This chapter explains how to migrate your system from Identity Synchronization for Windows version 1.1, and 1.1 SP1, to version 6.0.
In the remainder of this chapter, version 1.1 includes version 1.1 SP1.
When you install Identity Synchronization for Windows version 1.1, Message Queue is also installed on your system. Identity Synchronization for Windows 6.0 does not install Message Queue.
For installation and upgrade information about Message Queue, read the installation instructions for Java Enterprise System software at http://docs.sun.com/coll/1286.2.
This chapter includes the following sections:
Migration from Identity Synchronization for Windows version 1.1 to version 6.0 is accomplished in the following major phases:
Preparing your Identity Synchronization for Windows 1.1 installation for migration.
Uninstalling Identity Synchronization for Windows 1.1.
Installing or upgrading dependent products.
Installing Identity Synchronization for Windows 6.0 by using the configuration and connector states you backed up.
Install Identity Synchronization for Windows 6.0 on the same platform and architecture where you installed Identity Synchronization for Windows 1.1.
Complete the following tasks before you migrate:
Familiarize yourself with the new features and functionality provided in Identity Synchronization for Windows 6.0.
Read Chapter 3, Understanding the Product, in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide for installation and configuration information that you can use to plan your migration process.
Document your version 1.1 deployment and configuration. Be sure to note any customizations you have made to the configuration.
Schedule migration. Because the migration process requires at least four hours, you might want to schedule migration after normal business hours.
If the input password or attribute changes while you are migrating the system, Identity Synchronization for Windows processes these changes as follows:
For Active Directory. Any password changes made on Active Directory during the migration process will be synchronized on demand by the Directory Server Plug-in after the migration process.
For Directory Server. Any password changes made on Directory Server during the migration process will not be synchronized. However, you can identify affected users in the Identity Synchronization for Windows 6.0 logs after completing the migration process. For more information, see Checking the Logs.
For Windows NT. Any password changes made on NT during the migration process will not be synchronized.
However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. For more information, see Forcing Password Changes on Windows NT.
All other attribute changes made during the migration process (at any directory source) will be synchronized after the migration process.
Use one or more of the following utilities to migrate from Identity Synchronization for Windows 1.1 to Identity Synchronization for Windows 6.0:
export11cnf. A stand-alone utility that enables you to create an export configuration file from your Identity Synchronization for Windows 1.1 configuration. For more information , see Exporting Version 1.1 Configuration.
The exported XML document contains the directory deployment topology and enough information to configure the Identity Synchronization for Windows 6.0 installation.
checktopics. A utility that checks Message Queue synchronization topics in a 1.1 installation and determines if any undelivered messages remain in the queue.
Updates can remain in Message Queue after you stop 1.1 synchronization. You must verify that no updates exist in the Message Queue before you proceed with the migration. For more information, see Checking for Undelivered Messages.
forcepwchg. A Windows NT tool that enables you to identify users who changed passwords during the migration process and forces them to change passwords again when the version 6.0 system is ready. Password changes made on Windows NT are not captured during the migration process. For more information, see Forcing Password Changes on Windows NT for detailed information.
These utilities facilitate the migration of Identity Synchronization for Windows version 1.1 to version 6.0. The migration is performed in the same environment where Identity Synchronization for Windows 1.1 is deployed. Consequently, these utilities are available in the Solaris/SPARC and Windows packages only.
You can find the migration utilities in the installation migration directory. No additional installation steps are required.
You can use the export11cnf utility to export an existing version 1.1 configuration file to an XML file and then use the idsync importcnf command to import the file into the Identity Synchronization for Windows 6.0 system before installing the connectors.
While you can update the 1.1 system configuration manually by using the Identity Synchronization for Windows console, we recommend that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved.
Exporting the version 1.1 configuration enables you to:
Eliminate most of the initial configuration process to be performed from the management Console.
Guarantee that the connector IDs assigned in version 6.0 match the connector IDs used in version 1.1. This simplifies the task of preserving the existing connector states that can be used directly in the version 6.0 deployment.
Back up the persist and etc directories, and then restore them later to avoid confusion about the underlying directory structure.
You can find the export11cnf utility in the installation migration directory. No additional installation steps are necessary.
To export an Identity Synchronization for Windows configuration to an XML file, execute export11cnf from the migration directory as follows:
In a terminal window, type the following:
java -jar export11cnf.jar -h hostname -p port -D bind DN -w bind password -s rootsuffix -q configuration password -Z -P cert-db-path -m secmod-db-path -f filename |
java -jar export11cnf.jar -D “cn=dirmanager” -w - -q - -s “dc=example,dc=com” -f exported-configuration
The export11cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities. For more information, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide. The export11cnf utility exports the current configuration into the file specified in the argument of the -f option.
For security reasons, the export11cnf utility does not export clear-text passwords from version 1.1. Instead, the utility inserts empty strings in cleartextPassword fields wherever applicable. For example,
<Credentials userName="cn=iswservice,cn=users,dc=example,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> |
You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows. importcnf validation prevents you from importing a configuration file with empty password values.
For example,
<Credentials userName="cn=iswservice,cn=users,dc=example,dc=com" cleartextPassword="mySecretPassword"/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
In the following sample exported configuration file,
ad-host.example.com refers to the Active Directory domain controller.
ds-host.example.com refers to the host running Directory Server.
<?xml version="1.0" encoding="UTF-8"?> <ActiveConfiguration> <SunDirectorySource parent.attr="DirectorySource" onDemandSSLOption="true" maxConnections="5" displayName="dc=example,dc=com" resyncInterval="1000"> <SynchronizationHost hostOrderOfSignificance="1" hostname="ds-host.example.com" port="389" portSSLOption="true" securePort="636"/> <Credentials userName="uid=PSWConnector, dc=example, dc=com" </SynchronizationHost> <SyncScopeDefinitionSet index="0" location="ou=people,dc=example,dc=com" filter="" creationExpression="uid=%uid%,ou=people,dc=example,dc=com" sulid="SUL1"/> </SunDirectorySource> <ActiveDirectorySource parent.attr="DirectorySource" displayName="example.com" resyncInterval="1000"> <SynchronizationHost hostOrderOfSignificance="1" hostname="ad-host.example.com" port="389" portSSLOption="true" securePort="636"> <Credentials userName="cn=Administrator,cn=Users,dc=metaqa,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> </SynchronizationHost> <SyncScopeDefinitionSet index="0" location="cn=users,dc=example,dc=com" filter="" creationExpression="cn=%cn%,cn=users,dc=example,dc=com" sulid="SUL1"/> </ActiveDirectorySource> <ActiveDirectoryGlobals flowInboundCreates="true" flowInboundModifies="true" flowOutboundCreates="true" flowOutboundModifies="true"> <TopologyHost parent.attr="SchemaLocation" hostname="ad-host.example.com" port="3268" portSSLOption="true" securePort="3269"> <Credentials parent.attr="Credentials" userName="cn=Administrator,cn=Users,dc=example,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> </TopologyHost> <TopologyHost parent.attr="HostsTopologyConfiguration" hostname="ad-host.example.com" port="3268" portSSLOption="true" securePort="3269"> <Credentials parent.attr="Credentials" userName="cn=Administrator,cn=Users,dc=example,dc=com" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> </TopologyHost> <AttributeMap> <AttributeDescription parent.attr="WindowsAttribute" name="lockouttime" syntax="1.2.840.113556.1.4.906"/> <AttributeDescription parent.attr="SunAttribute" name="pwdaccountlockedtime" syntax="1.3.6.1.4.1.1466.115.121.1.24"/> </AttributeMap> <AttributeDescription parent.attr="SignificantAttribute" name="lockouttime" syntax="1.2.840.113556.1.4.906"/> <AttributeDescription parent.attr="SignificantAttribute" name="samaccountname" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="CreationAttribute" name="samaccountname" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeMap> <AttributeDescription parent.attr="WindowsAttribute" name="samaccountname" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="SunAttribute" name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> </AttributeMap> <AttributeMap> <AttributeDescription parent.attr="SunAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="WindowsAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> </AttributeMap> <AttributeDescription parent.attr="SignificantAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="SignificantAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="CreationAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeMap> <AttributeDescription parent.attr="SunAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="WindowsAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> </AttributeMap> <AttributeMap> <AttributeDescription parent.attr="SunAttribute" name="uniquemember" syntax="1.3.6.1.4.1.1466.115.121.1.25"/> <AttributeDescription parent.attr="WindowsAttribute" name="member" syntax="1.2.840.113556.1.4.910"/> </AttributeMap> <AttributeDescription parent.attr="SignificantAttribute" name="member" syntax="1.2.840.113556.1.4.910"/> </ActiveDirectoryGlobals> <SunDirectoryGlobals userObjectClass="inetOrgPerson" flowInboundCreates="true" flowInboundModifies="true" flowOutboundCreates="true" flowOutboundModifies="true"> <AttributeDescription parent.attr="SignificantAttribute" name="uniquemember" syntax="1.3.6.1.4.1.1466.115.121.1.25"/> <AttributeDescription parent.attr="CreationAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="SignificantAttribute" name="cn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="SignificantAttribute" name="pwdaccountlockedtime" syntax="1.3.6.1.4.1.1466.115.121.1.24"/> <TopologyHost parent.attr="SchemaLocation" hostname="ds-host.example.com" port="389" portSSLOption="false" securePort="636"> <Credentials parent.attr="Credentials" userName="cn=directory manager" cleartextPassword=""/> <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD --> </TopologyHost> <AttributeDescription parent.attr="SignificantAttribute" name="uid" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="CreationAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> <AttributeDescription parent.attr="SignificantAttribute" name="sn" syntax="1.3.6.1.4.1.1466.115.121.1.15"/> </SunDirectoryGlobals> </ActiveConfiguration> |
After the completion of configuration export, export11cnf reports the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.
The migration process minimizes system downtime by preserving the connectors’ states in the existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue. Therefore, you do not know whether the message was actually delivered and applied to the destination connector.
This behavior does not cause problems as long as the Message Queue remains the same. However, you will lose any messages on the Message Queue during the migration process when you install Message Queue 3.6.
You must verify that the synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all the synchronization topics are empty and the system is not causing any problem.
The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 6.0 package.
The prerequisite to run checktopics is a Java Virtual Machine.
When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you.
To execute the checktopics command line utility:
Open a Terminal window and cd to the migration directory.
From a command prompt, type the subcommand as follows.
java -jar checktopics.jar -h hostname \ -p port -D bind-DN \ -w bind-password -s root-suffix \ -q configuration-password -Z |
java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q -Z
For more information about the checktopics arguments, see Common Arguments to the Idsync Subcommands in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide. For more information about using checktopics, see Checking for Undelivered Messages.
After running checktopics, check your terminal for the following messages:
If the operation succeeds, the terminal window displays a message stating that there are no outstanding messages in the logs.
If the operation fails, an appropriate error message is displayed with an error identifier.
If any of the active synchronization topics contain outstanding messages, use the following procedure to clear the messages.
Wait until the messages are applied to the destination connector.
Stop synchronization.
Rerun checktopics.
On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process.
Instead of requiring all users to change passwords when you finish migrating to 6.0, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.
The forcepwchg utility is available only in the Windows packages.
You can find the forcepwchg utility in the Windows migration directory. Execute forcepwchg directly from that directory. No additional installation steps are necessary.
You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed. You cannot run forcepwchg remotely.
The forcepwchg utility also prints the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, look into the next entry to the last printed entry.
This section provides instructions for migrating a single-host deployment to version Identity Synchronization for Windows 6.0.
In a single-host deployment, all Identity Synchronization for Windows components are installed on a single host (Windows 2000 Server, Solaris version 8 or 9, or SPARC), as follows:
Directory Server (one instance)
Core (Message Queue, Central Logger, System Manager, and Console)
Directory Server Connector
Directory Server Plug-in
If you are using Solaris as your installation host, then a Windows 2000 machine with Active Directory is required for synchronization purposes only. (No components would be installed on the Windows 2000 machine.)
The following figure illustrates the migration process and serves as a checklist to supplement the migration instructions that follow.
Use the following procedure to prepare for migration to version 6.0.
Open a terminal window or command prompt.
On Solaris type the following command.
uncompress -c filename | tar xf -
On Windows type the following command or use any archive program for Windows, such as WinZip.
%JAVA_HOME%\\bin\\jar -xf filename
When the binaries are unpacked, the following subdirectories contain the required migration tools:
Solaris |
Windows |
---|---|
export11cnf.jar |
|
| |
checktopics.jar |
Export your version 1.1 configuration settings to an XML file.
From the migration directory, execute export11cnf as described in Using the export11cnf Utility.
java -jar export11cnf.jar -D “cn=directory manager” -w - \ -s “dc=example,dc=com” -q - -f export.cfg
Add passwords to the exported XML file.
Enter a password between the double quotes for each cleartextPassword field in the exported configuration file. For more information, see Inserting Clear-Text Passwords.
Stop synchronization as described in Starting and Stopping Synchronization in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Verify that your system is in a stable state.
From the migration directory, execute checktopics as described in Using the checktopics Utility. The following example shows the execution of the checktopics command.
java -jar checktopics.jar -D “cn=directory manager” -w - \ -s “dc=example,dc=com” -q -Z
Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Do not stop the Sun ONE Message Queue service.
On Windows NT only, perform the following steps.
Save the connector states by backing up the persist and etc directories from the existing 1.1 installation tree.
On Solaris, type the following command.
cd serverRoot/isw-hostname tar cf /var/tmp/connector-state.tar persist etc
On Windows, type the following command.
cd serverRoot\isw-hostname zip -r C:\\WINNT\Temp\connector-state.zip persist etc%JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc
Alternatively, use any archive program for Windows, such as WinZip.
Start the Identity Synchronization for Windows services. For more information, see Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
The Identity Synchronization for Windows 1.1 uninstall program removes the SUNWjss package if it is not registered for use by another application. In particular, this situation may occur on a Solaris machine if you installed a zip version of Directory Server 5.2, where the uninstall program removes the jss3.jar file from /usr/share/lib/mps/secv1.
If you encounter this situation as you migrate to Identity Synchronization for Windows 6.0, the installer reports that a required file is missing, and logs the file name to the installation log. When this happens, you must reinstall the required patches and restart the installation process. For a list of required patches, see (see Software Dependency Requirements in Sun Java System Directory Server Enterprise Edition 6.3 Release Notes.
Uninstall the Directory Server plug-in manually and restart each Directory Server where the plug-in was installed.
Execute the following steps on each Directory Server where the plug-in was installed:
Remove the following entries from the Directory Server:
cn=config,cn=pswsync,cn=plugins,cn=configcn=pswsync,cn=plugins,cn=config
For example:
ldapdelete -D “cn=directory manager” -w - -p <port \> -c cn=config, cn=pswsync,cn=plugins,cn=configcn=pswsync,cn=plugins,cn=config
Restart the Directory Server.
Remove the Plug-in binaries from the system.
Change directory (cd) to < ServerRoot \>\\isw-< hostname\> and then use the Identity Synchronization for Windows 1.1 (or 1.1 SP1) uninstallation program to uninstall the version 1.1, and 1.1 SP1, Connectors and Core components.
You must uninstall Connectors before uninstalling Core components.
Back up the product registry file and remove Identity Synchronization for Windows related entries from the file.
The location of the file is as follows:
On Solaris: /var/sadm/install/productregistry
On Windows: C:\\WINNT\\System32\\productregistry
To remove the Identity Synchronization for Windows related entries from the product registry file, follow the instructions provided in Manually Uninstalling 1.1 Core and Instances from Solaris.
On Windows only. After uninstalling Core, restart your machine.
If the uninstall fails, you might have to manually uninstall the Identity Synchronization for Windows components. Instructions are provided in What to Do if the 1.1 Uninstallation Fails
On Windows only. Verify that Identity Synchronization for Windows is not running. If necessary, you can stop the service from the command line by typing the following command.
net stop “Sun ONE Identity Synchronization for Windows” |
If this service continues running after uninstallation, it causes a sharing violation that prevents you from deleting the instance directory.
Remove the Identity Synchronization for Windows instance directory (isw-< hostname \>).
Use the following steps to upgrade the Java Run Environment, install Message Queue, and upgrade Directory Server.
Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed. The minimum required version is 1.5.0.
Java 2 SDK: http://java.sun.com/j2se/1.5.0/install.html
Java 2 Runtime Environment: http://java.sun.com/j2se/1.5.0/jre/install.html
Install Message Queue 3.6 by using the instructions provided in Sun Java System Message Queue 3.6 Installation Guide.
Upgrade Directory Server to version 6.3. For more information, see Chapter 1, Overview of the Migration Process for Directory Server.
To keep the Administration Server intact, use the -N option while migrating Directory Server (configuration and data) to version 6.3. For more information on migrating configuration data and user data, see Using dsmig to Migrate Configuration Data and Using dsmig to Migrate User Data respectively.
The Directory Server upgrade preserves your current Directory Server configuration and database.
Use the following steps to install the Identity Synchronization for Windows 6.0 components.
Install Identity Synchronization for Windows Core. For more information, see Installing Core in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Execute idsync prepds against Directory Server to update the schema.
On Solaris type the following commands.
cd /opt/SUNWisw/bin idsync prepds arguments\
On Windows type the following commands.
cd serverRoot\isw-hostname\bin idsync prepds arguments\
For more information about idsync prepds, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities, in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Import your version 1.1, and 1.1 SP1, configuration XML file by typing the following command.
idsync importcnf arguments\
If the program detects errors in your input configuration file, an error results. Identity Synchronization for Windows aborts the importcnf process and provides the necessary information to correct errors.
For more information about using idsync importcnf , see Using importcnf in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide
Install the Identity Synchronization for Windows 6.0 Connectors. For more information, see Installing Connectors in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
If you did not select the Configure Identity Synchronization for Windows 6.0 Directory Server Plug-in option while installing Directory Server connector, configure it now. For more information, see Appendix A, Using the Identity Synchronization for Windows Command Line Utilities, in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
On Windows NT only, complete the following steps.
Stop the NT Change Detector service by typing the following command.
net stop “Sun Java(TM) System NT Change Detector”
Restore the NT Change Detector Service counters.
Select the HKEY_LOCAL_MACHINE window.
Navigate to the SOFTWARE\\Sun Microsystems\\Sun Java(TM) System Identity Synchronization for Windows\\1.1 node.
Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.1).
HighestChangeNumber
LastProcessedSecLogRecordNumber
LastProcessedSecLogTimeStamp
QueueSize
Start the NT Change Detector service by typing the following command.
net start “Sun Java(TM) System NT Change Detector”
Remove the version 6.0 persist and etc directories (and all their contents) from the instance directory and restore the version 1.1, and 1.1 SP1, persist and etc directories you backed up in Preparing for Migration.
On Solaris, type the following command.
cd /var/opt/SUNWisw rm -rf etc persisttar xf /var/tmp/connector-state.tar
On Windows, type the following command.
cd serverRoot\isw-hostname rd /s etc persist%JAVA_HOME%\\bin\\jar -xf %TEMP%\\ connector-state.jar
Alternatively, use any archive program for Windows, such as WinZip.
Start the service and the synchronization.
Start the Identity Synchronization for Windows service as described in Starting and Stopping Services in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Start synchronization as described in Starting and Stopping Synchronization in Sun Java System Directory Server Enterprise Edition 6.3 Installation Guide.
Check the central audit log to verify that there are no warning messages.
If you have customized the version 1.1 log settings, you must manually apply those customizations to your version Identity Synchronization for Windows 6.0 installation. Use the Identity Synchronization for Windows Console to configure your log settings.
If the version 6.0 installation program finds remnants of the version 1.1 system, the installation will fail. Verify that all of the 1.1 components are completely removed from the system before starting the new installation.
If the uninstallation program does not uninstall all of the version 1.1 components, you must manually clean up the Identity Synchronization for Windows product registry and Solaris packages.
Detailed instructions for uninstalling Identity Synchronization for Windows version 1.1 manually are provided in the following sections:
The instructions provided in this section are for uninstalling Identity Synchronization for Windows version 1.1, and 1.1 SP1, only.
Do not use the manual uninstallation procedures provided in the following sections unless the Identity Synchronization for Windows uninstallation program fails.
Use the instructions provided in this section to manually uninstall Core from a Solaris machine.
In this section, Identity Synchronization for Windows locations are described in the following manner:
<serverRoot \>/ isw-<hostname \>
where <serverRoot \> represents the parent directory of the Identity Synchronization for Windows installation location.
For example, if you installed Identity Synchronization for Windows in /var/Sun/mps/isw-< example\>, the < serverRoot\> would be /var/Sun/mps.
Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window.
If the preceding command does not stop all of the Java processes, type the following commands.
/usr/ucb/ps -gauxwww | grep java kill -s SIGTERM process IDs from preceding command
Stop Message Queue.
Type the following command to stop the Message Queue broker.
/etc/init.d/imq stop
Type the following commands to stop any remaining imq processes.
* ps -ef | grep imqbroker * kill -s SIGTERM process IDs from preceding command
Use one of the following methods to uninstall the broker packages and directories.
Use the Message Queue broker uninstall script to uninstall the broker. This script is located in the Identity Synchronization for Windows instance directory on the host where you installed Core.
serverRoot/isw-hostname/imq_uninstall
Manually uninstall the packages and directories.
Use the pkgrm command to remove the following packages.
SUNWaclg SUNWiqum SUNWiqjx SUNWiqlen SUNWxsrt SUNWiqu SUNWjaf SUNWiqfs SUNWjhrt SUNWiqdoc SUNWiquc SUNWiqsup SUNWiqr SUNWjmail
Use the rm -rf command to remove the following directories.
/etc/imq /var/imq /usr/bin/imq*
To remove the Identity Synchronization for Windows 1.1 Solaris packages, run pkgrm package-name for each of the packages listed in Manually Uninstalling 1.1 Core and Instances from Solaris.
The following example shows the use of pkgrm to uninstall packages.
pkgrm SUNWidscm SUNWidscn SUNWidscr SUNWidsct SUNWidsoc
Type the following command to verify that all of the packages were removed.
pkginfo | grep -i "Identity Synchronization"
Run the pkgrm package-name command again to check if there are still existing packages due to dependencies.
Remove the Directory Server Plug-in.
Open the Directory Server Console and select the Configuration tab.
In the left pane, expand the Plugins node and select the pswsync node.
In the right pane, clear the Enable plug-in check box.
Click Save.
From the Directory Server Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
Stop Directory Server.
Remove the Plugin binary by typing the following command.
rm -f serverRoot/lib/psw-plugin.so
Restart Directory Server.
Back-up (copy and rename) the current productregistry file located in /var/sadm/install/productregistry.
Manually edit the productregistry file in /var/sadm/install/ to remove the following entries, if present:
For best results, use an XML editor. Alternatively, you can use a standard text editor.
Some of the following components may not be included in your file.
You must delete the beginning tag (<compid\>), ending tag (</compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text, or tags that are included as part of these tags. See the example on Manually Uninstalling 1.1 Core and Instances from Solaris.
<compid\>Identity Synchronization for Windows . . . </compid\>
<compid\>Core . . . </compid\>
<compid\>unistaller . . . </compid\>
<compid\>wpsyncwatchdog . . . </compid\>
<compid\>setenv . . . </compid\>
<compid\>Create DIT . . . </compid\>
<compid\>Extend Schema . . . </compid\>
<compid\>resources . . . </compid\>
<compid\>CoreComponents . . . </compid\>
<compid\>Connector . . . </compid\>
<compid\>DSConnector . . . </compid\>
<compid\>Directory Server Plugin . . . </compid\>
<compid\>DSSubcomponents . . . </compid\>
<compid\>ObjectCache . . . </compid\>
<compid\>ObjectCacheDLLs . . . </compid\>
<compid\>SUNWidscr . . . </compid\>
<compid\>SUNWidscm . . . </compid\>
<compid\>SUNWidsct . . . </compid\>
<compid\>SUNWidscn . . . </compid\>
<compid\>SUNWidsoc . . . </compid\>
<compid\>ADConnector . . . </compid\>
The following is an example <compid\> tag. Remove <compid\>, </compid\>, and all the text and tags in-between.
<compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\> |
Remove the following Identity Synchronization for Windows directories and files.
Clean up the configuration directory as follows:
Run the following ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree:
ldapsearch -D "cn=directory manager" -w < password \> -b o=netscaperoot "(nsnickname=isw)" dn
ldapsearch is located in Directory Server’s < serverRoot\>/shared/bin/ldapsearch. For example, /var/Sun/mps/shared/bin/ldapsearch
The resulting entry should be similar to the following. Note that the entry always ends with o=NetscapeRoot.
"cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"
Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all of the subtrees below it.
Clean up the Identity Synchronization for Windows configuration registry as follows:
Run the following ldapsearch command to locate the Identity Synchronization for Windows configuration registry in Directory Server:
ldapsearch -D "cn=directory manager" -w < password \> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn
The resulting entry should be similar to the following:
"ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"
Use the Directory Server Console to remove the Identity Synchronization for Windows configuration registry and all of the subtrees below it.
Clean up all other Console-related files as follows:
Use the instructions provided in this section to manually uninstall Core from a Windows 2000 machine.
In this section, Identity Synchronization for Windows locations are described in the following manner:
serverRoot\isw-hostname\
where serverRoot represents the parent directory of the Identity Synchronization for Windows installation location.
For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the serverRoot would be C:\Program Files\Sun\mps.
Stop all Identity Synchronization for Windows Java processes using one of the following methods:
Select Start -> Settings -> Control Panel -> Administrative Tools -> Services to open the Services window. In the right pane, right-click on Identity Synchronization for Windows and select Stop.
Open a Command Prompt window and type the following command.
net stop "Sun ONE Identity Synchronization for Windows"
If the preceding methods do not work, use the following steps to stop the Java processes manually.
Although you can view Java processes (such as pswwatchdog.exe ) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.
For a Core uninstallation only, stop the Message Queue using one of the following methods:
In the Services window, right-click on iMQ Broker in the right pane and select Stop.
From a Command Prompt, type the following command.
net stop "iMQ Broker"
If the preceding methods do not work, use the following steps to stop Message Queue manually.
Open the Services window, right-click on iMQ Broker and select Properties.
From the General tab in the Properties window, select Manual from the Startup type drop-down list.
Open the Directory Server Console and select the Configuration tab.
In the left pane, expand the Plugins node and select the pswsync node.
In the right pane, uncheck the Enable plug-in check box.
Click Save.
From the Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
Stop Directory Server.
You can stop the server using one of the following methods:
Open Windows Explorer to locate and remove the Plugin binary:
< ServerRoot\>\\lib\\psw-plugin.so
Restart Directory Server.
Open a Command Prompt window and type regedit to open the Registry Editor window.
Back up your current registry file before proceeding to Manually Uninstalling 1.1 Core and Instances from Windows 2000.
In the Registry Editor, select Edit -> Delete from the menu bar.
Remove the following Identity Synchronization for Windows keys from the Windows Registry:
All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Identity Synchronization for Windows.
All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist).
...\Control\Session Manager\Environment\< isw-installation directory\>
...\Services\Eventlog\Application\Sun ONE Identity Synchronization for Windows
...\Services\Sun ONE Identity Synchronization for Windows
...\Services\iMQBroker
Backup (copy and rename) the current productregistry file located in C:\\WINNT\\system32 .
Edit the C:\WINNT\system32\productregistry file to remove the following tags:
For best results, use an XML editor. Alternatively, you can use a standard text editor.
Some of the following components may not be included in your file.
You must delete the beginning tag (<compid\>), ending tag (</compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. See the example Manually Uninstalling 1.1 Core and Instances from Windows 2000.
<compid\>Identity Synchronization for Windows . . . </compid\>
<compid\>Core . . . </compid\>
<compid\>unistaller . . . </compid\>
<compid\>wpsyncwatchdog . . . </compid\>
<compid\>setenv . . . </compid\>
<compid\>Create DIT . . . </compid\>
<compid\>Extend Schema . . . </compid\>
<compid\>resources . . . </compid\>
<compid\>CoreComponents . . . </compid\>
<compid\>Connector . . . </compid\>
<compid\>DSConnector . . . </compid\>
<compid\>Directory Server Plugin . . . </compid\>
<compid\>DSSubcomponents . . . </compid\>
<compid\>ObjectCache . . . </compid\>
<compid\>ObjectCacheDLLs . . . </compid\>
<compid\>ADConnector . . . </compid\>
The following is a <compid\> tag sample. Remove <compid\>, </compid\>, and all the text and tags in-between.
<compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\> |
Remove the Identity Synchronization for Windows installation folder located at serverRoot\isw-hostname.
For example, C:\Program Files\Sun\mps\isw-example
Clean up the configuration directory as follows:
From a Command Prompt window, run the ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree.
ldapsearch is located in < serverRoot\>\\shared\\bin\\ldapsearch.
For example, C:\\Program Files\\Sun\\mps\\shared\\bin\\ldapsearch
ldapsearch -D "cn=directory manager" -w < password\> -b o=netscaperoot "(nsnickname=isw)" dn
The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):
"cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"
Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree that you found and all subtrees under it.
Clean up the Identity Synchronization for Windows configuration directory ( also know as the configuration registry) as follows:
From a Command Prompt window, run the following ldapsearch command to locate the Identity Synchronization for Windows configuration directory in Directory Server:
ldapsearch -D "cn=directory manager" -w <password \> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn
The resulting entry should be similar to the following:
"ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"
Use the Directory Server Console to remove the configuration directory subtree that you found, including all subtrees under it.
Restart your machine for all changes to take effect.
Use the instructions provided in this section to manually uninstall an instance from a Windows NT machine.
In this section, Identity Synchronization for Windows locations are described as follows:
<serverRoot\>\\isw-<hostname\>
where <serverRoot \> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in C:\\Program Files\\Sun\\mps\\isw- example, the < serverRoot \> would be C:\\Program Files\\Sun\\mps.
Stop all the Identity Synchronization for Windows Java processes (Core and instance installations) using one of the following methods:
Select Start -> Settings -> Control Panel -> Administrative Tools -> Services to open the Services window. In the right pane, right-click on Identity Synchronization for Windows and select Stop.
Open a Command Prompt window and type the following command:
net stop “Sun ONE Identity Synchronization for Windows”
If the preceding methods do not work, use the following steps to stop the Java processes manually:
Although you can view Java processes (such as pswwatchdog.exe) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.
Stop the Change Detector service using one of the following methods:
In the Services window, right-click on Sun ONE NT Change Detector Service in the right pane and select Stop.
Open a Command Prompt window and type the following command:
net stop “Sun ONE NT Change Detector Service”
If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:
You must remove Identity Synchronization for Windows registry keys. Open a Command Prompt window and type regedt32 to open the Registry Editor window.
Do not use regedit because the program does not allow you to edit multi-value strings.
Backup your current Windows registry file before proceeding to Manually Uninstalling a 1.1 Instance from Windows NT.
In the Registry Editor, select Edit -> Delete from the menu bar.
Remove the following Identity Synchronization for Windows keys from the Registry:
All entries under HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\Identity Synchronization for Windows
All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002) entries under HKEY_LOCAL_MACHINE\\SYSTEM\\*.
These entries include the following:
...\\Control\\Session Manager\\Environment\\ <isw-installation directory\>
...\\Services\\Eventlog\\Application\\Sun ONE Identity Synchronization for Windows
...\\Services\\Sun ONE Identity Synchronization for Windows
...\\Services\\iMQBroker
The HKEY_LOCAL_MACHINE\\SOFTWARE\\Sun Microsystems\\PSW
Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:
Backup (copy and rename) the current productregistry file located in C:\\WINNT\\system32 .
Edit the C:\\WINNT\\system32 productregistry file to remove the following tags:
For best results, use an XML editor. Alternatively, you can use a standard text editor.
Some of these components might not be included in your file.
You must delete the beginning tag (<compid\>), ending tag (<\\compid\>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. See the example on Manually Uninstalling 1.1 Core and Instances from Windows 2000.
<compid\>Identity Synchronization for Windows . . . </compid\>
<compid\>Core . . . </compid\>
<compid\>uninstaller . . . </compid\>
<compid\>wpsyncwatchdog . . . </compid\>
<compid\>setenv . . . </compid\>
<compid\>Create DIT . . . </compid\>
<compid\>Extend Schema . . . </compid\>
<compid\>resources . . . </compid\>
<compid\>CoreComponents . . . </compid\>
<compid\>Connector . . . </compid\>
<compid\>DSConnector . . . </compid\>
<compid\>Directory Server Plugin . . . </compid\>
<compid\>DSSubcomponents . . . </compid\>
<compid\>ObjectCache . . . </compid\>
<compid\>ObjectCacheDLLs . . . </compid\>
<compid\>ADConnector . . . </compid\>
The following is a example <compid\> tag. Remove <compid\>, </compid\>, and all the text and tags in-between.
<compid\>Identity Synchronization for Windows <compversion\>1.1 <uniquename\>Identity Synchronization for Windows</uniquename\> <compinstance\>1 <children\> <compref\>ADConnector <instance\>1 <version\>1.1</version\> </instance\> </compref\> <compref\>DSSubcomponents . . . </compinstance\> </compversion\> </compid\> |
Remove the Identity Synchronization for Windows installation folder located at < serverRoot \>\\isw-< hostname \>.
For example, C:\\Program Files\\Sun\\mps\\isw-example
You must edit the Windows registry as described in Manually Uninstalling a 1.1 Instance from Windows NT before proceeding to Manually Uninstalling a 1.1 Instance from Windows NT.
Remove the Password Filter DLL.
Locate the passflt.dll file in the C:\\winnt\\system32 folder, and rename the file to passflt.dll.old.
Restart your machine for all changes to take effect.
Because other deployment topologies are possible, your migration process may differ from the process described for a single-host deployment.
This section describes two alternative deployment scenarios and explains how to migrate in each case.
The sample deployment scenarios include:
In a multi-master replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.
Table 7–1 and Figure 7–2 illustrate how the Identity Synchronization for Windows components are distributed between the two hosts.
Table 7–1 Component Distribution in a Multi-Master Replication Deployment
The migration process keeps on-demand password synchronization running continuously on the preferred master or on the secondary master.
If both hosts are running on a Solaris operating system, then a third host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the third host.)
The following figure illustrates the process for migrating Identity Synchronization for Windows in a MMR deployment.
Three hosts are used in this deployment scenario:
A Windows NT system
A host for Directory Server with the synchronized users and the Directory Server Connector
A host for all other components
Table 7–2 and Figure 7–3 illustrate how the Identity Synchronization for Windows components are distributed between the three hosts.
Table 7–2 Multi-Host Deployment
In the previous scenario, hosts 1 and 2 are running on the same operating system.
Directory Server at host1 contains the configuration registry and the Admin Server console. Ensure you migrate to Directory Server 6.0 using the -N option to keep the Admin Server intact. For more information on migrating configuration data and user data, see Using dsmig to Migrate Configuration Data and Using dsmig to Migrate User Data respectively.
Directory Server at host2 contains the data and the Directory Server plugin. When you migrate Directory Server to 6.0, the plugin configuration is lost. But it does not cause any problem as Identity Synchronization for Windows migration requires the connectors to be reinstalled and plugin to be reconfigured. Therefore, Directory Server at host2 should be migrated after Identity Synchronization for Windows uninstallation.
If both hosts are running a Solaris operating system, then a fourth host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the fourth host.)
Figure 7–3 illustrates the process for migrating Identity Synchronization for Windows for a multi-host deployment
After migration, check the central audit log for messages indicating a problem. In particular, check for Directory Server users whose password changes may have been missed during the migration process. Such errors would be similar to the following:
[16/Apr/2004:14:23:41.029 -0500] WARNING 14 CNN101 ds-connector-host.example.com "Unable to obtain password of user cn=JohnSmith,ou=people,dc=example,dc=com, because the password was encoded by a previous installation of Identity Synchronization for Windows Directory Server Plugin. The password of this user cannot be synchronized at this time. Update the password of this user again in the Directory Server."
You will not see this log message until after you start synchronization in Identity Synchronization for Windows 6.0. This is why checking the logs is the last step of the migration procedure.