Microsoft Identity Integration Server FAQ
NEW Step into the MIIS 2003 Virtual Lab for Free
It's simple! No complex setup or installation is required to try out MIIS 2003 running in the full-featured TechNet Virtual Lab. You get a downloadable manual and a 90-minute block of time for each module. You can sign up for additional 90-minute blocks anytime. The TechNet Virtual Lab will provide you with full access to MIIS 2003 through one module:
Microsoft Identity Integration Server 2003
Getting Started
1.1 Is an instructor led course available for MIIS?
1.2 Is there any self-paced training for MIIS?
1.3 Are there any books on MIIS?
1.4 How do I become an MIIS expert?
1.5 Do MIIS experts command high salaries?
1.6 I’m new to MIIS. I have imported objects into the metaverse from system FOO and can’t seem to export new objects to system BAR…
1.7 What is Microsoft Provisioning System (MPS)?
1.8 What is Microsoft Zero Touch Provisioning (ZTP)?
Installation
2.1 Can the MIIS Identity Manager be run remotely?
2.2 How powerful does MIIS hardware need to be?
2.3 What are the minimum SQL privileges required to install MIIS?
2.4 Should SQL be licensed per processor or user?
2.5 Does MIIS Enterprise require SQL Enterprise?
2.6 Why does MIIS require Windows Server 2003 EE?
2.7 What version of Visual Studio is required for MIIS 2003?
2.8 Does MIIS require AD?
2.9 What are those keys I exported used for?
2.10 Does MIIS work with SQL Server named instances?
2.11 Can MIIS be clustered?
2.12 Can I use MIIS with 64 bit SQL Server?
2.13 Do I need a license for my cold standby MIIS server?
2.14 Where are the latest MIIS and IIFP Updates?
Performance
3.1 What can I do to improve MIIS synchronization performance?
3.2 What can I do to improve MIIS import performance?
3.3 MIIS and SQL are on different servers, why does MIIS keep losing the connection to the database?
3.4 How can my DBA tune SQL Server to run MIIS faster?
Active Directory Management Agent
4.1 What ports does the ADMA require to connect to a domain controller through a firewall?
4.2 Can I use the ADMA without being domain administrator?
4.3 Can the ADMA in MIIS update SID history on AD objects?
4.4 What does the ADMA use as the anchor attribute?
4.5 If I move an object from domain A to domain B will it be imported as a delete/add or a rename?
4.6 Does the ADMA support SSL?
4.7 How Do I Set the AccountExpires Attribute?
4.8 Can the ADMA Connect to AD Without RPC and DNS?
ADAM Management Agent
5.1 What ports are required for the ADAM MA?
5.2 How do I provision userProxy objects in ADAM?
Exchange Management Agent
6.1 Can I synchronize Exchange 5.x using MIIS?
6.2 Can I synchronize Exchange Free and Busy Data?
GAL Synchronization Management Agent
7.1 Can I use the GAL Sync MA to synchronize Exchange 5.x with Active Directory?
7.2 Does the GAL Sync MA synchronize free/busy data?
7.3 Are Trusts Required for GAL Synchronization?
7.4 How Many Forests Can the IIFP Handle?
7.5 Can the IIFP be used to Sync Groups as Groups Instead of Groups as Contacts?
7.6 Can the IIFP Synchronize Certificates?
7.7 What Permissions Does the GAL Sync MA Require?
Sun ONE Management Agent
8.1 Can I synchronize the password using the Sun MA?
8.2 What versions of the DS does the Sun MA support?
8.3 What is the anchor attribute used by the Sun MA?
8.4 Can I change the anchor attribute in the Sun MA?
8.5 Do we support attribute value options in Sun directories?
File Management Agents
9.1 Can I do full exports with file management agents?
Lotus Notes Management Agent
10.1 Can I use the Notes MA to connect to Notes 6.5?
10.2 Can I read anything other than Names.NSF?
10.3 Can I use custom attributes in Notes?
10.4 Does the Lotus Notes MA support Recertification?
10.5 Does the Lotus Notes MA use AdminP?
10.6 What functionality is in the Notes MA?
10.7 What are the minimum permissions required to access the NAB?
Oracle Management Agent
11.1 Can the Oracle MA create Oracle logins?
11.2 How do I configure a delta table or view?
11.3 Can the Oracle MA connect to OID (Oracle Internet Directory)?
11.4 What Version of the Oracle Client Should I Install on the MIIS Server?
11.5 Does the Oracle MA Support the Oracle 10 Client?
SQL Management Agent
12.1 Can the SQL MA create SQL logins?
12.2 How do I configure a delta table or view?
12.3 Can I use the SQL MA to Connect to Access, Excel, dBase, etc?
12.4 Exported-change-not-reimported error for SQL MA, etc?
IBM DB2 Management Agent
13.1 Does the new DB2 MA support DB2 on OS390?
13.2 What are the DB2 client install requirements for the DB2 MA; does it require DB2 connect, or just the DB2 runtime to be installed?
How Do I Connect To…?
14.1 How do I connect to this system for which we don’t have a management agent?
MMS 2.2 SP1 Support
15.1 When does support for MMS 2.2 SP1 end?
15.2 Is there an upgrade process to get MMS 2.2 SP1 to MIIS 2003?
15.3 Is there a tool to convert ZScript and Template language scripts to MIIS rules?
15.4 Is MMS 2.2 SP1 supported on Windows Server 2003?
Polyarchy
16.1 What is Polyarchy?
16.2 Where Can I Get Polyarchy?
16.3 Does Polyarchy Work With Windows 2003 SP1?
Rules Extensions Programming
17.1 Can I build MIIS rules with Java or Perl?
17.2 Do I need to install Visual Studio .NET 2003 on the MIIS server?
17.3 How Do I Test and Debug MIIS Rules Extensions?
17.4 When Does 'Terminate' Get Called?
Synchronization Rules
18.1 Why aren’t IAF or EAF rules called when attributes are deleted?
18.2 Can I query the MIIS metaverse directly using database access?
18.3 Can I modify the MIIS database?
18.4 What does ObjectAlreadyExistsException mean?
18.5 What does ProvisionOrphan mean?
18.6 How do I provision hierarchy on the fly?
18.7 What is the difference between indexible and non-indexible attributes?
18.8 What is the maximum attribute length for a metaverse attribute?
18.9 What is the difference between ‘delta synchronization’ and ‘import (delta/full) and synchronize delta’?
18.10 What does unsupported-container-delete mean?
Password Management
19.1 What is Password Management?
19.2 How does MIIS Password Management compare to partners?
19.3 Does MIIS Provide Password Synchronization?
19.4 Does MIIS Provide User Self-Service Password Reset?
19.5 What MIIS management agents support password management agent?
19.6 Is password management included in both IIFP and MIIS EE?
Password Synchronization
20.1 Does PCNS Require Forest Trusts?
1.1 Is an instructor led course available for MIIS?
MIIS training is provided by SQLSoft. The training comes in two flavours:
Advanced MIIS Course
Designing and Deploying MIIS
1.2 Is there any self-paced training for MIIS?
Yes. Microsoft has produced some very useful walkthrough documents that serve as
very good introductions to MIIS. The walkthrough documents come complete with
labs for you to work through. Each step in the labs tends to introduce you to a
new feature of the product, providing you with valuable practice before
venturing out into your own deployments.
1.3 Are there any books on MIIS?
Not yet, but one is in the works.
1.4 How do I become an MIIS expert?
There are a few good steps to take in getting started with MIIS
1. Take time to get trained.
2. Read the FAQ.
3. Join the newsgroup and start lurking, or jump right in and start posting
questions. If you skip steps 2 and 3 be prepared to be asked to kindly RTFM.
1.5 Do MIIS experts command high salaries?
Of course:
Average Salary by Microsoft Expertise
MCP Mag Salary Surveys
1.6 I’m new to MIIS. I have imported objects into the metaverse from system FOO and can’t seem to export new objects to system BAR…
Welcome to the group. You should get started by checking out the Getting Started Walkthrough. Taking time to go through the document and the labs will help give you a better understanding of how MIIS works.
Once you're familiar with MIIS concepts you should take the time to go through the Simple Account Provisioning Walkthrough.
1.7 What is Microsoft Provisioning System (MPS)?
Microsoft Provisioning System (MPS) is a provisioning system based on BizTalk for service providers. There is overlap in that both MIIS and MPS claim to do provisioning, but the MPS solution approach is much different. MIIS takes a state-based synchronization approach, while MPS takes the workflow approach using BizTalk.
MPS is only available to customers with a Service Provider Licensing Agreement.
Using workflow for provisioning is of course a top ask of the MIIS product, and is supposed to be in Gemini when it ships.
1.8 What is Microsoft Zero Touch Provisioning (ZTP)?
Zero Touch Provisioning (ZTP) is a component of the Microsoft Solution Accelerator for Business Desktop Deployment Enterprise Edition. Like MPS it is based on BizTalk, but ZTP is focused on the task of managing desktops. ZTP does not employ MIIS.
2.1 Can the MIIS Identity Manager be run remotely?
No, it must be run on the same server as the MIIS service. If you need to access
the Identity Manager remotely then you will need some remote access solution
such as terminal services.
The MIIS monitor tool shipped in the MIIS resource kit. It can be used to:
• view agents remotely
• keep track of MIIS/SQL resource usage
• stop and start the service
• see how many UI sessions are open on the MIIS server
• view the MIIS server event log
2.2 How powerful does MIIS hardware need to be?
A well designed MIIS system should be doing deltas, which do not require much
horsepower at all. The synchronization engine does a very good job of tracking
the state of objects in order to minimize the amount of work it needs to do to
converge the changing data on the MIIS synchronization rules.
A beefy MIIS server may be useful for the initial deployment when all of the
data is being loaded and the full synchronizations are being run.
Details of the Microsoft internal MIIS deployment configuration can be seen at:
http://www.microsoft.com/technet/itsolutions/msit/deploy/cfimwiis.mspx
2.3 What are the minimum SQL privileges required to install MIIS?
The MIIS installation needs to create and permission a new database in SQL, so
it needs SQL administrator access. The installation process will permission the
database such that the MIIS service account has sufficient privileges to access
the database.
If your DBA demands that they install the database before you run the MIIS
setup, and that they will not allow the MIIS setup process to create databases
and set permissions in SQL then you can run setup on a different server and
supply them with a backup of the database created by setup. When setup runs and
detects an existing database it will allow you to use that database, so the
setup process will not need to create or permission anything in SQL.
2.4 Should SQL be licensed per processor or user?
You may license SQL either per PROC or by CAL. If by CAL, you need a CAL for
each connected directory, one for MIIS, one for each MIIS administrator and one
for each end-user that accesses MIIS via the Password Change/Reset web
application.
From the FAQ at http://microsoft.com/miis:
Please consult the SQL Server licensing site for up-to-date information on how
SQL Server 2000, Enterprise Edition, is licensed, including answers to
frequently asked questions. With MIIS 2003, Enterprise Edition, we assume that
most customers will simply license "per processor," but there is also the option
to license SQL Server 2000, Enterprise Edition, on a device or user CAL basis.
If a customer wishes to license on a device or user CAL basis, they must license
sufficient CALs to cover any client/administrative access to MIIS/SQL Server
along with one CAL for every connected directory.
2.5 Does MIIS Enterprise require SQL Enterprise?
SQL EE was a requirement before MIIS 2003 SP1. After MIIS 2003 SP1 the
requirement was reduced to SQL Standard. Keep in mind that Windows Server 2003
EE is still required.
2.6 Why does MIIS require Windows Server 2003 EE?
There is no technical requirement, except that it takes less testing resources
(as opposed to testing MIIS against all editions of Windows).
2.7 What version of Visual Studio is required for MIIS 2003?
Technically speaking MIIS does not require Visual Studio at all, but it is a
very good development tool choice for developing MIIS 2003 rules extensions.
The minimum requirements to compile rules extensions are the .NET compilers
available for free in the .NET Framework SDK at http://msdn.microsoft.com.
2.8 Does MIIS require AD?
MIIS 2003 does not require Active Directory, and it does not extend the Active
Directory schema.
For MIIS 2003 to work in a warm standby configuration, Active Directory is
required. See the technical overview for MIIS 2003 Planning for High
Availability at http://microsoft.com/miis for more details.
2.9 What are those keys I exported used for?
The keys are created during the installation process and stored in the registry.
The keys are used by the MIIS service account to encrypt and decrypt data in the
MIIS database. If somebody were to access the MIIS database directly (for
example, if a database backup were stolen) then they would not have the
unprotected data.
Examples of data protected using the keys include:
1. Management agent credentials for call-based and extensible management agents
2. Configuration properties configured as encrypted on extensible management
agents
3. Passwords on provisioned objects that have not been exported
2.10 Does MIIS work with SQL Server named instances?
Yes, named instances are supported. Using named instances you can use one SQL
Server to support more than one MIIS server.
2.11 Can MIIS be clustered?
No, MIIS does not support clustering today. SQL Server can be clustered, but the
MIIS service cannot. For more information on MIIS high availability please see
the MIIS 2003 Design and Planning Collection.
2.12 Can I use MIIS with 64 bit SQL Server?
Yes.
2.13 Do I need a license for my cold standby MIIS server?
Please see the following link for more info:
Tools: "Cold" Backups for Disaster Recovery
2.14 Where are the latest MIIS and IIFP Updates?
The latest updates are posted to the following links:
3.1 What can I do to improve MIIS synchronization performance?
The most expensive thing MIIS can do is a full synchronization. There are few
reasons to run a full synchronization on a regular basis. If you are running
frequent full synchronizations then consider changing your rules design to take
advantage of delta synchronizations.
3.2 What can I do to improve MIIS import performance?
The easiest way to improve import performance is to import less data either by
using delta imports, or by changing the scope of your discovery.
If you have no choice but to do full imports using a file management agent,
consider optimizing disk IO like you would for a database server.
If you have no choice but to do full imports using a database management agent,
consider using SQL DTS to copy the data to a database on the MIIS server then
point the database management agent at the local copy of the data. This will
improve performance because the management agent will not need to go across the
network to access the data anymore.
3.3 MIIS and SQL are on different servers, why does MIIS keep losing the connection
to the database?
Oddly enough this has been caused by network cards configured to auto sense.
Fixing the card configuration to match the switch did the trick.
3.4 How can my DBA tune SQL Server to run MIIS faster?
Please see the following paper:
Microsoft Identity Integration Server 2003: Planning for High Availability
4.1 What ports does the ADMA require to connect to a domain controller through a
firewall?
Check out Port Settings for MIIS 2003 SP1
In MIIS 2003 SP1 the ADMA no longer requires RPC, but it does still need DNS so
the ports are:
389 TCP/UDP LDAP
53 TCP/UDP DNS
88 TCP/UDP Kerberos
464 TCP/UDP Kerberos Change Password
4.2 Can I use the ADMA without being domain administrator?
Yes. The ADMA connects to Active Directory using the DirSync Control. Access to
the DirSync control is granted using the ‘Replicate Directory Changes’
permission on the Active Directory naming context. Instructions for granting
this permission can be found in the following KB article:
http://support.microsoft.com/default.aspx?scid=kb;en-us;303972&Product=idserv2003
More information on the Dirsync control can be found in the MSDN library:
http://msdn.microsoft.com/library/en-us/ad/ad/tracking_changes.asp
4.3 Can the ADMA in MIIS update SID history on AD objects?
Yes, but not easily. SID history cannot be updated using export attribute flow
in the ADMA because SID history cannot be modified using LDAP. For more
information please see the ADMT documentation, or the Domain Migration Cookbook.
There are tricks to making MIIS do this, but they are not for the faint-hearted.
4.4 What does the ADMA use as the anchor attribute?
The ADMA uses objectGUID as the anchor attribute. This is not configurable.
4.5 If I move an object from domain A to domain B will it be imported as a
delete/add or a rename?
This will be imported as a rename thanks to objectGUIDs.
4.6 Does the ADMA support SSL?
No. The ADMA only supports protecting data transfer using Kerberos Sign and Seal. Note that the ADAM MA supports both.
4.7 How Do I Set the AccountExpires Attribute?
The DateTime.ToFileTime method can be used to populate the AccountExpires attribute in AD.
For example:
csentry("accountExpires").Value = Date.Now.ToFileTime
4.8 Can the ADMA Connect to AD Without RPC and DNS?
In MIIS 2003 SP1 the ADMA was changed such that it no longer requires RPC to connect to Active Directory. It may work without DNS if you use an IP address instead of a forest name (I've tested it and seen it work), but this is not tested or supported yet.
5.1 What ports are required for the ADAM MA?
389 TCP/UDP LDAP
639 TCP/UDP LDAP over SSL
Check out Port Settings for MIIS 2003 SP1
5.2 How do I provision userProxy objects in ADAM?
The trick to this is the objectSID attribute, as it must be set in the
provisioning extension. ObjectSID cannot be set during EAF because the value
cannot change on the ADAM object once it has been provisioned.
1. Flow ObjectSID from AD into a binary metaverse attribute
2. Set ObjectSID on the ADAM object in the provisioning code
Here's some sample provisioning code:
Public Sub Provision(ByVal mventry As MVEntry) Implements IMVSynchronization.Provision
    ' Only persons that carry an employeeID get a userProxy object.
    If mventry.ObjectType.ToLower() = "person" And mventry("employeeID").IsPresent Then
        ' objectSid has to be set here: it cannot change once the ADAM object exists,
        ' so it cannot be flowed later through export attribute flow.
        If mventry("objectSid").IsPresent And mventry.ConnectedMAs("ADAMMA").Connectors.Count = 0 Then
            Dim newCS As CSEntry
            newCS = mventry.ConnectedMAs("ADAMMA").Connectors.StartNewConnector("userproxy")
            newCS.DN = mventry.ConnectedMAs("ADAMMA").CreateDN("CN=" & mventry("employeeID").StringValue).Concat("DC=toronto,DC=ca")
            newCS("objectSid").BinaryValue = mventry("objectSid").BinaryValue
            newCS.CommitNewConnector()
        End If
    End If
End Sub
Be sure to read the ADAM reviewer guide. It has more detail on how bind proxy works in ADAM.
6.1 Can I synchronize Exchange 5.x using MIIS?
With MIIS Enterprise Edition, yes, but not with the IIFP because the IIFP does
not include the Exchange 5.5 management agent.
6.2 Can I synchronize Exchange Free and Busy Data?
No. Free/busy information that is shown in Outlook calendars is stored in Exchange public folders and must be synchronized with a different tool. See the paper titled “Multiple Forest Considerations in Windows 2000 and Windows Server 2003” for more information:
Also check out XADM: Installing, Configuring, and Using the InterOrg Replication Utility.
7.1 Can I use the GAL Sync MA to synchronize Exchange 5.x with Active Directory?
No, for this you will need the Exchange 5.5 MA which only comes in MIIS
Enterprise Edition.
7.2 Does the GAL Sync MA synchronize free/busy data?
No. Free/busy information that is shown in Outlook calendars is stored in Exchange public folders and must be synchronized with a different tool. See the paper titled “Multiple Forest Considerations in Windows 2000 and Windows Server 2003” for more information:
Also check out XADM: Installing, Configuring, and Using the InterOrg Replication Utility.
7.3 Are Trusts Required for GAL Synchronization?
Not for strict GAL synchronization, but some scenarios may require trusts
(independent of MIIS or the IIFP).
7.4 How Many Forests Can the IIFP Handle?
30 are supported, but over 100 have been tested.
7.5 Can the IIFP be used to Sync Groups as Groups Instead of Groups as Contacts?
Yes, but customization is required. More information is available in the MIIS
2003 Walkthrough for GAL Synchronization.
7.6 Can the IIFP Synchronize Certificates?
Yes. This is done by default using the GAL Sync MA.
7.7 What Permissions Does the GAL Sync MA Require?
The MIIS 2003 Walkthrough for GAL Synchronization has more info.
8.1 Can I synchronize the password using the Sun MA?
MIIS can send passwords to Sun, but cannot read passwords from the Sun directory
because the passwords are hashed, and MIIS does not capture password changes
from the Sun Directory.
MIIS can be used to send password changes to the Sun Directory. For more
information on MIIS password management see the Password Management overview
document at http://microsoft.com/miis.
MIIS can be used to set passwords on objects as they are provisioned. For more
information on provisioning see the Simple Account Provisioning walkthrough
document at http://microsoft.com/miis.
8.2 What versions of the DS does the Sun MA support?
You connect to a server running Sun ONE Directory Server 5.0, 5.1, or 5.2
(formerly iPlanet Directory Server), Sun ONE Directory Server 4.12 or 4.13, or
Netscape Directory Server 4.1 or 6.01.
8.3 What is the anchor attribute used by the Sun MA?
nsUniqueID.
8.4 Can I change the anchor attribute in the Sun MA?
For version 5.x, the anchor attribute cannot be changed, but for version 4.x the
anchor attribute can be manually chosen.
8.5 Do we support attribute value options in Sun directories?
Not yet.
9.1 Can I do full exports with file management agents?
Management agents in MIIS 2003 always do delta exports, they cannot be
configured to do full exports. To achieve full export functionality, consider
using a SQL MA to populate a SQL table, then use DTS to drop that table to a
file.
10.1 Can I use the Notes MA to connect to Notes 6.5?
Yes. If using the R6 client then you may need to add the MIIS service account to
the local administrators group on the MIIS server.
10.2 Can I read anything other than Names.NSF?
Yes, just supply a different path to the .NSF file.
10.3 Can I use custom attributes in Notes?
Yes, but they are not discovered automatically as the Notes MA does not do
schema discovery (it doesn’t scan the NSF to learn the schema). The custom
attributes can be added to the MA using the MA configuration screens.
10.4 Does the Lotus Notes MA support Recertification?
No.
10.5 Does the Lotus Notes MA use AdminP?
Yes, for exporting additions and deletions.
10.6 What functionality is in the Notes MA?
In Domino terms, there is a set of things that can’t be done at present:
1. recertification
2. renames
3. PKI certification
4. setting mail file template
5. dynamic schema discovery
6. setting mail file quota and warning level
7. client ID file password reset/change
10.7 What are the minimum permissions required to access the NAB?
In order to access the NAB, the user must not be in any “Deny List Only” groups.
No administrative privileges are required for read-only access to the NAB.
11.1 Can the Oracle MA create Oracle logins?
Not really. The Oracle agent connects to tables or views. Provisioning
identities into Oracle using the Oracle agent means inserting rows into those
tables or views. Though it is possible to make this work with stored procedures,
it is not out-of-the-box functionality and is probably easier with the XMA.
11.2 How do I configure a delta table or view?
11.3 Can the Oracle MA connect to OID (Oracle Internet Directory)?
No, you will need to use the LDIF MA or the XMA.
11.4 What Version of the Oracle Client Should I Install on the MIIS Server?
Oracle Client version 9, release 2, choosing the Administrator option.
11.5 Does the Oracle MA Support the Oracle 10 Client?
Currently the Oracle MA does not support 10i, but 10i support is being considered for future releases of MIIS.
12.1 Can the SQL MA create SQL logins?
Not really. The SQL agent connects to tables or views. Provisioning identities
into SQL using the SQL agent means inserting rows into those tables or views.
Though it is possible to make this work with stored procedures, it is not
out-of-the-box functionality and is probably easier with the XMA.
12.2 How do I configure a delta table or view?
12.3 Can I use the SQL MA to Connect to Access, Excel, dBase, etc?
Sort of, by using SQL Linked Servers to connect to other data sources. To MIIS
this will then look like just another SQL table. You can read more about this by
opening the SQL Books Online and looking up ‘Linked Servers’ in the index.
12.4 Exported-change-not-reimported error for SQL MA, etc?
Keep at the formatting, it should pay off. I have had success doing this. What you might want to do is import a date into MIIS and see ‘exactly’ what format it is in, then repro that format with the AF code. Try something like this:
'///
'/// Convert the date to a format that can be reconsumed without error
'/// Source: " 5/02/1988"
'/// Becomes: "1988-05-02 00:00:00"
'///
Function ConvertDateForSQL(ByVal strSourceDate As String) As String
    ' Split on the character "/"c (a Char, so this compiles with Option Strict On)
    Dim dateComponents() As String = strSourceDate.TrimStart.Split("/"c)
    Dim strTargetDate As String
    ' Year first, then month and day zero-padded to two digits
    strTargetDate = dateComponents(2)
    Dim i As Integer
    For i = 0 To 1
        If dateComponents(i).Length = 1 Then
            strTargetDate += "-0" & dateComponents(i)
        ElseIf dateComponents(i).Length = 2 Then
            strTargetDate += "-" & dateComponents(i)
        End If
    Next
    strTargetDate += " 00:00:00"
    ConvertDateForSQL = strTargetDate
End Function
Craig Owen
Oxford Computer Group
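A stricter variant of the conversion above, added here as an example and not part of Craig Owen's post or the FAQ: it parses the assumed source formats with DateTime.ParseExact, emits exactly the form the SQL MA reads back, and returns Nothing for anything it cannot parse so the export flow can drop the attribute instead of exporting a value that will never re-import cleanly. The metaverse attribute hireDate and the column HIRE_DATE are assumptions.

```vbnet
Imports System
Imports System.Globalization
Imports Microsoft.MetadirectoryServices

Public Module SqlDateFlow
    ' Formats the source feed is assumed to use ("M/d/yyyy" also accepts
    ' "05/02/1988" and " 5/02/1988" after trimming). Add to this list rather than
    ' loosening the parse, so every exported value round-trips exactly.
    Private ReadOnly SourceFormats() As String = New String() {"M/d/yyyy", "yyyy-MM-dd"}
    ' The form the SQL MA reimports unchanged (see the post above).
    Private Const TargetFormat As String = "yyyy-MM-dd HH:mm:ss"

    ' Returns the normalised date, or Nothing when the input is not a date.
    Public Function ConvertDateForSQL(ByVal strSourceDate As String) As String
        If strSourceDate Is Nothing Then Return Nothing
        Dim parsed As DateTime
        Try
            parsed = DateTime.ParseExact(strSourceDate.Trim(), SourceFormats, _
                CultureInfo.InvariantCulture, DateTimeStyles.None)
        Catch ex As FormatException
            Return Nothing
        End Try
        Return parsed.ToString(TargetFormat, CultureInfo.InvariantCulture)
    End Function

    ' Called from MapAttributesForExport for the hireDate flow (assumed names).
    ' A malformed source value deletes the column rather than exporting garbage,
    ' which is what produces the exported-change-not-reimported error.
    Public Sub FlowHireDate(ByVal mventry As MVEntry, ByVal csentry As CSEntry)
        Dim converted As String = Nothing
        If mventry("hireDate").IsPresent Then
            converted = ConvertDateForSQL(mventry("hireDate").Value)
        End If
        If converted Is Nothing Then
            csentry("HIRE_DATE").Delete()
        Else
            csentry("HIRE_DATE").Value = converted
        End If
    End Sub
End Module
```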
13.1 Does the new DB2 MA support DB2 on OS390?
No. It was not supported because of problems with the IBM code supporting OS390
that IBM was not going to fix in time for MIIS 2003 SP1.
13.2 What are the DB2 client install requirements for the DB2 MA; does it require DB2 connect, or just the DB2 runtime to be installed?
You only need the Administration Runtime to connect the DB2 MA to DB2 on Windows or Linux. DB2 Connect is not required.
14.1 How do I connect to this system for which we don’t have a management agent?
When there is not a specific management agent for the system you are trying to
connect to, the general approach is to use a file or database agent to
integrate.
MIIS 2003 SP1 introduced the Extensible Connectivity MA which allows partners
and customers to build new management agents so in the SP1 timeframe we can look
to partners to provide management agents for systems we do not connect to out of
the box.
SAP and PeopleSoft are popular examples of systems MIIS does not have management
agents for yet (but they are due this year). Though these agents are frequently
requested, the experience is that call-based management agents are politically
difficult to deploy. HR system owners tend to prefer the file or database
integration approach in which case the file or database agents in MIIS can be
used.
| System | Suggested approach |
| SAP | File or DB agent |
| DB2 | MIIS 2003 SP1 has a DB2 MA |
| Remedy | File or DB agent |
| Oracle Internet Directory | LDIF MA |
| Critical Path | LDIF MA |
| Syntegra | LDIF MA |
| OpenLDAP | LDIF MA |
| IBM SecureWay | MIIS 2003 SP1 now has a Secureway MA |
| RACF | MIIS 2003 will have a RACF MA in 2005, or contact Proginet |
| ACF2 | MIIS 2003 will have an ACF2 MA in 2005, or contact Proginet |
| Sybase | File or DB agent |
| Microsoft Access | SQL agent and Linked Servers |
| Microsoft Excel | SQL agent and Linked Servers |
| Site Server LDAP | LDIF MA |
15.1 When does support for MMS 2.2 SP1 end?
September 30th, 2004. To verify, see:
http://support.microsoft.com/default.aspx?id=fh;pl;LifeProdm
http://www.microsoft.com/windowsserver2003/techinfo/overview/miisfaq.mspx
15.2 Is there an upgrade process to get MMS 2.2 SP1 to MIIS 2003?
There is no upgrade from MMS 2.2 SP1 to MIIS, it is considered a migration since
the products are so different. For more information on migrations, please see
the migration paper at http://microsoft.com/miis.
15.3 Is there a tool to convert ZScript and Template language scripts to MIIS rules?
No. If there were a tool to convert MMS 2.2 templates to MIIS 2003 rules and run
profiles, it would not result in very efficient or intuitive rules. The code
produced in MMS 2.2 templates is usually a reflection of the language
constraints, so directly migrating the code would not take advantage of the
vastly improved rules in MIIS 2003.
15.4 Is MMS 2.2 SP1 supported on Windows Server 2003?
No.
16.1 What is Polyarchy?
Polyarchy is a new information structure composed of multiple intersecting
hierarchies. For more information try
http://www.research.microsoft.com/users/marycz/IV2002poly.pdf
16.2 Where Can I Get Polyarchy?
Beta versions of MIIS 2003 SP1 contained a preview release of polyarchy. The
release came complete with working bits and labs to demonstrate polyarchy.
Unfortunately it did not make it to SP1 RTM.
If you are interested in participating, please sign in using your passport account to BetaPlace (you may need to create a passport account if you don’t have one already set up). Once signed in, use the special guest account information below to access a nomination survey. Note: Using a personal or previously-assigned BetaID will not grant you access to the survey.
Select: “Sign in as Guest” from the top menu.
Guest Beta ID: miisguest
Next, fill out the survey form which can be accessed by clicking on the left menu navigation bar.
16.3 Does Polyarchy Work With Windows 2003 SP1?
There is an issue with Polyarchy running on Windows 2003 SP1. Here is a workaround:
This is in the event log:
Event Type: Error
Event Source: DCOM
Event Category: None
Event ID: 10016
Date: 4/27/2005
Time: 1:33:56 PM
User: NT AUTHORITY\NETWORK SERVICE
Computer: COMPUTERNAME
Description:
The machine-default permission settings do not grant Local Activation permission for the COM Server application with CLSID
{C9E717CA-B85F-41C5-8102-29A672A583D9} to the user NT AUTHORITY\NETWORK SERVICE SID (S-1-5-20). This security permission can be modified using the Component Services administrative tool.
Looks like this fixes the issue. In the Component services tool:
Component Services->
My Computer ->
DCOM Config ->
polysvc <- Right-click and choose Properties
On the Security Tab ->
Choose "customize" for the “Launch and Activation Permissions” item
-> Edit
Add the account that is referenced in your event log entry and make sure it has "Local Activation" allowed
17.1 Can I build MIIS rules with Java or Perl?
Any language that compiles down to MSIL can be used to create MIIS rules
extensions. Building MIIS rules extensions in VB.NET or C# is easier since the
developer reference code samples are in those languages.
17.2 Do I need to install Visual Studio .NET 2003 on the MIIS server?
No. Rules extensions can be built and compiled on a separate computer, then
copied to the extensions folder on the MIIS server. Installing the debugger on
the MIIS computer is a good idea, since it will improve the troubleshooting
experience.
17.3 How Do I Test and Debug MIIS Rules Extensions?
This topic is covered very well in the MIIS Developer Reference.
17.4 When Does 'Terminate' Get Called?
Terminate gets called after five minutes of inactivity, or if the contents of the \extensions folder change. The MIIS service monitors that folder for changes, and will unload the extensions when it notices changes. It will also stop any running management agents!
18.1 Why aren’t IAF or EAF rules called when attributes are deleted?
IAF and EAF scripts are only called when at least one source attribute for the
mapping is not empty. A trick is to change the mapping to include
18.2 Can I query the MIIS metaverse directly using database access?
This is often a hotly debated topic in MIIS rules design. Querying the metaverse
database table directly is neither recommended nor supported. If you decide to do
it anyway, you should at least use read-only queries with the NOLOCK hint. Some
things to consider if you query the metaverse table:
Support: There is no guarantee that the MIIS database schema will remain
unchanged. An update to MIIS could break any application developed against the
MIIS database.
Extensibility: An application tied to the MIIS database must rely solely on the
existing data, as modifying the MIIS database is not supported. The moment you
need something more, you will be evaluating other data storage options
(directory, database, file, etc.).
Maintenance: Should your application require maintenance (database restore,
etc.), it depends on the MIIS maintenance windows.
Performance: MIIS gets pretty busy during full synchronizations. Your
application could experience timeouts while these are running.
18.3 Can I modify the MIIS database?
Technically yes, since MIIS stores its data in SQL Server, but doing so is neither supported nor recommended.
18.4 What does ObjectAlreadyExistsException mean?
This means the provisioning rule tried to create a new CS object but an object
with the same DN already exists there.
This is the reverse-join scenario.
To simply handle the exception, check out the MIIS developer reference:
(SNIP)
Catching Exceptions During the synchronization process, both expected and
unexpected exceptions can occur. You can determine which exceptions are
non-critical and can be safely ignored, and which exceptions are critical and
should stop the synchronization process. (/SNIP)
If you're seeing this error, chances are you are trying to provision an object
that already exists in the CD. Wouldn't it be cool if you could first check for
its existence by trying to join? Unfortunately, at provision time there is no
opportunity to do joins. Furthermore, you can't simply rely on
ObjectAlreadyExistsException, because you'll only hit it if you try to create
an object with the same name and location as an existing object.
Your provisioning logic can check the CD directly. If a match is found, leave
the object in the MV and wait for the other MA to join it to the MV object. If a
match is not found, provision the object to the CS. The pseudocode would look
like this:
    Check the CD directly by searching for an existing object
    If a match is found
        We can assume the object already exists in the CD, so do nothing but
        leave the MV object in the MV.
        The MV object will not get joined to the existing object until the MA
        runs a sync to perform the join.
    If a match is not found
        We can assume the object does not exist in the CD, so provision a new
        object into the CS.
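The pseudocode above written out as a C# metaverse rules extension, added here as an example (it is not code from the FAQ or from the MIIS developer reference). The MA display name, the metaverse attribute accountName, the LDAP root and the target OU are assumptions for illustration:

```csharp
using System.DirectoryServices;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed names for illustration: MA display name, LDAP root of the CD, target OU.
    const string MaName   = "Fabrikam AD MA";
    const string LdapRoot = "LDAP://DC=fabrikam,DC=com";
    const string UsersOu  = "OU=Users,DC=fabrikam,DC=com";
    public void Initialize() { }
    public void Terminate()  { }
    public void Provision(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs[MaName];
        // Already connected to this MA, or nothing to name the object by: do nothing.
        if (ma.Connectors.Count > 0 || !mventry["accountName"].IsPresent)
            return;
        string account = mventry["accountName"].Value;
        // Match in the CD: leave the MV object alone; the MA's next import and
        // sync will join it to the existing object.
        if (ExistsInCd(account))
            return;
        // No match: provision a new connector into the CS.
        CSEntry csentry = ma.Connectors.StartNewConnector("user");
        csentry.DN = ma.EscapeDNComponent("CN=" + account).Concat(UsersOu);
        csentry["sAMAccountName"].Value = account;
        try { csentry.CommitNewConnector(); }
        catch (ObjectAlreadyExistsException)
        {
            // Same DN already staged in the CS (reverse-join case): non-critical,
            // the join will happen on the next sync.
        }
    }
    // Searches the CD directly; runs as the MIIS service account, so that
    // account needs read access to the search base.
    static bool ExistsInCd(string account)
    {
        using (DirectoryEntry root = new DirectoryEntry(LdapRoot))
        using (DirectorySearcher ds = new DirectorySearcher(root))
        {
            // Escape filter metacharacters so the MV value cannot alter the filter.
            string safe = account.Replace("\\", "\\5c").Replace("*", "\\2a")
                                 .Replace("(", "\\28").Replace(")", "\\29");
            ds.Filter = "(&(objectClass=user)(sAMAccountName=" + safe + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            return ds.FindOne() != null;
        }
    }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }
}
```

The direct CD search is an extra LDAP round trip per provisioned object, so expect it to show up in full synchronization times on large metaverses.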
18.5 What does ProvisionOrphan mean?
This means the provisioning rule tried to create an object in a container that
does not exist in the connector space yet. Chances are this can be resolved by
running a full import on the management agent for that connector space.
18.6 How do I provision hierarchy on the fly?
Also called dynamic OU provisioning, this feature did not make it into MIIS
2003. To create hierarchy on the fly, there are a couple of approaches:
1. Catch the MissingParentObjectException and use MIIS to provision new objects.
This approach will work but all of the children will be joined to the first
object that hit the exception.
2. Catch the MissingParentObjectException and use System.DirectoryServices to
create the object directly in the CD. This approach requires an import run on
the MA to stage the newly created objects from the CD to the CS.
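Approach 2 as an added C# example (not the FAQ's or the product's own code): the provisioning rule targets one OU per department and, on MissingParentObjectException, creates the OU in the CD with System.DirectoryServices. The MA display name, the metaverse attributes accountName and department, and the parent OU are assumptions:

```csharp
using System.DirectoryServices;
using Microsoft.MetadirectoryServices;

public class MVExtensionObject : IMVSynchronization
{
    // Assumed for illustration: MA display name and the fixed parent of the per-department OUs.
    const string MaName   = "Fabrikam AD MA";
    const string ParentOu = "OU=Users,DC=fabrikam,DC=com";
    public void Initialize() { }
    public void Terminate()  { }
    public bool ShouldDeleteFromMV(CSEntry csentry, MVEntry mventry) { return false; }
    public void Provision(MVEntry mventry)
    {
        ConnectedMA ma = mventry.ConnectedMAs[MaName];
        if (ma.Connectors.Count > 0 || !mventry["accountName"].IsPresent
                                    || !mventry["department"].IsPresent)
            return;
        string account = mventry["accountName"].Value;
        // Target container: one OU per department. EscapeDNComponent keeps a comma
        // or '+' in the department name from changing the DN structure.
        ReferenceValue ouRdn = ma.EscapeDNComponent("OU=" + mventry["department"].Value);
        string ouDn = ouRdn.Concat(ParentOu).ToString();

        CSEntry csentry = ma.Connectors.StartNewConnector("user");
        csentry.DN = ma.EscapeDNComponent("CN=" + account).Concat(ouDn);
        csentry["sAMAccountName"].Value = account;
        try { csentry.CommitNewConnector(); }
        catch (MissingParentObjectException)
        {
            // The OU is not staged in the CS yet. Create it in the CD directly;
            // a full import on this MA then stages it and the user is provisioned
            // on the following sync. This runs as the MIIS service account, which
            // therefore needs create-child rights on ParentOu and nothing wider.
            EnsureOu(ouRdn.ToString(), ouDn);
        }
    }
    static void EnsureOu(string rdn, string dn)
    {
        if (DirectoryEntry.Exists("LDAP://" + dn))
            return;
        using (DirectoryEntry parent = new DirectoryEntry("LDAP://" + ParentOu))
        using (DirectoryEntry ou = parent.Children.Add(rdn, "organizationalUnit"))
        {
            ou.CommitChanges();
        }
    }
}
```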
18.7 What is the difference between indexable and non-indexable attributes?
MIIS creates columns in the mms_metaverse database table when new attributes are
created in the metaverse using the Identity Manager. The maximum length of an
indexable string is 450 characters (nvarchar). The maximum length of a
non-indexable string is 2^30 characters.
18.8 What is the maximum attribute length for a metaverse attribute?
SQL Server tables have a maximum row length that imposes constraints on MIIS
metaverse designs. See the Metaverse Planning document in the MIIS Design and
Planning Collection for a thorough discussion of this important design issue.
18.9 What is the difference between ‘delta synchronization’ and ‘import (delta/full)
and synchronize delta’?
Short answer below. See Understanding run profiles in MIIS 2003 for more detail.
A Delta Import and Delta Synchronization step does not evaluate disconnectors. It
only processes the deltas resulting from the import.
A Delta Synchronization step does evaluate disconnectors, hence the extra time to
process.
18.10 What does unsupported-container-delete mean?
MIIS does not support deleting non-leaf-nodes using rules extensions.
To get around the unsupported-container-delete I can think of two scenario
design approaches:
Scenario 1: “chaos”
Use System.DirectoryServices in the provisioning code to remove the parent and
children. The next import on the MA will reconcile the connector space. This is
not a clean way of doing it, and quite far from best practice!
Scenario 2: “the orphanage scenario”
Make use of a holding container in the directory you’re impacting. For example,
create an OU called “orphanage”. When you detect that a non-leaf-node needs to
be deleted, flag it in the MV and use the provisioning code to move the children
into the orphanage. Once the children have evacuated, the parent will be removed
without hitting the unsupported-container-delete.
19.1 What is Password Management?
Password Synchronization is a subset of Password Management. Password Management
includes
1. password security & policy
2. password change
3. password reset
4. password synchronization
5. password expiry notification
6. reporting
19.2 Does MIIS Provide Password Synchronization?
Yes, mostly AD centric since OOB MIIS will only capture passwords from AD. MIIS
2003 SP1 introduced password propagation from Active Directory to any management
agent, including file and database management agents. The password is captured
from AD using password filters on the AD domain controllers. The passwords are
sent to MIIS, which then propagates the passwords to connected systems.
What does this mean to MIIS and AD customers? They can change passwords using
CTRL-ALT-DEL like they normally do, and have MIIS propagate that password to any
other system that can be connected to with any of the management agents.
MIIS 2003 RTM provided some initial password management functionality in the
following form:
• A WMI interface for submitting password changes through MIIS to some connected
directories
• An ASP.NET application for users to change their password if they were already
logged on with their Active Directory account. The password change would go
through to MIIS using WMI then to the systems the users were connected to with
MIIS joins.
• An ASP.NET application for administrators to reset user passwords. The
password reset would go through to MIIS using WMI then to the systems the users
were connected to with MIIS joins.
19.3 How does MIIS Password Management compare to partners?
The password management functionality in MIIS provides a very good start in
password management. Partner products from companies such as M-Tech and Proginet
fill in the functionality gap by providing the following:
• agent software to capture clear text passwords in systems other than AD
• self service password reset applications
• self service profile building applications
• password complexity profiles
19.4 Does MIIS Provide User Self-Service Password Reset?
No. This functionality is not in MIIS yet but is likely to be in MIIS 2003 SP2.
19.5 Which MIIS management agents support password management?
From http://www.microsoft.com/windowsserver2003/techinfo/overview/miispass.mspx:
Management agents for the following data sources support password management in
Microsoft Identity Integration Server 2003:
• Active Directory® directory service
• Active Directory Application Mode (ADAM)
• Lotus Notes Releases 4.6 and 5.0
• Sun and Netscape directory servers (formerly iPlanet Directory Server)
• Windows NT® 4.0
• Novell eDirectory 8.6.2 and 8.7
With MIIS 2003 SP1 more management agents support password management, including
the new Extensible MA, database agents such as the Oracle, SQL and DB2 agents,
and even file agents.
19.6 Is password management included in both IIFP and MIIS EE?
In short, the functionality is there but the web applications are not.
20.1 Does PCNS Require Forest Trusts?
PCNS connects to MIIS over an RPC channel using Kerberos authentication. It explicitly requires mutual authentication, meaning PCNS must trust where it sends the password, and MIIS must trust that it is receiving the passwords only from a DC.
If PCNS and MIIS live in the same forest, the trust is implicit. If PCNS lives in a separate forest from MIIS, then a forest trust must be established before passwords will flow.
If PCNS and MIIS are in Forest A, and you want to synchronize the passwords to Forest B, then no explicit trusts need to be defined. MIIS uses the credentials on the MA to connect and set the password.
On the other hand, if PCNS is in Forest A, and MIIS is in Forest B, and you want to synchronize passwords from Forest A to other CDs, then a forest trust is required before PCNS will flow passwords into MIIS. Again, once the passwords are in MIIS, MIIS uses the credentials on each MA to connect and set the password.
