Configure Customer Active Directory for Outbound Manual Synchronization

This section contains the steps necessary to configure the customer Active Directory domain controller for use with the Customer Directory Integration (CDI) Service. This process requires either a virtual private network (VPN) or dedicated network connection between the customer and service provider premises.

If you already have a Microsoft Windows Server 2003 Active Directory domain controller up and running, you will not need to install Windows Server 2003, Enterprise Edition. However, you should ensure that it is set up in accordance with the other procedures in this section.

Perform the procedures that follow to set up the customer Active Directory domain controller.

Perform a default installation of Windows Server 2003, Enterprise Edition, by using the CD boot or floppy boot method.

You should use appropriate naming conventions for your environment. However, for the purposes of this guide, the customer Active Directory domain controller is named CUSTAD01.

Procedure DCDOM.1: To prepare the CUSTAD01 server after installing Windows Server 2003

  1. Install the Support Tools from the Windows Server 2003 CD.
  2. Apply Service Pack 1 and any other released updates to Windows Server 2003 by using Microsoft Update.
  3. Set the Application, Security, and System event logs to 20 megabytes (MB) and configure them to overwrite as needed.
  4. Enable a public-facing interface that will allow outside traffic to communicate with this server.

Procedure DCDOM.2: To set a static IP address for the Active Directory domain controller CUSTAD01

  1. Click the Start button and select Network Connections to display the Network Connections dialog box.
  2. Right-click the Local Area Connections icon and click Properties.
  3. Select Internet Protocol (TCP/IP), and then click Properties.
  4. Select the Use the following IP address option and specify appropriate values for static IP address and subnet mask, as provided by the service provider.
  5. Select the Use the following DNS server addresses option, and then, for Preferred DNS server, specify an IP address value of 127.0.0.1.
  6. Click OK, and then click Close.
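The same addressing change as Procedure DCDOM.2, done from a command prompt on CUSTAD01 with netsh. This is an added example, not part of the original guide; the address, mask and gateway values are placeholders from the 192.0.2.0/24 documentation range, and the interface name is the Windows default.

```batch
@echo off
rem Added example, not from the original guide: static addressing for CUSTAD01
rem with netsh. STATIC_IP, NETMASK and GATEWAY are placeholders; use the values
rem supplied by the service provider. IFACE is the default interface name.
set IFACE=Local Area Connection
set STATIC_IP=192.0.2.10
set NETMASK=255.255.255.0
set GATEWAY=192.0.2.1

rem Replace DHCP with the provider-supplied static address (DCDOM.2 step 4).
netsh interface ip set address name="%IFACE%" source=static addr=%STATIC_IP% mask=%NETMASK% gateway=%GATEWAY% gwmetric=1

rem Point the preferred DNS server at this machine (DCDOM.2 step 5); after
rem dcpromo the local DNS service hosts the alpineskihouse.local zone.
netsh interface ip set dns name="%IFACE%" source=static addr=127.0.0.1

rem Verify: the interface should now show the static address and DNS 127.0.0.1.
ipconfig /all | findstr /C:"IP Address" /C:"DNS Servers"
```

Setting the preferred DNS server to 127.0.0.1 before dcpromo is what lets the wizard (DCDOM.3 step 11) install DNS locally and register the new domain's records on this server.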

Procedure DCDOM.3: To promote CUSTAD01 to a domain controller with Active Directory

  1. Log on to CUSTAD01 as the Local Administrator.

  2. Click the Start button, click Run, and then type dcpromo in the Open text box to start the Active Directory Installation Wizard.

  3. Click Next at the opening screen of the wizard.

  4. In the Operating System Compatibility screen, click Next.

  5. In the Domain Controller Type screen, click the Domain controller for a new domain option, then click Next.

  6. In the Create New Domain screen, click the Domain in a new forest option.

  7. In the New Domain Name screen, type the full DNS name for the new domain, such as alpineskihouse.local.

    Note

    This will be the local name of the Active Directory for the AlpineSkiHouse customer organization that corresponds to the hosted organization that is created in the Running Hosted Exchange documentation.

  8. In the NetBIOS Domain Name screen, click Next to accept the default NetBIOS name.

  9. In the Database and Log Folder screen, click Next to accept the default locations for the Database and Log folders.

  10. In the Shared System Volume screen, click Next to accept the default location for the SYSVOL folder.

  11. In the DNS Registration Diagnostics screen, click the Install and configure the DNS server on this computer, and set this computer to use this DNS server as the preferred DNS server option, then click Next.

  12. In the Permissions screen, click the Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems option. Click Next.

  13. In the Directory Services Restore Mode Administrator Password screen, type a restore mode password, then click Next.

  14. Review the information in the Summary screen and click Next to accept the configuration.

  15. Allow the Active Directory Installation Wizard to install and configure Active Directory and DNS.

  16. When complete, click Finish and restart the computer.
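An unattended equivalent of Procedure DCDOM.3, added here as an example and not taken from the original guide. It writes a dcpromo answer file with the choices the wizard steps make (new forest, DNS name alpineskihouse.local, default database, log and SYSVOL paths, DNS installed locally) and runs dcpromo with /answer. The restore-mode password is a placeholder, and the AllowAnonymousAccess key, which is assumed to correspond to the permissions choice in step 12, should be checked against the Windows Server 2003 unattended-setup reference before use.

```batch
@echo off
rem Added example, not from the original guide: unattended promotion of
rem CUSTAD01 to the first domain controller of the alpineskihouse.local forest.
set ANSWER=%TEMP%\dcpromo-custad01.txt

(
  echo [DCINSTALL]
  rem DCDOM.3 steps 5-6: new domain in a new forest.
  echo ReplicaOrNewDomain=Domain
  echo NewDomain=Forest
  rem DCDOM.3 steps 7-8: DNS name and the default NetBIOS name.
  echo NewDomainDNSName=alpineskihouse.local
  echo DomainNetBiosName=ALPINESKIHOUSE
  rem DCDOM.3 steps 9-10: default folder locations.
  echo DatabasePath=%SystemRoot%\NTDS
  echo LogPath=%SystemRoot%\NTDS
  echo SYSVOLPath=%SystemRoot%\SYSVOL
  rem DCDOM.3 step 11: install DNS here and use it as preferred DNS server.
  echo AutoConfigDNS=Yes
  rem DCDOM.3 step 12 (assumed key): no pre-Windows 2000 anonymous access.
  echo AllowAnonymousAccess=No
  rem DCDOM.3 step 13: Directory Services Restore Mode password (placeholder).
  echo SafeModeAdminPassword=REPLACE_WITH_RESTORE_MODE_PASSWORD
  rem DCDOM.3 step 16: restart when promotion succeeds.
  echo RebootOnSuccess=Yes
) > "%ANSWER%"

dcpromo /answer:"%ANSWER%"
```

Because the answer file contains the restore-mode password in clear text and the server restarts on success, delete %TEMP%\dcpromo-custad01.txt at the next logon rather than leaving it on the domain controller.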

The base requirement for the customer Active Directory is that the Active Directory forest and domain be at least native Windows 2000 mode. This procedure raises the forest and domain functional levels to Windows Server 2003.

Procedure DCDOM.4: To raise the domain and forest functional levels to Windows Server 2003

  1. Log on to CUSTAD01 as the Domain Administrator.
  2. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Domains and Trusts.
  3. In the right-hand pane of the management console, right-click the alpineskihouse.local domain name, and then click Raise Domain Functional Level.
  4. In the Select an available domain functional level drop-down box, select Windows Server 2003, then click the Raise button.
  5. Click OK to the Raise Domain Functional Level message box.
  6. In the left-hand pane of the management console, right-click the Active Directory Domains and Trusts node (above the domain name), and then click Raise Forest Functional Level.
  7. In the Select an available forest functional level drop-down box, select Windows Server 2003, then click the Raise button.
  8. Click OK to the Raise Forest Functional Level message box.
  9. From the File menu of the Active Directory Domains and Trusts management console, click Exit.
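The console steps in Procedure DCDOM.4 set two directory attributes: msDS-Behavior-Version (2 = Windows Server 2003) on the domain naming context and on the Partitions container of the configuration partition, and nTMixedDomain (0) on the domain. The following added example, which is not part of the original guide, makes the same change with ldifde and then reads the attributes back with dsquery so the result can be verified. Both tools ship with Windows Server 2003; run it on CUSTAD01 as the Domain Administrator.

```batch
@echo off
rem Added example, not from the original guide: raise the domain and forest
rem functional levels of alpineskihouse.local to Windows Server 2003 by
rem writing the attributes the Domains and Trusts console sets.
set LDF=%TEMP%\raise-levels.ldf

(
  rem Domain functional level first; the forest level cannot be raised until
  rem every domain in the forest is already at Windows Server 2003.
  echo dn: DC=alpineskihouse,DC=local
  echo changetype: modify
  echo replace: msDS-Behavior-Version
  echo msDS-Behavior-Version: 2
  echo -
  echo replace: nTMixedDomain
  echo nTMixedDomain: 0
  echo -
  echo.
  rem Forest functional level lives on the Partitions container.
  echo dn: CN=Partitions,CN=Configuration,DC=alpineskihouse,DC=local
  echo changetype: modify
  echo replace: msDS-Behavior-Version
  echo msDS-Behavior-Version: 2
  echo -
) > "%LDF%"

ldifde -i -f "%LDF%" -s CUSTAD01

rem Verify: both queries should report msDS-Behavior-Version 2, and the domain
rem should report nTMixedDomain 0.
dsquery * "DC=alpineskihouse,DC=local" -scope base -attr msDS-Behavior-Version nTMixedDomain
dsquery * "CN=Partitions,CN=Configuration,DC=alpineskihouse,DC=local" -scope base -attr msDS-Behavior-Version

del "%LDF%"
```

The two dsquery lines are also a useful check after the console procedure: the CDI Service depends on the forest and domain being at least Windows 2000 native, and a value of 0 for msDS-Behavior-Version or 1 for nTMixedDomain means the raise did not take effect.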

Note

The customer Active Directory and service provider Active Directory need to have a domain name resolution system. You may choose an alternate method for domain name resolution; however, the following procedure uses Microsoft DNS to set up a zone transfer from the customer Active Directory to the service provider Active Directory.

Procedure DCDOM.5: To allow zone transfers in DNS

  1. Click the Start button, click All Programs, click Administrative Tools, and then click DNS to display the dnsmgmt management console.
  2. In the left-hand pane of the management console, expand the CUSTAD01 node.
  3. Expand the Forward Lookup Zones folder.
  4. Right-click the alpineskihouse.local zone and then click Properties.
  5. On the Zone Transfers tab, select the Allow zone transfers check box.
  6. Click the Only to the following servers option, enter the IP address of the service provider front-end DNS server (DNS01), then click Add.
  7. Click OK.

Procedure DCDOM.6: To add a DNS forwarding server

  1. In the left-hand pane of the dnsmgmt management console, right-click the CUSTAD01 machine name and click Properties.
  2. Click the Forwarders tab.
  3. Ensure that All other DNS domains is selected in the DNS domains list.
  4. Type the IP address of the DNS01 machine in the Selected domain's forwarder IP address box and click Add.
  5. Click Apply, then click OK.
  6. Close the dnsmgmt management console.
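Procedures DCDOM.5 and DCDOM.6 applied with dnscmd, which is installed with the Windows Server 2003 Support Tools in DCDOM.1. This is an added example, not part of the original guide; DNS01_IP is a placeholder for the address of the service provider front-end DNS server (DNS01).

```batch
@echo off
rem Added example, not from the original guide: restrict zone transfers of
rem alpineskihouse.local to DNS01 and forward unresolved queries to DNS01.
set DNS01_IP=192.0.2.53
set ZONE=alpineskihouse.local

rem DCDOM.5: transfers only to the listed server (the "Only to the following
rem servers" option), and notify that server when the zone changes.
dnscmd CUSTAD01 /ZoneResetSecondaries %ZONE% /SecureList %DNS01_IP% /NotifyList %DNS01_IP%

rem DCDOM.6: forward queries for all other DNS domains to DNS01.
dnscmd CUSTAD01 /ResetForwarders %DNS01_IP%

rem Verify: the zone properties should list DNS01 as the only secondary and
rem notify target, and the server properties should list DNS01 as forwarder.
dnscmd CUSTAD01 /ZoneInfo %ZONE% | findstr /I "secondar notif"
dnscmd CUSTAD01 /Info | findstr /I "forward"
```

Leaving zone transfers open to any server would let anyone who can reach the public-facing interface enabled in DCDOM.1 pull the full list of hosts in the customer domain, which is why the transfer list is restricted to DNS01 rather than using the Allow zone transfers default.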

Procedure DCDOM.7: To create an account for the Microsoft Identity Integration Server (MIIS) 2003 Management Agent on CUSTAD01

  1. Click the Start button, click All Programs, click Administrative Tools, and then click Active Directory Users and Computers.
  2. In the left-hand pane of the Active Directory Users and Computers management console, expand the alpineskihouse.local node.
  3. Click the Users node.
  4. Right-click the Users node, point to New, and then click User.
  5. In the First name and User logon name boxes of the New Object - User dialog box, type MIISAgentSvc, then click Next.
  6. Type the password for the account in the Password and Confirm password boxes.
  7. Select the Password never expires check box, then click Next.
  8. Click Finish.

Procedure DCDOM.8: To assign password Change and Reset rights to the MIISAgentSvc account on CUSTAD01

  1. In the Active Directory Users and Computers management console, click the View menu and ensure that the Advanced Features option is selected.
  2. Right-click alpineskihouse.local (the domain root), and then click Properties.
  3. Click the Security tab, and then click Add.
  4. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.
  5. In the Group or User Names pane, ensure that MIISAgentSvc is selected.
  6. In Permissions for MIISAgentSvc, click the Allow check box for Replicate Directory Changes, and then click Apply.
  7. In the Group or User Names pane, ensure that MIISAgentSvc is selected, and then click the Advanced button to display the Advanced Security Settings dialog box.
  8. In the Advanced Security Settings dialog, click Add.
  9. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISAgentSvc, click Check Names, and then click OK.
  10. On the Apply onto drop-down box, select User Objects.
  11. Select the Allow check box for the Change Password and Reset Password properties.
  12. Click OK in the Permission Entry dialog box.
  13. Click Apply in the Advanced Security Settings dialog box and then click OK.
  14. Click OK in the alpineskihouse.local Properties dialog box.
  15. Close the Active Directory Users and Computers management console.
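Procedures DCDOM.7 and DCDOM.8 from the command line, added here as an example that is not part of the original guide. dsadd is built in to Windows Server 2003 and dsacls comes with the Support Tools installed in DCDOM.1. The domain DN and the NetBIOS name ALPINESKIHOUSE follow from the domain name chosen in DCDOM.3; run the script on CUSTAD01 as the Domain Administrator.

```batch
@echo off
rem Added example, not from the original guide: create the MIIS management
rem agent account and grant it exactly the rights DCDOM.8 delegates.
set DOMAIN_DN=DC=alpineskihouse,DC=local
set SVC=ALPINESKIHOUSE\MIISAgentSvc

rem DCDOM.7: create the account. "-pwd *" prompts for the password so it is
rem never stored in the script or the command history.
dsadd user "CN=MIISAgentSvc,CN=Users,%DOMAIN_DN%" -samid MIISAgentSvc -fn MIISAgentSvc -display MIISAgentSvc -pwd * -pwdneverexpires yes

rem DCDOM.8 step 6: the control access right the console calls "Replicate
rem Directory Changes" (dsacls names it "Replicating Directory Changes"),
rem granted on the domain root so the agent can read changes for the whole NC.
dsacls "%DOMAIN_DN%" /G "%SVC%:CA;Replicating Directory Changes"

rem DCDOM.8 steps 7-13: Change Password and Reset Password. /I:S makes the
rem entries inherit-only, and ";user" limits inheritance to user objects,
rem matching "Apply onto: User Objects" in the Permission Entry dialog box.
dsacls "%DOMAIN_DN%" /I:S /G "%SVC%:CA;Change Password;user"
dsacls "%DOMAIN_DN%" /I:S /G "%SVC%:CA;Reset Password;user"

rem Verify: print only the access control entries that name the agent account.
rem Expect three Allow entries: the replication right on the root and the two
rem inherit-only password rights. Anything else listed here is more than the
rem agent needs and should be removed.
dsacls "%DOMAIN_DN%" | findstr /I "MIISAgentSvc"
```

Scoping the password rights to user objects only is the point of step 10: an account that can reset passwords on any object class, or that holds Full Control, can reset the passwords of other service and administrative accounts in the domain.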

Procedure DCDOM.9: To secure the MIISAgentSvc account

  1. Click the Start button, click All Programs, click Administrative Tools, then click Domain Security Policy.
  2. Expand the Local Policies node.
  3. Click User Rights Assignment.
  4. In the right-hand pane of the Default Domain Security Settings management console, double-click Deny log on locally.
  5. Select Define these policy settings.
  6. Click Add User or Group.
  7. In the Add User or Group dialog box, click Browse.
  8. In the Enter the object names to select box of the Select Users, Computers, or Groups dialog box, type MIISService;MIISAgentSvc, then click Check Names.
  9. Click OK to exit each screen.
  10. Repeat steps 4 through 9 for the Deny log on through Terminal Services policy element.
  11. Exit the Default Domain Security Settings management console.
  12. Log off of CUSTAD01.
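A check that the two deny rights from Procedure DCDOM.9 have actually reached CUSTAD01, added here as an example that is not part of the original guide. It refreshes Group Policy, exports the effective user-rights assignments with secedit (the /mergedpolicy switch is assumed to be present on Windows Server 2003 and combines domain and local settings), and prints the two deny entries. gpupdate, secedit and findstr are all built in to Windows Server 2003.

```batch
@echo off
rem Added example, not from the original guide: confirm the MIIS accounts are
rem denied local and Terminal Services logon on CUSTAD01.
set CFG=%TEMP%\user-rights.inf

rem Pull the Default Domain Security Settings change from DCDOM.9 now rather
rem than waiting for the next refresh interval.
gpupdate /target:computer /force

rem Export only the user-rights area of the effective (domain + local) policy.
secedit /export /mergedpolicy /cfg "%CFG%" /areas USER_RIGHTS /quiet

rem Both lines should contain the SIDs (written as *S-1-5-21-...) or names of
rem MIISService and MIISAgentSvc. A missing line means the policy has not
rem applied, and the accounts could still log on at the console or over RDP.
findstr /I "SeDenyInteractiveLogonRight SeDenyRemoteInteractiveLogonRight" "%CFG%"

rem The export is a plain-text snapshot of security policy; do not leave it behind.
del "%CFG%"
```

With both deny rights in place the MIISAgentSvc account, which holds the password-reset and replication rights from DCDOM.8, can only be used over the network by the management agent; a leaked password for it no longer yields an interactive session on the domain controller.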