Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Primary and Secondary Installations

To provide a high-availability solution, Identity Synchronization for Windows must be installed in two separate environments, one in the United States and one in Europe. The deployment in the United States is the primary deployment; the deployment in Europe is used only in failover scenarios.

To improve performance, the Identity Synchronization for Windows components are distributed between two machines in each environment. For the deployment in the United States, the Identity Synchronization for Windows Core components are installed on config-us.gt.com, and both connectors are installed on connectors-us.gt.com. For the deployment in Europe, the Identity Synchronization for Windows Core components are installed on config-eu.gt.com and both connectors are installed on connectors-eu.gt.com.

The primary deployment and the various communication paths are shown in the following figure. For simplicity, gt.com is dropped, and only the machine names are shown.

Figure 3–3 Primary Installation of Identity Synchronization for Windows


The Directory Server Connector and Active Directory Connector, installed on connectors-us.gt.com, communicate with each other and receive their configuration from the Message Queue that is installed with the Identity Synchronization for Windows Core.

The Active Directory Connector communicates exclusively with the ad1-us.gt.com domain controller, using LDAP. The Directory Server Connector communicates with two Directory Server masters. While master1-us.gt.com is available, the connector detects changes made there and propagates changes to it. If that machine becomes unavailable, the connector fails over to master2-us.gt.com to apply changes, but it cannot detect further changes made at any master until master1-us.gt.com is available again.


Note –

The Identity Synchronization for Windows Directory Server Plugin must be enabled on all eight Directory Server instances: the four masters and the four read-only replicas.

You can enable the Directory Server Plugin with the following command (-C configures the plugin, -U unconfigures it; a value of - for -w or -q makes idsync read that password from standard input instead of the command line, so it does not appear in process listings or shell history):

idsync dspluginconfig -{C/U} -D <bind DN> -w <bind password | -> [-h <CD hostname>] [-p <CD port no>] [-s <configuration suffix>] [-Z] [-P <cert db path>] [-m <secmod db path>] [-d <ds plugin hostname>] [-r <ds plugin port>] [-u <ds plugin user>] [-x <ds plugin user password>] [-o <database suffix>] [-q <configuration password | ->]

Enter idsync --help for more information.

When a directory server starts up, the Directory Server Plugin establishes a secure connection to the Directory Server Connector. Once the plugin is authenticated, the connector sends the configuration information, and the plugin can send log messages to the central log, through the connector. The configuration includes keys for encrypting modified passwords and Active Directory information for performing on-demand password synchronization.

When a user's Active Directory password changes, Identity Synchronization for Windows sets the dspswvalidate attribute to true in the user's Directory Server entry. The attribute is set in the entry itself because the user can bind to any Directory Server instance, so on-demand password synchronization can originate from any of them.
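Entries that carry dspswvalidate: true are exactly the users whose next bind will trigger on-demand password synchronization. The following script is an added example, not part of the guide or of the Identity Synchronization for Windows product: it reads an LDIF dump of user entries and lists the DNs whose flag is set, so an administrator can see how many on-demand synchronizations are pending before a failover. The sample LDIF, the suffix dc=gt,dc=com and the ldapsearch command in the comment are constructed assumptions, not values from the guide.

```shell
#!/bin/sh
# Added example (not from the Identity Synchronization for Windows guide):
# list Directory Server entries whose dspswvalidate flag is true, i.e. users
# whose next bind triggers on-demand password synchronization.

# Print the DN of every LDIF entry on stdin whose dspswvalidate attribute is
# true. Directory Server returns the boolean in either case, so compare
# case-insensitively. A blank line ends an LDIF entry.
pending_from_ldif() {
    awk '
        /^dn: /                                { dn = substr($0, 5) }
        tolower($0) ~ /^dspswvalidate: *true$/ { if (dn != "") print dn }
        /^$/                                   { dn = "" }
    '
}

# Number of pending entries in the LDIF stream on stdin.
pending_count() {
    pending_from_ldif | wc -l | tr -d ' '
}

# Constructed sample LDIF, shaped like the output of
#   ldapsearch -h master1-us.gt.com -p 389 -D "cn=Directory Manager" -w - \
#       -b "dc=gt,dc=com" "(objectClass=person)" dspswvalidate
# (bind DN and suffix are assumptions; the guide does not give them).
sample_ldif() {
    cat <<'EOF'
dn: uid=alice,ou=People,dc=gt,dc=com
dspswvalidate: true

dn: uid=bob,ou=People,dc=gt,dc=com
dspswvalidate: FALSE

dn: uid=carol,ou=People,dc=gt,dc=com
dspswvalidate: TRUE

dn: uid=dave,ou=People,dc=gt,dc=com
cn: Dave

EOF
}

# Usage: feed real ldapsearch output instead of sample_ldif, e.g.
#   ldapsearch ... | pending_from_ldif
sample_ldif | pending_from_ldif
```

Run the query against a master rather than a read-only replica if you want the most recent state, since the flag is set by the synchronization path and reaches replicas only through replication.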

If the user logs into master1-us.gt.com or master2-us.gt.com, then on-demand password synchronization is done directly to the ad1-us.gt.com Active Directory domain controller. Other domain controllers are contacted only if ad1-us.gt.com is unavailable.

If the user logs into one of the other two masters or one of the read-only replicas, then on-demand password synchronization is done against master1-us.gt.com or master2-us.gt.com, and these masters in turn continue the on-demand password synchronization to one of the Active Directory domain controllers.

These two hops are necessary because:

After the Primary Installation is complete, the second Identity Synchronization for Windows installation is done on the two machines in Europe, config-eu.gt.com and connectors-eu.gt.com as shown in the figure below.

Figure 3–4 Failover Installation while the Primary Installation is Active


The Identity Synchronization for Windows Directory Server Plugins have not been re-installed, so they still receive their configuration from the Directory Server Connector running on connectors-us.gt.com, while the on-demand password synchronization passes through master1-us.gt.com or master2-us.gt.com before reaching the Active Directory domain controllers.

The failover installation remains in this state until Global Telco needs to fail over to it. To complete the failover, the Identity Synchronization for Windows Plugin is re-enabled (reinstalled with idsync dspluginconfig) on every Directory Server instance, which changes its startup configuration so that it communicates with the Directory Server Connector running on connectors-eu.gt.com.
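Because the plugin has to be reconfigured on all eight instances, the failover step is worth scripting so that no instance is missed and every invocation uses the same arguments. The script below is an added example, not a script shipped with Identity Synchronization for Windows or given in the guide. It builds one idsync dspluginconfig command per instance from the synopsis in the note above. Everything except the command syntax and the names master1-us.gt.com, master2-us.gt.com and config-eu.gt.com is an assumption: the other six instance hostnames, the ports, the bind DN, the suffixes, and the use of config-eu.gt.com as the configuration directory host. By default it only prints the commands (DRY_RUN=1); with DRY_RUN=0 it executes them, and idsync reads the bind and configuration passwords from standard input because -w - and -q - are used instead of placing them in the command line.

```shell
#!/bin/sh
# Added example (not from the Identity Synchronization for Windows guide):
# re-enable the Directory Server Plugin on every Directory Server instance so
# that its startup configuration points at the failover installation.
# Stops at the first failing instance (set -e) so a half-done failover is
# noticed rather than silently skipped.
set -eu

# Configuration directory behind the failover Core. ASSUMPTION: it is the
# host the guide calls config-eu.gt.com, listening on 389.
CD_HOST=${CD_HOST:-config-eu.gt.com}
CD_PORT=${CD_PORT:-389}
CONFIG_SUFFIX=${CONFIG_SUFFIX:-"dc=gt,dc=com"}   # -s, assumed
DB_SUFFIX=${DB_SUFFIX:-"dc=gt,dc=com"}           # -o, assumed
BIND_DN=${BIND_DN:-"cn=Directory Manager"}        # -D, assumed
DRY_RUN=${DRY_RUN:-1}                             # 1 = print only

# All eight instances as host:port. Only master1-us and master2-us are named
# in the guide; the other six hostnames are assumptions for illustration.
INSTANCES="
master1-us.gt.com:389
master2-us.gt.com:389
master3-us.gt.com:389
master4-us.gt.com:389
replica1-us.gt.com:389
replica2-us.gt.com:389
replica3-us.gt.com:389
replica4-us.gt.com:389
"

# Build the idsync dspluginconfig command for one instance ($1 host, $2 port).
# '-w -' and '-q -' make idsync read the bind and configuration passwords from
# stdin, so they never appear in argv, 'ps' output or shell history.
# -u/-x (a dedicated plugin bind user) are optional in the synopsis and are
# left out here; note that -x would take the password on the command line.
plugin_cmd() {
    printf 'idsync dspluginconfig -C -D "%s" -w - -h %s -p %s -s "%s" -d %s -r %s -o "%s" -q -\n' \
        "$BIND_DN" "$CD_HOST" "$CD_PORT" "$CONFIG_SUFFIX" "$1" "$2" "$DB_SUFFIX"
}

# Number of instances that will be reconfigured; a quick check that the list
# really covers the four masters and four replicas.
instance_count() {
    n=0
    for inst in $INSTANCES; do n=$((n + 1)); done
    echo "$n"
}

# Print (and, unless DRY_RUN=1, run) the command for every instance.
run_all() {
    for inst in $INSTANCES; do
        cmd=$(plugin_cmd "${inst%%:*}" "${inst##*:}")
        echo "== $cmd"
        if [ "$DRY_RUN" != 1 ]; then
            eval "$cmd"   # idsync reads the two passwords from stdin
        fi
    done
}

run_all
```

The new configuration takes effect on each instance only when that Directory Server is restarted, because the plugin reads its configuration and connects to the Directory Server Connector at startup, as described above. Restart the instances after the script completes rather than one by one while it runs, so that none of them comes back up still pointing at connectors-us.gt.com.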

Figure 3–5 Primary Installation after Reinstalling the Identity Synchronization for Windows Plugins



Note –

Setting up the secondary installation significantly increases the time required to deploy Identity Synchronization for Windows. However, this up-front cost is offset by the ability to fail over quickly to the alternate deployment when necessary.