Configure Customer Active Directory for Inbound Automatic Synchronization



This section contains the steps necessary to configure the customer Active Directory domain controller for use with the Customer Directory Integration (CDI) Service.

Network Communication Requirements

You must have either a virtual private network (VPN) or a dedicated network connection between your network and your customer's network. In addition, a network connection must be available between the Customer Active Directory controller, CUSTAD02, and your hosting environment. CUSTAD02 must be able to communicate with both the DNS server (DNS01) and your Active Directory controllers (AD01 and AD02).

Software Requirements

If you already have a Microsoft Windows Server 2003 Active Directory domain controller up and running, you will not need to install Windows Server 2003. However, you should ensure that it is set up in accordance with the other procedures in this section.

CUSTAD02 must run Windows Server 2003 Enterprise Edition as the operating system because both the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory and Microsoft SQL Server 2000 Service Pack 4 (SP4) will be installed on it.

If you intend to install the Identity Integration Feature Pack 1a for Microsoft Windows Server Active Directory and SQL Server 2000 SP4 on another server instead of on CUSTAD02, you may use Windows Server 2003 Standard Edition as the operating system on CUSTAD02.

Procedure DCDIA.1: To install Windows Server 2003 Enterprise Edition

  1. Perform a default installation of Windows Server 2003, Enterprise Edition, by using the CD boot or floppy boot method.

    You should use appropriate naming conventions for your environment. However, for the purposes of this guide, the customer Active Directory domain controller is named CUSTAD02.

  2. Install the Support Tools from the Windows Server 2003 CD.

  3. Apply Service Pack 1 and any other released updates to Windows Server 2003 by using Microsoft Update.

  4. Set the Application, Security, and System event logs to 20 megabytes (MB) and configure them to overwrite as needed.

  5. Enable a public-facing interface that will allow outside traffic to communicate with this server.

Procedure DCDIA.2: To set a static IP address for the Active Directory domain controller CUSTAD02

  1. Click Start, then click Network Connections.
  2. Right-click Local Area Connections and click Properties.
  3. Select Internet Protocol (TCP/IP) and click Properties.
  4. Select Use the following IP address and specify appropriate values for static IP address and subnet mask, as provided by the service provider.
  5. Select Use the following DNS server addresses and then, for Preferred DNS server, enter the IP address 127.0.0.1.
  6. Click OK and click Close.

Procedure DCDIA.3: To promote CUSTAD02 to a domain controller with Active Directory

  1. Log on to CUSTAD02 as the Local Administrator.
  2. Click the Start button, click Run, and then type dcpromo in the Open text box to start the Active Directory Installation Wizard.
  3. Click Next at the opening screen of the wizard.
  4. In the Operating System Compatibility screen, click Next.
  5. In the Domain Controller Type screen, click the Domain controller for a new domain option, and then click Next.
  6. In the Create New Domain screen, click the Domain in a new forest option.
  7. In the New Domain Name screen, type the full DNS name for the new domain, such as proseware.local.

    Note: This will be the local name of the Active Directory for the Proseware customer organization that corresponds to the hosted organization that is created in the Running Hosted Exchange documentation.
  8. In the NetBIOS Domain Name screen, click Next to accept the default NetBIOS name.
  9. In the Database and Log Folder screen, click Next to accept the default locations for the Database and Log folders.
  10. In the Shared System Volume screen, click Next to accept the default location for the SYSVOL folder.
  11. In the DNS Registration Diagnostics screen, click the Install and configure the DNS server on this computer, and set this computer to use this DNS server as the preferred DNS server option, and then click Next.
  12. In the Permissions screen, click the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option. Click Next.
  13. In the Directory Services Restore Mode Administrator Password screen, type a restore mode password, and then click Next.
  14. Review the information in the Summary screen, and then click Next to accept the configuration.
  15. Allow the Active Directory Installation Wizard to install and configure Active Directory and DNS.
  16. When complete, click Finish and restart the computer.

The base requirement for the customer Active Directory is that the Active Directory forest and domain be at least in native Windows 2000 mode. This procedure raises the forest and domain functional levels to Windows Server 2003.

Procedure DCDIA.4: To raise the domain and forest functional levels to Windows Server 2003

  1. Log on to CUSTAD02 as the Domain Administrator.
  2. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the right-hand pane of the management console, right-click the proseware.local domain name, and then click Raise Domain Functional Level.
  4. In the Select an available domain functional level drop-down box, select Windows Server 2003, and then click the Raise button.
  5. On the Raise Forest Functional Level message box, click OK.
  6. In the left-hand pane of the management console, right-click the Active Directory Domains and Trusts node (above domain name), and then click Raise Forest Functional Level.
  7. In the Select an available forest functional level drop-down box, select Windows Server 2003, and then click the Raise button.
  8. On the Raise Forest Functional Level message box, click OK.
  9. From the File menu of the Active Directory Domains and Trusts management console, click Exit.

The customer Active Directory and the service provider Active Directory need a domain name resolution system between them. You may choose to use an alternate method for domain name resolution; however, the next procedure uses Microsoft DNS to set up a zone transfer from the customer Active Directory to the service provider Active Directory.

Procedure DCDIA.5: To allow zone transfers in DNS

  1. Click the Start button, click All Programs, click Administrative Tools, and then click DNS to display the dnsmgmt management console.
  2. In the left-hand pane of the management console, expand the CUSTAD02 node.
  3. Expand the Forward Lookup Zones folder.
  4. Right-click the proseware.local zone, and then click Properties.
  5. On the Zone Transfers tab, select the Allow zone transfers check box.
  6. Click the Only to the following servers option, enter the IP address of the service provider front-end DNS server (DNS01), and then click Add.
  7. Click OK.

Procedure DCDIA.6: To add a DNS forwarding server

  1. In the left-hand pane of the dnsmgmt management console, right-click the CUSTAD02 machine name, and then click Properties.
  2. Click the Forwarders tab.
  3. Ensure that All other DNS domains is selected in the DNS domains list.
  4. Type the IP address of the DNS01 machine in the Selected domain's forwarder IP address box, and then click Add.
  5. Click New.
  6. In the New Forwarder dialog, type the name of the service provider forest, fabrikam.com, and then click OK.
  7. Type the IP address of the AD01 server in the Selected domain's forwarder IP address box, and then click Add.
  8. Repeat the previous step using the IP address of the AD02 server.
  9. Click Apply, and then click OK.
  10. Close the dnsmgmt management console.

Procedure DCDIA.7: Create an account for the Microsoft Identity Integration Server (MIIS) Service on CUSTAD02

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left-hand pane of the Active Directory Users and Computers management console, expand the proseware.local node.
  3. Click the Users node.
  4. Right-click the Users node, and then click New and User.
  5. In the First name and User logon name boxes of the New Object - User dialog box, type MIISService, and then click Next.
  6. Type the password for the account in the Password and Confirm password boxes.
  7. Select the Password never expires check box, and then click Next.
  8. Click Finish.

Procedure DCDIA.8: Create an account for the MIIS Management Agent on CUSTAD02

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left-hand pane of the Active Directory Users and Computers management console, expand the proseware.local node.
  3. Click the Users node.
  4. Right-click the Users node and then click New and User.
  5. In the First name and User logon name boxes of the New Object - User dialog box, type MIISAgentSvc, and then click Next.
  6. Type the password for the account in the Password and Confirm password boxes.
  7. Select the Password never expires check box, and then click Next.
  8. Click Finish.

Procedure DCDIA.9: Assign password Change and Reset rights to the MIISAgentSvc account on CUSTAD02

  1. In the Active Directory Users and Computers management console, click the View menu and ensure that the Advanced Features option is selected.
  2. Right-click proseware.local (the domain root), and then click Properties.
  3. Click the Security tab, and then click Add.
  4. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.
  5. In the Group or User Names pane, ensure that MIISAgentSvc is selected.
  6. In Permissions for MIISAgentSvc, click the Allow check box for Replicate Directory Changes, and then click Apply.
  7. In the Group or User Names pane, ensure that MIISAgentSvc is selected, and then click the Advanced button to display the Advanced Security Settings dialog box.
  8. In the Advanced Security Settings dialog, click Add.
  9. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.
  10. On the Apply onto drop-down box, select User Objects.
  11. Select the Allow check box for the Change Password and Reset Password properties.
  12. Click OK in the Permission Entry dialog box.
  13. Click Apply in the Advanced Security Settings dialog box and then click OK.
  14. Click OK in the proseware.local Properties dialog box.
  15. Close the Active Directory Users and Computers management console.
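Replicate Directory Changes and the password extended rights granted in Procedure DCDIA.9 are sensitive, so it is worth verifying after the fact exactly who holds them on the domain root. The following audit script is an added example, not code from this guide; it reads the proseware.local domain ACL through ADSI (no Active Directory module required) and assumes the NetBIOS domain name PROSEWARE and that it runs as a user permitted to read the domain ACL. The GUIDs are the well-known extended-right and user-class GUIDs, which are identical in every forest.

```powershell
# Added audit example (not part of the TechNet guide): report who holds the rights
# that Procedure DCDIA.9 grants to MIISAgentSvc on the proseware.local domain root.
$domainDN = 'DC=proseware,DC=local'

# Well-known extended-right GUIDs and the user class schemaIDGUID (fixed in every forest).
$rightNames = @{
    '1131f6aa-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes'
    '1131f6ad-9c07-11d1-f79f-00c04fc2dcd2' = 'Replicate Directory Changes All'
    'ab721a53-1e2f-11d0-9819-00aa0040529b' = 'Change Password'
    '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password'
}
$userClassGuid = 'bf967aba-0de6-11d0-a285-00aa003049e2'

# Assumed baseline: the account the guide configures plus the default holders that a
# fresh domain already carries. Adjust to your own baseline; anything else is flagged.
$expected = @('PROSEWARE\MIISAgentSvc', 'BUILTIN\Administrators', 'NT AUTHORITY\SELF',
              'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS', 'Everyone',
              'PROSEWARE\Domain Controllers')

$root  = [ADSI]"LDAP://$domainDN"
$rules = $root.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount])

$report = foreach ($ace in $rules) {
    $right = $rightNames[$ace.ObjectType.ToString()]
    if (-not $right -or $ace.AccessControlType -ne 'Allow') { continue }
    # DCDIA.9 step 10 ("Apply onto: User Objects") is recorded as InheritedObjectType.
    $scope = 'This object'
    if ($ace.InheritedObjectType.ToString() -eq $userClassGuid) { $scope = 'User objects' }
    $who = $ace.IdentityReference.Value
    [pscustomobject]@{
        Principal = $who
        Right     = $right
        AppliesTo = $scope
        Inherited = $ace.IsInherited
        Status    = if ($expected -contains $who) { 'ok' } else { 'REVIEW' }
    }
}
$report | Sort-Object Right, Principal | Format-Table -AutoSize

# Confirm the three grants the procedure makes are actually in place.
foreach ($need in 'Replicate Directory Changes', 'Change Password', 'Reset Password') {
    $hit = $report | Where-Object { $_.Principal -eq 'PROSEWARE\MIISAgentSvc' -and $_.Right -eq $need }
    if ($hit) { "MIISAgentSvc has '$need' (applies to: $($hit.AppliesTo -join ', '))" }
    else      { "MISSING: MIISAgentSvc lacks '$need'" }
}
```

Any principal reported as REVIEW that you did not add deliberately should be traced back to whoever granted it, since these rights allow reading directory replication data and resetting user passwords across the domain.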

Procedure DCDIA.10: Create and configure the MIIS service groups on CUSTAD02

  1. In the left-hand pane of the Active Directory Users and Computers management console, right-click the Users node, click New, and then click Group.
  2. In the Group name box of the New Object - Group dialog box, type MIISAdmins and then click OK.
  3. Repeat steps 1 and 2 to create the following additional MIIS 2003 service groups:
    • MIISBrowse
    • MIISJoiners
    • MIISOperators
  4. In the right-hand pane of Active Directory Users and Computers, double-click the MIISAdmins group.
  5. In the MIISAdmins Properties dialog box, click the Members tab, then click Add.
  6. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins, then click Check Names.
  7. Click OK, click Apply, and then click OK.
  8. In the right-hand pane of Active Directory Users and Computers, double-click the MIISBrowse group.
  9. In the MIISBrowse Properties dialog box, click the Members tab, and then click Add.
  10. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins;MIISAgentSvc, and then click Check Names.
  11. Click OK, click Apply, and then click OK.
  12. Double-click the MIISJoiners group.
  13. In the MIISJoiners Properties dialog box, click the Members tab, and then click Add.
  14. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins, and then click Check Names.
  15. Click OK, click Apply, and then click OK.
  16. Double-click the MIISOperators group.
  17. In the MIISOperators Properties screen, click the Members tab, and then click Add.
  18. In the Enter the object names to select box of the Select Users, Contacts, Computers, or Groups dialog box, type Domain Admins;MIISAgentSvc, and then click Check Names.
  19. Click OK, click Apply, and then click OK.

Procedure DCDIA.11: Secure the MIISAgentSvc and MIISService accounts on CUSTAD02

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Domain Security Policy.
  2. Expand the Local Policies node.
  3. Click User Rights Assignment.
  4. In the right-hand pane of the Default Domain Security Settings management console, double-click Deny log on locally.
  5. Select Define these policy settings.
  6. Click Add User or Group.
  7. In the Add User or Group dialog box, click Browse.
  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc; MIISService, then click Check Names.
  9. Click OK to exit each screen.
  10. Repeat steps 4 through 9 for the Deny log on through Terminal Services policy element.
  11. Exit the Default Domain Security Settings management console.
  12. Log off of CUSTAD02.
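Because Procedure DCDIA.11 sets the deny rights through the Default Domain Security Settings, they only take effect after Group Policy has refreshed. The following verification script is an added example, not code from this guide; it exports the effective user rights on CUSTAD02 with secedit and checks that both service accounts appear in the two deny policies. It assumes the NetBIOS domain name PROSEWARE and an elevated PowerShell session on CUSTAD02 after a gpupdate.

```powershell
# Added verification example (not part of the TechNet guide): confirm that the
# Deny log on locally / Deny log on through Terminal Services assignments from
# Procedure DCDIA.11 cover MIISAgentSvc and MIISService on CUSTAD02.
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$text = Get-Content $inf

$accounts = 'PROSEWARE\MIISAgentSvc', 'PROSEWARE\MIISService'   # assumed NetBIOS name
$policies = @{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Terminal Services'
}

foreach ($key in $policies.Keys) {
    $line = $text | Where-Object { $_ -like "$key*" }
    # secedit writes holders as a comma-separated list; SIDs are prefixed with '*'.
    $holders = @()
    if ($line) {
        $holders = ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) {
                try {
                    $sid = New-Object System.Security.Principal.SecurityIdentifier($v.Substring(1))
                    $sid.Translate([System.Security.Principal.NTAccount]).Value
                } catch { $v }   # leave unresolvable SIDs as-is (e.g. deleted accounts)
            } else { $v }
        }
    }
    foreach ($a in $accounts) {
        $state = if ($holders -contains $a) { 'denied (ok)' } else { 'NOT DENIED - review' }
        '{0}: {1} -> {2}' -f $policies[$key], $a, $state
    }
}
Remove-Item $inf -ErrorAction SilentlyContinue
```

If either account shows NOT DENIED, run gpupdate /force on CUSTAD02 and re-check before assuming the policy did not apply.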