Sun Java System Identity Synchronization for Windows 1 2004Q3 Installation and Configuration Guide |
Chapter 7
Migrating to Identity Synchronization for Windows 1 2004Q3This chapter explains how to migrate your system from Sun Java System Identity Synchronization for Windows version 1.0 to version 1 2004Q3.
The information is organized into the following sections:
OverviewMigration from Identity Synchronization for Windows version 1.0 (or version 1.0 SP1) to 1 2004Q3 is accomplished in several major phases:
- Preparing your Identity Synchronization for Windows version 1.0 (or 1.0 SP1) installation for Migration.
- Uninstalling Identity Synchronization for Windows version 1.0 (or 1.0 SP1).
- Installing or upgrading dependent products.
- Installing Identity Synchronization for Windows 1 2004Q3 using the configuration and connector states you backed-up.
Before You MigrateBefore you start the migration process,
- Familiarize yourself with the new features and functionality provided in Sun Java System Identity Synchronization for Windows version 1 2004Q3.
- Read Chapter 2, "Preparing for Installation" for installation and configuration information you can use to plan your migration process.
- Document your version 1.0 deployment and configuration.
Be sure to note any customizations you have made to the configuration.- Schedule migration.
Because the migration process requires at least four hours, you may want to schedule migration after normal business hours.
If users input password or attribute changes while you are migrating the system from version 1.0 to 1 2004Q3, Identity Synchronization for Windows will process these changes as follows:
- For Active Directory: Any password changes made on Active Directory during the migration process will be synchronized on-demand by the Directory Server Plugin after completing the migration process.
- For Directory Server: Any password changes made on Directory Server during migration will not be synchronized. However, you will be able to identify affected users in the Identity Synchronization for Windows 1 2004Q3 logs after completing the migration process. (See Checking the Logs.)
- For Windows NT: Any password changes made on NT during the migration process will not be synchronized.
However, if you use the forcepwchg utility, you can identify affected users and force them to change passwords again. (See Forcing Password Changes on Windows NT and Checking the Logs for more information.)
- All other attribute changes made during migration (at any directory source) will be synchronized after you complete the migration process.
Preparing for MigrationYou will use one or more the following utilities to migrate from version 1.0 to version 1 2004Q3:
- export10cnf: A stand-alone utility that enables you to create an export configuration file from your Identity Synchronization for Windows 1.0 configuration. (See Exporting Your Version 1.0 Configuration for detailed information.)
Updates can remain in Message Queue after you stop 1.0 synchronization. You must verify that no updates exist in the Message Queue before you proceed with the migration. (See Checking for Undelivered Messages for detailed information.)
- forcepwchg: A Windows NT tool that enables you to identify users who changed passwords during the migration process and force them to change passwords again when your version 1 2004Q3 system is ready. (Password changes made on Windows NT are not captured during the migration process.) (See Forcing Password Changes on Windows NT for detailed information.)
Exporting Your Version 1.0 Configuration
You can use the export10cnf utility to export an existing version 1.0 configuration file to an XML file and then use the idsync importcnf command to quickly and accurately import the file into the 1 2004Q3 system before installing the connectors.
Exporting your version 1.0 configuration provides the following benefits:
- You eliminate most of the initial configuration process to be performed from the management Console.
- You guarantee that the connector IDs assigned in version 1 2004Q3 will match the connector IDs used in version 1.0, which greatly simplifies the task of preserving the existing connector states that can be used directly in your version 1 2004Q3 deployment.
You will find the export10cnf utility in the installation migration directory — no additional installation steps are necessary.
Using the export10cnf Utility
To export an Identity Synchronization for Windows configuration to an XML file, execute export10cnf from the migration directory as follows:
The export10cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities (see Common Arguments). The only export10cnf specific option is -f <filename>. If the operation is successful, then the utility will export the current configuration into the file specified in the argument of the -f option.
Inserting Clear-Text Passwords
The export10cnf utility does not export clear-text passwords from version 1.0 configurations (for security reasons). Instead, the utility inserts empty strings in cleartextPassword fields where appropriate. For example,
<Credentials
userName="cn=iswservice,cn=users,dc=example,dc=com"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
You must enter a password manually — between the double quotes — for each and every cleartextPassword field in the exported configuration file before you can import the file into Identity Synchronization for Windows 1 2004Q3. (importcnf validation prevents you from importing a configuration file with empty password values.)
For example,
<Credentials
userName="cn=iswservice,cn=users,dc=example,dc=com"
cleartextPassword="mySecretPassword"/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE
FIELD -->
Sample Export Configuration File
Code Example 7-1 contains a sample exported configuration file.
In this file,
- ad-host.example.com refers to the Active Directory domain controller.
- ds-host.example.com refers to the host running the Sun Java System Directory Server.
Code Example 7-1 Sample Export Configuration File
<SyncScopeDefinitionSet
index="0"
location="cn=users,dc=example,dc=com"
filter=""
creationExpression="cn=%cn%,cn=users,dc=example,dc=com"
sulid="SUL"/>
</ActiveDirectorySource>
<ActiveDirectoryGlobals
flowInboundCreates="true"
flowInboundModifies="true"
flowOutboundCreates="true"
flowOutboundModifies="true">
<AttributeDescription
parent.attr="CreationAttribute"
name="samaccountname"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeMap>
<AttributeDescription
parent.attr="WindowsAttribute"
name="samaccountname"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="SunAttribute"
name="uid"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
</AttributeMap>
<AttributeDescription
parent.attr="SignificantAttribute"
name="description"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeMap>
<AttributeDescription
parent.attr="SunAttribute"
name="sn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="WindowsAttribute"
name="sn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
</AttributeMap>
<SynchronizationHost
hostOrderOfSignificance="1"
hostname="ad-host.example.com"
port="389"
portSSLOption="true"
securePort="636">
<Credentials
userName="cn=iswservice,cn=users,dc=example,dc=com"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
</SynchronizationHost>
<AttributeDescription
parent.attr="CreationAttribute"
name="cn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<TopologyHost
parent.attr="SchemaLocation"
hostname="ad-host.example.com"
port="3268"
portSSLOption="true"
securePort="3269">
<Credentials
parent.attr="Credentials"
userName="cn=iswservice,cn=users,dc=example,dc=com"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
</TopologyHost>
<TopologyHost
parent.attr="HostsTopologyConfiguration"
hostname="ad-host.example.com"
port="3268"
portSSLOption="true"
securePort="3269">
<Credentials
parent.attr="Credentials"
userName="cn=iswservice,cn=users,dc=example,dc=com"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
</TopologyHost>
<AttributeMap>
<AttributeDescription
parent.attr="SunAttribute"
name="cn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="WindowsAttribute"
name="cn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
</AttributeMap>
<AttributeMap>
<AttributeDescription
parent.attr="SunAttribute"
name="description"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="WindowsAttribute"
name="description"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
</AttributeMap>
</ActiveDirectoryGlobals>
<SunDirectoryGlobals
userObjectClass="inetorgperson"
flowInboundCreates="true"
flowInboundModifies="true"
flowOutboundCreates="true"
flowOutboundModifies="true">
<TopologyHost
parent.attr="SchemaLocation"
hostname="ds-host.example.com"
port="389"
portSSLOption="false"
securePort="636">
<Credentials
parent.attr="Credentials"
userName="cn=directory manager"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
</TopologyHost>
<TopologyHost
parent.attr="HostsTopologyConfiguration"
hostname="ds-host.example.com"
port="389"
portSSLOption="false"
securePort="636"><Credentials
parent.attr="Credentials"
userName="cn=directory manager"
cleartextPassword=""/>
<!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
</TopologyHost>
<AttributeDescription
parent.attr="SignificantAttribute"
name="description"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="CreationAttribute"
name="sn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
<AttributeDescription
parent.attr="CreationAttribute"
name="cn"
syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
</SunDirectoryGlobals>
</ActiveConfiguration>
At the completion of configuration export, export10cnf will report the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.
Checking for Undelivered Messages
The Identity Synchronization for Windows 1.0 to 1 2004Q3 migration process minimizes system downtime by preserving the connectors’ states in your existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue — so you will not know whether the message was actually delivered and applied to the destination connector.
This behavior does not cause problems as long as the Message Queue remains the same; however, you will lose any messages on the Message Queue during the migration process (when you install Message Queue 3.5 SP1).
You must verify that synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all synchronization topics are empty (and the system is quiescent).
Using the checktopics Utility
The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 1 2004Q3 package.
Note
The only prerequisite for running checktopics is a suitable Java Virtual Machine (version 1.4.2_04 or later).
When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries the Message Queue to see how many outstanding messages remain on each active synchronization topic and then displays this information for you.
To execute the checktopics command line utility:
- Open a Terminal window and cd to the migration directory.
- From a command prompt, type the subcommand as follows:
java -jar checktopics.jar -h <hostname> -p <port> -D <bind_DN> -w <bind_password> -s <root_suffix> -q <configuration_password> -Z
For example,
java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q -
Note
- For detailed information about the checktopics arguments, review Common Arguments.
- For more information about using checktopics, see Checking for Undelivered Messages.
After running checktopics, check your terminal for messages:
Clearing Messages
If any of the active synchronization topics have outstanding messages, you can use the following procedure to clear the messages:
Forcing Password Changes on Windows NT
On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, there is no way to determine new password values after the migration is complete.
Instead of requiring all users to change passwords when you finish migrating to 1 2004Q3, you can use the forcepwchg command line utility to require a password change for all users who changed passwords during the migration process.
You will find the forcepwchg utility in the Windows migration directory. You execute forcepwchg directly from that directory — no additional installation steps are necessary.
You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed — you cannot run forcepwchg remotely.
The forcepwchg utility also prints out the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, the error happened while migrating the user account that printed out last.
Migrating Your SystemThis section provides instructions for migrating a single-host deployment to version 1 2004Q3. In a single-host deployment, all Identity Synchronization for Windows components are installed on a single host (Windows 2000 Server, Solaris version 8 or 9, or SPARC), as follows:
The following figure illustrates the migration process and may serve as a checklist to supplement the migration instructions that follow.
Figure 7-1 Migrating a Single-Host Deployment
Preparing for Migration
Use the following procedure to prepare to migrate from Identity Synchronization for Windows version 1.0 to version 1 2004Q3:
- From a command prompt:
- On Solaris or SPARC: Type uncompress -c <filename> | tar xf -
- On Windows: Type %JAVA_HOME%\bin\jar -xf <filename>
(or use any zip archive program for Windows, such as WinZip®).After the binaries are unpacked, you will see the following subdirectories containing the necessary migration tools:
- installer/
- lib/
- migration/
- Export your version 1.0 configuration settings to an XML file.
From the migration directory, execute export10cnf as described in Using the export10cnf Utility. For example:java -jar export10cnf.jar -D “cn=directory manager” -w - -s “dc=example,dc=com” -q - -f export.cfg
- Add passwords to the exported XML file.
Enter a password between the double quotes for each cleartextPassword field in the exported configuration file (see Inserting Clear-Text Passwords).
- Stop synchronization as described in Starting and Stopping Synchronization.
- Verify that your system is in a quiescent state. From the migration directory, execute checktopics as described in Using the checktopics Utility.
For example:
java -jar checktopics.jar -D “cn=directory manager” -w - -s “dc=example,dc=com” -q -
- Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services.
- On Windows NT only — Stop the Sun One NT ChangeDetector Service.
You can stop the service from the command line by typingnet stop “Sun One NT ChangeDetector Service”
- On Windows NT only — Save the NT ChangeDetector Service counters as follows:
- Save the connector states by backing up the persist and etc directories from the existing 1.0 installation tree.
- On Solaris: Type cd <serverroot>/isw-<hostname>
tar cf /var/tmp/connector-state.tar persist etc- On Windows: Type cd <serverroot>\isw-<hostname>
zip -r C:\WINNT\Temp\connector-state.zip persist etc
%JAVA_HOME%\bin\jar -cfM %TEMP%\connector-state.jar persist etc
(or use any zip archive program for Windows, such as WinZip)- Start the Identity Synchronization for Windows services (see (more...) ).
Uninstalling Identity Synchronization for Windows
Note
The Identity Synchronization for Windows 1.0 uninstall program will remove the SUNWjss package if it is not registered for use by another application (other than Identity Synchronization for Windows 1.0). In particular, this situation may occur on Solaris machines if you installed a zip version of Directory Server 5.2.2, where the uninstall program removes the jss3.jar file from /usr/share/lib/mps/secv1.
If you encounter this situation as you migrate to Identity Synchronization for Windows 11 2004Q3, the installer will report that a required file is missing, and log the file name to the installation log. When this happens, you must re-install the required patches (see Sun Java System Software Requirements) and restart the installation process.
After completing the preparation steps, you are ready to begin uninstalling Identity Synchronization for Windows version 1.0 (or 1.0 SP1), as follows:
- Uninstall the Directory Server Plugin manually, and restart each Directory Server where the Plugin was installed.
- Execute the following steps on each Directory Server where the Plugin was installed:
- Remove the following entries from the Directory Server:
cn=config,cn=pswsync,cn=plugins,cn=config
cn=pswsync,cn=plugins,cn=configFor example:
ldapdelete -D “cn=directory manager” -w - -p <port> -c
cn=config, cn=pswsync,cn=plugins,cn=config
cn=pswsync,cn=plugins,cn=config- Restart the Directory Server.
- Remove the Plugin binaries from the system.
- Change directory (cd) to <server_root>\isw-<hostname> and then use the Identity Synchronization for Windows 1.0 uninstallation program to uninstall the version 1.0/1.0 SP1 Connectors and Core components.
- Use the following steps to remove Identity Synchronization for Windows-related entries from the product registry file:
- Back-up a copy of the file (located at):
- To remove the Identity Synchronization for Windows-related entries from the product registry file, follow the instructions provided in Step 6 of the Manually Uninstalling 1.0 Core and Instances from Solaris.
- On Windows only — After uninstalling Core, restart your machine.
Note
If the uninstall fails for any reason, you may have to manually uninstall the Identity Synchronization for Windows components. Instructions are provided in What to Do if the 1.0 Uninstallation Fails.
- On Windows only — Verify that Identity Synchronization for Windows is not running. If necessary, you can stop the service from the command line by typing
net stop “Sun ONE Identity Synchronization for Windows”
If this service continues running after uninstallation is completed, it causes a sharing violation that will prevent you from deleting the instance directory.
- Remove the Identity Synchronization for Windows instance directory (isw-<hostname>).
Installing or Upgrading the Dependent Products
Use the following steps to upgrade the Java Runtime Environment, install Message Queue, and upgrade Directory Server:
- Upgrade the Java 2 Runtime Environment (or Java 2 SDK) on each host (except on Windows NT) where Identity Synchronization for Windows components are installed. (The minimum required version is 1.4.2_04.)
- Java 2 SDK: http://java.sun.com/j2se/1.4.2/install.html
- Java 2 Runtime Environment: http://java.sun.com/j2se/1.4.2/jre/install.html
- Install Message Queue 3.5 SP1 using instructions provided in the Sun Java System Message Queue 3.5 SP1 Installation Guide.
- Upgrade Directory Server to version 5.2 SP2 using instructions provided in the Sun Java System Directory Server 5 2004Q2 Installation and Migration Guide, which is available from the following location:
http://docs.sun.com/db/coll/DirectoryServer_04q2
The Directory Server upgrade will preserve your current Directory Server configuration and database.
Installing Identity Synchronization for Windows 1 2004Q3
Use the following steps to install the Identity Synchronization for Windows 1 2004Q3 components:
- Install Identity Synchronization for Windows 1 2004Q3 Core. (see Installing Core)
- Execute idsync prepds against Directory Server as follows to update the schema.
- On Solaris: Type cd /opt/SUNWisw/bin
Then type: idsync prepds <arguments>- On Windows: Type cd \<serverroot>\isw-<hostname>\bin
Then type: idsync prepds <arguments>For more information about idsync prepds, see Appendix A, "Using the Identity Synchronization for Windows Command Line Utilities."
- Import your version 1.0 configuration XML file by typing
idsync importcnf <arguments>
Note
If the program detects errors in your input configuration file, an error will result. Identity Synchronization for Windows will abort the importcnf process and provide necessary information to correct the mistakes.
For more information about using idsync importcnf, see Using importcnf in Appendix A.
- Install the Identity Synchronization for Windows 1 2004Q3 Connectors (see Installing Connectors).
- Install Identity Synchronization for Windows 1 2004Q3 Directory Server Plugin (Installing Directory Server Plugins).
- Stop Identity Synchronization for Windows services (daemons) as described in Starting and Stopping Services.
- On Windows NT only — Stop the Sun Java System NT Change Detector service. You can stop the service from the command line by typing
net stop “Sun Java(TM) System NT Change Detector”
- On Windows NT only — Restore the NT ChangeDetector Service counters:
- Open the Registry Editor by executing regedt32.exe.
- Select the HKEY_LOCAL_MACHINE window.
- Navigate to the SOFTWARE\Sun Microsystems\Sun Java(TM) System Identity Synchronization for Windows\1.1 node.
- Double-click on each of the following entries to restore their values (which you saved prior to uninstalling version 1.0):
- On Windows NT only — Start the Sun Java System NT Change Detector service. You can start the service from the command line by typing
net start “Sun Java(TM) System NT Change Detector”
- Remove the 1 2004Q3 persist and etc directories (and all their contents) from the instance directory and restore the version 1.0 (or 1.0 SP1) persist and etc directories you backed up in Preparing for Migration.
- Start Identity Synchronization for Windows service (see (more...) ).
- Start synchronization as described in Starting and Stopping Synchronization.
- Check the central audit log to verify there are no warning messages.
What to Do if the 1.0 Uninstallation FailsIf the version 1 2004Q3 installation program finds remnants of the version 1.0 system, then the 1 2004Q3 installation will fail. Consequently, you should verify that all of the 1.0 components are completely removed from the system prior to installing version 1 2004Q3.
If the uninstallation program does not uninstall all of the version 1.0/1.0 SP1 components, you must manually clean up the Identity Synchronization for Windows product registry and Solaris packages.
Detailed instructions for uninstalling Identity Synchronization for Windows version 1.0 manually are provided in the following three sections:
Note
The instructions provided in this section are for uninstalling Identity Synchronization for Windows version 1.0 only.
Do not use the manual uninstallation procedures provided in the following sections unless the Identity Synchronization for Windows uninstallation program fails.
Manually Uninstalling 1.0 Core and Instances from Solaris
Use the instructions provided in this section to manually uninstall Core from a Solaris machine.
Note
In this section, Identity Synchronization for Windows locations are described in the following manner:
<serverroot>/isw-<hostname>
Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location.
For example, if you installed Identity Synchronization for Windows in /var/Sun/mps/isw-<example>, the <serverroot> would be /var/Sun/mps.
- Stop all Identity Synchronization for Windows Java processes by typing /etc/init.d/isw stop into a terminal window.
If the preceding command does not stop all of the Java processes, type the following:
/usr/ucb/ps -gauxwww | grep java
kill -s SIGTERM <process IDs from preceding command>
- Stop Message Queue as follows:
- At the prompt, type the following command to stop the Message Queue broker:
/etc/init.d/imq stop
- To stop any remaining imq processes, type:
* ps -ef | grep imqbroker
* kill -s SIGTERM <process IDs from preceding command>
- Use one of the following methods to uninstall the broker packages and directories:
- Use the Message Queue broker uninstall script (located in the Identity Synchronization for Windows instance directory on the host where you installed Core) to uninstall the broker. Type the following:
/<serverroot>/isw-<hostname>/imq_uninstall
- Manually uninstall the packages and directories as follows:
Use the pkgrm: command to remove these packages:
SUNWaclg
SUNWiqum
SUNWiqjx
SUNWiqlen
SUNWxsrt
SUNWiqu
SUNWjaf
SUNWiqfs
SUNWjhrt
SUNWiqdoc
SUNWiquc
SUNWiqsup
SUNWiqr
SUNWjmail
Use the rm -rf command to remove these directories:
- To remove the Identity Synchronization for Windows 1.0 Solaris packages,
run pkgrm <packageName> for each of the packages listed in Table 7-1.
(For example, pkgrm SUNWidscm SUNWidscn SUNWidscr SUNWidsct SUNWidsoc)
Table 7-1 Solaris Packages to Remove
Package Name
Description
SUNWidscm
Sun ONE Directory Server Identity Synchronization package for
Core components and Connectors.SUNWidscn
Sun ONE Directory Server Identity Synchronization package for
Console help files.SUNWidscr
Sun ONE Directory Server Identity Synchronization package for
Core Components.SUNWidsct
Sun ONE Directory Server Identity Synchronization package for Connectors.
SUNWidsoc
Sun ONE Directory Server Identity Synchronization package for
Object Cache.To verify that all of the packages were removed, type the following:
pkginfo | grep -i "Identity Synchronization"
Note
Run the pkgrm <packageName> command again if there are still existing packages due to dependencies.
- Remove Director Server Plugin as follows:
- Open the Directory Server Console and select the Configuration tab.
- In the left pane, expand the Plugins node and select the pswsync node.
- In the right pane, uncheck the Enable plug-in check box.
- Click Save to save your changes.
- From the Directory Server Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
- Stop Directory Server.
- To remove the Plugin binary, type
rm -f /<serverroot>/lib/psw-plugin.so
- Restart Directory Server.
- Back-up (copy and rename) the current productregistry file located in /var/sadm/install/productregistry.
- Manually edit the productregistry file in /var/sadm/install/ to remove the following entries (if present):
Note
- For best results, use an XML editor. Alternatively, you can use a standard text editor.
- Some of the following components may not be included in your file.
- You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example on (more...) .)
- <compid>Identity Synchronization for Windows . . . </compid>
- <compid>Core . . . </compid>
- <compid>unistaller . . . </compid>
- <compid>wpsyncwatchdog . . . </compid>
- <compid>setenv . . . </compid>
- <compid>Create DIT . . . </compid>
- <compid>Extend Schema . . . </compid>
- <compid>resources . . . </compid>
- <compid>CoreComponents . . . </compid>
- <compid>Connector . . . </compid>
- <compid>DSConnector . . . </compid>
- <compid>Directory Server Plugin . . . </compid>
- <compid>DSSubcomponents . . . </compid>
- <compid>ObjectCache . . . </compid>
- <compid>ObjectCacheDLLs . . . </compid>
- <compid>SUNWidscr . . . </compid>
- <compid>SUNWidscm . . . </compid>
- <compid>SUNWidsct . . . </compid>
- <compid>SUNWidscn . . . </compid>
- <compid>SUNWidsoc . . . </compid>
- <compid>ADConnector . . . </compid>
The following is a example <compid> tag. Remove <compid>, </compid>, and all text and tags in-between.
<compid>Identity Synchronization for Windows
<compversion>1.0
<uniquename>Identity Synchronization for Windows</uniquename>
<compinstance>1
<children>
<compref>ADConnector
<instance>1
<version>1.0</version>
</instance>
</compref>
<compref>DSSubcomponents
. . .
</compinstance>
</compversion>
</compid>
- Remove the following Identity Synchronization for Windows directories and files:
- Clean up the configuration directory as follows:
- Run the following ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree:
ldapsearch -D "cn=directory manager" -w <my_password> -b o=netscaperoot "(nsnickname=isw)" dn
Note
ldapsearch is located in Directory Server’s <serverroot>/shared/bin/ldapsearch
For example, /var/Sun/mps/shared/bin/ldapsearch
The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):
"cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"
- Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree and all subtrees below it.
- Clean up the Identity Synchronization for Windows configuration registry as follows:
- Run the following ldapsearch command to locate the Identity Synchronization for Windows configuration registry in Directory Server:
ldapsearch -D "cn=directory manager" -w <my_password> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn
The resulting entry should be similar to the following:
"ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"
- Use the Directory Server Console to remove the Identity Synchronization for Windows configuration registry and all subtrees below it.
- Clean up all other Console-related files as follows:
Manually Uninstalling 1.0 Core and Instances from Windows 2000
Use the instructions provided in this section to manually uninstall Core from a Windows 2000 machine.
Note
In this section, Identity Synchronization for Windows locations are described in the following manner:
<serverroot>\isw-<hostname>
Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location.
For example, if you installed Identity Synchronization for Windows in C:\Program Files\Sun\mps\isw-example, the <serverroot> would be C:\Program Files\Sun\mps.
- Stop all Identity Synchronization for Windows Java processes using one of the following methods:
- Select Start > Settings > Control Panel > Administrative Tools > Services to open the Services window. In the right pane, right-click on Sun ONE Identity Synchronization for Windows and select Stop.
- Open a Command Prompt window and type the following command:
net stop “Sun ONE Identity Synchronization for Windows”
- If the preceding methods do not work, you can use the following steps to stop the Java processes manually:
- Stop the Message Queue (for a Core uninstallation only) using one of the following methods:
- Remove the Directory Server Plugin as follows:
- Open the Directory Server Console and select the Configuration tab.
- In the left pane, expand the Plugins node and select the pswsync node.
- In the right pane, uncheck the Enable plug-in check box.
- Click Save to save your changes.
- From the Console, locate and remove the following entry from the Configuration Directory:
cn=pswsync,cn=plugins,cn=config
- Stop Directory Server, using one of the following methods:
- Open the Windows Explorer to locate and remove the Plugin binary:
<serverroot>\lib\psw-plugin.so
- Restart Directory Server.
- Open a Command Prompt window and type regedit to open the Registry Editor window.
Important – Back up your current registry file before proceeding to Step 5.
- In the Registry Editor, select Edit > Delete from the menu bar and remove the following Identity Synchronization for Windows keys from the Windows Registry:
- All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Uninstall\Identity Synchronization for Windows- All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist):
- Back-up (copy and rename) the current productregistry file located in C:\WINNT\system32.
- Edit the C:\WINNT\system32 \productregistry file to remove the following tags:
Note
- For best results, use an XML editor. Alternatively, you can use a standard text editor.
- Some of the following components may not be included in your file.
- You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example (more...) .)
- <compid>Identity Synchronization for Windows . . . </compid>
- <compid>Core . . . </compid>
- <compid>unistaller . . . </compid>
- <compid>wpsyncwatchdog . . . </compid>
- <compid>setenv . . . </compid>
- <compid>Create DIT . . . </compid>
- <compid>Extend Schema . . . </compid>
- <compid>resources . . . </compid>
- <compid>CoreComponents . . . </compid>
- <compid>Connector . . . </compid>
- <compid>DSConnector . . . </compid>
- <compid>Directory Server Plugin . . . </compid>
- <compid>DSSubcomponents . . . </compid>
- <compid>ObjectCache . . . </compid>
- <compid>ObjectCacheDLLs . . . </compid>
- <compid>ADConnector . . . </compid>
The following is a <compid> tag sample. Remove <compid>, </compid>, and all text and tags in-between.
<compid>Identity Synchronization for Windows
<compversion>1.0
<uniquename>Identity Synchronization for Windows</uniquename>
<compinstance>1
<children>
<compref>ADConnector
<instance>1
<version>1.0</version>
</instance>
</compref>
<compref>DSSubcomponents
. . .
</compinstance>
</compversion>
</compid>
- Remove the Identity Synchronization for Windows installation folder located at <serverroot>\isw-<hostname>.
For example, C:\Program Files\Sun\mps\isw-example
- Clean up the configuration directory as follows:
- From a Command Prompt window, run the ldapsearch command against the configuration directory where Identity Synchronization for Windows Core is installed to locate the Identity Synchronization for Windows Console subtree.
Note
ldapsearch is located in <serverroot>\shared\bin\ldapsearch.
For example,
C:\Program Files\Sun\mps\shared\bin\ldapsearch
ldapsearch -D "cn=directory manager" -w <my_password> -b o=netscaperoot "(nsnickname=isw)" dn
The resulting entry should be similar to the following (note that the entry will always end with o=NetscapeRoot):
"cn=Sun ONE Identity Synchronization for Windows,cn=server group, cn=myhost.mydomain.com,ou=mydomain.com,o=NetscapeRoot"
- Use the Directory Server Console to remove the Identity Synchronization for Windows Console subtree you found and all subtrees below it.
- Clean up the Identity Synchronization for Windows configuration directory (also know as the configuration registry) as follows:
- From a Command Prompt window, run the following ldapsearch command to locate the Identity Synchronization for Windows configuration directory in Directory Server:
ldapsearch -D "cn=directory manager" -w <my_password> -b "dc=my,dc=domain" "(&(objectclass=iplanetservice)(ou=IdentitySynchronization))" dn
The resulting entry should be similar to the following:
"ou=IdentitySynchronization,ou=Services,dc=my,dc=domain"
- Use the Directory Server Console to remove the configuration directory subtree you found, including all subtrees below it.
- Clean up all other Console-related files as follows:
- Restart your machine for all changes to take effect.
Manually Uninstalling a 1.0 Instance from Windows NT
Use the instructions provided in this section to manually uninstall an instance from a Windows NT machine.
Note
In this section, Identity Synchronization for Windows locations are described in the following manner:
<serverroot>\isw-<hostname>
Where <serverroot> represents the parent directory of the Identity Synchronization for Windows installation location. For example, if you installed Identity Synchronization for Windows in
C:\Program Files\Sun\mps\isw-example, the <serverroot> would be C:\Program Files\Sun\mps.
- Stop all Identity Synchronization for Windows Java processes (Core and instance installations) using one of the following methods:
- Select Start > Settings > Control Panel > Administrative Tools > Services to open the Services window. In the right pane, right-click on Sun ONE Identity Synchronization for Windows and select Stop.
- Open a Command Prompt window and type the following command:
net stop “Sun ONE Identity Synchronization for Windows”
- If the preceding methods do not work, use the following steps to stop the Java processes manually:
- Stop the Change Detector service using one of the following methods:
- In the Services window, right-click on Sun ONE NT Change Detector Service in the right pane and select Stop.
- Open a Command Prompt window and type the following command:
net stop “Sun ONE NT Change Detector Service”
- If the preceding methods do not work, use the following steps to stop the Change Detector Service manually:
- Restart your Windows NT computer.
- You must remove Identity Synchronization for Windows registry keys. Open a Command Prompt window and type regedt32 to open the Registry Editor window.
Caution
Do not use regedit because the program does not allow you to edit multi-value strings.
Be sure to back up your current Windows registry file before proceeding to Step 5.
- In the Registry Editor, select Edit > Delete from the menu bar and remove the following Identity Synchronization for Windows keys from the Registry:
- All entries under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\
CurrentVersion\Uninstall\Identity Synchronization for Windows- All CurrentControlSet and ControlSet (such as ControlSet001, ControlSet002, and so forth) entries under HKEY_LOCAL_MACHINE\SYSTEM\*, which includes the following entries (if they exist):
- The HKEY_LOCAL_MACHINE\SOFTWARE\Sun Microsystems\PSW
- Use regedt32 (do not use regedit) to modify (do not delete) the following registry key:
- Back-up (copy and rename) the current productregistry file located in C:\WINNT\system32.
- Edit the C:\WINNT\system32 productregistry file to remove the following tags:
Note
- For best results, use an XML editor. Alternatively, you can use a standard text editor.
- Some of the following components may not be included in your file.
- You must delete the beginning tag (<compid>), ending tag (<\compid>), and all contents in-between both tags). Ellipses are used in the following list to represent any additional text and/or tags that are included as part of these tags. (See the example on (more...) .)
- <compid>Identity Synchronization for Windows . . . </compid>
- <compid>Core . . . </compid>
- <compid>uninstaller . . . </compid>
- <compid>wpsyncwatchdog . . . </compid>
- <compid>setenv . . . </compid>
- <compid>Create DIT . . . </compid>
- <compid>Extend Schema . . . </compid>
- <compid>resources . . . </compid>
- <compid>CoreComponents . . . </compid>
- <compid>Connector . . . </compid>
- <compid>DSConnector . . . </compid>
- <compid>Directory Server Plugin . . . </compid>
- <compid>DSSubcomponents . . . </compid>
- <compid>ObjectCache . . . </compid>
- <compid>ObjectCacheDLLs . . . </compid>
- <compid>ADConnector . . . </compid>
The following is a example <compid> tag. Remove <compid>, </compid>, and all text and tags in-between.
<compid>Identity Synchronization for Windows
<compversion>1.0
<uniquename>Identity Synchronization for Windows</uniquename>
<compinstance>1
<children>
<compref>ADConnector
<instance>1
<version>1.0</version>
</instance>
</compref>
<compref>DSSubcomponents
. . .
</compinstance>
</compversion>
</compid>
- Remove the Identity Synchronization for Windows installation folder located at <serverroot>\isw-<hostname>.
For example, C:\Program Files\Sun\mps\isw-example
- Remove the Password Filter DLL.
Locate the passflt.dll file in the C:\winnt\system32 folder, and rename the file to passflt.dll.old.
- Restart your machine for all changes to take effect.
Other Migration ScenariosBecause other deployment topologies are possible, your migration process may differ somewhat from the process described for a single-host deployment.
This section describes two alternative deployment scenarios and explains how to migrate each case. The sample deployment scenarios include:
Multimaster Replication Deployment
In a multimaster replication (MMR) deployment, two Directory Server instances are installed on different hosts. It is possible to run the hosts on different operating systems, but in this scenario, both hosts are running on the same operating system.
Table 7-2 illustrates how the Identity Synchronization for Windows components are distributed between the two hosts.
Table 7-2 Component Distribution in a Multimaster Replication Deployment
Host 1
Host 2
Directory Server (one instance) as the secondary master for synchronized users
Directory Server (one instance) as the preferred master for synchronized users
Core (Message Queue, Central Logger, System Manager, and Console)
Directory Server Plugin
Active Directory Connector
Directory Server Connector
Directory Server Plugin
The migration process keeps on-demand password synchronization running continuously on the preferred master or on the secondary master.
Note
If both hosts are running on a Solaris operating system, then a third host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the third host.)
The following figure illustrates the process for migrating Identity Synchronization for Windows in a MMR deployment:
Figure 7-2 Migrating a Multimaster Replication Deployment
Multi-Host Deployment with Windows NT
Three hosts are used in this deployment scenario:
Table 7-3 illustrates how the Identity Synchronization for Windows components are distributed between the three hosts.
Table 7-3 Multi-Host Deployment
Host 1
Host 2
Host 3
Directory Server with configuration repository
Directory Server for synchronized users
Windows NT Connector
Core (Message Queue, Central Logger, System Manager, and Console)
Directory Server Connector
Windows NT Subcomponents (Password Filter DLL and Change Detector Service)
Active Directory Connector
Directory Server Plugin
As in the previous scenario, Hosts 1 and 2 are running on the same operating system.
Note
If both hosts are running a Solaris operating system, then a fourth host running Windows 2000 with Active Directory is required for synchronization purposes only. (No components would be installed on the fourth host.)
Figure 7-3 illustrates the process for migrating Identity Synchronization for Windows for a multi-host deployment:
Figure 7-3 Migrating a Multi-Host Deployment with Windows NT
Checking the LogsAfter migrating to version 1 2004Q3, check the central audit log for messages indicating a problem — especially for Directory Server users whose password changes may have been missed during the migration process, which would result in a message similar to the following:
[16/Apr/2004:14:23:41.029 -0500] WARNING 14 CNN101
ds-connector-host.example.com "Unable to obtain password of user cn=JohnSmith,ou=people,dc=example,dc=com, because the password was encoded by a previous installation of Identity Synchronization for Windows Directory Server Plugin. The password of this user cannot be synchronized at this time. Update the password of this user again in the Directory Server."
You will not see this log message until after you start synchronization in Identity Synchronization for Windows 1 2004Q3, which is why checking the logs is the last step of the migration procedure.