Sun Identity Manager 8.1 Resources Reference

Architectural Components

This procedure involves the following components:

The Active Directory Synchronization Failure Process, which is defined on the Active Directory resource by the On Synchronization Failure Process Active Directory resource attribute
Active Directory Recovery Collector Task
Active Directory Failover Task

On Synchronization Failure Process Resource Attribute

The On Synchronization Failure Process Active Directory active synchronization resource attribute specifies the name of a process to be executed on a synchronization failure. By default, the value of this resource attribute is empty.

This attribute gives Identity Manager administrators the ability to execute a process when Active Directory synchronization failures occur.

Active Directory On Failure Process

The process specified by the resource attribute is launched by the resource on failure. You should invoke a process that sends email to the Active Directory administrator that alerts them to a synchronization failure. The body of the email might contain the error messages that were returned from the adapter poll method.

You can also design a business process that, when a specified error occurs, automatically calls the Synchronization Failover task after an approval by an administrator is given.

Process Context

The following arguments are available to the native process.

Argument	Description
`resourceName`	Identifies the resource where the failure occurred
`resultErrors`	Lists strings that represent the errors returned by the poll method
`failureTimestamp`	Indicates when the failure occurred

Active Directory Recovery Collector Task

You can schedule and launch the Active Directory Recovery Collector task from the Task Schedule pages of the Identity Manager Administrator interface. This process uses the resource object interface to contact each domain controller’s rootDSE object. The task’s schedule determines the frequency at which the data is collected from the domain controllers.

This task collects and stores resource recovery information in a Configuration object named ADSyncRecovery_resourceName. The extension to this configuration object is a GenericObject that stores a list of HighestCommittedUSN and the timestamp (milliseconds) that was collected for each domain controller.

During each execution, the task prunes old values for HighestCommittedUSN from the recovery data. You can configure the length of time to store this data through the daysToKeepUSNS argument.

Arguments

Argument	Description
`resourceName`	Specifies the Active Directory resource for which Identity Manager collects backup data.
`backupDCs`	Lists the fully qualified domain controller hostnames that should be contacted for recovery data. This can and should include the original host, which permits Identity Manager to include the source resource host if Identity Manager must fail over to the resource. When synchronizing against a global catalog, back up hosts in this list will be assumed to be global catalogs.
`daysToKeepUSNS`	Specifies the number of days for which Identity Manager stores the data (default is 7 days).

Argument

Description

resourceName

Specifies the Active Directory resource for which Identity Manager collects backup data.

backupDCs

Lists the fully qualified domain controller hostnames that should be contacted for recovery data. This can and should include the original host, which permits Identity Manager to include the source resource host if Identity Manager must fail over to the resource.

When synchronizing against a global catalog, back up hosts in this list will be assumed to be global catalogs.

daysToKeepUSNS

Specifies the number of days for which Identity Manager stores the data (default is 7 days).

Active Directory Failover Task

This task reconfigures the failed resource and the IAPI Object to use an alternate domain controller and usnChanged starting point. The task input form displays the available usn-changed times for a given host from the stored failover data.

Certain errors can identify conditions where failover is appropriate. One example of the potential difficulty of automatically calling the failover task is the java.net.UnknownHostException error message. The failure indicated by this message can occur for at least two reasons:

The host cannot be reached from the gateway machine due to a temporary routing issue.
The host cannot be reached and will be down for the next eight hours due to a planned outage.

Failover Modes

You can take one of two approaches towards implementing Active Directory failover resolution:

Manual mode. When a problem occurs, the administrator specifies which backup domain controller and USN to use. This is the only mode available when running tasks from the Identity Manager interface.
Semi-auto mode. Semi-auto mode permits you to semi-automate the fail-over resolution process. In semi-auto mode, the task uses the collected data to identify the best backup domain controller and USN to use. It computes this by looking for a collection point that is closest to a derived TargetTimestamp without exceeding this value

where TargetTimestamp = (FailureTimestamp - replicationTime)

Semi-auto mode is not available from the Identity Manager Administrator interface.

Arguments

If you have determined that launching semi-auto failover is appropriate for a particular error, set the following task arguments. (The on-error workflow must launch the Active Directory Synchronization failover task.) Setting these arguments reconfigures the failed resource and the IAPI Object to use an alternate domain controller and usnChanged starting point.

Argument	Description
`resourceName`	Identifies (by name or resource ID) where the failure has occurred.
`autoFailover`	Specifies whether auto failure is set. Must be set to `true`.
`failureTimestamp`	Indicates when the failure occurred. This value is derived from the onSync failure process.
`replicationTime`	Specifies the maximum time in hours for data to replicate across an Active Directory environment.

To manually specify which domain controller to fail over to and which saved HighestCommittedUSN number to start from, set the following arguments.

Argument	Description
`resourceName`	Specifies the name or ID of the resource where the failure has occurred.
`backupDC`	Specifies the name of the host with which to begin the synchronization process.
`usnDate`	The timestamp to use that correlates to a collected `HighestCommittedUSN` changed value from the collected data. This would be computed just as `targetTime` was computed in the semi-auto mode.
`restartActiveSync`	Specifies whether to start Active Sync after the switch to the new domain controller is complete.

Resource Object Changes

The Active Directory Recovery Collector task updates either the LDAPHostname or the GlobalCatalog resource attribute value (depending on which value is in use). If the search subdomains resource attribute is set to true, and the global catalog attribute value is not empty, the global catalog server attribute is changed. Otherwise, the LDAPHostname is changed to the name of the backup domain controller.

IAPI Object Changes

The Active Directory Recovery Collector task also updates the IAPI object so that the Active Directory resource adapter knows which changes to look for the next time it runs. The task updates the HighCommitedUSN value for both lastUpdated and lastDeleted attribute values.