Microsoft Metadirectory Services - an overview
by John Loomes
Background
The introduction of Active Directory in Windows 2000 presents organisations with a unique challenge and opportunity: the ability to consolidate and centralise directory information. The fact that Active Directory is LDAP based and includes a standard set of APIs (Application Programming Interfaces) only makes this prospect more attractive. Schema updates allow companies to put whatever information they like in the Active Directory.
However, many companies already have some or all of this directory information stored in various systems throughout the enterprise, and not all of these systems will expose their data through an interface such as LDAP. Also, some information may be duplicated across several systems, creating synchronisation problems.
Making use of all this information is difficult when it is spread around like this, and as time goes by the problem can only get worse...
So, in an ideal world, all this directory information would be held in one place: a single, extensible, enterprise-level directory that is all things to all people. Obviously, this is not as easy as all that. Getting applications from various third parties to share data and keep things in sync is, to say the least, difficult, and in many cases will be neither possible nor even desirable.
Therefore the answer to this problem is to create a central directory management entity, a metadirectory, that manages and controls the data from all the other systems. This, in a nutshell, is what Microsoft Metadirectory Services (MMS) is all about...
Typically, such a solution needs to be able to access, synchronise and update data in the following types of system:
- Standard LDAP Directories
- Popular Non-LDAP directories
- Enterprise Resource Planning (ERP) applications
- Databases, such as SQL and Oracle
- Applications only accessible via an application programming interface (API)
In order to effectively manage directory information across the enterprise, the Metadirectory Service must be able to address the following:
- Change Event Processing - the Metadirectory must be able to detect and track changes in any of the systems it is managing.
- Data Aggregation - the Metadirectory must be able to join data from different sources, in order to create a central directory.
- Object Tracking - the Metadirectory must be able to track directory objects as they move through the system. A user moving departments, for example, must be recognisable by the system as being the SAME user, and not someone else with the same name...
- Integrity Management - the Metadirectory must ensure that data is kept in sync and doesn't become corrupt.
- Ownership - the Metadirectory must be able to determine which system OWNS a particular piece of data, in order to ensure that updates to certain fields within the directory can ONLY be made by the application that OWNS that particular element. For example, you would want an email application to own the email address of a user, so that the email address can only be updated by the email application.
- Failure Management - the Metadirectory must be able to detect when a directory update has failed, and provide a mechanism such that data can be returned to a 'known state'.
- Referential Integrity - the Metadirectory must be able to ensure that the relationships between related pieces of data are maintained. For example, a person's job title and salary level may be related, and as such, a change in job title could also update the salary information.
Microsoft Metadirectory Services (MMS)
In July 1999, Microsoft purchased ZOOMIT Corporation, a well-known supplier of metadirectory solutions. ZOOMIT VIA 2.1 has evolved, over the last year or so, into Microsoft Metadirectory Services (MMS), the latest version being MMS 2.2.
MMS consists of the following components:
- Connector Namespace - an area where the connected namespaces are first imported.
- Metaverse - the Metaverse presents the integrated view of joined objects from multiple connected directories.
- Management Agents - a management agent contains all the configuration parameters, scripts, rules, attribute ownership and other items that define how directories will be joined in the Metadirectory.
- Operating Mode - the operating mode determines at which point an object is managed. This can be either in the connected directory (local management) or in the Metadirectory (central management). The modes available are as follows:
  - Reflector - changes made in the connected directory are reflected in the namespace and the Metaverse.
  - Creator - changes in the Metaverse are made in the connected directory as well.
  - Association - changes in the connected directory appear in the namespace but don't get merged with the Metaverse...
Management Agents exist for well-known directory types such as LDAP, Windows NT, Novell NDS, Lotus Notes and so on.
New MAs can be written using the Management Agent Toolkit, in order to provide connectivity to other systems.
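The requirements above (object tracking, ownership, integrity) and the three operating modes are easier to see in code. The following is an added toy model written for this article, not MMS code or any part of the Management Agent Toolkit: each management agent has a connector namespace and an operating mode, objects are joined in the metaverse on a stable anchor (an employee number here) rather than on a name, and only the owning agent may change an owned attribute. The agent names, attribute names, employee numbers and the sample feed are all constructed for the example.

```python
"""Toy metadirectory: connector namespaces, a metaverse joined on an anchor,
attribute ownership, and reflector / creator / association operating modes.
Added illustration for this article, not MMS itself."""
from dataclasses import dataclass, field
from enum import Enum


class Mode(Enum):
    REFLECTOR = "reflector"      # connected dir changes flow into namespace and metaverse
    CREATOR = "creator"          # metaverse changes are pushed back out to the connected dir
    ASSOCIATION = "association"  # changes stop in the connector namespace, never merged


@dataclass
class ManagementAgent:
    name: str
    mode: Mode
    owns: frozenset = frozenset()                  # attributes this connected system owns
    namespace: dict = field(default_factory=dict)  # connector namespace: anchor -> attributes


class Metaverse:
    def __init__(self):
        self.objects = {}   # anchor -> joined attributes (the integrated view)
        self.owner = {}     # attribute -> name of the owning management agent
        self.agents = {}
        self.rejected = []  # (agent, anchor, attribute) updates refused by the ownership rule

    def register(self, ma):
        # An attribute can have only one owner; a second claim is a configuration error.
        for attr in ma.owns:
            if self.owner.get(attr, ma.name) != ma.name:
                raise ValueError(f"{attr} is already owned by {self.owner[attr]}")
            self.owner[attr] = ma.name
        self.agents[ma.name] = ma

    def import_change(self, ma_name, anchor, attrs):
        ma = self.agents[ma_name]
        # Every change first lands in the agent's own connector namespace.
        ma.namespace.setdefault(anchor, {}).update(attrs)
        if ma.mode is Mode.ASSOCIATION:
            return  # association mode: visible in the namespace, never merged
        # Object tracking: the anchor, not the display name, decides which object this is.
        joined = self.objects.setdefault(anchor, {})
        for attr, value in attrs.items():
            # Ownership: unowned attributes are open, owned ones only accept their owner.
            if self.owner.get(attr, ma_name) != ma_name:
                self.rejected.append((ma_name, anchor, attr))
                continue
            joined[attr] = value
        # Creator mode: the authoritative metaverse view is written back to the connected
        # directory, which also restores a 'known state' after a rejected local edit.
        for other in self.agents.values():
            if other.mode is Mode.CREATOR:
                other.namespace.setdefault(anchor, {}).update(joined)


def demo():
    """Run a constructed feed through the model and return the metaverse for inspection."""
    mv = Metaverse()
    mv.register(ManagementAgent("HR", Mode.REFLECTOR, frozenset({"displayName", "department"})))
    mv.register(ManagementAgent("Mail", Mode.REFLECTOR, frozenset({"mail"})))
    mv.register(ManagementAgent("AD", Mode.CREATOR))          # receives the joined view
    mv.register(ManagementAgent("Audit", Mode.ASSOCIATION))   # observed, never merged

    # Constructed sample feed; E1001 and E2002 share a name but are different people.
    mv.import_change("HR", "E1001", {"displayName": "J. Smith", "department": "Sales"})
    mv.import_change("HR", "E2002", {"displayName": "J. Smith", "department": "Finance"})
    mv.import_change("Mail", "E1001", {"mail": "jsmith@example.com"})
    # Department move: same anchor, so the existing object is updated, not duplicated.
    mv.import_change("HR", "E1001", {"department": "Marketing"})
    # A local edit of the mailbox address in AD is refused: Mail owns that attribute.
    mv.import_change("AD", "E1001", {"mail": "j.smith@example.com"})
    # Association-mode data stays in its connector namespace only.
    mv.import_change("Audit", "E1001", {"lastReview": "2000-01-01"})
    return mv


if __name__ == "__main__":
    mv = demo()
    print("metaverse:", mv.objects)
    print("rejected:", mv.rejected)
    print("AD namespace:", mv.agents["AD"].namespace)
```

Running the demo shows two metaverse objects despite the identical display names, the rejected AD write to `mail` logged under `rejected`, the audit attribute confined to its own namespace, and AD's connector namespace holding the owner's address again after the push-back.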
MMS may be just the thing large organisations need in order to make best use of Active Directory. MMS is intended to enhance Active Directory by allowing organisations to integrate existing directory services with Active Directory, in order to provide a comprehensive enterprise-level source of information. A typical use of this would be to integrate user accounts and email addresses with HR information.