Identity Aggregation and Synchronization

Chapter 7: Operational Considerations

Published: May 11, 2004 | Updated: June 26, 2006

This chapter describes certain activities required to administer the Contoso identity and access management solution. It includes details on managing the database for Microsoft® Identity Integration Server 2003, Enterprise Edition with Service Pack 1 (MIIS 2003 with SP1), monitoring for errors, and troubleshooting issues.

On This Page
Managing the MIIS 2003 with SP1 Database
Scheduling and Automating Management Agent Runs
Monitoring MIIS 2003 with SP1 Errors

Managing the MIIS 2003 with SP1 Database

MIIS 2003 with SP1 stores the entire metaverse in a Microsoft SQL Server™ database. This section describes some database management activities.

Managing Database Size

The size of the MIIS 2003 with SP1 database varies with the number of objects processed through the system, the number of management agents, and the number of multivalued and reference attributes. Run history data, however, is by far the most expensive item in terms of database growth.

Managing Run History

Run history information is detailed and consumes a lot of space in the database. To keep the database size under control, it is important to manage run history information in MIIS 2003 with SP1. You can clear run histories manually in Identity Manager, but the best way to manage this information is to automate the process on a predefined schedule.

You can automate the clearing of run histories by using Windows Management Instrumentation (WMI) or with the MIIS_ClearRunHistory.exe tool, which is part of the MIIS Resource Tool Kit. For more information, download the Resource Tool Kit from the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0 page.

Managing Log Files

Whether a SQL Server database uses the simple or the full recovery model affects the size of its transaction log. The MIIS 2003 with SP1 database is set to the simple recovery model by default. In most MIIS 2003 with SP1 configurations the full recovery model is not required, because the server's data can be rebuilt from the data in the connected directories.

In the simple recovery model, the transaction log is truncated automatically at each checkpoint, which keeps the log file small between backups. A long-running transaction still needs log space until it completes, however. MIIS 2003 with SP1 deletes run histories in a single delete transaction, so if you do not clear run history regularly and then have to delete a large backlog at once, the log cannot be truncated until that transaction finishes: even in the simple recovery model the delete can take a considerable amount of time, and the log file can grow rapidly while it runs.

If you do not have the disk capacity to handle such a situation, you may run out of disk space on the log file drive and have to truncate the log file manually from Query Analyzer. If the problem is significant (for example, a large buildup of run histories on a small drive that you cannot enlarge), use a batch file to clear the run history in small increments and truncate the log file between runs.
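The incremental approach described above, as an added example that is not part of the original guide or the Resource Tool Kit: a PowerShell script that calls the ClearRuns method of the MIIS_Server WMI class in date-sized chunks and forces a SQL Server checkpoint between chunks, so that each delete is a small transaction and the simple-recovery log can be truncated before the next one starts. It assumes MIIS and SQL Server on the local machine, the default MicrosoftIdentityIntegrationServer database name, the osql command-line tool, and an account that is a member of MIISAdmins.

```powershell
# Added example (not from the original guide): clear MIIS 2003 with SP1 run
# history in small increments through the MIIS WMI provider, checkpointing the
# database between increments so the simple-recovery log is truncated each time.
# Assumptions: MIIS and SQL Server on the local machine, default database name,
# osql available, caller is a member of MIISAdmins.
param(
    [int]$OldestDays = 365,   # begin clearing this many days back
    [int]$KeepDays   = 14,    # retain run history newer than this
    [int]$ChunkDays  = 7,     # days of history deleted per ClearRuns transaction
    [string]$SqlServer = ".", # assumed: local default SQL Server instance
    [string]$Database  = "MicrosoftIdentityIntegrationServer"  # default MIIS database
)

$ns = "root\MicrosoftIdentityIntegrationServer"
$server = Get-WmiObject -Namespace $ns -Class MIIS_Server | Select-Object -First 1
if (-not $server) { throw "MIIS WMI provider not found; is the MIIS service running?" }

# MIIS_Server.ClearRuns deletes every run that ended before the supplied UTC
# timestamp (format yyyy-MM-dd HH:mm:ss.fff) and returns "success" when done.
function Clear-RunHistoryBefore([datetime]$Utc) {
    $stamp  = $Utc.ToString("yyyy-MM-dd HH:mm:ss.fff")
    $result = $server.ClearRuns($stamp)
    if ($result.ReturnValue -ne "success") {
        throw "ClearRuns($stamp) returned '$($result.ReturnValue)'"
    }
    Write-Host "Cleared run history older than $stamp UTC"
}

# In the simple recovery model the inactive part of the log is truncated at a
# checkpoint, so forcing one after each chunk keeps the log file from growing
# across the whole job. osql ships with SQL Server 2000 and 2005.
function Checkpoint-MiisDatabase {
    & osql -E -S $SqlServer -d $Database -Q "CHECKPOINT" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "osql CHECKPOINT failed with exit code $LASTEXITCODE" }
}

$now    = (Get-Date).ToUniversalTime()
$cutoff = $now.AddDays(-$KeepDays)
$edge   = $now.AddDays(-$OldestDays)

# Walk forward from the oldest history to the retention cutoff, one chunk at a
# time, instead of issuing one large delete transaction.
while ($edge -lt $cutoff) {
    $edge = $edge.AddDays($ChunkDays)
    if ($edge -gt $cutoff) { $edge = $cutoff }
    Clear-RunHistoryBefore $edge
    Checkpoint-MiisDatabase
}
```

Once the backlog is gone, schedule the same script with a small KeepDays value so the single-transaction problem does not recur. If the log file has already grown, CHECKPOINT only frees space inside it; shrink the file afterwards with DBCC SHRINKFILE against the log's logical file name, which you can find with sp_helpfile.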

Scheduling and Automating Management Agent Runs

This section shows how to schedule management agent (MA) runs automatically. You can use the Task Scheduler service to run a command file that executes the management agents at regular intervals.

To accomplish this task and schedule the MAs hourly, complete the following tasks on the MIIS 2003 with SP1 server:

To create an account to run scheduled tasks

1.

Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

2.

Expand Local Users and Groups, and then click the Users folder.

3.

Right-click the Users folder, and then click New User.

4.

Add the following information:

Username: MIISScheduler

Description: MIIS Schedule Account

5.

Add a password to the password box.

6.

Clear the User must change password at next logon check box.

7.

Select the User cannot change password and Password never expires check boxes.

8.

Click Create.

9.

Click Close.

To add the MIISScheduler account to the appropriate groups

1.

Click Start, point to All Programs, point to Administrative Tools, and then click Computer Management.

2.

Expand Local Users and Groups, and then click the Users folder.

3.

Double-click the MIISScheduler user account.

4.

Click the Member Of tab.

5.

Click Add.

6.

In the Enter the object names to select box, type MIISOperators and then click Check Names.

7.

The object should resolve to FFL-NA-MIIS-01\MIISOperators.

8.

In the Enter the object names to select box, type Administrators and then click Check Names.

9.

The object should resolve to FFL-NA-MIIS-01\Administrators.

10.

Click OK twice.

Note   A command or batch file runs through cmd.exe, so to run one as a scheduled task the account must either be a member of the Administrators group or run the task interactively. If the task runs only a VBScript, it can be scheduled under a non-administrator account. Therefore, if you do not want to add MIISScheduler to the Administrators group, modify the existing VBScript either to hardcode the values that the batch file passes in or to pass them in by an alternative method.

To set user rights for the MIISScheduler account on the MIIS Server

1.

Open Local Security Policy on the MIIS Server.

2.

In the console tree, under Security Settings, Local Policies, click User Rights Assignment.

3.

In the details pane, double-click the Log on as a Batch Job user right.

4.

In UserRight Properties, click Add User or Group.

5.

Add the MIISScheduler account, and then click OK.

6.

Repeat steps 3 to 5 to assign the MIISScheduler account the following user rights, which restrict where the account can log on:

Deny log on locally

Deny log on by using Terminal Services

Note   The Access this computer from the network user right is required for the MIISScheduler account when you create the task. After the task has been created, the right is no longer needed to run it. Therefore, once the scheduled MA run exists, you can restrict the account further by assigning it the Deny access to this computer from the network user right.

To set up a scheduled MA run

1.

Click Start, point to All Programs, point to Accessories, point to System Tools and then click Scheduled Tasks.

2.

Double-click Add Scheduled Task. When the Scheduled Task Wizard displays, click Next to continue.

3.

On the second screen of the wizard, click the Browse button.

4.

Navigate the folder structure to the Tools and Templates folder where you extracted the files from the download of this series.

5.

Select MA-Runs.cmd and click Open.

6.

Under Type a name for this task, enter Hourly User Synchronization. Click the Daily button and then click Next.

7.

Under Start time, use the spin controls or type in 7:00AM.

8.

Under Perform this task, select the Every Day radio button. The Start date should default to today. Click Next to continue.

9.

In the Enter the user name field, enter the scheduler account created in the previous section in the format FFL-NA-MIIS-01\MIISScheduler.

10.

Enter the password for the chosen account twice, and then click Next to continue.

11.

Select the Open advanced properties for this task when I click finish check box.

12.

Click Finish to close the wizard.

13.

In the Hourly User Synchronization properties dialog box, click the Schedule tab.

14.

Click the Advanced button.

15.

Select the Repeat Task check box.

16.

In the Every boxes, select 1 and hours from the drop-down lists.

17.

Under Until, select the Time option, and then select 10:00PM.

18.

Click OK to save changes and close the dialog box.

19.

Click OK to close the Hourly User Synchronization dialog box.

For more information about configuring the Task Scheduler service, search for "schedule a new task" in Windows Help and Support.

Note   You can use the MASequencer tool in the MIIS 2003 with SP1 Resource Tool Kit instead of the MA-Runs.cmd file to schedule management agents. For more information, download the Microsoft Identity Integration Server 2003 Resource Tool Kit 2.0.
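The MA-Runs.cmd file from the download is not reproduced on this page. As an added example that is not the guide's own command file, the following PowerShell script does the same job through the MIIS WMI provider: it executes a fixed sequence of run profiles with the Execute method of the MIIS_ManagementAgent class and stops at the first step whose status is not "success", so that a failed import never feeds the synchronization or export that follows it. The management agent names, run profile names and script path are illustrative assumptions; the WMI class and method names are those of MIIS 2003. Running it requires membership in MIISOperators (or MIISAdmins), which the MIISScheduler account already has from the procedure above.

```powershell
# Added example (not the MA-Runs.cmd file from the download): run MIIS 2003 with
# SP1 run profiles in order via WMI and stop on the first non-success status.
# The MA names and run profile names below are assumptions for illustration.
$ns = "root\MicrosoftIdentityIntegrationServer"

$sequence = @(
    @{ MA = "HR SQL MA";     Profile = "Delta Import and Delta Synchronization" },
    @{ MA = "Contoso AD MA"; Profile = "Delta Import and Delta Synchronization" },
    @{ MA = "Contoso AD MA"; Profile = "Export" },
    @{ MA = "Contoso AD MA"; Profile = "Delta Import" }   # confirming import after the export
)

function Invoke-RunProfile([string]$MaName, [string]$ProfileName) {
    # A single quote inside a WQL string literal must be doubled.
    $ma = Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent `
          -Filter ("Name='{0}'" -f $MaName.Replace("'", "''"))
    if (-not $ma) { throw "Management agent '$MaName' not found" }
    # Execute blocks until the run finishes and returns the run status string,
    # for example "success", "completed-export-errors" or "stopped-extension-dll-exception".
    $status = $ma.Execute($ProfileName).ReturnValue
    Write-Host ("{0:u}  {1}  {2}  {3}" -f (Get-Date), $MaName, $ProfileName, $status)
    return $status
}

foreach ($step in $sequence) {
    $status = Invoke-RunProfile $step.MA $step.Profile
    if ($status -ne "success") {
        Write-Error "Stopping sequence: $($step.MA) / $($step.Profile) returned '$status'"
        exit 1   # a non-zero exit code shows up as the task's Last Result in Scheduled Tasks
    }
}
exit 0

# To register this script instead of MA-Runs.cmd (run once, interactively, as an
# administrator; /RP * prompts for the MIISScheduler password; one line):
#   schtasks /Create /TN "Hourly User Synchronization" /SC HOURLY /MO 1 /ST 07:00 /ET 22:00 /K
#            /RU FFL-NA-MIIS-01\MIISScheduler /RP *
#            /TR "powershell.exe -NonInteractive -File C:\MIIS\Tools\MA-Runs.ps1"
```

Each step returns the MIIS run status rather than a generic exit code, so the task's Last Result tells you whether the chain completed, and the console line for the failing step identifies which management agent and profile to inspect in the Operations view.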

Monitoring MIIS 2003 with SP1 Errors

All MIIS 2003 with SP1 error messages are recorded in the Application event log, and run statistics are displayed when a management agent run completes. You can view these statistics in the Operations view in Identity Manager. You can also save each run history to a file and send the files to Microsoft Support Services to help diagnose problems on the system.

Saving a Run History

Complete the following steps to accomplish this task:

To save a run history

1.

Open Identity Manager, and then click Operations.

2.

Right-click the operation you want to save, and then select Save to File.

3.

In the File Name box, type a name to identify the run history.

4.

In the Save as type list, select Run Files (*.xml), and then click Save.

Saving Application Event Logs

Complete the following steps to accomplish this task:

To save an application log

1.

Open Event Viewer, on the main menu, click Action and then click Save Log File As.

2.

In the File Name box, type a name to identify the application event log.

3.

In the Save as type list, select Event Log (*.evt), and then click Save.
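The two procedures above collect evidence by hand. As an added example that is not part of the original guide, the following PowerShell script gathers the same material for all management agents at once: it reads the status of each agent's last run with the RunStatus method of the MIIS_ManagementAgent WMI class, writes the run history XML returned by RunDetails (the same XML that Save to File produces) to disk, and exports recent Application log errors and warnings from the MIIS service to a CSV file. The output folder and the event source name MIIServer are assumptions; if your MIIS events appear under a different source, change it. For a support case Microsoft will still want the binary .evt saved from Event Viewer as described above.

```powershell
# Added example (not from the original guide): collect last-run status, run
# history XML and recent Application log errors for MIIS 2003 with SP1.
# Assumptions: output folder C:\MIIS\Logs, MIIS event source "MIIServer",
# caller is a member of MIISOperators or MIISAdmins.
param(
    [string]$OutDir = "C:\MIIS\Logs",  # assumed output location
    [int]$Hours = 1                    # event log look-back window
)
$ns = "root\MicrosoftIdentityIntegrationServer"
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$stamp = (Get-Date).ToString("yyyyMMdd-HHmm")

$problems = @()
foreach ($ma in Get-WmiObject -Namespace $ns -Class MIIS_ManagementAgent) {
    # RunStatus() returns the status string of the most recent run;
    # RunDetails() returns that run's history as XML (empty if never run).
    $status = $ma.RunStatus().ReturnValue
    $xml    = $ma.RunDetails().ReturnValue
    if ($xml) {
        $safeName = $ma.Name -replace '[\\/:*?"<>| ]', '_'
        [System.IO.File]::WriteAllText((Join-Path $OutDir "$safeName-$stamp.xml"), $xml)
    }
    Write-Host ("{0,-32} {1}" -f $ma.Name, $status)
    if ($status -and $status -ne "success") {
        $problems += "{0}: {1}" -f $ma.Name, $status
    }
}

# Errors and warnings written by the MIIS service in the look-back window.
$since  = (Get-Date).AddHours(-$Hours)
$events = Get-EventLog -LogName Application -Source "MIIServer" `
            -EntryType Error, Warning -After $since -ErrorAction SilentlyContinue
$events | Select-Object TimeGenerated, EntryType, EventID, Message |
    Export-Csv (Join-Path $OutDir "MIIServer-events-$stamp.csv") -NoTypeInformation

Write-Host ("{0} management agent(s) with a non-success last run; {1} MIIS event(s) since {2:u}" `
            -f $problems.Count, @($events).Count, $since)
$problems | ForEach-Object { Write-Host "  $_" }
if ($problems.Count -gt 0) { exit 1 } else { exit 0 }
```

Scheduled shortly after each MA run, the script gives you a per-run archive of the XML that would otherwise have to be saved from the Operations view by hand, and a non-zero exit code whenever any agent's last run did not end in "success".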

Dropping a Log File

You can drop a log file during the import or export phase of running a call-based management agent. You may want to drop a log file to:

Examine updates before you commit them to MIIS 2003 with SP1 or the connected directory.

Examine performance-related issues.

Creating a Log File

Use this setting to drop a log file while continuing to update either the connector space or the connected directory in MIIS 2003 with SP1. This setting is useful when you are trying to troubleshoot an issue in which you need to see the last object processed before an error. In addition, you can use this setting to track changes to the connector space or the connected directory. However, this setting will increase the management agent processing time slightly, and it will also require disk space for storage.

If you plan to keep log file data for an extended period, you will need a mechanism to archive the files and purge them periodically. Typically, this level of auditing is not required unless you are requesting Microsoft to track an intermittent ongoing issue. However, some organizations may have reasons to track changes at this level.

Configuring Run Profiles with Log File Options

This example implements the full import (stage only) drop log file option. However, you should configure your log file settings for the specific goals you are trying to meet in your troubleshooting process.

Complete the following steps to accomplish this task:

To use the full import (stage only) drop log file option

1.

In Identity Manager, click Management Agents, select the management agent, and then on the Actions menu, click Configure Run Profiles.

2.

Click New Profile, type a profile name, such as Full Import – drop file, and then click Next.

3.

In the Specify step type area, in the type box, select Full Import (Stage Only).

4.

Click Set Log File Options, select Create a Log File, and then type a log file name, such as FullImportDrop.xml.

5.

Click OK to save log files settings, click Next, and then click Finish.

Using the MIIS 2003 with SP1 Preview Function

You can use the Preview function in MIIS 2003 with SP1 to test the effects of synchronization for an object in a connector space before you synchronize it with the metaverse. Preview can be useful for viewing source object details, steps in the synchronization process leading up to an error, connector filters, object deletion, join and projection rules, etc.

To use Preview, you must log on as a member of the MIISAdmins security group. It is a best practice to use Preview to test any change to rules in MIIS 2003 with SP1 before executing a synchronization. Because Preview works on objects that have been staged in the connector space, use it after a Delta Import (Stage Only) or Full Import (Stage Only) run profile has completed and before you run the synchronization.

Note   Microsoft recommends testing all changes in a non-production MIIS 2003 with SP1 environment. If the change is to an MA, you can use the Export Server Configuration and Import Server Configuration functionality in MIIS 2003 with SP1 to update the MA on the production system. Alternatively, for changes to custom extensions, you would move the compiled .DLL file, in which case you should consider using a version control system such as Visual SourceSafe (VSS).

To use the Preview function to test synchronization

1.

On the Tools menu, click Management Agents, and then click a management agent that has an associated connector space.

2.

On the Actions menu, click Search Connector Space.

3.

In Search Results, click a connector space object, and then click Preview.

4.

In Select Preview Mode, choose one of the following options:

To synchronize the object, evaluating all of the attributes on the object and any rules that apply, click Full Synchronization. (The synchronization is simulated: Actual full synchronization does not occur.)

To synchronize the object, evaluating only those attributes that have changed since the last synchronization, click Delta Synchronization. (The synchronization is simulated: Actual delta synchronization does not occur.)

5.

Click Generate Preview, and then in Contents click a page to display details.

6.

To save the Preview results, select the Save Preview Results check box, type a name and define a location for the file, and click OK.
