Contents
Overview 1
What is a Metadirectory? 2
The Business Needs for a Metadirectory 3
Overview of Microsoft Metadirectory Services 9
MMS Directory Elements 13
How Information Flows in MMS 17
Centralized vs. Distributed Management of Data 19
Review 20
Module 1: Introduction to MMS
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, BackOffice, MS-DOS, Windows, Windows NT, <plus other appropriate product
names or titles. Replace this example list with list of trademarks provided by copy editor.
Microsoft is listed first, followed by all other Microsoft trademarks in alphabetical order. > are
either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other
countries.
<This is where mention of specific, contractually obligated to, third party trademarks, which are
added by the Copy Editor>
The names of companies, products, people, characters, and/or data mentioned herein are fictitious
and are in no way intended to represent any real individual, company, product, or event, unless
otherwise noted.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Instructor Notes (Instructor_notes.doc)
Presentation: xx Minutes
Lab: xx Minutes
Overview
• What is a Metadirectory?
• The Business Needs for a Metadirectory
• Overview of Microsoft Metadirectory Services
• MMS Directory Elements
• How Information Flows in MMS
• Centralized vs. Distributed Management of Data
Microsoft® Metadirectory Services (MMS) version 2.2 is a centralized service that stores and integrates identity information from multiple directories in an organization. The goal of a metadirectory is to provide an organization with a unified view of all known identity information about users, applications, and network resources. A metadirectory solves important business issues that result from information being stored in multiple, disparate data repositories throughout an organization.
Success in planning and implementing a metadirectory solution with MMS depends on how well you understand your organization's business reasons for a metadirectory, the logical structure of MMS, and how MMS works.
At the end of this module, you will be able to:
• Describe the purpose of a metadirectory.
• Describe the business solutions that a metadirectory provides for an organization's data management requirements.
• Describe the functions of the components that comprise MMS.
• Describe the directory elements of MMS, including the directory tree, object entries, and entry attributes.
• Describe the flow of information within MMS.
• Differentiate between managing data in the metadirectory and managing data in the connected directory.
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about Microsoft Metadirectory Services, how MMS meets the data management needs of an organization, the logical components of MMS, and how information flows in MMS. The goal of this module is to give you a high-level understanding of MMS upon which subsequent modules in this course will build.
What is a Metadirectory?
[Slide illustration: the metadirectory entry for Suzan Fine (logon name, e-mail alias, cost center, employee #) is joined from an ERP database (Fine, Suzan: title, cost center, manager), a directory service (Sfine: logon name, full name, DN), an e-mail directory (Suzanf: display name, e-mail alias, phone #), and an HR database (Suzan Fine: title, employee #, salary).]
A metadirectory is a service that collects information from different data
sources throughout an organization and then joins all or part of that information
into an integrated, unified view. This unified view presents all of the
information about an object, such as a person or network resource, that is
contained throughout the organization. In most organizations, this information
is typically scattered in different directories, databases, and other data
repositories throughout the Information Technology (IT) infrastructure. The
metadirectory:
• Joins all the information about each person or resource into a single entry.
• Removes redundant or conflicting information.
• Presents back out to the organization the unified view of all known information about each person or resource.
After all the information about a person or resource is joined together in the
metadirectory, you can apply rules about how this information is managed and
how changes to this information flow back out to all the directories that are
connected to the metadirectory. Therefore, the metadirectory propagates any
changes that originate in one directory to the other directories in the
organization.
Topic Objective: To describe the purpose of a metadirectory.
Lead-in: A metadirectory is a repository that contains identity information about all people within an enterprise, even if the identity information originates from disparate directories or databases within that enterprise.
The Business Needs for a Metadirectory
• Identity Is the Summary of Information About People, Applications, or Resources
• A Metadirectory Manages Identity Information By:
   • Aggregating identity information
   • Managing identity information
   • Managing changes and updates
   • Managing information integrity
A metadirectory solution integrates and manages the identity information for an
entire organization. Identity is the summary of information about people,
applications, and resources that is contained in different and often incompatible
directories and databases throughout the organization.
Most often, organizations acquire disparate systems because each system
provides the best solution to a business need, not because a system works well
together with the other systems. Different systems within an organization make
it difficult, if not impossible, to integrate and manage identity information.
Additionally, the complexity of managing identity information increases each
time the organization deploys an additional application or platform. Therefore,
the primary challenges faced by organizations are the cost and complexity of
supporting many different systems that contain identity information.
A metadirectory meets the business needs by providing the following identity
management solutions:
• Aggregating identity information.
• Managing identity information.
• Managing changes to identity information.
• Managing the integrity of identity information.
Note: Identity information associated with people includes names, mailboxes, employee numbers, and job titles. Identity information for applications includes the network addresses where clients can find servers and lists of the services that applications provide. Identity information for network resources, such as a printer, includes physical location and the printing capabilities it supports.
Topic Objective: To introduce the business needs for a metadirectory.
Lead-in: Provide examples of identity data for people, applications, and network resources.
Aggregating Identity Information
• A Metadirectory Aggregates Identity Information By:
   • Joining identity information from multiple directories
   • Presenting a single view of all identity information for users and resources
   • Providing a single point of access and administration
[Slide illustration: the metadirectory entry for Suzan Fine (e-mail alias, mailbox, logon name, phone #, title, employee #) is joined from the e-mail directory (Suzanf: e-mail alias, mailbox), the HR database (Suzan Fine: title, employee #), and the directory service (Sfine: logon name, phone #).]
A metadirectory allows you to collect identity information from several
different directories and then join that information into a logical view that
represents the sum of all identity information for a given object.
Business Problem
In most organizations, identity information exists in many different data
repositories. This situation creates the following issues:
• Duplication of identity information. Different directories often contain duplicate information about the same person or resource.
• Incompatibilities between directories that hold identity information. These incompatibilities include different naming conventions, different directory schemas, and different data formats.
• Identity information resides in multiple locations. This creates a situation where administrators, applications, and users have to access many different data repositories to manage or obtain information about a single person or resource. Additionally, the number of places where organizations must manage identity information increases with the addition of new systems.
Topic Objective: To describe how a metadirectory aggregates identity information to solve the business problems of multiple, disparate directories.
Lead-in: Point out in the preceding illustration how each pair of attributes from each directory is concatenated into the entry in the metadirectory.
Solution
To solve the issues resulting from identity data that resides in multiple
repositories, join the data for a specific person or resource in the metadirectory
to create a single entry that contains some or all of the identity information from
each directory. The result is that the metadirectory presents a single, unified
view that contains some or all of the attributes from the different directories,
regardless of whether the directories are compatible or not. Because it presents
a unified view of identity information, the metadirectory also provides one
place where administrators, applications, and users can access or manage the
identity information for a specific object.
For example, identity information about a user named Suzan Fine is stored in different directories, and each directory stores different types of identity information. Additionally, this data about Suzan Fine is stored under a different name in each directory. The metadirectory solves this issue by joining all the identity information about Suzan Fine in one entry in the metadirectory.
Managing Identity Information
• A Metadirectory Manages Identity Information By:
   • Flowing identity information between directories
   • Synchronizing identity information between directories
   • Establishing rules that determine the authoritative source for identity information
[Slide illustration: the metadirectory entry for Suzan Fine (title, e-mail alias, logon name) draws on the directory service (Sue Fine: logon name), the e-mail directory (Susan Fine: e-mail alias), and the HR database (Suzan Fine: title); the HR value, Suzan Fine, is the name used in the metadirectory.]
A metadirectory allows you to manage identity information by controlling the flow of identity information between directories. This capability enables you to determine what data from each directory to include in the metadirectory entry.
Business Problem
Different directories often contain conflicting identity information about the
same person or resource. Additionally, the department or IT group that owns
and manages the data in a specific directory usually believes that their data is
authoritative compared to similar data that resides in a different directory. In
these cases, data owners are often reluctant to give up control of their data.
Solution
To solve issues resulting from conflicting identity information, use the metadirectory to manage the flow of identity information between directories and so resolve conflicts in identity information throughout the organization. For each metadirectory entry, you can determine what specific identity information from each directory to import into the metadirectory. To solve data ownership issues, you can also establish rules to determine which directory contains the authoritative value for a specific attribute in a metadirectory entry and have the metadirectory update the other directories with the authoritative value.
For example, the name attribute in the HR database has the value of “Suzan
Fine”, the e-mail directory uses a value of “Susan Fine” and the directory
services database uses a value of “Sue Fine”. After determining that the
metadirectory entry will have a name attribute, you can specify that the value in
the HR database must be used in the metadirectory entry.
Additionally, you can specify that the name attribute value in the HR database
is authoritative and that this value will be used to update the name attributes in
both the e-mail directory and directory services database.
Topic Objective: To describe how a metadirectory solves the business problem of managing identity data that resides in different directories.
Lead-in
Managing Changes to Identity Information
• A Metadirectory Manages Changes to Identity Information By:
   • Detecting changes made to identity information
   • Propagating changes to all directories
[Slide illustration: Suzan Fine has Title = Consultant in the HR database, the e-mail directory, the directory service, and the metadirectory; the HR title changes to Sr. Consultant, and the metadirectory propagates Title = Sr. Consultant to the other directories.]
A metadirectory allows you to manage changes to the identity information that
exists throughout an organization. The metadirectory can detect changes to
identity information and then propagate those changes to the other directories
that should also reflect the change.
Business Problem
Because an organization’s identity information is often contained in different
data repositories, a change made to data in one repository is not automatically
made in any of the other repositories. Making the change throughout the organization requires one or more administrators to make the change manually in each directory. Therefore, updating data in each directory is both costly and
potentially unreliable. Unmanaged identity information quickly becomes
unorganized, which results in identity information that is unsynchronized
throughout the organization.
Solution
To manage changes to identity information, use a metadirectory to detect those
changes, regardless of where the originating change occurs. When a change is
detected, the metadirectory automatically propagates the change to all other
directories. This change detection infrastructure keeps the metadirectory and all
other directories synchronized. Additionally, the metadirectory will also
propagate any new object entries that are created in a directory or in the
metadirectory itself.
For example, assume that Suzan Fine was promoted from Consultant to Senior
Consultant. In the HR database, the value in the Title attribute is changed to
“Senior Consultant.” When the metadirectory detects this change, the value in
the Title attribute in the metadirectory is modified, and that change is then
propagated to all other directories that also contain a Title attribute.
Topic Objective: To describe how a metadirectory solves the business problem of managing changes to identity information.
Lead-in
Managing the Integrity of Identity Information
• A Metadirectory Manages the Integrity of Identity Information By:
   • Enforcing ownership of identity information
   • Allowing, blocking, or reversing changes made to identity information
[Slide illustration: the HR database and the metadirectory hold Suzan Fine with Title = Sr. Consultant; the e-mail directory changes the title to Consultant, and the metadirectory sets it back to Sr. Consultant.]
Managing the integrity of identity information is the process of ensuring that as
changes occur, data does not become corrupt or out of synchronization between
directories. A metadirectory solution must be able to maintain ownership
relationships by allowing you to apply rules that enforce ownership at the
attribute level.
Business Problem
Political issues often prevent the aggregation of an organization’s identity
information, even though such consolidation is technically possible. Certain
departments, such as human resources, maintain a strong ownership of their
data. While ownership of data is not an issue when directories remain separate,
retaining ownership when data is synchronized among multiple directories
becomes more challenging.
Solution
To address data ownership issues, use a metadirectory so that administrators
can define and enforce ownership relationships at the attribute level. If a change
to data is consistent with the ownership rules, it is allowed to pass through,
otherwise it is blocked or reversed. This capability to enforce ownership
ensures that the departments who own the identity information in a specific
directory maintain that ownership even when that directory is synchronized
with other directories in the organization.
For example, assume that the HR department owns identity information, such as title, salary, and employee number. If a person changed the title attribute in the e-mail directory, which is synchronized with the HR database, the metadirectory would set the attribute back to the value contained in the HR database.
Note: A metadirectory also supports attributes that have no defined ownership, which allows anyone to modify the data.
Topic Objective: To describe how a metadirectory solves the business problem of managing the integrity of identity information.
Lead-in
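To make the four identity-management functions just described concrete (aggregation by joining, an authoritative source per attribute, change propagation, and blocking or reversing changes that violate ownership), here is a small Python model written for this module; it is not MMS code and does not reflect how MMS implements management agents internally. The directory contents, the attribute names, and the choice of employeeNumber as the join attribute are constructed assumptions.

```python
"""Toy model of how a metadirectory joins identity information, applies an
authoritative-source rule per attribute, propagates changes, and blocks or
reverses changes that violate ownership. Added for this module; it is not
MMS code. Directory contents and attribute names are constructed."""

from typing import Dict, List, Tuple

Record = Dict[str, str]
Change = Tuple[str, str, str, str]  # (entry, attribute, old value, new value)


class Metadirectory:
    """A connector namespace (one area per connected directory) plus a
    metaverse keyed on the join attribute, employeeNumber here (assumed)."""

    def __init__(self, owners: Dict[str, str], join_attr: str = "employeeNumber"):
        # owners maps attribute -> name of the authoritative directory; an
        # attribute absent from the map has no owner and any directory may set it
        self.owners = owners
        self.join_attr = join_attr
        self.connector: Dict[str, Dict[str, Record]] = {}
        self.metaverse: Dict[str, Record] = {}

    def import_from(self, source: str, records: Dict[str, Record]) -> List[Change]:
        """Management-agent import: copy the records into this source's area of
        the connector namespace, join each to its metaverse entry on the join
        attribute, and flow values in according to ownership. Returns the
        (entry, attribute, metaverse value, offered value) tuples that were
        blocked because a non-owner offered a value for an owned attribute."""
        blocked: List[Change] = []
        self.connector[source] = {rdn: dict(attrs) for rdn, attrs in records.items()}
        for rdn, attrs in records.items():
            entry = self.metaverse.setdefault(attrs[self.join_attr], {})
            for attr, value in attrs.items():
                owner = self.owners.get(attr)
                if owner in (None, source):
                    entry[attr] = value  # unowned attribute, or the owner speaks
                elif entry.get(attr) != value:
                    blocked.append((rdn, attr, entry.get(attr, ""), value))
        return blocked

    def export_to(self, source: str) -> List[Change]:
        """Management-agent export: push metaverse values back to the connected
        directory for every attribute that directory holds. This propagates
        legitimate changes and reverses the ones blocked on import."""
        changes: List[Change] = []
        for rdn, attrs in self.connector[source].items():
            entry = self.metaverse[attrs[self.join_attr]]
            for attr in list(attrs):
                if attr in entry and attrs[attr] != entry[attr]:
                    changes.append((rdn, attr, attrs[attr], entry[attr]))
                    attrs[attr] = entry[attr]
        return changes


def run_scenario() -> Dict[str, object]:
    """Replay the module's Suzan Fine examples and collect the outcomes."""
    owners = {"name": "HR", "title": "HR", "salary": "HR",
              "employeeNumber": "HR", "mailAlias": "EMAIL", "logonName": "DIRSVC"}
    md = Metadirectory(owners)
    # constructed connected-directory contents, each under its own naming convention
    hr = {"Suzan Fine": {"employeeNumber": "1001", "name": "Suzan Fine",
                         "title": "Consultant", "salary": "90000"}}
    email = {"Suzanf": {"employeeNumber": "1001", "name": "Susan Fine",
                        "mailAlias": "suzanf", "title": "Consultant"}}
    dirsvc = {"Sfine": {"employeeNumber": "1001", "name": "Sue Fine",
                        "logonName": "sfine"}}
    out: Dict[str, object] = {}
    # 1. aggregate: HR creates the metaverse entry, the other two join to it;
    #    their conflicting name values are blocked because HR owns "name"
    md.import_from("HR", hr)
    out["name_blocked"] = md.import_from("EMAIL", email) + md.import_from("DIRSVC", dirsvc)
    out["joined"] = dict(md.metaverse["1001"])
    # 2. the authoritative name flows out to the other directories
    out["name_fixes"] = md.export_to("EMAIL") + md.export_to("DIRSVC")
    # 3. a promotion recorded in HR propagates to the e-mail directory's title
    hr["Suzan Fine"]["title"] = "Sr. Consultant"
    md.import_from("HR", hr)
    out["promotion"] = md.export_to("EMAIL")
    # 4. a title edited in the e-mail directory is blocked on import and
    #    reversed on export, because HR owns "title"
    md.connector["EMAIL"]["Suzanf"]["title"] = "Consultant"
    out["rogue_blocked"] = md.import_from("EMAIL", md.connector["EMAIL"])
    out["rogue_reversed"] = md.export_to("EMAIL")
    # 5. an attribute with no owner may be set from any directory
    md.connector["EMAIL"]["Suzanf"]["telephoneNumber"] = "555-1234"
    md.import_from("EMAIL", md.connector["EMAIL"])
    out["phone"] = md.metaverse["1001"].get("telephoneNumber")
    return out


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```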
Overview of Microsoft Metadirectory Services
[Slide illustration: several connected directories, each attached through its own management agent to the metadirectory, which consists of a connector namespace and a metaverse namespace; MMS Compass, LDAP-enabled applications, and a Web browser access the metadirectory as clients.]
MMS is a central service, which is installed on a computer running Microsoft Windows® 2000 Advanced Server or Windows 2000 Datacenter Server. MMS stores and integrates identity information from multiple directories into one, organization-wide directory.
The following components make up the logical structure of MMS:
• Connected directories. A connected directory is a directory, database, or other data repository that contains data that is integrated in the metadirectory. Data in a connected directory must be organized in a hierarchical structure, and there must be a method for exporting the data from the connected directory so that it can be imported into the metadirectory.
• Management agents. A management agent connects a specific connected directory to the metadirectory. A management agent takes data from the connected directory and imports that data into the metadirectory. When data in the metadirectory is modified, the management agent also exports the data back out to the connected directory to keep the metadirectory synchronized with the connected directory. There is one management agent for each connected directory.
• Metadirectory. The MMS metadirectory consists of two logical namespaces:
   • Connector namespace. The connector namespace in the storage area is used by management agents to import data from a connected directory. Each connected directory has its own area within the connector namespace, which is managed by its corresponding management agent. The contents in the connector namespace represent the contents of the connected directory.
   • Metaverse namespace. The metaverse is the area of the metadirectory that contains the integrated identity information from multiple connected directories. The metaverse presents the integrated view of joined objects.
Topic Objective: To describe the components that make up the logical structure of MMS.
Lead-in: Only introduce management agents as a component in the MMS system. Discuss management agents in detail in the next topic.
• MMS clients. The client component of MMS allows you to view and administer the contents of the metadirectory. MMS includes a Lightweight Directory Access Protocol (LDAP)-based administrative tool called MMS Compass. Because MMS supports the LDAP protocol, you can use other LDAP-based applications to access the metadirectory. MMS also supports the Hypertext Markup Language (HTML) protocol, which enables you to use a Web browser to access and manage the metadirectory.
Management Agents
• Move Data Into and Out of the Metadirectory
• Connect a Specific Directory to the Metadirectory
• Synchronize Data from a Connected Directory With the Metadirectory
   • Synchronize directory entries
   • Synchronize entry attributes
• Are Controlled by Scripts, Templates, and Other Configuration Files
• MMS Provides Predefined Management Agents for Common Directories
Management agents play a key role in the MMS metadirectory system. A
management agent takes identity information from a connected directory and
then updates the metadirectory with that information. Management agents also
move information back out to the connected directory. Management agents,
therefore, keep all the information in the connected directories and the
metadirectory synchronized. The following list describes the characteristics of
management agents:
• MMS management agents move data in and out of the metadirectory.
The management agent imports connected directory information into the connector namespace, and then merges that information with entries in the metaverse. When necessary for synchronization, the management agent sends information back to the connected directory.
• Management agents are connected-directory specific.
The internal configuration of the management agent is different for each connected directory. In other words, each management agent connects a specific external directory to the metadirectory.
• Management agents synchronize the data between the metadirectory and the connected directories.
Management agents are scheduled to periodically compare the contents of the connected directory with the contents of the metadirectory, and if they are different, the management agent will synchronize them. The connected directory and the metadirectory can differ in two ways:
   • Directory entries may exist in one that do not exist in the other.
   • Entries that exist in both may have different attribute values.
The management agent reconciles these differences and keeps the two directories synchronized according to the configuration and synchronization rules that you establish.
Topic Objective: To describe the function of management agents.
Lead-in
• Management agents reside on the computer running the MMS service.
A management agent is controlled by a set of scripts, templates, and other configuration files that tell the management agent how to interpret and synchronize data from the connected directory with the metadirectory.
• MMS provides a number of predefined management agents.
MMS includes management agents that will connect the metadirectory to common directories, such as Windows NT, Active Directory, Exchange, Lotus Notes, Novell NDS, cc:Mail, and Banyan VINES. Additionally, MMS includes a generic management agent that you can customize to work with a proprietary directory.
MMS Directory Elements
• Object Entries and Attributes
• The MMS Directory Tree
The MMS implementation of a metadirectory is based on the X.500 series of international directory recommendations, which specify a hierarchical organization of directory entries that contain information in the form of attributes. MMS also utilizes the LDAP naming standard to locate and access directory entries. Understanding the underlying elements of the MMS metadirectory implementation provides important foundation knowledge that will be useful as you prepare to implement MMS.
Topic Objective: To introduce the topics of MMS directory elements.
Lead-in
Object Entries and Attributes
[Slide table: object class examples are Domain, Organizational Unit, and Person; attribute examples for the Person class are cn (common name), givenName, sn (surname), mail, title, and telephoneNumber; attribute value examples are Suzan Fine, Suzan, Fine, Sr. Consultant, 555-1234, …]
MMS stores identity information about an organization's people and resources in objects called object entries (also called entries). Each entry in the metadirectory belongs to an object class; object classes represent the different types of object entries. An object class identifies a common set of characteristics that are shared by all entries of that class. (For example, MMS object classes include Person, Domain, and Organizational Unit.)
Each object class is defined by a set of attributes that store the information that
describes the entry for that specific object class. Therefore, all entries of a given
object class have the same attributes. These attributes store the data that is
useful in describing the person or resource that is represented in the
metadirectory by the entry. For example, entries in the Person object class
include attributes such as given name, telephone number, and e-mail address.
The actual data that populates an entry attribute is called an attribute value.
Attribute values identify the uniqueness among entries of the same object class.
For example, the values for the givenName, telephoneNumber, and mail
attributes, in the preceding illustration, would be Fine, 555-1234, and
Topic Objective: To define the directory elements of object entry, object class, attributes, and attribute values.
Lead-in
The MMS Directory Tree
[Slide illustration: the directory tree, rooted at The Known Universe, descends through dc=msft, dc=nwtraders, and ou=metaverse to the organizational units Accounting, Claims, Investigations, Marketing, and Sales; under Sales sits the entry cn=Suzan Fine. Its distinguished name is cn=Suzan Fine,ou=Sales,ou=metaverse,dc=nwtraders,dc=msft and its relative distinguished name is cn=Suzan Fine.]
MMS organizes the contents of the metadirectory in a hierarchical, inverted tree
structure. The root of this directory tree is located at the top of the tree and
every object represented in the metadirectory exists beneath the root. In MMS,
the root of the directory tree is called The Known Universe, which is in
reference to the fact that every entry in the metadirectory exists below the root.
When you install MMS, you will provide a context prefix, which represents the
highest entry in the directory tree.
MMS uses the LDAP protocol to access the metadirectory and locate entries in
the directory tree. The protocol specification for LDAP specifies that any entry
in the metadirectory must be represented by a series of names, called a naming
path. This LDAP naming path is used to uniquely identify every entry’s exact
position within the MMS directory tree.
Distinguished Names
Every entry in the metadirectory has a distinguished name. The distinguished
name identifies the path of parent entries from the root of the directory tree to a
particular entry. Therefore, the distinguished name corresponds to the complete
path from the root to the entry. This ensures that every entry is unique and easy
to locate. An example of a typical distinguished name is:
CN=Suzan Fine,OU=Sales,OU=metaverse,DC=nwtraders,DC=msft
Topic Objective: To describe the MMS directory tree.
Lead-in
Relative Distinguished Names
The relative distinguished name is the portion of the distinguished name that uniquely identifies an entry from the other entries that are located at the same level in the directory tree. In the preceding example, the relative distinguished name of the Suzan Fine entry is:
CN=Suzan Fine
For entries that represent people, the relative distinguished name is the full name of the person.
Note: Both the distinguished name and the relative distinguished name are attributes of an entry.
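As an added example (not MMS or Microsoft code), the following Python functions take distinguished names in the string form shown above apart into their relative distinguished names, recover an entry's RDN and parent, list the naming path from the top of the tree, and check that an entry lies beneath the context prefix. Escape handling follows the LDAP string representation of DNs (RFC 4514); comparing attribute values case-insensitively is an assumption, since the directory's matching rules decide that in practice.

```python
"""Added example (not MMS or Microsoft code): take apart LDAP distinguished
names in the string form used in this module, recover an entry's relative
distinguished name and parent, and check that an entry lies beneath the
context prefix. A backslash escapes the next character (RFC 4514), so a
comma inside a value is written '\\,'. Values are compared case-insensitively,
which is an assumption; the directory's matching rules decide this."""

from typing import List, Tuple

RDN = Tuple[str, str]  # (attribute type, attribute value)


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into its RDNs, the entry's own RDN first. Attribute types
    are lowercased because they are case-insensitive; values are kept as
    written. Raises ValueError for a component without '='."""
    rdns: List[RDN] = []
    buf: List[str] = []
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            part = "".join(buf).strip()
            if "=" not in part:
                raise ValueError(f"malformed RDN {part!r} in {dn!r}")
            attr_type, value = part.split("=", 1)
            rdns.append((attr_type.strip().lower(), value.strip()))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return rdns


def _escape(value: str) -> str:
    """Re-escape the characters split_dn unescapes (backslash and comma)."""
    return value.replace("\\", "\\\\").replace(",", "\\,")


def join_dn(rdns: List[RDN]) -> str:
    """Inverse of split_dn."""
    return ",".join(f"{t}={_escape(v)}" for t, v in rdns)


def rdn(dn: str) -> str:
    """The relative distinguished name: the leftmost component."""
    return join_dn(split_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The parent entry's DN: everything after the first RDN."""
    return join_dn(split_dn(dn)[1:])


def path_from_root(dn: str) -> List[str]:
    """The DNs of every entry on the naming path, top of the tree first,
    ending with dn itself."""
    rdns = split_dn(dn)
    return [join_dn(rdns[i:]) for i in range(len(rdns) - 1, -1, -1)]


def is_under(dn: str, prefix: str) -> bool:
    """True when dn sits at or beneath prefix. The comparison is component by
    component, not by raw string, so 'DC=msft' and 'dc=msft' agree."""
    entry = [(t, v.lower()) for t, v in split_dn(dn)]
    base = [(t, v.lower()) for t, v in split_dn(prefix)]
    return len(entry) >= len(base) and entry[-len(base):] == base


if __name__ == "__main__":
    example = "cn=Suzan Fine,ou=Sales,ou=metaverse,dc=nwtraders,dc=msft"
    print(rdn(example), "|", parent_dn(example))
    print(path_from_root(example))
    print(is_under(example, "DC=nwtraders,DC=msft"))
```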
How Information Flows in MMS
[Slide illustration: the HR database (Suzan Fine: Full Name, Title, Employee #) and the Exchange directory (Suzan Fine: Name, Post Office, Location) are each connected through a management agent to the connector namespace of the metadirectory, where each has its own entry for Suzan Fine; the two entries join into one metaverse namespace entry carrying Full Name, Title, Employee #, Post Office, Location, Common Name, and Object Class. The steps in the illustration are numbered 1 to 5.]
The following describes the process of how information flows between
connected directories and the metadirectory:
1. The management agent for each connected directory creates, or imports,
entries in the connector namespace. Each management agent creates these
entries (and their attributes) in its own portion of the connector namespace.
In the preceding illustration, there is an entry for Suzan Fine in each of the
connected directories. Therefore, there will be two entries in the connector
namespace that represent Suzan Fine.
2. A management agent for one of the connected directories creates an entry in
the metaverse namespace that corresponds to its entry in the connector
namespace. An administrator determines which connected directory is used to
initially create entries in the metaverse namespace.
3. The management agent for a different connected directory then attempts to
match its entry in the connector namespace with the corresponding entry in
the metaverse namespace. This action is called a join, because each entry
in the connector namespace that represents the same real-world object is
joined together, or integrated, into one entry in the metaverse namespace.
At this point, in the preceding illustration, Suzan Fine is represented by an
entry in each connected directory, by an entry in each management agent's
portion of the connector namespace, and by a single integrated entry in the
metaverse namespace.
4. Once entries for the same real-world object are joined together in a single
entry in the metaverse namespace, you can determine which attributes the
metaverse namespace entry contains and from which connected directory
the values for these attributes originate. This is determined by attribute
flow rules.
Topic Objective: To describe how information flows between the metadirectory
and connected directories.
When attribute values differ, an attribute flow rule specifies which attribute
value (from the metadirectory or from the connected directory) takes
precedence.
For example, in the preceding illustration, if the value for a particular
attribute in one of the entries for Suzan Fine changes, attribute flow rules
tell the management agents which value takes precedence so that all the
entries for Suzan Fine can be synchronized with that value.
5. If an attribute does change in the entry in the metaverse namespace, then the
appropriate management agent makes that change in the entry in the
connector namespace and then in the entry in the connected directory.
Centralized vs. Distributed Management of Data
Centralized Data Management
  - Entries are created or deleted in the metadirectory
  - Additions or deletions are propagated out to the connected directories
  - Enables a centralized administrative authority to control identity data
Distributed Data Management
  - Entries are created or deleted only in the connected directories
  - Additions or deletions are imported into the metadirectory
  - Enables separate administrative authorities to control their own
    identity data
Because of the flexibility of MMS, you can implement MMS infrastructure
where data is centrally managed in the metadirectory itself or where data
management is distributed among the administrators of the connected
directories. This allows organizations to implement MMS in a way that matches
their administrative model for managing identity information.
Centralized Data Management
Managing data centrally means that administrators create and delete
entries in the metadirectory, and those additions and deletions are then
propagated out to the connected directories. This type of centralized
management scheme means that a single, central administrative authority
controls all identity data throughout the organization.
At the metadirectory level, centralized data management means that
management agents are configured so that entries are created or deleted only in
the metadirectory, and that the management agents then automatically add and
delete the corresponding entry in the connected directories.
Distributed Data Management
Distributed data management means the data is managed in each of the
connected directories. If objects in a connected directory are created or deleted,
then those additions or deletions would be reflected in the metadirectory. This
type of de-centralized management scheme means the administrators for each
connected directory would control the management of their identity data.
At the metadirectory level, distributed data management means that the
management agents are configured so that the addition or deletion of objects
can originate only in a connected directory. The management agents add or
delete entries in the metadirectory only after they have been added or deleted
in the connected directory.
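The five steps of "How Information Flows in MMS" and the two management models above are easiest to see in running code. The following Python model is an added illustration, not MMS code or its API: the classes ManagementAgent, Metaverse and PolicyError, the FLOW precedence table and the HR and Exchange records for Suzan Fine are all assumptions made for the example. It walks import, projection, join, attribute flow and export, refuses an ambiguous join rather than guessing (two metaverse entries matching the same join value would otherwise be merged into one identity), and enforces the centralized or distributed rule for where a new entry may originate.

```python
"""Toy model of the flow in this module (import, projection, join, attribute flow, export) and the
centralized vs. distributed rule for where entries originate. Added illustration, not MMS code: every
class, table and record here is an assumption; deletions are left out (same origin check as creates)."""
import copy

class PolicyError(Exception): pass  # a create originated on the side the chosen model forbids

class ManagementAgent:
    def __init__(self, name, connected, join_attr):   # join_attr: metaverse attribute to match on
        self.name, self.join_attr = name, join_attr
        self.connected = connected  # simulated connected directory: record id -> attributes
        self.cs, self.links = {}, {}  # connector namespace portion; record id -> metaverse key

class Metaverse:
    def __init__(self, flow, model):  # flow: mv attr -> [(agent, cs attr)] in precedence order
        self.flow, self.model, self.entries = flow, model, {}  # model: centralized/distributed

    def as_mv(self, ma, rec):       # rename one connector record to metaverse attribute names
        return {mv: rec[cs] for mv, srcs in self.flow.items()
                for agent, cs in srcs if agent == ma.name and cs in rec}

    def create(self, attrs, origin):  # origin: "metadirectory" (an administrator) or an agent name
        if (self.model == "centralized") != (origin == "metadirectory"):
            raise PolicyError(f"{origin} may not create entries under the {self.model} model")
        key = f"mv{len(self.entries) + 1}"
        self.entries[key] = dict(attrs)
        return key

    def project(self, ma):          # step 2: the designated agent creates metaverse entries
        for rid, rec in ma.cs.items():
            if rid not in ma.links:
                ma.links[rid] = self.create(self.as_mv(ma, rec), origin=ma.name)

    def join(self, ma):             # step 3: match unjoined connector entries to metaverse entries
        for rid in [r for r in ma.cs if r not in ma.links]:
            value = self.as_mv(ma, ma.cs[rid]).get(ma.join_attr)
            hits = [k for k, e in self.entries.items() if value is not None and e.get(ma.join_attr) == value]
            if len(hits) > 1:       # never merge two people into one identity on a guess
                raise ValueError(f"{ma.name}/{rid}: {ma.join_attr}={value!r} matches {hits}")
            if hits:                # no hit: the entry stays unjoined in the connector namespace
                ma.links[rid] = hits[0]

    def apply_flow(self, agents):   # step 4: lowest precedence is written first, so the first listed wins
        for mv, srcs in self.flow.items():
            for agent, cs in reversed(srcs):
                ma = next(a for a in agents if a.name == agent)
                for rid, key in ma.links.items():
                    if cs in ma.cs[rid]:
                        self.entries[key][mv] = ma.cs[rid][cs]

    def export(self, ma):           # step 5: metaverse -> connector namespace -> connected directory
        for rid, key in ma.links.items():
            for mv, srcs in self.flow.items():
                for agent, cs in srcs:
                    if agent == ma.name and mv in self.entries[key]:
                        ma.cs[rid][cs] = ma.connected[rid][cs] = self.entries[key][mv]

    def provision(self, key, agents):  # centralized model: push a metadirectory-created entry outward
        for ma in agents:           # simplification: the metaverse key doubles as the record id
            ma.cs[key], ma.connected[key], ma.links[key] = {}, {}, key
            self.export(ma)

def synchronize(mv, agents, authoritative):  # one pass of steps 1-5; list the projecting agent first
    for ma in agents:               # step 1: connected directory -> connector namespace
        ma.cs = copy.deepcopy(ma.connected)
    for ma in agents:               # steps 2 and 3
        mv.project(ma) if ma.name == authoritative else mv.join(ma)
    mv.apply_flow(agents)
    for ma in agents:
        mv.export(ma)

# Constructed sample records, modelled on the Suzan Fine illustration.
HR_DB = {"E100": {"Full Name": "Suzan Fine", "Title": "Sales Manager", "Employee #": "E100"}}
EXCHANGE_DIR = {"sfine": {"Name": "Suzan Fine", "Post Office": "PO-West", "Location": "Seattle"}}
FLOW = {"displayName": [("HR", "Full Name"), ("Exchange", "Name")],  # HR wins when they differ
        "title": [("HR", "Title")], "employeeID": [("HR", "Employee #")],
        "postOffice": [("Exchange", "Post Office")], "location": [("Exchange", "Location")]}

def distributed_example():  # entries originate in the connected directories; HR's later rename wins
    hr = ManagementAgent("HR", copy.deepcopy(HR_DB), "displayName")
    ex = ManagementAgent("Exchange", copy.deepcopy(EXCHANGE_DIR), "displayName")
    mv = Metaverse(FLOW, model="distributed")
    synchronize(mv, [hr, ex], authoritative="HR")
    hr.connected["E100"]["Full Name"] = "Suzan Fine-Lee"  # change in the precedent source
    ex.connected["sfine"]["Name"] = "S. Fine"             # conflicting change in the other directory
    synchronize(mv, [hr, ex], authoritative="HR")
    return mv.entries, ex.connected

def centralized_example():  # an agent's projection is refused; an administrator's create is provisioned
    hr, ex = ManagementAgent("HR", {}, "employeeID"), ManagementAgent("Exchange", {}, "displayName")
    mv = Metaverse(FLOW, model="centralized")
    try:
        mv.create({"displayName": "Suzan Fine"}, origin="HR")
        refused = False
    except PolicyError:
        refused = True
    key = mv.create({"displayName": "Suzan Fine", "employeeID": "E100"}, origin="metadirectory")
    mv.provision(key, [hr, ex])
    return refused, hr.connected, ex.connected
```

Under the distributed model the HR agent projects Suzan Fine, the Exchange agent joins on display name, and when both directories later change the name the HR value wins and is exported to Exchange's Name attribute. Under the centralized model the same projection attempt raises PolicyError, and only the administrator's create is provisioned outward to both directories. In a real deployment the join should key on a stable identifier wherever both directories carry one; a name-only join, as in the illustration, is exactly where the ambiguity check earns its keep.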
Topic Objective: To describe the difference between centralized and
distributed data management.
Review
  - What is a Metadirectory?
  - The Business Needs for a Metadirectory
  - Overview of Microsoft Metadirectory Services
  - MMS Directory Elements
  - How Information Flows in MMS
  - Centralized vs. Distributed Management of Data
1. What are three purposes for a metadirectory?
A metadirectory joins all the identity information about each person or
resource into a single entry. The metadirectory removes redundant or
conflicting information about any one person or resource. And, the
metadirectory presents back out to the organization the unified view of
all known information about each person or resource.
2. What are two solutions that a metadirectory provides to the business
problem of managing changes to identity information?
A metadirectory can detect changes made to identity information, and
then propagate those changes to all directories throughout the
organization.
3. Which component of the logical structure of MMS most accurately
represents the content in any one connected directory?
The connector namespace. Each connected directory has its own area
within the connector namespace, which is managed by its
corresponding management agent. The contents in the connector
namespace represent the contents of the connected directory.
Topic Objective: To reinforce module objectives by reviewing key points.
Lead-in: The review questions cover some of the key concepts taught in the
module.
4. What is a distinguished name? What is the purpose of distinguished names
in a directory tree?
A distinguished name identifies the path of parent entries from the root
of the directory tree to a particular entry. Therefore, the distinguished
name identifies the complete path from the root to the entry. The
purpose of distinguished names is to ensure that every entry in a
directory is unique and easy to locate.
5. In a metadirectory implementation where an HR database and an e-mail
directory are integrated in the metadirectory, how many entries in the
metadirectory represent any one employee?
Three. One in the portion of the connector namespace managed by the
HR management agent, one in the portion of the connector namespace
managed by the e-mail management agent, and the unified entry in the
metaverse namespace.
6. What data management model should be adopted by an organization whose
identity information is scattered throughout many directories that are
managed and owned by different departments?
A distributed data management model, because this model allows the
administrators from each department to manage and control the data
in their own directory.