Failing Over

The failover process, at a high-level, involves only these tasks:

• Stopping Synchronization at the Primary Installation

• Starting Synchronization at the Failover Installation

• Re-enabling the Directory Server Plug-Ins

• Changing the PDC FSMO Role Owner

• Monitoring the Logs

Stopping Synchronization at the Primary Installation

Before starting synchronization at the failover installation, stop synchronization at the primary installation to prevent unwanted interaction between the two systems. Depending on the reasons for failing over, this is accomplished in different ways. If the primary installation of Identity Synchronization for Windows is still operating properly, for example, failing over because a domain controller or Directory Server is down, stop synchronization using the console or idsync stopsync. Otherwise, stop the Identity Synchronization for Windows daemon (on Solaris) or service (on Windows) on each system where Identity Synchronization for Windows is still operational.

Starting Synchronization at the Failover Installation

After synchronization is stopped at the primary installation, it must be started at the failover installation by using the console or idsync startsync.

The Directory Server Connector will not enter the SYNCING state until the Directory Server Plug-ins are reinstalled on the preferred and secondary Directory Servers (master3-eu.gt.com and master4-eu.gt.com).

The Active Directory Connector will need to process every entry in Active Directory that has been modified since it was last started. It might take several minutes for the Active Directory Connector to begin propagating changes to Directory Server. Setting the log level to INFO before starting synchronization can reduce the impact of the Active Directory Connector having to catch up.

Re-enabling the Directory Server Plug-Ins

To complete the failover process, the Directory Server Plug-in is re-enabled on each Directory Server, which ensures the following:

• The plug-ins running on the preferred Directory Servers use the encryption key from the failover installation to encrypt password changes.

• All directory servers receive an updated on-demand password synchronization configuration.

• Logging done by the plug-ins is sent to the Central Logger of the failover installation.

The plug-ins must be re-enabled in this order:

1. Failover installation's preferred Directory Server.

2. Failover installation's secondary Directory Server.

3. All other preferred and secondary Directory Servers.

4. All preferred and secondary Directory Server replicas.

The order in which the Directory Server Plug-ins are enabled is important. If they are enabled in the wrong order, on-demand synchronization requests could loop between two preferred Directory Servers, tying up all Directory Server connections.

When re-enabling the plug-ins, make sure to specify the configuration directory of the failover installation, for example, config-eu.gt.com.

This re-enabling procedure can be automated by doing more work ahead of time:

1. Install the Directory Server Plug-ins for the failover configuration.

2. Export the plug-ins' configuration for each master from the cn=pswsync,cn=plugins,cn=config tree.

3. Re-enable the Directory Server Plug-ins for the primary configuration.

To fail over:

1. Delete the cn=pswsync,cn=plugins,cn=config tree.

2. Add the failover installation entries by using ldapmodify.

3. Restart the directory server.

Changing the PDC FSMO Role Owner

This task is optional. If the Active Directory Connector in the failover installation is configured to communicate with a domain controller that does not have the PDC FSMO role, synchronization from Active Directory will be delayed due to the Active Directory replication latency. To avoid this delay, the PDC FSMO role can be transferred to the domain controller that the connector is accessing.

Monitoring the Logs

After the failover process is complete, monitor the central error log of the failover installation for any unexpected warnings. Warnings similar to the following will likely appear:

[08/Nov/2004:07:58:24.803 -0600] WARNING 25  CNN100 connectors-eu  
"Unable to obtain password of user CN=Jane Test,OU=people,DC=gt,DC=com, 
because the password was encoded by a previous installation of 
Identity Synchronization for Windows Directory Server 
Plugin. The password of this user cannot be synchronized at this time. 
Update the password of this user again in Directory Server."

These warnings occur for each password update in the retro changelog that was made before the Directory Server Plug-in was reinstalled because the Primary Directory Server Plug-in was configured to use a different encryption key from the failover Directory Server Plug-in. Many of these password updates were likely synchronized by the primary installation before it went offline, but those that occurred after the primary installation went offline cannot be recovered. Users who are affected must change their password either in Active Directory or Directory Server to synchronize their passwords.

Failing Back to the Primary Installation

The procedure for failing back to the primary installation is identical.