Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide

Initializing the Connector State

To initialize the connector state for the failover configuration, synchronization must be started. Before synchronization can be started, the Identity Synchronization for Windows Plugin must be enabled on both master3-eu.gt.com and master4-eu.gt.com to point to the failover configuration. Once the plugin has been enabled and the directory servers have been restarted, synchronization can be started. Verify that both connectors have entered the SYNCING state using the console or the idsync printstat command:

bash-2.05# ./idsync printstat -w <password omitted> -q <password omitted>
Exploring status of connectors, please wait
Connector ID: CNN100
     Type: Sun Java(TM) System Directory
     Manages:  dc=gt,dc=com (ldaps://master3-eu.gt.com:636)
    (ldaps://master4-eu.gt.com:636)
     State: SYNCING
     Installed on:  connectors-eu.gt.com
     Plugin SUBC100 is installed on ldaps://master3-eu.gt.com:636
     Plugin SUBC101 is installed on ldaps://master4-eu.gt.com:636

Connector ID: CNN101
     Type: Active Directory
     Manages: gt.com (ldaps://ad1-us.gt.com:636) (ldaps://ad2-us.gt.com:636)
    (ldaps://ad4-eu.gt.com:636) (ldaps://ad3-eu.gt.com:636)
     State: SYNCING
     Installed on:  connectors-eu.gt.com

Sun Java(TM) System Message Queue Status:  Started

Checking the System Manager status over the Sun Java(TM) System Message Queue.

System Manager Status:  Started
SUCCESS

Once synchronization has started, modify a user password in both Active Directory and Directory Server; this forces the connectors to persist their state. To verify, do the following:

Directory Server Connector: Check for the presence of the /var/opt/SUNWisw/persist/ADP100/accessor.state file, and check that the highestacknowledgedchangenumber value stored in the file is not -1. (To determine the appropriate ADP subdirectory of persist, find the connector ID using the console or idsync printstat, and then replace CNN with ADP in the connector ID.)

Active Directory Connector: Check that the Active Directory Connector actually propagated the change. The central log should contain an INFO message that includes the usnchanged value, for example:

[05/Nov/2004:14:07:38.982 -0600] INFO    18  CNN101 connectors-eu  
"The agent is sending the following inbound action to MQ: 
Type: MODIFY SUL: GT_USERS {Data Attrs: } {Other Attrs: cn: Jane Test 
dn: CN=Jane Test,CN=Users,DC=gt,DC=com objectclass: top,person, 
organizationalPerson, user dspswuserlink: Rwyr9YEFk0WYxbFP5Nnrjg== pwdlastset: 
127441696561778218 samaccountname: 3aa00test100001 sn: test100001 usnchanged: 120831 
whenchanged: 20041105230736.0Z passwordchanged: TRUE}." 
(Action ID=CNN102-1000A5846CB-5, SN=2)

Once you have verified that both connectors have checkpointed their state, stop synchronization for the failover installation, and then reinstall the Directory Server Plugins on master3-eu.gt.com and master4-eu.gt.com to point to the primary configuration.
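
The three checks above (connector state, the persisted change number, and the logged usnchanged value) can be scripted; the following is an added example, not part of Oracle's guide or product. The function names, the PERSIST_ROOT variable and the key-then-value layout assumed for accessor.state are assumptions, while the printstat and log formats are the ones shown on this page.

```bash
#!/bin/bash
# Added example, not Oracle's code: checkpoint checks for the failover connectors.
PERSIST_ROOT="${PERSIST_ROOT:-/var/opt/SUNWisw/persist}"

# Read `idsync printstat` output on stdin; print "ID STATE" per connector.
connector_states() {
  awk '/^Connector ID:/ { id = $3 } /^ *State:/ { print id, $2 }'
}

# Succeed only if at least one connector is listed and all are SYNCING.
all_syncing() {
  connector_states |
    awk '$2 != "SYNCING" { bad = 1 } END { exit (NR == 0 || bad) }'
}

# CNN100 -> $PERSIST_ROOT/ADP100/accessor.state (CNN replaced with ADP).
state_file() {
  printf '%s/ADP%s/accessor.state\n' "$PERSIST_ROOT" "${1#CNN}"
}

# Succeed if connector $1 has persisted a change number other than -1.
# ASSUMPTION: accessor.state holds the key name, then separator characters,
# then the integer; the page does not show the file's layout.
ds_checkpointed() {
  grep -iEo 'highestacknowledgedchangenumber[^0-9-]*-?[0-9]+' \
      "$(state_file "$1")" 2>/dev/null |
    awk '{ sub(/^[^0-9-]+/, ""); v = $0 }
         END { exit !(NR > 0 && v != "-1") }'
}

# Print the usnchanged value from the last INFO record that connector $1
# wrote to central log $2; fail if none. A record may wrap over several lines.
ad_last_usn() {
  awk -v id="$1" '
    /^\[/ { mine = ($3 == "INFO" && $5 == id) }
    mine && match($0, /usnchanged: [0-9]+/) {
      usn = substr($0, RSTART + 12, RLENGTH - 12)
    }
    END { if (usn == "") exit 1; print usn }' "$2"
}

# Usage (passwords and the log path are placeholders):
#   ./idsync printstat -w <pw> -q <pw> | all_syncing && ds_checkpointed CNN100 \
#     && ad_last_usn CNN101 /path/to/central.log
```

A missing accessor.state file, a stored value of -1, and a log with no matching record all yield a non-zero exit status, so the functions can gate the step that stops synchronization for the failover installation.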