Skip Navigation Links | |
Exit Print View | |
Oracle Identity Synchronization for Windows 6.0 Deployment Planning Guide |
2. Case Study: Deploying in a Multimaster Replication Environment
3. Case Study: Deploying in a High-Availability Environment Over a Wide Area Network Using SSL
Global Telco Deployment Information
Installation and Configuration Overview
Primary and Secondary Installations
Periodically Linking New Users
Large Deployment Considerations
Increasing Connector Worker Threads
Aligning Primary and Failover Configurations
Setting Multiple Passwords for uid=PSWConnector
Initial idsync resync Operation
Initial idsync resync Operation for Primary Installation
Initial idsync resync Operation for Failover Installation
Periodic idsync resync Operations
Periodic idsync resync Operation for Primary Installation
Periodic idsync resync Operation for Failover Installation
Understanding the Failover Process
Initializing the Connector State
Failover Installation Maintenance
Stopping Synchronization at the Primary Installation
Starting Synchronization at the Failover Installation
Re-enabling the Directory Server Plugins
Changing the PDC FSMO Role Owner
Failing Back to the Primary installation
A. Pluggable Authentication Modules
B. Identity Manager and Identity Synchronization for Windows Cohabitation
Identity Synchronization for Windows is a background system that with one exception is not user-facing. Therefore, if it is temporarily unavailable, for example, due to routine hardware maintenance, then most users will be unaffected. Once the system is restored, Identity Synchronization for Windows will synchronize all changes that were made while it was unavailable. The user-facing aspect is the on-demand password synchronization performed from the Directory Server Plugin to Active Directory. If on-demand password synchronization fails, then the user will not be able to log into Directory Server. Therefore, Identity Synchronization for Windows provides more availability options for this area. The Directory Server Plugin can be configured to authenticate to any Active Directory domain controller, so even if all but one Active Directory domain controller is down, on-demand password synchronization will still succeed.
Note - The Directory Server Plugins receive their configuration from the Directory Server Connector over an encrypted channel. This configuration, which includes the location of the Active Directory domain controllers and credentials, is cached in memory by the plugin, so even if the Directory Server Connector is unavailable, it will still be able to connect to Active Directory. However, if Directory Server is restarted, then the plugin's cached configuration is lost, and on-demand synchronization at that Directory Server will fail until the Directory Server Connector is available.
Depending on the size of the deployment, the failover procedure might take anywhere from minutes to over an hour to perform. Therefore, the failover procedure should not be undertaken if the Identity Synchronization for Windows outage is expected to be short and temporary, for example, during the system restart of the Identity Synchronization for Windows Core machine. Failover is recommended only in situations where Identity Synchronization for Windows must be completely re-installed or a complete idsync resync operation must be run over a large population.
For example:
Any machine where the Identity Synchronization for Windows Core or a Connector run has a hardware failure.
The configuration directory that stores the Identity Synchronization for Windows configuration is corrupt.
The Active Directory domain controller that the Active Directory Connector communicates with experiences a hardware fault and must be rebuilt.
The preferred Directory Server master is corrupted and must be initialized from another master.