Deployments connecting to Directory Servers using replication follow the same rules identified in Security Overview. This section gives an example replicated configuration and explains how to enable use of SSL in this configuration.
For an overview of planning, deploying, and securing replicated configurations see Appendix D, Defining and Configuring Synchronization User Lists for Identity Synchronization for Windows
Securing Replicated Configurations lists the configuration components requiring CA certificates and identifies which certificates are required where.
Table 10–3 MMR Configuration Components Requiring CA Certificates
Component |
Required CA certificates |
---|---|
Preferred Directory Server Replicated Master |
Active Directory System |
Secondary Directory Server Replicated Master |
Active Directory System |
Read-only Directory Server Hub(s) |
Preferred Directory Server Replicated Master Secondary Directory Server Replicated Master |
Directory Server Connector |
Preferred Directory Server Replicated Master Secondary Directory Server Replicated Master |
Active Directory System |
Replicated configuration shows Identity Synchronization for Windows installed in an MMR configuration, where there are two replicated Directory Server masters with multiple Directory Server read-only hubs or consumers. Each Directory Server has a Plug-in and there is only one Directory Server Connector, one Active Directory system, and one Active Directory Connector.
When the Directory Server source is configured for SSL, you must make sure that both the preferred and secondary Directory Server certificates are trusted by the replica Directory Server. This is true for every Directory Server Plug-in of type other that you install on a system with a Directory Server hub or read-only replica.
Directory Server Plug-ins have access to the same CA certificates as its associated Directory Server.
The above diagram is specific to two Directory Server masters. But you can extended this to contain multiple masters.