This section summarizes the configuration tasks based on the main requirements of Example Bank.
Configuring Identity Synchronization for Windows to support multiple domains involves the following:
Setting up destinationindicator <-> activedirectorydomainname <-> user_nt_domain_name as a synchronized attribute
Using destinationindicator in the SUL filters so that entries modified in Directory Server can be located in the correct Active Directory domain
When linking users by using the idsync resync command, specifying allowLinkingOutOfScope="true" in the input file.
Do not specify the -k option, because the destinationindicator attribute must be primed during the resync.
Configuring Identity Synchronization for Windows to support PAM LDAP involves the following:
Adding shadowAccount as an auxiliary object class for Directory Server
Adding the creation attribute default values for various shadowAccount attributes
For information about the prerequisites and how to conform to PAM LDAP on the Solaris OS, see Appendix A, Pluggable Authentication Modules.
Identity Synchronization for Windows has limited support for WAN deployments and can be synchronized with the Directory Server or Active Directory domain controllers that are only available over the WAN. However, the Identity Synchronization for Windows Core and all the connectors must be installed on the same LAN.
The setup in this scenario was achieved by installing the following:
Identity Synchronization for Windows Core.
Directory Server Connector.
Active Directory Connector on the same machine where Identity Synchronization for Windows Core and Directory Server Connector are installed.
Windows NT Connector on a machine in the same LAN.
In this case study, the Active Directory Connector communicates across the WAN with the Active Directory domain controller on the west coast. A domain controller is available on the east coast, but because it is not the PDC FSMO role owner, synchronization would be significantly delayed if it were selected.
When the Directory Server domain controller and the Active Directory domain controller are separated by a WAN, you can install Identity Synchronization for Windows in one of the following locations:
On the same LAN as Directory Server
On the same LAN as Active Directory
Somewhere in between
In general, the best performance is achieved when Identity Synchronization for Windows is installed on the same LAN as Directory Server.
Identity Synchronization for Windows has been tested in a variety of WAN environments, but it requires at least a T1 (1.44 Mb/sec) link and a round-trip latency of no more than 300 milliseconds.