Oracle Fusion Middleware Administration Guide for Oracle Unified Directory 11g Release 1 (11.1.1)
This section describes how to change certain advanced properties of a replication configuration by using the dsconfig command. Advanced properties are usually optional, or have a default value that is acceptable in most cases. For general information about using dsconfig, see Managing the Server Configuration With dsconfig.
You cannot use dsconfig to set up replication between directory servers. Replication can be set up automatically using the GUI install utility, or manually, using the dsreplication command. For more information, see Configuring Data Replication With dsreplication.
This section covers the following topics:
The replication domain name is generated by the directory server and includes the base DN and a numeric unique identifier.
To obtain a list of the configured replication domains, use the list-replication-domains subcommand. For example:
$ dsconfig -h host1 -p 4444 -D "cn=directory manager" -w password -n \
  list-replication-domains --provider-name "Multimaster Synchronization"
Replication Domain : Type    : server-id : replication-server     : base-dn
-------------------:---------:-----------:------------------------:--------------------
cn=admin data      : generic : 13981     : host1:8989, host2:8989 : cn=admin data
cn=schema          : generic : 20284     : host1:8989, host2:8989 : cn=schema
dc=example,dc=com  : generic : 26560     : host1:8989, host2:8989 : "dc=example,dc=com"
The replication changes database maintains a record of updates, which might or might not have been replicated. The replication purge delay is a property of the replication server, and specifies the period of time after which internal purge operations are performed on the replication changes database.
Any change that is older than the purge delay is removed from the replication changes database, irrespective of whether that change has been applied. The default purge delay is one day. If the replication changes database is backed up less frequently than the purge delay, changes will be cleared before the changes database has been backed up. Changes can therefore be lost if you use the backup to restore data.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --property replication-purge-delay
Property                : Value(s)
------------------------:---------
replication-purge-delay : 1 d
The following command changes the purge delay to one week:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --set replication-purge-delay:1w
The window size is a property of the replication server and specifies the number of change requests that are sent to directory servers, without the replication server having to wait for an acknowledgment from the directory server before continuing.
The window size represents the maximum number of update messages that can be sent without immediate acknowledgment from the directory server. It is more efficient to send many messages in quick succession instead of waiting for an acknowledgment after each one. Using the appropriate window size, you can eliminate the time replication servers spend waiting for acknowledgments to arrive. The default window size is 100. If you notice that some directory servers are lagging behind in terms of replicated changes, increase the window size to a higher value and check replication performance again before making further adjustments.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced --property window-size
Property    : Value(s)
------------:---------
window-size : 100
The following command changes the window size to 200.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --set window-size:200
During a data import in a replicated topology, it can occur that the importing server is too slow to keep up with the data that is sent by the exporting server. The importing server can therefore block not only the import, but can also stop any other replication changes from being propagated by the exporting server.
An initialization window size enables an exporting server to detect acknowledgements from the slowest importing server and to send data on the replication network only when the slow importer is available to receive them.
The initialization window size is set to 100 by default. If there are no slow servers in your topology, you can increase the initialization window size so that exporting servers send more updates before waiting for an acknowledgement. If your topology includes a particularly slow server, you can decrease the initialization window size to ensure that replication is not blocked by this server.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X -n \
  get-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name dc=example,dc=com --advanced --property initialization-window-size
Property                   : Value(s)
---------------------------:---------
initialization-window-size : 100
The following command changes the initialization window size to 50.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name dc=example,dc=com --set initialization-window-size:50
The heartbeat interval is a property of the replication domain and specifies the frequency with which the replication domain communicates with the replication server. The replication domain expects a regular heartbeat at this interval from the replication server. If the heartbeat is not received, the domain closes its connection and connects to another replication server in the topology.
The default heartbeat interval is ten seconds. If replication is running over a WAN or a network with slow response times, you might want to increase the heartbeat interval. In addition, if you observe an error similar to the following in the logs, it is probably necessary to increase the heartbeat interval.
[26/May/2011:16:32:50 +0200] category=SYNC severity=NOTICE msgID=15138913 msg=Replication Heartbeat Monitor on RS rserver/192.157.197.62:8989 30382 for dc=example,dc=com in DS 10879 is closing the session because it could not detect a heartbeat
The heartbeat interval is sensitive to the settings of your JVM. If you require a lower heartbeat interval than the default, you must configure your JVM to have a low pause time during garbage collection by setting the -XX:+UseConcMarkSweepGC option. For more information, see Chapter 6, Configuring the JVM, Java Options, and Database Cache, in Oracle Fusion Middleware Installation Guide for Oracle Unified Directory.
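Before raising the heartbeat interval, it helps to know how often the notice quoted above actually occurs and for which sessions. The following added example (not part of the Oracle documentation) parses notices in that format and reports sessions that lose the heartbeat repeatedly. The function names, the 10-minute window, the threshold of 3 and all sample lines other than the first are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# msgID and message wording are taken from the log line quoted on this page.
HEARTBEAT_MSG_ID = "15138913"
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] category=SYNC severity=\w+ msgID=(?P<msgid>\d+) "
    r"msg=Replication Heartbeat Monitor on RS (?P<rs>\S+) (?P<rs_num>\d+) "
    r"for (?P<base_dn>.+?) in DS (?P<ds_id>\d+) is closing the session "
    r"because it could not detect a heartbeat"
)


def parse_heartbeat_loss(line):
    """Return the fields of a heartbeat-loss notice, or None for other lines."""
    m = LINE_RE.match(line.strip())
    if m is None or m.group("msgid") != HEARTBEAT_MSG_ID:
        return None
    return {
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "rs": m.group("rs"),
        # Number printed after the RS address; its meaning is not stated here.
        "rs_num": m.group("rs_num"),
        "base_dn": m.group("base_dn"),
        "ds_id": m.group("ds_id"),
    }


def find_repeated_losses(lines, window=timedelta(minutes=10), threshold=3):
    """Map (rs, base_dn, ds_id) to the peak number of losses seen inside one
    sliding window, for every session that reaches the threshold."""
    seen = defaultdict(list)
    for line in lines:
        ev = parse_heartbeat_loss(line)
        if ev:
            seen[(ev["rs"], ev["base_dn"], ev["ds_id"])].append(ev["time"])
    findings = {}
    for key, times in seen.items():
        times.sort()
        start = peak = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            findings[key] = peak
    return findings


# Sample log: the first entry reproduces the line on this page; the others are
# constructed for the example (192.0.2.20 is a documentation address).
NOTICE = ("[{ts} +0200] category=SYNC severity=NOTICE msgID=15138913 msg=Replication "
          "Heartbeat Monitor on RS {rs} {num} for {dn} in DS {ds} is closing the "
          "session because it could not detect a heartbeat")
PAGE_RS = "rserver/192.157.197.62:8989"
DN = "dc=example,dc=com"
SAMPLE_LOG = [
    NOTICE.format(ts="26/May/2011:16:32:50", rs=PAGE_RS, num=30382, dn=DN, ds=10879),
    NOTICE.format(ts="26/May/2011:16:35:10", rs=PAGE_RS, num=30382, dn=DN, ds=10879),
    NOTICE.format(ts="26/May/2011:16:39:41", rs=PAGE_RS, num=30382, dn=DN, ds=10879),
    NOTICE.format(ts="26/May/2011:16:40:02", rs="rserver2/192.0.2.20:8989",
                  num=11111, dn="cn=schema", ds=10879),
    NOTICE.format(ts="26/May/2011:18:02:00", rs=PAGE_RS, num=30382, dn=DN, ds=10879),
    "[26/May/2011:18:03:00 +0200] category=SYNC severity=NOTICE msgID=99999999 "
    "msg=constructed unrelated notice",
]

if __name__ == "__main__":
    for (rs, base_dn, ds_id), peak in find_repeated_losses(SAMPLE_LOG).items():
        print(f"DS {ds_id} lost the heartbeat from {rs} for {base_dn} "
              f"{peak} times within 10 minutes")
```

A session that appears in the result is a candidate for a longer heartbeat interval; a single isolated notice is not reported.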
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 15853)" --advanced \
  --property heartbeat-interval
Property           : Value(s)
-------------------:---------
heartbeat-interval : 10 s
The following command changes the heartbeat interval to 5 seconds.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 15853)" --set heartbeat-interval:5s
The isolation policy is a property of the replication domain and specifies the behavior of the directory server if replication is configured but none of the replication servers are up and running when an update is received. The default behavior of the directory server in this situation is to reject all updates.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password \
  get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 15853)" \
  --advanced --property isolation-policy -n
Property         : Value(s)
-----------------:-------------------
isolation-policy : reject-all-updates
The following command specifies that the directory server should accept all updates in this situation.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 15853)" \
  --set isolation-policy:accept-all-updates -n
By default, replication traffic is not encrypted. You can enable encryption by configuring the crypto manager.
The following command specifies that replication traffic should be encrypted.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-crypto-manager-prop \
  --set ssl-encryption:true
Replication groups are designed to support multi-data center deployments and disaster recovery scenarios. For information about the design and implementation of replication groups in the directory server, see Replication Groups in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
Note - Changing the replication group configuration has an impact on assured replication. For more information, see Assured Replication in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
A replication group is configured on each directory server and replication server that should be part of the same group. On directory servers, a replication group is configured per replicated domain. On replication servers, the group is configured for the entire replication server.
Replication groups are configured by giving each replicated domain and replication server the same group ID. This example configures a replication group (1) for the replicated domain dc=example,dc=com.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set group-id:1

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set group-id:1
In most deployment scenarios, the loosely consistent multi-master replication model is sufficient. However, certain scenarios might require tighter consistency between replicas. In such cases, you can configure assured replication, which provides the following benefits:
High availability of data. If a server crashes immediately after a modification is received on that server, there is a risk that the modification will be lost before it is replayed to other servers in the topology. With assured replication, any modification is replayed to another server in the topology before an acknowledgement is sent to the client application. The risk of losing data in the event of a server crash is therefore minimized.
Immediacy of data availability. Some applications might require modifications to be available on additional servers in the topology immediately after a modification is made.
Assured replication is an extension of the replication protocol and is configured per replicated domain. For more information, see Retrieving the Replication Domain Name.
Assured replication is not the same as synchronous replication. That is, changes do not occur simultaneously on all servers in the topology. However, assured replication can mimic the functionality of synchronous replication to an extent, as far as LDAP clients are concerned. This is achieved by delaying acknowledgements to the client application until a modification has been propagated to additional servers in the topology.
Note - Assured replication relies on replication groups. All replication servers and directory servers that function together in an assured replication configuration must be part of the same replication group.
Assured replication can function in two modes:
Safe data mode. Any update must be propagated to a defined number of replication servers before the client receives an acknowledgement that the update has been successful.
The number of replication servers that must be reached defines the safe data level. The higher the safe data level, the higher the overall data availability.
Safe read mode. Any update must be propagated to all the directory servers in the topology before the client receives an acknowledgement that the update has been successful.
In both safe data mode and safe read mode, you can configure a timeout interval to prevent LDAP client calls from hanging if certain servers in the topology are not available.
On each directory server, you can configure a global timeout that comes into effect when the directory server sends an update to its replication server, in either safe data mode or safe read mode. If this timeout is reached, the LDAP client call returns immediately and a message is written to the replication log to track the event.
On each replication server, you can configure a global timeout that comes into effect when the replication server sends an update to a peer replication server or to another directory server, either in safe data mode or in safe read mode. If this timeout is reached, the acknowledgement message that is returned to the initiating server (either a directory server or a replication server) includes a message that indicates the timeout. The initial directory server then logs a message that the timeout occurred for that update.
Note - The default timeout of two seconds for a directory server and one second for a replication server should be satisfactory for most deployments. Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change. The value of the timeout should reflect the anticipated time that an update requires to go through its full path to reach its destination.
The timeout value on a directory server should always be higher than the value on the replication server. For example: DS1(timeout 2s) -> RS1(timeout 1s) -> RS2(timeout 1s) -> DS2.
For a detailed explanation of the assured replication mechanism and the various configurable options, see Assured Replication in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
This procedure configures assured replication in safe data mode for a topology. The procedure assumes that replication has already been configured.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-type:safe-data

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-sd-level:2
If you have configured replication by using setup or dsreplication, your replication servers and directory servers will be on the same virtual machine. In this case, you must set the safe data level to 2 or higher.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --property assured-type --property assured-sd-level --property assured-timeout
Property         : Value(s)
-----------------:------------
assured-sd-level : 2
assured-timeout  : 5 s
assured-type     : safe-data

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --property assured-timeout --property group-id
Property                  : Value(s)
--------------------------:---------
assured-timeout           : 1 s
group-id                  : 1

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups.
Assured replication is configured per replicated domain. This procedure configures assured replication in safe read mode for a topology. The procedure assumes that replication has already been configured.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-type:safe-read

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --set assured-timeout:5s
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups. For more information about groups and assured replication, see Assured Replication in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-domain-prop \
  --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" --advanced \
  --property assured-type --property assured-timeout --property group-id
Property         : Value(s)
-----------------:------------
assured-timeout  : 5 s
assured-type     : safe-read
group-id         : 1

$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  get-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --property assured-timeout --property degraded-status-threshold \
  --property group-id
Property                  : Value(s)
--------------------------:---------
assured-timeout           : 1 s
degraded-status-threshold : 5000
group-id                  : 1
Only change the timeout if you are viewing timeouts in the logs and if you have a complete understanding of the impact of such a change.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set assured-timeout:5s
The degraded status threshold defines the stage at which the server is regarded as “too slow”, based on the number of updates queued in the replication server for that directory server. For more information, see Degraded Status in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
Do not adjust this value unless you observe timeouts in the logs.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --advanced \
  --set degraded-status-threshold:2000
This should be the same for all replication servers and directory servers that form part of this replication group. For instructions on configuring the group ID, see Configuring Replication Groups. For more information about groups and assured replication, see Assured Replication in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
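The assured replication rules stated in this section (same group ID on the domain and the replication server, a directory server timeout higher than the replication server timeout, and a safe data level of 2 or higher when both run on the same machine) can be checked against the output of the two get commands. The following is an added example, not part of the Oracle documentation; the function names and the colocated flag are hypothetical, and the duration units other than those shown on this page are an assumption.

```python
import re

# A property row looks like "assured-timeout : 5 s". The "Property : Value(s)"
# header and the dashed separator do not start with a lower-case letter.
PROP_RE = re.compile(r"^\s*([a-z][a-z0-9-]*)\s*:\s*(.*?)\s*$")
# The page shows values such as "1 d", "10 s" and "1w"; ms, m and h are assumed.
UNIT_MS = {"ms": 1, "s": 1_000, "m": 60_000, "h": 3_600_000,
           "d": 86_400_000, "w": 604_800_000}


def parse_props(output):
    """Parse the property table printed by dsconfig get-*-prop into a dict."""
    props = {}
    for line in output.splitlines():
        m = PROP_RE.match(line)
        if m:
            props[m.group(1)] = m.group(2)
    return props


def duration_ms(text):
    """Convert a duration such as '5 s' or '1w' to milliseconds."""
    m = re.fullmatch(r"(\d+)\s*(ms|s|m|h|d|w)", text.strip())
    if m is None:
        raise ValueError(f"unrecognised duration: {text!r}")
    return int(m.group(1)) * UNIT_MS[m.group(2)]


def audit_assured(domain_output, server_output, colocated=True):
    """Return findings, each prefixed with the property it concerns.
    colocated=True means the replication server and the directory server
    run on the same machine."""
    ds, rs = parse_props(domain_output), parse_props(server_output)
    findings = []
    mode = ds.get("assured-type")
    if mode not in ("safe-data", "safe-read"):
        findings.append(f"assured-type: {mode!r} is neither safe-data nor safe-read")
    if "group-id" not in ds or "group-id" not in rs:
        findings.append("group-id: not present in both outputs, cannot compare")
    elif ds["group-id"] != rs["group-id"]:
        findings.append(f"group-id: domain {ds['group-id']} != server {rs['group-id']}")
    if "assured-timeout" not in ds or "assured-timeout" not in rs:
        findings.append("assured-timeout: not present in both outputs")
    elif duration_ms(ds["assured-timeout"]) <= duration_ms(rs["assured-timeout"]):
        findings.append("assured-timeout: directory server value is not higher "
                        "than the replication server value")
    if mode == "safe-data" and colocated:
        level = ds.get("assured-sd-level")
        if level is None or int(level) < 2:
            findings.append(f"assured-sd-level: {level} is below 2 on a shared machine")
    return findings


# Output of the two get commands of the safe read procedure on this page.
PAGE_DOMAIN = """\
Property         : Value(s)
-----------------:------------
assured-timeout  : 5 s
assured-type     : safe-read
group-id         : 1
"""
PAGE_SERVER = """\
Property                  : Value(s)
--------------------------:---------
assured-timeout           : 1 s
degraded-status-threshold : 5000
group-id                  : 1
"""
# Constructed misconfiguration for the example.
BAD_DOMAIN = """\
Property         : Value(s)
-----------------:------------
assured-sd-level : 1
assured-timeout  : 1 s
assured-type     : safe-data
group-id         : 2
"""

if __name__ == "__main__":
    for label, out in (("page", PAGE_DOMAIN), ("constructed", BAD_DOMAIN)):
        print(label, audit_assured(out, PAGE_SERVER) or "no findings")
```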
Fractional replication enables you to replicate specific parts of directory data to other replicas in the topology. This feature is particularly useful in the following scenarios:
Limited disk space. Restricting the data that is replicated can significantly cut down on the amount of disk space that is required on certain replicas, particularly if you restrict the replication of attributes such as jpeg photos, which represent large data volumes.
Security concerns. Certain data, such as user passwords, might be sensitive and not required on certain replicas, especially if there is a risk of inappropriate access on these replicas.
This section describes how to configure fractional replication on one or more servers in a topology. For information about the architecture of the fractional replication mechanism, see Fractional Replication in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
Fractional replication is configured on the directory server that receives the partial data, and is attribute-based. Consider the following scenario:
Fractional replication is configured on Directory Server B. An ldapmodify operation is sent to Directory Server A. The entire operation is forwarded to Replication Server 1, then to Replication Server 2, then to Directory Server B. When the operation is replayed on Directory Server B, certain attributes from the operation are filtered out, based on that server's fractional configuration.
Fractional replicas remain writable directly from client applications. However, if an add or modify operation that includes certain “forbidden attributes” is attempted on a fractional replica, the operation is denied and the server returns an “Unwilling to perform” error.
Fractional replication can be configured in one of two modes:
Exclusive mode. In this mode, the multi-valued fractional-exclude attribute is used to filter out the specified attributes from an incoming LDAP add or modify operation.
Excluded attributes must be optional attributes of an object class.
Inclusive mode. In this mode, the multi-valued fractional-include attribute is used to filter in only the specified attributes from an incoming LDAP add or modify operation.
All other attributes (except for those that are mandatory in the object class) are removed from the change that is replayed on the server.
The two modes are mutually exclusive, that is, you can include only one of these attributes in a domain configuration.
Fractional replication is configured per replicated domain (see Retrieving the Replication Domain Name). A fractional domain implies that certain attributes are entirely absent from the domain. These attributes are filtered out at operation replay time but are also absent from the existing data in the domain.
To ensure coherency of the data across a replicated topology, it is necessary to identify whether a particular data set is fractional. The configuration of a new fractional domain therefore implies specific steps to ensure that the domain is free of forbidden attributes, and recognizable as a fractional domain. For more information, see To Configure and Initialize a Fractional Domain.
Use the dsconfig command to configure fractional replication in a domain, as follows.
The following example configures a replica to exclude the photo and jpegPhoto attributes from any creation or modification of an entry whose object class is inetOrgPerson.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-exclude:inetOrgPerson:photo,jpegPhoto
Object classes and attributes can be specified by their names, or by their OIDs, so the following example has the same effect as the previous example:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-exclude:2.16.840.1.113730.3.2.2:0.9.2342.19200300.100.1.7,0.9.2342.19200300.100.1.60
If you use object class or attribute names and OIDs, both values are added. For example, the following command adds both the attribute name and its OID to the list of excluded attributes:
$ dsconfig set-replication-domain-prop ... --set fractional-exclude:*:jpegPhoto,*:0.9.2342.19200300.100.1.60
If you wanted to remove this attribute from the list, you would need to remove both the attribute name and the OID.
To specify that the photo and jpegPhoto attributes should be removed from any creation or modification of any entry (regardless of its object class), use an asterisk in place of the object class. For example:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-exclude:*:photo,jpegPhoto
The following example configures a replica to include only the uid and employeeNumber attributes from any creation or modification of an entry whose object class is inetOrgPerson. All other attributes are ignored in the modification, except those that are mandatory for the object class.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-include:inetOrgPerson:uid,employeeNumber
Object classes and attributes can be specified by their names, or by their OIDs, so the following example has the same effect as the previous example:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-include:2.16.840.1.113730.3.2.2:0.9.2342.19200300.100.1.1,2.16.840.1.113730.3.1.3
If you use object class or attribute names and OIDs, both values are added. For example, the following command adds both the attribute name and its OID to the list of included attributes:
$ dsconfig set-replication-domain-prop ... --set fractional-include:*:jpegPhoto,*:0.9.2342.19200300.100.1.60
If you wanted to remove this attribute from the list, you would need to remove both the attribute name and the OID.
To specify that a particular attribute should be included in the creation or modification of any entry (regardless of its object class), use an asterisk in place of the object class. The following example includes only the description attribute in a creation or modification operation on any entry.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -X \
  set-replication-domain-prop --provider-name "Multimaster Synchronization" \
  --domain-name "dc=example,dc=com (domain 10233)" \
  --set fractional-include:*:description
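When fractional replication is used to keep sensitive attributes off a replica, it is worth checking a planned fractional-exclude or fractional-include value against a representative entry before applying it. The following added example is a simplified model of the filtering rules described above, not Oracle code and not the server's implementation. The function names, the sample entry and the caller-supplied list of mandatory attributes are assumptions, and entries whose object class matches no rule are assumed to pass unchanged.

```python
# Name/OID pairs exactly as they appear in the dsconfig examples on this page.
OID_TO_NAME = {
    "2.16.840.1.113730.3.2.2": "inetorgperson",
    "0.9.2342.19200300.100.1.7": "photo",
    "0.9.2342.19200300.100.1.60": "jpegphoto",
    "0.9.2342.19200300.100.1.1": "uid",
    "2.16.840.1.113730.3.1.3": "employeenumber",
}


def norm(token):
    """Lower-case a class or attribute name and map a known OID to its name."""
    token = token.strip().lower()
    return OID_TO_NAME.get(token, token)


def parse_rules(values):
    """Turn values such as 'inetOrgPerson:photo,jpegPhoto' or '*:description'
    into {object_class: {attribute, ...}}."""
    rules = {}
    for value in values:
        cls, sep, attrs = value.partition(":")
        names = {norm(a) for a in attrs.split(",") if a.strip()}
        if not sep or not cls.strip() or not names:
            raise ValueError(f"expected objectClass:attr[,attr...], got {value!r}")
        rules.setdefault(norm(cls), set()).update(names)
    return rules


def replay_filter(entry, mode, values, mandatory):
    """Return the attributes of `entry` that the modelled replica keeps.
    mode is 'exclude' or 'include'; `mandatory` lists the schema-required
    attributes of the entry's object classes (supplied by the caller)."""
    if mode not in ("exclude", "include"):
        raise ValueError("mode must be 'exclude' or 'include'")
    required = {norm(a) for a in mandatory}
    classes = {norm(c) for c in entry.get("objectClass", [])}
    listed, applies = set(), False
    for cls, attrs in parse_rules(values).items():
        if cls == "*" or cls in classes:
            applies = True
            listed |= attrs
    if mode == "exclude" and listed & required:
        # The page states that excluded attributes must be optional.
        raise ValueError(f"cannot exclude mandatory: {sorted(listed & required)}")
    if not applies:
        return dict(entry)  # assumption: other object classes pass unchanged
    if mode == "exclude":
        return {k: v for k, v in entry.items() if norm(k) not in listed}
    return {k: v for k, v in entry.items() if norm(k) in listed | required}


def still_replayed(sensitive, entry, mode, values, mandatory):
    """List the sensitive attributes that would still reach the replica."""
    kept = {norm(k) for k in replay_filter(entry, mode, values, mandatory)}
    return sorted(a for a in sensitive if norm(a) in kept)


# Constructed sample data for the example.
MANDATORY = {"objectClass", "cn", "sn"}
ENTRY = {
    "objectClass": ["top", "person", "organizationalPerson", "inetOrgPerson"],
    "cn": ["Barbara Jensen"], "sn": ["Jensen"], "uid": ["bjensen"],
    "employeeNumber": ["1234"], "mail": ["bjensen@example.com"],
    "userPassword": ["{SSHA}constructed"], "jpegPhoto": ["<binary>"],
}
OU_ENTRY = {"objectClass": ["top", "organizationalUnit"], "ou": ["People"],
            "description": ["constructed"]}

if __name__ == "__main__":
    rule = ["inetOrgPerson:photo,jpegPhoto"]
    print(still_replayed(["userPassword", "jpegPhoto"], ENTRY, "exclude",
                         rule, MANDATORY))
```

With the exclusive rule from this page, the model shows that userPassword still reaches the replica; it has to be listed explicitly if it must not be stored there.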
The following steps are required when you initialize a new fractional domain:
Configure exclusive or inclusive fractional replication, as described in the previous two sections.
At this point, the domain obtains a bad generation ID status. For more information, see Replication Status in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
This means that all modifications on the domain are blocked until the data is synchronized with the rest of the topology.
Import a new data set from one of the other servers in the topology.
The new data set can be imported online, by using dsreplication initialize or by using import-ldif in online or offline mode. The server from which you import the data must either be an entire replica (that is, not a fractional replica) or must have the same fractional configuration as the server to which you are importing the data. During the import, all entries will be filtered with the fractional configuration set up in the previous step.
For information about how to import a data set, see Initializing a Single Replicated Server and Importing and Exporting Data.
After the data import, the domain returns to normal status.
For more information, see Replication Status in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
The domain is now able to accept new entries from local LDAP operations, or synchronization operations with other servers in the topology. The data in the domain is free of any “forbidden” attributes.
Each replicated domain in a replicated topology has a certain replication status, depending on its connections within the topology, and on how up to date it is with regard to the changes that have occurred throughout the topology. For more information, see Replication Status in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
Replication status is generated automatically, based on how up to date a server is within the replicated topology. The only parameter that can be configured is the degraded status threshold. This parameter defines the maximum number of changes that can be in the replication server's queue for all domains of the directory servers that are connected to this replication server. When this number is reached for a specific directory server, that server is assigned a degraded status. The degraded status remains until the number of changes drops below this value.
Note - The default value of the degraded status threshold should be adequate for most deployments. Only modify this value if you observe several timeout messages in the logs when assured replication is configured.
The default number of changes defined by this threshold is 5000. This example sets the threshold to 6000, to take into account a network with more latency.
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --set degraded-status-threshold:6000
In large topologies with several directory servers and several replication servers, it is more efficient to spread the directory servers out across the replication servers in a predefined manner. You can specify how many directory servers should connect to each replication server in a topology according to the relative capacity of the machine on which the replication server is running. For more information, see Replication Server Load Balancing in Oracle Fusion Middleware Architecture Reference for Oracle Unified Directory.
To configure the replication server weight, run the dsconfig command as follows:
$ dsconfig -h localhost -p 4444 -D "cn=directory manager" -w password -n \
  set-replication-server-prop \
  --provider-name "Multimaster Synchronization" --set weight:2
By default, the weight of each replication server in the topology is 1.