Sun Java logo     Previous      Contents      Index      Next     

Sun logo
Sun Java System Identity Synchronization for Windows 1 2004Q3 Installation and Configuration Guide 

Chapter 7
Migrating to Identity Synchronization for Windows 1 2004Q3

This chapter explains how to migrate your system from Sun Java System Identity Synchronization for Windows version 1.0 to version 1 2004Q3.

Note

Identity Synchronization for Windows version 1.0 installed Message Queue for you, but Identity Synchronization for Windows 1 2004Q3 does not.

Refer to the Sun Java System Message Queue product documentation for installation instructions.

The information is organized into the following sections:

Overview

Migration from Identity Synchronization for Windows version 1.0 (or version 1.0 SP1) to 1 2004Q3 is accomplished in several major phases:

  1. Preparing your Identity Synchronization for Windows version 1.0 (or 1.0 SP1) installation for Migration.
  2. Uninstalling Identity Synchronization for Windows version 1.0 (or 1.0 SP1).
  3. Installing or upgrading dependent products.
  4. Installing Identity Synchronization for Windows 1 2004Q3 using the configuration and connector states you backed-up.

    5. Note

    Install Identity Synchronization for Windows 1 2004Q3 on the same platform and architecture where you installed Identity Synchronization for Windows version 1.0 (or 1.0 SP1).

Before You Migrate

Before you start the migration process,

Preparing for Migration

You will use one or more the following utilities to migrate from version 1.0 to version 1 2004Q3:

Exporting Your Version 1.0 Configuration

You can use the export10cnf utility to export an existing version 1.0 configuration file to an XML file and then use the idsync importcnf command to quickly and accurately import the file into the 1 2004Q3 system before installing the connectors.

Tip

Although it is possible to manually re-enter the 1.0 configuration using the Identity Synchronization for Windows console, you are strongly advised to use the export10cnf utility. If you decide not to use export10cnf, then you will not be able to preserve the state of your connectors.

Exporting your version 1.0 configuration provides the following benefits:

You will find the export10cnf utility in the installation migration directory — no additional installation steps are necessary.

Using the export10cnf Utility

To export an Identity Synchronization for Windows configuration to an XML file, execute export10cnf from the migration directory as follows:

The export10cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities (see Common Arguments). The only export10cnf specific option is -f <filename>. If the operation is successful, then the utility will export the current configuration into the file specified in the argument of the -f option.

Inserting Clear-Text Passwords

The export10cnf utility does not export clear-text passwords from version 1.0 configurations (for security reasons). Instead, the utility inserts empty strings in cleartextPassword fields where appropriate. For example,

<Credentials

userName="cn=iswservice,cn=users,dc=example,dc=com"

cleartextPassword=""/>

<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->

You must enter a password manually — between the double quotes — for each and every cleartextPassword field in the exported configuration file before you can import the file into Identity Synchronization for Windows 1 2004Q3. (importcnf validation prevents you from importing a configuration file with empty password values.)

For example,

<Credentials

userName="cn=iswservice,cn=users,dc=example,dc=com"

cleartextPassword="mySecretPassword"/>

<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
FIELD -->

Sample Export Configuration File

Code Example 7-1 contains a sample exported configuration file.

In this file,

At the completion of configuration export, export10cnf will report the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.

Checking for Undelivered Messages

The Identity Synchronization for Windows 1.0 to 1 2004Q3 migration process minimizes system downtime by preserving the connectors’ states in your existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue — so you will not know whether the message was actually delivered and applied to the destination connector.

This behavior does not cause problems as long as the Message Queue remains the same; however, you will lose any messages on the Message Queue during the migration process (when you install Message Queue 3.5 SP1).

You must verify that synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all synchronization topics are empty (and the system is quiescent).

Using the checktopics Utility

The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 1 2004Q3 package.

Note

The only prerequisite for running checktopics is a suitable Java Virtual Machine (version 1.4.2_04 or later).

When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries the Message Queue to see how many outstanding messages remain on each active synchronization topic and then displays this information for you.

To execute the checktopics command line utility:

    1. Open a Terminal window and cd to the migration directory.
    2. From a command prompt, type the subcommand as follows:

      3. java -jar checktopics.jar -h <hostname> -p <port> -D <bind_DN> -w <bind_password> -s <root_suffix> -q <configuration_password> -Z

      For example,

      java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q -

Note

After running checktopics, check your terminal for messages:

Clearing Messages

If any of the active synchronization topics have outstanding messages, you can use the following procedure to clear the messages:

  1. Restart synchronization.
  2. Wait until the messages are applied to the destination connector.
  3. Stop synchronization.
  4. Rerun checktopics.

Forcing Password Changes on Windows NT

On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, there is no way to determine new password values after the migration is complete.

Instead of requiring all users to change passwords when you finish migrating to 1 2004Q3, you can use the forcepwchg command line utility to require a password change for all users who changed passwords during the migration process.

Note

The forcepwchg utility is available in the Windows packages only.

You will find the forcepwchg utility in the Windows migration directory. You execute forcepwchg directly from that directory — no additional installation steps are necessary.

You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed — you cannot run forcepwchg remotely.

The forcepwchg utility also prints out the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, the error happened while migrating the user account that printed out last.

Migrating Your System

This section provides instructions for migrating a single-host deployment to version 1 2004Q3. In a single-host deployment, all Identity Synchronization for Windows components are installed on a single host (Windows 2000 Server, Solaris version 8 or 9, or SPARC), as follows:

The following figure illustrates the migration process and may serve as a checklist to supplement the migration instructions that follow.

Figure 7-1  Migrating a Single-Host Deployment

Flow diagram showing steps for upgrading a single-host environment.

Continuation of flow diagram showing steps for upgrading a single-host environment.

Preparing for Migration

Use the following procedure to prepare to migrate from Identity Synchronization for Windows version 1.0 to version 1 2004Q3:

  1. From a command prompt:
    • On Solaris or SPARC: Type uncompress -c <filename> | tar xf -
    • On Windows: Type %JAVA_HOME%\bin\jar -xf <filename>
      (or use any zip archive program for Windows, such as WinZip®).

      • After the binaries are unpacked, you will see the following subdirectories containing the necessary migration tools:

    • installer/
    • lib/
    • migration/

      • Solaris

      Windows

      export10cnf.jar

      export10cnf.jar

             —

      forcepwchg.exe

      checktopics.jar

      checktopics.jar

  2. Export your version 1.0 configuration settings to an XML file.
    From the migration directory, execute export10cnf as described in Using the export10cnf Utility. For example:

    3. java -jar export10cnf.jar -D “cn=directory manager” -w - -s “dc=example,dc=com” -q - -f export.cfg

  3. Add passwords to the exported XML file.

    4. Enter a password between the double quotes for each cleartextPassword field in the exported configuration file (see Inserting Clear-Text Passwords).

  4. Stop synchronization as described in Starting and Stopping Synchronization.
  5. Verify that your system is in a quiescent state. From the migration directory, execute checktopics as described in Using the checktopics Utility.

    6. For example:

    java -jar checktopics.jar -D “cn=directory manager” -w - -s “dc=example,dc=com” -q -

  6. Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services.

    7. Note

    Do not stop the Sun ONE Message Queue service at this point.

  7. On Windows NT only — Stop the Sun One NT ChangeDetector Service.
    You can stop the service from the command line by typing

    8. net stop “Sun One NT ChangeDetector Service”

  8. On Windows NT only — Save the NT ChangeDetector Service counters as follows:
    1. Open the Registry Editor by executing regedt32.exe.
    2. Select the HKEY_LOCAL_MACHINE window.
    3. Navigate to the SOFTWARE\Sun Microsystems\PSW\1.0 node.
    4. Save the following registry values:
      • HighestChangeNumber
      • LastProcessedSecLogRecordNumber
      • LastProcessedSecLogTimeStamp
      • QueueSize
  9. Save the connector states by backing up the persist and etc directories from the existing 1.0 installation tree.
    • On Solaris: Type cd <serverroot>/isw-<hostname>
      tar cf /var/tmp/connector-state.tar persist etc
    • On Windows: Type cd <serverroot>\isw-<hostname>
      zip -r C:\WINNT\Temp\connector-state.zip persist etc
      %JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc
      (or use any zip archive program for Windows, such as WinZip)
  10. Start the Identity Synchronization for Windows services (see (more...) ).

    11. Note

    You do not have to start the Sun ONE Message Queue service because you never stopped it.

Uninstalling Identity Synchronization for Windows

Note

The Identity Synchronization for Windows 1.0 uninstall program will remove the SUNWjss package if it is not registered for use by another application (other than Identity Synchronization for Windows 1.0). In particular, this situation may occur on Solaris machines if you installed a zip version of Directory Server 5.2.2, where the uninstall program removes the jss3.jar file from /usr/share/lib/mps/secv1.

If you encounter this situation as you migrate to Identity Synchronization for Windows 11 2004Q3, the installer will report that a required file is missing, and log the file name to the installation log. When this happens, you must re-install the required patches (see Sun Java System Software Requirements) and restart the installation process.

After completing the preparation steps, you are ready to begin uninstalling Identity Synchronization for Windows version 1.0 (or 1.0 SP1), as follows:

  1. Uninstall the Directory Server Plugin manually, and restart each Directory Server where the Plugin was installed.
  2. Execute the following steps on each Directory Server where the Plugin was installed:
    1. Remove the following entries from the Directory Server:

      2. cn=config,cn=pswsync,cn=plugins,cn=config
      cn=pswsync,cn=plugins,cn=config

      For example:

      ldapdelete -D “cn=directory manager” -w - -p <port> -c
      cn=config, cn=pswsync,cn=plugins,cn=config
      cn=pswsync,cn=plugins,cn=config

    2. Restart the Directory Server.
      • On Solaris: Type <serverroot>/slapd-<hostname>/restart-slapd
      • On Windows: Type <serverroot>\slapd-<hostname>\restart-slapd.bat
    3. Remove the Plugin binaries from the system.
      • On Solaris: Type rm <serverroot>/lib/psw-plugin.so
        rm <        serverroot>/lib/64/psw-plugin.so
      • On Windows: Type del <serverroot>\lib\psw-plugin.dll
  3. Change directory (cd) to <server_root>\isw-<hostname> and then use the Identity Synchronization for Windows 1.0 uninstallation program to uninstall the version 1.0/1.0 SP1 Connectors and Core components.

    4. Note

    You must always uninstall Connectors before uninstalling
    Core components.

    • On Solaris or SPARC: Type ./runUninstaller.sh
    • On Windows: Type \runUninstaller.bat
  4. Use the following steps to remove Identity Synchronization for Windows-related entries from the product registry file:
    1. Back-up a copy of the file (located at):
      • On Solaris: /var/sadm/install/productregistry
      • On Windows: C:\WINNT\System32\productregistry
    2. To remove the Identity Synchronization for Windows-related entries from the product registry file, follow the instructions provided in Step 6 of the Manually Uninstalling 1.0 Core and Instances from Solaris.
  5. On Windows only — After uninstalling Core, restart your machine.

    6. Note

    If the uninstall fails for any reason, you may have to manually uninstall the Identity Synchronization for Windows components. Instructions are provided in What to Do if the 1.0 Uninstallation Fails.

  6. On Windows only — Verify that Identity Synchronization for Windows is not running. If necessary, you can stop the service from the command line by typing

    7. net stop “Sun ONE Identity Synchronization for Windows”

    If this service continues running after uninstallation is completed, it causes a sharing violation that will prevent you from deleting the instance directory.

  7. Remove the Identity Synchronization for Windows instance directory (isw-<hostname>).

Installing or Upgrading the Dependent Products

Use the following steps to upgrade the Java Runtime Environment, install Message Queue, and upgrade Directory Server:

  1. Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed. (The minimum required version is 1.4.2_04.)
  2. Install Message Queue 3.5 SP1 using instructions provided in the Sun Java System Message Queue 3.5 SP1 Installation Guide.
  3. Upgrade Directory Server to version 5.2 SP2 using instructions provided in the Sun Java System Directory Server 5 2004Q2 Installation and Migration Guide, which is available from the following location:

    4. http://docs.sun.com/db/coll/DirectoryServer_04q2

    The Directory Server upgrade will preserve your current Directory Server configuration and database.

Installing Identity Synchronization for Windows 1 2004Q3

Use the following steps to install the Identity Synchronization for Windows 1 2004Q3 components:

  1. Install Identity Synchronization for Windows 1 2004Q3 Core. (see Installing Core)
  2. Execute idsync prepds against Directory Server as follows to update the schema.
  3. Import your version 1.0 configuration XML file by typing

    4. idsync importcnf <arguments>

    Note

    If the program detects errors in your input configuration file, an error will result. Identity Synchronization for Windows will abort the importcnf process and provide necessary information to correct the mistakes.

    For more information about using idsync importcnf, see Using importcnf in Appendix A.

  4. Install the Identity Synchronization for Windows 1 2004Q3 Connectors (see Installing Connectors).
  5. Install Identity Synchronization for Windows 1 2004Q3 Directory Server Plugin (Installing Directory Server Plugins).
  6. Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services.
  7. On Windows NT only — Stop the Sun Java™ System NT Change Detector service. You can stop the service from the command line by typing

    8. net stop “Sun Java(TM) System NT Change Detector”

  8. On Windows NT only — Restore the NT ChangeDetector Service counters:
    1. Open the Registry Editor by executing regedt32.exe.
    2. Select the HKEY_LOCAL_MACHINE window.
    3. Navigate to the SOFTWARE\Sun Microsystems\Sun Java(TM) System Identity Synchronization for Windows\1.1 node.
    4. Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.0):
      • HighestChangeNumber
      • LastProcessedSecLogRecordNumber
      • LastProcessedSecLogTimeStamp
      • QueueSize
  9. On Windows NT only — Start the Sun Java™ System NT Change Detector service. You can start the service from the command line by typing

    10. net start “Sun Java(TM) System NT Change Detector”

  10. Remove the 1 2004Q3 persist and etc directories (and all their contents) from the instance directory and restore the version 1.0 (or 1.0 SP1) persist and etc directories you backed up in Preparing for Migration.
    • On Solaris: Type

      • cd /var/opt/SUNWisw
      rm -rf etc persist
      tar xf /var/tmp/connector-state.tar

    • On Windows: Type

      • cd <serverroot>\isw-<hostname>
      rd /s etc persist
      %JAVA_HOME%\bin\jar -xf %TEMP%\connector-state.jar
      (or use any zip archive program for Windows, such as WinZip)

  11. Start Identity Synchronization for Windows service (see (more...) ).
  12. Start synchronization as described in Starting and Stopping Synchronization.
  13. Check the central audit log to verify there are no warning messages.

    14. Note

    If you customized your version 1.0 log settings, you must manually apply those customizations to your version 1 2004Q3 installation.
    Use the Identity Synchronization for Windows Console to configure your version 1 2004Q3 log settings.

What to Do if the 1.0 Uninstallation Fails

If the version 1 2004Q3 installation program finds remnants of the version 1.0 system, then the 1 2004Q3 installation will fail. Consequently, you should verify that all of the 1.0 components are completely removed from the system prior to installing version 1 2004Q3.

If the uninstallation program does not uninstall all of the version 1.0/1.0 SP1 components, you must manually clean up the Identity Synchronization for Windows product registry and Solaris packages.

Detailed instructions for uninstalling Identity Synchronization for Windows version 1.0 manually are provided in the following three sections:

Note

The instructions provided in this section are for uninstalling Identity Synchronization for Windows version 1.0 only.

Do not use the manual uninstallation procedures provided in the following sections unless the Identity Synchronization for Windows uninstallation program fails.

Manually Uninstalling 1.0 Core and Instances from Solaris

Use the instructions provided in this section to manually uninstall Core from a Solaris machine.

Note

In this section, Identity Synchronization for Windows locations are described in the following manner:

<serverroot>/isw-<hostname>

Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location.

For example, if you installed Identity Synchronization for Windows in /var/Sun/mps/isw-<example>, the <serverroot> would be /var/Sun/mps.

  1. Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window.

    2. If the preceding command does not stop all of the Java processes, type the following:

    /usr/ucb/ps -gauxwww | grep java

    kill -s SIGTERM <process IDs from preceding command>

  2. Stop Message Queue as follows:
    1. At the prompt, type the following command to stop the Message Queue broker:

      2. /etc/init.d/imq stop

    2. To stop any remaining imq processes, type:

      3. * ps -ef | grep imqbroker

      * kill -s SIGTERM <process IDs from preceding command>

    3. Use one of the following methods to uninstall the broker packages and directories:
      • Use the Message Queue broker uninstall script (located in the Identity Synchronization for Windows instance directory on the host where you installed Core) to uninstall the broker. Type the following:

        • /<serverroot>/isw-<hostname>/imq_uninstall

      • Manually uninstall the packages and directories as follows:

        • Use the pkgrm: command to remove these packages:

        SUNWaclg

        SUNWiqum

        SUNWiqjx

        SUNWiqlen

        SUNWxsrt

        SUNWiqu

        SUNWjaf

        SUNWiqfs

        SUNWjhrt

        SUNWiqdoc

        SUNWiquc

        SUNWiqsup

        SUNWiqr

        SUNWjmail

         

        Use the rm -rf command to remove these directories:

        rm -rf /etc/imq

        rm -rf /var/imq

        rm -rf /usr/bin/imq*

  3. To remove the Identity Synchronization for Windows 1.0 Solaris packages,
    run pkgrm <packageName> for each of the packages listed in Table 7-1.
    (For example, pkgrm SUNWidscm SUNWidscn SUNWidscr SUNWidsct SUNWidsoc)

    4. Table 7-1  Solaris Packages to Remove

    Package Name

    Description

    SUNWidscm

    Sun ONE Directory Server Identity Synchronization package for
    Core components and Connectors.

    SUNWidscn

    Sun ONE Directory Server Identity Synchronization package for
    Console help files.

    SUNWidscr

    Sun ONE Directory Server Identity Synchronization package for
    Core Components.

    SUNWidsct

    Sun ONE Directory Server Identity Synchronization package for Connectors.

    SUNWidsoc

    Sun ONE Directory Server Identity Synchronization package for
    Object Cache.

    To verify that all of the packages were removed, type the following:

    pkginfo | grep -i "Identity Synchronization"

    Note

    Run the pkgrm <packageName> command again if there are still existing packages due to dependencies.

  4. Remove Director Server Plugin as follows:
    1. Open the Directory Server Console and select the Configuration tab.
    2. In the left pane, expand the Plugins node and select the pswsync node.
    3. In the right pane, uncheck the Enable plug-in check box.
    4. Click Save to save your changes.
    5. From the Directory Server Console, locate and remove the following entry from the Configuration Directory:

      6. cn=pswsync,cn=plugins,cn=config

    6. Stop Directory Server.
    7. To remove the Plugin binary, type

      8. rm -f /<serverroot>/lib/psw-plugin.so

    8. Restart Directory Server.
  5. Back-up (copy and rename) the current productregistry file located in /var/sadm/install/productregistry.
  6. Manually edit the productregistry file in /var/sadm/install/ to remove the following entries (if present):

    7. Note

    • For best results, use an XML editor. Alternatively, you can use a standard text editor.
    • Some of the following components may not be included in your file.
    • You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example on (more...) .)

    • <compid>Identity Synchronization for Windows . . . </compid>
    • <compid>Core . . . </compid>
    • <compid>unistaller . . . </compid>
    • <compid>wpsyncwatchdog . . . </compid>
    • <compid>setenv . . . </compid>
    • <compid>Create DIT . . . </compid>
    • <compid>Extend Schema . . . </compid>
    • <compid>resources . . . </compid>
    • <compid>CoreComponents . . . </compid>
    • <compid>Connector . . . </compid>
    • <compid>DSConnector . . . </compid>
    • <compid>Directory Server Plugin . . . </compid>
    • <compid>DSSubcomponents . . . </compid>
    • <compid>ObjectCache . . . </compid>
    • <compid>ObjectCacheDLLs . . . </compid>
    • <compid>SUNWidscr . . . </compid>
    • <compid>SUNWidscm . . . </compid>
    • <compid>SUNWidsct . . . </compid>
    • <compid>SUNWidscn . . . </compid>
    • <compid>SUNWidsoc . . . </compid>
    • <compid>ADConnector . . . </compid>

      • The following is a example <compid> tag. Remove <compid>, </compid>, and all text and tags in-between.

      <compid>Identity Synchronization for Windows

      <compversion>1.0

      <uniquename>Identity Synchronization for Windows</uniquename>

      <compinstance>1

      <children>

      <compref>ADConnector

      <instance>1

      <version>1.0</version>

      </instance>

      </compref>

      <compref>DSSubcomponents

      . . .

      </compinstance>

      </compversion>

      </compid>

  7. Remove the following Identity Synchronization for Windows directories and files:
    1. From the installation location, type

      2. rm -rf /<serverroot>/isw-<hostname>

    2. Remove the bootstrap files by typing

      rm -rf /etc/init.d/isw

  8. Clean up the configuration directory as follows:
    1. Run the following ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree:

      2. ldapsearch -D "cn=directory manager" -w <my_password> -b o=netscaperoot "(nsnickname=isw)" dn

      Note

      ldapsearch is located in Directory Server’s <serverroot>/shared/bin/ldapsearch
      For example, /var/Sun/mps/shared/bin/ldapsearch

      The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):

      "cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"

    2. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all subtrees below it.
  9. Clean up the Identity Synchronization for Windows configuration registry as follows:
    1. Run the following ldapsearch command to locate the Identity Synchronization for Windows configuration registry in Directory Server:

      2. ldapsearch -D "cn=directory manager" -w <my_password> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn

      The resulting entry should be similar to the following:

      "ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"

    2. Use the Directory Server Console to remove the Identity Synchronization for Windows configuration registry and all subtrees below it.
  10. Clean up all other Console-related files as follows:
    1. Remove all Console jar files by typing:

      2. rm -rf <serverroot>/java/jars/isw*
      For example, /var/Sun/mps/java/jars/isw*

    2. Remove all Console servlet jar files by typing:

      3. rm -rf <serverroot>/bin/isw/
      For example, /var/Sun/mps/bin/isw/

Manually Uninstalling 1.0 Core and Instances from Windows 2000

Use the instructions provided in this section to manually uninstall Core from a Windows 2000 machine.

Note

In this section, Identity Synchronization for Windows locations are described in the following manner:

<serverroot>\isw-<hostname>

Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location.

For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the <serverroot> would be C:\Program Files\Sun\mps.

  1. Stop all Identity Synchronization for Windows Java processes using one of the following methods:
    • Select Start > Settings > Control Panel > Administrative Tools > Services to open the Services window. In the right pane, right-click on Sun ONE Identity Synchronization for Windows and select Stop.
    • Open a Command Prompt window and type the following command:

      • net stop “Sun ONE Identity Synchronization for Windows

    • If the preceding methods do not work, you can use the following steps to stop the Java processes manually:
      1. Open the Services window, right-click on Sun ONE Identity Synchronization for Windows, and select Properties.
      2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

        3. Note

        Although you can view Java processes (such as pswwatchdog.exe) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.

  2. Stop the Message Queue (for a Core uninstallation only) using one of the following methods:
    • In the Services window, right-click on iMQ Broker in the right pane and select Stop.
    • Open a Command Prompt window and type the following command:

      • net stop “iMQ Broker”

    • If the preceding methods do not work, you can use the following steps to stop Message Queue manually:
      1. Open the Services window, right-click on iMQ Broker and select Properties.
      2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.
  3. Remove the Directory Server Plugin as follows:
    1. Open the Directory Server Console and select the Configuration tab.
    2. In the left pane, expand the Plugins node and select the pswsync node.
    3. In the right pane, uncheck the Enable plug-in check box.
    4. Click Save to save your changes.
    5. From the Console, locate and remove the following entry from the Configuration Directory:

      6. cn=pswsync,cn=plugins,cn=config

    6. Stop Directory Server, using one of the following methods:
      • In the Services window, right-click on Sun ONE Directory Server 5.2 in the right pane and select Stop.
      • Open a Command Prompt window and type the following command:

        • net stop slapd-<myhostname>

    7. Open the Windows Explorer to locate and remove the Plugin binary:

      8. <serverroot>\lib\psw-plugin.so

    8. Restart Directory Server.
  4. Open a Command Prompt window and type regedit to open the Registry Editor window.

    5. Important – Back up your current registry file before proceeding to Step 5.

    1. In the Registry Editor, select the top node (My Computer) in the left pane.
    2. Select Registry > Export Registry File from the menu bar.
    3. When the Export Registry File dialog box is displayed, specify a name for the file and select a location in which to save the backup registry.
  5. In the Registry Editor, select Edit > Delete from the menu bar and remove the following Identity Synchronization for Windows keys from the Windows Registry:
    • All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Uninstall\Identity Synchronization for Windows
    • All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist):
      • ...\Control\Session Manager\Environment\<isw-installation directory>
      • ...\Services\Eventlog\Application\Sun ONE Identity Synchronization for Windows
      • ...\Services\Sun ONE Identity Synchronization for Windows
      • ...\Services\iMQBroker
  6. Back-up (copy and rename) the current productregistry file located in C:\WINNT\system32.
  7. Edit the C:\WINNT\system32 \productregistry file to remove the following tags:

    8. Note

    • For best results, use an XML editor. Alternatively, you can use a standard text editor.
    • Some of the following components may not be included in your file.
    • You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example (more...) .)

    • <compid>Identity Synchronization for Windows . . . </compid>
    • <compid>Core . . . </compid>
    • <compid>unistaller . . . </compid>
    • <compid>wpsyncwatchdog . . . </compid>
    • <compid>setenv . . . </compid>
    • <compid>Create DIT . . . </compid>
    • <compid>Extend Schema . . . </compid>
    • <compid>resources . . . </compid>
    • <compid>CoreComponents . . . </compid>
    • <compid>Connector . . . </compid>
    • <compid>DSConnector . . . </compid>
    • <compid>Directory Server Plugin . . . </compid>
    • <compid>DSSubcomponents . . . </compid>
    • <compid>ObjectCache . . . </compid>
    • <compid>ObjectCacheDLLs . . . </compid>
    • <compid>ADConnector . . . </compid>

      • The following is a <compid> tag sample. Remove <compid>, </compid>, and all text and tags in-between.

      <compid>Identity Synchronization for Windows

      <compversion>1.0

      <uniquename>Identity Synchronization for Windows</uniquename>

      <compinstance>1

      <children>

      <compref>ADConnector

      <instance>1

      <version>1.0</version>

      </instance>

      </compref>

      <compref>DSSubcomponents

      . . .

      </compinstance>

      </compversion>

      </compid>

  8. Remove the Identity Synchronization for Windows installation folder located at <serverroot>\isw-<hostname>.

    9. For example, C:\Program Files\Sun\mps\isw-example

  9. Clean up the configuration directory as follows:
    1. From a Command Prompt window, run the ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree.

      2. Note

      ldapsearch is located in <serverroot>\shared\bin\ldapsearch.

      For example,
      C:\Program Files\Sun\mps\shared\bin\ldapsearch

      ldapsearch -D "cn=directory manager" -w <my_password> -b o=netscaperoot "(nsnickname=isw)" dn

      The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):

      "cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"

    2. Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree you found and all subtrees below it.
  10. Clean up the Identity Synchronization for Windows configuration directory (also know as the configuration registry) as follows:
    1. From a Command Prompt window, run the following ldapsearch command to locate the Identity Synchronization for Windows configuration directory in Directory Server:

      2. ldapsearch -D "cn=directory manager" -w <my_password> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn

      The resulting entry should be similar to the following:

      "ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"

    2. Use the Directory Server Console to remove the configuration directory subtree you found, including all subtrees below it.
  11. Clean up all other Console-related files as follows:
    1. Remove all Console jar files located in <serverroot>\java\jars\isw*
      For example, C:\Program Files\Sun\mps\java\jars\isw*
    2. Remove all Console servlet jar files located in \<directory_server_install_root>\bin\isw\
      For example, C:\SunOne\Servers\bin\isw\
  12. Restart your machine for all changes to take effect.

Manually Uninstalling a 1.0 Instance from Windows NT

Use the instructions provided in this section to manually uninstall an instance from a Windows NT machine.

Note

In this section, Identity Synchronization for Windows locations are described in the following manner:

<serverroot>\isw-<hostname>

Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in
C:\Program Files\Sun\mps\isw-example, the <serverroot> would be C:\Program Files\Sun\mps.

  1. Stop all Identity Synchronization for Windows Java processes (Core and instance installations) using one of the following methods:
    • Select Start > Settings > Control Panel > Administrative Tools > Services to open the Services window. In the right pane, right-click on Sun ONE Identity Synchronization for Windows and select Stop.
    • Open a Command Prompt window and type the following command:

      • net stop “Sun ONE Identity Synchronization for Windows

    • If the preceding methods do not work, use the following steps to stop the Java processes manually:
      1. Open the Services window, right-click on Sun ONE Identity Synchronization for Windows, and select Properties.
      2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.

        3. Note

        Although you can view Java processes (such as pswwatchdog.exe) from the Windows Task Manager, you cannot determine which processes are specifically related to Identity Synchronization for Windows. For this reason, do not stop processes from the Windows Task Manager.

  2. Stop the Change Detector service using one of the following methods:
    • In the Services window, right-click on Sun ONE NT Change Detector Service in the right pane and select Stop.
    • Open a Command Prompt window and type the following command:

      • net stop “Sun ONE NT Change Detector Service”

    • If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:
      1. Open the Services window, right-click on Change Detector Service and select Properties.
      2. From the General tab in the Properties window, select Manual from the Startup type drop-down list.
  3. Restart your Windows NT computer.
  4. You must remove Identity Synchronization for Windows registry keys. Open a Command Prompt window and type regedt32 to open the Registry Editor window.

    5. Caution

    Do not use regedit because the program does not allow you to edit multi-value strings.

    Be sure to back up your current Windows registry file before proceeding to Step 5.

    1. In the Registry Editor, select the top node (My Computer) in the left pane.
    2. Select Registry > Export Registry File from the menu bar.
    3. When the Export Registry File dialog box is displayed, specify a name for the file and select a location in which to save the backup registry.
  5. In the Registry Editor, select Edit > Delete from the menu bar and remove the following Identity Synchronization for Windows keys from the Registry:
    • All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
      CurrentVersion\Uninstall\Identity Synchronization for Windows
    • All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist):
      • ...\Control\Session Manager\Environment\<isw-installation directory>
      • ...\Services\Eventlog\Application\Sun ONE Identity Synchronization for Windows
      • ...\Services\Sun ONE Identity Synchronization for Windows
      • ...\Services\iMQBroker
    • The HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\PSW
  6. Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:
    1. Select the registry key entry in the left pane:

      2. HKEY_LOCAL_MACHINE\SYSTEM\\CurrentControlSet\\CONTROL\\LSA

      The registry value type must be REG_MULTI_SZ.

    2. In the right pane, right-click on the Notification Packages value and select Modify.
    3. Change the PASSFLT value to FPNWCLNT.
  7. Back-up (copy and rename) the current productregistry file located in C:\WINNT\system32.
  8. Edit the C:\WINNT\system32 productregistry file to remove the following tags:

    9. Note

    • For best results, use an XML editor. Alternatively, you can use a standard text editor.
    • Some of the following components may not be included in your file.
    • You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example on (more...) .)

    • <compid>Identity Synchronization for Windows . . . </compid>
    • <compid>Core . . . </compid>
    • <compid>uninstaller . . . </compid>
    • <compid>wpsyncwatchdog . . . </compid>
    • <compid>setenv . . . </compid>
    • <compid>Create DIT . . . </compid>
    • <compid>Extend Schema . . . </compid>
    • <compid>resources . . . </compid>
    • <compid>CoreComponents . . . </compid>
    • <compid>Connector . . . </compid>
    • <compid>DSConnector . . . </compid>
    • <compid>Directory Server Plugin . . . </compid>
    • <compid>DSSubcomponents . . . </compid>
    • <compid>ObjectCache . . . </compid>
    • <compid>ObjectCacheDLLs . . . </compid>
    • <compid>ADConnector . . . </compid>

      • The following is a example <compid> tag. Remove <compid>, </compid>, and all text and tags in-between.

      <compid>Identity Synchronization for Windows

      <compversion>1.0

             <uniquename>Identity Synchronization for Windows</uniquename>

      <compinstance>1

      <children>

      <compref>ADConnector

      <instance>1

      <version>1.0</version>

      </instance>

      </compref>

      <compref>DSSubcomponents

      . . .

      </compinstance>

      </compversion>

      </compid>

  9. Remove the Identity Synchronization for Windows installation folder located at <serverroot>\isw-<hostname>.

    10. For example, C:\Program Files\Sun\mps\isw-example

    Note

    You must edit the Windows registry as described in Step 8 before proceeding to Step 10.

  10. Remove the Password Filter DLL.

    11. Locate the passflt.dll file in the C:\winnt\system32 folder, and rename the file to passflt.dll.old.

  11. Restart your machine for all changes to take effect.

Other Migration Scenarios

Because other deployment topologies are possible, your migration process may differ somewhat from the process described for a single-host deployment.

This section describes two alternative deployment scenarios and explains how to migrate each case. The sample deployment scenarios include:

Multimaster Replication Deployment

In a multimaster replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.

Table 7-2 illustrates how the Identity Synchronization for Windows components are distributed between the two hosts.

Table 7-2  Component Distribution in a Multimaster Replication Deployment

Host 1

Host 2

Directory Server (one instance) as the secondary master for synchronized users

Directory Server (one instance) as the preferred master for synchronized users

Core (Message Queue, Central Logger, System Manager, and Console)

Directory Server Plugin

Active Directory Connector

 

Directory Server Connector

 

Directory Server Plugin

 

The migration process keeps on-demand password synchronization running continuously on the preferred master or on the secondary master.

Note

If both hosts are running on a Solaris operating system, then a third host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the third host.)

The following figure illustrates the process for migrating Identity Synchronization for Windows in a MMR deployment:

Figure 7-2  Migrating a Multimaster Replication Deployment

Flow diagram showing steps for upgrading a Multi-Master Replication Deployment.

Continuation of flow diagram showing steps for upgrading a Multi-Master Replication Deployment.

Multi-Host Deployment with Windows NT

Three hosts are used in this deployment scenario:

Table 7-3 illustrates how the Identity Synchronization for Windows components are distributed between the three hosts.

Table 7-3  Multi-Host Deployment

Host 1

Host 2

Host 3

Directory Server with configuration repository

Directory Server for synchronized users

Windows NT Connector

Core (Message Queue, Central Logger, System Manager, and Console)

Directory Server Connector

Windows NT Subcomponents (Password Filter DLL and Change Detector Service)

Active Directory Connector

Directory Server Plugin

 

As in the previous scenario, Hosts 1 and 2 are running on the same operating system.

Note

If both hosts are running a Solaris operating system, then a fourth host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the fourth host.)

Figure 7-3 illustrates the process for migrating Identity Synchronization for Windows for a multi-host deployment:

Figure 7-3  Migrating a Multi-Host Deployment with Windows NT

Flow diagram showing steps for upgrading a mult-host deployment with Windows NT.

Flow diagram showing steps for upgrading a mult-host deployment with Windows NT.

Checking the Logs

After migrating to version 1 2004Q3, check the central audit log for messages indicating a problem — especially for Directory Server users whose password changes may have been missed during the migration process, which would result in a message similar to the following:

[16/Apr/2004:14:23:41.029 -0500] WARNING 14 CNN101

ds-connector-host.example.com "Unable to obtain password of user cn=JohnSmith,ou=people,dc=example,dc=com, because the password was encoded by a previous installation of Identity Synchronization for Windows Directory Server Plugin. The password of this user cannot be synchronized at this time. Update the password of this user again in the Directory Server."

You will not see this log message until after you start synchronization in Identity Synchronization for Windows 1 2004Q3, which is why checking the logs is the last step of the migration procedure.



Previous      Contents      Index      Next     

Part No: 817-6199-05.   Copyright 2004 Sun Microsystems, Inc. All rights reserved.