Chapter 7 Migrating Identity Synchronization for Windows

This chapter explains how to migrate your system from Identity Synchronization for Windows version 1.1, and 1.1 SP1, to version 6.0.

In the remainder of this chapter, version 1.1 includes version 1.1 SP1.

When you install Identity Synchronization for Windows version 1.1, Message Queue is also installed on your system. Identity Synchronization for Windows 6.0 does not install Message Queue.

For installation and upgrade information about Message Queue, read the installation instructions for Java Enterprise System software at http://docs.sun.com/coll/1286.2.

This chapter includes the following sections:

• Migration Overview

• Before You Migrate Identity Synchronization for Windows

• Preparing for Identity Synchronization for Windows Migration

• Migrating Your System

• What to Do if the 1.1 Uninstallation Fails

• Other Migration Scenarios

• Checking the Logs

Migration Overview

Migration from Identity Synchronization for Windows version 1.1 to version 6.0 is accomplished in the following major phases:

1. Preparing your Identity Synchronization for Windows 1.1 installation for migration.

2. Uninstalling Identity Synchronization for Windows 1.1.

3. Installing or upgrading dependent products.

4. Installing Identity Synchronization for Windows 6.0 by using the configuration and connector states you backed up.

Install Identity Synchronization for Windows 6.0 on the same platform and architecture where you installed Identity Synchronization for Windows 1.1.

Before You Migrate Identity Synchronization for Windows

Complete the following tasks before you migrate:

• Familiarize yourself with the new features and functionality provided in Identity Synchronization for Windows 6.0.

• Read Chapter 3, Understanding the Product, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide for installation and configuration information that you can use to plan your migration process.

• Document your version 1.1 deployment and configuration. Be sure to note any customizations you have made to the configuration.

• Schedule migration. Because the migration process requires at least four hours, you might want to schedule migration after normal business hours.

If the input password or attribute changes while you are migrating the system, Identity Synchronization for Windows processes these changes as follows:

• For Active Directory. Any password changes made on Active Directory during the migration process will be synchronized on demand by the Directory Server Plug-in after the migration process.

• For Directory Server. Any password changes made on Directory Server during the migration process will not be synchronized. However, you can identify affected users in the Identity Synchronization for Windows 6.0 logs after completing the migration process. For more information, see Checking the Logs.

• For Windows NT. Any password changes made on NT during the migration process will not be synchronized.

  However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. For more information, see Forcing Password Changes on Windows NT.

• All other attribute changes made during the migration process (at any directory source) will be synchronized after the migration process.

Preparing for Identity Synchronization for Windows Migration

Use one or more of the following utilities to migrate from version 1.1 to version 6.0:

• export11cnf. A stand-alone utility that enables you to create an export configuration file from your Identity Synchronization for Windows 1.1 configuration. For more information , see Exporting Version 1.1 Configuration.

  The exported XML document contains the directory deployment topology and enough information to configure the Identity Synchronization for Windows 6.0 installation.

• checktopics. A utility that checks Message Queue synchronization topics in a 1.1 installation and determines if any undelivered messages remain in the queue.

  Updates can remain in Message Queue after you stop 1.1 synchronization. You must verify that no updates exist in the Message Queue before you proceed with the migration. For more information, see Checking for Undelivered Messages.

• forcepwchg. A Windows NT tool that enables you to identify users who changed passwords during the migration process and forces them to change passwords again when the version 6.0 system is ready. Password changes made on Windows NT are not captured during the migration process. For more information, see Forcing Password Changes on Windows NT for detailed information.

These utilities facilitate the migration of Identity Synchronization for Windows version 1.1 to version 6.0. The migration is performed in the same environment where Identity Synchronization for Windows 1.1 is deployed. Consequently, these utilities are available in the Solaris/SPARC and Windows packages only.

You can find the migration utilities in the installation migration directory. No additional installation steps are required.

Exporting Version 1.1 Configuration

You can use the export11cnf utility to export an existing version 1.1 configuration file to an XML file and then use the idsync importcnf command to import the file into the 6.0 system before installing the connectors.

Although it is possible to re-enter the 1.1 configuration manually by using the Identity Synchronization for Windows console, it is recommended that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved.

Exporting the version 1.1 configuration enables you to:

• Eliminate most of the initial configuration process to be performed from the management Console.

• Guarantee that the connector IDs assigned in version 6.0 match the connector IDs used in version 1.1. This simplifies the task of preserving the existing connector states that can be used directly in the version 6.0 deployment.

  Back up the persist and etc directories, and then restore them later to avoid confusion about the underlying directory structure.

  You can find the export11cnf utility in the installation migration directory. No additional installation steps are necessary.

Using the export11cnf Utility

To export an Identity Synchronization for Windows configuration to an XML file, execute export11cnf from the migration directory as follows:

In a terminal window, type the following:

java -jar export11cnf.jar -h hostname
-p port -D bind DN
-w bind password -s rootsuffix
-q configuration password -Z -P cert-db-path
-m secmod-db-path -f filename

For example,

java -jar export11cnf.jar -D “cn=dirmanager” -w - -q - -s “dc=example,dc=com” -f exported-configuration

The export11cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities. For more information, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide. The export11cnf utility exports the current configuration into the file specified in the argument of the -f option.

Inserting Clear-Text Passwords

For security reasons, the export11cnf utility does not export clear-text passwords from version 1.1. Instead, the utility inserts empty strings in cleartextPassword fields wherever applicable. For example,

<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword=""/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->

You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows. importcnf validation prevents you from importing a configuration file with empty password values.

For example,

<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword="mySecretPassword"/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->

Sample Export Configuration File

In the following sample exported configuration file,

• ad-host.example.com refers to the Active Directory domain controller.

• ds-host.example.com refers to the host running Directory Server.

Example 7–1 Sample Export Configuration File

			<?xml version="1.0" encoding="UTF-8"?>

			<ActiveConfiguration>
    			<SunDirectorySource
           			parent.attr="DirectorySource"
           			onDemandSSLOption="true"
           			maxConnections="5"
           			displayName="dc=example,dc=com"
           			resyncInterval="1000">

						<SynchronizationHost
           			hostOrderOfSignificance="1"
           			hostname="ds-host.example.com"
           			port="389"
           			portSSLOption="true"
           			securePort="636"/>
        			<Credentials 
              			userName="uid=PSWConnector, 
              			dc=example,
              			dc=com"
     			</SynchronizationHost>
    			<SyncScopeDefinitionSet
              			index="0"
              			location="ou=people,dc=example,dc=com"
              			filter=""
              			creationExpression="uid=%uid%,ou=people,dc=example,dc=com"
            				sulid="SUL1"/>
  			</SunDirectorySource>


  			<ActiveDirectorySource
        			parent.attr="DirectorySource"
        			displayName="example.com"
        			resyncInterval="1000">
    			<SynchronizationHost
            			hostOrderOfSignificance="1"
            			hostname="ad-host.example.com"
            			port="389"
            			portSSLOption="true"
            			securePort="636">
       			<Credentials 
                  	userName="cn=Administrator,cn=Users,dc=metaqa,dc=com"
                  	cleartextPassword=""/>
                  	<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    			</SynchronizationHost>
    			<SyncScopeDefinitionSet
           			index="0"
           			location="cn=users,dc=example,dc=com"
           			filter=""
           			creationExpression="cn=%cn%,cn=users,dc=example,dc=com"
           			sulid="SUL1"/>
  			</ActiveDirectorySource>


  			<ActiveDirectoryGlobals
       			flowInboundCreates="true"
       			flowInboundModifies="true"
       			flowOutboundCreates="true"
       			flowOutboundModifies="true">
    			<TopologyHost
           			parent.attr="SchemaLocation"
           			hostname="ad-host.example.com"
           			port="3268"
           			portSSLOption="true"
           			securePort="3269">
      			<Credentials
               	parent.attr="Credentials"
               	userName="cn=Administrator,cn=Users,dc=example,dc=com"
               	cleartextPassword=""/>
        			<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    			</TopologyHost>

    			<TopologyHost
           			parent.attr="HostsTopologyConfiguration"
           			hostname="ad-host.example.com"
           			port="3268"
           			portSSLOption="true"
           			securePort="3269">
        			<Credentials
               		parent.attr="Credentials"
               		userName="cn=Administrator,cn=Users,dc=example,dc=com"
               		cleartextPassword=""/>
               		<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
    			</TopologyHost>

    			<AttributeMap>
      			<AttributeDescription
           				parent.attr="WindowsAttribute"
            			name="lockouttime"
            			syntax="1.2.840.113556.1.4.906"/>
      			<AttributeDescription
            			parent.attr="SunAttribute"
            			name="pwdaccountlockedtime"
            			syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
    			</AttributeMap>

    			<AttributeDescription
           				parent.attr="SignificantAttribute"
            			name="lockouttime"
            			syntax="1.2.840.113556.1.4.906"/>
    			<AttributeDescription
          			parent.attr="SignificantAttribute"
          			name="samaccountname"
      		 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
      		 			parent.attr="CreationAttribute"
      		 			name="samaccountname"
      		 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeMap>
      			<AttributeDescription
        	 			parent.attr="WindowsAttribute"
        	 			name="samaccountname"
        	 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      			<AttributeDescription
       	 			parent.attr="SunAttribute"
        	 			name="uid"
        	 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			</AttributeMap>

    			<AttributeMap>
      			<AttributeDescription
       	    		parent.attr="SunAttribute"
        	 			name="sn"
        	 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      			<AttributeDescription
        	 			parent.attr="WindowsAttribute"
        	 			name="sn"
        	 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			</AttributeMap>

    			<AttributeDescription
    		    			parent.attr="SignificantAttribute"
      		 			name="sn"
      		 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
		       			parent.attr="SignificantAttribute"
     					name="cn"
      					syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
		       			parent.attr="CreationAttribute"
		       			name="cn"
     					syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeMap>
		       			<AttributeDescription
     	    			parent.attr="SunAttribute"
        	 			name="cn"
        	 			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
      			<AttributeDescription
        						parent.attr="WindowsAttribute"
			          			name="cn"
			          			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			</AttributeMap>

    			<AttributeMap>
 		   	 	<AttributeDescription
        					parent.attr="SunAttribute"
        					name="uniquemember"
        					syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
	      			<AttributeDescription
    			    			parent.attr="WindowsAttribute"
         		 			name="member"
		          			syntax="1.2.840.113556.1.4.910"/>
    			</AttributeMap>

    			<AttributeDescription
		      				parent.attr="SignificantAttribute"
    		   			name="member"
      	   			syntax="1.2.840.113556.1.4.910"/>
  			</ActiveDirectoryGlobals>

  			<SunDirectoryGlobals
   		 			userObjectClass="inetOrgPerson"
		    			flowInboundCreates="true"
		    			flowInboundModifies="true"
		    			flowOutboundCreates="true"
		    			flowOutboundModifies="true">
    			<AttributeDescription
    		    			parent.attr="SignificantAttribute"
			      			name="uniquemember"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
    			<AttributeDescription
			      			parent.attr="CreationAttribute"
			      			name="cn"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
			      			parent.attr="SignificantAttribute"
			      			name="cn"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
			      			parent.attr="SignificantAttribute"
			      			name="pwdaccountlockedtime"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
    			<TopologyHost
			      			parent.attr="SchemaLocation"
			      			hostname="ds-host.example.com"
			      			port="389"
			      			portSSLOption="false"
			      			securePort="636">
	      			<Credentials
 				       parent.attr="Credentials"
				       userName="cn=directory manager"
				       cleartextPassword=""/>
				       <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE 	FIELD -->
			    </TopologyHost>
    			<AttributeDescription
			    				parent.attr="SignificantAttribute"
			      			name="uid"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
			      			parent.attr="CreationAttribute"
			      			name="sn"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
    			<AttributeDescription
			      			parent.attr="SignificantAttribute"
			      			name="sn"
			      			syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
  			</SunDirectoryGlobals>
			</ActiveConfiguration>

After the completion of configuration export, export11cnf reports the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.

Checking for Undelivered Messages

The migration process minimizes system downtime by preserving the connectors’ states in the existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue. Therefore, you do not know whether the message was actually delivered and applied to the destination connector.

This behavior does not cause problems as long as the Message Queue remains the same. However, you will lose any messages on the Message Queue during the migration process when you install Message Queue 3.6.

You must verify that the synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all the synchronization topics are empty and the system is not causing any problem.

Using the checktopics Utility

The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 6.0 package.

The prerequisite to run checktopics is a Java Virtual Machine.

When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you.

To execute the checktopics command line utility:

1. Open a Terminal window and cd to the migration directory.

2. From a command prompt, type the subcommand as follows.

   java -jar checktopics.jar -h hostname \ -p port -D bind-DN \ -w bind-password -s root-suffix \ -q configuration-password -Z

   For example,

   java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q -Z

   ---

   Note –

   For more information about the checktopics arguments, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide. For more information about using checktopics, see Checking for Undelivered Messages.

   After running checktopics, check your terminal for the following messages:

   • If the operation succeeds, the terminal window displays a message stating that there are no outstanding messages in the logs.

   • If the operation fails, an appropriate error message is displayed with an error identifier.

   ---

To Clear Messages

If any of the active synchronization topics contain outstanding messages, use the following procedure to clear the messages.

1. Restart synchronization.

2. Wait until the messages are applied to the destination connector.

3. Stop synchronization.

4. Rerun checktopics.

Forcing Password Changes on Windows NT

On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process.

Instead of requiring all users to change passwords when you finish migrating to 6.0, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.

The forcepwchg utility is available only in the Windows packages.

You can find the forcepwchg utility in the Windows migration directory. Execute forcepwchg directly from that directory. No additional installation steps are necessary.

You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed. You cannot run forcepwchg remotely.

The forcepwchg utility also prints the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, look into the next entry to the last printed entry.

Migrating Your System

This section provides instructions for migrating a single-host deployment to version 6.0.

In a single-host deployment, all Identity Synchronization for Windows components are installed on a single host (Windows 2000 Server, Solaris version 8 or 9, or SPARC), as follows:

• Directory Server (one instance)

• Core (Message Queue, Central Logger, System Manager, and Console)

• Active Directory Connector

• Directory Server Connector

• Directory Server Plugin

If you are using Solaris as your installation host, then a Windows 2000 machine with Active Directory is required for synchronization purposes only. (No components would be installed on the Windows 2000 machine.)

The following figure illustrates the migration process and serves as a checklist to supplement the migration instructions that follow.

Figure 7–1 Migrating a Single-Host Deployment

Preparing for Migration

Use the following procedure to prepare for migration to version 6.0.

Preparing to migrate from version 1.1, and 1.1 SP1, to version 6.0

1. Open a terminal window or command prompt.

   • On Solaris type the following command.

     uncompress -c filename | tar xf -

   • On Windows type the following command or use any archive program for Windows, such as WinZip.

     %JAVA_HOME%\\bin\\jar -xf filename
     

   When the binaries are unpacked, the following subdirectories contain the required migration tools:

   • installer/

   • lib/

   • migration/

   Solaris	Windows
   export11cnf.jar	export11cnf.jar
   	forcepwchg.exe
   checktopics.jar	checktopics.jar

2. Export your version 1.1 configuration settings to an XML file.

   From the migration directory, execute export11cnf as described in Using the export11cnf Utility.

   java -jar export11cnf.jar -D “cn=directory manager” -w - \
    -s “dc=example,dc=com” -q - -f export.cfg

3. Add passwords to the exported XML file.

   Enter a password between the double quotes for each cleartextPassword field in the exported configuration file. For more information, see Inserting Clear-Text Passwords.

4. Stop synchronization as described in Starting and Stopping Synchronization in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

5. Verify that your system is in a stable state.

   From the migration directory, execute checktopics as described in Using the checktopics Utility. The following example shows the execution of the checktopics command.

   java -jar checktopics.jar -D “cn=directory manager” -w - \
    -s “dc=example,dc=com” -q -Z

6. Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

   ---

   Note –

   Do not stop the Sun ONE Message Queue service.

   ---

7. On Windows NT only, perform the following steps.

   1. Stop the Sun One NT Change Detector Service by typing the following command.

      net stop “Sun One NT ChangeDetector Service”

   2. Save the NT Change Detector Service counters.

      1. Open the Registry Editor by executing regedt32.exe.

      2. Select the HKEY_LOCAL_MACHINE window.

      3. Navigate to the SOFTWARE\\Sun Microsystems\\PSW\\1.1 node.

      4. Save the following registry values.

         • HighestChangeNumber

         • LastProcessedSecLogRecordNumber

         • LastProcessedSecLogTimeStamp

         • QueueSize

8. Save the connector states by backing up the persist and etc directories from the existing 1.1 installation tree.

   • On Solaris, type the following command.

     cd serverRoot/isw-hostname
     tar cf /var/tmp/connector-state.tar persist etc

   • On Windows, type the following command.

     cd serverRoot\isw-hostname
      zip -r C:\\WINNT\Temp\connector-state.zip persist 
      etc%JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc

     Alternatively, use any archive program for Windows, such as WinZip.

9. Start the Identity Synchronization for Windows services. For more information, see Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

Uninstalling Identity Synchronization for Windows

The Identity Synchronization for Windows 1.1 uninstall program removes the SUNWjss package if it is not registered for use by another application. In particular, this situation may occur on a Solaris machine if you installed a zip version of Directory Server 5.2, where the uninstall program removes the jss3.jar file from /usr/share/lib/mps/secv1.

If you encounter this situation as you migrate to Identity Synchronization for Windows 6.0, the installer reports that a required file is missing, and logs the file name to the installation log. When this happens, you must re-install the required patches and restart the installation process. For a list of required patches, see (see Software Dependency Requirements in Sun Java System Directory Server Enterprise Edition 6.0 Release Notes.

To Uninstall Identity Synchronization for Windows Version 1.1

1. Uninstall the Directory Server plug-in manually and restart each Directory Server where the plug-in was installed.

   Execute the following steps on each Directory Server where the plug-in was installed:

   1. Remove the following entries from the Directory Server:

      cn=config,cn=pswsync,cn=plugins,cn=configcn=pswsync,cn=plugins,cn=config

      For example:

      ldapdelete -D “cn=directory manager” -w - -p <port \> -c cn=config, cn=pswsync,cn=plugins,cn=configcn=pswsync,cn=plugins,cn=config

   2. Restart the Directory Server.

      • On Solaris: Type < serverRoot \>/slapd-<hostname \>/restart-slapd

      • On Windows: Type < serverRoot\>\\slapd-< hostname\>\\restart-slapd.bat

   3. Remove the Plugin binaries from the system.

      • On Solaris: Type rm < serverRoot \>/lib/psw-plugin.sorm < serverRoot \>/lib/64/psw-plugin.so

      • On Windows: Type del <serverRoot\>\\lib\\psw-plugin.dll

2. Change directory (cd) to < ServerRoot \>\\isw-< hostname\> and then use the Identity Synchronization for Windows 1.1 (or 1.1 SP1) uninstallation program to uninstall the version 1.1, and 1.1 SP1, Connectors and Core components.

   ---

   Note –

   You must uninstall Connectors before uninstalling Core components.

   ---

   • On Solaris or SPARC: Type ./runUninstaller.sh

   • On Windows: Type \\runUninstaller.bat

3. Back up the product registry file and remove Identity Synchronization for Windows-related entries from the file.

   The location of the file is as follows:

   • On Solaris: /var/sadm/install/productregistry

   • On Windows: C:\\WINNT\\System32\\productregistry

   To remove the Identity Synchronization for Windows-related entries from the product registry file, follow the instructions provided in Manually Uninstalling 1.1 Core and Instances from Solaris.

4. On Windows only. After uninstalling Core, restart your machine.

   ---

   Note –

   If the uninstall fails, you might have to manually uninstall the Identity Synchronization for Windows components. Instructions are provided in What to Do if the 1.1 Uninstallation Fails

   ---

5. On Windows only. Verify that Identity Synchronization for Windows is not running. If necessary, you can stop the service from the command line by typing the following command.

   net stop “Sun ONE Identity Synchronization for Windows”

   If this service continues running after uninstallation, it causes a sharing violation that prevents you from deleting the instance directory.

6. Remove the Identity Synchronization for Windows instance directory ( isw-< hostname \>).

Installing or Upgrading the Dependent Products

Use the following steps to upgrade the Java Run Environment, install Message Queue, and upgrade Directory Server.

1. Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed. The minimum required version is 1.5.0.

   • Java 2 SDK: http://java.sun.com/j2se/1.5.0/install.html

   • Java 2 Runtime Environment: http://java.sun.com/j2se/1.5.0/jre/install.html

2. Install Message Queue 3.6 by using the instructions provided in Sun Java System Message Queue 3.6 Installation Guide.

3. Upgrade Directory Server to version 6.0. For more information, see Chapter 1, Overview of the Migration Process for Directory Server.

   ---

   Note –

   To keep the Administration Server intact, use the -N option while migrating Directory Server (configuration and data) to version 6.0. For more information on migrating configuration data and user data, see Using dsmig to Migrate Configuration Data and Using dsmig to Migrate User Data respectively.

   ---

   The Directory Server upgrade preserves your current Directory Server configuration and database.

Installing Identity Synchronization for Windows 6.0

Use the following steps to install the Identity Synchronization for Windows 6.0 components.

To install the Identity Synchronization for Windows 6.0 components:

1. Install Identity Synchronization for Windows 6.0 Core. For more information, see Installing Core in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

2. Execute idsync prepds against Directory Server to update the schema.

   • On Solaris type the following commands.

     cd /opt/SUNWisw/bin
     idsync prepds arguments\

   • On Windows type the following commands.

     cd serverRoot\isw-hostname\bin
     idsync prepds arguments\

   For more information about idsync prepds, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

3. Import your version 1.1, and 1.1 SP1, configuration XML file by typing the following command.

   idsync importcnf arguments\

   ---

   Note –

   If the program detects errors in your input configuration file, an error results. Identity Synchronization for Windows aborts the importcnf process and provides the necessary information to correct errors.

   For more information about using idsync importcnf , see Using importcnf in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide

   ---

4. Install the Identity Synchronization for Windows 6.0 Connectors. For more information, see Installing Connectors in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

5. If you did not select the Configure Identity Synchronization for Windows 6.0 Directory Server Plugin option while installing Directory Server connector, configure it now. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities, in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

6. Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

7. On Windows NT only, complete the following steps.

   1. Stop the NT Change Detector service by typing the following command.

      net stop “Sun Java(TM) System NT Change Detector”

   2. Restore the NT Change Detector Service counters.

      1. Open the Registry Editor by executing regedt32.exe.

      2. Select the HKEY_LOCAL_MACHINE window.

      3. Navigate to the SOFTWARE\\Sun Microsystems\\Sun Java(TM) System Identity Synchronization for Windows\\1.1 node.

      4. Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.1).

         • HighestChangeNumber

         • LastProcessedSecLogRecordNumber

         • LastProcessedSecLogTimeStamp

         • QueueSize

   3. Start the NT Change Detector service by typing the following command.

      net start “Sun Java(TM) System NT Change Detector”

8. Remove the version 6.0 persist and etc directories (and all their contents) from the instance directory and restore the version 1.1, and 1.1 SP1, persist and etc directories you backed up in Preparing for Migration.

   • On Solaris, type the following command.

     cd /var/opt/SUNWisw 
     rm -rf etc persisttar xf /var/tmp/connector-state.tar

   • On Windows, type the following command.

     cd serverRoot\isw-hostname
     rd /s etc persist%JAVA_HOME%\\bin\\jar -xf %TEMP%\\ connector-state.jar

     Alternatively, use any archive program for Windows, such as WinZip.

9. Start the service and the synchronization.

   1. Start the Identity Synchronization for Windows service as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

   2. Start synchronization as described in Starting and Stopping Synchronization in Sun Java System Directory Server Enterprise Edition 6.0 Installation Guide.

10. Check the central audit log to verify that there are no warning messages.

    ---

    Note –

    If you have customized the version 1.1 log settings, you must manually apply those customizations to your version 6.0 installation. Use the Identity Synchronization for Windows Console to configure your version 6.0 log settings.

    ---

What to Do if the 1.1 Uninstallation Fails

If the version 6.0 installation program finds remnants of the version 1.1 system, the 6.0 installation will fail. Verify that all of the 1.1 components are completely removed from the system prior to installing version 6.0.

If the uninstallation program does not uninstall all of the version 1.1 components, you must manually clean up the Identity Synchronization for Windows product registry and Solaris packages.

Detailed instructions for uninstalling Identity Synchronization for Windows version 1.1 manually are provided in the following sections:

• Manually Uninstalling 1.1 Core and Instances from Solaris

• Manually Uninstalling 1.1 Core and Instances from Windows 2000

• Manually Uninstalling a 1.1 Instance from Windows NT

The instructions provided in this section are for uninstalling Identity Synchronization for Windows version 1.1, and 1.1 SP1, only.

Do not use the manual uninstallation procedures provided in the following sections unless the Identity Synchronization for Windows uninstallation program fails.

Manually Uninstalling 1.1 Core and Instances from Solaris

Use the instructions provided in this section to manually uninstall Core from a Solaris machine.

In this section, Identity Synchronization for Windows locations are described in the following manner:

<serverRoot \>/ isw-<hostname \>

where <serverRoot \> represents the parent directory of the Identity Synchronization for Windows installation location.

For example, if you installed Identity Synchronization for Windows in /var/Sun/mps/isw-< example\>, the < serverRoot\> would be /var/Sun/mps.

To Manually Uninstall Core From a Solaris Machine:

1. Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window.

   If the preceding command does not stop all of the Java processes, type the following commands.

   /usr/ucb/ps -gauxwww | grep java
   kill -s SIGTERM process IDs from preceding command
   

2. Stop Message Queue.

   1. Type the following command to stop the Message Queue broker.

      /etc/init.d/imq stop

   2. Type the following commands to stop any remaining imq processes.

      * ps -ef | grep imqbroker
      * kill -s SIGTERM process IDs from preceding command
      

   3. Use one of the following methods to uninstall the broker packages and directories.

      • Use the Message Queue broker uninstall script to uninstall the broker. This script is located in the Identity Synchronization for Windows instance directory on the host where you installed Core.

        serverRoot/isw-hostname/imq_uninstall

      • Manually uninstall the packages and directories.

        Use the pkgrm command to remove the following packages.

        SUNWaclg
        SUNWiqum
        SUNWiqjx
        SUNWiqlen
        SUNWxsrt
        SUNWiqu
        SUNWjaf
        SUNWiqfs
        SUNWjhrt
        SUNWiqdoc
        SUNWiquc
        SUNWiqsup
        SUNWiqr
        SUNWjmail

        Use the rm -rf command to remove the following directories.

        /etc/imq
        /var/imq
        /usr/bin/imq*

3. To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrm package-name for each of the packages listed in Manually Uninstalling 1.1 Core and Instances from Solaris.

   The following example shows the use of pkgrm to uninstall packages.

   pkgrm SUNWidscm SUNWidscn SUNWidscr SUNWidsct SUNWidsoc

   Package Name	Description
   SUNWidscm	Sun ONE Directory Server Identity Synchronization package for Core components and Connectors.
   SUNWidscn	Sun ONE Directory Server Identity Synchronization package for Console help files.
   SUNWidscr	Sun ONE Directory Server Identity Synchronization package for Core Components.
   SUNWidsct	Sun ONE Directory Server Identity Synchronization package for Connectors.
   SUNWidsoc	Sun ONE Directory Server Identity Synchronization package for Object Cache.

   Type the following command to verify that all of the packages were removed.

   pkginfo | grep -i "Identity Synchronization"

   ---

   Note –

   Run the pkgrm package-name command again to check if there are still existing packages due to dependencies.

   ---

4. Remove the Directory Server Plugin.

   1. Open the Directory Server Console and select the Configuration tab.

   2. In the left pane, expand the Plugins node and select the pswsync node.

   3. In the right pane, clear the Enable plug-in check box.

   4. Click Save.

   5. From the Directory Server Console, locate and remove the following entry from the Configuration Directory:

      cn=pswsync,cn=plugins,cn=config

   6. Stop Directory Server.

   7. Remove the Plugin binary by typing the following command.

      rm -f serverRoot/lib/psw-plugin.so

   8. Restart Directory Server.

5. Back-up (copy and rename) the current productregistry file located in /var/sadm/install/productregistry.

6. Manually edit the productregistry file in /var/sadm/install/ to remove the following entries, if present:

   ---

   Note –

   • For best results, use an XML editor. Alternatively, you can use a standard text editor.

   • Some of the following components may not be included in your file.

   • You must delete the beginning tag (<compid\>), ending tag (</compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text, or tags that are included as part of these tags. See the example on Manually Uninstalling 1.1 Core and Instances from Solaris.

   ---

   • <compid\>Identity Synchronization for Windows . . . </compid\>

   • <compid\>Core . . . </compid\>

   • <compid\>unistaller . . . </compid\>

   • <compid\>wpsyncwatchdog . . . </compid\>

   • <compid\>setenv . . . </compid\>

   • <compid\>Create DIT . . . </compid\>

   • <compid\>Extend Schema . . . </compid\>

   • <compid\>resources . . . </compid\>

   • <compid\>CoreComponents . . . </compid\>

   • <compid\>Connector . . . </compid\>

   • <compid\>DSConnector . . . </compid\>

   • <compid\>Directory Server Plugin . . . </compid\>

   • <compid\>DSSubcomponents . . . </compid\>

   • <compid\>ObjectCache . . . </compid\>

   • <compid\>ObjectCacheDLLs . . . </compid\>

   • <compid\>SUNWidscr . . . </compid\>

   • <compid\>SUNWidscm . . . </compid\>

   • <compid\>SUNWidsct . . . </compid\>

   • <compid\>SUNWidscn . . . </compid\>

   • <compid\>SUNWidsoc . . . </compid\>

   • <compid\>ADConnector . . . </compid\>

   The following is an example <compid\> tag. Remove <compid\>, </compid\>, and all the text and tags in-between.

   <compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\>

7. Remove the following Identity Synchronization for Windows directories and files.

   1. From the installation location, type the following command.

      rm -rf serverRoot/isw-hostname
      

   2. To remove the bootstrap files, type the following command.

      rm -rf /etc/init.d/isw

8. Clean up the configuration directory as follows:

   1. Run the following ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree:

      ldapsearch -D "cn=directory manager" -w < password \> -b o=netscaperoot "(nsnickname=isw)" dn

      ---

      Note –

      ldapsearch is located in Directory Server’s < serverRoot\>/shared/bin/ldapsearch. For example, /var/Sun/mps/shared/bin/ldapsearch

      ---

      The resulting entry should be similar to the following. Note that the entry always ends with o=NetscapeRoot.

      "cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"

   2. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all subtrees below it.

9. Clean up the Identity Synchronization for Windows configuration registry as follows:

   1. Run the following ldapsearch command to locate the Identity Synchronization for Windows configuration registry in Directory Server:

      ldapsearch -D "cn=directory manager" -w < password \> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn

      The resulting entry should be similar to the following:

      "ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"

   2. Use the Directory Server Console to remove the Identity Synchronization for Windows configuration registry and all subtrees below it.

10. Clean up all other Console-related files as follows:

    1. Remove all the Console jar files by typing:

       rm -rf < serverRoot \>/java/jars/isw* For example, /var/Sun/mps/java/jars/isw*

    2. Remove all the Console servlet jar files by typing:

       rm -rf <serverRoot \>/bin/isw/ For example, /var/Sun/mps/bin/isw/

Manually Uninstalling 1.1 Core and Instances from Windows 2000

Use the instructions provided in this section to manually uninstall Core from a Windows 2000 machine.

In this section, Identity Synchronization for Windows locations are described in the following manner:

serverRoot\isw-hostname\

where serverRoot represents the parent directory of the Identity Synchronization for Windows installation location.

For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the serverRoot would be C:\Program Files\Sun\mps.

To uninstall Core from a Windows 2000 machine:

1. Stop all Identity Synchronization for Windows Java processes using one of the following methods:

   • Select Start -> Settings -> Control Panel -> Administrative Tools -> Services to open the Services window. In the right pane, right-click on Identity Synchronization for Windows and select Stop.

   • Open a Command Prompt window and type the following command.

     net stop "Sun ONE Identity Synchronization for Windows"

   • If the preceding methods do not work, use the following steps to stop the Java processes manually.

     1. Open the Services window, right-click on Identity Synchronization for Windows, and select Properties.

     2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

   ---

   Note –

   Although you can view Java processes (such as pswwatchdog.exe ) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.

   ---

2. For a Core uninstallation only, stop the Message Queue using one of the following methods:

   • In the Services window, right-click on iMQ Broker in the right pane and select Stop.

   • From a Command Prompt, type the following command.

     net stop "iMQ Broker"

   • If the preceding methods do not work, use the following steps to stop Message Queue manually.

     1. Open the Services window, right-click on iMQ Broker and select Properties.

     2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

     3. Open the Directory Server Console and select the Configuration tab.

     4. In the left pane, expand the Plugins node and select the pswsync node.

     5. In the right pane, uncheck the Enable plug-in check box.

     6. Click Save.

     7. From the Console, locate and remove the following entry from the Configuration Directory:

        cn=pswsync,cn=plugins,cn=config

     8. Stop Directory Server.

        You can stop the server using one of the following methods:

        • In the Services window, right-click on Sun ONE Directory Server 5.2 in the right pane and select Stop.

        • Open a Command Prompt window and type the following command.

          net stop slapd-myhostname
          

     9. Open Windows Explorer to locate and remove the Plugin binary:

        < ServerRoot\>\\lib\\psw-plugin.so

     10. Restart Directory Server.

3. Open a Command Prompt window and type regedit to open the Registry Editor window.

   ---

   Caution –

   Back up your current registry file before proceeding to Manually Uninstalling 1.1 Core and Instances from Windows 2000.

   ---

   1. In the Registry Editor, select My Computer in the left pane.

   2. Select Registry -> Export Registry File from the menu bar.

   3. When the Export Registry File dialog box is displayed, specify a name for the file and select a location to save the backup registry.

4. In the Registry Editor, select Edit -> Delete from the menu bar.

   Remove the following Identity Synchronization for Windows keys from the Windows Registry:

   • All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Identity Synchronization for Windows.

   • All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist).

     • ...\Control\Session Manager\Environment\< isw-installation directory\>

     • ...\Services\Eventlog\Application\Sun ONE Identity Synchronization for Windows

     • ...\Services\Sun ONE Identity Synchronization for Windows

     • ...\Services\iMQBroker

5. Backup (copy and rename) the current productregistry file located in C:\\WINNT\\system32 .

6. Edit the C:\WINNT\system32\productregistry file to remove the following tags:

   ---

   Note –

   • For best results, use an XML editor. Alternatively, you can use a standard text editor.

   • Some of the following components may not be included in your file.

   • You must delete the beginning tag (<compid\>), ending tag (</compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. See the example Manually Uninstalling 1.1 Core and Instances from Windows 2000.

   ---

   • <compid\>Identity Synchronization for Windows . . . </compid\>

   • <compid\>Core . . . </compid\>

   • <compid\>unistaller . . . </compid\>

   • <compid\>wpsyncwatchdog . . . </compid\>

   • <compid\>setenv . . . </compid\>

   • <compid\>Create DIT . . . </compid\>

   • <compid\>Extend Schema . . . </compid\>

   • <compid\>resources . . . </compid\>

   • <compid\>CoreComponents . . . </compid\>

   • <compid\>Connector . . . </compid\>

   • <compid\>DSConnector . . . </compid\>

   • <compid\>Directory Server Plugin . . . </compid\>

   • <compid\>DSSubcomponents . . . </compid\>

   • <compid\>ObjectCache . . . </compid\>

   • <compid\>ObjectCacheDLLs . . . </compid\>

   • <compid\>ADConnector . . . </compid\>

   The following is a <compid\> tag sample. Remove <compid\>, </compid\>, and all the text and tags in-between.

   <compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\>

7. Remove the Identity Synchronization for Windows installation folder located at serverRoot\isw-hostname.

   For example, C:\Program Files\Sun\mps\isw-example

8. Clean up the configuration directory as follows:

   1. From a Command Prompt window, run the ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree.

      ---

      Note –

      ldapsearch is located in < serverRoot\>\\shared\\bin\\ldapsearch.

      For example, C:\\Program Files\\Sun\\mps\\shared\\bin\\ldapsearch

      ---

      ldapsearch -D "cn=directory manager" -w < password\> -b o=netscaperoot "(nsnickname=isw)" dn

      The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):

      "cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"

   2. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree that you found and all subtrees under it.

9. Clean up the Identity Synchronization for Windows configuration directory ( also know as the configuration registry) as follows:

   1. From a Command Prompt window, run the following ldapsearch command to locate the Identity Synchronization for Windows configuration directory in Directory Server:

      ldapsearch -D "cn=directory manager" -w <password \> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn

      The resulting entry should be similar to the following:

      "ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"

   2. Use the Directory Server Console to remove the configuration directory subtree that you found, including all subtrees under it.

10. Clean up all other Console-related files as follows:

    1. Remove all Console jar files located in < serverRoot \>\\java\\jars\\isw*For example, C:\\Program Files\\Sun\\mps\\java\\jars\\isw*

    2. Remove all Console servlet jar files located in < directory-server-install-root \>\\bin\\isw\\For example, C:\\SunOne\\Servers\\bin\\isw\\

Next Steps

Restart your machine for all changes to take effect.

Manually Uninstalling a 1.1 Instance from Windows NT

Use the instructions provided in this section to manually uninstall an instance from a Windows NT machine.

In this section, Identity Synchronization for Windows locations are described as follows:

<serverRoot\>\\isw-<hostname\>

where <serverRoot \> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\\Program Files\\Sun\\mps\\isw- example, the < serverRoot \> would be C:\\Program Files\\Sun\\mps.

1. Stop all the Identity Synchronization for Windows Java processes (Core and instance installations) using one of the following methods:

   • Select Start -> Settings -> Control Panel -> Administrative Tools -> Services to open the Services window. In the right pane, right-click on Identity Synchronization for Windows and select Stop.

   • Open a Command Prompt window and type the following command:

     net stop “Sun ONE Identity Synchronization for Windows”

   • If the preceding methods do not work, use the following steps to stop the Java processes manually:

     1. Open the Services window, right-click on Identity Synchronization for Windows, and select Properties.

     2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

   ---

   Note –

   Although you can view Java processes (such as pswwatchdog.exe) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.

   ---

2. Stop the Change Detector service using one of the following methods:

   • In the Services window, right-click on Sun ONE NT Change Detector Service in the right pane and select Stop.

   • Open a Command Prompt window and type the following command:

     net stop “Sun ONE NT Change Detector Service”

   • If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:

     1. Open the Services window, right-click on Change Detector Service and select Properties.

     2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

     3. Restart your Windows NT computer.

3. You must remove Identity Synchronization for Windows registry keys. Open a Command Prompt window and type regedt32 to open the Registry Editor window.

   ---

   Caution –

   Do not use regedit because the program does not allow you to edit multi-value strings.

   Backup your current Windows registry file before proceeding to Manually Uninstalling a 1.1 Instance from Windows NT.

   ---

   1. In the Registry Editor, select the top node (My Computer) in the left pane.

   2. Select Registry -> Export Registry File from the menu bar.

   3. When the Export Registry File dialog box is displayed, specify a name for the file and select a location to save the backup registry.

4. In the Registry Editor, select Edit -> Delete from the menu bar.

   Remove the following Identity Synchronization for Windows keys from the Registry:

   • All entries under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Identity Synchronization for Windows

   • All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002) entries under HKEY_LOCAL_MACHINE\\SYSTEM\\*.

     These entries include the following:

     • ...\\Control\\Session Manager\\Environment\\ <isw-installation directory\>

     • ...\\Services\\Eventlog\\Application\\Sun ONE Identity Synchronization for Windows

     • ...\\Services\\Sun ONE Identity Synchronization for Windows

     • ...\\Services\\iMQBroker

   • The HKEY_LOCAL_MACHINE\\SOFTWARE\\Sun Microsystems\\PSW

5. Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:

   1. Select the registry key entry in the left pane:

      HKEY_LOCAL_MACHINE\\SYSTEM\\\\CurrentControlSet\\\\CONTROL\\\\LSA

      The registry value type must be REG_MULTI_SZ.

   2. In the right pane, right-click on the Notification Packages value and select Modify.

   3. Change the PASSFLT value to FPNWCLNT.

6. Backup (copy and rename) the current productregistry file located in C:\\WINNT\\system32 .

7. Edit the C:\\WINNT\\system32 productregistry file to remove the following tags:

   ---

   Note –

   • For best results, use an XML editor. Alternatively, you can use a standard text editor.

   • Some of these components might not be included in your file.

   • You must delete the beginning tag (<compid\>), ending tag (<\\compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. See the example on Manually Uninstalling 1.1 Core and Instances from Windows 2000.

   ---

   • <compid\>Identity Synchronization for Windows . . . </compid\>

   • <compid\>Core . . . </compid\>

   • <compid\>uninstaller . . . </compid\>

   • <compid\>wpsyncwatchdog . . . </compid\>

   • <compid\>setenv . . . </compid\>

   • <compid\>Create DIT . . . </compid\>

   • <compid\>Extend Schema . . . </compid\>

   • <compid\>resources . . . </compid\>

   • <compid\>CoreComponents . . . </compid\>

   • <compid\>Connector . . . </compid\>

   • <compid\>DSConnector . . . </compid\>

   • <compid\>Directory Server Plugin . . . </compid\>

   • <compid\>DSSubcomponents . . . </compid\>

   • <compid\>ObjectCache . . . </compid\>

   • <compid\>ObjectCacheDLLs . . . </compid\>

   • <compid\>ADConnector . . . </compid\>

   The following is a example <compid\> tag. Remove <compid\>, </compid\>, and all the text and tags in-between.

   <compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\>

8. Remove the Identity Synchronization for Windows installation folder located at < serverRoot \>\\isw-< hostname \>.

   For example, C:\\Program Files\\Sun\\mps\\isw-example

   ---

   Note –

   You must edit the Windows registry as described in Manually Uninstalling a 1.1 Instance from Windows NT before proceeding to Manually Uninstalling a 1.1 Instance from Windows NT.

   ---

9. Remove the Password Filter DLL.

   Locate the passflt.dll file in the C:\\winnt\\system32 folder, and rename the file to passflt.dll.old.

10. Restart your machine for all changes to take effect.

Other Migration Scenarios

Because other deployment topologies are possible, your migration process may differ from the process described for a single-host deployment.

This section describes two alternative deployment scenarios and explains how to migrate in each case.

The sample deployment scenarios include:

• Multi-Master Replication Deployment

• Multi-Host Deployment with Windows NT

Multi-Master Replication Deployment

In a multi-master replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.

Table 7–1 and Figure 7–2 illustrate how the Identity Synchronization for Windows components are distributed between the two hosts.

The migration process keeps on-demand password synchronization running continuously on the preferred master or on the secondary master.

If both hosts are running on a Solaris operating system, then a third host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the third host.)

The following figure illustrates the process for migrating Identity Synchronization for Windows in a MMR deployment.

Figure 7–2 Migrating a Multi-Master Replication Deployment

Multi-Host Deployment with Windows NT

Three hosts are used in this deployment scenario:

• A Windows NT system

• A host for Directory Server with the synchronized users and the Directory Server Connector

• A host for all other components

Table 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows components are distributed between the three hosts.

In the previous scenario, hosts 1 and 2 are running on the same operating system.

Directory Server at host1 contains the configuration registry and the Admin Server console. Ensure you migrate to Directory Server 6.0 using the -N option to keep the Admin Server intact. For more information on migrating configuration data and user data, see Using dsmig to Migrate Configuration Data and Using dsmig to Migrate User Data respectively.

Directory Server at host2 contains the data and the Directory Server plugin. When you migrate Directory Server to 6.0, the plugin configuration is lost. But it does not cause any problem as Identity Synchronization for Windows migration requires the connectors to be reinstalled and plugin to be reconfigured. Therefore, Directory Server at host2 should be migrated after Identity Synchronization for Windows uninstallation.

If both hosts are running a Solaris operating system, then a fourth host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the fourth host.)

Figure 7–3 illustrates the process for migrating Identity Synchronization for Windows for a multi-host deployment

Figure 7–3 Migrating a Multi-Host Deployment with Windows NT

Checking the Logs

After migrating to version 6.0, check the central audit log for messages indicating a problem. In particular, check for Directory Server users whose password changes may have been missed during the migration process. Such errors would be similar to the following:

[16/Apr/2004:14:23:41.029 -0500] WARNING    14  CNN101 ds-connector-host.example.com
  				"Unable to obtain password of user cn=JohnSmith,ou=people,dc=example,dc=com, 
					because the password was encoded by a previous installation of 
					Identity Synchronization for Windows Directory Server Plugin. 
					The password of this user cannot be synchronized at this time. 
					Update the password of	this user again in the Directory Server."

You will not see this log message until after you start synchronization in Identity Synchronization for Windows 6.0. This is why checking the logs is the last step of the migration procedure.