Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

Configuring Directory Sources

This section explains how to configure the following directory sources:

  Sun Java System Directory Server
  Active Directory
  Windows NT

Configuring the Sun Java System Directory Server Source

When configuring the Directory Server source, the preferred Directory Server is set to master-east.eb.com. The Directory Server Connector uses this Directory Server to detect changes that must be synchronized to Active Directory and Windows NT, and to apply the changes it receives from them. Alternatively, master-west.eb.com could have been selected. However, the Directory Server Connector performs better when it connects to a local Directory Server rather than to a Directory Server located across a wide area network (WAN).


Note –

When the password modification settings are changed, the Console automatically enables the SSL option, because Active Directory requires an SSL connection for password changes synchronized from Directory Server to Active Directory.


Procedure: To Specify the Preferred and Secondary Directory Servers

  1. In the Directory Sources window of the Identity Synchronization for Windows Console (Console), click New Sun Directory.

  2. In the Define Sun Java System Directory Source dialog box, select Specify a Preferred Server.

    Preferred Directory Server Instance Dialog
  3. Select Choose a Known Server and then choose a preferred Directory Server from the drop-down menu, in this case, master-east.eb.com.

  4. (Optional) Select Specify Secondary Servers to select a secondary Directory Server, in this case, master-west.eb.com.

    If master-east.eb.com is unavailable, the Directory Server Connector synchronizes changes made at Active Directory to master-west.eb.com.

    Specifying the Secondary Master Directory Server

Configuring the Active Directory Source

The Active Directory global catalog information enables the Identity Synchronization for Windows Console to learn the Active Directory configuration. In this case study, the global catalog is running on ad-west.eb.com. By default, the Console auto-populates the User DN field with the Administrator DN, cn=Administrator,cn=Users,dc=eb,dc=com. Do not leave the domain Administrator account in place: change this field to the dedicated Identity Synchronization for Windows user that was created earlier, cn=iswUser,cn=Users,dc=eb,dc=com.

Procedure: To Specify Information in the Global Catalog and for the Active Directory Domain

  1. In the Console, in the Directory Sources window, click New Active Directory Source.

    The Windows Global Catalog dialog box is displayed.

  2. Type the fully qualified name of the global catalog host in the Host field, in this example, ad-west.eb.com.

  3. Change the default User DN (cn=Administrator) to the DN cn=iswUser,cn=Users,dc=eb,dc=com.

  4. Type the password and click OK.

    Windows Global Catalog Dialog Options
  5. Provide credentials for the Active Directory domain, then click Next.

    The Active Directory Connector uses the same Identity Synchronization for Windows special user credentials to connect to Active Directory that you provided when connecting to the global catalog.

    Credentials for the Active Directory Domain
  6. Specify the PDC FSMO role owner domain controller.

    The ad-west.eb.com domain controller is the PDC FSMO role owner (the PDC emulator). Certain changes, such as password modifications, made at other domain controllers are replicated immediately to this domain controller, whereas ordinary Active Directory replication between domain controllers can take several minutes. The Active Directory Connector therefore communicates with this domain controller, so that such changes made at any domain controller in the domain can be synchronized to Directory Server without waiting for the normal replication cycle.

    The Active Directory Connector for this domain is installed on the same machine as Identity Synchronization for Windows Core, master-east.eb.com, so it communicates with ad-west.eb.com over the WAN. This is acceptable because the Active Directory Connector performs better across a WAN than the Directory Server Connector does: it needs fewer directory searches to detect changes.

    PDC FSMO Role Owner Domain Controller Dialog
  7. Specify one or more failover domain controllers for on-demand password synchronization, in this case, ad-east.eb.com.

    If ad-west.eb.com is unavailable, the Directory Server plug-in performs on-demand password synchronization against ad-east.eb.com.

    Failover Domain Controller Dialog Options
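The following pre-flight script is an added example for this case study; it is not part of the Deployment Planning Guide or of the Identity Synchronization for Windows product. Before the values from the two procedures above are entered in the Console, it confirms that the preferred and secondary Directory Servers (master-east.eb.com, master-west.eb.com) answer, that the iswUser credentials bind to the global catalog on ad-west.eb.com over SSL, that ad-west.eb.com really holds the PDC emulator role (by reading the fSMORoleOwner attribute of the domain naming context, which names the NTDS Settings object of the PDC emulator), and that the failover domain controller ad-east.eb.com accepts the same credentials. It assumes OpenLDAP's ldapsearch on the path, a password file for iswUser at an assumed location, and an LDAP client that already trusts the certificates of the domain controllers.

```shell
#!/bin/sh
# Added pre-flight check for the case-study directory sources (example code,
# not the product's own). Host names and DNs are the case-study values; the
# password file path is an assumption.
set -u

# Print the first value of attribute $1 from LDIF on stdin (ldapsearch -LLL
# output). Assumes a plain-text value (no "::" base64), which holds for the
# attributes used here.
ldif_attr() {
    sed -n "s/^$1: //p" | head -n 1
}

# fSMORoleOwner on the domain naming context looks like
#   CN=NTDS Settings,CN=AD-WEST,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,DC=eb,DC=com
# Extract the server's short name in lower case (casing as AD returns it).
fsmo_owner_host() {
    printf '%s\n' "$1" \
        | sed -n 's/^CN=NTDS Settings,CN=\([^,]*\),CN=Servers,.*/\1/p' \
        | tr '[:upper:]' '[:lower:]'
}

# Succeed only if the fSMORoleOwner value ($1) names the expected domain
# controller ($2, a host name with or without its DNS suffix).
pdc_is() {
    expected=$(printf '%s' "$2" | cut -d. -f1 | tr '[:upper:]' '[:lower:]')
    [ -n "$expected" ] && [ "$(fsmo_owner_host "$1")" = "$expected" ]
}

# Anonymous rootDSE read: proves the server answers on that URI.
ldap_reachable() {
    ldapsearch -x -LLL -H "$1" -b '' -s base supportedLDAPVersion >/dev/null 2>&1
}

# Simple bind as $2 (password from file $3, so it never appears on the
# command line) and rootDSE read: proves the credentials are accepted.
ldap_bind_ok() {
    ldapsearch -x -LLL -H "$1" -D "$2" -y "$3" -b '' -s base \
        supportedLDAPVersion >/dev/null 2>&1
}

# All checks for the case study. The Active Directory binds use LDAPS
# (636 on a DC, 3269 on the global catalog) so the iswUser password does
# not cross the WAN in clear text.
check_case_study() {
    pwfile=${1:-/etc/isw/iswUser.pw}   # assumed location of the iswUser password
    isw_dn='cn=iswUser,cn=Users,dc=eb,dc=com'
    rc=0

    # Preferred and secondary Directory Servers
    for ds in master-east.eb.com master-west.eb.com; do
        if ldap_reachable "ldap://$ds:389"; then echo "ok   Directory Server $ds"
        else echo "FAIL Directory Server $ds"; rc=1; fi
    done

    # Global catalog credentials
    if ldap_bind_ok "ldaps://ad-west.eb.com:3269" "$isw_dn" "$pwfile"; then
        echo "ok   global catalog bind as $isw_dn"
    else echo "FAIL global catalog bind as $isw_dn"; rc=1; fi

    # PDC FSMO role owner must be the DC entered in the Console (ad-west).
    # ldif-wrap=no keeps the long DN on one line for ldif_attr.
    owner=$(ldapsearch -x -LLL -o ldif-wrap=no -H "ldaps://ad-west.eb.com:636" \
        -D "$isw_dn" -y "$pwfile" -b 'dc=eb,dc=com' -s base fSMORoleOwner 2>/dev/null \
        | ldif_attr fSMORoleOwner)
    if pdc_is "$owner" ad-west.eb.com; then
        echo "ok   PDC emulator is ad-west ($owner)"
    else echo "FAIL PDC emulator is not ad-west: ${owner:-<unreadable>}"; rc=1; fi

    # Failover DC for on-demand password synchronization
    if ldap_bind_ok "ldaps://ad-east.eb.com:636" "$isw_dn" "$pwfile"; then
        echo "ok   failover DC ad-east.eb.com"
    else echo "FAIL failover DC ad-east.eb.com"; rc=1; fi
    return $rc
}

# Contact the servers only when invoked as "check [pwfile]", so the helper
# functions can be sourced or exercised without network access.
if [ "${1:-}" = check ]; then check_case_study "${2:-}"; fi
```

Run it as `sh isw-preflight.sh check /path/to/iswUser.pw` (the name is ours) from the host where the connectors will run, so the reachability results reflect the same network path the connectors will use. A FAIL on the PDC check usually means the role was transferred since the topology was documented; enter the DC the script reports, not the one from the diagram.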

Configuring the Windows NT Source

After the Directory Server and the Active Directory sources are configured, configure the Windows NT domain.

Procedure: To Specify the Windows NT Domain

  1. In the Console, in the Directory Sources window, click New Windows NT Directory Source.

    The Define a Windows NT Directory Source dialog box is displayed.

    Windows NT Directory Source Selection Dialog Options
  2. Select Specify the Windows NT Domain, type the Windows NT domain, in this case, EXBANK, and click Next.

  3. Type the Primary Domain Controller of the EXBANK domain.

    The NetBIOS name of the Primary Domain Controller is pdc-east; its fully qualified name is pdc-east.eb.com.