My current project is using MIIS to assist with an Exchange Resource Forest. The company has decided to run Exchange in the headquarters and each sub-Company would maintain their own Active Directory for login and security. The Exchange forest has placeholder accounts (mailboxes) that the external accounts have rights to.
MIIS is responsible for two things:
It is an interesting project with some intriguing problems.
Access to sub-company AD's: In most cases, the sub-companies do not want to give access to their AD from the central MIIS server. We could certainly refine the access to read-only at certain containers, but there are still firewalls and other political factors that override. In our case, we will likely ask the sub-company to export only the necessary data needed to an ADAM instance that can buffer some of the above issues.
Migration status: Initially, the primary data source for the user data is on the legacy side. Once the users are migrated, my data flow rules need to switch directions for certain attributes. We decided to add a "migration status" field that would be used in our MIIS logic to help customize the attribute flow presedence and direction.
External account IDs/SIDs: In order to permission the mailboxes, we obviously need a trust in place, but we also need the user account and/or the user SID from the sub-company AD. The can prove challenging depending on how you are permissioning. The permission process is also slightly different for a brand spanking new mailbox compared to one that already exists on the store.
Once the migration is over, the whole thing becomes a lot easier. With something this large, it could take a long time....
PingBack from http://maxfeed.ath.cx/item_1720618.html