
Live@edu Admin Guide

Provisioning Windows Live IDs with Identity Lifecycle Manager and Windows Live Management Agent v3

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.

Version 3.0
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise
noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are
fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is
intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under
copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any
means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
The names of manufacturers, products, or URLs are provided for informational purposes only and Microsoft makes no representations and
warranties, either expressed, implied, or statutory, regarding these manufacturers or the use of the products with any Microsoft technologies.
The inclusion of a manufacturer or product does not imply endorsement of Microsoft of the manufacturer or product. Links are provided to
third party sites. Such sites are not under the control of Microsoft and Microsoft is not responsible for the contents of any linked site or any link
contained in a linked site, or any changes or updates to such sites. Microsoft is not responsible for webcasting or any other form of transmission
received from any linked site. Microsoft is providing these links to you only as a convenience, and the inclusion of any link does not imply
endorsement of Microsoft of the site or the products contained therein.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this
document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you
any license to these patents, trademarks, copyrights, or other intellectual property.
Copyright © 2007 Microsoft Corporation. All rights reserved.
Microsoft are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Table of Contents
Table of Contents....................................................................................................................................3
Section 1: About the Live@edu Program.................................................................................................7
Why Choose Live@edu?......................................................................................................................7
About This Guide.................................................................................................................................7
What if I get stuck?..............................................................................................................................8
Technology Overview..........................................................................................................................8
Live@edu Solution Details...................................................................................................................9
List of Features....................................................................................................................................9
Terms and Definitions........................................................................................................................10
Section 2: Checklist of Items before Deployment..................................................................................12
Section 3: Reserving a Domain with Windows Live Admin Center........................................................13
Select a Domain Name.......................................................................................................................13
Assign a Domain Administrator.........................................................................................................14
Review Settings and Accept Agreement............................................................................................15
Confirm the Administrator Account...................................................................................................15
Section 4: Identity Lifecycle Manager 2007...........................................................................................18
Primary Concepts and Terminology...................................................................................................18
System Requirements........................................................................................................................18
Metadirectory....................................................................................................................................18
Data Aggregation...............................................................................................................................20
Data Synchronization.........................................................................................................................20
Data Enforcement..............................................................................................................................20
Data Source.......................................................................................................................................21
Management Agent...........................................................................................................................21
Metaverse..........................................................................................................................................21
Connector Space................................................................................................................................22
Provisioning.......................................................................................................................................22
Running a Synchronization................................................................................................................22
Extensible Management Agents........................................................................................................23
State Based System...........................................................................................................................23
Operations.........................................................................................................................................23
Disaster Recovery Plan 1 (SQL Outage)..............................................................................................24
Disaster Recovery Plan 2 (ILM Server Outage)...................................................................................24
List of Maintenance Operations........................................................................................................25
Backing up Management Agents.......................................................................................................26
Section 5: Setting up the Environment..................................................................................................29
Installation requirements..................................................................................................................29
Section 6: Creating and Configuring the Data Source Management Agent...........................................31
Configuring the Data Source Management Agent.............................................................................31
Connecting to the Student Data Source............................................................................................31
Database Management Agents.........................................................................................................31
LDAP Management Agents................................................................................................................32
File-based Management Agents........................................................................................................34
Understanding the Student Data Source Schema..............................................................................34
Management Agent Schemas............................................................................................................34
Anchor Attributes..............................................................................................................................35
Object Types and Attributes..............................................................................................................35
Select a Subset of the Source Data....................................................................................................36
Database management agents..........................................................................................................36
LDAP management agents.................................................................................................................36
File-based Management Agents........................................................................................................37
Configure Connector Filter Rules.......................................................................................................37
Refine Further by Using Filters to Select Subsets...............................................................................37
Configure Join Rules..........................................................................................................................38
Configure Projection Rules................................................................................................................39
Configure Import Attribute Flow.......................................................................................................39
Configure Deprovisioning..................................................................................................................42
Configure Extensions.........................................................................................................................43
Section 7: Installing and Configuring the Export Management Agent...................................................44
Installing the Windows Live Management Agent..............................................................................44
Create the Windows Live (Export) Management Agent....................................................................45
Passport User Attributes....................................................................................................................55
Enable Provisioning...........................................................................................................................59
Section 8: Configure XML Files...............................................................................................................63
Configure XML Settings......................................................................................................................63
Configure Offers................................................................................................................................68
Section 9: Additional Settings................................................................................................................69
Managing MX Records.......................................................................................................................69
Section 10: Running the Solution...........................................................................................................70
Data Synchronization.........................................................................................................................70
Run Profiles........................................................................................................................................71
Configure the Full Import and Full Synchronization Run Profile for the Import Management Agent 71
Configure Export Run Profile for the Windows Live Management Agent..........................................72
Delta Import and Delta Synchronization............................................................................................72
Populating the Metaverse.................................................................................................................73
Troubleshooting the Staging of the Student Data.............................................................................73
Creating Windows Live IDs................................................................................................................73
Managing the Output Files................................................................................................................74
Features of the Windows Live Management Agent...........................................................................75
Renaming of E-mail Addresses..........................................................................................................75
Deleting Windows Live IDs................................................................................................................75
Setting an Object Deletion Rule.........................................................................................................76
Attribute Interdependencies.............................................................................................................77
Active vs. Inactive student handling..................................................................................................77
Configuring Multiple Sites.................................................................................................................78
Section 11: Password Management......................................................................................................79
Create Initial Password......................................................................................................................79
Password Reset..................................................................................................................................79
Password limitations..........................................................................................................................79
ILM Password Synchronization..........................................................................................................89
Using Other Systems as the Source for Password Changes...............................................................92
Reset Password Flow.........................................................................................................................93
Recovering from a Forgotten Password.............................................................................................93
Alternate E-mail Addresses................................................................................................................94
Section 12: Troubleshooting..................................................................................................................94
ILM 2007 Failure Analysis Process Flow.............................................................................................97
For “stopped-extension-dll-exception”.............................................................................................98
For “completed-export-errors“..........................................................................................................98
Getting Support.................................................................................................................................98
Disaster Recovery Plan (ILM Server Outage).....................................................................................98
Section 13: Advanced Topics...............................................................................................................108
Student Portal Integration...............................................................................................................108
High Availability...............................................................................................................................109
Integration of Live@edu Into a Pre-existing ILM Environment........................................................109
Distribution List Management.........................................................................................................110
Appendix A: Valid Region/Country Codes............................................................................................112
Appendix B: Language Codes...............................................................................................................123
Appendix C: TimeZone Codes..............................................................................................................125
Appendix D: U.S. Region Codes...........................................................................................................139
Appendix E: Certificate Install Information..........................................................................................142
Obtaining a Certificate for your Domain..........................................................................................142
Installing the certificate on the ILM Server......................................................................................142
Installing WinHTTP Configuration Tool............................................................................................142
Installing the certificate to Windows Live Admin Center.................................................................147
Appendix F: Migrating from the SDK tools...........................................................................................156
Appendix G: Support information........................................................................................................183
Using Microsoft Premier Online.......................................................................................................184
Steps to access the Microsoft Premier Online site..........................................................................184
Steps to file a support request with Microsoft:...............................................................................184
Tracking/Updating an Incident:.......................................................................................................185
Incident Severity Definition.............................................................................................................186
Section 1: About the Live@edu Program
The Live@edu program was established to allow educational institutions to provide their users an e-mail address at a custom, institution-determined domain without the difficulties and costs of maintaining an in-house mail infrastructure. This e-mail address can be a for-life e-mail address, since the program allows users to continue using the address with no time constraints.

The e-mail address issued by Live@edu is hosted by Windows Live Hotmail (previously known as Hotmail), the largest free e-mail provider in the world, and may be accessed through http://mail.live.com as well as a myriad of other web sites. Additionally, institutions will be able to integrate with the Windows Live Hotmail interface to expose the functionality through custom education portals. This document describes the Windows Live Management Agent, an application primarily used for automating the creation, management and deletion of Windows Live IDs for use with Windows Live sites and applications. The Windows Live Management Agent is an administration tool used by universities participating in the Live@edu program. In addition to Windows Live Hotmail, users will be able to use the Windows Live ID to sign up for services on sites such as Windows Live Spaces and Windows Live Messenger in place of using the @Live.com, @hotmail.com and @msn.com domains that are available to the general public. Technically, the Windows Live Management Agent is a plug-in application to Microsoft Identity Lifecycle Manager (ILM) 2007 that allows for manipulation of Windows Live IDs for the allowed domains. Minimal configuration is required; specifically, you will be asked to decide how the e-mail address is created and to provide a temporary initial password.

Why Choose Live@edu?

While there are a number of e-mail providers out there, here are some reasons that make Live@edu the right choice for educational e-mail needs:

• No mail infrastructure requirement means there is no need to hire in-house support staff to set up and maintain mail servers
• Familiar user interface of Live.com/Hotmail increases adoption and lowers support costs
• Powerful user creation and management tools
• Integration with your current student e-mail directory
• For-life e-mail address
• Free

About This Guide

This document describes how to implement the Windows Live Management Agent for creating, managing and deleting Windows Live IDs for use with Windows Live sites and applications. The data that is used to create the accounts can be retrieved from any number of sources, such as an LDAP directory, a database or even a flat file. This guide describes how to set up and deploy the solution. It contains many sections that describe the details needed to configure the settings and aid you in deciding which features and functions are important to you. Additionally, various pitfalls and errors that may be encountered are discussed with the intent of helping you avoid or resolve any issues.

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.

What if I get stuck?


The Live@edu program is meant to simplify the long term administration associated with student,
alumni and/or applicant e-mail. In addition to this document, there are several other tools to assist you
in understanding this solution. Premier Online support is included free with Live@edu, including
24x7x365 phone support for critical issues and Web-based support for non-critical issues.

Technology Overview

Windows Live is a suite of services and web applications that can be accessed with one Windows Live ID. To integrate the student, alumni, and/or applicant information you have at your school with the Windows Live environment, you establish communication between the source of this information and Windows Live. This is accomplished with a Microsoft application called Microsoft Identity Lifecycle Manager (ILM) 2007. Once configured, ILM 2007 can gather data from the source and create, manage and delete accounts automatically. The data source is the repository which contains information about the students whose accounts you would like to create. This data source may be Active Directory, an LDAP server, a text file, a database or any other data source supported by ILM 2007. This document is limited to covering the first four of the sources listed above; should you need information about connecting to the other ones, please refer to the ILM 2007 documentation.

ILM 2007 is a software product that enables IT organizations to reduce the cost of managing the identity and access life cycle by providing a single view of a user's identity across the heterogeneous enterprise and through the automation of common tasks. In essence, ILM 2007 allows data sources that were never designed to talk to each other to communicate and synchronize data. For that reason, ILM 2007 is leveraged to allow your student data source to communicate with Windows Live. The Windows Live Management Agent is a plug-in to ILM 2007 that knows how to communicate with Windows Live. Additionally, ILM 2007 has other plug-ins that know how to communicate with many standard places where identity information is stored, such as LDAP servers, databases, etc. The other management agents allow ILM 2007 to gather the student, alumni or applicant information, and the Windows Live Management Agent allows for the creation, eviction and modification of Windows Live IDs. Even though ILM 2007 is designed to integrate a variety of data sources, we will be working with a limited subset of the ILM 2007 functionality for the purposes of the Live@edu solution. As visualized by the diagram below, the data flow occurs in one direction. First, the data is imported from the data source (LDAP, database, etc.). Then it is processed by ILM 2007 and exported to Windows Live. The result of this process is a group of Windows Live IDs that are managed based on your existing student information.
Live@edu Solution Details
Now that you have a better understanding of ILM 2007 including the terminology, you can apply that
knowledge to the Live@edu solution. The following section provides an overview of the basics necessary
to understand Live@edu.

List of Features

Here are some of the features that you can expect from the Windows Live Management Agent.

• Tight integration with ILM 2007
• Support for multiple e-mail domains
• Password resets via attribute flows for member accounts
• Ability to suspend e-mail accounts as needed
• E-mail address renames/changes
• Support for custom portal integration
• Ability to re-brand the web interface with a custom logo
• Automatic enablement of Windows Live Hotmail inboxes
• Password synchronization with Active Directory
• Disaster recovery
Terms and Definitions
Term or Acronym: Definition

Anchor: The anchor attribute uniquely identifies an object in the connected data source. For the MA, NetID will be utilized as the anchor.

Branding: A customized user interface (UI) with logos, etc. to be displayed when the user signs in to Windows Live Hotmail, Messenger, Spaces, and other Windows Live services. Co-branding is now available through the Windows Live Admin Center.

Eviction: The process of setting a user into a state in which they will be required to choose a new sign-in name that is not in the Windows Live domain on their next sign-in attempt.

Identity: The entity represented by NetID. A single identity may have multiple credentials of different types associated with it.

NetID: A unique identifier associated with a Windows Live ID. This is generated automatically by Windows Live.

Managed Namespace: A namespace that is created and controlled by a partner whose users' accounts are authenticated by Windows Live ID.

OfferName: The OfferName is a function of the Windows Live Admin Center that controls advertising.

Partner: An organization working with the management agent under appropriate contracts for a Microsoft service, such as a participant university.

Profile: Personal data about a user other than their e-mail account and password (Windows Live ID); for example, first name, last name, and zip code are properties of a user's profile.

Provisioning: The process by which the Windows Live ID service agrees a partner is authorized to set up a managed namespace. Alternatively: an ILM term used to describe the creation of an object in a Connector Space.

SOAP: Simple Object Access Protocol. An HTTP/XML-based protocol by which the management agent will communicate with Windows Live Admin Center.

Tertiary Namespace: A namespace with three parts, such as edu01.wledutraining.com, that is derived from a top-level domain. The management agent will support tertiary namespaces.

Windows Live ID: A username and password used to authenticate with Windows Live services. Synonymous with a “Passport ID”.
Section 2: Checklist of Items before Deployment
The following is a high-level checklist of work items that need to be completed before you are fully deployed on the Live@edu program. As you move forward on-boarding with Live@edu, you will be given more detail around each of these items.

• Complete and submit the Live@edu enrollment form (https://imagine-windowslive.com/Education/Connect/Enroll/Default.aspx). Be sure to submit the domains you plan to use to host your Live@edu e-mail accounts.
• You will receive an invite via e-mail to reserve your domain with Windows Live Admin Center (WLAC). You will receive separate invites for each domain you want to reserve.
• Click on the invite and you will be redirected to the WLAC web site (http://domains.live.com). (See Section 2)
  o Assign a Windows Live ID account as the domain administrator
  o Set the MX record as directed by WLAC and wait for WLAC to confirm the MX record change (this needs to propagate over the Internet)
  o Configure co-branding for your domain via the Co-branding tab in WLAC
• Install Windows Server 2003 Enterprise Edition or later (See Section 4)
• Install SQL Server 2000 or 2005 (Enterprise or Standard Edition; SQL 2000 requires SP3) (See Section 4)
• Install ILM 2007 (MIIS SP2) (See Section 4)
• Configure a data source management agent (See Section 5)
• Confirm domain reservation is complete and configured for Live@edu offers and co-branding
• Install WLCD MAV3 bits (See Section 5)
• Configure WLCDGlobalConfig and WLCDProvisioningConfig XMLs (See Section 5)
• Configure the WLCD export management agent (See Section 5)

NOTE: BEFORE MOVING FORWARD ALL THE ABOVE STEPS MUST BE COMPLETE

• Create test accounts
• Verify test accounts behave as expected
  o Log in
  o Send/receive e-mail
  o Ads or no ads as expected
  o Forwarding works as expected

NOTE: This Admin Guide covers provisioning of accounts to Hotmail only. This guide does not cover Exchange Labs provisioning.
Section 3: Reserving a Domain with Windows Live Admin Center
Before you reserve your domain, please submit your enrollment form to the Windows Live Commercial Partner Center. The enrollment form is available at https://imagine-windowslive.com/Education/Connect/Enroll/Default.aspx.

1. To reserve a Windows Live domain, use your browser to go to http://admincenter.live.com and click “Get started” in the window.

Select a Domain Name

2. Provide your domain name or purchase a new one, then click “set up Windows Live Hotmail for my domain”, or choose “No mail for my domain” if you do not want to create e-mail inboxes. Setting up Windows Live without mail is not common.

Assign a Domain Administrator

3. The next step is to assign a domain administrator to your domain. You can use an existing Windows Live ID, or create a new Windows Live ID.

4. If you select to create a new Windows Live ID, you will have to complete the account creation process.

Review Settings and Accept Agreement

5. After assigning your domain administrator account, confirm your domain by reviewing the agreement applicable to your program. By clicking Accept, you agree to the terms of the Live@edu agreement. To review the Live@edu terms, click the link.

Confirm the Administrator Account

6. To confirm domain ownership and allow mail delivery to Hotmail, Windows Live requires an MX record to be added at the domain registrar in charge of your DNS records.
7. If you are not pointing your MX records to Windows Live, you will need to change your CNAME record to a value supplied by Windows Live, which validates that you own the domain.
8. Once your credentials are confirmed, you are taken to the administration page for your domain.

At this point you should notify the Windows Live Commercial Partner Center (using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww) that your domain(s) are registered with Windows Live Admin Center. The Windows Live Commercial Partner Center will configure your domain as a Live@edu domain and will provide you with the appropriate information for you to begin creating Live@edu accounts.

Note: You will need to confirm an administrator account for all Windows Live domains separately. It is recommended for security purposes that you register an administrator’s Windows Live ID for each person that will be managing your domain. If you are using a certificate for authentication, the certificate will need to be uploaded for each domain and installed on each computer that will be used for administering the domain. For example, if you have 10 separate domains and 10 separate administrators, there are 10 MX records to confirm.

In order to set up multiple administrator accounts for a single domain or assign administrators for a tertiary domain, the above steps will have to be completed for each administrator added to the domain.
Section 4: Identity Lifecycle Manager 2007
Primary Concepts and Terminology
ILM 2007 is a metadirectory product that has a variety of uses for data synchronization and identity
management. In the case of the Live@edu program, it is used to manage Windows Live IDs by
synchronizing data between the institution’s student information data source and Windows Live. To
understand the role of ILM 2007 as it relates to Live@edu, it is important to understand the
fundamentals of this type of product.

The ILM 2007 application runs on Windows 2003 Enterprise Edition. It relies upon Microsoft SQL Server
as the application data store to retain all of the settings for ILM 2007 as well as the identity data that is
synchronized through it.

System Requirements
 Windows Server 2003 Enterprise Edition or Windows Server 2003 R2 Enterprise Edition

 Microsoft .NET Framework 2.0

 Microsoft SQL Server 2000 Enterprise Edition, Standard Edition, or Developer Edition with
Service Pack 3a or later; or Microsoft SQL Server 2005 Enterprise Edition, Standard Edition, or
Developer Edition (32-bit or 64-bit) with Service Pack 1 recommended

For a detailed list of requirements and answers to commonly asked questions, please refer to the ILM
2007 FAQ at http://www.microsoft.com/windowsserver/ilm2007/faq.mspx#EKD.

Metadirectory
A metadirectory collects information from different data sources throughout an institution and then
combines all or part of that information into an integrated unified view. This unified view presents all
the information about an object such as a student or network resource that is contained throughout the
institution. An Identity Management system may have a metadirectory at its heart and ILM 2007 is such
a system. A metadirectory performs the following functions:

 Connects to a variety of data sources, importing a desired subset of data from each one
 Combines all the information about each student or resource into a single entry
 Presents to the institution the unified view of all known information about each student or
resource
 Enforces rules as to which sources are authoritative for a given attribute and what precedence
applies where more than one source is authoritative

Microsoft currently distributes two separate versions of ILM 2007. The Live@edu version allows an
institution to connect to one data source for account imports and to Windows Live for account creation.
The full version of Microsoft Identity Lifecycle Manager 2007 is needed to connect to more than two
data sources. The following table lists the management agents included out of the box with the full
version of Microsoft Identity Lifecycle Manager 2007, and so illustrates the types of data sources the
full version of ILM 2007 can communicate with.

System                                               Management Agent

Network Operating Systems and Directory Services     Microsoft Active Directory (Windows Server 2003 R2, 2003, and 2000)
                                                     Microsoft Active Directory Application Mode (Windows Server 2003 R2 and 2003)
                                                     Microsoft Windows NT 4.0
                                                     IBM Tivoli Directory Server
                                                     Novell eDirectory 8.6.2, 8.7, and 8.7.x
                                                     Sun Directory Server (Netscape/iPlanet/SunONE) 4.x and 5.x

Mainframe                                            IBM Resource Access Control Facility
                                                     Computer Associates eTrust ACF2
                                                     Computer Associates eTrust Top Secret

E-mail and Messaging                                 Microsoft Exchange 2007, 2003, 2000, and 5.5
                                                     Lotus Notes 6.x, 5.0, and 4.6

Applications                                         SAP 5.0 and 4.7
                                                     Telephone switches
                                                     XML-based systems
                                                     DSML-based systems

Databases                                            Microsoft SQL Server 2005, 2000, and 7
                                                     IBM DB2
                                                     Oracle 10g, 9i, and 8i

File-Based                                           Attribute Value Pairs
                                                     CSV
                                                     Delimited
                                                     Fixed Width
                                                     Directory Services Markup Language (DSML) 2.0
                                                     LDAP Interchange Format (LDIF)

All Other                                            Extensible Management Agent for connectivity to all other systems

If the previous table does not include your student data source, you have several options. The first is to
get the data out of your data source and into a format that ILM 2007 can recognize, such as an LDIF file
or delimited flat-file. Flat-files can often be the lowest common denominator between integrating two
systems. You also have the possibility to build your own extensible management agent to connect to the
data source.
Data Aggregation
In most institutions, student information exists in many different data repositories resulting in
duplication of student information; there is no single, reliable place to go for this information about a
student or faculty. Directories that hold identity information are often incompatible. These
incompatibilities include different naming conventions, different directory schemas, different
communication protocols and different data formats. The number of places in which organizations must
manage identity information increases with the addition of new systems. To solve the issues that result
from identity data residing in multiple repositories you can use a metadirectory to:

 Combine the data for a specific person or resource in the metadirectory, thereby creating a
single entry that contains some or all of the identity information from each directory.
 Present a single unified view that contains some or all of the attributes from the different
directories regardless of whether the directories are compatible.
 Provide a platform that can become the basis of an Identity Management (IdM) system – it
contains the authoritative identity information for objects.

Data Synchronization
Because an institution’s student information is often contained in different data repositories, a change
made to data in one repository is not automatically made in any of the other repositories. Making the
change throughout the organization requires the administrator(s) to make the change in each directory
manually. Therefore, updating data in each directory is costly, unreliable and may even present a
security risk. Unmanaged identity information quickly becomes disorganized which results in identity
information that is not synchronized throughout the organization. To manage changes to identity
information you can use a metadirectory to:

 Identify changes to identity information from many sources.
 Propagate those changes automatically to other directories as appropriate (i.e. as defined by
rules which have been configured to support company procedures).
 These changes can be modifications to attributes or to whole objects. This change detection
infrastructure keeps the directories synchronized.

Data Enforcement
Data ownership issues often prevent effective coordination of an institution’s identity information even
though it may be technically possible. Certain departments maintain a strong ownership of their data.
Although ownership of data is not an issue when directories remain separate, retaining ownership when
data is synchronized among multiple directories becomes more challenging. To address data ownership
issues you can use a metadirectory system to:

 Enable administrators to define and enforce ownership relationships at the attribute level.
 Allow, block, or reverse changes made to identity information. If a change to data is consistent
with the ownership rules it is allowed; otherwise, it is blocked (allowing local control) or
reversed.
 Ensure that the departments that own the identity information in a specific directory will
maintain that ownership even when that directory is synchronized with other directories in the
organization.

Data Source
A data source for the Live@edu solution is any place where you have student information – a directory,
database, or other data repository that contains data to be integrated within ILM 2007. Data sources
can be enterprise directories (Active Directory, Novell, ADAM, etc), databases (Oracle, SQL, etc), or even
data in flat files, such as LDIF, DSML or delimited text.

Management Agent
A management agent is a component of ILM that manages the data associated with a specific data
source and connectivity to the data source. The management agent not only connects to the data
source, but is responsible for managing the flow of data (inbound and outbound). There is at least one
management agent for each data source. For many management agents, ILM 2007 communicates
directly with the data source – these are call-based and examples of such directories are LDAP and
Active Directory. For others, where a direct call is not possible, an intermediary file is used such as AVP,
LDIF or fixed width – these are file-based management agents. In some cases, the situation may be more
complex: there may be no management agent specifically for the data source or the data source may,
for example, support a mixture of file-based and call-based activities so that a simple file-based
management agent is insufficiently feature-rich. In such a case, the extensible management agent allows
a developer to create code which instructs the management agent how to communicate with the data
source.

Management agents are primarily configured by setting their properties within the wizard-like interface
in the Identity Manager, the application that manages and configures ILM 2007. There are occasions
when more complex operations are desired than those possible through the user interface (for example,
combining the contents of FirstName and LastName to make a displayName); in this case, a
management agent can be augmented by .dll extensions produced using Visual Basic.NET or C# or,
indeed, any language making use of the .NET Common Language Runtime (CLR). It is not necessary to
write code in most basic implementations of Live@edu, however remember that the capability is there
if needed.

Metaverse
The Metaverse is a set of tables within ILM 2007 that contain the integrated identity information from
multiple data sources. All identity information about a specific student or object, which is stored in
multiple data sources, is synthesized into a single entry in the metaverse. Your students will most likely
have a single unique object in the metaverse representing each student.

Connector Space
The connector space is a storage area and a staging area. It stores the different states that are used to
decide whether information in a data source has changed, or needs to be changed. It is also where
changes are staged on their way into or out of ILM 2007. Each data source has its own logical area in the
connector space, which is managed by its corresponding management agent. The connector space is
essentially a mirror of the related data source, with each object in the data source having a
corresponding entry in the connector space. The connector space does not contain the data source
object itself, but a subset of the object’s attributes, as defined by the management agent.

Provisioning
When we think of objects in data sources, they will often be accounts, such as an Active Directory®
service account. The term account is often used even for groups, resources, and so on. Provisioning is
the creation of accounts in data sources (such as LDAP directories, databases, and e-mail systems). Once
provisioned, the account attributes can be managed as those of any existing object. The manual creation
(and removal or disabling) of accounts in several systems is administratively burdensome, prone to
errors and inconsistency, and leaves potential security gaps. For Live@edu, the act of provisioning refers
to the creation of a Windows Live ID account. You can use ILM 2007 to:

 Automatically create accounts (objects) in directories, based on their addition in one
(authoritative) directory.
 Continue to manage those accounts, including removal (de-provisioning) and disablement.

Provisioning will occur within ILM 2007 to create the Windows Live IDs in the Windows Live
environment. The Windows Live Management Agent will be entrusted to handle this task on behalf of
ILM 2007. This management agent will take the e-mail address of the student to be provisioned from
the data source, connect to the Windows Live server, create the account and then return the
confirmation to ILM 2007. Similarly, should the user who has an account need to have the account
evicted (deleted) from the school namespace, the management agent will again connect to the
Windows Live server to evict the account.


Running a Synchronization
During development, a management agent is executed by means of the user interface. In production
systems, it is desirable to run management agents in sequence without user intervention, both on a
scheduled basis, and occasionally in response to specific events (for example, the submission of a new
student registration). Such automated execution of management agents is achieved using the WMI
functions of ILM 2007 in conjunction with a scheduling agent (described in detail later).
Extensible Management Agents
Management agents allow ILM 2007 to connect to a wide variety of different data sources and manipulate
data from them. While most management agents provide connectivity to one specific connected data
source, the extensible management agent expands the ILM 2007 connectivity options by allowing
developers to build any connection they want by writing code within the confines of a management
agent. Information is provided in the ILM 2007 developer reference help files and on MSDN.

State Based System


ILM 2007 is a state-based system. There are advantages to this (particularly robustness) as well as
potential disadvantages (extra processing and storage) but the actual result is a very effective and
flexible compromise. ILM 2007 stores a hologram for each external object of which it is aware; this
hologram represents the current view of the data stored in each data source. During a subsequent
import of the data from the data source, the imported object data is compared with the hologram. If
any differences are detected between the two (for example, the values for the Student Type attribute do
not match, or a new or missing object is detected), a change is inferred and the change is passed to the
ILM 2007 Sync Engine to be propagated through the metadirectory. In a deployed system, management
agent runs are invoked by scheduled scripts, which are run either on a scheduled basis or in response to
external events (for example, a web portal could invoke a run so that accounts requested through the
portal are created promptly). ILM 2007 then asks for data -- it is a pull system, which avoids the need for a push
agent on each data source. However, ILM 2007 can work with Delta Import (i.e. imports of only those
objects that have changed; as it happens, Exports are always delta in nature). Some data sources
support this already, others may be able to with some modification, yet others simply cannot support
this feature. Where deltas can be used, there are considerable savings in processing time (traffic and
state comparisons). Depending on how many students are being processed by the system and the
frequency of the processing, designing the data source to provide ILM 2007 with delta updates may be
extremely important. ILM 2007 can work entirely with Full Imports, minimizing the intrusion on data
sources; additionally, it is sometimes necessary to use a Full Import (for example on initial import or
when recovering from a data source failure).

Operations
This section discusses common operational and maintenance related tasks that need to be performed
on the ILM 2007 server to ensure the solution is backed up and stable. Additionally common
troubleshooting methodology is outlined to assist in dealing with operational errors.

Backup and Restore of ILM 2007


Microsoft Identity Lifecycle Manager 2007 is composed of two primary pieces, the ILM 2007 application
and the SQL server database that stores the configuration and identity information. These pieces
together are used to complete the synchronization of data between the connected directories. Since
there is a logical separation between the two parts of the application, disaster recovery needs to be
approached accordingly.
ILM 2007 Application
The ILM 2007 server contains the installation of the ILM 2007 application along with the rules-
extensions, scripts, configuration files, log files and data files that are used to run the day to day
operations. A backup of the files that are associated with the ILM server are needed to restore/fail-over
the complete ILM solution on a different server. The entire directory containing the ILM installation will
need to be backed up. The default directory, unless it has been modified on installation, is c:\Program
Files\Microsoft Identity Integration Server.

ILM 2007 Database


In addition to the ILM application and associated files the MicrosoftIdentityIntegrationServer database is
stored in a SQL server. This server can be the local server that runs ILM, or another dedicated SQL
server. All of the configuration and run history as well as all objects in the connector space and
Metaverse are stored in this SQL server. Additionally, some of the files such as the extensions in the
c:\Microsoft Identity Integration Server\Extensions folder are stored in SQL as binary entries. When a
database restore is completed, these files are extracted out of the database and stored on the server.
There are several methods to fail over the ILM application. Depending on what fails (server, servers,
network, site, SQL servers due to a SQL-related virus, etc.), it might be necessary to modify the disaster
recovery plan. The following plans cover common scenarios for failing over the ILM application.

Disaster Recovery Plan 1 (SQL Outage)


The main focus of a SQL disaster recovery plan is to restore the SQL database on the local server or
another server and then re-install ILM to point to the database (if it is on a different server). Since all of
the run-history, management agent data, and Synchronization information is stored in the database,
restoring the database will bring you back to the state when the backup was taken. Please refer to the
ILM documentation on how to restore the MicrosoftIdentityIntegrationServer database. Specifically
“Restoring Microsoft Identity Lifecycle Manager 2007” in the main help. After recovering from a SQL
outage, running a full import may be necessary to refresh the data in the connector spaces.

Disaster Recovery Plan 2 (ILM Server Outage)


A failure of the ILM server should not result in any data loss; however, there are other critical
components on the ILM server. For example, all of the source code, backup keys, operations scripts and
any information in the MAData folder will be lost if you restore by reinstalling ILM. From this standpoint it
is important to also have file system backups of the Microsoft Identity Integration Server folder.

If you have the encryption keys mentioned above, the easiest way to recover from an ILM server outage
is to reinstall ILM 2007 and the Windows Live Management Agent and point it to the existing SQL Server
database. Once you provide the encryption keys and restore the supporting files in the proper folders,
you should be up and running. Again, refer to “Restoring Microsoft Identity Lifecycle Manager 2007” in
the ILM 2007 help.
List of Maintenance Operations
The table below provides a quick reference for those product maintenance tasks that the System
Administrator should perform on a regular basis. This list summarizes the tasks that are required to
maintain ILM operations. There are more best practices listed in the Help File of your ILM server.

Frequency   Tasks

Daily       View and examine the results of all the ILM management agent runs from the Identity
            Manager Operations interface (see the Identity Manager section below).

Weekly      Examine the Run History to determine if it needs to be backed up and cleared.

As needed   Resolve issues reported by your customers.

As needed   Understand and, if needed, fix all events reported in the Event Log.

As needed   Disconnect objects that are incorrectly joined and make sure they are properly joined at
            the next synchronization cycle.

As needed   When bad data is found through ILM, take the proper steps to ensure that the owner of
            this data fixes it at the source.

As needed   Back up and clear the run history of ILM.
Backing up Management Agents
Once you have your Windows Live ILM implementation up and running, it’s a good idea to back up the
management agents by exporting them in XML format.

1. To back up your management agents, highlight a management agent in the management agent
window, then, from the Actions menu, select Export Management Agent.
2. Save the management agent configuration file to a location on your hard drive.

3. To import your MA to a new or restored ILM implementation, from the Identity Manager, click
Import Management Agent.
4. Select the XML file for the management agent you want to import and click Open.

5. Verify your settings by visiting the configuration tabs in the MA, then click OK.
Section 5: Setting up the Environment
Installation requirements
The following requirements must be installed prior to implementing the Live@edu solution. Please refer
to the product documentation for the different products for more details.

Windows Server 2003 Enterprise Edition


ILM 2007 requires Windows Server 2003 Enterprise Edition. To verify that your server meets the
minimum hardware requirements and for instructions about installing Windows Server 2003, Enterprise
Edition, see Installing and Upgrading the Operating System at the Microsoft Web site
(http://go.microsoft.com/fwlink/?LinkId=36737). Please install the latest version of Windows Server
2003 with any appropriate service packs and hot fixes.

Microsoft SQL Server 2005, or 2000, Standard or Enterprise Edition, Service Pack 3 (SP3)
ILM 2007 utilizes SQL server as the back end data store. This allows ILM 2007 to retain all of the
configuration settings for ILM 2007 as well as the identity information that is contained in ILM 2007.
During installation ILM 2007 creates the database it will use as its data store. ILM 2007 requires SQL
Server 2000 with Service Pack 3a (SP3a) or later. This means that SQL Server 2000 must be installed first
and then the SQL Server 2000 Service Pack must be applied.

ILM Service Account and Security Groups


ILM 2007 requires a service account to be configured to run the ILM 2007 service. When installing ILM
2007, you must create an account that will be used to run the ILM 2007 service. This account is known
as the ILM service account. This account must be a domain account if the SQL Server is not installed on
the ILM 2007 Server. If SQL is installed locally, the service account may be a local account.

Additionally, there are five security groups that need to be configured. ILM 2007 creates three groups
during installation that control which tasks in the Identity Manager users can perform. The following
groups are created by ILM 2007:

 MIISAdmins — Members of this group have full access to everything in the Identity Manager.
 MIISOperators — Members of this group have access to Operations in the Identity Manager
only. MIISOperators can run management agents, view synchronization statistics for each run, and
save the run histories to file. Members of the MIISOperators group must also be members of the
MIISBrowse group to open links in the synchronization statistics.
 MIISJoiners — Members of this group have access to Joiner and Metaverse Search in the
Identity Manager. MIISJoiners can join or project disconnectors using Joiner, and use Metaverse
Search to view object properties and disconnect objects from the Metaverse.

ILM 2007 also creates two security groups during installation that do not have access to the Identity
Manager, but are used for authentication during password management operations:
 MIISBrowse — Members of this group have permission to gather information about a user's
lineage when doing password reset operations with Windows Management Instrumentation (WMI)
queries.
 MIISPasswordSet — Members of this group have permission to perform all operations using the
password management interfaces with WMI. Members in this group inherit all MIISBrowse
permissions. For more information about setting passwords using WMI, open the ILM 2007
Developer Reference.

Typically it is best to create the service account and security groups before you begin setup; otherwise,
the person running the ILM 2007 installation will have to have rights in the domain to create the groups
through the setup program. After ILM 2007 is installed, add your user account to the
MIISAdministrators group (or whatever name you chose for the group). Adding yourself will give
you full control of ILM 2007.

Note: You must log out and log back in before security group membership will take effect.

Microsoft Identity Lifecycle Manager 2007


To install ILM 2007, you use the ILM Install Wizard. The wizard allows you to customize the installation
of ILM 2007 depending on your environment. The following list describes the options that are available
in the wizard during a complete setup:

 License Agreement - You must accept the terms in the license agreement to continue with the
installation.
 Setup Type Complete - Selecting this option allows you to specify the values for the Store
Information, the Service Account Information, and the Group Information options. The
remaining options will be installed with their default values.
 Store Information - You use the Store Information option to specify information about the SQL
Server that will be hosting the ILM 2007 database. You can choose between a local and a remote
SQL Server, and between the default instance and a named instance of SQL Server.
 Service Account Information - Use the Service Account Information option to specify the
account to be used for the ILM 2007 service. This account must already exist.
 Group Information - ILM 2007 uses five different security groups to provide different levels of
access. The Group Information option is used to specify the names of these five groups. If the
groups do not exist the wizard will create them. In addition to creating the groups the wizard
will add the user account being used to perform the installation to the ILMAdmins group. This
option is only available if you selected the Custom setup type.

When the installation is complete and before you can run the Identity Manager, you must log off and
then log on again to have your new group membership (in the ILMAdmins group) take effect.
Section 6: Creating and Configuring the Data Source Management Agent
Configuring the Data Source Management Agent
There are nine basic steps to configure your data source management agent. These steps will vary
depending on the type of data source; however, the overall concepts include the following:

1. Connecting ILM 2007 to the Student Data Source
2. Understanding the Student Data Source Schema
3. Select a Subset of the Source Data
4. Configure Connector Filter Rules
5. Configure Join Rules
6. Configure Projection Rules
7. Configure Import Attribute Flow
8. Configure Deprovisioning
9. Configure Extensions

Using these nine concepts and the details below should allow you to create a management agent that
connects to your data source to get the student information.

Connecting to the Student Data Source


ILM 2007 can connect to a wide range of data sources including databases (SQL Server, Oracle),
directories (Active Directory, Sun ONE) and files. Depending on which data source type you are working
with you will be presented with different options during the configuration of the management agent
that works with that data source.

Database Management Agents


Database management agents generally require a data source name (or Server name plus a Database
name) and the name of the relevant table or view containing the data to be processed. A View is
generally preferable to a Table as it provides a level of abstraction between source data and ILM. A View
lets you pre-select both the dataset to be processed by ILM and the attributes which are available to
ILM; but it also means that if the underlying table(s) change, you do not have to reconfigure ILM (you
may or may not need to modify the Views concerned).
You must supply the security credentials of an account which has the appropriate permissions in the
target system – i.e. it must be at least able to read the data and able to write to the database
appropriately if changes are to be exported from ILM into this database.

Note: The Table or View you specify for Full Import is also written to during Export. Not all views can
be written to in this way – a detail that will have to be taken into account during design. It is not
common that you will need to export to the data source when implementing a basic Live@edu
solution.

LDAP Management Agents


LDAP management agents such as eDirectory, ADAM and Sun ONE Directory Services management agents
typically require the specification of a server and TCP port to which to connect as well as a security
account which has the appropriate permissions to the directory concerned. Active Directory is a little
more complex requiring a forest and domain and providing for preferred domain controllers. You can
generally specify secure communication where available (e.g. SSL/SASL or Sign & Seal).
File-based Management Agents
Because a file-based management agent does not communicate directly with its Connected Data Source,
you do not connect – instead you provide the name and location of a template file.

Understanding the Student Data Source Schema


Before you can identify the object types and attributes to be managed by a management agent, the data
source’s schema must be established – a process which the management agent uses to identify which
object types and attributes are available. Different management agents handle this process differently.
Some data sources do not have extensible schemas in which case the management agent already knows
the predefined schema for that data source.

Management Agent Schemas


The following list describes schema discovery approaches for each management agent:

Management Agents that support the dynamic discovery of the source directory or database:

 Active Directory
 Active Directory Application Mode (ADAM)
 Active Directory global address list (GAL)
 Microsoft Exchange Server 5.5
 Microsoft Exchange Server 5.5 (bridgehead server)
 Novell eDirectory
 Sun ONE directory services
 Microsoft SQL Server
 Oracle Database

Management Agents with a fixed schema that models the database structure:

 Windows NT 4.0
 Lotus Notes

Management Agents that require the discovery of the data in the sample file:

 Delimited text file
 Fixed-width text file
 Attribute-value pair text file (AVP)
 Directory Services Markup Language (DSML)
 LDAP Directory Interface Format (LDIF)

Anchor Attributes
The anchor attribute holds the unique value that links an object in the data source to its object in the
connector space. Management agents make educated assumptions about anchor attributes. Here are
some examples:

SQL Server management agents offer (as a default) the primary key of the source table if one is defined;
you can override this if necessary, and the default cannot be used where a view is the source. You can
assume that other database management agents (e.g. Oracle) behave in the same way.

With AVP, delimited or fixed-width management agents you must define the anchor yourself. It is a
reasonable assumption that other text-file management agents behave like this.

In the Active Directory management agent the DN is treated as the anchor, and a unique DN is generated
during account creation. Under the covers the management agent actually tracks AD accounts by their
object GUID, which you never see; this is what allows a DN to be changed in AD and recognized as a
rename at the next import. Renames cannot be detected in simple anchor cases such as SQL Server or
AVP. Most other LDAP-based management agents (e.g. ADAM, Sun ONE, Lotus Notes, eDirectory) behave
much like the AD management agent.

LDIF and DSML management agents must contain a DN attribute, and you must either define this DN as
the anchor attribute or select another attribute as the anchor. The full explanation is beyond this guide,
but in summary: if the DN is also the anchor, ILM cannot detect a rename (if the object has moved, ILM
cannot keep track of it). With a separate anchor, renames can be recognized through the special MOD DN
and MOD RDN change types.

Object Types and Attributes


LDAP management agents (like AD, ADAM) allow you to pick object classes and attributes from a list.
With database management agents, you define a view to contain the appropriate records and fields. All
of the attributes discovered are then processed. Similarly, the columns or attributes discovered in a
template file will determine which attributes are imported and exported by a file-based management
agent.

The object types and attributes available in the data source are reflected in the ILM system by the
generation of a schema for the connector space. It is sometimes required to specify additional details for
an attribute if the management agent is not able to identify those details from the data source. Where
the management agent understands its source system very well (the Active Directory management
agent, for example) there is no need (or potential) to modify the attributes which will be created in the
ILM system. However, for file-based management agents and, to a more limited extent, for database
management agents, it is possible to modify the attribute details. You can specify (for example) the data
type, the length of the data (minimum and maximum), whether the attribute will store a reference to
another object, and whether the attribute is multi-valued.

Select a Subset of the Source Data


For both fundamental design reasons and for improved performance you may wish ILM to process only
a subset of the data stored in the connected data source.

Database management agents


Database management agents import all the records and all the fields (columns) in the specified table or
view. Intelligent design of a view as a source for the management agent will provide the appropriate
data subset for the management agent.

LDAP management agents


LDAP connected data sources potentially contain multiple partitions (e.g. naming contexts or domains)
as well as hierarchical container structures within those partitions and LDAP management agents
support the selection of subsets of both these elements. You can select one or more partitions along
with one or more of the containers within each partition. You are next asked to select object classes to
process and their attributes. The management agent will then process all the objects of the selected
types within the selected containers within the selected partitions.

File-based Management Agents


Since a different file is typically used for export and import runs, the file to be used is specified in the run
profile selection (rather than in the management agent itself). Such import files are processed in their
entirety so configuration of a data subset for file-based management agents is performed by the process
which generates the text file for the management agent.

Configure Connector Filter Rules


A staging object that is not linked to a metaverse object is called a disconnector object. A connector
filter determines whether an object should stay a disconnector object in the connector space. Thus, the
connector filter prevents these objects from being further processed by the synchronization and rules
engine and even disconnects objects that are already connected (with the exception of explicit
connectors – those that have been manually joined). Connector filters are not required. They are used to
prevent unwanted objects from being synchronized with the metaverse.

Refine Further by Using Filters to Select Subsets


When we think of filters we tend to think of subsets of data, and a clear distinction needs to be made
between the data subset that is imported (staged) from the data source to the connector space, as
already discussed, and the subset of staged data to be held in the connector space as disconnectors. An
example of use would be where you have objects in the connector space that while not actually deleted
in the data source are no longer active and therefore do not need to be represented in the metaverse.
This could be filtered out at source and therefore not imported, but this may not be convenient or even
achievable. Another example might be if your Active Directory included an attribute named status that
was set to contain the current status of each person in the student list (such as Student, Alumni, or
Applicant). You may not want to assign Windows Live IDs to Applicants since they are not yet students. A
filter can be used to prevent data related to applicants from being added to the metaverse during
synchronization.

Configure Join Rules


Join rules determine whether there is an existing metaverse object to which to join a connector space
object. If the join criterion is met the connector space object is linked to that metaverse object.

A join rule is made up of one or more conditions which compare connector space object attribute values
and metaverse attribute values looking for matches. As each connector space object is considered and if
all conditions are met for a given metaverse object then that object becomes a candidate for joining. If
this is not the case, the next rule in the specified order is tested, and so on. Unless you are
integrating the Live@edu solution into an environment where you have an existing ILM 2007 installation
you will most likely not need to configure a join rule; instead you will configure a projection rule. One
exception is a disaster recovery scenario, where you would re-join each disconnected connector space
object to its metaverse object by matching on its mail address.
Configure Projection Rules
Projection rules govern the conditions under which a new metaverse object is created from a connector
space object. Projection rules are responsible for determining if projection into the metaverse should
occur and the appropriate object type to employ. Projection rules differ from join rules in that during a
join process the metaverse is searched for existing objects; during the projection process projection
rules determine whether or not a new object is created in the metaverse so that other connector space
objects can link to it. Management agents apply projection rules to objects where a join has failed or join
rules were not configured.

Note: At least one of your management agents must have a projection rule or you’ll never get any
data in the metaverse.

You need to define a projection rule for your object type so that ILM 2007 will create the objects in the
metaverse for each of the imported students (except those filtered out). You will typically choose to
project your students through a declarative rule to the person object type.

Configure Import Attribute Flow


ILM 2007 uses connector space objects to store data moving from and to the connected data sources
during import and export operations. ILM 2007 uses metaverse objects to store the data in the
metaverse. The process of moving data between connector space objects and metaverse objects is
called attribute flow. Attribute flow occurs during synchronization and is governed by attribute flow
rules. Attribute flow rules are scoped by data source object type and metaverse object type and can be
defined with the following options:
 Direct – flows the value of one attribute straight into another attribute
 Advanced – either a rules extension, a constant value flowed into the attribute in every case, or a
chosen component of a DN flowed into the attribute
 Import – from connector space to metaverse (inbound attribute flow)
 Export – from metaverse to connector space (outbound attribute flow)

If you want to create a custom attribute in the metaverse (for example, TempPassword), use the
Metaverse Designer tool: in Identity Manager, click Metaverse Designer, then click Add Attribute in the
Attributes Actions list.

Click New attribute, type the attribute name, select the attribute type and tick the box next to Indexed.
Click OK. The metaverse attribute is now ready to be used.

Import flow rules


Import flow rules specify how attribute values should flow from the data source via the connector space
to the metaverse. You specify the source attribute from the connected data source (data source) and
the destination metaverse attribute. You will need to create flow rules for any information that is
interesting to Windows Live. A prime example of this is importing the e-mail address of the students in
the mail attribute in the metaverse.

Direct flow rules


You can specify direct flow rules which simply copy the value from source to destination.

Advanced rules
You can also specify advanced rules, which allow flow calculations to be performed either by a rules
extension or by one of the built-in advanced mappings; for example, flowing a component of a
distinguished name into the destination attribute as a string. Finally, a common advanced mapping type
is the constant option, which flows a fixed string value into the metaverse object for every linked object
of this type. Advanced attribute flows are discussed in more detail in the ILM 2007 Developer Reference
help file.
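As an added illustration (not ILM code and not part of the Live@edu solution), the following Python script models the inbound synchronization rules described in this section: a connector filter that leaves Applicants as disconnectors, a projection rule that creates a person object for everyone else, and import flow rules of the kinds listed above (direct, constant, and a component of a DN). The student records, the status attribute and the rule table are constructed for the example; the DN splitting honours backslash-escaped commas, which is the detail that trips up a naive split.

```python
"""Toy model of ILM 2007 inbound synchronization: connector filter,
projection, and import attribute flow (direct / constant / DN component).
Added illustration, not ILM code; the records below are constructed."""

# Constructed sample of staged connector-space objects (one per student).
STAGED = [
    {"dn": "CN=Ann Lee,OU=Students,DC=campus,DC=edu",
     "mail": "ann.lee@campus.edu", "status": "Student", "sn": "Lee"},
    {"dn": "CN=Bob Ng,OU=Applicants,DC=campus,DC=edu",
     "mail": "bob.ng@campus.edu", "status": "Applicant", "sn": "Ng"},
    {"dn": "CN=Cy Ok\\, Jr.,OU=Alumni,DC=campus,DC=edu",   # escaped comma in RDN
     "mail": "cy.ok@campus.edu", "status": "Alumni", "sn": "Ok"},
]

def split_dn(dn):
    """Split a DN into its RDN strings, honouring backslash-escaped commas."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):     # keep the escape pair together
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts

def dn_component(dn, n):
    """Value of the n-th RDN counted from the left (1 = leaf), unescaped."""
    rdn = split_dn(dn)[n - 1]
    _, _, value = rdn.partition("=")
    return value.replace("\\,", ",")

# Import flow rules: (metaverse attribute, mapping type, argument).
FLOW_RULES = [
    ("mail", "direct", "mail"),
    ("sn", "direct", "sn"),
    ("displayName", "dn-component", 1),     # leaf RDN value -> displayName
    ("employeeType", "constant", "Live@edu"),
]

def connector_filter(cs_obj):
    """True means 'keep this object as a disconnector' (do not synchronize)."""
    return cs_obj.get("status") == "Applicant"

def apply_flow(cs_obj):
    """Evaluate the import flow rules for one connector-space object."""
    mv = {}
    for mv_attr, kind, arg in FLOW_RULES:
        if kind == "direct":
            if arg in cs_obj:
                mv[mv_attr] = cs_obj[arg]
        elif kind == "constant":
            mv[mv_attr] = arg
        elif kind == "dn-component":
            mv[mv_attr] = dn_component(cs_obj["dn"], arg)
    return mv

def synchronize(staged):
    """Return (metaverse, disconnector DNs). With no join rules configured,
    every unfiltered object is projected as a new 'person' metaverse object."""
    metaverse, disconnectors = [], []
    for cs_obj in staged:
        if connector_filter(cs_obj):
            disconnectors.append(cs_obj["dn"])
            continue
        mv_obj = {"objectType": "person"}        # projection rule -> person
        mv_obj.update(apply_flow(cs_obj))
        metaverse.append(mv_obj)
    return metaverse, disconnectors

if __name__ == "__main__":
    mv, dis = synchronize(STAGED)
    for obj in mv:
        print(obj)
    print("disconnectors:", dis)
```

Running it projects Ann and Cy as person objects and leaves Bob (status Applicant) as a disconnector; note that the filter is applied at synchronization, after the object has already been staged in the connector space, exactly as the section describes.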

Configure Deprovisioning
Deprovisioning is the action applied to a connector space object when its connected metaverse object is
deleted, or when a piece of code calls directly for the connector space object to be deprovisioned. For
Live@edu, tick the box next to "Do Not Recall Attributes" and leave the radio button set to Make them
disconnectors, so that you do not start deleting objects from your data source.

Make them Disconnectors


If the objects become disconnectors, then on every synchronization run of the management agent they
are run against the filter, join and projection rules again, which may result in them joining to a
metaverse object once more if a join rule was specified.

Make them Explicit Disconnectors


If the objects become explicit disconnectors then they are not run against the filter, join and project
rules, when a synchronization run of the management agent is performed, and thus will never rejoin to
a new metaverse object even if a new match becomes available unless the join is performed manually
with the Joiner tool.

Stage a Delete
You can put the connector space object into a pending delete state; when the next export run is
performed the corresponding data source object will be deleted.
Rules Extension
The decision on what to do with the object is made by a rules extension, for which you must provide the
code.

Configure Extensions
Extensions are code that is written, compiled, and configured for use with ILM 2007 that makes it
possible to add functionality to the rules provided in Identity Manager. They are not necessary for a
basic Live@edu implementation but allow for customized and extended functionality.
Section 7: Installing and Configuring the Export Management Agent

NOTE: This Admin Guide covers provisioning of account to Hotmail Only. This guide does not
cover Exchange Labs provisioning

Installing the Windows Live Management Agent


To create and manage accounts in Windows Live, ILM 2007 needs a management agent that knows how
to communicate with Windows Live. This is done through the Windows Live Management Agent.
Running the installation program will add the Windows Live Management Agent to the ILM 2007
installation that you just completed.

1. Locate the Windows Live Management Agent installation file (WLCDMASetup.msi) and launch it.
Create the Windows Live (Export) Management Agent
Make sure you are logged into the machine as a user that is a member of the ILM administrators group.

2. Open the ILM Identity Manager console by clicking Start -> All Programs -> Microsoft Identity
Integration Server -> Identity Manager.

3. Click Management Agents.

4. On the Actions menu on the right you will see a list of actions that you can perform on a
management agent. Click Create to launch the wizard for creating a management agent.
5. Under Create Management Agent, there will be a dropdown list of all of the different installed
Management Agents. The fact that each of these management agents is installed on this server
means that this ILM installation could potentially connect to and communicate with each type of
data source in that list. Select WLCD Management Agent (Microsoft).
6. In the Name text box enter a name that describes the use of this management agent. Click Next.
7. On the Configure Connection Information page, enter your domain administrator credentials. If
you are using a certificate for authentication instead, simply click Next.
8. On the Configure Additional Parameters page, you can change the value for the name of the log
file created during every export to Windows Live.
9. On the Configure Attributes page, as with the other management agent you just created, you
could make further configuration changes – for example setting an anchor – but it has been
done already. Accept the default settings. Click Next.
10. On the Configure Object Types page accept the default settings. As with the other management
agents there is only one object type, in this case called PassportUser rather than person, so there
is nothing to do here. Click Next.
11. On the Configure Connector Filter page accept the default settings (since the Windows Live
Management Agent is export only, you will never have a requirement for a filter). Click Next.
12. On the Configure Join and Projection Rules page, accept the default settings. Join and
projections rules are associated with inbound synchronization, which usually applies to
imported records – we are only going to be exporting to Windows Live so there is no
requirement for such rules. Click Next.
13. On the Configure Attribute Flow page you must at a minimum create a rule to export the e-mail
address to Windows Live.
 Ensure that the Data source object type is set to PassportUser
 Ensure that the Metaverse object type is set to person (if applicable)
 Under Metaverse Attributes on the bottom right, select the mail attribute or whichever
attribute you have contributed the e-mail address of the student to from the data source
 Under Mapping Type in the middle, select Direct (this is the default)
 Under Flow Direction in the middle, select Export (ensure that Allow Nulls is unchecked)
 Under Data Source Attributes on the bottom left, select the SigninName attribute
 Click New
14. Verify that the attribute flow is configured similar to the figure below:

15. Click Next

This rule will allow the mail attribute that we contributed to the metaverse from the student data source
to flow out to the SigninName in Windows Live using a direct export rule.
Passport User Attributes
The SigninName string is the member name (the e-mail address). Windows Live ID sign-in names must
conform to RFC 822 (SMTP) for the user-name portion of the address and to RFC 1035 for the domain
portion, with the following additional restrictions on the user-name portion:

 50 characters max
 No Unicode; ASCII only
 First character must be a letter (ASCII 65-90 or 97-122)
 Period (ASCII 46) is allowed except as the first or last character, and two adjacent periods are
not allowed
 All other characters must be in the ASCII ranges 48-57 (digits), 65-90 (uppercase), 95
(underscore) or 97-122 (lowercase)
 Any other character is disallowed
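The following added example, which is not part of the management agent or of this guide, checks a proposed sign-in name against the rules above before it is flowed to SigninName, so that a bad value is caught inside ILM rather than rejected at export time. The sample names are constructed; the domain check applies the RFC 1035 label rules (letters, digits and hyphens, no leading or trailing hyphen, at most 63 characters per label), which is my reading of the domain-portion requirement.

```python
"""Validator for Windows Live ID sign-in names per the rules listed above.
Added example, not part of the management agent; sample names are constructed."""
import re

MAX_LOCAL = 50
# Letter first, then only letters, digits, underscore and period (ASCII only).
LOCAL_OK = re.compile(r"^[A-Za-z][A-Za-z0-9_.]*$")
# RFC 1035 label: alphanumeric ends, hyphens allowed inside, 63 chars max.
LABEL_OK = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def check_local_part(local):
    """Return None if the user-name portion is acceptable, else the reason."""
    if not local:
        return "empty user name"
    if len(local) > MAX_LOCAL:
        return "longer than 50 characters"
    if not local.isascii():
        return "contains non-ASCII (Unicode) characters"
    if not local[0].isalpha():
        return "first character must be a letter"
    if local.endswith("."):
        return "last character may not be a period"
    if ".." in local:
        return "two adjacent periods"
    if not LOCAL_OK.match(local):
        return "disallowed character"
    return None

def check_domain(domain):
    """Return None if the domain portion is a syntactically valid DNS name."""
    if not domain or len(domain) > 253:
        return "domain empty or too long"
    labels = domain.split(".")
    if len(labels) < 2:
        return "domain must have at least two labels"
    for label in labels:
        if not LABEL_OK.match(label):
            return "bad DNS label %r" % label
    return None

def validate_signin_name(name, expected_domain=None):
    """Return (ok, reason). If expected_domain is given (your Live@edu
    domain), the domain portion must match it, case-insensitively."""
    if name.count("@") != 1:
        return False, "must contain exactly one '@'"
    local, domain = name.split("@")
    for err in (check_local_part(local), check_domain(domain)):
        if err:
            return False, err
    if expected_domain and domain.lower() != expected_domain.lower():
        return False, "domain is not %s" % expected_domain
    return True, "ok"

if __name__ == "__main__":
    for candidate in ("ann.lee@campus.edu", "ann..lee@campus.edu",
                      "1ann@campus.edu", "anne-lee@campus.edu"):
        print(candidate, validate_signin_name(candidate, "campus.edu"))
```

A natural place to call this is an import or export rules extension, so that a record failing the check is logged and left unexported instead of producing a failed export run against Windows Live.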

Note: Configuring the SigninName is the minimum that you need to do for this management agent;
however there are also other attributes that you can use to change settings or set initial account
passwords. The following attributes allow you to flow the following values to specific student
accounts.

Attribute Description

<dn> The distinguished name is used as an anchor.

AltEmail The user's alternate e-mail address. A string with a maximum length of 129
characters. Set this for the students if you know it, so that they do not have to call
the helpdesk to have the administrators of the solution reset their password if they
forget it. Sets only on creation of account, not on update.

Birthdate The user's birth date. A string with a maximum length of 10 characters in the
following format: dd:mm:yyyy. Sets only on creation of account, not on update.

Country The user's country. A string with a maximum length of 2 characters. Sets only on
creation of account, not on update. There is a list of valid Country Codes in
Appendix A.

DeleteUser A boolean value (true or false) that determines whether an account should be
evicted from the managed namespace. Eviction is not reversible; see MailDisabled for
a reversible block.

Export_password An attribute used by ILM for password management. Not user configurable.

FirstName A member's given name. Sets only on creation of account, not on update.

LanguageCode The member's language. A string with a maximum length of 5 characters. Sets only
on creation of account, not on update. There is a list of valid Language Codes in
Appendix B.

LastName A member's surname. Sets only on creation of account, not on update.

MailDisabled Boolean value (1 or 0) that represents whether a user is blocked from logging in. A
setting of 1 indicates that the user is blocked and will not be able to use his or her
Windows Live ID to access any services. This might be used to lock a student out of
their account while an investigation of invalid behavior takes place. Remember that
evicting an account means that it can no longer be a member of the university
namespace: blocking a user is a reversible operation, whereas eviction is not.

NetID A long string representing the user's ID in the Windows Live system. This unique
identifier is assigned by the Live ID servers and does not need to be managed.

OfferAction A value that performs an action on an OfferName. Can be Add or Remove.

OfferName A string that represents the OfferID associated with the user, for example, US No
Ads. Offers must be configured on the Microsoft system to be valid. If you are
having issues with your offer, please contact the Windows Live Commercial Partner
Center using this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww

PostalCode The user's postal code. A string with a maximum length of 15 characters; United
States only. Sets only on creation of account, not on update.

RegionCode The user's region. A string with a maximum length of 10 characters; United States
only. Sets only on creation of account, not on update. There is a list of valid Region
Codes in Appendix D.

ResetPassword A value that determines whether a user should be prompted to change their
password during first login.

TempPassword The temporary initial password for a new Windows Live ID. The password must be
reset by the user on initial login. There are several options for managing passwords
for the accounts. If you choose to set the initial password to a known value, this is
the attribute to set. Otherwise you can leave this setting blank and have the
Windows Live Management Agent create a password for you, in which case the
password is written to the log file for you to communicate to the students. That log
file then holds live credentials, so restrict access to it and deliver the passwords to
students over a channel you trust. Please see the Password Management section of
this document for more information.

TimeZone The user's time zone. This setting is important to set for the students so that
features such as the calendar are properly experienced. If the time zone is not set,
the mailbox defaults to GMT. Sets only on creation of account, not on update.
There is a list of valid time zones in Appendix C.
16. On the Configure Deprovisioning page, accept the default settings which should be Make them
disconnectors. This will prevent your users from inadvertently getting evicted from the Windows
Live namespace. Click Next.
17. On the Configure Extensions page, tick the Enable Password Management box if you are using
password synchronization with Active Directory; otherwise leave it clear. Click Finish.

Enable Provisioning
ILM 2007 uses the term provision to describe the process that it goes through to create a new account.
For ILM 2007 to be able to create new accounts in Windows Live you must first enable provisioning.
Typically using ILM 2007 to provision (create) accounts requires some code to be written so that it
knows how to properly create those accounts. The Live@edu installation has already taken care of this
for you by placing the compiled code into the correct folder. The compiled code is referred to as a
Metaverse Rules Extension. You will need to configure ILM 2007 to use that Metaverse rules extension
to create accounts in Windows Live. This is done by pointing ILM 2007 to the rules extension that was
installed on the machine during setup of the Windows Live Management Agent and checking the box to
enable provisioning.
18. In Identity Manager, on the Tools menu, click Options
19. On the Configure Extensions dialog box, click Enable Metaverse Rules Extensions.
20. To pick the name of the Rules Extension from the list of files in the Extensions folder, click
Browse.
21. Select WLCDMVExtensionLoader.dll from the list of file names.

22. Click OK.

You should see the filename WLCDMVExtensionLoader.dll that you selected in the Rules extension name
field.
23. Click Enable Provisioning Rules Extension.

24. Click OK.


Section 8: Configure XML Files
Configure XML Settings
You must configure XML file settings to reflect the configuration of your environment. For the Windows
Live Management Agent to be adaptable to the needs of different schools there are certain settings that
need to be configured specific to each implementation. During installation, the default files were copied
to the appropriate folder. The XML configuration files are located in the Extensions folder of the ILM
2007 installation path, usually C:\Program Files\Microsoft Identity Integration Server\Extensions. There
are two XML files in total that may need to be configured. They are:

WLCDGlobalConfig.xml
This XML file uses elements that the management agent uses to apply global account attributes and
controls for a domain, such as certificate authentication, offers, and global user attributes.

The WLCDGlobalConfig.xml contains settings that apply to all Windows Live member accounts
provisioned with ILM. It may be opened with Notepad as a text file for ease of viewing and editing. You
will need to change values for at least the DefaultOfferName and Domain Name elements to reflect your
offer and domain name assigned to you. This file resides in the ILM Extensions directory (usually
c:\program files\microsoft identity integration server\extensions). Here is an example WLCD
GlobalConfig XML file:
Elements
An element in XML is defined as a unit of XML data, delimited by tags. An XML element can enclose
other elements. The following elements make up the body of the management agent Global
Configuration XML file:

Element Description

<DefaultCert> If using a certificate for authentication, the sub-elements <Subject> and <Issuer>
must contain the Subject and Issuer strings shown in the Windows Live Admin Center
control panel, SDK menu.

<Subject> Contains a value such as E=ed-desk@microsoft.com, CN=sapipartner.com, O=OXFORD
Computer Group, C=US, copied from the Windows Live Admin Center SDK control panel.

<Issuer> Contains a value such as CN=Microsoft Secure Server Authority, DC=redmond, DC=corp,
DC=microsoft, DC=com, copied from the Windows Live Admin Center SDK control panel.

<DefaultOfferName> Contains a value such as "US No Ads".

<DefaultResetPassword> Controls whether members have to reset their password during the
initial login experience. This element can contain the values True or False.

<Url> Contains the URL for the Windows Live Admin Center administration website for
provisioning accounts, such as https://domains.live.com/service/ManageDomain2.asmx.

<Domain name=""> Contains the value of your fully qualified domain between the quotation
marks, such as wledutraining.com.

<DefaultUserAttributes> Contains values for the attributes below, which are applied globally to
all member accounts.

<Country> Contains a value representing a member's country code for a domain. See Appendix A.

<LanguageCode> Contains a value representing a member's language code for a domain. See
Appendix B.

<OfferName> Contains a value representing a member's offer, such as "US No Ads".

<TimeZone> Contains a value representing a member's time zone. See Appendix C.

<PostalCode> Contains a value representing the member's postal code.

<RegionCode> Contains a value representing the member's region code. See Appendix D.

<BirthDate> Contains a value representing a member's default birthdate, in the format
DD:MM:YYYY.

Note: Global attributes from the XML are only set on member accounts upon account creation.
Setting the attribute values after provisioning accounts will not update them.
WLCDProvisioningConfig.xml
This XML file controls the settings that are relevant to ILM 2007 and how you have it configured. You
will need to edit this file for the solution to work properly. This XML file is used to identify the name of
your export management agent and enable account creation of Windows Live IDs in ILM 2007. Other
elements may also be set in this file to identify and customize your ILM environment, such as
MVEntryObject and MVEntryAttribute, if you customized them. An administrator can also use this XML
file to filter domains and add custom assemblies for added functionality, or specify more than one
export management agent.

You will need to enter the name of your management agent in the name element and (optionally) the
MVEntryObject and the MVEntryAttribute. This file resides in the same ILM extensions directory
(usually c:\program files\microsoft identity integration server\extensions) as the WLCDGlobalConfig. The
following is a sample WLCDProvisioningConfig XML :
Elements
Element Description

<rules-extension-properties> Wrapper element for the contents of the file.

<account-provisioning> Wrapper element containing one or more ManagementAgent elements.

<ManagementAgent> Contains several sub-elements specifying the settings to which this rules
extension applies. There should be one ManagementAgent element for each Windows Live
Management Agent in ILM 2007.

<Name> The name of the export management agent for connecting to Windows Live Admin Center.
The XML file's default management agent name is "Windows Live Custom Domains Management
Agent". This value must match the exact name of the Windows Live Management Agent as it
appears in ILM 2007; it is a good idea to copy and paste from the Name field in the
management agent properties window to ensure they match.

<MVEntryObject> The type of the metaverse object containing member account information. The
XML file's default MVEntryObject is person, which is also the usual value. This value should
match the metaverse object type used when configuring the management agent's attribute flow.

<MVEntryAttribute> The name of the metaverse attribute containing member accounts. The XML
file's default MVEntryAttribute is mail. This is the attribute, inside the object defined by
MVEntryObject, which contains the e-mail address of the user to be exported. Usually set to
mail, or to whichever attribute you have previously set up to hold the Windows Live e-mail
address.

<Domain> The domain to which the rules extension applies. If you have only one e-mail domain
set up with Live@edu, this is the domain that should appear here (for example
wledutraining.com). This element may be repeated.

<Filter> Contains a Boolean value, true or false, stating whether to filter on the domain. If
true, the filter limits the users exported by the management agent named above to those in the
domain specified by the Name element below. In other words, anyone whose e-mail domain does
not match will not be exported by the Windows Live Management Agent that you are currently
configuring.

<Name> The domain specified for filtered exports. Only used if Filter is true.

<add-assemblies> A node that contains one or more assembly elements and configures the
metaverse extension DLLs to be used by ILM 2007.

<assembly name="WLCDMVExtension.dll"> Specifies an assembly linked to this rules extension; the
name attribute is the file name of the DLL that contains the Metaverse Rules Extension. Add
further assembly elements (copy and paste this one) if you are running other rules extensions.

Note: If you have multiple Windows Live Management Agents in ILM 2007, you must create a
<ManagementAgent> node with all the required data for each one.
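The two configuration files are only described above, so the following added example (not the Live@edu extension's code) shows how their settings combine at export time: the Domain/Filter elements of WLCDProvisioningConfig.xml decide which Windows Live Management Agent a metaverse person is routed to, and the DefaultUserAttributes of WLCDGlobalConfig.xml are stamped on the account only when it is created. Both XML documents are constructed from the element tables; the root element name of the global file, the nesting of <Domain>/<Filter>/<Name> inside <ManagementAgent>, and the per-person "wlcd" override dictionary are assumptions made for the example.

```python
"""How WLCDGlobalConfig.xml and WLCDProvisioningConfig.xml settings combine
for an export. Added example, not the Live@edu extension's code; the XML
below is constructed from the element tables (root element name and the
Domain/Filter/Name nesting are assumptions)."""
import xml.etree.ElementTree as ET

GLOBAL_XML = """<WLCDGlobalConfig>
  <DefaultOfferName>US No Ads</DefaultOfferName>
  <DefaultResetPassword>True</DefaultResetPassword>
  <Url>https://domains.live.com/service/ManageDomain2.asmx</Url>
  <Domain name="wledutraining.com">
    <DefaultUserAttributes>
      <Country>US</Country>
      <LanguageCode>en-US</LanguageCode>
      <OfferName>US No Ads</OfferName>
    </DefaultUserAttributes>
  </Domain>
</WLCDGlobalConfig>"""

PROVISIONING_XML = """<rules-extension-properties>
  <account-provisioning>
    <ManagementAgent>
      <Name>WLCD MA wledutraining.com</Name>
      <MVEntryObject>person</MVEntryObject>
      <MVEntryAttribute>mail</MVEntryAttribute>
      <Domain><Filter>true</Filter><Name>wledutraining.com</Name></Domain>
    </ManagementAgent>
    <ManagementAgent>
      <Name>WLCD MA alumni</Name>
      <MVEntryObject>person</MVEntryObject>
      <MVEntryAttribute>mail</MVEntryAttribute>
      <Domain><Filter>true</Filter><Name>alumni.wledutraining.com</Name></Domain>
    </ManagementAgent>
  </account-provisioning>
  <add-assemblies><assembly name="WLCDMVExtension.dll"/></add-assemblies>
</rules-extension-properties>"""

# Attributes the guide lists as "sets only on creation of account".
CREATION_ONLY = {"AltEmail", "Birthdate", "Country", "FirstName", "LanguageCode",
                 "LastName", "PostalCode", "RegionCode", "TimeZone"}

def load_agents(xml_text):
    """Return [(ma_name, mv_object, mv_attribute, {filtered domains})]."""
    root = ET.fromstring(xml_text)
    agents = []
    for ma in root.iter("ManagementAgent"):
        domains = set()
        for dom in ma.findall("Domain"):
            if dom.findtext("Filter", "false").strip().lower() == "true":
                domains.add(dom.findtext("Name", "").strip().lower())
        agents.append((ma.findtext("Name"), ma.findtext("MVEntryObject"),
                       ma.findtext("MVEntryAttribute"), domains))
    return agents

def select_agent(agents, mv_entry):
    """Name of the first MA whose domain filter admits this metaverse entry,
    or None when every agent filters it out (it is then simply not exported)."""
    for name, mv_object, mv_attr, domains in agents:
        if mv_entry.get("objectType") != mv_object or mv_attr not in mv_entry:
            continue
        domain = mv_entry[mv_attr].rsplit("@", 1)[-1].lower()
        if not domains or domain in domains:      # no filter => export everyone
            return name
    return None

def export_attributes(global_xml, mv_entry, is_new):
    """PassportUser values for one export: global defaults for the entry's
    domain, overridden by per-person values; creation-only attributes are
    dropped when the account already exists (is_new=False)."""
    root = ET.fromstring(global_xml)
    attrs = {"SigninName": mv_entry["mail"],
             "OfferName": root.findtext("DefaultOfferName"),
             "OfferAction": "Add",                 # OfferName assumes Add if unset
             "ResetPassword": root.findtext("DefaultResetPassword")}
    domain = mv_entry["mail"].rsplit("@", 1)[-1].lower()
    for dom in root.findall("Domain"):
        if dom.get("name", "").lower() != domain:
            continue
        defaults = dom.find("DefaultUserAttributes")
        if defaults is not None:
            for el in defaults:
                attrs[el.tag] = (el.text or "").strip()
    attrs.update(mv_entry.get("wlcd", {}))       # assumed per-person overrides
    if not is_new:
        for key in CREATION_ONLY:
            attrs.pop(key, None)
    return attrs

if __name__ == "__main__":
    agents = load_agents(PROVISIONING_XML)
    person = {"objectType": "person", "mail": "ann@wledutraining.com",
              "wlcd": {"Country": "GB", "FirstName": "Ann"}}
    print(select_agent(agents, person))
    print(export_attributes(GLOBAL_XML, person, is_new=True))
    print(export_attributes(GLOBAL_XML, person, is_new=False))
```

The second ManagementAgent element is there to show the multi-agent case from the note above: a person whose mail is in alumni.wledutraining.com is routed to the alumni agent, and a person in a domain that no agent admits is routed nowhere, which is the intended effect of the Filter element.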

Configure Offers
OfferName and OfferAction are 2 attributes in version 3 of the Windows Live Management Agent that
ensure accounts receive the Live@edu offers for your domain. All accounts must have their OfferName
and OfferAction configured.

Your offer name is provided to you by the Windows Live Commercial Partner Center when they
configure your domain as a Live@edu domain. Appropriate offer actions are Add and Delete.

Attribute Flow
In the Attribute Flow scenario, the values for OfferName and OfferAction are stored in your source data
and flowed through ILM in much the same way as e-mail address. OfferName assumes the OfferAction
of Add if it is not specified.

WLCDGlobalConfig
In the Global Config scenario, the values for OfferName are included in the WLCDGlobalConfig XML file
and stamped on member accounts at the time of creation.
Section 9: Additional Settings
Managing MX Records
MX records specify how to route mail to your new e-mail domain. It is critical that these are modified
correctly for the proper routing of mail messages to your Windows Live IDs. These records must be
modified in your DNS server by the DNS server administrator.

Create DNS MX Entry


For each e-mail domain, an administrator account must be created in the Windows Live Admin Center as
mentioned on page 15. Once the administrator account has been confirmed, the mail service is
enabled.

Add a Sender Policy Framework (SPF) Record for Each E-mail Domain
To help combat unsolicited e-mail you are encouraged to create an SPF record and add it to the DNS
records of your domain. The record tells receiving mail servers which hosts are authorized to send mail
for your domain, so mail that genuinely comes from your domain is less likely to be filtered or rejected
by a receiving server that checks SPF, and mail forged in your domain's name is more likely to be caught.
An example TXT record follows; the include: directive delegates to Hotmail's published list of sending
hosts, and ~all is a soft fail for any other sender:

v=spf1 include:hotmail.com ~all

Optional: DNS SRV Record

You must create a DNS SRV record if your users are to exchange instant messages from their assigned
Windows Live Managed Namespace(s) with any company that has rolled out Live Communications Server
2005 with Public IM Connectivity (PIC).

The format of that DNS SRV record is:

_sipfederationtls._tcp.<domain name> ttl class SRV 10 2 5061 federation.messenger.msn.com

where the four values after SRV are the priority (10), weight (2), port (5061, SIP over TLS) and the
target host. For instance,

_sipfederationtls._tcp.alumni.university.edu ttl class SRV 10 2 5061 federation.messenger.msn.com
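
The following is an added example and is not part of this guide or of the Windows Live Management
Agent: a small standard-library Python script that checks an SPF TXT record and a
_sipfederationtls._tcp SRV record against the formats given in the two sections above before they are
handed to the DNS administrator. The sample records are constructed, with a concrete TTL and class
(3600 IN) standing in for the guide's ttl and class placeholders, and the function names are the
example's own; no DNS queries are performed.

```python
"""Added example: sanity-check the SPF and SRV records described above.
Not part of the Live@edu guide; standard library only, no DNS lookups."""
import re

# Constructed samples in zone-file form (3600 IN stands in for the guide's
# "ttl class" placeholders).
SAMPLE_SPF = "v=spf1 include:hotmail.com ~all"
SAMPLE_SRV = ("_sipfederationtls._tcp.alumni.university.edu 3600 IN SRV "
              "10 2 5061 federation.messenger.msn.com")

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an SPF record into (qualifier, mechanism, argument) tuples."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record: missing v=spf1 version tag")
    terms = []
    for term in parts[1:]:
        qualifier = "+"                       # SPF default qualifier is pass
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        if "=" in term:                       # modifier, e.g. redirect=example.com
            name, arg = term.split("=", 1)
        elif ":" in term:                     # mechanism with argument, e.g. include:hotmail.com
            name, arg = term.split(":", 1)
        else:
            name, arg = term, None            # bare mechanism, e.g. all, mx
        terms.append((qualifier, name.lower(), arg.lower() if arg else None))
    return terms


def assess_spf(record, required_include="hotmail.com"):
    """Return findings for an SPF record; [] means it matches what the guide expects."""
    terms = parse_spf(record)
    findings = []
    if ("include", required_include) not in {(n, a) for _, n, a in terms}:
        findings.append(f"missing include:{required_include}")
    all_terms = [(q, n) for q, n, _ in terms if n == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted hosts get an implicit neutral result")
    elif all_terms[0][0] == "+":
        findings.append("'+all' authorizes every host on the Internet to send as this domain")
    elif terms[-1][1] != "all":
        findings.append("'all' should be the last term; terms after it are never evaluated")
    return findings


SRV_RE = re.compile(
    r"^_sipfederationtls\._tcp\.(?P<domain>[A-Za-z0-9.-]+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<priority>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>[A-Za-z0-9.-]+)$",
    re.IGNORECASE,
)


def parse_srv(rr):
    """Parse a _sipfederationtls._tcp SRV record in zone-file form into its fields."""
    match = SRV_RE.match(rr.strip())
    if not match:
        raise ValueError("not a _sipfederationtls._tcp SRV record in zone-file form")
    fields = match.groupdict()
    return {
        "domain": fields["domain"].rstrip(".").lower(),
        "ttl": int(fields["ttl"]),
        "priority": int(fields["priority"]),
        "weight": int(fields["weight"]),
        "port": int(fields["port"]),
        "target": fields["target"].rstrip(".").lower(),
    }


def assess_srv(rr, expected_target="federation.messenger.msn.com", expected_port=5061):
    """Return findings for the federation SRV record; [] means it matches the guide."""
    srv = parse_srv(rr)
    findings = []
    if srv["target"] != expected_target:
        findings.append(f"target is {srv['target']}, expected {expected_target}")
    if srv["port"] != expected_port:
        findings.append(f"port is {srv['port']}, expected {expected_port} (SIP over TLS)")
    return findings


if __name__ == "__main__":
    for label, record, check in (("SPF", SAMPLE_SPF, assess_spf), ("SRV", SAMPLE_SRV, assess_srv)):
        problems = check(record)
        print(f"{label}: {'OK' if not problems else '; '.join(problems)}")
```

The SPF check flags the two mistakes most often seen in practice, a record that ends in +all (which
authorizes the whole Internet) and an include that was left out, while the SRV check confirms the port
and target host match the values the guide specifies.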
Section 10: Running the Solution
Once the solution is installed and configured you can create the necessary run profiles and complete the
solution.

Data Synchronization
Data flow in ILM 2007 occurs in three phases: import, synchronization, and export. Importing is the
process of retrieving data from a connected data source and storing it in the connector space. Objects
must exist in the connector space to store the data being imported. If new objects are needed in the
connector space they are created during the import operation. The process of creating the new objects
and storing the newly imported data in the connector space is referred to as staging. Once data is
staged, it is ready for inbound synchronization. Inbound synchronization is the process that adds the
imported (staged) data to the Metaverse. During the import (staging) operation all data is imported into
the connector space including objects that meet the filtering criteria. All filtered objects in the connector
space are ignored during inbound synchronization so they do not get processed and are not added to
the Metaverse. Join and projection rules are applied during inbound synchronization to create
Metaverse objects as necessary and connect connector space objects to Metaverse objects. Import
attribute flow rules are applied during inbound synchronization to further control exactly what data
flows from the connector space to the Metaverse.

Outbound synchronization takes place at the same time as inbound synchronization and is the process
of retrieving data from the Metaverse and storing it in the connector space to get it ready for export.
Exporting is the process of sending data in the connector space to a connected data source. Outbound
synchronization and exporting data are discussed in more detail later in this guide.

Now that the management agents are configured you can begin processing the data. ILM 2007 makes it
possible for you to examine the data being processed during each phase of the data flow process. You
may take advantage of this feature to familiarize yourself with the statistics and message displays that
are shown during and at the completion of the runs.

Run Profiles
For each management agent you can define a number of run profiles. These are used to initiate each of
the three phases of data flow. Run profiles provide operating parameters to management agents each
time they are run. The information in the run profile varies based on the management agent that uses it.
For example, a run profile for a delimited text file management agent contains parameters indicating the
name of the text file that is used as the connected data source and data indicating which phase of the
data flow is to be processed.

In this document you create one run profile for each management agent. This makes it possible to
process one phase of the data flow, then stop and examine the data to make sure it is flowing as
expected, which lets you monitor and troubleshoot a new deployment. Once data flow has been verified
and you are confident everything is functioning properly, you can create more sophisticated run profiles
that perform a number of steps at once. For the purposes of this walkthrough, and to help you learn how
data flows, simple individual run profiles are used for each phase rather than combining multiple phases
into a more extensive run profile.

Configure the Full Import and Full Synchronization Run Profile for the Import Management
Agent
The first run profile is used to stage the data from the source management agent to the connector space
and from there, to synchronize it with the Metaverse. ILM 2007 allows the combining of these two
actions into a single run profile.

1. Open Identity Manager if necessary.

2. Make sure that the Management Agents tool is active.

3. Click the name that you assigned to the source management agent when you created it.

4. In the Actions menu, choose Configure Run Profiles. The Configure Run Profiles for <management
agent Name> screen opens.

5. Click New Profile… to open the Configure Run Profile screen.

6. Enter Full Import and Full Synchronization as the name of the run profile in the Name text box and
click Next.

7. On the Configure Step screen, specify the type of operation that occurs when this run profile is
used, that is, which phase of the data flow is processed. In the drop-down list, choose Full Import
and Full Synchronization. This option stages all the data in the data source into the connector space
and then synchronizes it with the Metaverse.
8. The other options on this screen are not needed here. Click Next.

9. Leave the Partition set to default and click Finish.

10. Click OK to return to Identity Manager.

Configure Export Run Profile for the Windows Live Management Agent
The second run profile you need to create is the Export run profile for the Windows Live
Management Agent. This profile exports the data from the Windows Live ID connector space and sends
it to the Windows Live service for processing. Examples of data exported during an Export run of the
Windows Live Management Agent include the addition (provisioning) of users, the eviction (removal
from the namespace) of users, and password resets. To create the Export run profile, follow the steps
above used to create the Full Import and Full Synchronization profile, but instead of selecting Full
Import and Full Synchronization in the drop-down list, select Export. To verify that the run profile has
been created, select the name you assigned to the Windows Live Management Agent in the Management
Agents screen and then select Run from the Actions menu. You should see a screen listing the profiles,
with the Export profile among them.

Delta Import and Delta Synchronization

What are Deltas?


While Full Import and Full Synchronization runs are thorough and evaluate every object in the data
source, it is prudent to run Delta Import and Delta Synchronization whenever possible and a Full
Import and Full Synchronization only occasionally (weekends, monthly, etc.). The difference is that a
full run processes every object every time, whereas a delta run processes only the objects that have
changed since the last run. For example, if you have 150,000 users in your source repository, only 15
of them are new today and you performed a run yesterday, a delta run processes just those 15 users
and ignores the rest, while a full run processes all 150,000. The delta and full synchronization run
profiles apply only to the management agent connected to the source data; the Windows Live
Management Agent only performs exports, which are inherently deltas.

Setting up Deltas
Setting up deltas is straightforward if you are using Active Directory as the source data store. AD
supports deltas by default, and the only change needed is a run profile that explicitly uses them:
choose the Delta Import, Delta Synchronization step rather than the Full Import, Full Synchronization
step when creating the profile. The AD management agent then creates and uses the deltas
automatically. If AD is not your data source, you may still be able to use deltas if your source supports
them; deltas have been implemented for LDAP directories, SQL servers and many other systems. See the
Developer Reference in the Help menu of Identity Manager for more information on setting up and
configuring deltas in various connected directories.

Populating the Metaverse
Now that you have created the appropriate run profiles, you must populate the ILM Metaverse before
you can create new Windows Live IDs from the data it will contain. To populate the Metaverse, run the
data source management agent with a Full Import, Full Synchronization run profile. This type of run
should occur at regular intervals but should probably not be your standard daily run, because a full
import and full synchronization evaluates every object and therefore takes time. In the ILM management
console, on the Tools menu, click Management Agents, and then click the data source management agent
(the name you previously assigned to it) to highlight it. On the Actions menu click Run to display the Run
Management Agent dialog box. Under Run profiles, click the appropriate profile for Full Import, Full
Synchronization (for most setups like the one discussed above, there is only one), and then click OK.

Note: If the option is available, create and run a Delta Import, Delta Synchronization profile instead of
a Full Import, Full Synchronization profile. The Delta profile is run with the same steps as above, with
the different run profile selected. For more information, see the Delta Import and Delta Synchronization
section above.

Note: Depending upon the number of Windows Live IDs to be processed the job may execute for
several seconds to several hours. ILM management agents run in a single thread and you can expect
an approximate rate of 2-6 seconds per account, depending on network traffic, connectivity etc.

The end result of a management agent run is shown at the bottom of the main window in a panel
containing the end time and status. If the status indicates success, see the next section, Creating
Windows Live IDs. Otherwise, see the Troubleshooting section later in this guide.

Troubleshooting the Staging of the Student Data

If you are having problems staging the data from the student data source, check the following and see
the section titled Troubleshooting:

 Configure the proper partition and OU information when setting up the Active Directory
management agent (the source management agent).

 Set the synchronization step type to Full Import and Full Synchronization when creating the
staging run profile.

Creating Windows Live IDs


In the ILM management console on the Tools menu, click management agents, and then click the
Windows Live Management Agent (or another name you‘ve assigned to it at the time of creation) to
highlight it. On the Action menu click Run to display the Run management agent dialog box. Under Run
profiles click the appropriate profile for export (for most setups, there is only one named Export), and
then click OK.
The end result of a management agent run is shown at the bottom of the main window in a panel
containing the end time and status. If the status indicates success, as circled in the screen capture below,
see the next section, Managing the Output Files.

As with other ILM management agents Windows Live Management Agent results are available for future
reference in the Operations log. To view the Operations log click on the Tools menu of the ILM
management console and then click Operations.

NOTE: This Admin Guide covers provisioning of account to Hotmail Only. This guide does not
cover Exchange Labs provisioning

Managing the Output Files


For a management agent run with a status of success, or in some cases completed-export-errors, an
output log contains the temporary passwords assigned to the new Windows Live IDs that were
successfully processed. The logs are located in C:\Program Files\Microsoft Identity Integration
Server\MaData\<your Windows Live Management Agent name> (or the equivalent for your ILM
installation). The file name prefix is set in the Additional Parameters property of the management
agent, with the date and time appended to complete the file name. The format of the file looks like this:

Given the sensitive nature of its contents, the file is stored in a folder that by default is accessible only
to members of the MIISAdmins security group, and optionally the MIISOperators security group; the latter
is granted permission by a manual configuration step. This folder should also be backed up to a
secondary location with restricted access. The output file gives the System Administrator a reference
from which to produce the first-time communication of the Windows Live ID e-mail account name and
password to the target user, when the password was not supplied through ILM at the time of user
creation. The user is forced to change the password (and set a secret question and answer) at first
sign-in, per the flow shown in Password Management later in this guide. Even after users have changed
their passwords, the file is still considered sensitive because it is an inventory of valid e-mail names. It
is recommended that you delete the file and its backup(s) 60 days after the temporary Windows Live IDs
have been communicated to the users. After deletion the ILM Metaverse is the definitive source for the
e-mail names, and it is backed up as standard operating procedure.

Features of the Windows Live Management Agent


Besides the basic configuration of the attribute flow and XML files there are several other features of the
Windows Live Management Agent that you can take advantage of.

Renaming of E-mail Addresses


Because the Windows Live Management Agent v3.0 allows renaming of e-mail addresses, you can
perform a rename by flowing a new e-mail address into the SigninName attribute of the Windows Live
Management Agent. This is useful when, for example, the e-mail address is based on the person's name
and the name changes because of an event such as a marriage.

Note: Currently, renaming an account results in the loss of the mailbox content for that account,
although calendar and contact information are retained. Microsoft is building functionality so that
the account keeps its mailbox content as well. There is no ETA for this functionality; as soon as it is
released, the Windows Live@edu team will notify all schools in the program and update the FAQ. In the
interim, it is recommended that you create new accounts instead. To create new accounts using Active
Directory as your data source, you must use an anchor attribute such as employeeID rather than
SigninName.

Deleting Windows Live IDs


You can delete, or evict, Windows Live IDs from your namespace for students who are voluntarily leaving
the namespace, and whenever you need to clean up the namespace. If a member tries to sign in to an
evicted account, the member is asked to rename their Windows Live ID to something outside the domain
namespace; the member can rename into an @hotmail.com address. Evicted Windows Live IDs do not
retain the e-mail in their existing accounts, but they do retain their Windows Live Address Book. In
Windows Live Messenger, the student retains their contact list and all their contacts are automatically
updated to the student's new IM identity. The freed account name becomes available immediately for
re-use as long as the password length is different.
Setting an Object Deletion Rule
The Windows Live management agent needs to be configured with “Stage a Delete” in the Configure
Extensions tab, then in the ILM management console on the Tools menu, click Metaverse Designer, and
then click Configure Object Deletion Rule.

To enable the Windows Live ID evict feature select either the second or third option in the following
dialog box.

Note: The second option is used in conjunction with your source data management agent and not with
the Windows Live Management Agent. When an object is deleted from the source management agent
the Windows Live ID will be evicted from the managed namespace on the next export run. If you want
to write custom code for the deletion rules select the third option and modify your rules extension
code accordingly. Note that you may not, in this case, use the precompiled rules extension that ships
with the management agent because it contains no deletion rules.

Attribute Interdependencies
Within the Windows Live ID system, certain attributes are related to each other. For improved user
experience we suggest you configure the five attributes below on all accounts. These attributes will
allow students to self reset their passwords, access the calendar, and have their mail stamped with the
appropriate date and time.

The values can be applied to the Windows Live ID profiles via Attribute Flow or in
WLCDGlobalConfig.xml. Further information regarding these attributes can be found in the
Administrators Guide appendices.

Country     Two-letter alphabetic country code, e.g. US.

PostalCode  1-15 digit numeric code for the user's postal code, e.g. 98052.

TimeZone    1-4 digit numeric code for the user's time zone, e.g. 1119.

RegionCode  1-5 digit numeric code for the user's region (state), e.g. 5599.

Birthdate   10-character string for the birthdate in the format DD/MM/YYYY, e.g. 31/12/1960
            (without quotes).

Note: Providing some, but not all of these fields may cause errors. It is best practice to provide all.
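
The following is an added example, not part of this guide: a standard-library Python pre-flight check
that validates the five attributes above for each account before they are flowed, so that a batch
does not reach the Windows Live Management Agent with some but not all of them set. It assumes the
formats in the table (Birthdate with slashes, as in the table's example, and an upper-case two-letter
country code); the function names and the sample batch are the example's own.

```python
"""Added example: pre-flight check of the five related profile attributes
before they are flowed to the Windows Live Management Agent. Not part of
the Live@edu guide. Formats follow the table above; Birthdate is taken as
DD/MM/YYYY with slashes, as in the table's example value."""
import re
from datetime import datetime

# Attribute name -> pattern for a well-formed value.
PROFILE_RULES = {
    "Country": re.compile(r"^[A-Z]{2}$"),             # two-letter country code, e.g. US
    "PostalCode": re.compile(r"^\d{1,15}$"),          # 1-15 digits, e.g. 98052
    "TimeZone": re.compile(r"^\d{1,4}$"),             # 1-4 digits, e.g. 1119
    "RegionCode": re.compile(r"^\d{1,5}$"),           # 1-5 digits, e.g. 5599
    "Birthdate": re.compile(r"^\d{2}/\d{2}/\d{4}$"),  # DD/MM/YYYY, e.g. 31/12/1960
}


def check_profile(attrs):
    """Return a list of problems for one account's profile attributes.

    attrs maps attribute name -> value; a missing, None or empty value counts as
    not supplied. The note above says supplying some but not all of the five may
    cause errors, so the rule is all-or-nothing: [] is returned when all five are
    present and well formed, or when none of them is supplied.
    """
    supplied = {name: str(value).strip() for name, value in attrs.items()
                if name in PROFILE_RULES and value not in (None, "")}
    if not supplied:
        return []
    problems = [f"{name} not supplied (all five must be set together)"
                for name in PROFILE_RULES if name not in supplied]
    for name, value in supplied.items():
        if not PROFILE_RULES[name].match(value):
            problems.append(f"{name}={value!r} does not match the required format")
        elif name == "Birthdate":
            try:
                datetime.strptime(value, "%d/%m/%Y")   # catches 31/02/1960 and the like
            except ValueError:
                problems.append(f"Birthdate={value!r} is not a real calendar date")
    return problems


def split_batch(records):
    """Partition a batch of dicts (SigninName plus profile attributes) into
    (ready, held) so that only clean records are flowed and the rest are reported."""
    ready, held = [], []
    for record in records:
        problems = check_profile(record)
        (held if problems else ready).append((record.get("SigninName"), problems))
    return ready, held


if __name__ == "__main__":
    # Constructed sample batch.
    batch = [
        {"SigninName": "jsmith@alumni.university.edu", "Country": "US", "PostalCode": "98052",
         "TimeZone": "1119", "RegionCode": "5599", "Birthdate": "31/12/1960"},
        {"SigninName": "ajones@alumni.university.edu", "Country": "US", "PostalCode": "98052"},
        {"SigninName": "bkim@alumni.university.edu"},
    ]
    ready, held = split_batch(batch)
    print("ready:", [name for name, _ in ready])
    for name, problems in held:
        print("held:", name, "->", "; ".join(problems))
```

Run this over the source extract before the import run; a record that is held is fixed at the source
rather than discovered as an export error after it has already reached the connector space.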

Active vs. Inactive student handling

If you wish to retire student accounts that are no longer active in your domain, you have two options.

1. If a member should no longer be part of the domain and you have object deletion rules set, you can
simply delete the member from the data source. This evicts the member from the domain
namespace. The member's mailbox is deleted but contact and calendar information remain intact.

2. If a member retains the domain account but is no longer an active student, the student's offers
should be removed using attribute flow (OfferAction Delete).

Configuring Multiple Sites
It is common for schools to have a completely different domain for different schools within their
community, or separate domains for students and alumni. The WLCDGlobalConfig.xml file allows you to
specify additional domains, and as long as the administrator account (or the certificate used for
authentication) used to create the accounts is an administrator on both domains, the accounts will be
created. A sample WLCDGlobalConfig.xml configured for two domains is below:

Section 11: Password Management
Create Initial Password
To set the initial password for students, select one of two methods. Either use attribute flow in ILM 2007
to set the initial password through the TempPassword attribute, or allow the management agent to
generate the password for you. When the management agent generates the initial password, it is
written to the log file in the C:\Program Files\Microsoft Identity Integration Server\MaData\<export ma>
folder by default.

Password Reset
Two methods are available online for an individual Windows Live ID user to reset his or her own
password: (a) data verification together with answering the secret question, or (b) if an optional
alternative e-mail address was provided, a message is sent to that address containing a link to a site
where the user can change the password. The System Administrator-based password reset procedure
assumes these methods have failed the end user. Before proceeding, the System Administrator must
validate that the user requesting the reset is the legitimate owner of the Windows Live ID, for example
by viewing a student ID card and confirming that the student was assigned the e-mail address for which
the reset is requested. Once it is determined that a System Administrator-based reset is required, the
password may be reset using the methods described below.

Password limitations
Passwords must be at least six characters and at most 16. The Windows Live ID may NOT be part of
the password. For security purposes we recommend that temporary passwords be 10 characters long and
contain at least one character from each of the following sets:

 Lower-case chars: {abcdefghijklmnopqrstuvwxyz}

 Upper-case chars: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}

 Numbers: {0123456789}

 Special Characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)

Once an account has been activated and the secret question set, the password cannot contain part of
the secret question or secret answer. The answer to the secret question helps a member reset a
forgotten password. For example, if the secret question is "Mother's Birthplace" and "Seattle" is the
answer, the Windows Live ID password cannot contain "Seattle". This restriction is not case sensitive.

Attribute Flow based Password Resets (Method 1)


Resetting a lost password is as simple as changing the value of TempPassword that is set through
attribute flow. On the next export run, the user's password is set to that value; you then communicate
the new password to the user, who is forced to change it at next sign-in. In the screen shot example
below, a text file is used as the data source, and a new temporary password has been assigned in the
delimited text file.

After saving the file, one would perform the normal run cycle for the import and export management
agents; an import to connector space from the data source management agent followed by a
synchronization and finished with an export to Windows Live. Attribute flow for the delimited file
management agent looks like the screen shot below, with SigninName and TempPassword importing to
mail and TempPassword in the metaverse.

Delimited data source management agent’s attribute flow:

Export management agent’s attribute flow:

Below is another example of using Active Directory to flow a TempPassword. In this case, the mail
attribute is set in the e-mail field on the General tab and the TempPassword is using the Notes field to
flow into Metaverse.
Active Directory import management agent’s attribute flow:

Export management agent’s attribute flow:

Attribute Flow based Password Resets (Method 2)


1. Create a template delimited text or comma-separated values file whose only content is a header
row with the two column names, SigninName and TempPassword, separated by a comma.
2. Create a second import MA (delimited .txt or .csv) by clicking Create in the Management Agents
tool.
3. Give the management agent a name and a description (optional) and click Next.
4. In Select Template File, click Browse and select the delimited text file you created in step 1.

5. In Delimited Text Format, select the tick box for Use first row for header names, select comma
as the delimiter and click Next.
6. On the Configure Attributes page, set the anchor to the SigninName. Click the Set Anchor
button.

7. Select the SigninName attribute from the list of available attributes, click the Add button and
click OK.
8. Skip the pages for Map Object Types, Define Object Types, Configure Connector Filter and on
the Configure Join and projection rules page, click the New Join Rule button.

9. Select SigninName from the Data source attribute list, set the Mapping type to direct, and select
the metaverse object containing the Windows Live ID, then click Add Condition.
10. If the Metaverse attribute containing your Windows Live ID isn’t indexed in ILM, the message
below may appear. You can fix this by selecting the tick box for the attribute in Metaverse
Designer but it is not necessary. Click OK.

11. The condition statement for the join rule appears in the list; click OK.

12. The join rule appears in Configure Join and Projection Rules, click Next.
13. On the Configure Attribute Flow page, set up direct import attribute flow for SigninName and
TempPassword, then click Next.

14. On the Configure Deprovisioning page, select the radio button next to Do not recall attributes
and click Next.

15. On the Configure Extensions page, click Finish.


16. Copy the template file to MaData folder in the ILM 2007 installation path. The default path is
c:\Program Files\Microsoft Identity Integration Server.
17. Create a Full Import and Full Synchronization run profile for the new management agent by
selecting the management agent in ILM, clicking Configure Run Profiles as mentioned before in
Section…
18. Set the precedence of the password reset management agent above that of the data source
management agent: click the Metaverse Designer tool, select the metaverse object type and the
TempPassword attribute, and then select Configure Attribute Flow Precedence from the Actions
menu.

19. Select the password reset management agent in the list and click the up arrow so that it takes
first order of precedence and click OK.

Performing the reset


1. Edit the template file with the username of the member who needs their password reset and
the new temporary password and save the changes.
2. Run a full import and synchronization on the password reset management agent. You will
notice a successful join in the synchronization statistics.
3. Run an export on the Windows Live export management agent. The user will now be able to use
the new temporary password to log into their account and set a new password.
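
The following is an added example, not part of this guide: a standard-library Python script that
generates temporary passwords meeting the rules and the recommendation given under Password
limitations, checks an existing password against those rules, and writes the SigninName,TempPassword
file that the Method 2 password-reset management agent imports. The page does not define "part of"
the secret question or answer precisely, so the check treats it as any whole word of either appearing in
the password; that interpretation, the function names and the sample sign-in names are the example's
own.

```python
"""Added example: generate temporary passwords that satisfy the Windows Live ID
rules quoted under Password limitations, check a password against those rules,
and write the SigninName,TempPassword file that the password-reset management
agent (Method 2) imports. Not part of the Live@edu guide; standard library only."""
import csv
import io
import random
import secrets
import string

LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^*()-_=+;:,./?`~"          # the set listed in the guide
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)
MIN_LEN, MAX_LEN, TEMP_LEN = 6, 16, 10

# The comma is a legal password character but is also the delimiter of the reset
# file, so generated passwords draw from the special set without it.
GEN_SPECIAL = SPECIAL.replace(",", "")
GEN_CLASSES = (LOWER, UPPER, DIGITS, GEN_SPECIAL)
GEN_ALPHABET = "".join(GEN_CLASSES)
_sysrand = random.SystemRandom()            # OS entropy, same source as secrets


def check_password(password, signin_name, secret_question="", secret_answer=""):
    """Return the rule violations for a password; [] means it is acceptable.

    "Part of the secret question or answer" is not defined precisely on the page;
    this example treats it as any whole word of the question or answer (three or
    more characters) appearing in the password, case-insensitively.
    """
    problems = []
    if not MIN_LEN <= len(password) <= MAX_LEN:
        problems.append(f"length must be {MIN_LEN}-{MAX_LEN} characters")
    lowered = password.lower()
    local_part = signin_name.split("@", 1)[0].lower()
    if local_part and local_part in lowered:
        problems.append("password must not contain the Windows Live ID")
    for label, text in (("secret question", secret_question), ("secret answer", secret_answer)):
        for word in text.lower().split():
            if len(word) >= 3 and word in lowered:
                problems.append(f"password must not contain part of the {label} ({word!r})")
                break
    return problems


def meets_recommendation(password):
    """True if the password follows the guide's advice for temporary passwords:
    10 characters with at least one from each of the four character classes."""
    return (len(password) >= TEMP_LEN and
            all(any(c in cls for c in password) for cls in CLASSES))


def make_temp_password(signin_name, length=TEMP_LEN):
    """Generate a temporary password that meets both the rules and the recommendation."""
    if not len(GEN_CLASSES) <= length <= MAX_LEN:
        raise ValueError(f"length must be between {len(GEN_CLASSES)} and {MAX_LEN}")
    while True:
        chars = [secrets.choice(cls) for cls in GEN_CLASSES]        # one from each class
        chars += [secrets.choice(GEN_ALPHABET) for _ in range(length - len(chars))]
        _sysrand.shuffle(chars)
        password = "".join(chars)
        if not check_password(password, signin_name):               # e.g. contains the Live ID
            return password


def write_reset_file(resets, fileobj):
    """Write (signin_name, temp_password) pairs as the comma-delimited file with a
    header row that the Method 2 management agent imports."""
    writer = csv.writer(fileobj, lineterminator="\r\n")
    writer.writerow(["SigninName", "TempPassword"])
    for signin_name, password in resets:
        writer.writerow([signin_name, password])


def build_reset_file(signin_names):
    """Return ([(signin_name, temp_password), ...], file_contents) for a batch."""
    resets = [(name, make_temp_password(name)) for name in signin_names]
    buffer = io.StringIO()
    write_reset_file(resets, buffer)
    return resets, buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample batch; the file contents are the same secret material as
    # the output log described under Managing the Output Files and need the same care.
    resets, contents = build_reset_file(["jsmith@alumni.university.edu",
                                         "ajones@alumni.university.edu"])
    print(contents, end="")
```

Passwords come from secrets and SystemRandom rather than the default random module, and the file
produced is exactly the header row plus one line per reset, so it can be dropped into the MaData folder
for the password reset management agent and imported with the Full Import and Full Synchronization
profile created in step 17.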

ILM Password Synchronization


ILM 2007 allows the synchronization of passwords set in Active Directory or other “source” systems to
other target systems such as a different AD domain or in this case Windows Live. This functionality
allows you to perform one-way synchronization of passwords from AD to Windows Live IDs if desired.

Using Active Directory as the Source for Password Changes


If you elect to use Active Directory as the source for password changes to Windows Live, you may use a
free pre-built Microsoft solution called Password Change Notification Service (PCNS). PCNS is a mature,
supported solution used by enterprise customers to propagate password changes; it was designed to
propagate password changes between separate AD domains or even AD forests, but it does not require
the target of the password change to be Active Directory, so you may set the Windows Live
Management Agent as the target.
Note: Even though ILM 2007 is not a real-time system in general, the password synchronization will
occur as close to real-time as possible. No running of any management agent is required for the
synchronization to occur; the password will automatically be sent out as soon as it is received.

 The user or an administrator initiates the password change request in AD. The password change
request, including the new password, is sent to the nearest AD domain controller.

 The domain controller records the password change request and notifies the password change
notification filter (a PCNS DLL that monitors for change notifications).

 The password change notification filter passes the request to PCNS.

 PCNS verifies the password change request then authenticates the Service Principal Name (SPN) by
using Kerberos and forwards the password change request in encrypted Remote Procedure Call
(RPC) to the desired ILM 2007 server.

 ILM 2007 validates that the source domain controller is a member of the Domain Controllers
container in the source domain and then uses the domain name to locate the management agent
that services that domain. It uses the user account information in the password change request to
locate the corresponding object in the connector space.

 ILM 2007 determines the management agents that have been configured to receive the password
change (.target. management agents, in our case, Windows Live Management Agent) and if they are
enabled for password synchronization propagates the password change to them.

 The Windows Live Management Agent then performs the proper web service calls to reset the
password in the Windows Live system.

The synchronization described above is a one-way synchronization. Should a user reset his or her
password in Windows Live it will not be reset in AD. However, if the user resets the password in AD it
will automatically be set in Windows Live.

Should you choose to implement password synchronization via PCNS please download the following file:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ae09d2f5-8ac2-4769-ab6a-
48fe35a25c63&DisplayLang=en. After installation please see the Password Synchronization scenario
that may be found under C:\Program Files\Microsoft Identity Integration
Server\Scenarios\PasswordSynchronization or another directory similar to the one above if you had
changed the installation path for ILM 2007. To set up PCNS to synchronize AD passwords to Windows
Live, perform the following steps. Each is explained in detail in the above-mentioned document, which
should serve as your primary reference when setting up PCNS.

 Install the DLL filter on each domain controller in the domain. This is accomplished by running the
MSI installation file that is provided as part of the PCNS solution on each domain controller. This task
may be automated using a push mechanism of your choice that supports automated installs of MSI
files.
 Configure the service principal name (SPN) to point to the desired ILM 2007 server. This is
configured by using the SETSPN utility in Windows and only needs to be performed once on the ILM
2007 server

 Configure the groups in AD that are to have their passwords synchronized. This allows you the
flexibility of only synchronizing the passwords for your student users who are in AD rather than
monitoring for changes from any user.

 Configure the Active Directory management agent (source management agent) to allow for
Password Synchronization. Once the Active Directory management agent is installed and configured
begin by selecting the AD management agent, select Properties, then Configure Active Directory
Partitions. In Password Synchronization, select Enable this partition as a password synchronization
source. Click the Targets button and place a checkmark next to the Windows Live Management
Agent that should be the target management agent for the password changes. Be sure to uncheck
the box to require secure connection for password synchronization operations.

 Configure the Windows Live Management Agent (target management agent) to allow for reception
of password change notifications. Once Windows Live Management Agent is installed and
configured begin by selecting the Windows Live Management Agent, select Properties, then
Configure Extensions. In Password Management, place a checkmark in Enable Password
Management. Verify that the Extension Name is filled in with PassportPasswordExtension.dll and
that the radio button is set to Set and Change. Click the Targets button and uncheck the box to
require secure connection for password synchronization operations.

 While still on Configure Extensions, click the Settings button. Type the CN value from the subject
field of your certificate into the Connect To: text box (in most cases "sapipartner.com"), without the
quotation marks. The CN value can be found on the Details tab of the certificate in the Certificates
management console. Leave the password field blank (it is not necessary).

 Enable Password Synchronization in ILM Options. In Identity Manager, select Tools and then
Options. Place a checkbox in Enable Password Synchronization if it is not already there. This will
allow your management agents to receive Password Synchronization requests from the domain
controllers.

Using Other Systems as the Source for Password Changes


To enable password synchronization from systems other than Active Directory you need to capture
password changes programmatically in that system and then propagate them to ILM through its WMI
interface. Examples are in the Developer Reference help file in ILM at
mk:@MSITStore:c:\program%20files\microsoft%20identity%20integration
%20server\uishell\helpfiles\mmsdev.chm::/mms/example__setting_passwords.htm, or search for
Example: Setting Passwords in the Developer Reference, accessible from the Help menu in Identity
Manager. The following must be configured in ILM 2007 before it will accept password change
requests from your code.
 Configure the Windows Live Management Agent to receive password change notifications. Once the
Windows Live Management Agent is installed and configured, select it, click Properties, then
Configure Extensions. Under Password Management, place a checkmark in Enable Password Management.
Verify that the Extension Name is PassportPasswordExtension.dll and that the radio button is set to
Set and Change.

 Enable Password Synchronization in the ILM options. In Identity Manager, select Tools and then
Options, and check Enable Password Synchronization if it is not already checked. This allows your
management agents to receive password synchronization requests from your password change code.

Once the above steps are completed you can use the example code from the Developer Reference to
send passwords to the Windows Live ID for reset. Only members of the ILM security groups that are
permitted to set passwords (by default MIISPasswordSet and MIISAdmins) can call these WMI methods,
so run your password change code under a dedicated service account in that group rather than under
an interactive administrator.
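The following PowerShell script is an added example for this guide; it is not the Developer Reference sample and not part of the Windows Live Management Agent. It shows the call the configuration above enables: locating a student's connector space object through the ILM 2007 WMI provider, following the join to the Windows Live Management Agent's object for the same student, and invoking SetPassword on it, with the lookup values escaped so that a quote inside a DN cannot alter the WQL query. The management agent names ('Student AD MA', 'Windows Live MA') and the use of an LDAP DN as the source key are assumptions; adjust them to your installation.

```powershell
# Added example; not from the guide or from the ILM Developer Reference. Runs on the ILM 2007
# server under an account that is a member of the ILM password-setting group (MIISPasswordSet
# or MIISAdmins by default). The management agent names below are assumptions.
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

# WQL string literals use single quotes. Doubling any quote in the value keeps a crafted
# DN or sign-in name from changing the query (the WMI equivalent of SQL injection).
function ConvertTo-WqlLiteral([string] $Value) {
    return "'" + $Value.Replace("'", "''") + "'"
}

function Get-CSObject([string] $MaName, [string] $DN) {
    $query = 'SELECT * FROM MIIS_CSObject WHERE MaName = ' + (ConvertTo-WqlLiteral $MaName) +
             ' AND DN = ' + (ConvertTo-WqlLiteral $DN)
    return Get-WmiObject -Namespace $Namespace -Query $query
}

function Set-LivePassword([string] $SourceMaName, [string] $SourceDN,
                          [string] $TargetMaName, [string] $NewPassword) {
    $source = Get-CSObject $SourceMaName $SourceDN
    if ($source -eq $null) { throw "No connector space object '$SourceDN' in '$SourceMaName'." }
    # A disconnector has no metaverse object, so there is nothing on the Windows Live side to update.
    if (-not $source.MvGuid -or $source.MvGuid -eq '{00000000-0000-0000-0000-000000000000}') {
        throw "'$SourceDN' is not joined to a metaverse object."
    }

    # Follow the join rather than guessing the Windows Live DN: the target connector is the
    # object in the Windows Live MA that shares the source object's metaverse GUID.
    $query = 'SELECT * FROM MIIS_CSObject WHERE MaName = ' + (ConvertTo-WqlLiteral $TargetMaName) +
             ' AND MvGuid = ' + (ConvertTo-WqlLiteral $source.MvGuid)
    $target = Get-WmiObject -Namespace $Namespace -Query $query
    if ($target -eq $null) { throw "No '$TargetMaName' connector is joined to '$SourceDN'." }

    # SetPassword hands the new value to PassportPasswordExtension.dll (the 'Set and Change'
    # option above). Use ChangePassword($old, $new) instead when the caller must prove the
    # current password. Anything other than 'success' is a failure status string.
    $result = $target.SetPassword($NewPassword)
    if ($result.ReturnValue -ne 'success') {
        throw "SetPassword for '$($target.DN)' returned '$($result.ReturnValue)'."
    }
    return $result.ReturnValue
}

# Usage (never write $password to a log or transcript; it is the student's live credential
# until they change it):
# Set-LivePassword 'Student AD MA' 'CN=Adam Smith,OU=Students,DC=university,DC=edu' 'Windows Live MA' $password
```

The script deliberately resolves the target through the metaverse GUID instead of constructing the Windows Live DN from the e-mail address: that way it only ever touches a Windows Live ID that ILM already considers joined to the student, and a typo or a crafted input cannot reset somebody else's password.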

Another option for creation of Password Reset or Change functionality is to contact Oxford Computer
Group (Oxford). Oxford has a long history of creating password change and reset solutions with ILM.
Oxford specializes in identity and access management and it is a Microsoft Gold Partner with offices in
UK, Germany, Canada and the US. Services include: strategic and functional consulting, system
integration, as well as solution and skill development.

To contact Oxford Computer Group, use the following e-mail address: info@oxfordcomputergroup.com

Reset Password Flow


If a student forgets his/her password to their Windows Live ID there are two ways for them to reset
their password online:

 Send an automated reset password e-mail to an alternate e-mail address.

 Enter information online including Country/Region, State, Zip Code, Secret Question and Secret
Answer.

If all else fails the student can contact the appropriate school department to have the System
Administrator reset the password using ILM 2007. Should a user lose their temporary password, or
forget the one they subsequently created, and be unable to complete the online password reset
procedure, the System Administrator should perform the following procedure to reset the password.

Recovering from a Forgotten Password


If a student forgets their password, they have to reset it before they can sign in to Windows Live again.
They can reset their password by sending themselves a password reset e-mail message or by answering
the secret question and entering their location information.

If the student does not already have an alternate e-mail address, the student will be prompted to enter
an alternate e-mail address to make resetting passwords in the future easier. A confirmation page is
displayed after a successful password reset.
Alternate E-mail Addresses
We recommend that students enter an alternate e-mail address upon first sign-in to Windows Live
Hotmail, or to whichever Windows Live ID site they sign in to first. On first sign-in the student is
required to enter a Secret Question/Secret Answer pair; see "Appendix – First-Time User Sign-in Flow"
for more information. Optionally, the student is also asked to enter an alternate e-mail address. If
a student has an existing e-mail address in addition to the one being established by the school, we
highly recommend that the student enter it. Doing so lets the student reset their Windows Live ID
password later without contacting the System Administrator.

For security purposes, the student is also prompted to change their school-supplied temporary
password the first time they sign in.

Entering Windows Live ID Profile Information
If the student does not have an alternate e-mail address they need to enter a limited amount of
Windows Live ID profile information. This must be done separately, because a student is not prompted
for this information at first sign-in.

 Go to https://account.live.com/. Sign in if prompted (authentication is required to use Account
Services). In the left pane click Account Summary, and then click Add or Change your Alternate
e-mail address.

 On the next screen, scroll to the bottom and fill in Country/Region, State, and ZIP code. These values
are required when resetting your password, so make sure they are accurate and will be remembered,
then click Save. No other values are required on this screen.

Section 12: Troubleshooting


This section covers common issues that people face when they are installing the Live@edu solution.

Deprovisioning
Pay careful attention to the settings the Windows Live Management Agent uses for deprovisioning
actions. Setting these incorrectly may inadvertently evict users, with the following consequences:

 Deletion of all of the students' e-mail

 Inability for the students to continue to use the e-mail address

Here are a few deprovisioning scenarios you may encounter and possible troubleshooting steps. All
scenarios are structured around the limitation that an e-mail address cannot be reused for 210 days
after it has been evicted. Before running an export that contains deletes, review the pending exports
for the Windows Live Management Agent in Identity Manager.

Scenario 1: Inadvertently deleting users prior to handing out e-mail addresses.

Since the e-mail addresses have not yet been distributed to the users it may be possible to change the
schema of the addresses and create new addresses. For example, should a user have been
Adam.Smith@university.edu previously, you may consider changing the schema to make it
A.Smith@university.edu. This will allow you to recreate the e-mail addresses.

Scenario 2: Inadvertently deleting users after handing out e-mail addresses but prior to accounts being
used.

The solution for this is the same as scenario 1, if the schema change is possible. No mail or data will be
lost since none is present yet.

Scenario 3: Inadvertently deleting users after handing out e-mail addresses to users. The users have
started using accounts and have populated them with data.

This is not an easily recoverable scenario. You may use the solution from Scenario 1 to recreate the
users, but you will not be able to recover the data in the accounts, such as e-mail. Additionally, if
you change the schema for e-mail addresses, be mindful not to change the addresses of users who were
not affected by the eviction, since changing the schema renames their addresses as well. Microsoft
may be able to assist you if you get into this situation.

Name Recycling Limitations


Once a user is evicted from the namespace you may reuse their e-mail name for another account (or
to re-provision this one) immediately, as long as the password for the member account is a different
length than the previous password. This differs from the 210-day limit stated under Deprovisioning
above; confirm which applies to your namespace with Microsoft support before relying on either.

Note: Member accounts can only be recreated four times.

365 Day Usage Requirements


Users must sign in to their Windows Live e-mail accounts at least once every 365 days or their e-mail
is deleted due to disuse. The account itself still exists and is reactivated on the next sign-in, but
the contents of the mailbox are gone.

Windows Live ID SigninName Limitations


You must flow the full e-mail address, including the domain portion, to the SigninName attribute in
the Windows Live Management Agent connector space: for example James.Smith@university.com, not
James Smith.

Windows Live ID e-mail names must conform to RFC 822 for the user name portion of the address and
to RFC 1035 for the domain portion. Some additional restrictions apply:

 50 characters maximum

 No Unicode

 The first character must be a letter (ASCII 65-90 or 97-122)

 A period (ASCII 46) is allowed except as the first or last character, and two adjacent periods
are not allowed

 All other characters must be in the ASCII ranges 48-57 (digits), 65-90 (upper case), 95
(underscore) or 97-122 (lower case)

 Any other character is disallowed

Windows Live ID Passwords Limitations


Passwords must be at least six characters and at most 16. The Windows Live ID may NOT be part of
the password. For security purposes we recommend that temporary passwords be 10 characters long
and contain at least one character from each of the following sets:

 Lower-case characters: {abcdefghijklmnopqrstuvwxyz}

 Upper-case characters: {ABCDEFGHIJKLMNOPQRSTUVWXYZ}

 Digits: {0123456789}

 Special characters: {!@#$%^*()-_=+;:,./?`~} (excluding the curly braces)

Generate temporary passwords with a cryptographic random number generator rather than deriving them
from predictable data such as student IDs or dates of birth, and hand them to the student over a
channel other than the new mailbox itself.
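The following PowerShell functions are an added example, not code from this guide or from the Windows Live Management Agent. They serve both sections above: Test-LiveSigninName applies the sign-in name rules listed under Windows Live ID SigninName Limitations to a record before it is flowed to SigninName, and New-TemporaryPassword produces a temporary password that meets the limits and the recommended policy above from a cryptographic random source, while Test-LivePassword checks a password supplied from elsewhere (a portal, an import file) against the same policy. Two points are assumptions: the 50-character limit is applied to the user-name portion, and the domain portion is checked only against RFC 1035 label syntax.

```powershell
# Added example; not from the guide. Input checks to run before the Windows Live Management
# Agent exports a record. Assumption: the 50-character limit applies to the user-name portion.

function Test-LiveSigninName([string] $SigninName) {
    $parts = $SigninName.Split('@')
    if ($parts.Length -ne 2) { return $false }          # full address required, not "James Smith"
    $user = $parts[0]
    $domain = $parts[1]

    if ($user.Length -lt 1 -or $user.Length -gt 50) { return $false }
    # First character a letter (ASCII 65-90, 97-122); the rest letters, digits (48-57), underscore
    # (95) or period (46). Explicit ASCII classes, so no Unicode letters or digits slip through,
    # and \z rather than $ so a trailing newline cannot be smuggled past the check.
    if ($user -cnotmatch '^[A-Za-z][A-Za-z0-9_.]*\z') { return $false }
    if ($user.EndsWith('.') -or $user.Contains('..')) { return $false }   # no final or adjacent periods

    # Domain portion per RFC 1035: labels of letters, digits and hyphens, no leading or trailing
    # hyphen, 1 to 63 characters each, at least two labels.
    $labels = $domain.Split('.')
    if ($labels.Length -lt 2) { return $false }
    foreach ($label in $labels) {
        if ($label -cnotmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\z') { return $false }
    }
    return $true
}

$LowerSet   = 'abcdefghijklmnopqrstuvwxyz'
$UpperSet   = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
$DigitSet   = '0123456789'
$SpecialSet = '!@#$%^*()-_=+;:,./?`~'

function Get-RandomIndex($Rng, [int] $Max) {
    # Uniform index in [0, $Max) from a CSPRNG. Values at or above the largest multiple of $Max
    # that fits in 32 bits are discarded, which avoids the bias of a plain modulo.
    $buffer = New-Object byte[] 4
    $limit = [long]4294967296 - ([long]4294967296 % $Max)
    do {
        $Rng.GetBytes($buffer)
        $value = [long][BitConverter]::ToUInt32($buffer, 0)
    } while ($value -ge $limit)
    return [int]($value % $Max)
}

function New-TemporaryPassword([string] $SigninName, [int] $Length = 10) {
    if ($Length -lt 6 -or $Length -gt 16) { throw 'Windows Live ID passwords must be 6 to 16 characters.' }
    $sets = @($LowerSet, $UpperSet, $DigitSet, $SpecialSet)
    $all = [string]::Join('', $sets)
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $user = $SigninName.Split('@')[0]
    do {
        $chars = @()
        # One character from each class satisfies the "at least one of each" recommendation...
        foreach ($set in $sets) { $chars += $set.Substring((Get-RandomIndex $rng $set.Length), 1) }
        # ...the remainder is drawn from the union of all classes...
        while ($chars.Length -lt $Length) { $chars += $all.Substring((Get-RandomIndex $rng $all.Length), 1) }
        # ...and a Fisher-Yates shuffle removes the fixed class order from the first four positions.
        for ($i = $chars.Length - 1; $i -gt 0; $i--) {
            $j = Get-RandomIndex $rng ($i + 1)
            $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
        }
        $password = [string]::Join('', $chars)
        # The Windows Live ID may not be part of the password; compare case-insensitively.
    } while ($password.ToLower().Contains($user.ToLower()))
    return $password
}

function Test-LivePassword([string] $SigninName, [string] $Password) {
    # Hard limits from the section above plus the recommended temporary-password policy.
    if ($Password.Length -lt 6 -or $Password.Length -gt 16) { return $false }
    $user = $SigninName.Split('@')[0]
    if ($Password.ToLower().Contains($user.ToLower())) { return $false }
    if ($Password.Length -lt 10) { return $false }
    foreach ($set in @($LowerSet, $UpperSet, $DigitSet, $SpecialSet)) {
        if ($Password.IndexOfAny($set.ToCharArray()) -lt 0) { return $false }
    }
    return $true
}

# Usage:
# Test-LiveSigninName 'James.Smith@university.com'
# Test-LiveSigninName 'James Smith'
# $temp = New-TemporaryPassword 'James.Smith@university.com'
# Test-LivePassword 'James.Smith@university.com' $temp
```

Run these over the whole input file (or portal table) before the import run: a name or password that fails here would otherwise only surface as an export error on the Windows Live Management Agent, after the rest of the batch has already been provisioned.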

.Net 2.0 and Hotfixes


You must have the .NET Framework 2.0 installed, together with the latest ILM 2007 hotfixes, or you
will encounter "stopped-extension-dll-exception" errors. To determine which versions of the .NET
Framework are installed on a computer:

1. Locate the folder that contains the .NET Framework: click Start, click Run, and then paste or
type %systemroot%\Microsoft.NET\Framework on the line. Click OK to open the folder.

2. Under that folder there is a subfolder named for each installed version of the .NET Framework.
Look for a folder named v2.0.50727. If you do not see it, you need to install the .NET Framework 2.0.

3. If the folder is present, open v2.0.50727 and locate the file Mscorlib.dll.

4. Right-click the file and then click Properties.

5. Click the Version tab and note the file version.

6. If the version number starts with 2.0.50727 then the correct version of the .NET Framework is
installed; see the failure analysis steps later in this section for more information about
troubleshooting error messages. If not (or if the folder is absent) you must install the .NET
Framework 2.0 using the instructions below. Click OK.

The .NET Framework 2.0 installer can be downloaded from
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856eacb-4362-4b0d-8edd-aab15c5e04f5
or by searching for .NET Framework Version 2.0 at http://download.microsoft.com. To download and
start the setup, follow the instructions on the download site.

Additionally, you must install the latest ILM 2007 hotfixes so that ILM 2007 works with the .NET
libraries installed. The ILM 2007 updates can be downloaded from
http://www.microsoft.com/downloads/details.aspx?familyid=fa9dbb67-4654-4c94-b073-aa59676130af
or by searching for ILM Hotfix at http://support.microsoft.com.

Issues Sending or Receiving E-mail


If you have trouble sending or receiving mail from accounts you have created, the issues are most
commonly caused by the lack of proper configuration of the MX records. Please see section Managing
MX Records for more information.

Account Settings Precedence


There are several places where account settings can be changed as part of the solution. The order of
precedence in which properties are assigned is as follows (highest first):

1. Mapped connector space attributes using attribute flows

2. Global config rules (using the WLCDGlobalConfig.xml file)

Be mindful of which properties you set and where you set them, since a property may be overridden by
a higher-priority setting elsewhere.

Steps to troubleshoot the Live@edu solution depend on where the error occurs. It is sometimes
difficult to determine where to start, but you can usually follow the data through the solution to
find the error condition: start with the student data source, then move on to ILM 2007, and finally
out to the Windows Live system.

ILM 2007 Failure Analysis Process Flow


Start by looking at the status from the run which is normally displayed half way down the screen on the
right side as displayed in the following screen.

The following table lists the next step for each run status.

Status                            Next steps
<null>                            Normal while the extension starts. Wait for the status to change.
in-progress                       Windows Live IDs are exporting. The Adds count should increase
                                  while the extension is in progress.
completed-export-errors           See "For completed-export-errors" below.
success                           Normal if the extension ran without errors. If zero Windows Live
                                  IDs were added and you expected more, check that the input data
                                  source has imported its data into the Metaverse and that your
                                  attribute flows and provisioning rules extension are configured
                                  correctly.
stopped-bad-server-credentials    Check the management agent properties and ensure that a user and
                                  password are entered on the Configure Connection Information tab.
stopped-extension-dll-exception   See "For stopped-extension-dll-exception" below.

For "stopped-extension-dll-exception"
Windows Live IDs are not processed, because the exception occurred before the Windows Live ID
export was attempted. ILM 2007 writes the errors to the Application event log, which you can view
with Event Viewer: click Start, click Run, and type eventvwr.

For "completed-export-errors"
See Managing the Output Files in this guide. Windows Live IDs that succeeded will NOT be re-processed
on the next export run, so re-attempt the export before further troubleshooting. It is not unusual for
network conditions to cause a few Windows Live IDs in a large batch to fail; retrying minimizes the
number of failures that need investigation, and there is no downside to doing so. Once you have
determined that the remaining failures are not transient, find the cause for each Windows Live ID by
double-clicking the corresponding error link in the right pane of the screen shot above, which opens
the detailed error report for that Windows Live ID.

Getting Support
For ILM and Windows Live Management Agent support, see http://support.microsoft.com/ph/1980.

Disaster Recovery Plan (ILM Server Outage)


A failure of the ILM server itself should not cause data loss, because the synchronization data is in
the SQL Server database, but other critical components live on the ILM server: the source code of
your rules extensions, the exported encryption key set, operations scripts and anything in the MAData
folder are lost if you recover by reinstalling ILM. It is therefore important to also keep file system
backups of the Microsoft Identity Integration Server folder. Because MAData can hold the import files
that carry students' initial passwords, protect those backups as strictly as the ILM server itself.

If you have the encryption keys mentioned above (exported with the ILM Key Management Utility,
miiskmu.exe), the easiest way to recover from an ILM server outage is to reinstall ILM 2007 and the
Windows Live Management Agent and point them at the existing SQL Server database. Once you provide
the encryption keys and restore the supporting files to their folders you should be up and running.
Again, refer to "Restoring Microsoft Identity Lifecycle Manager 2007" in the ILM 2007 help.

In the event that the ILM server suffers a failure or the management agents and the database are
deleted, the following steps must be done to restore functionality to ILM and prevent errors upon re-
synchronizing the data with your data source.

1. Install ILM 2007 and the supporting software on the server, as required by the severity of the
failure.

2. Restore your management agents from backup XML files, or set them up in ILM as they were before.

3. Turn off provisioning: on the Tools menu, click Options and clear Enable Provisioning Rules
Extension.

4. Create a full import run profile for the data source management agent:
a. Click New Profile, give the run profile a name (in this case, Full Import) and click Next.
b. In Configure Step, select Full Import (Stage Only) as the run profile type.
c. In Management Agent Configuration, select the input file name if you are using a text
management agent; otherwise skip this step. Click Finish.

5. Create a full synchronization run profile for the data source management agent. Follow the same
steps as step 4: name the profile appropriately, select Full Synchronization as the run profile type,
and click Finish in Management Agent Configuration.

6. Run a full import and then a full synchronization on the data source management agent to project
its data into the metaverse: in Identity Manager under Actions, select Run, select Full Import and
click OK; then select Run, select Full Sync and click OK.

7. Put the Windows Live management agent into recovery mode. Open the management agent, click the
Configure Additional Parameters tab and add two parameters: click New, enter the parameter name
Domain with the name of your domain as the value, and click OK; then click New, enter the parameter
name DisasterRecoveryMode with the value true, and click OK.

8. Set a join rule on the Windows Live management agent so that its SigninName attribute joins to
the metaverse mail attribute (or whichever metaverse attribute holds the member e-mail address): in
Identity Manager, open the Windows Live management agent, select the Configure Join and Projection
Rules tab, click New Join Rule, select the data source attribute SigninName and the metaverse
attribute mail, and click Add Condition.

9. Create an input file for the Windows Live management agent's full import run profile: navigate to
the MaData folder in the ILM installation folder (by default C:\Program Files\Microsoft Identity
Integration Server\MaData), open the folder for the Windows Live management agent, right-click,
select New Text Document, and give the file any name, for example import.txt. Close the folder
window.

10. Create a full import run profile for the Windows Live management agent. Follow the same steps as
step 4: name the profile appropriately, select Full Import as the run profile type, select the file
you created in step 9, and click Finish in Management Agent Configuration.

11. Create a full synchronization run profile for the Windows Live management agent. Follow the same
steps as step 4: name the profile appropriately, select Full Synchronization as the run profile type,
and click Finish in Management Agent Configuration.

12. Run a full import on the Windows Live management agent and note the number of objects.

13. Run a full synchronization on the Windows Live management agent.

14. Verify that all imported accounts are joined. The number of joins should equal the number of
objects from the full import (if your data source is Active Directory or another LDAP directory,
subtract the container objects first).

15. There should now be pending exports to Windows Live for all joined accounts. Examine a few
pending exports at random to make sure the attributes are set correctly; in particular, do not set
the ResetPassword attribute unless you want to force every user to reset their password.

16. Run an export on the Windows Live management agent.

17. Re-enable provisioning: on the Tools menu, click Options and select Enable Provisioning Rules
Extension.

18. Run a full synchronization on the data source management agent.

19. Any exports still pending for the Windows Live management agent after step 18 must be new users
who were not created in Windows Live before the disaster occurred.

20. Run an export to Windows Live to create the new users, if desired.
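The following PowerShell script is an added example, not code from this guide. It performs the Windows Live management agent part of the recovery procedure above (full import, full synchronization, the join count check, the pending-export review and the export) through the ILM 2007 WMI provider instead of the Identity Manager GUI, and it branches on the same run status strings listed in the ILM 2007 Failure Analysis Process Flow table in Section 12. The management agent name ('Windows Live MA') and the run profile names ('Full Import', 'Full Synchronization', 'Export') are assumptions; use the names you created.

```powershell
# Added example; not from the guide. Drives the Windows Live management agent through the ILM
# 2007 WMI provider. Assumptions: the MA is named 'Windows Live MA' and its run profiles are
# named 'Full Import', 'Full Synchronization' and 'Export'. Run on the ILM server under an
# account in MIISOperators or MIISAdmins (default group names).
$Namespace = 'root\MicrosoftIdentityIntegrationServer'

function Get-ManagementAgent([string] $Name) {
    $literal = "'" + $Name.Replace("'", "''") + "'"      # escape quotes in the WQL literal
    $ma = Get-WmiObject -Namespace $Namespace -Query "SELECT * FROM MIIS_ManagementAgent WHERE Name = $literal"
    if ($ma -eq $null) { throw "Management agent '$Name' not found." }
    return $ma
}

function Invoke-RunProfile($Ma, [string] $ProfileName) {
    # Execute blocks until the run ends and returns the same status string Identity Manager shows.
    $status = $Ma.Execute($ProfileName).ReturnValue
    switch ($status) {
        'success' { }
        'completed-export-errors' {
            Write-Warning "$ProfileName on $($Ma.Name): some objects failed; re-run the export before investigating."
        }
        'stopped-extension-dll-exception' {
            throw "$ProfileName on $($Ma.Name) stopped before export; check the Application event log (eventvwr)."
        }
        'stopped-bad-server-credentials' {
            throw "$ProfileName on $($Ma.Name): enter the user and password under Configure Connection Information."
        }
        default { throw "$ProfileName on $($Ma.Name) ended with status '$status'." }
    }
    return $status
}

function Test-RecoveryJoin([string] $MaName, [int] $ContainerObjects = 0) {
    $ma = Get-ManagementAgent $MaName
    Invoke-RunProfile $ma 'Full Import' | Out-Null
    $imported = $ma.NumCSObjects().ReturnValue
    Invoke-RunProfile $ma 'Full Synchronization' | Out-Null
    $joined = $ma.NumTotalConnectors().ReturnValue
    # Every imported account must have joined; LDAP containers never join, so subtract them.
    if ($joined -ne ($imported - $ContainerObjects)) {
        throw "Only $joined of $imported connector space objects joined; fix the join rule before exporting."
    }
    return @{ Imported = $imported; Joined = $joined }
}

function Invoke-SafeExport([string] $MaName, [switch] $AllowDeletes) {
    $ma = Get-ManagementAgent $MaName
    $adds    = $ma.NumExportAdd().ReturnValue
    $updates = $ma.NumExportUpdate().ReturnValue
    $deletes = $ma.NumExportDelete().ReturnValue
    Write-Host "Pending exports on $($MaName): $adds adds, $updates updates, $deletes deletes"
    # After a recovery import the joined accounts should appear as updates. A pending delete would
    # evict a live Windows Live ID (see Deprovisioning in Section 12), so stop unless explicitly allowed.
    if ($deletes -gt 0 -and -not $AllowDeletes) {
        throw "$deletes pending deletes on $MaName; review them in Identity Manager before exporting."
    }
    return Invoke-RunProfile $ma 'Export'
}

# Usage: Test-RecoveryJoin 'Windows Live MA'; then Invoke-SafeExport 'Windows Live MA'
```

The delete guard in Invoke-SafeExport is the scripted form of the manual review in the pending-export step: a recovery run that stages deletes means the join did not work as expected, and exporting it would evict accounts that cannot be recovered.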

Section 13: Advanced Topics
These advanced topics should be taken into consideration to extend the stability and functionality of
your solution.

Student Portal Integration


The following example demonstrates a method to streamline the signup process and let students be
responsible for creating their own accounts; Eastern Washington University has demonstrated this
methodology well. ILM 2007 still needs to be part of the solution to create the accounts, but it can
be wrapped with a front-end, for example an extension to your existing student portal. The following
screenshots provide an example of one way to do this.
The portal integration solution needs to establish the login for the students. This login could be
created by the students themselves, as demonstrated below. The sign-in name the student chooses
would then make its way into a data source that ILM 2007 can read, such as a SQL database or a text
file, which becomes the source of student information instead of your existing student records. The
temporary password could likewise be set through the portal and provided to ILM 2007 via the database
or text file; in that case the portal must validate the chosen sign-in name and password against the
limits given in Section 12 before writing them.
If you need assistance with the methodology for, or development of, a solution that includes portal
integration you can e-mail Oxford Computer Group at info@oxfordcomputergroup.com.

High Availability
While ILM is not a real-time system, and so may not require 99.999% uptime, it is imperative that
the system be operational whenever a "run" is required, however often that may be. Because ILM is
not a real-time system, the usual high-availability technique of clustering may not be appropriate;
ILM 2007 is not a cluster-aware application.

A desirable and recommended strategy for high availability of ILM 2007 is to maintain a cold-standby
server that can be brought up at any time should the primary machine fail. The standby needs the same
encryption key set and file system backups described under Disaster Recovery Plan above.

Integration of Live@edu Into a Pre-existing ILM Environment


While many institutions are not yet using ILM 2007 for student synchronization, those that are may
choose to integrate the Live@edu solution into their existing ILM 2007 environment. The steps are:

 Ensure you have the latest .NET and ILM 2007 hotfixes, according to the prerequisite requirements
stated above. If you do not, install them before proceeding.
 Ensure your source management agent for student data provides an e-mail address to the
Metaverse (note which attribute holds the address). This must be the full e-mail address including
the domain portion. If you intend to provide an initial password for the user, that data must be
in the Metaverse as well.
 Install and configure the Windows Live Management Agent according to the instructions above.
Note that you need to create a flow from the Metaverse attribute that contains the e-mail address
you want to provision to the SigninName attribute in the Windows Live Management Agent
connector space.
 Configure the Metaverse provisioning extension as follows:
o Perform the steps listed in the Enable Provisioning section above, noting the previously
listed DLL, if any.
o If you noted a DLL in the step above, edit the file specified in the section titled Metaverse
Rules Extension XML Schema and add a line with contents of <add-assemblies…> naming the DLL
you noted. This allows all of your previous code to continue receiving data from ILM 2007 as
it did before the Live@edu changes.

Distribution List Management


Distribution list management lives on the enterprise system. Once users have received their assigned
e-mail addresses, the school administration or faculty may need to send mailings to groups or
distribution lists. For example, an institution may want to group all users by the campus they are
located on, creating a group for each campus and mail-enabling it. Manually placing individual
accounts into the groups as users are created, modified or deleted involves a great deal of
administrative overhead. ILM 2007 can be leveraged to automate the creation and maintenance of
these groups, using a free Microsoft Group Management solution implemented in ILM 2007 (see the URL
below). The Group Management solution lets administrators define criteria for groups via a web
interface and then automatically populates the groups based on those criteria. It can create groups
in any data source that ILM 2007 can connect to, such as Active Directory (Exchange), Lotus Notes or
Sun One. For more details about the Group Management solution and links to the download, see:

http://www.microsoft.com/technet/technetmag/issues/2006/07/Automate/default.aspx

Integration of Metadata into Accounts


To build these groups, you will need to provide information about the students in the Metaverse. This
information could include:

 Class
 Status (student or alumni)
 State
 City
 Etc

In addition to utilizing this data to automatically create distribution lists using the Group Management
solution, information contained in attributes like this can assist in the general maintenance of account
information. Connecting ILM 2007 to other data sources and synchronizing this type of information can
greatly reduce the costs of account administration.
Appendix A: Valid Region/Country Codes
Code Country
AF Afghanistan

AL Albania

DZ Algeria

AS American Samoa

AD Andorra

AO Angola

AI Anguilla

AQ Antarctica

AG Antigua and Barbuda

AR Argentina

AM Armenia

AW Aruba

AC Ascension Island

AU Australia

AT Austria

AZ Azerbaijan

BS Bahamas

BH Bahrain

BD Bangladesh

BB Barbados

BY Belarus

BE Belgium

BZ Belize

BJ Benin

BM Bermuda

BT Bhutan
BO Bolivia

BA Bosnia and Herzegovina

BW Botswana

BV Bouvet Island

BR Brazil

IO British Indian Ocean Territory

BN Brunei

BG Bulgaria

BF Burkina Faso

BI Burundi

KH Cambodia

CM Cameroon

CA Canada

CV Cape Verde

KY Cayman Islands

CF Central African Republic

TD Chad

CL Chile

CN China

CX Christmas Island

CC Cocos (Keeling) Islands

CO Colombia

KM Comoros

CD Congo (DRC)

CG Congo

CK Cook Islands

CR Costa Rica
CI Côte d'Ivoire

HR Croatia

CU Cuba

CY Cyprus

CZ Czech Republic

DK Denmark

DJ Djibouti

DM Dominica

DO Dominican Republic

EC Ecuador

EG Egypt

SV El Salvador

GQ Equatorial Guinea

ER Eritrea

EE Estonia

ET Ethiopia

FK Falkland Islands (Islas Malvinas)

FO Faroe Islands

FJ Fiji Islands

FI Finland

FR France

GF French Guiana

PF French Polynesia

TF French Southern and Antarctic Lands

GA Gabon

GM Gambia, The

GE Georgia
DE Germany

GH Ghana

GI Gibraltar

GR Greece

GL Greenland

GD Grenada

GP Guadeloupe

GU Guam

GT Guatemala

GG Guernsey

GN Guinea

GW Guinea-Bissau

GY Guyana

HT Haiti

HM Heard Island and McDonald Islands

HN Honduras

HK Hong Kong SAR

HU Hungary

IS Iceland

IN India

ID Indonesia

IR Iran

IQ Iraq

IE Ireland

IM Isle of Man

IL Israel

IT Italy
JM Jamaica

JP Japan

JO Jordan

JE Jersey

KZ Kazakhstan

KE Kenya

KI Kiribati

KR Korea

KW Kuwait

KG Kyrgyzstan

LA Laos

LV Latvia

LB Lebanon

LS Lesotho

LR Liberia

LY Libya

LI Liechtenstein

LT Lithuania

LU Luxembourg

MO Macao SAR

MK Macedonia, Former Yugoslav Republic of

MG Madagascar

MW Malawi

MY Malaysia

MV Maldives

ML Mali

MT Malta
MH Marshall Islands

MQ Martinique

MR Mauritania

MU Mauritius

YT Mayotte

MX Mexico

FM Micronesia

MD Moldova

MC Monaco

MN Mongolia

MS Montserrat

MA Morocco

MZ Mozambique

MM Myanmar

NA Namibia

NR Nauru

NP Nepal

AN Netherlands Antilles

NL Netherlands, The

NC New Caledonia

NZ New Zealand

NI Nicaragua

NE Niger

NG Nigeria

NU Niue

NF Norfolk Island

KP North Korea
MP Northern Mariana Islands

NO Norway

OM Oman

PK Pakistan

PW Palau

PS Palestinian Authority

PA Panama

PG Papua New Guinea

PY Paraguay

PE Peru

PH Philippines

PN Pitcairn Islands

PL Poland

PT Portugal

PR Puerto Rico

QA Qatar

RE Reunion

RO Romania

RU Russia

RW Rwanda

WS Samoa

SM San Marino

ST São Tomé and Príncipe

SA Saudi Arabia

SN Senegal

YU Serbia and Montenegro

SC Seychelles
SL Sierra Leone

SG Singapore

SK Slovakia

SI Slovenia

SB Solomon Islands

SO Somalia

ZA South Africa

GS South Georgia and the South Sandwich Islands

ES Spain

LK Sri Lanka

SH St. Helena

KN St. Kitts and Nevis

LC St. Lucia

PM St. Pierre and Miquelon

VC St. Vincent and the Grenadines

SD Sudan

SR Suriname

SJ Svalbard and Jan Mayen

SZ Swaziland

SE Sweden

CH Switzerland

SY Syria

TW Taiwan

TJ Tajikistan

TZ Tanzania

TH Thailand

TP Timor-Leste
TG Togo

TK Tokelau

TO Tonga

TT Trinidad and Tobago

TA Tristan da Cunha

TN Tunisia

TR Turkey

TM Turkmenistan

TC Turks and Caicos Islands

TV Tuvalu

UG Uganda

UA Ukraine

AE United Arab Emirates

UK United Kingdom

US United States

UM United States Minor Outlying Islands

UY Uruguay

UZ Uzbekistan

VU Vanuatu

VA Vatican City

VE Venezuela

VN Vietnam

VI Virgin Islands

VG Virgin Islands, British

WF Wallis and Futuna

YE Yemen

ZM Zambia
ZW Zimbabwe
Appendix B: Language Codes
These are the languages currently supported by Windows Live Hotmail.

Code Language
1025 Arabic

1046 Brazilian Portuguese

1026 Bulgarian

2052 Chinese (Simple)

1028 Chinese (Traditional)

1050 Croatian

1029 Czech

1030 Danish

1043 Dutch

1033 English

1061 Estonian

1035 Finnish

1036 French

1031 German

1032 Greek

1037 Hebrew

1038 Hungarian

1040 Italian

1041 Japanese

1042 Korean

1062 Latvian

1063 Lithuanian

1044 Norwegian

1045 Polish
2070 Portuguese

1048 Romanian

1049 Russian

2074 Serbian – Latin

1051 Slovak

1060 Slovenian

1034 Spanish

1053 Swedish

1054 Thai

1055 Turkish

1058 Ukrainian
Appendix C: TimeZone Codes
TimeZone Code Location
0 Universal Time

1264 Andorra, Andorra

1191 Dubai, United Arab Emirates

1201 Kabul, Afghanistan

1078 Antigua, Antigua and Barbuda

1077 Anguilla, Anguilla

1303 Tirane, Albania

1240 Yerevan, Armenia

1093 Curacao, Netherlands Antilles

1056 Luanda, Angola

1165 Casey, Casey Station, Bailey Peninsula

1166 Mawson, Mawson Station, Holme Bay

1167 McMurdo, McMurdo, McMurdo Station, Ross Island

1168 Palmer, Palmer Station, Anvers Island

1169 South Pole, Amundsen Scott Station, South Pole

1084 Buenos Aires, E Argentina (BA, DF, SC, TF)

1086 Catamarca, Catamarca (CT)

1090 Cordoba, W Argentina (CB, SA, TM, LR, SJ, SL, NQ, RN)

1116 Jujuy, Jujuy (JY)

1125 Mendoza, Mendoza (MZ)

1145 Rosario, NE Argentina, Mendoza (MZ)

1346 Pago Pago, American Samoa

1306 Vienna, Austria

1252 Adelaide, South Australia

1253 Brisbane, Queensland, most locations

1254 Broken Hill, New South Wales


1255 Darwin, Northern Territory

1256 Hobart, Tasmania

1257 Lindeman, Queensland, Holiday Islands

1258 Lord Howe, Lord Howe Island

1259 Melbourne, Victoria

1260 Perth, Western Australia

1262 Sydney, New South Wales, most locations

1079 Aruba, Aruba

1181 Baku, Azerbaijan

1297 Sarajevo, Bosnia and Herzegowina

1081 Barbados, Barbados

1189 Dacca, Bangladesh

1269 Brussels, Belgium

1069 Ouagadougou, Burkina Faso

1300 Sofia, Bulgaria

1180 Bahrain, Bahrain

1035 Bujumbura, Burundi

1070 Porto-Novo, Benin

1242 Bermuda, Bermuda

1185 Brunei, Brunei Darussalam

1117 La Paz, Bolivia

1092 Cuiaba, SW Brazil (MT, MS)

1101 Fortaleza, NE Brazil (AP, east PA, MA, PI, CE)

1120 Maceio, ENE Brazil (AL, SE, TO)

1122 Manaus, NW Brazil (RR, west PA, AM, RO)

1133 Noronha, Fernando de Noronha

1140 Porto Acre, Acre

1148 Sao Paulo, S & SE Brazil (BA, GO, DF, MG, ES)

1131 Nassau, Bahamas

1230 Thimbu, Bhutan

1047 Gaborone, Botswana

1286 Minsk, Belarus

1082 Belize, Belize

1094 Pacific Time, Victoria, British Columbia

1095 Pacific Time, Kamloops, British Columbia

1098 Mountain Time, Edmonton, Alberta

1103 Atlantic Time, Charlottetown, P.E.I.

1110 Atlantic Time, Halifax, Nova Scotia

1113 Mountain Time, Calgary, Alberta

1114 Eastern Time, Iqaluit, Nunavut

1129 Eastern Time, Montreal, Quebec

1135 Atlantic Time, Saint John, New Brunswick

1142 Central Time, St. Vital, Manitoba

1143 Central Time, St. Boniface, Manitoba

1144 Central Time, Regina, Saskatchewan

1150 Newfoundland Time, St. John's, Newfoundland

1155 Central Time, Saskatoon, Saskatchewan

1158 Eastern Time, Toronto, Ontario

1161 Pacific Time, Vancouver, British Columbia

1162 Pacific Time, Whitehorse, Yukon Territory

1163 Central Time, Winnipeg, Manitoba

1164 Mountain Time, Yellowknife, Northwest Territories

1314 Cocos, Cocos (Keeling) Islands

1030 Bangui, Central African Republic

1034 Brazzaville, Congo

1310 Zurich, Switzerland

1024 Abidjan, Côte d'Ivoire

1351 Rarotonga, Cook Islands

1324 Easter, Easter Island

1146 Santiago, Mainland

1044 Douala, Cameroon

1224 Beijing, China

1083 Bogota, Colombia

1091 Costa Rica, Costa Rica

1111 Havana, Cuba

1244 Cape Verde, Cape Verde

1313 Christmas, Christmas Island

1214 Nicosia, Cyprus

1292 Prague, Czech Republic

1267 Berlin, Germany

1043 Djibouti, Djibouti

1273 Copenhagen, Denmark

1097 Dominica, Dominica

1147 Santo Domingo, Dominican Republic

1037 Algiers, Algeria

1330 Galapagos, Galapagos Islands

1108 Guayaquil, Mainland

1302 Tallinn, Estonia

1036 Cairo, Egypt

1028 Asmera, Eritrea

1243 Canary, Canary Islands

1038 Ceuta, Ceuta, Melilla

1284 Madrid, Mainland

1026 Addis Ababa, Ethiopia

1276 Helsinki, Finland

1328 Fiji, Fiji

1251 Stanley, Falkland Islands

1337 Kosrae, Kosrae

1349 Ponape, Ponape (Pohnpei)

1356 Truk, Truk (Chuuk)

1359 Yap, Yap

1245 Faeroe, Faroe Islands

1031 Banjul, Gambia

1105 Grenada, Grenada

1228 Tbilisi, Georgia

1087 Cayenne, French Guiana

1025 Accra, Ghana

1275 Gibraltar, Gibraltar

1102 Godthab, Southwest Greenland

1149 Scoresbysund, East Greenland

1157 Thule, Northwest Greenland

1039 Conakry, Guinea

1106 Guadeloupe, Guadeloupe

1059 Malabo, Equatorial Guinea

1265 Athens, Greece

1249 South Georgia, South Georgia and The South Sandwich Islands

1107 Guatemala, Guatemala

1333 Guam, Guam

1109 Guyana, Guyana

1195 Peking, Hong Kong

1156 Tegucigalpa, Honduras

1309 Zagreb, Croatia

1138 Port-au-Prince, Haiti

1271 Budapest, Hungary

1198 Jakarta, Java, Sumatra

1199 Jayapura, Irian Jaya, Moluccas

1232 Ujung Pandang, Borneo, Celebes

1274 Dublin, Ireland

1193 Gaza, Gaza Strip

1200 Jerusalem, Jerusalem, most locations

1186 Calcutta, India

1312 Chagos, British Indian Ocean Territory

1179 Baghdad, Iraq

1229 Tehran, Iran

1248 Reykjavik, Iceland

1294 Rome, Italy

1115 Jamaica, Jamaica

1174 Amman, Jordan

1231 Tokyo, Japan

1065 Nairobi, Kenya

1184 Bishkek, Kyrgyzstan

1217 Phnom Penh, Cambodia

1326 Enderbury, Phoenix Islands

1336 Kiritimati, Line Islands

1354 Tarawa, Gilbert Islands

1315 Comoro, Comoros

1151 St Kitts, Saint Kitts and Nevis

1218 Pyeongyang, Korea, North (Democratic People's Republic of Korea)

1223 Seoul, Korea (Republic Of Korea)

1209 Kuwait, Kuwait

1088 Cayman, Cayman Islands

1173 Alma-Ata, East Kazakhstan

1176 Aqtau, West Kazakhstan

1177 Aqtobe, Central Kazakhstan

1236 Vientiane, Lao People's Republic

1183 Beirut, Lebanon

1152 St Lucia, Saint Lucia

1304 Vaduz, Liechtenstein

1188 Colombo, Sri Lanka

1064 Monrovia, Liberia

1061 Maseru, Lesotho

1307 Vilnius, Lithuania

1283 Luxembourg, Luxembourg

1293 Riga, Latvia

1073 Tripoli, Libyan Arab Jamahiriya

1037 Casablanca, Morocco

1287 Monaco, Monaco

1272 Chisinau, Moldova

1311 Antananarivo, Madagascar

1338 Kwajalein, Kwajalein

1339 Majuro, Majuro, most locations

1299 Skopje

1029 Bamako, Southwest Mali

1072 Timbuktu, Northeast Mali

1220 Yangon (Rangoon), Myanmar

1234 Ulan Bator, Mongolia

1210 Macao, Macao

1352 Saipan, Northern Mariana Islands

1123 Martinique, Martinique

1068 Nouakchott, Mauritania

1130 Montserrat, Montserrat

1285 Malta, Malta

1318 Mauritius, Mauritius

1317 Maldives, Maldives

1033 Blantyre, Malawi

1100 Pacific Time, Ensenada, most locations

1124 Mountain Time, Mazatlan

1126 Central Time, Mexico City

1159 Pacific Time, Tijuana, N. Baja California

1207 Kuala Lumpur, peninsular Malaysia

1208 Kuching, Sabah & Sarawak

1060 Maputo, Mozambique

1075 Windhoek, Namibia

1345 Noumea, New Caledonia

1067 Niamey, Niger

1344 Norfolk, Norfolk Island

1054 Lagos, Nigeria

1121 Managua, Nicaragua

1263 Amsterdam, Netherlands

1289 Oslo, Norway

1205 Katmandu, Nepal

1342 Nauru, Nauru

1343 Niue, Niue

1322 Auckland, most locations

1213 Muscat, Oman

1134 Panama, Panama

1118 Lima, Peru

1331 Gambier, Gambier Islands

1340 Marquesas, Marquesas Islands

1353 Tahiti, Society Islands

1350 Port Moresby, Papua New Guinea

1212 Manila, Philippines

1203 Karachi, Pakistan

1308 Warsaw, Poland

1127 Miquelon, St Pierre and Miquelon

1348 Pitcairn, Pitcairn

1141 Puerto Rico, Puerto Rico

1241 Azores, Azores

1280 Lisbon, mainland

1247 Madeira, Madeira Islands

1347 Palau, Palau

1080 Asuncion, Paraguay

1219 Qatar, Qatar

1320 Reunion, Reunion

1270 Bucharest, Romania

1175 Anadyr, Moscow+10 - Bering Sea

1197 Irkutsk, Moscow+05 - Lake Baikal

1278 Kaliningrad, Moscow-01 - Kaliningrad

1202 Kamchatka, Moscow+09 - Kamchatka

1206 Krasnoyarsk, Moscow+04 - Yenisei River

1211 Magadan, Moscow+08 - Magadan & Sakhalin

1288 Moscow, Moscow+00 - West Russia

1215 Novosibirsk, Moscow+03 - Novosibirsk

1216 Omsk, Moscow+03 - West Siberia

1295 Samara, Moscow+01 - Caspian Sea

1237 Vladivostok, Moscow+07 - Amur River

1238 Yakutsk, Moscow+06 - Lena River

1239 Yekaterinburg, Moscow+02 - Urals

1052 Kigali, Rwanda

1221 Riyadh, Saudi Arabia

1332 Guadalcanal, Solomon Islands

1316 Mahe, Seychelles

1051 Khartoum, Sudan

1301 Stockholm, Sweden

1225 Singapore, Singapore

1250 St Helena, St Helena

1281 Ljubljana, Slovenia

1246 Jan Mayen, Jan Mayen

1171 Longyearbyen, Svalbard

1268 Bratislava, Slovakia

1046 Freetown, Sierra Leone

1296 San Marino, San Marino

1041 Dakar, Senegal

1063 Mogadishu, Somalia

1136 Paramaribo, Suriname

1071 São Tomé, São Tomé and Príncipe

1099 El Salvador, El Salvador

1190 Damascus, Syrian Arab Republic

1062 Mbabane, Swaziland

1104 Grand Turk, Turks and Caicos Islands

1066 Ndjamena, Chad

1290 Paris, French Southern Territories

1055 Lome, Togo

1182 Bangkok, Thailand

1192 Dushanbe, Tajikistan

1327 Fakaofo, Tokelau

1178 Ashkhabad, Turkmenistan

1074 Tunis, Tunisia

1355 Tongatapu, Tonga

1277 Istanbul, Turkey

1139 Port of Spain, Trinidad and Tobago

1329 Funafuti, Tuvalu

1226 Taipei, Taiwan

1042 Dar es Salaam, Tanzania

1279 Kiev, most locations

1298 Simferopol, Crimea

1050 Kampala, Uganda

1266 Belfast, Northern Ireland

1282 London, United Kingdom

1335 Johnston, Johnston Islands

1341 Midway, Midway Islands

1357 Wake, Wake Island

1076 United States, Alaska Time

1137 United States, Arizona

1089 United States, Central Time

1132 United States, Eastern Time

1334 United States, Hawaii

1112 United States, Indiana

1096 United States, Mountain Time

1119 United States, Pacific Time

1128 Montevideo, Uruguay

1227 Tashkent, Uzbekistan

1305 Vatican, Vatican City State

1154 St Vincent, Saint Vincent and The Grenadines

1085 Caracas, Venezuela

1160 Tortola, Virgin Islands (British)

1153 St Thomas, Virgin Islands (U.S.)

1222 Saigon, Viet Nam

1325 Efate, Vanuatu

1358 Wallis, Wallis and Futuna Islands

1321 Apia, Samoa

1172 Aden, Yemen

1319 Mayotte, Mayotte

1360 Serbia and Montenegro

1049 Johannesburg, South Africa

1058 Lusaka, Zambia

1053 Kinshasa, West Democratic Republic of Congo

1057 Lubumbashi, East Democratic Republic of Congo

1048 Harare, Zimbabwe

Appendix D: U.S. Region Codes

Code State
1003 Alabama

1040 Alaska

1945 Arizona

1951 Arkansas

10595903 Armed Forces Asia

10595904 Armed Forces Europe

10595905 Armed Forces Pacific

5599 California

7636 Colorado

7798 Connecticut

8831 Delaware

9130 District of Columbia

11032 Florida

12004 Georgia

13656 Hawaii

14713 Idaho

14808 Illinois

14882 Indiana

14987 Iowa

16121 Kansas

16480 Kentucky

19283 Louisiana

19840 Maine

20487 Maryland

20543 Massachusetts

21196 Michigan
21412 Minnesota

21502 Mississippi

21512 Missouri

21789 Montana

22869 Nebraska

23035 Nevada

23097 New Hampshire

23117 New Jersey

23132 New Mexico

23161 New York

23611 North Carolina

23624 North Dakota

24230 Ohio

24293 Oklahoma

24561 Oregon

25623 Pennsylvania

27664 Rhode Island

31410 South Carolina

31418 South Dakota

33025 Tennessee

33145 Texas

34626 Utah

35022 Vermont

35364 Virginia

35841 Washington

36208 West Virginia

36684 Wisconsin
36927 Wyoming

Appendix E: Certificate Install Information
If you chose to use a certificate to prove your identity to Microsoft, the certificate is provided to you
by the Windows Live Commercial Partner Center. You will be contacted with a password for the private
key. You will need a workstation to unpack and export your certificate for use with Windows Live Admin
Center.

Obtaining a Certificate for your Domain

• If you want to authenticate using a certificate, you must specifically request one from the
Windows Live Commercial Partner Center using this e-form:
https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.
• The Windows Live Commercial Partner Center will create a certificate for you and give you the
exportable private key to import into your systems.
• The Windows Live Commercial Partner Center will transfer your certificate to you.
• The Windows Live Commercial Partner Center will call you with the password for the private key.

Installing the certificate on the ILM Server

Follow the steps below to install the certificate provided to you by the Windows Live Commercial
Partner Center on all machines that will be used to administer Windows Live IDs:

Copy your certificate to the root of your ILM Server.

To grant the ILM service account the permissions it needs to access the certificate's private key, use
the WinHTTP Configuration Tool, available from the Microsoft Download site at
http://www.microsoft.com/downloads/details.aspx?familyid=c42e27ac-3409-40e9-8667-c748e422833f&displaylang=en.

Installing WinHTTP Configuration Tool

Locate the winhttpcertcfg.msi you downloaded above and double-click it to open the installer. Click Next
on the welcome screen.
Read the end-user license agreement, click the “I accept” button and click Next to continue.

Choose a Destination Folder or accept the default location and click Install Now.
When the installation is complete, click Finish.
To run the program, open a command-prompt window: click the Start menu, select Run, type CMD in the
Open field and click OK.

Change to the directory where you installed the tool. If you used the default settings, the location is
C:\Program Files\Windows Resource Kits\Tools. You will need to have copied the certificate provided to
you by the Windows Live Commercial Partner Center to the root of your C: drive, and you will need the
private key password.

The following example shows the command line parameters that are valid for use with this tool:

winhttpcertcfg [/?]

winhttpcertcfg [-i PFXFile | -g | -r | -l] [-a Account] [-c CertStore] [-s SubjectStr] [-p PFXPassword]

The following table explains the parameters for the configuration tool.

Parameter Description

-? Displays syntax information.

-i Specifies that the certificate is to be imported from a Personal Information Exchange (PFX) file.
This parameter must be followed by the name of the file. When this parameter is specified, -a
and -c must also be specified.

-g Specifies that access is granted to a private key. When this parameter is specified, -a, -c, and -s
must also be specified.

-r Specifies that access is removed for a private key. When this parameter is specified, -a, -c, and -s
must also be specified.

-l Specifies that accounts with access to a private key are listed. When this parameter is specified,
-c and -s must also be specified.

-a Specifies the user account on the machine being configured. This could be a local machine or
domain account, such as IWAM_TESTMACHINE, TESTUSER, or TESTDOMAIN\DOMAINUSER.

-c Specifies the location and name of the certificate store. Use LOCAL_MACHINE or
CURRENT_USER to designate which registry branch to use for the location. The certificate store
can be any installed on the machine. Typical name examples are MY, Root, and TrustedPeople.
The location and name of the certificate store are separated with a backward slash; for example,
LOCAL_MACHINE\Root.

Note Although the CURRENT_USER branch of the registry can be specified with this parameter,
extending access to private keys is primarily intended for certificates installed in a local machine
certificate store that can be accessed by multiple users.

-s Specifies a case-insensitive search string for finding the first enumerated certificate with a
subject name that contains this substring.

-p Specifies the password that protects the private key in the PFX file. Used together with -i.

To install your certificate with the correct permissions, run the configuration tool with the following
command (on one line):

winhttpcertcfg.exe -g -i c:\yourcertificatename -c LOCAL_MACHINE\My -a yourILMserviceaccount -p yourcertificatepassword

Once the command has executed successfully, the tool reports that the certificate was imported and that
access to the private key was granted to the account you specified.


Installing the certificate to Windows Live Admin Center
Once you have the certificate installed on the server(s) that will be used to manage Windows Live IDs,
you need to export the certificate for use with Windows Live Admin Center and upload the exported
certificate to the service.

Click the Start menu, select Run, type MMC in the Open field and click OK.
In the MMC, go to the File menu and select Add/Remove Snap-in.

Select the Certificates snap-in and click Add.

Select the radio button for the Certificates snap-in to manage certificates for the Computer account and
click Next.
Select Local computer and click Finish.
When you click Finish, the snap-in appears in the MMC window. On the left side, expand Certificates
(Local Computer) and select the Personal store.

In the right pane, right-click the certificate in the Certificates (Local Computer)\Personal\Certificates
store, select All Tasks and then Export.
The Certificate Export Wizard appears, click Next

Select the radio button next to “No, do not export the private key” and click Next.
Use DER encoded X.509 (.CER), click Next.

Click the Browse button, select a location for the exported certificate, click Next.

Click Finish to complete the Certificate Export Wizard.


To upload the exported certificate to the Windows Live Admin Center, go to
http://admincenter.live.com in Internet Explorer, click the Sign In button and log in with the Domain
Admin credentials that you established when you reserved your domain.

Click the domain you’re managing in your list of domains.

Click SDK.

Browse to the location where you exported the certificate and click Add/Update. If Add/Update is not
available, contact the Windows Live Commercial Partner Center using this e-form to enable the feature
for your domain: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.
When the upload succeeds, the Admin Center reports that the certificate has been uploaded successfully.
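As an added example (not part of this guide or of any Microsoft tool), the PowerShell script below checks the outcome of the winhttpcertcfg step and prepares the upload: it confirms the certificate sits in LocalMachine\My with its private key, lists every account the key file's ACL grants access to so that anything beyond the ILM service account, SYSTEM and Administrators can be spotted and revoked with winhttpcertcfg -r, and writes the DER-encoded public certificate without the private key. The subject substring, service account name and output path are placeholders.

```powershell
# Added example, not from the Live@edu guide: verify the certificate imported with
# winhttpcertcfg and export its public part for Windows Live Admin Center.
# Placeholders: $SubjectMatch, $ServiceAccount and $ExportPath are assumptions.
param(
    [string]$SubjectMatch   = 'yourcertificatename',
    [string]$ServiceAccount = 'TESTDOMAIN\yourILMserviceaccount',
    [string]$ExportPath     = 'C:\liveid-public.cer'
)

# 1. Locate the certificate in the local machine Personal (My) store, where
#    "-c LOCAL_MACHINE\My" placed it.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "*$SubjectMatch*" } |
        Select-Object -First 1
if (-not $cert) { throw "No certificate matching '$SubjectMatch' in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key; re-import the PFX" }
Write-Host "Found $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"

# 2. Find the key container file. winhttpcertcfg -g/-r edits the NTFS ACL of this
#    file; CSP (RSA) keys live under MachineKeys. The base path differs between
#    Windows Server 2003 and later versions.
$info = $cert.PrivateKey.CspKeyContainerInfo
if (-not $info) { throw "Private key is not a CSP key; inspect the key ACL manually" }
$base = if ($env:ProgramData) { $env:ProgramData } else { "$env:ALLUSERSPROFILE\Application Data" }
$keyFile = Join-Path "$base\Microsoft\Crypto\RSA\MachineKeys" $info.UniqueKeyContainerName
if (-not (Test-Path $keyFile)) { throw "Key container file not found: $keyFile" }

# 3. Review every account with access. Only the ILM service account, SYSTEM and
#    Administrators should be listed; anything else is excess private-key access.
$expected   = @($ServiceAccount, 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$hasService = $false
foreach ($ace in (Get-Acl $keyFile).Access) {
    $who = $ace.IdentityReference.Value
    if ($who -ieq $ServiceAccount) { $hasService = $true }
    $flag = if ($expected -contains $who) { 'ok    ' } else { 'REVIEW' }
    Write-Host ("{0} {1,-40} {2}" -f $flag, $who, $ace.FileSystemRights)
}
if (-not $hasService) { Write-Warning "$ServiceAccount has no access to the key; run winhttpcertcfg -g" }

# 4. Export only the public certificate (DER-encoded X.509, no private key), which
#    is what the Admin Center SDK page takes.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($ExportPath, $der)
Write-Host "Public certificate written to $ExportPath ($($der.Length) bytes)"
```

The private key password passed with -p stays in the console history of the account that ran winhttpcertcfg; clear that history and delete the PFX file from the root of C: once the import has been verified.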
Appendix F: Migrating from the SDK tools
If you have been using one of the SDK Tools to manage your domain, you can migrate from them to ILM
if you prefer.

Note: If you do this, we recommend making a full move to Identity Lifecycle Manager. Do NOT use the
SDK apps for account management after you migrate from them, otherwise you will encounter errors. If
you add or remove accounts with the SDK tools after moving to ILM, the domain will become out of
sync.

The EduExpress application contains an option to export a CSV file containing your domain’s member
accounts. This file can be used to import members into ILM.

1. First, launch the EduExpress application and locate the Export Existing Member List link.
2. Clicking this link brings up a save dialog box. Save the file to a known location.

You can use this CSV file to populate Active Directory, a SQL database, a delimited text file or any other
source supported by ILM. For demonstration purposes, we’ll create a delimited text file for use with
ILM.

3. Create a new text file with the attributes you want to use in the header of the file. Refer to the
Passport User Attributes section for more information.
4. Launch Identity Manager, click Create to create a new management agent for a data source.
More information about configuring data source management agents is included in Section 5.
5. Select Delimited Text File in the Management Agent For: drop down menu. Give the
management agent a name and a description (if desired).

6. In Select Template Input File, select the text file you created in step 3. Click Next.
7. In Delimited Text Format, click Use first row for header names and click Next.

8. In Configure Attributes, click the Set Anchor button to set an anchor attribute for the
management agent.
9. In the Set Anchor window, click the SigninName attribute and click the Add button to construct
the anchor. Click OK and click Next.

10. In Define Object Types, accept the default and click Next.
11. In Configure Connector Filter, accept the defaults by clicking Next.

12. In Configure Join and Projection rules, we want to create a projection rule for the data source
management object to project members into the Metaverse. Click New Projection Rule.
13. Unless you’ve created your own object type in Metaverse, select the person metaverse object
type, leave the radio button next to Declared selected, click OK and click Next.
14. In Configure Attribute Flow, we will create attribute flow for the attributes in our text file. Select
an attribute in the data source attribute column, set the radio button for mapping type to Direct,
set the radio button for Flow Direction to be Import, click the corresponding Metaverse
Attribute and click the New button. Follow these same steps for every attribute mapping. In
the example, we’re flowing our attributes like this:

Data source attribute   Mapping Type   Flow Direction   Metaverse Attribute
FirstName               Direct         Import           givenName
LastName                Direct         Import           LastName
SigninName              Direct         Import           mail

When you’re finished setting attribute flow, click Next.


15. In Configure Deprovisioning, accept the default of Make them Disconnectors by clicking Next.

16. In Configure Extensions, accept the default by clicking the Finish button.
17. Next we will configure the export management agent. In Identity Manager, click Create from
under the Actions menu.
18. From the Create Management Agent drop down menu, select WLCD Management Agent
(Microsoft), give the management agent a name and a description (if desired).
19. In Configure Connection Information, enter your administrator account and password into the
appropriate fields. If you’re using a certificate for authentication, you can skip this step.

20. In Configure Additional Parameters, accept the defaults for now by clicking Next.
21. In Configure Attributes, accept the default settings and click Next .

22. In Define Object Types, accept the default settings and click Next.
23. In Configure Connector Filter, accept the defaults and click Next.

24. In Configure Join and Projection Rules, accept the defaults for now and click Next.

25. In Configure Attribute Flow, we will set up direct export attribute flows for the attributes we set
up on the data source management agent. Select an attribute in the data source attribute
column (Passport User), set the radio button for mapping type to Direct, set the radio button for
Flow Direction to be Export, click the corresponding Metaverse Attribute and click the New
button. Follow these same steps for every attribute mapping. In the example, we’re flowing
our attributes like this:

Data source attribute   Mapping Type   Flow Direction   Metaverse Attribute
FirstName               Direct         Export           givenName
LastName                Direct         Export           LastName
SigninName              Direct         Export           mail

When you’re finished setting attribute flow, click Next.


26. In Configure Deprovisioning, accept the defaults and click Next.

27. In Configure Extensions, uncheck Enable password management and click Finish.
28. Both management agents are now configured. Now we need to turn off provisioning in ILM so
that we can sync our accounts with those existing in Windows Live. Go to Tools > Options and
remove the tick from the checkbox next to Enable Provisioning Rules Extension.

29. We need to copy the data source text file to the C:\Program Files\Microsoft Identity Integration
Server\MaData\<data source management agent folder>.
30. Create a full import run profile for the data source management agent.
a. Click the New Profile button, give the run profile a name (in this case, Full Import) and
click Next.

b. In Configure Step, set the type of run profile by selecting Full Import (Stage Only).
c. In Management Agent Configuration, Click the Select button to select the Input file you
placed in the C:\Program Files\Microsoft Identity Integration Server\MaData\<data
source management agent folder>.

d. Select the file from the list, click OK and Click Finish.

31. Create a full synchronization run profile for the data source management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent
Configuration.
32. Run a full import and sync from the data source management agent to project data into the
metaverse.
a. In Identity Manager under Actions, select Run, select Full Import and click OK.
b. In Identity Manager under Actions, select Run, select Full Sync and click OK. Be sure to
note the number of projections. This number should match the number of accounts
you’re synchronizing with Windows Live.

Note: If you experience the error no-start-file-access-denied, select the folder for the data source
management agent (C:\Program Files\Microsoft Identity Integration Server\MaData\<data source
management agent folder>), click the Security tab, click the Advanced tab and select the tick box for
“Replace permission entries on all child objects with entries shown here that apply to child objects”.
Click OK, and click OK again on the security dialog box.

c. Click Yes, then OK to close the properties dialog box. This will enable the correct
permissions.
33. In the Windows Live management agent, we have to set the domain into recovery mode and
configure some parameters for the disaster recovery to work.
a. Open the Windows Live management agent and click the Configure Additional
Parameters tab.

We need to add two parameters in this tab. Click New and add a Parameter name of Domain. In the
Value field, type the name of your domain. Click OK.

b. Click new and add a Parameter name of DisasterRecoveryMode. In the Value field, type
true and click OK.
34. Set a join rule on the Windows Live management agent for the SignInName attribute in
Windows Live to join to the mail attribute (or whatever attribute you used in Metaverse to store
member e-mail accounts).
a. In Identity Manager, in the Windows Live management agent, select the Configure Join
and Projection Rules tab.

b. Click New Join Rule and select the data source attribute SigninName and Metaverse
object type mail (or whatever attribute in Metaverse you’re using to store member
accounts) and click Add Condition.
35. Create a template for use in the full import run profile for the Windows Live management agent.
a. Navigate to the MaData folder in the installation folder for ILM. Usually this is
C:\Program Files\Microsoft Identity Integration Server\MaData unless changed upon
install.

36. Open the folder for the Windows Live management agent, right click and select New Text
Document from the menu.
37. Give the file any name, for example, import.txt, and close the install folder window.

38. Create a full import run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Import from the run profile type, select the file you just created in Step 37 above and
click Finish in Management Agent Configuration.
39. Create a full synchronization run profile for the Windows Live management agent.
a. Follow the exact same steps as Step 30; name the profile appropriately, select Full
Synchronization from the run profile type, and click Finish in Management Agent
Configuration.
40. Run a full import on the Windows Live management agent. Note the number of objects.
41. Run a full synchronization on the Windows Live management agent.

42. Verify that all imported accounts are joined. There should be the same number of joins as
objects from the full import (unless you’re using Active Directory or another LDAP directory as
your data source; in this case, you would subtract the container objects)
43. There should be pending exports to Windows Live for all joined accounts. Randomly examine a
few pending exports to make sure attributes are correctly set. For instance, do not set the
ResetPassword attribute unless you want to require all users to reset their password.
44. Create an Export run profile on the Windows Live MA.
45. Enable provisioning by going to the Tools menu\Options in ILM and clicking the “Enable
Provisioning Rules Extension”.
46. Run a full synchronization on the data source management agent.
47. If any exports are pending for the Windows Live management agent after step 46, these must be
new users that were not created in Windows Live before the disaster occurred.
48. Run an export to Windows Live to create the new users (if desired).
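As an added example (not from this guide, from ILM or from EduExpress), the PowerShell script below prepares the delimited text file of step 3 from the EduExpress member export: it normalizes sign-in names, drops entries outside the managed domain and duplicates that would break the join on SigninName, writes the header row that "Use first row for header names" expects, and reports the count you compare against the projection and join totals in steps 32b and 42. The EduExpress column names, the domain and the output path are assumptions; the embedded sample export is constructed.

```powershell
# Added example, not from the Live@edu guide: build the data source text file for
# the delimited text file management agent from an EduExpress member export.
# Assumptions: the export column names 'Sign-in Name', 'First Name' and
# 'Last Name' are placeholders; adjust them to the real header of your export.

# Constructed sample export, embedded so the script runs offline. For a real
# migration replace this with: $export = Import-Csv -Path <EduExpress export>
$export = @'
"Sign-in Name","First Name","Last Name","Status"
"asmith@contoso.edu","Alice","Smith","Active"
"bjones@contoso.edu","Bob","Jones","Active"
"ASMITH@contoso.edu","Alice","Smith","Active"
"cdoe@other.edu","Carol","Doe","Active"
"","Dave","Null","Active"
'@ | ConvertFrom-Csv

$domain  = 'contoso.edu'     # placeholder: the domain you manage in Admin Center
$outFile = 'C:\members.txt'  # copy this into the MA's MaData folder afterwards (step 29)

$seen    = @{}
$rows    = @()
$skipped = @()
$pattern = "^[a-z0-9._-]+@$([regex]::Escape($domain))$"
foreach ($m in $export) {
    # Windows Live IDs are case-insensitive, so normalize before the duplicate check;
    # the join rule in step 34 matches on this value.
    $signin = ($m.'Sign-in Name').Trim().ToLowerInvariant()
    if ($signin -notmatch $pattern) {
        $skipped += "$($m.'First Name') $($m.'Last Name') ('${signin}'): not a sign-in name in $domain"
        continue
    }
    if ($seen.ContainsKey($signin)) { $skipped += "${signin}: duplicate"; continue }
    $seen[$signin] = $true
    # Column names match the attribute flow table: FirstName, LastName, SigninName.
    $rows += [pscustomobject]@{
        FirstName  = $m.'First Name'
        LastName   = $m.'Last Name'
        SigninName = $signin
    }
}

# Header first, one member per line, comma-delimited and quoted.
$rows | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $($rows.Count) members to $outFile; expect $($rows.Count) projections on full sync."
$skipped | ForEach-Object { Write-Warning $_ }
```

For the sample above the script writes two members (asmith and bjones) and warns about the three it skipped, which is the figure to check against the projection count in step 32b before you enable provisioning again.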
Appendix G: Support information
Getting Help from Microsoft
For general Live@edu program information please refer to our Live@edu program website located here
- http://www.liveatedu.com/

For additional questions regarding the program that are not addressed on the program page, or any
onboarding questions, please direct your inquiry to the Windows Live Commercial Partner Center using
this e-form: https://support.live.com/default.aspx?productkey=wlpc&mkt=en-ww.

Please refer all single user issues that involve MSN Services to http://support.live.com. This is the same
support resource that is available to all global users of Windows Live services and can often resolve
single user issues.

If you are experiencing an issue that impacts multiple end users, or are experiencing errors or
unexpected behavior with your account provisioning tools we suggest you file a ticket with our Premier
Partner Support team.

Once you have onboarded with the Live@edu program you will be provided a unique Premier Online
account for your institution. Please use this Premier Online account for filing issues only directly related
to the Microsoft Live@edu program.

If, after filing your support ticket, you feel that you have not received a timely response or if you would
like a status update, please contact the Live@edu escalation services team (edues@microsoft.com).
Please provide your support ticket number when contacting this team. These ticket numbers usually begin
with the characters “SR”.

Live@edu partners who use Windows Live Services are supported by the MSN Partner Support team,
which is staffed to assist you with your technical support issues regarding the Microsoft Live@edu
products (e.g. ILM, Passport MA, mail delivery issues, etc.).

In addition to our Partner Support staff we have an Emergency Response Team (ERT) available
24x7x365 to respond to operational support issues submitted by Live@edu partners that deal with
the Windows Live Services (e.g. confirming Windows Live maintenance, latency, or issues impacting login or
mail delivery, etc.). Note: technical support related issues will be addressed by the Partner Support team
the next business day.

To engage our Support Professionals you will need to submit Microsoft Live@edu technical issues using
the Microsoft Premier Online website. Premier Online will be the primary tool used by your support and
Helpdesk personnel to submit support cases to engage Microsoft Partner Support and the Emergency
Response team.
Using Microsoft Premier Online
Microsoft Premier Online is a secure website that requires a Windows Live ID (Passport) account, a
Microsoft Premier Online Access ID and Password for login.

Steps to access the Microsoft Premier Online site


First if you do not already have one, you will need to create a Windows Live ID (formerly known as .NET
Passport); please go to http://www.passport.net to create a Windows Live ID.

Next go to the Premier Online site (https://premier.microsoft.com) and link your Windows Live ID
(formerly .NET Passport) to your Premier Online support account. For this step, you will need your
Premier Online Access ID and your password.

Your unique credentials will be provided by the Live@edu Escalation services team via e-mail once you
have onboarded with the Live@edu program.

Note: Please safeguard this access ID and password. Provide this information only to support and
Helpdesk personnel who you authorize to open support incidents.

Steps to file a support request with Microsoft: 


1. Sign into the Premier Online site.
2. Click “Submit Incident” in the left hand column (this will take you to the Submit Incident page).
3. From the “Select a Product” drop down, choose “Beta and Other Products”.
4. From the “Select a product version or edition” drop down scroll down and select “MSN College
& University Program”.
5. Click “Next>>”.
6. On the “Describe the problem” page, fill out the following information:
a. Title:  Include <Institution Name:> The Title should be a short, clear description of the
issue
b. Severity:  Choose Severity C or B (tool does not allow Severity A issues to be submitted;
In order to upgrade an issue to severity A you must call the Emergency Response team)
c. Details:  copy and paste the following template to fill out the incident details section:

• Severity of the incident, e.g. number of users impacted as well as your internal issue severity level.
• Detailed description of the incident.
• Steps to reproduce the problem.
• Troubleshooting done.
• Full error text and logs.
• Other comments/additional information that might be useful to bring about the resolution
of the incident, e.g. error messages, etc.
• Specific user accounts, if needed, that demonstrate/exhibit the problem. Note: never
include the user’s password.

NOTE: Currently we provide support in English only. Submitting support incidents in languages other
than English may result in delays in handling.

• Computer Information:  Select the Operating System.
• Attachments: the Computer Information section includes the ability for you to attach files,
error logs, and images to your case that may be useful to the Support Professional in resolving
your issue.
• Contact Information:  Ensure your contact information is accurate.
7. Click the “Submit” button. Your incident submission is complete and a tracking number will be
provided for your case. 

Once your case has been submitted, a Partner Support team member will be assigned ownership of your
case and they will work with you directly to assist in resolving your issue.

Tracking/Updating an Incident: 
Please note that you can check the latest status of your issue(s) or add additional information at any
time by logging on to the Premier Online site.

1. Sign into the Premier Online site (https://premier.microsoft.com).
2. Click "View Incidents" in the left hand navigation pane (found under the Online Services
section).
3. Make sure the Schedule name is "MSN University Program" and apply any other needed view
filters.
4. Click on the incident number that you are interested in.
5. Review the Microsoft Support Professional's notes and enter a response and additional notes for
the Microsoft Support Professional in the provided text box if necessary.
6. If you are adding notes to the incident, update contact information if needed, and click "Send".

Incident Severity Definition
When you submit an issue (called a support incident) to Microsoft, you will need to assign a severity
level to the incident; the Severity definitions listed below will assist you in assigning the appropriate
severity to an issue. NOTE: ERT may reset the Severity level as appropriate based on the issue.

Severity A: Significant business impact; significant loss or degradation of services, business process and
work cannot reasonably continue. All employees, students, and alumni are affected. Our response goal
for Severity A issues is one hour, followed by updates every hour or as needed.

Severity B: Moderate business impact; moderate loss or degradation of services, but work can
reasonably continue in an impaired manner. Issues affect most (but not all) employees, students, and
alumni. Our response time goal for Severity B issues is two hours, followed by updates every two hours
or as needed.

Severity C: Minimum business impact; used for issues encountered during implementation
(pre-deployment), but prior to launching the service to your students and faculty. Our response time
goal for Severity C issues is 4 hours or next business day with updates as needed. NOTE: All installation
and configuration issues related to Windows Live@Edu would qualify as Sev C.

Severity D is used to monitor incidents that need to remain open for long periods of time.
