Identity Aggregation and Synchronization

Chapter 6: Testing the Solution

Published: May 11, 2004 | Updated: June 26, 2006

This chapter describes how to validate the implemented solution scenarios from the previous chapter. It also provides some troubleshooting steps to help with common implementation challenges. Comprehensive guidance for testing the end-to-end user and administrator experience is not provided.

On This Page
Validating the Implementation Prerequisites
Validating the Implementation
Troubleshooting

Validating the Implementation Prerequisites

Before you start to test the implementation guidance in this paper, there are a few basic verification tests that you should perform to ensure correct configuration of the solution infrastructure. These prerequisite tests give you a quick way to check that your network setup complies with the “Implementation Prerequisites” section in Chapter 5, “Implementing the Solution,” before you proceed to the implementation tests.

Tests to validate the prerequisites include:

Basic Test 1: Verify the Functionality of Domain Controllers

Basic Test 2: Verify Functionality of Non-Microsoft Application Servers

Basic Test 3: Verify Microsoft Exchange Server Configuration

Basic Test 4: Verify Domain Name Lookups from the MIIS 2003 with SP1 Server

Basic Test 5: Verify Network Connectivity

Basic Test 1: Verify the Functionality of Domain Controllers

Complete the following tests to verify that both intranet and extranet domain controllers are working properly and not generating any errors.

To verify that the domain controllers are working correctly

1.

Log on to the intranet and extranet domain controllers with administrative privileges.

2.

At a command prompt, type dcdiag.exe and then press ENTER.

The dcdiag utility runs a series of tests against the domain controller and reports one result line per test. Every test should report passed.

To check the domain controllers' event logs for errors

1.

Log on to the intranet and extranet domain controllers with administrative privileges.

2.

At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer console.

3.

Browse to the Directory Service node and then click it to display the event logs in the right pane of the console.

There should not be any errors in the logs.

Basic Test 2: Verify Functionality of Non-Microsoft Application Servers

Complete the following tests to verify that the Lotus Notes and Sun ONE Directory Server 5.1 (formerly iPlanet Directory Server) servers are working properly.

To verify the Lotus Notes server is working correctly

1.

Log on to the Lotus Notes server by using the Lotus Domino Administrator client.

2.

On the Administration menu, select Server and check Status.

The user interface (UI) should display the server status as Listening for TCP/IP connections.

3.

At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer console. Click the Application node to display the Application event log in the right pane of the console. There should not be any errors in the log.

To verify the Sun ONE Directory Server is working correctly

1.

Log on to the Sun ONE Directory Server by using iPlanet Console 5.1.

2.

In the Server and Applications tree, navigate to "Directory Server" (<server name>).

The UI should display server status as Started.

3.

At a command prompt, type eventvwr.msc and then press ENTER to open the Event Viewer console. Click the Application node to display the Application event log in the right pane of the console. There should not be any errors in the log.

Basic Test 3: Verify Microsoft Exchange Server Configuration

Complete the following steps to confirm that SMTP addresses end in @contoso.com.

To verify the Exchange server is configured correctly

1.

Log on to the Microsoft® Exchange server with Exchange administrator privileges.

2.

Click Start, point to All Programs, click Microsoft Exchange, and then click System Manager.

3.

Double-click Contoso, double-click Recipients, and then double-click Recipient Policies.

4.

Right-click Default policy and then click Properties.

5.

On the E-mail Addresses (Policy) tab, ensure that the SMTP type has an address value of @contoso.com.

The Exchange server must have an SMTP address type with the value @contoso.com.

Basic Test 4: Verify Domain Name Lookups from the MIIS 2003 with SP1 Server

Complete the following steps to confirm that domain name lookups to both the intranet and extranet domains work properly from the Microsoft Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1) server.

To verify domain name lookups

1.

Log on to the MIIS 2003 with SP1 server.

2.

Open a command prompt, type nslookup na.corp.contoso.com and then press ENTER. The result should be similar to the following:

Name:    na.corp.contoso.com
Address:  192.168.0.202

3.

Repeat for perimeter.contoso.com.

NSLOOKUP must succeed when it uses the fully qualified domain names (FQDN) of the intranet and extranet domains. The address returned for a domain FQDN is that of a domain controller, because each domain controller registers an A record for its domain name. If the lookup for perimeter.contoso.com fails while na.corp.contoso.com resolves, the DNS server that the MIIS 2003 with SP1 server uses has no zone, conditional forwarder, or stub zone for the extranet domain.

Basic Test 5: Verify Network Connectivity

Complete the following steps to verify network connectivity to the intranet and extranet domain controllers, the Sun ONE Directory Server, and the Lotus Domino server.

To verify network connectivity

1.

Log on to the MIIS 2003 with SP1 server.

2.

Open a command prompt, type ping <Intranet Domain Controller hostname> and then press ENTER. The MIIS 2003 with SP1 server should receive a response from the intranet domain controller.

3.

Ping the Lotus Domino server and Sun ONE Directory servers. Responses should be received from each of these servers.

4.

Open a command prompt, type telnet <Extranet Domain Controller hostname> 53 and then press ENTER. A TCP connection on port 53 should be established to the extranet domain controller through the intranet firewall: on success the console clears to a blank window; on failure Telnet reports that it could not open a connection to the host.

All network connectivity tests should pass without failure. Note that an ICMP echo (ping) and a TCP connection are independent checks; a firewall can permit one and block the other. A failed ping with a successful Telnet connection indicates that ICMP is filtered rather than a routing problem, and a successful ping says nothing about whether the LDAP and Kerberos ports that MIIS 2003 with SP1 needs are open.
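The five prerequisite tests above are quick to run once by hand, but they are worth scripting, because the same checks are the first thing to repeat after any DNS or firewall change. The following PowerShell script is an added example, not part of the original guidance: it runs the name-resolution check of Basic Test 4 and the TCP reachability check of Basic Test 5 from the MIIS 2003 with SP1 server in one pass, using a TCP connect with a timeout in place of telnet. The host names and the port list are assumptions for the Contoso lab (53, 88, 389 and 636 for the domain controllers, 389 for Sun ONE Directory Server, 1352 for Domino); substitute the hosts you use and the ports from Tables 5.8 and 5.9 in Chapter 5.

```powershell
# Added example (not part of the original guidance): scripts Basic Tests 4 and 5
# from the MIIS 2003 with SP1 server. Host names and ports below are assumptions
# for the Contoso lab; take the real port list from Tables 5.8 and 5.9 in Chapter 5.

$checks = @(
    # Basic Test 4: both domain FQDNs must resolve.
    @{ Kind = 'dns'; Target = 'na.corp.contoso.com' },
    @{ Kind = 'dns'; Target = 'perimeter.contoso.com' },
    # Basic Test 5 / Baseline Test 5: TCP reachability through the intranet firewall.
    # Assumed ports: 53 DNS, 88 Kerberos, 389 LDAP, 636 LDAPS for the domain controllers;
    # 389 for Sun ONE Directory Server; 1352 (Notes RPC) for the Domino server.
    @{ Kind = 'tcp'; Target = 'intranet-dc.na.corp.contoso.com';  Ports = 53, 88, 389, 636 },
    @{ Kind = 'tcp'; Target = 'extranet-dc.perimeter.contoso.com'; Ports = 53, 88, 389, 636 },
    @{ Kind = 'tcp'; Target = 'sunone.fabrikam.com';               Ports = 389 },
    @{ Kind = 'tcp'; Target = 'domino.fabrikam.com';               Ports = 1352 }
)

function Test-TcpPort {
    param([string]$HostName, [int]$Port, [int]$TimeoutMs = 3000)
    # Same check as "telnet <host> <port>", but with a timeout and a true/false result.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)      # throws if the connection was refused or reset
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$results = foreach ($c in $checks) {
    switch ($c.Kind) {
        'dns' {
            try {
                $addrs = [System.Net.Dns]::GetHostAddresses($c.Target)
                New-Object PSObject -Property @{ Check = "DNS $($c.Target)"; Passed = ($addrs.Count -gt 0); Detail = ($addrs -join ', ') }
            } catch {
                New-Object PSObject -Property @{ Check = "DNS $($c.Target)"; Passed = $false; Detail = $_.Exception.Message }
            }
        }
        'tcp' {
            foreach ($p in $c.Ports) {
                $ok = Test-TcpPort -HostName $c.Target -Port $p
                New-Object PSObject -Property @{ Check = "TCP $($c.Target):$p"; Passed = $ok; Detail = '' }
            }
        }
    }
}

$results | Format-Table Check, Passed, Detail -AutoSize
if ($results | Where-Object { -not $_.Passed }) {
    Write-Warning 'One or more prerequisite checks failed; fix these before running the baseline tests.'
    exit 1
}
```

Run the script from a PowerShell prompt on the MIIS 2003 with SP1 server. A TCP connection that opens and is then closed proves the route and the firewall rule for that port; it does not prove that MIIS can bind or authenticate, which the aggregation tests later in this chapter cover. ICMP is deliberately not used, because a firewall that drops echo requests would make the report fail for hosts that are otherwise reachable.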

Validating the Implementation

After the “Contoso Baseline Preparation” and “Intranet Firewall Configuration” sections in Chapter 5, “Implementing the Solution,” have been completed in your environment, you are ready to validate your implementation to ensure that the base environment meets the Contoso requirements. Executing the tests in this section will help ensure smooth implementation of the scenarios.

Validating the Base Environment

Use the information in the following sections to ensure that the base environment you established in a test lab environment is a valid representation of the Contoso scenario.

Tests to validate the base environment include:

Baseline Test 1: Verify Exchange Server Storage Groups and Mailbox Stores

Baseline Test 2: Verify Intranet Domain Organizational Units and User Accounts

Baseline Test 3: Verify Extranet Domain OUs and User Accounts

Baseline Test 4: Verify User Accounts on Non-Microsoft Application Servers

Baseline Test 5: Verify Intranet Firewall Configuration

Baseline Test 1: Verify Exchange Server Storage Groups and Mailbox Stores

Complete the following steps to verify that the required Storage Groups and Mailbox stores exist on the Microsoft Exchange server.

To verify Exchange server Storage Groups and Mailbox stores

1.

Log on to the intranet domain controller that hosts the Exchange server, with Exchange administrative privileges.

2.

Click Start, point to All Programs, click Microsoft Exchange, and then click System Manager.

3.

Expand Administrative Groups, First Administrative Group, Servers, and then <Server Name>.

4.

Verify that the Storage Groups First Storage Group and Second Storage Group are present.

5.

Expand First Storage Group.

6.

Verify that the Mailbox stores First Mailbox Store (SG1) and Second Mailbox Store (SG1) are present.

7.

Expand Second Storage Group and verify that its mailbox stores are present.

The specified Storage Groups and Mailbox stores should be present and mounted.

Baseline Test 2: Verify Intranet Domain Organizational Units and User Accounts

Complete the following steps to verify that organizational units (OU) and user accounts have been created in the intranet domain na.corp.contoso.com.

To verify intranet OUs and user accounts

1.

Log on to the intranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC (Microsoft Management Console) snap-in.

3.

Verify that the following OU structure has been created:

OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Disabled,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Groups,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

OU=Solaris Workstation,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

4.

Verify that user accounts have been created in the following OU:

OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com

The specified OUs and user accounts should exist in the intranet domain.

Baseline Test 3: Verify Extranet Domain OUs and User Accounts

Complete the following steps to verify that OUs and user accounts have been created in the extranet domain perimeter.contoso.com.

To verify extranet OUs and user accounts

1.

Log on to the extranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC (Microsoft Management Console) snap-in.

3.

Verify that the following OU structure has been created:

OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Disabled,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Groups,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Internal,OU=Accounts,DC=perimeter,DC=contoso,DC=com

OU=Trial Users,OU=Accounts,DC=perimeter,DC=contoso,DC=com

4.

Verify that user accounts have been created in the following OU:

OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com

The specified OUs and user accounts should exist in the extranet domain.

Baseline Test 4: Verify User Accounts on Non-Microsoft Application Servers

Complete the following tests to verify that user accounts have been created in the Lotus Notes and Sun ONE Directory Server 5.1 servers.

To verify user accounts on a Lotus Notes server

1.

Log on to the Lotus Notes server by using Lotus Domino Administrator.

2.

On the Administration menu, click People and Groups.

The UI should display Lotus Notes user accounts with a Company attribute of Fabrikam.

To verify user accounts in Sun ONE Directory Server 5.1

1.

Log on to the Sun ONE Directory server by using iPlanet Console 5.1.

2.

In the iPlanet Console, select Users and Groups and then click Search.

The UI should display Sun ONE Directory user accounts with an SMTP mail address attribute ending in @fabrikam.com.

Baseline Test 5: Verify Intranet Firewall Configuration

Complete the following steps to verify that an intranet firewall rule has been configured to allow the MIIS 2003 with SP1 server to communicate with the extranet domain controller.

To verify configuration of the intranet firewall

1.

Log on to the intranet firewall computer.

2.

Ensure that a firewall rule exists based on the ports listed in Table 5.8 in Chapter 5, “Implementing the Solution.”

3.

Ensure that a firewall rule exists based on the ports listed in Table 5.9 in Chapter 5, “Implementing the Solution.”

The specified firewall rules should exist and have been properly configured.

Validating Aggregation and Synchronization

Use the information in the following sections to test that aggregation and synchronization of identity data is correctly configured. Additionally, these tests validate that the scenario is working according to the requirements defined by Contoso.

Tests to validate aggregation and synchronization include:

Test 1: Verify Installation of Microsoft SQL Server 2000

Test 2: Verify Installation of Visual Studio .NET

Test 3: Verify Installation of MIIS 2003 with SP1

Test 4: Verify kdcWaitTime

Test 5: Verify Management Agent Assemblies

Test 6: Verify Aggregation of Identity Attribute Information

Test 7: Verify Synchronization of Identity Attribute Information

Test 8: Verify Configuration of Synchronized Lotus Notes Accounts

Test 9: Verify Synchronization of Intranet Active Directory Exchange Users in Lotus Notes

Test 10: Verify Changes Are Propagated to Lotus Notes

Test 11: Verify Certificate Mapping

Test 1: Verify Installation of Microsoft SQL Server 2000

Complete the following steps to verify the installation of Microsoft SQL Server™ 2000 on the MIIS 2003 with SP1 server.

To verify the installation of SQL Server 2000

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges and open the Services MMC snap-in (services.msc).

2.

Ensure that the SQL Server service (MSSQLSERVER for a default instance) is running.

3.

Open Enterprise Manager to connect to SQL Server.

SQL Server 2000 should be running.

Test 2: Verify Installation of Visual Studio .NET

Complete the following steps to verify the installation of the Visual Studio .NET development environment.

To verify the installation of Visual Studio .NET

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open the Visual Studio .NET development environment.

The Visual Studio .NET development environment should open without any errors.

Test 3: Verify Installation of MIIS 2003 with SP1

Complete the following steps to verify the installation of MIIS 2003 with SP1.

To verify the installation of MIIS 2003 with SP1

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

Identity Manager should open without any errors.

Test 4: Verify kdcWaitTime

Complete the following steps to verify the KdcWaitTime registry value. KdcWaitTime is the number of seconds that the Kerberos client waits for a response from a KDC before it gives up (the default is 10); the solution sets it to 30. The procedure only reads the value; do not change anything else under the Lsa key.

To verify the kdcWaitTime setting

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

At a command prompt, type regedit and then press ENTER, and browse to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Kerberos\Parameters key.

3.

Check the KdcWaitTime value.

There should be a REG_DWORD value named KdcWaitTime set to 30 (decimal; 0x1e in hexadecimal).

Test 5: Verify Management Agent Assemblies

Complete the tests in this section to verify that the management agent (MA) assemblies have been built, that they are copied to the appropriate folder, that the configuration settings in the IDMGTExtranet.xml file are correct, and that the MAs exist in Identity Manager.

To verify MA assembly creation

The management agent solutions should build and produce the following MA assemblies without errors:

IntranetDirectoryADMA.dll

ExtranetDirectoryADMA.dll

Lotus Notes MAExtension.dll

No errors should occur while building the solutions.

To verify that the MA assemblies are copied to the appropriate folder

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Browse to the folder <MIIS installation path>\Extensions\

3.

Verify the presence of the following assemblies:

IntranetDirectoryADMA.dll

ExtranetDirectoryADMA.dll

Lotus Notes MAExtension.dll

All the assemblies should exist in the \Extensions folder of the MIIS 2003 with SP1 server.

To verify the configuration settings in IDMGTExtranet.xml

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Browse to the folder <MIIS installation path>\Extensions\

3.

Verify the presence of the configuration file IDMGTExtranet.xml.

4.

Verify that the settings in the configuration file match the settings in Table 5.10 in Chapter 5, “Implementing the Solution.”

The configuration file IDMGTExtranet.xml should be present in the MIIS 2003 with SP1 server's \Extensions folder and have the correct settings.

To verify that MAs are created in Identity Manager

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

3.

In Identity Manager, on the Tools menu, click Management Agents.

4.

The following MAs should be present in the Identity Manager:

Intranet Directory MA

Extranet Directory MA

SunONE Directory MA

Lotus Notes MA

All the specified MAs should exist in Identity Manager.

Test 6: Verify Aggregation of Identity Attribute Information

Complete the tests in this section to verify aggregation of identity attribute information from various groups of users to the metaverse.

Each search in these tests should return a single person object in the metaverse. Aggregation joins the accounts that one person holds in the different connected directories to one metaverse object, so the object returned for a user should also list the connectors for that person's other accounts on its Connectors tab. Two person objects for the same user indicate that a join rule did not match.

To verify aggregation of information from users in the intranet Active Directory

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

3.

In Identity Manager, on the Tools menu, click Metaverse Search.

4.

Search for object type “person” with sAMAccountName equal to the sAMAccountName of an existing user in the intranet Active Directory.

To verify aggregation of information from users in the extranet Active Directory

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

3.

In Identity Manager, on the Tools menu, click Metaverse Search.

4.

Search for object type “person” with sAMAccountName equal to the sAMAccountName of an existing user in the extranet Active Directory.

To verify aggregation of information from Sun ONE users

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

3.

In Identity Manager, on the Tools menu, click Metaverse Search.

4.

Search for object type “person” with mail equal to the e-mail address of an existing user in the Sun ONE Directory Server.

To verify aggregation of information from Lotus Notes users

1.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

2.

Open Identity Manager.

3.

In Identity Manager, on the Tools menu, click Metaverse Search.

4.

Search for object type “person” with mail equal to the Internet e-mail address of an existing user in Lotus Notes.

Test 7: Verify Synchronization of Identity Attribute Information

Complete the tests in this section to verify the synchronization of identity attribute information from persons in the metaverse to users in the organization.

To verify synchronization of information to users in the intranet Active Directory

1.

Log on to the intranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.

3.

Verify that users in OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com have the following attributes populated:

employeeID

telephoneNumber

User objects should have the specified attributes populated in the intranet Active Directory.

To verify synchronization of information to users in the extranet Active Directory

1.

Log on to the extranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.

3.

Verify that users in OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com have the following attributes populated:

employeeID

telephoneNumber

User objects should have the specified attributes populated in the extranet Active Directory.

To verify synchronization of information to Lotus Notes Person records

1.

Log on to the Lotus Notes server with Lotus Domino Administrator.

2.

On the Administration menu, select People and Groups.

3.

Verify that Person records have the following attributes populated:

Employee ID

Office Phone

The Person records should have the specified attributes populated in Lotus Notes.

To verify synchronization of information to Sun ONE inetOrgPerson records

1.

Log on to the Sun ONE server with iPlanet Console 5.1.

2.

In the iPlanet Console, select Users and Groups, and then click Search.

3.

Verify inetOrgPerson records have the following attributes populated:

employeeNumber

telephoneNumber

The inetOrgPerson records should have the specified attributes populated in Sun ONE Directory Server 5.1.
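Baseline Tests 2 and 3 and the intranet and extranet parts of Test 7 are all reads of the same two directories, so they can be run as one LDAP query per domain instead of browsing with dsa.msc and ADSI Edit. The following PowerShell script is an added example, not part of the original guidance: it confirms that every OU listed in Baseline Tests 2 and 3 exists, that the Employees OU contains user accounts, and that every user in it has employeeID and telephoneNumber populated as Test 7 requires. The OU names come from this chapter; the domain controller host name is an assumption, and the script uses System.DirectoryServices directly so that it does not depend on the ActiveDirectory PowerShell module.

```powershell
# Added example (not part of the original guidance): checks the OU layout from
# Baseline Tests 2 and 3 and the attribute population from Test 7 over LDAP.
# Run once per domain. The $Server default is an assumed host name.
param(
    [string]$Server = 'intranet-dc.na.corp.contoso.com',
    [ValidateSet('Intranet', 'Extranet')]
    [string]$Scope = 'Intranet'
)

# OU layout as listed in Baseline Tests 2 and 3 of this chapter.
$layout = @{
    Intranet = @{
        Root = 'OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com'
        OUs  = @('Employees', 'Disabled', 'Groups', 'Solaris Workstation')
    }
    Extranet = @{
        Root = 'OU=Accounts,DC=perimeter,DC=contoso,DC=com'
        OUs  = @('Employees', 'Disabled', 'Groups', 'Internal', 'Trial Users')
    }
}
$cfg = $layout[$Scope]
$requiredAttrs = @('employeeID', 'telephoneNumber')     # attributes Test 7 expects to be populated
$failures = @()

# Baseline Tests 2/3: the root OU and every child OU must exist.
$expectedDns = @($cfg.Root) + ($cfg.OUs | ForEach-Object { "OU=$_,$($cfg.Root)" })
foreach ($dn in $expectedDns) {
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$Server/$dn")) {
        $failures += "Missing OU: $dn"
    }
}

# Test 7: every user under the Employees OU must carry the required attributes.
$employeesDn = "OU=Employees,$($cfg.Root)"
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/$employeesDn")
$searcher.SearchScope = 'Subtree'
$searcher.Filter      = '(&(objectCategory=person)(objectClass=user))'
$searcher.PageSize    = 500          # paged search, so more than 1000 users are still returned
$null = $searcher.PropertiesToLoad.AddRange([string[]](@('sAMAccountName') + $requiredAttrs))

$users = $searcher.FindAll()
$userCount = $users.Count
if ($userCount -eq 0) { $failures += "No user accounts found under $employeesDn" }
foreach ($u in $users) {
    $sam = $u.Properties['samaccountname'][0]      # result property names are lower-case
    foreach ($attr in $requiredAttrs) {
        $v = $u.Properties[$attr.ToLower()]
        if ($v -eq $null -or $v.Count -eq 0 -or "$($v[0])".Trim() -eq '') {
            $failures += "$sam is missing $attr"
        }
    }
}
$users.Dispose()

if ($failures.Count -eq 0) {
    Write-Host "$Scope directory on $Server passed: $userCount users checked under $employeesDn"
} else {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Run it once with -Scope Intranet against the intranet domain controller and once with -Scope Extranet against the extranet one. Only read access to the directory is needed, so it can run under an ordinary domain account rather than a domain administrator; if the server is unreachable, the Exists call raises an error rather than reporting a missing OU. A user reported as missing an attribute after an export either was not joined to a metaverse object (check that user with the Metaverse Search of Test 6) or is not covered by the export attribute flow.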

Test 8: Verify Configuration of Synchronized Lotus Notes Accounts

Complete the following steps to verify that synchronized Lotus Notes accounts for users in the intranet Active Directory have contoso.com e-mail addresses.

To verify the configuration of synchronized Lotus Notes accounts

1.

Log on to the Lotus Notes server with Lotus Domino Administrator.

2.

On the Administration menu, select People and Groups.

3.

Verify that some Person records have the Internet address attribute populated with <mailalias>@contoso.com.

Synchronized Lotus Notes accounts for intranet Active Directory users should have the Internet address attribute populated as specified.

Test 9: Verify Synchronization of Intranet Active Directory Exchange Users in Lotus Notes

Complete the following steps to verify that intranet Active Directory Exchange users are synchronized as Person records in Lotus Notes with the Internet address attribute properly set.

To verify synchronization of intranet Active Directory Exchange users

1.

Log on to the intranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC snap-in.

3.

Verify that some users in OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com have the mail attribute populated with <mailalias>@fabrikam.com.

Intranet Active Directory Exchange users should be synchronized as Person records in Lotus Notes.

Test 10: Verify Changes Are Propagated to Lotus Notes

Complete the following steps to verify that telephone number changes to intranet Active Directory users are propagated to the Lotus Notes server.

To verify changes are propagated to Lotus Notes

1.

Log on to the intranet domain controller with administrator privileges.

2.

Click Start, click Run, type dsa.msc and then press ENTER to open the Active Directory Users and Computers MMC snap-in.

3.

Browse to OU=Employees,OU=ContosoCorp,DC=na,DC=corp,DC=contoso,DC=com.

4.

Right-click the user dbradley, and then click Properties.

5.

Change the telephone number to a different value and click OK.

6.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

7.

Open Identity Manager.

8.

On the Tools menu, click Management Agents.

9.

Select Intranet Directory MA.

10.

On the Actions menu, click Run.

11.

Select Delta Import (Stage Only) and click OK.

12.

After the state of the Intranet Directory MA returns to Idle, on the Actions menu, click Run again.

13.

Select Delta Synchronization and click OK.

14.

After the state of the MA returns to Idle, run a Delta Synchronization on all other MAs.

15.

Run an Export on all MAs.

16.

Log on to the Lotus Notes server with Lotus Domino Administrator.

17.

On the Administration menu, select People and Groups.

18.

Double-click the Bradley, David Person object.

19.

Click the Work/Home tab.

20.

Verify that the telephone number is changed appropriately.

The telephone number of the person should be changed in the Lotus Notes server.

Test 11: Verify Certificate Mapping

Complete the following steps to verify certificate mapping for extranet users. The test removes the altSecurityIdentities value of one extranet user directly in the extranet domain and then runs the Extranet Directory MA; a correct configuration restores the value, which shows that the metaverse, not the extranet directory, is authoritative for the certificate mapping.

To verify certificate mapping

1.

Log on to the extranet domain controller with domain administrator privileges.

2.

Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.

3.

Browse to OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com.

4.

Right-click the object CN=dbradley and then click Properties.

5.

In the Attributes list box select altSecurityIdentities and click Edit.

6.

Select the value and click Remove.

7.

Click OK twice to exit the dialog box.

8.

Log on to the MIIS 2003 with SP1 server with MIIS administrative privileges.

9.

Open Identity Manager.

10.

On the Tools menu, click Management Agents.

11.

Select Extranet Directory MA.

12.

On the Actions menu, click Run.

13.

Select Delta Import (Stage Only) and then click OK.

14.

After the state of the MA returns to Idle, run a Delta Synchronization.

15.

After the run completes, run an Export on the Extranet Directory MA.

16.

Log on to the extranet domain controller with domain administrator privileges.

17.

Click Start, click Run, type adsiedit.msc and then press ENTER to open the ADSI Edit MMC snap-in.

18.

Browse to OU=Employees,OU=Accounts,DC=perimeter,DC=contoso,DC=com.

19.

Right-click the object CN=dbradley and then click Properties.

20.

In the Attributes list box, verify the value of altSecurityIdentities.

After the export, the altSecurityIdentities attribute that you removed in step 6 should be populated again: the value is re-exported by the Extranet Directory MA, the management agent for the directory used for certificate mapping.
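Steps 6 to 15 of Test 10 and steps 8 to 15 of Test 11 run the same sequence of run profiles by hand in Identity Manager. The following PowerShell script is an added example, not part of the original guidance; it runs that sequence through the MIIS WMI provider (the MIIS_ManagementAgent class in the root\MicrosoftIdentityIntegrationServer namespace) so that the order is fixed and every run's status is checked rather than read off the UI. The management agent names and run profile names are those used in this chapter; that each MA has run profiles named exactly Delta Synchronization and Export is an assumption to confirm in the Management Agents view before relying on the script.

```powershell
# Added example (not part of the original guidance): runs the Test 10 / Test 11
# run-profile sequence through the MIIS WMI provider. MA names are those created
# in Test 5; run profile names are those used in Tests 10 and 11 and are assumed
# to exist with exactly these names on every MA.
param(
    [string]$SourceMa = 'Intranet Directory MA',   # Test 10; use 'Extranet Directory MA' for Test 11
    [switch]$SourceOnly                            # Test 11: synchronize and export only the source MA
)

$ns = 'root\MicrosoftIdentityIntegrationServer'
$allMas = 'Intranet Directory MA', 'Extranet Directory MA', 'SunONE Directory MA', 'Lotus Notes MA'

function Invoke-RunProfile {
    param([string]$MaName, [string]$ProfileName)
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent -Filter "Name='$MaName'"
    if (-not $ma) { throw "Management agent '$MaName' was not found" }
    # Execute() blocks until the run finishes and returns the run status string,
    # for example 'success' or 'stopped-extension-dll-file-not-found' (see Table 6.2).
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host ('{0,-24} {1,-28} {2}' -f $MaName, $ProfileName, $status)
    if ($status -ne 'success') { throw "$MaName / $ProfileName ended with status '$status'" }
}

# Steps 11-13: stage the change from the source directory and synchronize it.
Invoke-RunProfile -MaName $SourceMa -ProfileName 'Delta Import (Stage Only)'
Invoke-RunProfile -MaName $SourceMa -ProfileName 'Delta Synchronization'

if ($SourceOnly) {
    # Test 11, step 15: export only to the directory whose MA was run.
    Invoke-RunProfile -MaName $SourceMa -ProfileName 'Export'
} else {
    # Test 10, step 14: delta synchronization on every other MA.
    foreach ($ma in $allMas | Where-Object { $_ -ne $SourceMa }) {
        Invoke-RunProfile -MaName $ma -ProfileName 'Delta Synchronization'
    }
    # Test 10, step 15: export to all connected directories.
    foreach ($ma in $allMas) {
        Invoke-RunProfile -MaName $ma -ProfileName 'Export'
    }
}
```

Execute is synchronous: it returns when the run has finished, so the script does not need to poll for the Idle state that steps 12 and 14 of Test 10 wait for, and a run profile that fails stops the sequence instead of leaving later runs to export stale data. For Test 11, run it as .\Run-Sequence.ps1 -SourceMa 'Extranet Directory MA' -SourceOnly and then verify altSecurityIdentities as in steps 16 to 20. The account running the script must be a member of the MIIS Admins group, the same membership Table 6.1 requires for opening Identity Manager.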

Troubleshooting

This section provides information about some common errors that you may encounter while testing this scenario and their most likely resolution. The following tables are not an exhaustive list of errors and troubleshooting procedures.

Table 6.1. Troubleshooting Baseline Procedures

Error: Cannot open dsa.msc.

Troubleshooting procedure: Ensure that the account being used to open dsa.msc has administrative privileges.

Error: Cannot connect to the Lotus Notes server using Lotus Domino Administrator from the MIIS 2003 with SP1 server.

Troubleshooting procedure: Verify that the Lotus Notes server is running and listening for TCP/IP connections. Verify that the latest Cert.id and User.id files are present in the <Lotus Installation folder>\Notes\Data folder.

Error: Cannot open Identity Manager.

Troubleshooting procedure: Ensure that the account used to open Identity Manager is a member of the MIIS Admins group.

Table 6.2. Troubleshooting Aggregation and Synchronization

Error: Status "stopped-extension-dll-file-not-found" after running Full Synchronization for any MA (the state of the MA returns to Idle).

Troubleshooting procedure: Check that the following DLL files are present in the <MIIS 2003 with SP1 Installation folder>\Extensions folder:
•    IntranetDirectoryADMA.dll
•    ExtranetDirectoryADMA.dll
•    Lotus Notes MAExtension.dll

Error: Permission issue. Connected data source error: "Insufficient access rights to perform the operation".

Troubleshooting procedure: Verify that the MIISADIntranet and MIISADExtranet accounts have been granted the permissions described in the “Service Account Configuration” section in Chapter 5, “Implementing the Solution.”

Error: Missing-DN while running Full Import (Stage Only) of the Lotus Notes MA.

Troubleshooting procedure: Verify that the properties of the Lotus Notes users were populated by the manual process described in the “Populate Lotus Notes” task in the “Contoso Baseline Preparation” section of Chapter 5, “Implementing the Solution.”

