Contents
Overview
Introduction to Advanced MA Configuration
Managing Changes to Metadirectory Data
Creating Inclusion and Exclusion Filters
Configuring Specific Management Agents
Lab A: Creating and Configuring an Active Directory Management Agent
Processing Foreign Entries
Lab B: Processing Foreign Entries
Best Practices
Review

Module 6: Performing Advanced Management Agent Configuration

BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY

Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.



Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.

© 2000 Microsoft Corporation. All rights reserved.

Microsoft, BackOffice, MS-DOS, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective
owners.



Overview
- Introduction to Advanced MA Configuration
- Managing Changes to Metadirectory Data
- Creating Inclusion and Exclusion Filters
- Configuring Specific Management Agents
- Processing Foreign Entries
- Best Practices


Management agents are the key to the metadirectory because they integrate the
data in each connected directory through synchronization. The overall process
of synchronization using a management agent is controlled by the management
agent control scripts.

Microsoft® Metadirectory Services version 2.2 (MMS) includes a number of
predefined management agents, each of which is configured to integrate
information in a specific type of connected directory. You create and configure
a Generic management agent to gather information from a connected directory
that is not supported by a specific predefined management agent. In addition, in
a predefined management agent, you can manage changes to metadirectory
data, configure inclusion and exclusion filters to process connected directory
entries selectively, and process foreign entries.

At the end of this module, you will be able to:
- Describe advanced management agent configuration options.
- Manage changes to metadirectory data.
- Create inclusion and exclusion filters to process connected directory entries
  selectively.
- Configure directory-specific options in a particular management agent.
- Configure a management agent to process foreign entries.
- Identify best practices for performing advanced management agent
  configuration.

Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about performing advanced management
agent configuration.

Introduction to Advanced MA Configuration
[Slide: The metadirectory, consisting of the metaverse namespace and several
connector namespaces. The Exchange Server 5.5 MA, Active Directory MA, and
Generic MA connect Exchange Server 5.5, Active Directory, and SQL Server.
Callout: Configure MAs for Specific Requirements.]


When creating a management agent, you typically use a predefined
management agent. A predefined management agent provides the components
required to extract information from a connected directory (for example, e-mail
systems, network operating systems, and other directory systems) into files,
synchronize those files with the metadirectory, and produce updated files
containing changes that are sent to the connected directory. After creating the
management agent, you can use the advanced configuration options in that
management agent to fine-tune functionality, depending on the requirements of
your organization.

All management agents include a control script that determines what happens
when you run the management agent. The control script specifies a series of
programs that are run on the MMS Server and provides the parameters that
management agents need from the metadirectory to update connected
directories.

There are three phases of management agent operations: discovery,
synchronization, and update. Each of these phases is under the control of a
management agent control script. The configuration options in all of these
phases vary by management agent type. Some of the configuration options,
such as Prime Namespace, metaverse namespace renaming, and inclusion and
exclusion filters, are common to all types of management agents. However,
there are other configuration options that are specific to a particular
management agent.
Topic Objective: To describe advanced management agent configuration options.


MMS contains several predefined management agents. Some examples of
predefined management agents are Generic, Microsoft Exchange Server 5.5,
and Active Directory. The following is a brief list of some of the specific
configuration options that can be set for Generic, Microsoft Exchange Server
5.5, and Active Directory management agents:
- When configuring Generic management agents, the advanced configuration
  options include specifying advanced discovery parameters, Foreign Users
  parameters, and New Users Creation parameters.
- When configuring Lightweight Directory Access Protocol (LDAP)
  management agents, such as Microsoft Exchange Server 5.5, the advanced
  configuration options include the advanced discovery parameters, such as
  single-level searches versus subtree searches, and using anti-trawling
  measures. The LDAP management agents also include options for a list of
  display names, managing Exchange Server 5.5 custom recipients, creating
  new mailboxes, and a list of LDAP attributes to discover.
- When configuring Active Directory directory service-based management
  agents, the advanced configuration options include specifying a list of
  domains to discover, and a list of objects to create.



Managing Changes to Metadirectory Data
[Slide: Configure the Management Agent dialog box. The Mode and Namespace
Management settings show Metaverse Location (o=Focus Inc,c=US), Management
Agent Mode (Reflector, Association, Creator), and the option "Select this
management agent as the 'Prime Namespace'". The Metaverse Renaming settings
show the option "Don't reflect CD name changes in the metaverse" and the
Connected Directory Anchor Attribute field. Callouts: Determines the Location
of an Entry Creation in the Metaverse; Disables the Default Behavior of MA;
Ties Together the Object Entries in a Connector Namespace and a Connected
Directory.]


The location of an entry in the connector namespace can differ from the
location of the corresponding entry in the metaverse namespace due to a
difference in the organizational structure. MMS allows you to configure
management agent options, such as Prime Namespace and Metaverse
Renaming, to handle the task of matching the entries in the metaverse
namespace and the connector namespace.

Designating a Prime Namespace

Designating a management agent that operates in Reflector mode as Prime
Namespace allows the management agent to take precedence over the other
management agents when naming entries in the metaverse namespace. For
example, if you have two management agents operating in Reflector mode that
have different metaverse namespace naming rules that are used to establish the
distinguished name, the Prime Namespace management agent determines where
the entry is created in the metaverse namespace.

Prime Namespace creates the same organizing structure in the metaverse
namespace that is in the connector namespace. If the organizing structure
changes, or if an object's distinguished name changes in the connector
namespace, the changes will also occur in the metaverse namespace.

You can also designate Prime Namespace if other management agents use the
function $SET_REFLECTION("ON/OFF") in their Construction templates, you want
to override those management agents' distinguished name rules for placing
object entries in the metaverse namespace, and a join is not possible.
Topic Objective: To manage changes to metadirectory data.
Delivery Tip: Demonstrate how to designate Prime Namespace and enable the
Metaverse Renaming options in MMS Compass.


Enabling Metaverse Renaming

If a person in a connected directory changes his or her name (due to marriage or
a data entry error) or changes another distinguished name component (such as
organizational unit), the management agent may treat the entry as representing a
different person. This would trigger a deletion of the old record and the
addition of a new record. It can become difficult or impossible for the
management agent to relate that person to an existing entry, based on the old
name in the metaverse namespace. The Connected Directory Name Changes and
Anchor Attribute options on the Metaverse Renaming tab help solve this problem.
- Connected Directory Name Changes. The same person may have a different
  name in the metaverse namespace and in the connected directory. In such a
  situation, a management agent in Reflector mode normally renames the
  entry in the metaverse namespace to correspond to the connected directory
  name, no matter what the flow rules. Selecting the Don't reflect CD name
  changes in the metaverse option disables this default behavior.
  The name is the most specific part of the entry's distinguished name, that is,
  its relative distinguished name. Changes to the other parts of a distinguished
  name are controlled by the Prime Namespace setting.
- Anchor Attribute. An anchor attribute is used to associate connector
  namespace object entries and connected directory object entries. A unique
  attribute in the connected directory, such as an employee ID, is the best
  candidate to establish as an anchor attribute.
  Not configuring an anchor attribute to associate the connector namespace
  and connected directory entries can be problematic. Without an anchor
  attribute, MMS uses the distinguished name to associate the connector
  namespace entry to the connected directory entry. For example, if an
  employee changes her name (for example, through marriage or divorce), you
  want the metaverse namespace and connector namespace entries to be renamed.
  Because the distinguished name changed, MMS will delete the connector
  namespace entry for the old name and then insert a new connector
  namespace entry for the new name. The delete and insert may be
  problematic because it may result in lost data during the deletion.

Important: The anchor attribute for a given connected directory must be a
unique identifier with respect to that connected directory. The unique identifier
must not change throughout the lifetime of an object.
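The difference between associating entries by distinguished name and by an anchor attribute can be seen in a small model. This is an added example, not MMS code or template language; the attribute names employeeID and mv_link, the sample entries, and the assumption that the join to the metaverse is lost on delete are all constructed for illustration.

```python
# Added example: a small model of entry association, not MMS code.
# "employeeID" and "mv_link" are hypothetical attribute names.

def index(entries, anchor):
    """Index entries by anchor value, or by DN when no anchor is configured."""
    table = {}
    for entry in entries:
        key = entry.get(anchor) if anchor else entry["dn"]
        if key is None:
            raise ValueError(f"{entry['dn']} has no {anchor} value")
        if key in table:
            raise ValueError(f"{anchor or 'dn'} {key!r} is not unique")
        table[key] = entry
    return table


def synchronize(connector, imported, anchor=None):
    """Return (operations, new_connector) for one import.

    Each connector entry carries "mv_link", the metaverse entry it is
    joined to. Modeling assumption: that link is held only in the
    metadirectory, so a rename keeps it and a delete plus insert loses it.
    """
    old, new = index(connector, anchor), index(imported, anchor)
    ops = [("delete", old[k]["dn"]) for k in sorted(old.keys() - new.keys())]
    result = []
    for key in sorted(new):
        entry = dict(new[key])
        if key not in old:
            ops.append(("insert", entry["dn"]))
            entry["mv_link"] = None  # the join has to be re-established
        else:
            if old[key]["dn"] != entry["dn"]:
                ops.append(("rename", old[key]["dn"], entry["dn"]))
            entry["mv_link"] = old[key]["mv_link"]
        result.append(entry)
    return ops, result


# Constructed sample data: Mary Smith becomes Mary Jones in the connected directory.
CONNECTOR = [
    {"dn": "cn=Mary Smith,ou=Sales,o=Focus Inc,c=US", "employeeID": "1001",
     "mv_link": "cn=Mary Smith,ou=People,o=Focus Inc,c=US"},
    {"dn": "cn=Raj Patel,ou=Sales,o=Focus Inc,c=US", "employeeID": "1002",
     "mv_link": "cn=Raj Patel,ou=People,o=Focus Inc,c=US"},
]
IMPORTED = [
    {"dn": "cn=Mary Jones,ou=Sales,o=Focus Inc,c=US", "employeeID": "1001"},
    {"dn": "cn=Raj Patel,ou=Sales,o=Focus Inc,c=US", "employeeID": "1002"},
]

if __name__ == "__main__":
    for anchor in (None, "employeeID"):
        ops, result = synchronize(CONNECTOR, IMPORTED, anchor)
        print("anchor:", anchor or "distinguished name")
        for op in ops:
            print("  ", *op)
        print("   links:", [e["mv_link"] for e in result])
```

The uniqueness check in index() reflects the requirement stated in the Important note: a duplicated or missing anchor value stops the run instead of silently associating the wrong entries.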

Creating Inclusion and Exclusion Filters
[Slide: Inclusions and Exclusions tab of the Configure the Management Agent
dialog box, with the Metadirectory, Connected Directory, Foreign Entries, and
New Accounts filters. Example exclusion rules shown on the slide:]

message 100
$embedded("groupOfNames",$v_objClass) = T
$v_ldapObject ! LIST
message 101
$embedded("Remote-Address",$v_objClass) = T
$MA($zcExchangeExcludeCustomRecipients) = TRUE

[Callouts: Exclusion Rules; Filter is Applied to the Import File; Filter is
Applied to the Metaverse Namespace; Filter is Applied to the Connector
Namespace; Filter is Applied to Any Metaverse Namespace Portion that is
Dragged to Connector Namespace.]


The inclusion and exclusion filters define the directory namespace boundaries
within which a management agent locates entries. The inclusion filter specifies
which entries in the import file extracted from the connected directory during
the discovery phase must be included in the metadirectory update.

The exclusion filter specifies which entries in the import file extracted from the
connected directory during the discovery phase must not be included in the
metadirectory update. The inclusion and exclusion filters can be used in place
of each other, or along with each other.

The inclusion and exclusion filters consist of a series of rules that are labeled
message #. The rules contain one or more conditional statements written in the
template language. There is an implicit AND between each condition in a
condition group, and there is an implicit OR between each group. Inclusions are
processed before exclusions.
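The evaluation order described above (AND inside a rule, OR across rules, inclusions before exclusions) can be modeled as follows. This is an added example in Python, not MMS template language; the predicates are stand-ins loosely modeled on the two exclusion rules from the slide, and the inclusion rule, the sample entries, and the treatment of an empty inclusion filter are assumptions.

```python
# Added example: a model of the filter semantics, not MMS template language.
MA_OPTIONS = {"zcExchangeExcludeCustomRecipients": True}  # constructed MA setting


def first_match(rules, entry):
    """Return the message number of the first rule whose conditions all hold.

    Conditions inside one rule are ANDed; rules are ORed, so any single
    fully matching rule is enough. Returns None when no rule matches.
    """
    for message, conditions in rules:
        if all(cond(entry) for cond in conditions):
            return message
    return None


def apply_filters(entries, inclusions, exclusions):
    """Return (kept_dns, dropped) where dropped lists (dn, reason) pairs.

    Inclusions are evaluated before exclusions. Assumption: an empty
    inclusion filter admits every entry, so exclusions can be used alone.
    """
    kept, dropped = [], []
    for entry in entries:
        if inclusions and first_match(inclusions, entry) is None:
            dropped.append((entry["dn"], "no inclusion rule matched"))
            continue
        message = first_match(exclusions, entry)
        if message is not None:
            dropped.append((entry["dn"], f"exclusion message {message}"))
            continue
        kept.append(entry["dn"])
    return kept, dropped


# Stand-in predicates loosely modeled on the slide's two exclusion rules.
EXCLUSIONS = [
    (100, [lambda e: "groupOfNames" in e["objClass"],
           lambda e: e.get("ldapObject") != "LIST"]),
    (101, [lambda e: "Remote-Address" in e["objClass"],
           lambda e: MA_OPTIONS["zcExchangeExcludeCustomRecipients"]]),
]
# Hypothetical inclusion rule: only entries under the slide's metaverse location.
INCLUSIONS = [(1, [lambda e: e["dn"].endswith("o=Focus Inc,c=US")])]

# Constructed import-file entries.
ENTRIES = [
    {"dn": "cn=Ann,ou=Sales,o=Focus Inc,c=US", "objClass": ["person"]},
    {"dn": "cn=Sales,ou=Groups,o=Focus Inc,c=US",
     "objClass": ["groupOfNames"], "ldapObject": "GROUP"},
    {"dn": "cn=All Staff,ou=Groups,o=Focus Inc,c=US",
     "objClass": ["groupOfNames"], "ldapObject": "LIST"},
    {"dn": "cn=Partner,ou=Contacts,o=Focus Inc,c=US",
     "objClass": ["Remote-Address"]},
    {"dn": "cn=Test,o=Lab,c=US", "objClass": ["groupOfNames"]},
]

if __name__ == "__main__":
    kept, dropped = apply_filters(ENTRIES, INCLUSIONS, EXCLUSIONS)
    print("kept:", kept)
    for dn, reason in dropped:
        print("dropped:", dn, "-", reason)
```

The "All Staff" entry is kept because only one of the two ANDed conditions in message 100 holds, while the "Test" entry never reaches the exclusion rules because the inclusion filter rejects it first.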
There are different filters for each phase of an update cycle. The type of entries
being updated identifies these filters. The following list describes the different
filters for each phase of an update cycle:
- Metadirectory. This filter is applied to the import file when you update the
  metadirectory.
- Connected Directory. This filter is applied to the connector namespace
  when you construct a create file to send to a connected directory.
- Foreign Entries. This filter is applied to the metaverse namespace when you
  create an export file to send to a connected directory.
- New Accounts. This filter is applied to any portion of the metaverse
  namespace that you drag to the connector namespace to create new
  connected directory accounts.

Topic Objective: To create inclusion and exclusion filters to process connected
directory entries selectively.
Lead-in: Briefly explain what foreign entries are. If students want more
information about foreign entries, ask them to see the "Processing Foreign
Entries" topic in this module.
Delivery Tip: Demonstrate how to set inclusion and exclusion filters for the
metadirectory, connected directory, foreign entries, and new accounts.

Configuring Specific Management Agents
- Configuring the Generic MA
- Configuring the Exchange Server 5.5 MA
- Configuring the Active Directory MA



You can configure a management agent by editing templates and scripts within
the predefined management agent. After you configure specific options on a
particular management agent, you will have a one-of-a-kind management agent
that works on one server with a specific connected directory.

A few examples of the common management agents used by MMS
administrators are Generic, Exchange Server 5.5, and Active Directory.

Note: To learn more about the advanced configuration options in the other
predefined management agents, see appendix A, “Advanced Configuration
Options in Predefined MAs,” on the Student Materials compact disc.

Topic Objective: To introduce topics related to configuring specific
management agents.

Configuring the Generic MA
[Slide: The Create Management Agent dialog box (Name the Management Agent,
Type of the Management Agent; the listed types include Banyan VINES Management
Agent, Generic Management Agent, Lotus cc:Mail Management Agent, Lotus NOTES
Management Agent, and SQL MA) and the Configure the Management Agent dialog
box with the Discovery Parameters, Mode and Namespace Management, Foreign
Users, and New Users Creation settings. Steps: Create Generic MA, then Modify
ZScript. Callouts: Information on Accessing the Connected Directory;
Information on Adding Foreign Users to the Connected Directory; Information on
Creating New Users in the Connected Directory.]


The simplest way to build a custom management agent is to modify an existing
management agent by creating an instance of it and editing its templates and
script. The Generic management agent is a starting point to build a management
agent. The Generic management agent has no templates and a limited control
script.

Modifying the Generic Control Script

After creating a Generic management agent, you can enhance the functionality
in the existing Generic management agent by modifying the generic control
script. A control script controls the directory update and synchronization
process. It can base its execution sequence on the values of management agent
attributes, such as the options in the Operate the Management Agent dialog
box. The control script typically uses management agent attributes to provide
parameters, such as the location of the connected directory.

The control script is written in the ZScript language and interpreted by
ZScript.exe, the ZScript interpreter. The ZScript language contains elements,
such as the IF…THEN…ELSE structure, necessary to control the execution of a
management agent's components. The ZScript language is not the same as the
template language and has no access to template functions. The ZScript
language allows the control script to access the management agent's attributes
by enclosing the attribute name in percent signs, %attribute%. %attribute% is
replaced by its current value before running the script.
Topic Objective: To configure the Generic management agent.
Delivery Tip: Show the students an example control script in a Generic
management agent. Explain the code used in the example.
