Platform and Infrastructure

Chapter 5: Implementing the Infrastructure

Published: May 11, 2004 | Updated: June 26, 2006

The previous chapters in this paper provide you with information about the typical issues, requirements, and design of an infrastructure for identity and access management. This chapter provides guidance on how to prepare the Contoso Pharmaceuticals infrastructure. It also introduces the tools and templates that you can use to establish the baseline environment, which is an implementation prerequisite for the remaining papers in this series.

This guidance was created to help consultants and customers establish the provided Microsoft Identity and Access Management solution scenarios in a lab or proof-of-concept environment.

On This Page

Tools and Templates
Infrastructure Services Overview
Baseline Implementation

Tools and Templates

The Identity and Access Management download package includes Identity and Access Management Tools and Templates.msi, which is the Tools and Templates installer file. When you run the installer file, the resulting folder structure will look similar to the one displayed in the following figure, depending on where you install it.

Figure 5.1. The Tools and Templates folder structure

Note   The Tools and Templates MSI package can occasionally produce an error during the installation process. See the Identity and Access Management Series Readme.htm file for more information.

The Tools and Templates that are part of this download include text-based scripts, code samples, and configuration files that are related to identity and access management, but do not include any executable programs or compiled code.

Note   These samples are provided as examples only. Be sure to review, customize, and test these tools and templates before you use them in a production environment.

Folder: Baseline

File Name / Purpose

ADBaseline.vbs

A Microsoft® Visual Basic® script that creates several Contoso Pharmaceuticals organizational units (OU), groups, and users in a Microsoft Active Directory® directory service forest, as required by the subsequent papers in this series.

ExchangeBaseline.vbs

A Microsoft Visual Basic script that creates the required Contoso Exchange storage groups and Mailbox stores to support Contoso users in the intranet.

IntranetADData.txt

A file containing the baseline intranet Active Directory OUs, groups, and users in semicolon-delimited format. The ADBaseline.vbs and ExchangeBaseline.vbs scripts use this file.

ExtranetADData.txt

A file containing the baseline extranet Active Directory OUs, groups, and users in semicolon-delimited format. The ADBaseline.vbs script uses this file.

Infrastructure Services Overview

The identity and access management infrastructure of Contoso Pharmaceuticals is built on the service blueprints in the Windows Server System Reference Architecture (WSSRA).

In particular, Contoso has implemented the following Microsoft services to support their identity and access management initiatives:

Network services, including Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services provided by Microsoft Windows Server™ 2003.

Directory services, including an intranet Active Directory forest and an extranet Active Directory forest provided by Windows Server 2003.

Certificate services, including a three-tier public key infrastructure (PKI) provided by Windows Server 2003.

Web application services, provided by Internet Information Services (IIS) 6.0, which is included in Windows Server 2003.

Middleware services, provided by the Microsoft .NET Framework, and running on Windows Server 2003.

Firewall and proxy services, provided by Microsoft Internet Security and Acceleration (ISA) Server 2000, and running on Windows Server 2003.

Note   Contoso Pharmaceuticals has chosen to use shadow accounts in the extranet Active Directory forest rather than implement a trust between the extranet Active Directory forest and the intranet Active Directory forest as described in the WSSRA guidance.

In addition, Contoso has deployed the messaging services lifecycle guidance, part of the Windows Server System Reference Architecture, as described in Introduction to Messaging Services.

For testing purposes, the Contoso messaging services run on a single computer that runs the Windows Server 2003 operating system and Microsoft Exchange Server 2003.

Infrastructure Security

All Windows Server 2003 servers in the Contoso environment have been securely configured by following the appropriate guidance in the Windows Server 2003 Security Guide.

Baseline Implementation

Contoso Pharmaceuticals has a number of groups, users, and other baseline configuration details that are required in their environment for subsequent solution scenarios described in this series to work properly.

This section describes how to configure the basic Contoso environment on top of the services described earlier in this paper, including:

A computer in the intranet running Exchange Server 2003 that contains the required intranet domain user mailboxes and storage groups.

An intranet Active Directory forest containing the required OUs, groups, and users.

An extranet Active Directory forest containing the required OUs, groups, and users.

Populating the Contoso Exchange Environment

The Contoso Exchange environment is the primary mail system for Contoso users. Before you create any Contoso users, the required storage groups and mailbox stores must exist; the ExchangeBaseline.vbs script creates them. Run the script from a command prompt by using cscript.exe as the script host.

Using the ExchangeBaseline.vbs Script

Run the ExchangeBaseline.vbs script by using the cscript executable as the script host. Ensure that you run the script as follows at the command prompt:

CSCRIPT.EXE ExchangeBaseline.vbs <param1>

The script takes the following parameter:

/s — Mandatory. Denotes the target Exchange Server to connect to.

The following is an example command line for running this script:

Cscript.exe ExchangeBaseline.vbs /s <hostname>

Note   This script may take a few minutes to run due to the Microsoft Exchange process used to mount mailbox stores.

To configure the Exchange environment

1. Log on to the Contoso Exchange Server with administrative privileges.

2. Click Start, click Run, and then, at the Open prompt, type cmd.exe and then click OK.

3. At the command prompt, run the ExchangeBaseline.vbs script by using cscript.exe as the scripting host. Ensure that you type the command as follows:

Cscript.exe ExchangeBaseline.vbs /s FFL-NA-MSG-01

Note   Replace FFL-NA-MSG-01 with the name of your Exchange Server.

4. Ensure that the script returns the following confirmation message for all operations:
Completed Successfully.

If any errors occur after you run the script, correct the problem, and then rerun the script.

Populating the Intranet Active Directory Forest

The Contoso intranet Active Directory forest (the na.corp.contoso.com domain) is the primary intranet directory for Contoso. The ADBaseline.vbs script creates the OUs, users, and groups that the Contoso solution scenarios in this series require.

Using the ADBaseline.vbs Script

Run the ADBaseline.vbs script by using the cscript executable as the scripting host. Ensure that you run the script as follows at the command prompt:

CSCRIPT ADBaseline.vbs <param1> <param2> <param3> <param4>

The script takes the following parameters:

/t — Mandatory. Denotes the target environment to prepare: intranet (used in this procedure) or extranet.

/s — Mandatory. Denotes the domain controller that the script binds to in the target Active Directory forest.

/m — Intranet only. Denotes the Exchange Server that the script binds to in order to create user mailboxes. This parameter is ignored for the extranet.

/f — Optional. Denotes the data file that contains the Contoso OU, group, and user information. By default, the script uses the IntranetADData.txt file.

The following is an example command line for running this script:

Note   The line has been split into multiple lines for readability. However, when you run it on a system you must enter it as one line without breaks.

Cscript.exe ADBaseline.vbs /t intranet /s <domain controller> 
/m <Exchange Server> /f IntranetADData.txt

You can also run this script from a workstation rather than on the domain controller. If you do, ensure that the workstation is a member of the target domain and that you are logged on as a domain administrator. For the intranet forest, the workstation must be the Exchange Server itself, because the script needs the Exchange libraries to create the user mailboxes.

To configure the na.corp.contoso.com forest

1. Log on to the Contoso Exchange Server with domain administrator privileges.

Note   You must run the script from the Exchange Server to access the required Exchange libraries and create the target user mailboxes.

2. Click Start, click Run, and then, at the Open prompt, type cmd.exe, and then click OK.

3. At the command prompt, run the ADBaseline.vbs script by using the following command:

Note   The line has been split into multiple lines for readability. However, when you run it on a system you must enter it as one line without breaks.

Cscript.exe ADBaseline.vbs /t intranet /s FFL-NA-DC-01 
/m FFL-NA-MSG-01 /f IntranetADData.txt

Note   Replace FFL-NA-DC-01 with the name of your intranet domain controller and FFL-NA-MSG-01 with the name of your Exchange Server.

4. Ensure that the script returns the following confirmation message for all operations:
Completed Successfully.

If any errors occur after you run the script, correct the problem, and then rerun the script.

Populating the Extranet Active Directory Forest

The perimeter.contoso.com forest is the Contoso extranet Active Directory forest. As in the previous procedure, use the ADBaseline.vbs script to populate this forest, this time with /t extranet and the ExtranetADData.txt data file; the /m parameter is not used because extranet accounts have no Exchange mailboxes.

To configure the perimeter.contoso.com forest

1. Log on to the Contoso perimeter.contoso.com domain controller with domain administrator privileges.

2. Click Start, click Run, and then, at the Open prompt, type cmd.exe, and then click OK.

3. At the command prompt, run the ADBaseline.vbs script by using the following command:

Note   The line has been split into multiple lines for readability. However, when you run it on a system you must enter it as one line without breaks.

Cscript.exe ADBaseline.vbs /t extranet /s FFL-CP-DC-01 /f 
ExtranetADData.txt

Note   Replace FFL-CP-DC-01 with the name of your extranet domain controller.

4. Ensure that the script returns the following confirmation message for all operations:
Completed Successfully.

If any errors occur after you run the script, correct the problem, and then rerun the script.
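The three procedures above rely on the "Completed Successfully" message as the only evidence that the baseline is in place. As an added post-run check, the following PowerShell script (not part of the Identity and Access Management Tools and Templates, and not from this chapter) reads the directory through the domain controller you passed as /s and confirms that the objects ExchangeBaseline.vbs and ADBaseline.vbs are supposed to create are actually there: the OUs and groups in the domain, the storage groups and mailbox stores under the Exchange server object in the configuration partition, and mailbox-enabled intranet users (homeMDB set). The parameter names, the Search-Ldap and Escape-LdapValue helpers, and the expected OU and group names are assumptions for illustration; take the real names from IntranetADData.txt or ExtranetADData.txt. The last check, which the chapter does not cover, lists accounts created with "password not required" or "password never expires" so you can decide whether that is acceptable before these forests back the later solution scenarios.

```powershell
# Added verification script; it is not part of the Identity and Access Management
# Tools and Templates. It only reads the directory through the DC you passed as /s.
# Assumptions: run as a domain administrator on a domain-joined computer; the
# expected OU and group names below are placeholders, replace them with the names
# in IntranetADData.txt or ExtranetADData.txt.
param(
    [Parameter(Mandatory = $true)]
    [string]   $DomainController,                                      # FFL-NA-DC-01 or FFL-CP-DC-01
    [string]   $ExchangeServer,                                        # FFL-NA-MSG-01; omit for the extranet
    [string[]] $ExpectedOus    = @('Contoso Users', 'Contoso Groups'), # placeholders
    [string[]] $ExpectedGroups = @('Research', 'Marketing')            # placeholders
)

function Search-Ldap {
    # One paged LDAP subtree search through the named DC; returns the property
    # collection of every match. Paging avoids the default 1000-entry size limit.
    param([string] $SearchBase, [string] $Filter, [string[]] $Attributes)
    $base     = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$DomainController/$SearchBase")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($base, $Filter, $Attributes)
    $searcher.PageSize    = 500
    $searcher.SearchScope = 'Subtree'
    foreach ($result in $searcher.FindAll()) { $result.Properties }
}

function Escape-LdapValue {
    # RFC 4515 escaping, so a name copied from the data file cannot change the filter.
    # The backslash must be escaped first or the later escapes would be re-escaped.
    param([string] $Value)
    return ($Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' `
                   -replace '\)', '\29' -replace '\x00', '\00')
}

$rootDse  = [ADSI]"LDAP://$DomainController/RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$problems = @()

# 1. Objects that ADBaseline.vbs should have created in the domain targeted with /s.
foreach ($ou in $ExpectedOus) {
    $f = "(&(objectClass=organizationalUnit)(ou=$(Escape-LdapValue $ou)))"
    if (@(Search-Ldap $domainNc $f @('distinguishedname')).Count -eq 0) { $problems += "Missing OU: $ou" }
}
foreach ($group in $ExpectedGroups) {
    $f = "(&(objectCategory=group)(cn=$(Escape-LdapValue $group)))"
    if (@(Search-Ldap $domainNc $f @('distinguishedname')).Count -eq 0) { $problems += "Missing group: $group" }
}

# 2. Exchange objects. ExchangeBaseline.vbs creates storage groups (msExchStorageGroup) and
#    mailbox stores (msExchPrivateMDB) under CN=<server>,CN=Servers,... in the configuration
#    partition; ADBaseline.vbs /m then mailbox-enables intranet users, which sets homeMDB.
if ($ExchangeServer) {
    $serverRdn = "CN=$ExchangeServer,CN=Servers,"
    $sgs  = @(Search-Ldap $configNc '(objectClass=msExchStorageGroup)' @('distinguishedname') |
              Where-Object { $_['distinguishedname'][0] -like "*$serverRdn*" })
    $mdbs = @(Search-Ldap $configNc '(objectClass=msExchPrivateMDB)' @('distinguishedname') |
              Where-Object { $_['distinguishedname'][0] -like "*$serverRdn*" })
    if ($sgs.Count  -eq 0) { $problems += "No storage groups found on $ExchangeServer" }
    if ($mdbs.Count -eq 0) { $problems += "No mailbox stores found on $ExchangeServer" }
    $mailboxed = @(Search-Ldap $domainNc '(&(objectCategory=person)(objectClass=user)(homeMDB=*))' @('samaccountname'))
    if ($mailboxed.Count -eq 0) { $problems += 'No mailbox-enabled users; rerun ADBaseline.vbs with /m.' }
}

# 3. Extra check the chapter does not mention: seeding scripts often leave lab accounts
#    with PASSWD_NOTREQD (0x20) or DONT_EXPIRE_PASSWD (0x10000) in userAccountControl.
#    The LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803 finds them.
$weakFlags = @{ 'PASSWD_NOTREQD' = 32; 'DONT_EXPIRE_PASSWD' = 65536 }
foreach ($flagName in $weakFlags.Keys) {
    $f = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($weakFlags[$flagName])))"
    foreach ($u in @(Search-Ldap $domainNc $f @('samaccountname'))) {
        Write-Warning ("{0} is set on {1}" -f $flagName, $u['samaccountname'][0])
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Error $_ }
    exit 1
}
Write-Host "Baseline verified against $DomainController."
```

Run it once after the intranet procedure (.\Verify-Baseline.ps1 -DomainController FFL-NA-DC-01 -ExchangeServer FFL-NA-MSG-01) and once after the extranet procedure without -ExchangeServer. A non-zero exit code means the corresponding baseline script needs to be corrected and rerun, exactly as the procedures above describe; the warnings are informational and do not block the lab.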
