Oracle Directory Server Enterprise Edition Upgrade and Migration Guide 11g Release 1 (11.1.1.5.0)

Preparing for Identity Synchronization for Windows Migration

Use one or more of the following utilities to migrate from Identity Synchronization for Windows 1.1 to Identity Synchronization for Windows 6.0 SP1:


Note - These utilities facilitate the migration of Identity Synchronization for Windows version 1.1 to version 6.0 SP1. The migration is performed in the same environment where Identity Synchronization for Windows 1.1 is deployed. Consequently, these utilities are available in the Solaris/SPARC and Windows packages only.

You can find the migration utilities in the installation migration directory. No additional installation steps are required.


Exporting Version 1.1 Configuration

You can use the export11cnf utility to export an existing version 1.1 configuration file to an XML file and then use the idsync importcnf command to import the file into the Identity Synchronization for Windows 6.0 SP1 system before installing the connectors.


Tip - While you can update the 1.1 system configuration manually by using the Identity Synchronization for Windows console, we recommend that you use the export11cnf utility. If you do not use export11cnf, the state of the connectors is not preserved.


Exporting the version 1.1 configuration enables you to:

Using the export11cnf Utility

To export an Identity Synchronization for Windows configuration to an XML file, execute export11cnf from the migration directory as follows:

In a terminal window, type the following:

java -jar export11cnf.jar -h hostname \
-p port -D bind-DN \
-w bind-password -s root-suffix \
-q configuration-password -Z -P cert-db-path \
-m secmod-db-path -f filename

For example,

java -jar export11cnf.jar -D "cn=dirmanager" -w - -q - -s "dc=example,dc=com" -f exported-configuration

The export11cnf utility shares the same common arguments as the Identity Synchronization for Windows command-line utilities. For more information, see Common Arguments to the Idsync Subcommands in Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide. The export11cnf utility exports the current configuration into the file specified in the argument of the -f option.

Inserting Clear-Text Passwords

For security reasons, the export11cnf utility does not export clear-text passwords from version 1.1. Instead, the utility inserts empty strings in cleartextPassword fields wherever applicable. For example,

<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword=""/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->

You must enter a password manually, between double quotes, for every cleartextPassword field in the exported configuration file, before you can import the file into Identity Synchronization for Windows. importcnf validation prevents you from importing a configuration file with empty password values.

For example,

<Credentials
        userName="cn=iswservice,cn=users,dc=example,dc=com"
        cleartextPassword="mySecretPassword"/>
        <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
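
A pre-import check for the exported file, as an added example that is not part of the original guide or of Identity Synchronization for Windows: it lists every Credentials element whose cleartextPassword is still empty (which importcnf validation would reject), reports whether the file, which now holds clear-text passwords, is accessible to group or others, and blanks the passwords again once the import is done. The function names and the sample XML are constructed for illustration.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the exported file shown on this page.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<ActiveConfiguration>
  <ActiveDirectorySource displayName="example.com">
    <SynchronizationHost hostname="ad-host.example.com" port="389">
      <Credentials userName="cn=Administrator,cn=Users,dc=example,dc=com"
                   cleartextPassword=""/>
    </SynchronizationHost>
  </ActiveDirectorySource>
  <SunDirectoryGlobals userObjectClass="inetOrgPerson">
    <TopologyHost hostname="ds-host.example.com" port="389">
      <Credentials userName="cn=directory manager"
                   cleartextPassword="constructed-value"/>
    </TopologyHost>
  </SunDirectoryGlobals>
</ActiveConfiguration>
"""

# Matches the double-quoted attribute form shown on this page.
PASSWORD_ATTR = re.compile(r'(cleartextPassword\s*=\s*)"[^"]*"')


def empty_password_fields(xml_text):
    """List (parent tag, hostname, userName) for every Credentials element
    whose cleartextPassword attribute is present but still empty."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    findings = []
    for parent in root.iter():
        for cred in parent.findall("Credentials"):
            password = cred.get("cleartextPassword")
            if password is not None and not password.strip():
                findings.append(
                    (parent.tag, parent.get("hostname"), cred.get("userName")))
    return findings


def group_or_world_accessible(path):
    """True if the POSIX mode bits grant any access to group or others."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def scrub_passwords(xml_text):
    """Blank every cleartextPassword value again, for use after the import."""
    return PASSWORD_ATTR.sub(r'\1""', xml_text)


if __name__ == "__main__":
    for tag, hostname, user in empty_password_fields(SAMPLE):
        print(f"empty cleartextPassword under <{tag}> {hostname}: {user}")
```

On Windows the mode bits do not reflect ACLs, so the permission check is meaningful on the Solaris side only.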

Sample Export Configuration File

In the following sample exported configuration file,

Example 10-1 Sample Export Configuration File

            <?xml version="1.0" encoding="UTF-8"?>

            <ActiveConfiguration>
                <SunDirectorySource
                       parent.attr="DirectorySource"
                       onDemandSSLOption="true"
                       maxConnections="5"
                       displayName="dc=example,dc=com"
                       resyncInterval="1000">

                <SynchronizationHost
                       hostOrderOfSignificance="1"
                       hostname="ds-host.example.com"
                       port="389"
                       portSSLOption="true"
                       securePort="636">
                    <Credentials
                          userName="uid=PSWConnector,dc=example,dc=com"/>
                </SynchronizationHost>
                <SyncScopeDefinitionSet
                          index="0"
                          location="ou=people,dc=example,dc=com"
                          filter=""
                          creationExpression="uid=%uid%,ou=people,dc=example,dc=com"
                            sulid="SUL1"/>
              </SunDirectorySource>


              <ActiveDirectorySource
                    parent.attr="DirectorySource"
                    displayName="example.com"
                    resyncInterval="1000">
                <SynchronizationHost
                        hostOrderOfSignificance="1"
                        hostname="ad-host.example.com"
                        port="389"
                        portSSLOption="true"
                        securePort="636">
                   <Credentials 
                      userName="cn=Administrator,cn=Users,dc=metaqa,dc=com"
                      cleartextPassword=""/>
                      <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
                </SynchronizationHost>
                <SyncScopeDefinitionSet
                       index="0"
                       location="cn=users,dc=example,dc=com"
                       filter=""
                       creationExpression="cn=%cn%,cn=users,dc=example,dc=com"
                       sulid="SUL1"/>
              </ActiveDirectorySource>


              <ActiveDirectoryGlobals
                   flowInboundCreates="true"
                   flowInboundModifies="true"
                   flowOutboundCreates="true"
                   flowOutboundModifies="true">
                <TopologyHost
                       parent.attr="SchemaLocation"
                       hostname="ad-host.example.com"
                       port="3268"
                       portSSLOption="true"
                       securePort="3269">
                  <Credentials
                   parent.attr="Credentials"
                   userName="cn=Administrator,cn=Users,dc=example,dc=com"
                   cleartextPassword=""/>
                    <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
                </TopologyHost>

                <TopologyHost
                       parent.attr="HostsTopologyConfiguration"
                       hostname="ad-host.example.com"
                       port="3268"
                       portSSLOption="true"
                       securePort="3269">
                    <Credentials
                       parent.attr="Credentials"
                       userName="cn=Administrator,cn=Users,dc=example,dc=com"
                       cleartextPassword=""/>
                       <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
                </TopologyHost>

                <AttributeMap>
                  <AttributeDescription
                           parent.attr="WindowsAttribute"
                        name="lockouttime"
                        syntax="1.2.840.113556.1.4.906"/>
                  <AttributeDescription
                        parent.attr="SunAttribute"
                        name="pwdaccountlockedtime"
                        syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
                </AttributeMap>

                <AttributeDescription
                           parent.attr="SignificantAttribute"
                        name="lockouttime"
                        syntax="1.2.840.113556.1.4.906"/>
                <AttributeDescription
                      parent.attr="SignificantAttribute"
                      name="samaccountname"
                           syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                           parent.attr="CreationAttribute"
                           name="samaccountname"
                           syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeMap>
                  <AttributeDescription
                         parent.attr="WindowsAttribute"
                         name="samaccountname"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                  <AttributeDescription
                        parent.attr="SunAttribute"
                         name="uid"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                </AttributeMap>

                <AttributeMap>
                  <AttributeDescription
                       parent.attr="SunAttribute"
                         name="sn"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                  <AttributeDescription
                         parent.attr="WindowsAttribute"
                         name="sn"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                </AttributeMap>

                <AttributeDescription
                            parent.attr="SignificantAttribute"
                           name="sn"
                           syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                           parent.attr="SignificantAttribute"
                         name="cn"
                          syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                           parent.attr="CreationAttribute"
                           name="cn"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeMap>
                           <AttributeDescription
                         parent.attr="SunAttribute"
                         name="cn"
                         syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                  <AttributeDescription
                                parent.attr="WindowsAttribute"
                                  name="cn"
                                  syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                </AttributeMap>

                <AttributeMap>
                     <AttributeDescription
                            parent.attr="SunAttribute"
                            name="uniquemember"
                            syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
                      <AttributeDescription
                                parent.attr="WindowsAttribute"
                              name="member"
                              syntax="1.2.840.113556.1.4.910"/>
                </AttributeMap>

                <AttributeDescription
                              parent.attr="SignificantAttribute"
                           name="member"
                         syntax="1.2.840.113556.1.4.910"/>
              </ActiveDirectoryGlobals>

              <SunDirectoryGlobals
                        userObjectClass="inetOrgPerson"
                        flowInboundCreates="true"
                        flowInboundModifies="true"
                        flowOutboundCreates="true"
                        flowOutboundModifies="true">
                <AttributeDescription
                            parent.attr="SignificantAttribute"
                              name="uniquemember"
                              syntax="1.3.6.1.4.1.1466.115.121.1.25"/>
                <AttributeDescription
                              parent.attr="CreationAttribute"
                              name="cn"
                              syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                              parent.attr="SignificantAttribute"
                              name="cn"
                              syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                              parent.attr="SignificantAttribute"
                              name="pwdaccountlockedtime"
                              syntax="1.3.6.1.4.1.1466.115.121.1.24"/>
                <TopologyHost
                              parent.attr="SchemaLocation"
                              hostname="ds-host.example.com"
                              port="389"
                              portSSLOption="false"
                              securePort="636">
                      <Credentials
                        parent.attr="Credentials"
                       userName="cn=directory manager"
                       cleartextPassword=""/>
                       <!-- INSERT PASSWORD BETWEEN THE DOUBLE QUOTES IN THE ABOVE FIELD -->
                </TopologyHost>
                <AttributeDescription
                                parent.attr="SignificantAttribute"
                              name="uid"
                              syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                              parent.attr="CreationAttribute"
                              name="sn"
                              syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
                <AttributeDescription
                              parent.attr="SignificantAttribute"
                              name="sn"
                              syntax="1.3.6.1.4.1.1466.115.121.1.15"/>
              </SunDirectoryGlobals>
            </ActiveConfiguration>

After the completion of configuration export, export11cnf reports the result of the operation. If the operation fails, an appropriate error message is displayed with an error identifier.

Checking for Undelivered Messages

The migration process minimizes system downtime by preserving the connectors’ states in the existing deployment. However, these states reflect only the last change received and acknowledged by the Message Queue. Therefore, you do not know whether the message was actually delivered and applied to the destination connector.

This behavior does not cause problems as long as the Message Queue remains the same. However, you will lose any messages on the Message Queue during the migration process when you install Message Queue 3.6.

You must verify that the synchronization topics on the existing Message Queue do not have any undelivered messages before you proceed with the migration. The Identity Synchronization for Windows checktopics utility enables you to verify that all the synchronization topics are empty and that the system is not causing any problems.

Using the checktopics Utility

The checktopics utility is delivered in the migration directory of the Solaris/SPARC and the Windows Identity Synchronization for Windows 6.0 SP1 package.


Note - The prerequisite to run checktopics is a Java Virtual Machine.


When you run the checktopics utility, it connects to the configuration directory, which contains information about Synchronization User Lists (SULs) and current synchronization topic names used in Message Queue. In addition, when you run checktopics, it queries Message Queue to check how many outstanding messages remain on each active synchronization topic and then displays this information for you.

To execute the checktopics command line utility:

  1. Open a Terminal window and cd to the migration directory.
  2. From a command prompt, type the subcommand as follows.
    java -jar checktopics.jar -h hostname \
     -p port -D bind-DN \
     -w bind-password -s root-suffix \
     -q configuration-password -Z

    For example,

    java -jar checktopics.jar -D "cn=directory manager" -w - -s "dc=example,dc=com" -q - -Z


    Note - For more information about the checktopics arguments, see Common Arguments to the Idsync Subcommands in Oracle Identity Synchronization for Windows 6.0 Installation and Configuration Guide. For more information about using checktopics, see Checking for Undelivered Messages.

    After running checktopics, check your terminal for the following messages:

    • If the operation succeeds, the terminal window displays a message stating that there are no outstanding messages in the logs.

    • If the operation fails, an appropriate error message is displayed with an error identifier.


To Clear Messages

If any of the active synchronization topics contain outstanding messages, use the following procedure to clear the messages.

  1. Restart synchronization.
  2. Wait until the messages are applied to the destination connector.
  3. Stop synchronization.
  4. Rerun checktopics.

Forcing Password Changes on Windows NT

On Windows NT, password changes are not monitored and new password values are not captured during the migration process. Consequently, you cannot determine new password values after the migration process.

Instead of requiring all users to change passwords when you finish migrating to 6.0 SP1, you can use the forcepwchg command-line utility to require a password change for all the users who changed passwords during the migration process.


Note - The forcepwchg utility is available only in the Windows packages.


You can find the forcepwchg utility in the Windows migration directory. Execute forcepwchg directly from that directory. No additional installation steps are necessary.

You must run forcepwchg on the Primary Domain Controller (PDC) host where the NT components (connector, Change Detector DLL, and Password Filter DLL) are installed. You cannot run forcepwchg remotely.

The forcepwchg utility also prints the account names (one name per line) that it is trying to migrate. If an error occurs during the migration process, look at the entry that follows the last printed entry.