Sun Identity Manager 8.1 Resources Reference

Architectural Components

This procedure involves the following components:

On Synchronization Failure Process Resource Attribute

The On Synchronization Failure Process Active Directory active synchronization resource attribute specifies the name of a process to be executed on a synchronization failure. By default, the value of this resource attribute is empty.

This attribute gives Identity Manager administrators the ability to execute a process when Active Directory synchronization failures occur.

Active Directory On Failure Process

The process specified by the resource attribute is launched by the resource on failure. You should invoke a process that sends email to the Active Directory administrator that alerts them to a synchronization failure. The body of the email might contain the error messages that were returned from the adapter poll method.

You can also design a business process that, when a specified error occurs, automatically calls the Synchronization Failover task after an approval by an administrator is given.

Process Context

The following arguments are available to the native process.




Identifies the resource where the failure occurred 


Lists strings that represent the errors returned by the poll method 


Indicates when the failure occurred 

Active Directory Recovery Collector Task

You can schedule and launch the Active Directory Recovery Collector task from the Task Schedule pages of the Identity Manager Administrator interface. This process uses the resource object interface to contact each domain controller’s rootDSE object. The task’s schedule determines the frequency at which the data is collected from the domain controllers.

This task collects and stores resource recovery information in a Configuration object named ADSyncRecovery_resourceName. The extension to this configuration object is a GenericObject that stores a list of HighestCommittedUSN and the timestamp (milliseconds) that was collected for each domain controller.

During each execution, the task prunes old values for HighestCommittedUSN from the recovery data. You can configure the length of time to store this data through the daysToKeepUSNS argument.





Specifies the Active Directory resource for which Identity Manager collects backup data. 


Lists the fully qualified domain controller hostnames that should be contacted for recovery data. This can and should include the original host, which permits Identity Manager to include the source resource host if Identity Manager must fail over to the resource. 

When synchronizing against a global catalog, back up hosts in this list will be assumed to be global catalogs. 


Specifies the number of days for which Identity Manager stores the data (default is 7 days). 

Active Directory Failover Task

This task reconfigures the failed resource and the IAPI Object to use an alternate domain controller and usnChanged starting point. The task input form displays the available usn-changed times for a given host from the stored failover data.

Certain errors can identify conditions where failover is appropriate. One example of the potential difficulty of automatically calling the failover task is the error message. The failure indicated by this message can occur for at least two reasons:

Failover Modes

You can take one of two approaches towards implementing Active Directory failover resolution:


If you have determined that launching semi-auto failover is appropriate for a particular error, set the following task arguments. (The on-error workflow must launch the Active Directory Synchronization failover task.) Setting these arguments reconfigures the failed resource and the IAPI Object to use an alternate domain controller and usnChanged starting point.




Identifies (by name or resource ID) where the failure has occurred. 


Specifies whether auto failure is set. Must be set to true.


Indicates when the failure occurred. This value is derived from the onSync failure process. 


Specifies the maximum time in hours for data to replicate across an Active Directory environment. 

To manually specify which domain controller to fail over to and which saved HighestCommittedUSN number to start from, set the following arguments.




Specifies the name or ID of the resource where the failure has occurred. 


Specifies the name of the host with which to begin the synchronization process. 


The timestamp to use that correlates to a collected HighestCommittedUSN changed value from the collected data. This would be computed just as targetTime was computed in the semi-auto mode.


Specifies whether to start Active Sync after the switch to the new domain controller is complete. 

Resource Object Changes

The Active Directory Recovery Collector task updates either the LDAPHostname or the GlobalCatalog resource attribute value (depending on which value is in use). If the search subdomains resource attribute is set to true, and the global catalog attribute value is not empty, the global catalog server attribute is changed. Otherwise, the LDAPHostname is changed to the name of the backup domain controller.

IAPI Object Changes

The Active Directory Recovery Collector task also updates the IAPI object so that the Active Directory resource adapter knows which changes to look for the next time it runs. The task updates the HighCommitedUSN value for both lastUpdated and lastDeleted attribute values.