HMC Resource Management - Part #2 - HMC Resource Management and Active Directory

Things have been busy for me and I haven't had the time to complete this series in a timely fashion. In part #1, we briefly talked, from a very high level, about what's in the PlanManager and ResourceManager databases. In the next few parts, we will go a little further and discuss how HMC manages resource allocation in Exchange, SharePoint and also OCS.

Before we get into that, I think it is essential to talk about how the HMC PlanManager database is linked to Active Directory. The purpose of this article is not to describe the database schema, but I will briefly discuss how the two are linked.

This article was originally posted by Kip.Ng on http://blogs.technet.com/provtest/archive/2009/09/28/hmc-resource-management-part-2-hmc-resource-management-and-active-directory.aspx

The best way to explain this, in my humble opinion, is to walk through the provisioning process. As we walk through it, I will explain how the data is stored in the database, provide some examples, and discuss some of the tables and their purpose.

As you all know, before you can mailbox-enable a user, enable a user for OCS, or create the appropriate SharePoint site for an organization, you first have to create the organization itself and its users. In the HMC world, an Organization means a company, and all the users and groups in that organization are grouped under an Active Directory container or Organizational Unit (OU).

So, let's take a closer look and see what is inserted into the database.

Creating an Organization

Procedure: To create an organization, you call Hosted Active Directory::CreateOrganization.

1. What is created in Active Directory? When this procedure is called,

a. It creates the Organization OU in the Hosting container.

b. It also creates some system containers and objects, such as:

_Private

AllUsers@<org>

Admins@<org>

CSRAdmins@<org>

c. Creating the AD objects is only part of the work; the procedure also stamps the appropriate permissions on the OU so that only users in this organization have access to the objects underneath it.

2. What should you know about otherWellKnownObjects? HMC relies heavily on the otherWellKnownObjects attribute to link an organization OU to related objects without extending the Active Directory schema. For example, MPS uses otherWellKnownObjects on the organization OU to point to its _Private container, its Admins and CSRAdmins objects, and its parent container. This is important to know because a number of MPS procedures resolve these objects through that reference rather than by name.

Note: AllUsers@<org>, however, is not linked through otherWellKnownObjects. This is one of the common reasons that renaming an organization causes problems.
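To make the link mechanism concrete, here is an added example of mine (not MPS code) that decodes the otherWellKnownObjects values on an organization OU and checks them against the layout just described. The "B:<hex length>:<hex GUID>:<DN>" DN-Binary syntax is the real storage format AD uses for wellKnownObjects and otherWellKnownObjects; the role GUIDs MPS stamps are not given in this article, so the ones in the script are placeholders, and the OU layout, the sample values and the placement of AllUsers@<org> are assumptions.

```python
"""Decode the otherWellKnownObjects links on an HMC organization OU and check
them against the layout the article describes.

Added example, not MPS code. The "B:<hex length>:<hex GUID>:<DN>" DN-Binary
syntax is the real storage format of (other)WellKnownObjects; the role GUIDs,
the OU layout and the AllUsers container placement below are assumptions."""
import re
import uuid

_DN_BINARY = re.compile(r"^B:(\d+):([0-9A-Fa-f]+):(.+)$")

# Placeholder GUIDs standing in for the well-known GUIDs MPS stamps (assumption).
ROLE_BY_GUID = {
    uuid.UUID("0a000000-0000-4000-8000-000000000001"): "_Private",
    uuid.UUID("0a000000-0000-4000-8000-000000000002"): "Admins",
    uuid.UUID("0a000000-0000-4000-8000-000000000003"): "CSRAdmins",
    uuid.UUID("0a000000-0000-4000-8000-000000000004"): "Parent",
}
REQUIRED_ROLES = ("_Private", "Admins", "CSRAdmins", "Parent")

# Constructed sample: what otherWellKnownObjects on OU=TestOrg might hold.
ORG_DN = "OU=TestOrg,OU=Hosting,DC=hosting,DC=example"
SAMPLE_LINKS = [
    "B:32:0A000000000040008000000000000001:CN=_Private,OU=TestOrg,OU=Hosting,DC=hosting,DC=example",
    "B:32:0A000000000040008000000000000002:CN=Admins@TestOrg,OU=TestOrg,OU=Hosting,DC=hosting,DC=example",
    "B:32:0A000000000040008000000000000003:CN=CSRAdmins@TestOrg,OU=TestOrg,OU=Hosting,DC=hosting,DC=example",
    "B:32:0A000000000040008000000000000004:OU=Hosting,DC=hosting,DC=example",
]


def parse_dn_binary(value):
    """Split one DN-Binary value into (guid, dn), rejecting malformed entries."""
    match = _DN_BINARY.match(value)
    if not match:
        raise ValueError(f"not a DN-Binary value: {value!r}")
    length, hex_guid, dn = match.groups()
    if int(length) != len(hex_guid) or len(hex_guid) != 32:
        raise ValueError(f"GUID length mismatch in {value!r}")
    return uuid.UUID(hex=hex_guid), dn


def _is_under(child_dn, parent_dn):
    """True if child_dn sits somewhere below parent_dn (compared case-insensitively)."""
    return child_dn.lower().endswith("," + parent_dn.lower())


def check_org_links(org_dn, values):
    """Return (links, problems). links maps role -> DN; problems lists every
    link that is unknown, missing, or pointing somewhere it should not."""
    links, problems = {}, []
    for value in values:
        guid, dn = parse_dn_binary(value)
        role = ROLE_BY_GUID.get(guid)
        if role is None:
            problems.append(f"unrecognised link GUID {guid} -> {dn}")
            continue
        links[role] = dn
        if role == "Parent" and not _is_under(org_dn, dn):
            problems.append(f"Parent link {dn} does not contain the org OU")
        elif role != "Parent" and not _is_under(dn, org_dn):
            problems.append(f"{role} link {dn} lies outside the org OU")
    for role in REQUIRED_ROLES:
        if role not in links:
            problems.append(f"missing {role} link")
    return links, problems


def allusers_dn(org_dn, org_name):
    """AllUsers@<org> has no otherWellKnownObjects link, so the only way to find
    it is to build its name from the org name (placement directly under the org
    OU is assumed). A name built this way is what an org rename invalidates."""
    return f"CN=AllUsers@{org_name},{org_dn}"


if __name__ == "__main__":
    found, issues = check_org_links(ORG_DN, SAMPLE_LINKS)
    for role, dn in found.items():
        print(f"{role:10} -> {dn}")
    print("problems:", issues or "none")
    print("AllUsers (by name only):", allusers_dn(ORG_DN, "TestOrg"))
```

On a real HMC forest you would feed check_org_links the values read from the OU's otherWellKnownObjects attribute (for example via System.DirectoryServices from PowerShell) and substitute the real role GUIDs. The caveat worth remembering: AD keeps the DN half of a DN-Binary value current when the target is moved or renamed, which is why the linked containers survive an organization rename while AllUsers@<org>, which can only be found by name, does not.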

 

3. What is in the database then? Not much is written to the database during organization creation. Because otherWellKnownObjects links most of these objects (Admins, CSRAdmins and the _Private container), there is no reason to keep any of them in the database, so you will not find any record of those admin objects there.

PlanManager is the only database you need to look at at this point. When an organization is created, a record is inserted into the Customers table in the PlanManager database. Say you create a new organization called TestOrg; if you run a query like this,

SELECT * FROM [PlanManager].[dbo].[Customers] WHERE CommonName = 'TestOrg'

you will get one record back, showing you the following fields:

CustomerID -> This matches the objectGUID of the OU (or, for other rows, of the object).

ParentID -> This matches the objectGUID of the parent or holding OU.

StatusTypeCode -> This tells you whether the organization or object is still active or enabled.

CustomerTypeCode -> This tells you what type of object this is. For example,

        - BU is a business user

        - BZ is a business organization

        - CT is a contact object

        - GP is a group object

        - CU is a consumer user

        - RO is a reseller organization

        - IR is an information worker

CommonName -> This stores the name of the organization. For a user it stores the user's email address, for a contact object the contact's email address, and for a group object the group name.

Note: The Customers table does not contain just the organization OU objects. It holds a row for almost everything created in Active Directory through MPS, such as OUs, users, contacts and distribution groups.

The database is also designed for customization and extension: you can define your own type codes if necessary, and you can list all the available types from the CustomerTypes table.

The above does not cover in detail everything the procedure executes, nor some of the less obvious things written to the database. For example, there is a difference between creating a reseller organization and a normal business organization, and a consumer organization differs from a business organization as well; you can see them differentiated by the CustomerTypeCode. You should also know that when you create a business organization, it is also subscribed to the BusinessPlan, which is the default plan for business organizations.

In short, the mapping is by GUID: creating an organization inserts only the OU record, and subscribes the OU to a business plan if it is a business organization. In later parts I will go a little deeper into the plans in the database and how each service, such as Exchange, has an organization plan as well as a user plan. For now, from the Active Directory standpoint it is quite straightforward, and it does not touch the ResourceManager database at all.
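To show what these Customers rows look like in practice, here is an added example of my own (not the MPS schema or code). It stands up an in-memory SQLite table with the columns discussed above, runs the TestOrg lookup as a parameterised query, walks ParentID to list everything under the organization with its type, and reconciles those CustomerIDs against a constructed set of AD objectGUIDs, which is the check you want when the GUID is the only thing tying the database to the directory. Only the type codes come from this article; the hierarchy, the GUIDs, the names and the CustomerTypes column names are all made up, and on a real deployment the same queries run against the SQL Server PlanManager database.

```python
"""Walk an HMC organization's objects through the PlanManager Customers table
and reconcile them against the objectGUIDs actually present in Active Directory.

Added example. An in-memory SQLite database stands in for the SQL Server
PlanManager database; every GUID, name and the hierarchy below are constructed,
and the CustomerTypes column names are an assumption."""
import sqlite3
import uuid

# Type codes as listed in the article.
CUSTOMER_TYPES = {
    "BU": "business user",
    "BZ": "business organization",
    "CT": "contact object",
    "GP": "group object",
    "CU": "consumer user",
    "RO": "reseller organization",
    "IR": "information worker",
}

# Made-up objectGUIDs standing in for the values AD would assign.
HOSTING_OU = uuid.UUID("10000000-0000-4000-8000-000000000001")
RESELLER   = uuid.UUID("10000000-0000-4000-8000-000000000002")
TESTORG    = uuid.UUID("10000000-0000-4000-8000-000000000003")
ALICE      = uuid.UUID("10000000-0000-4000-8000-000000000004")
SALES_GRP  = uuid.UUID("10000000-0000-4000-8000-000000000005")
BOB_CT     = uuid.UUID("10000000-0000-4000-8000-000000000006")
STALE_USER = uuid.UUID("10000000-0000-4000-8000-000000000007")  # row kept, AD object gone
UNMANAGED  = uuid.UUID("10000000-0000-4000-8000-000000000008")  # AD object created outside MPS


def build_planmanager():
    """Create and seed stand-in Customers and CustomerTypes tables."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CustomerTypes (CustomerTypeCode TEXT PRIMARY KEY, Description TEXT)")
    db.executemany("INSERT INTO CustomerTypes VALUES (?, ?)", CUSTOMER_TYPES.items())
    db.execute(
        """CREATE TABLE Customers (
               CustomerID       TEXT PRIMARY KEY,   -- objectGUID of the AD object
               ParentID         TEXT,               -- objectGUID of the parent/holding OU
               CustomerTypeCode TEXT REFERENCES CustomerTypes(CustomerTypeCode),
               CommonName       TEXT)"""
    )
    # Assumed hierarchy: Hosting OU > reseller org > business org > its objects.
    rows = [
        (RESELLER,   HOSTING_OU, "RO", "ResellerOrg"),
        (TESTORG,    RESELLER,   "BZ", "TestOrg"),
        (ALICE,      TESTORG,    "BU", "alice@testorg.example"),
        (SALES_GRP,  TESTORG,    "GP", "Sales"),
        (BOB_CT,     TESTORG,    "CT", "bob@partner.example"),
        (STALE_USER, TESTORG,    "BU", "stale@testorg.example"),
    ]
    db.executemany(
        "INSERT INTO Customers VALUES (?, ?, ?, ?)",
        [(str(cid), str(pid), code, name) for cid, pid, code, name in rows],
    )
    return db


def find_org(db, common_name):
    """The article's lookup, with the name bound as a parameter instead of spliced
    into the SQL text. Returns (CustomerID, ParentID, CustomerTypeCode) or None."""
    return db.execute(
        "SELECT CustomerID, ParentID, CustomerTypeCode FROM Customers WHERE CommonName = ?",
        (common_name,),
    ).fetchone()


def objects_under(db, org_id):
    """Every row whose ParentID chain leads back to org_id, as
    (CustomerID, type description, CommonName, depth). SQLite needs the
    RECURSIVE keyword; T-SQL on SQL Server writes the same CTE as plain WITH."""
    return db.execute(
        """WITH RECURSIVE tree(CustomerID, CustomerTypeCode, CommonName, Depth) AS (
               SELECT CustomerID, CustomerTypeCode, CommonName, 0
               FROM Customers WHERE CustomerID = ?
               UNION ALL
               SELECT c.CustomerID, c.CustomerTypeCode, c.CommonName, t.Depth + 1
               FROM Customers c JOIN tree t ON c.ParentID = t.CustomerID)
           SELECT t.CustomerID, ct.Description, t.CommonName, t.Depth
           FROM tree t LEFT JOIN CustomerTypes ct ON ct.CustomerTypeCode = t.CustomerTypeCode
           WHERE t.Depth > 0
           ORDER BY t.Depth, t.CommonName""",
        (str(org_id),),
    ).fetchall()


def reconcile(db, org_id, ad_object_guids):
    """Compare PlanManager's view of an org with the objectGUIDs found under its
    OU in AD. Rows without an AD object are leftovers from out-of-band deletions;
    AD objects without a row were created outside MPS and are invisible to it."""
    db_guids = {uuid.UUID(row[0]) for row in objects_under(db, org_id)}
    return {
        "in_db_not_ad": db_guids - set(ad_object_guids),
        "in_ad_not_db": set(ad_object_guids) - db_guids,
    }


if __name__ == "__main__":
    db = build_planmanager()
    org_id, parent_id, type_code = find_org(db, "TestOrg")
    print(f"TestOrg: CustomerID={org_id} ParentID={parent_id} type={type_code}")
    for customer_id, description, name, depth in objects_under(db, uuid.UUID(org_id)):
        print(f"{'  ' * depth}{name} ({description}) {customer_id}")
    # Constructed: objectGUIDs an LDAP search under OU=TestOrg would return today.
    ad_now = {ALICE, SALES_GRP, BOB_CT, UNMANAGED}
    print(reconcile(db, uuid.UUID(org_id), ad_now))
```

Two points are worth carrying over to the real database. The article's query has the organization name pasted into the SQL text, which is fine in a query window but not in anything that takes the name from a request; bind it as a parameter as find_org does. And because nothing but the GUID ties a Customers row to its AD object, a reconciliation like reconcile is the quickest way to spot rows whose object was deleted or renamed outside MPS, which is exactly the situation the rename note above warns about.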

Creating a User

1. What is created in Active Directory? When the user creation procedure is called,

a. It creates the user object in the Organization OU. Before doing so, it performs some checks, such as whether the path passed in is valid.

b. It does not create anything else besides the user object, but it does add the user to the appropriate security groups, such as the AllUsers group created during organization creation.

c. It then applies the appropriate permission hardening.

2. What is in the database then? Creating the AD user object inserts a record into the Customers table in the PlanManager database.

Creating a Group

1. What is created in Active Directory? When the group creation procedure is called,

a. It creates the group object in the Organization OU. Before doing so, it performs some checks, such as whether the path passed in is valid.

b. Nothing else is created besides the group object itself.

c. It then applies the appropriate permission hardening.

2. What is in the database then? Creating the AD group object inserts a record into the Customers table in the PlanManager database.

Creating a Contact

1. What is created in Active Directory? When the contact creation procedure is called,

a. It creates the contact object in the Organization OU. Before doing so, it performs some checks, such as whether the path passed in is valid.

b. It does not create anything else besides the contact object, but it does add the contact to the appropriate security groups, such as the AllUsers group created during organization creation.

c. It then applies the appropriate permission hardening.

2. What is in the database then? Creating the AD contact object inserts a record into the Customers table in the PlanManager database.

So, there you go; it is pretty straightforward. As you can see, from the MPS standpoint creating objects in Active Directory writes nothing outside the PlanManager database and does not touch the ResourceManager database at all. You should also see that every record created uses the Active Directory objectGUID as the primary reference in MPS's PlanManager database.
