resources or account profiles apply to an object in the metaverse namespace.

- Resource. A resource is an object in the metadirectory that is associated with a particular management agent. All resources have an object class of zcTaAccountResource. A resource is associated with a single management agent. An attribute of the resource contains the distinguished name of its associated management agent. Attributes associated with a resource indicate where in that particular management agent's connector namespace a connector entry should be created. This allows you to specify where in a connected directory objects created by TAMA should be located.

  You can define two types of resources: flat and complex. A flat resource specifies that the new connectors will be added immediately below the entry you specify. The entry and the connectors are all at the same level. A complex resource creates a hierarchy in the connector namespace. The complex resource allows you to define how much of the metaverse namespace structure you want to recreate in the connector namespace.

- Account profile. An account profile is an object in the metadirectory that contains one or more resources. Each entry in the metaverse namespace can have one or more resources associated with it in an account profile. An account profile has an object class of msMMS-ProvisioningProfile, and is usually created in a folder called Together Administration. There is also a multivalued attribute, called zcTaAccountResourceDNs, for the account profile entry that lists the distinguished names of all resources associated with that account profile.

Topic Objective: To identify the TAMA components.

Flat and Complex Resources

[Slide graphic: two Resource Information dialog boxes with the fields Object Class, Type of Resource (Flat or Complex), Resource Description, Management Agent (Select the MA) and Location Under MA (Optional) (Select a location). The complex resource dialog box adds Tree Information: Metaverse Boundary Mode and Maximum Number Of Levels. Callouts: a complex resource creates a hierarchy in the connector namespace; a flat resource specifies that the new accounts will be added immediately below the entry you specify, all at the same level.]

A TAMA resource defines the hierarchical structure used to create objects in a connected directory. You create the TAMA resource to manage the entry creation in the connector namespace of management agents.

Using Flat Resources

You should use flat resources whenever possible.
By defining several account profiles containing different flat resources for the same management agent, you can create new connectors in a complex hierarchy that already exists in the connector namespace. Flat resources only create leaf entries.

Flat resources create all entries in the same place. For example, you can put all new additions into a New Hires organizational unit in the connector namespace initially. By doing this, you create one resource and put it in an account profile that is attached to an entry in the directory tree that is high enough to cause the resource to be applied to all of the relevant entries.

You can also create multiple flat resources for the same management agent. Each flat resource will specify a different location for new connectors under the management agent. For example, an organization has several organizational units, including Accounts Payable and Accounts Receivable, which exist in the metaverse namespace. When you create new entries below these organizational units, either centrally or by using another management agent, you need TAMA to add them to the corresponding Payable and Receivable organizational units under the Email management agent. In this scenario, each organizational unit in the metaverse namespace has an account profile that includes a flat resource record pointing to a corresponding container entry in the connector namespace. That corresponding container is not required to have the same name or the same object class as its metaverse namespace equivalent.

Topic Objective: To identify differences between flat and complex resources.

Using Complex Resources

Though you should use flat resources whenever possible, you can use complex resources when you want to automatically recreate an entry's metaverse namespace hierarchy in a connector namespace.
Because complex resources can be used to create parent containers as well as leaf entries, the necessary parent entries do not have to already exist in the connector namespace.

When you use complex resources, you should always specify a metaverse namespace boundary node and select All Parents in Maximum Number of Levels for the number of parents to be counted. The metaverse namespace boundary node defines how much of the metaverse namespace tree structure you might want to recreate in the connector namespace. When processing complex resources, TAMA first looks at the metaverse namespace hierarchy starting just below the boundary node you specify. Then, TAMA accepts the number of parents you specify, counting down from the metaverse namespace boundary node when it adds a connector to the connector namespace of the management agent.

[...]

Using TAMA and Active Directory MA to Create Users

Topic Objective: To introduce the topics related to using TAMA and Active Directory MA to create users.

- Using the MMS Compass to Create Users
- Using Scripts to Create Users

The Active Directory management agent in a TAMA scenario presents a special case. When using TAMA and the...

Best Practices

Topic Objective: To identify best practices for managing enterprise identity by using TAMA.
Lead-in: Review this checklist before you create and configure TAMA.

- Run TAMA When No Other MAs or Replication Operations Are Running
- Test Construction Before Running TAMA

Test...

... use TAMA to update

- Create resource assignment scripts to assign TAMA resources to entries in a metaverse namespace
- Create and configure TAMA
- Identify how to process disconnectors in MMS

Creating and Configuring TAMA Resources

Create a TAMA...

... questions cover some of the key concepts taught in the module

- Introduction to TAMA
- How TAMA Works
- Using TAMA and Active Directory MA to Create Users
- Implementing a Central Account Scenario
- Best Practices

1. What role does TAMA play in managing enterprise identity?

   TAMA performs the following tasks in managing enterprise identity:

   - Identifies new or deleted entries
   - Sends the additions or deletions...

... not written to the database. They exist only for the duration of TAMA's operation and are reapplied each time you run TAMA.

Creating and Configuring TAMA

Topic Objective: To illustrate how to create and configure TAMA.

Operate the Together Administration MA Management Agent...

TAMA Attributes

Topic Objective: To explain the purpose of the attributes involved in the TAMA process, and their function within the process.

TAMA Attribute: msMMS-ManagedByProfile
Description: Set to a value...

... is assumed to have a value of 0

The TAMA Process

Topic Objective: To identify how account profiles and resources are processed when you run TAMA.

[Slide graphic labels: Metadirectory, TAMA, New Objects, Metaverse, Update, Claims, Exchange...]

Processing Disconnectors

Topic Objective: To identify how to specify when disconnectors will be processed.

- TAMA To Create Disconnectors, and to Remove Objects From Connected Directories
- TAMA Follows a Specific Process to Automatically Delete Entries From the Connected Directories
- TAMA Uses Two Attributes to...

... from enabled to disabled

Lab A: Implementing a Central Account Scenario Using TAMA

Topic Objective: To introduce the lab.
Lead-in: In this lab, you will implement a business scenario by using the Together Administration management agent in conjunction with an Active Directory management...

... delete resources

Creating and Configuring TAMA Account Profiles

Topic Objective: To illustrate how to create and configure TAMA account profiles for each management agent that you want to use TAMA to update.

[Slide graphic labels: Entry, Administration, Operational, References, Virtual Nodes, Joined To]
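An added example, not taken from the module or from MMS: a simplified Python model of one TAMA pass, showing how the flat and complex resources described above place connectors and how a deleted metaverse entry turns into a connector removal. The DNs, the dictionary layout and the reading of Maximum Number of Levels as the number of parent levels kept, counting down from the boundary node, are assumptions.

```python
# Added illustration, not MMS code. All DNs below are constructed samples.

def parents_below(entry_dn, boundary_dn):
    """Container RDNs between the boundary node and the entry, top-down."""
    entry, boundary = entry_dn.split(","), boundary_dn.split(",")
    if entry[-len(boundary):] != boundary:
        raise ValueError(f"{entry_dn} is not under boundary node {boundary_dn}")
    return entry[1:len(entry) - len(boundary)][::-1]

def connector_dn(entry_dn, resource):
    """DN at which a resource places the connector for a metaverse entry."""
    leaf = entry_dn.split(",")[0]
    if resource["type"] == "flat":
        # Flat: a leaf entry immediately below the configured location.
        return f"{leaf},{resource['location']}"
    # Complex: recreate parents, counting down from the boundary node.
    kept = parents_below(entry_dn, resource["boundary"])
    if resource["max_levels"] is not None:  # None models "All Parents"
        kept = kept[:resource["max_levels"]]  # assumed meaning of the setting
    return ",".join([leaf] + kept[::-1] + [resource["location"]])

def applicable_resources(entry_dn, profiles):
    """Resources of every account profile attached at or above the entry."""
    for attached_at, resources in profiles.items():
        if entry_dn == attached_at or entry_dn.endswith("," + attached_at):
            yield from resources

def tama_pass(metaverse, profiles, connectors):
    """Compare wanted connectors with those from earlier passes.

    Returns (to_add, to_remove) as sorted lists of connector DNs.
    """
    wanted = {connector_dn(dn, res)
              for dn in metaverse
              for res in applicable_resources(dn, profiles)}
    return sorted(wanted - connectors), sorted(connectors - wanted)

# Account profiles keyed by the metaverse entry they are attached to.
PROFILES = {
    "ou=Payable,ou=Finance,o=Corp": [
        {"type": "flat", "location": "ou=Payable,ou=EmailMA"}],
    "o=Corp": [
        {"type": "complex", "location": "ou=Users,ou=ADMA",
         "boundary": "o=Corp", "max_levels": None}],
}
METAVERSE = ["cn=Ann,ou=Payable,ou=Finance,o=Corp", "cn=Bo,ou=Sales,o=Corp"]
# Connector left by an earlier pass; its metaverse entry has since been deleted.
EXISTING = {"cn=Zed,ou=Payable,ou=EmailMA"}

if __name__ == "__main__":
    to_add, to_remove = tama_pass(METAVERSE, PROFILES, EXISTING)
    print("add:", *to_add, sep="\n  ")
    print("remove:", *to_remove, sep="\n  ")
```

The removal list is the part that addresses the unauthorized-access risk named in the overview: a connector whose metaverse entry no longer exists is a defunct account until it is removed.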

Date posted: 21/12/2013, 19:15
