Sun Java System Identity Synchronization for Windows 6.0 Deployment Planning Guide

When to Fail over

Identity Synchronization for Windows is a background system that with one exception is not user-facing. Therefore, if it is temporarily unavailable, for example, due to routine hardware maintenance, most users will be unaffected. After the system is restored, Identity Synchronization for Windows will synchronize all changes that were made while it was unavailable.

The user-facing aspect is the on-demand password synchronization performed from the Directory Server Plug-in to Active Directory. If on-demand password synchronization fails, the user will not be able to log in to Directory Server. Therefore, Identity Synchronization for Windows provides more availability options for this situation. The Directory Server Plug-in can be configured to authenticate to any Active Directory domain controller. Thus, even if all but one Active Directory domain controller is down, on-demand password synchronization will still succeed.

Note –

The Directory Server Plug-ins receive their configuration from the Directory Server Connector over an encrypted channel. This configuration, which includes the location of the Active Directory domain controllers and credentials, is cached in memory by the plug-in. So even if the Directory Server Connector is unavailable, it will still be able to connect to Active Directory. However, if Directory Server is restarted, the plug-in's cached configuration is lost, and on-demand synchronization on that Directory Server will fail until the Directory Server Connector is available.

Depending on the size of the deployment, the failover procedure might take minutes to over an hour to perform. Therefore, the failover procedure should not be undertaken if the Identity Synchronization for Windows outage is expected to be short and temporary, for example, during the system restart of the system that contains the Identity Synchronization for Windows Core. Use the failover procedure only in situations where Identity Synchronization for Windows must be completely reinstalled or a complete idsync resync operation must be run on a large population.

Such situations might include the following: